summaryrefslogtreecommitdiffstats
path: root/perl-install
diff options
context:
space:
mode:
authordamien <damien@mandriva.com>2001-03-21 01:17:46 +0000
committerdamien <damien@mandriva.com>2001-03-21 01:17:46 +0000
commit8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd (patch)
treeffe7695cdb716a0d31c5379f858bc69f7ed1fc98 /perl-install
parenta2b09c2a8f87e554d565f74f45d612e142b73708 (diff)
downloaddrakx-8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd.tar
drakx-8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd.tar.gz
drakx-8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd.tar.bz2
drakx-8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd.tar.xz
drakx-8e75979d0b43aefcc21ff5313a8ff94ed91bd3dd.zip
new tinyfirewall conf tool
Diffstat (limited to 'perl-install')
-rwxr-xr-xperl-install/standalone/tinyfirewall32
-rw-r--r--perl-install/tinyfirewall.pm133
2 files changed, 165 insertions, 0 deletions
diff --git a/perl-install/standalone/tinyfirewall b/perl-install/standalone/tinyfirewall
new file mode 100755
index 000000000..f527f58df
--- /dev/null
+++ b/perl-install/standalone/tinyfirewall
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+
+# DrakNet
+
+# Copyright (C) 1999 MandrakeSoft (damien@mandrakesoft.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+use lib qw(/usr/lib/libDrakX);
+use interactive;
+use standalone;
+use tinyfirewall;
+
+$::isEmbedded = ($::XID, $::CCPID) = "@ARGV" =~ /--embedded (\w+) (\w+)/;
+$::isWizard = "@ARGV" =~ /--wizard/;
+
+local $_ = join '', @ARGV;
+
+my $in = vnew interactive('su');
+tinyfirewall::main($in);
diff --git a/perl-install/tinyfirewall.pm b/perl-install/tinyfirewall.pm
new file mode 100644
index 000000000..f502ea1f1
--- /dev/null
+++ b/perl-install/tinyfirewall.pm
@@ -0,0 +1,133 @@
+package tinyfirewall;
+
+use diagnostics;
+use strict;
+use common qw(:common :functional :system :file);
+use commands;
+use run_program;
+use my_gtk qw(:helpers :wrappers);
+
+
+my @messages = (_("tinyfirewall configurator
+
+This configures a personal firewall for this Linux Mandrake machine.
+For a powerful dedicated firewall solution, please look to the
+specialized MandrakeSecurity Firewall distribution."),
+_("We'll now ask you questions about which services you'd like to allow
+the Internet to connect to. Please think carefully about these
+questions, as your computer's security is important.
+
+Please, if you're not currently using one of these services, firewall
+it off. You can change this configuration anytime you like by
+re-running this application!"),
+_("Are you running a web server on this machine that you need the whole
+Internet to see? If you are running a webserver that only needs to be
+accessed by this machine, you can safely answer NO here."),
+_("Are you running a name server on this machine? If you didn't set one
+up to give away IP and zone information to the whole Internet, please
+answer no."),
+_("Do you want to allow incoming Secure Shell (ssh) connections? This
+is a telnet-replacement that you might use to login. If you're using
+telnet now, you should definitely switch to ssh. telnet is not
+encrypted -- so some attackers can steal your password if you use
+it. ssh is encrypted and doesn't allow for this eavesdropping."),
+_("Do you want to allow incoming telnet connections?
+This is horribly unsafe, as we explained in the previous screen. We
+strongly recommend answering No here and using ssh in place of
+telnet."),
+_("Are you running an FTP server here that you need accessible to the
+Internet? If you are, we strongly recommend that you only use it for
+Anonymous transfers. Any passwords sent by FTP can be stolen by some
+attackers, since FTP also uses no encryption for transferring passwords."),
+_("Are you running a mail server here? If you're sending you
+messages through pine, mutt or any other text-based mail client,
+you probably are. Otherwise, you should firewall this off."),
+_("Are you running a POP or IMAP server here? This would
+be used to host non-web-based mail accounts for people via
+this machine."),
+_("You appear to be running a 2.2 kernel. If your network IP
+is automatically set by a computer in your home or office
+(dynamically assigned), we need to allow for this. Is
+this the case?"),
+_("Is your computer getting time syncronized to another computer?
+Mostly, this is used by medium-large Unix/Linux organizations
+to synchronize time for logging and such. If you're not part
+of a larger office and haven't heard of this, you probably
+aren't."),
+_("Configuration complete. May we write these changes to disk?")
+);
+
+my %settings;
+sub ReadConfig {
+ my ($config_file, $default_config_file)=@_;
+ $config_file ||= "/etc/Bastille/bastille-firewall.cfg";
+ $default_config_file ||= "/usr/share/Bastille/bastille-firewall.cfg"; # set this later
+ -e $config_file or cp($default_config_file, $config_file);
+ add2hash(\%settings, { getVarsFromSh("$config_file") })
+}
+
+my $GetNetworkInfo = sub { print "in int! :=\n"};
+
+sub DoInterface {
+ my ($in)=@_;
+ $::isWizard=1;
+ my @struct = (
+ [$GetNetworkInfo],
+ [],
+ [undef , undef, undef, "http no", "http yes", ["tcp", "80"], ["tcp", "443"]],
+ [undef , undef, undef, "dns no", "dns yes", ["tcp", "53"], ["udp", "53"]],
+ [undef , undef, undef, "ssh no", "ssh yes", ["tcp", "22"]],
+ [undef , undef, undef, "telnet no", "telnet yes", ["tcp", "23"]],
+ [undef , undef, undef, "ftp no", "ftp yes", ["tcp", "20"],["tcp", "21"]],
+ [undef , undef, undef, "smtp no", "smtp yes", ["tcp", "25"]],
+ [undef , undef, undef, "popimap no", "popimap yes", ["tcp", "109"], ["tcp", "110"], ["tcp", "143"]],
+ [undef , _("No I don't need DHCP"), "Yes I need DHCP", "dhcp no", "dhcp yes", [$settings{DHCP_IFACES}]],
+ [undef , _("No I don't need NTP"), "Yes I need NTP", "ntp no", "ntp yes", ]
+ );
+ my $totalsteps = @struct;
+ $totalsteps -= 2 if !Kernel22();
+ # $curstep=0;
+ # my $step = "Step " . ($curstep eq $num_steps && !Kernel22() ? $curstep - 2 : $curstep) . " / $totalsteps\n\n";
+
+ foreach (0..@struct) {
+ my $l = $struct[$_];
+ my $size=@$l;
+ $size or next;
+ print "### $size ###\n";
+ $size == 1 and ($l->[0])->();
+ my $no = $l->[1] ? $l->[1] : _("No (firewall this off from the internet)");
+ my $yes = $l->[2] ? $l->[2] : _("Yes (allow this through the firewall)");
+ print "Y : $yes\n";
+ print "N : $no\n";
+ if ($in->ask_from_list(_("Firewall Configuration Wizard"),
+ $messages[$_],
+ [ $yes, $no ], or_( map { if_($_, CheckService($_->[0], $_->[1])) } (@$l[5..7])) ? $yes : $no
+ )) {
+ print "EEEEEEEEEEEEEEEEE\n";
+ } else {
+ print "NNNNNNNNNNN\n";
+ }
+ }
+}
+
+
+sub CheckService {
+ my ($protocol, $port) = @_;
+ my @services;
+
+ @services = split / /, $settings{uc($protocol) . "_PUBLIC_SERVICES"};
+ map { $_ eq $port and return 1 } @services;
+}
+
+sub Kernel22
+{
+ my ($major, $minor, $patchlevel) = (cat_("/proc/version"))[0] =~ m/^Linux version ([0-9]+)\.([0-9]+)\.([0-9]+)/;
+ $major eq "2" && $minor eq "2";
+}
+
+sub main {
+ my ($in)=@_;
+ ReadConfig;
+ DoInterface($in);
+
+}