-rw-r--r--perl-install/tinyfirewall.pm248
1 files changed, 223 insertions, 25 deletions
diff --git a/perl-install/tinyfirewall.pm b/perl-install/tinyfirewall.pm
index f502ea1f1..4ff57387c 100644
--- a/perl-install/tinyfirewall.pm
+++ b/perl-install/tinyfirewall.pm
@@ -5,8 +5,10 @@ use strict;
use common qw(:common :functional :system :file);
use commands;
use run_program;
+use netconnect;
+use network;
use my_gtk qw(:helpers :wrappers);
-
+use Data::Dumper;
my @messages = (_("tinyfirewall configurator
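Review bot: `use Data::Dumper;` is added here only to feed the `print Data::Dumper->Dump([%settings], ["plop"])` calls that the later hunks put into ReadConfig and $GetNetworkInfo; those dumps write the whole firewall configuration (interfaces, allowed services, blocked ports) to stdout on every run. Either drop the import together with the dumps before merging, or keep them behind an explicit debug flag so a production installer does not echo its ruleset. The blank line removed between `use my_gtk` and `my @messages` also leaves the pragma block and the data block with no separation, which is purely cosmetic but worth restoring.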
@@ -58,15 +60,76 @@ _("Configuration complete. May we write these changes to disk?")
);
my %settings;
-sub ReadConfig {
+#sub ReadConfig {
+my $config_file = "/etc/Bastille/bastille-firewall.cfg";
+my $default_config_file = "/usr/share/Bastille/bastille-firewall.cfg"; # set this later
+sub ReadConfig
+##############################
+## Reads the default values from $config_file
+{
+ ## if $config_file doesn't exist, move the
+ ## $default_config_file to $config_file
+
+ system ("/bin/cp $default_config_file $config_file")
+ if !( -e $config_file);
+
+
+ open CONFIGFILE, $config_file
+ or die "Can't open $config_file: $!\n";
+
+ while (my $line = <CONFIGFILE>)
+ {
+ $line =~ s/\#.*$//; # remove comments
+ $line =~ s/^\s+//; # remove leading whitespace
+ $line =~ s/\s+$//; # remove tailing whitespace
+ $line =~ s/\s+/ /; # remove extra whitespace
+
+
+ ## what's left will be useful stuff, so
+ ## get the values
+
+ $line =~ m/^(.+)\s*\=\s*\"(.*)\"\s*$/;
+ my ($variable, $value) = ($1, $2);
+
+
+ ## set the proper value in the hash
+
+ $settings{$variable} = $value
+ if ($variable);
+ }
+
+ close CONFIGFILE;
+ return;
my ($config_file, $default_config_file)=@_;
$config_file ||= "/etc/Bastille/bastille-firewall.cfg";
- $default_config_file ||= "/usr/share/Bastille/bastille-firewall.cfg"; # set this later
+ $default_config_file ||= "/usr/share/Bastille/bastille-firewall.cfg";
-e $config_file or cp($default_config_file, $config_file);
- add2hash(\%settings, { getVarsFromSh("$config_file") })
+ add2hash(\%settings, { getVarsFromSh("$config_file") });
+ print Data::Dumper->Dump ( [%settings], ["plop"]) . "\n";
}
-my $GetNetworkInfo = sub { print "in int! :=\n"};
+my $GetNetworkInfo = sub {
+ $settings{DNS_SERVERS} = join(' ', uniq(split(' ', $settings{DNS_SERVERS}),
+ @{network::read_resolv_conf("/etc/resolv.conf")}{'dnsServer', 'dnsServer2', 'dnsServer3'}));
+ open NETSTAT, "/bin/netstat -in |" or die "Can't pipe from /bin/netstat: $!\n"; <NETSTAT>; <NETSTAT>;
+ my @interfaces = map { (split / /)[0]; } (<NETSTAT>); close NETSTAT;
+ open ROUTE, "/sbin/route -n |" or die "Can't pipe from /sbin/route: $!\n"; <ROUTE>; <ROUTE>;
+ my $defaultgw;
+ my $iface;
+ while (<ROUTE>) {
+ my @parts = split /\s+/;
+ ($parts[0] eq "0.0.0.0") and $defaultgw = $parts[1], $iface = $parts[7];
+ } close ROUTE;
+ my $fulliface = $iface;
+ $fulliface =~ s/[0-9]+/\\\+/; # so we can match eth0 against eth+, for example
+ $settings{PUBLIC_INTERFACES} = join(' ', uniq(split(' ', $settings{PUBLIC_INTERFACES}), $iface));
+ $settings{PUBLIC_INTERFACES} =~ $fulliface and $settings{PUBLIC_INTERFACES} =~ s/$iface *//;
+ $settings{INTERNAL_IFACES} = join(' ', uniq(split(' ', $settings{INTERNAL_IFACES}),
+ map { my $i=$_; my $f=$i; $f=~s/[0-9]+/\\\+/;
+ if_(and_( map {$settings{$_} !~ /$i/ and $settings{$_} !~ /$f/ } ('TRUSTED_IFACES', 'PUBLIC_IFACES', 'INTERNAL_IFACES')), $i)
+ } (@interfaces) ));
+ print Data::Dumper->Dump ( [%settings], ["plop"]) . "\n";
+};
sub DoInterface {
my ($in)=@_;
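Review bot: $GetNetworkInfo stores the default-route interface in `$settings{PUBLIC_INTERFACES}` (the two `$settings{PUBLIC_INTERFACES} = ...` lines) but the exclusion test a few lines below reads `$settings{PUBLIC_IFACES}` next to TRUSTED_IFACES and INTERNAL_IFACES, so the public interface is never found there and is appended to INTERNAL_IFACES as well, which for a firewall generator means the Internet-facing interface is also treated as internal. Use one key in both places, presumably `PUBLIC_IFACES` to match the sibling names, but confirm against the bastille-firewall.cfg the file reads. In ReadConfig everything after `return;` (the old `@_`-based body and the add2hash/getVarsFromSh call) is unreachable and should be deleted, and the copy above it never checks its status; `system('/bin/cp', $default_config_file, $config_file) == 0 or die "cp $default_config_file: $?\n"` keeps the shell out of the path and fails early instead of letting the later `open` report a misleading error. The parse regex `m/^(.+)\s*\=\s*\"(.*)\"\s*$/` is never tested for success, so an unquoted `FOO=bar` line is silently ignored while `$1`/`$2` still hold the previous match; guard the assignment with `if ($line =~ m/^(\S+)\s*=\s*"(.*)"$/)` so the key cannot also pick up trailing whitespace from `(.+)`. The `print Data::Dumper->Dump(...)` calls in both subs dump the full settings to stdout and look like debug leftovers.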
@@ -81,35 +144,171 @@ sub DoInterface {
[undef , undef, undef, "ftp no", "ftp yes", ["tcp", "20"],["tcp", "21"]],
[undef , undef, undef, "smtp no", "smtp yes", ["tcp", "25"]],
[undef , undef, undef, "popimap no", "popimap yes", ["tcp", "109"], ["tcp", "110"], ["tcp", "143"]],
- [undef , _("No I don't need DHCP"), "Yes I need DHCP", "dhcp no", "dhcp yes", [$settings{DHCP_IFACES}]],
- [undef , _("No I don't need NTP"), "Yes I need NTP", "ntp no", "ntp yes", ]
+ [undef , _("No I don't need DHCP"), _("Yes I need DHCP"), "dhcp no", "dhcp yes", [$settings{DHCP_IFACES}]],
+ [undef , _("No I don't need NTP"), _("Yes I need NTP"), "ntp no", "ntp yes", ]
);
- my $totalsteps = @struct;
- $totalsteps -= 2 if !Kernel22();
- # $curstep=0;
- # my $step = "Step " . ($curstep eq $num_steps && !Kernel22() ? $curstep - 2 : $curstep) . " / $totalsteps\n\n";
-
- foreach (0..@struct) {
- my $l = $struct[$_];
- my $size=@$l;
- $size or next;
- print "### $size ###\n";
- $size == 1 and ($l->[0])->();
+ !Kernel22() and pop @struct, pop @struct;
+ for (my $i=0;$i<@struct;$i++) {
+ $::Wizard_no_previous = $i == 0;
+ $::Wizard_finished = $i == $#struct;
+ my $l = $struct[$i];
+ @$l or goto ask;
+ if (@$l == 1) {
+ ($l->[0])->();
+ ask:
+ $in->ask_okcancel(_("Firewall Configuration Wizard"), $messages[$i],1) ? next : goto prev;
+ }
my $no = $l->[1] ? $l->[1] : _("No (firewall this off from the internet)");
my $yes = $l->[2] ? $l->[2] : _("Yes (allow this through the firewall)");
- print "Y : $yes\n";
- print "N : $no\n";
- if ($in->ask_from_list(_("Firewall Configuration Wizard"),
- $messages[$_],
+ if (my $e = $in->ask_from_list(_("Firewall Configuration Wizard"),
+ $messages[$i],
[ $yes, $no ], or_( map { if_($_, CheckService($_->[0], $_->[1])) } (@$l[5..7])) ? $yes : $no
)) {
- print "EEEEEEEEEEEEEEEEE\n";
+ WidgetHandler($i, $e =~ /Yes/)
} else {
- print "NNNNNNNNNNN\n";
+ prev:
+ $i = $i-2 >= -1 ? $i-2 : -1;
}
}
}
+sub WidgetHandler {
+ my ($i, $e)=@_;
+
+ if ($data eq "save no")
+ {
+ Gtk->exit (0);
+ }
+ elsif ($data eq "save yes")
+ {
+ CloseWindow();
+ }
+ elsif ($data eq "quit no")
+ {
+ DestroyStep();
+ $curstep = $previous_step;
+ DoInterface();
+ return 0;
+ }
+
+ if ($togglebutton->active)
+ {
+ if ($data eq "http no")
+ {
+ RemoveService ("tcp", "80");
+ RemoveService ("tcp", "443");
+ }
+
+ elsif ($data eq "http yes")
+ {
+ AddService ("tcp", "80");
+ AddService ("tcp", "443");
+ }
+
+ elsif ($data eq "dns no")
+ {
+ RemoveService ("tcp", "53");
+ RemoveService ("udp", "53");
+ }
+
+ elsif ($data eq "dns yes")
+ {
+ AddService ("tcp", "53");
+ AddService ("udp", "53");
+ }
+ elsif ($data eq "ssh no")
+ {
+ RemoveService ("tcp", "22");
+ }
+ elsif ($data eq "ssh yes")
+ {
+ AddService ("tcp", "22");
+ }
+ elsif ($data eq "telnet no")
+ {
+ RemoveService ("tcp", "23");
+ }
+ elsif ($data eq "telnet yes")
+ {
+ AddService ("tcp", "23");
+ }
+ elsif ($data eq "ftp no")
+ {
+ RemoveService ("tcp", "20");
+ RemoveService ("tcp", "21");
+ }
+ elsif ($data eq "ftp yes")
+ {
+ AddService ("tcp", "20");
+ AddService ("tcp", "21");
+ }
+ elsif ($data eq "smtp no")
+ {
+ RemoveService ("tcp", "25");
+ }
+ elsif ($data eq "smtp yes")
+ {
+ AddService ("tcp", "25");
+ }
+ elsif ($data eq "popimap no")
+ {
+ RemoveService ("tcp", "109");
+ RemoveService ("tcp", "110");
+ RemoveService ("tcp", "143");
+
+
+ }
+ elsif ($data eq "popimap yes")
+ {
+ AddService ("tcp", "109");
+ AddService ("tcp", "110");
+ AddService ("tcp", "143");
+
+ $settings{FORCE_PASV_FTP} = "N";
+ $settings{TCP_BLOCKED_SERVICES} = "6000:6020";
+ $settings{UDP_BLOCKED_SERVICES} = "2049";
+ $settings{ICMP_ALLOWED_TYPES} = "destination-unreachable echo-reply time-exceeded";
+ $settings{ENABLE_SRC_ADDR_VERIFY} = "Y";
+ $settings{IP_MASQ_NETWORK} = "";
+ $settings{IP_MASQ_MODULES} = "";
+ $settings{REJECT_METHOD} = "DENY";
+ }
+ elsif ($data eq "dhcp yes")
+ {
+ return if $settings{DHCP_IFACES}; # variable already has something
+
+ ## Get a list of network interfaces
+
+ open NETSTAT, "/bin/netstat -in |"
+ or die "Can't pipe from /bin/netstat: $!\n";
+
+ <NETSTAT>; <NETSTAT>; # get rid of first 2 lines
+
+ my @interfaces;
+
+ while (<NETSTAT>)
+ {
+ $settings{DHCP_IFACES} .= (split / /)[0] . " ";
+ }
+
+ close NETSTAT;
+
+ chop $settings{DHCP_IFACES}
+ }
+ elsif ($data eq "dhcp no")
+ {
+ $settings{DHCP_IFACES} = "";
+ }
+ elsif ($data eq "ntp yes")
+ {
+ $settings{ICMP_OUTBOUND_DISABLED_TYPES} = "";
+ $settings{LOG_FAILURES} = "N";
+ }
+
+
+
+ }
+}
sub CheckService {
my ($protocol, $port) = @_;
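Review bot: WidgetHandler unpacks `($i, $e)` but then dispatches on `$data` and wraps every service branch in `if ($togglebutton->active)`, neither of which is declared in the sub; with `use strict` in force (visible in the first hunk's context) this does not compile unless both are package globals declared outside the shown hunks, and even then `$data` is never derived from the wizard answer, so no AddService/RemoveService call is reached. The caller already has what is needed: pass the action string instead, `WidgetHandler($l->[$e eq $yes ? 4 : 3])` with `my ($data) = @_;` in the handler, and drop the `$togglebutton->active` wrapper; comparing against `$yes` also replaces `$e =~ /Yes/`, which fails for every translated `_("Yes ...")` label and would silently answer "no" in non-English locales. Separately, the `popimap yes` branch also resets FORCE_PASV_FTP, TCP_BLOCKED_SERVICES, UDP_BLOCKED_SERVICES, ICMP_ALLOWED_TYPES, ENABLE_SRC_ADDR_VERIFY, IP_MASQ_NETWORK, IP_MASQ_MODULES and REJECT_METHOD, so enabling POP/IMAP would wipe the masquerading setup and rewrite the blocked-port lists; that looks like a misplaced defaults block and should be moved out of the branch. The `save`/`quit` branches call Gtk->exit, CloseWindow and DestroyStep, which nothing in the new wizard loop passes as `$data`, so they appear to be leftovers from the GTK version. DoInterface starts before this hunk and CheckService continues after it.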
@@ -129,5 +328,4 @@ sub main {
my ($in)=@_;
ReadConfig;
DoInterface($in);
-
}