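#!/usr/local/bin/perl
# setup.cgi
# Create an initial IPFW rules file from the choices made on the setup form.
#
# Form inputs read from %in:
#   reset          - if set, discard every existing rule except the 65535 default
#   auto           - which rule set to generate:
#                    0 = allow all traffic
#                    1 = keep the existing rules as they are
#                    2 = block everything apart from established connections,
#                        DNS replies and safe ICMP types
#                    3 = as 2, plus SSH and IDENT
#                    4 = as 3, plus pings, a few protected services and high ports
#   ifaceN         - external interface selected for auto=N (N >= 2), or
#   ifaceN_other   - the same typed into the free-text field
#   atboot         - if set, also create the boot-time init script

require './ipfw-lib.pl';
&ReadParse();

# setup_rule(action, num, proto, [key => value, ...])
# Build one rule hash matching any source and destination, which is what every
# rule generated here uses. Extra keys (ports, flags, comment, ...) are merged in.
sub setup_rule
{
my ($action, $num, $proto, %extra) = @_;
return { 'action' => $action,
         'num' => $num,
         'proto' => $proto,
         'from' => 'any',
         'to' => 'any',
         %extra };
}

# setup_insert_pos(&rules)
# Index at which generated rules are inserted: just before the 65535 default
# rule when it is the last entry, otherwise at the end of the list. ipfw orders
# rules by number, so this only decides the layout of the saved file.
sub setup_insert_pos
{
my ($rules) = @_;
return (@$rules && $rules->[-1]->{'num'} == 65535) ? @$rules-1 : scalar(@$rules);
}

# Start with the live configuration, which will include the 65535 default rule
$rules = &get_config("$config{'ipfw'} list |", \$out);
if ($in{'reset'}) {
        @$rules = grep { $_->{'num'} == 65535 } @$rules;
        }

# In the flush format a flush re-creates the 65535 rule, so drop it here and
# re-add the flush line at the top once the rules are complete
my $flush_format = (&get_ipfw_format() == 1);
if ($flush_format) {
        @$rules = grep { $_->{'num'} != 65535 } @$rules;
        }

# Add selected rules
my $auto = $in{'auto'};
if ($auto == 0) {
        # Allow all traffic
        splice(@$rules, 0, 0,
               &setup_rule("allow", "00100", "all",
                           "cmt" => "Allow all traffic"));
        }
elsif ($auto >= 2) {
        # Block all traffic, apart from established connections, DNS replies
        # and safe ICMP types.
        # The external interface comes from a select list or from a free-text
        # field and is written verbatim into the rules file, so only accept
        # what ipfw takes as an interface spec (a name, 'any' or an if*
        # wildcard) - in particular no whitespace or line breaks.
        $iface = $in{'iface'.$auto} || $in{'iface'.$auto.'_other'};
        $iface || &error($text{'setup_eiface'});
        $iface =~ /\A[a-zA-Z0-9_.:*-]+\z/ || &error($text{'setup_eiface'});
        splice(@$rules, 0, 0,
               &setup_rule("skipto", "00100", "all",
                           "aarg" => "00300",
                           "recv" => $iface,
                           "cmt" => "Skip next rule for external interface"),
               &setup_rule("allow", "00200", "all",
                           "cmt" => "Allow all traffic on internal interfaces"),
               &setup_rule("allow", "00300", "tcp",
                           "established" => 1,
                           "cmt" => "Allow established TCP connections"),
               &setup_rule("allow", "00400", "tcp",
                           "tcpflags" => "ack",
                           "cmt" => "Allow traffic with ACK flag set"),
               &setup_rule("allow", "00500", "udp",
                           "from_ports" => "53",
                           "to_ports" => "1024-65535",
                           "cmt" => "Accept responses to DNS queries"),
               &setup_rule("allow", "00600", "icmp",
                           "icmptypes" => "0,3,4,11,12",
                           "cmt" => "Accept safe ICMP types"));
        if ($auto >= 3) {
                # Add SSH and ident
                splice(@$rules, &setup_insert_pos($rules), 0,
                       &setup_rule("allow", "00700", "tcp",
                                   "to_ports" => 22,
                                   "cmt" => "Allow connections to our SSH server"),
                       &setup_rule("allow", "00800", "tcp",
                                   "to_ports" => 113,
                                   "cmt" => "Allow connections to our IDENT server"));
                }
        if ($auto >= 4) {
                # Allow pings and most high ports, but keep a few local-only
                # services closed even though they live on high ports
                splice(@$rules, &setup_insert_pos($rules), 0,
                       &setup_rule("allow", "00900", "icmp",
                                   "icmptypes" => "8",
                                   "cmt" => "Respond to pings"),
                       &setup_rule("deny", "01000", "tcp",
                                   "to_ports" => "2049-2050",
                                   "cmt" => "Protect our NFS server"),
                       &setup_rule("deny", "01100", "tcp",
                                   "to_ports" => "6000-6063",
                                   "cmt" => "Protect our X11 display server"),
                       &setup_rule("deny", "01200", "tcp",
                                   "to_ports" => "7000-7010",
                                   "cmt" => "Protect our X font server"),
                       &setup_rule("allow", "01300", "tcp",
                                   "to_ports" => "1024-65535",
                                   "cmt" => "Allow connections to unprivileged ports"));
                }

        # Add a final deny-all rule, unless the 65535 default rule is still
        # present and already denies everything
        my $lr = $rules->[-1];
        if ($lr->{'num'} != 65535 || $lr->{'action'} ne 'deny') {
                splice(@$rules, &setup_insert_pos($rules), 0,
                       &setup_rule("deny", "10000", "all"));
                }
        }

# Add flush line at top
if ($flush_format) {
        splice(@$rules, 0, 0, { 'other' => 1,
                                'text' => 'flush' });
        }

# Save firewall
&lock_file($ipfw_file);
&save_config($rules);
&unlock_file($ipfw_file);
&copy_to_cluster();

if ($in{'atboot'}) {
        &create_firewall_init();
        }

&webmin_log("setup");
&redirect("");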