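#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc360.fwrules - rewrite old packet filter rules to new format
#
# Converts the legacy ROUTE_NETWORK / MASQ_NETWORK / TRUSTED_NETS /
# INPUT_ACCEPT_PORT_* / FORWARD_DENY_PORT_* / FORWARD_HOST_* variables into
# the PF_INPUT_* / PF_FORWARD_* / PF_USR_CHAIN_* / PF_POSTROUTING_* variables
# read by the new packet filter.  Only runs when PF_ORIG_CONFIG=yes.
#
# Helpers from the surrounding rc framework (not defined here): begin_script,
# end_script, log_error and unique (which is expected to leave its
# de-duplicated argument list in $list).
#
# Creation: jw5
# Last Update: $Id$
#------------------------------------------------------------------------------

case $PF_ORIG_CONFIG in
yes)
    begin_script FWRULES "rewriting packet filter rules to new format ..."

    #----------------------------------------------------------------------
    # assign_rule VARNAME VALUE
    #
    # Sets shell variable VARNAME to VALUE.  Only the script-generated
    # variable name goes through eval; the value (which comes straight from
    # the user's configuration) is expanded afterwards, so quotes or other
    # shell metacharacters in a config value cannot become shell code.
    #----------------------------------------------------------------------
    assign_rule ()
    {
        _rule_val=$2
        eval "$1=\$_rule_val"
    }

    #----------------------------------------------------------------------
    # convert_action ACTION DEFAULT
    #
    # Splits an old-style action such as "ACCEPT-TCP", "REJECT" or "UDP"
    # into the new target and protocol prefix.  On return:
    #   $action - ACCEPT / REJECT / DROP, or DEFAULT when ACTION named
    #             only a protocol
    #   $prot   - 'prot:tcp ' / 'prot:udp ' / 'prot:gre ' or empty
    # Anything that cannot be parsed (unknown action OR unknown protocol)
    # is logged and turned into an unrestricted REJECT, so a typo in the
    # configuration closes the port instead of opening it to everything.
    #----------------------------------------------------------------------
    convert_action ()
    {
        act=$1
        action=$2
        prot=

        # "ACCEPT-TCP" -> "ACCEPT TCP".  'set --' makes an empty ACTION
        # clear the positional parameters instead of running a bare 'set',
        # which would dump every shell variable to stdout.
        set -- $(printf '%s\n' "$act" | sed -e 's/-/ /')
        case $1 in
        ACCEPT | REJECT | DROP)
            action=$1
            case "$2" in
            '')    ;;
            TCP)   prot='prot:tcp ' ;;
            UDP)   prot='prot:udp ' ;;
            GRE)   prot='prot:gre ' ;;
            *)
                # fail closed, same as for an unknown action below
                log_error "unknown protocol '$2' in '$act', using REJECT"
                prot=
                action=REJECT
                ;;
            esac
            ;;
        TCP)   prot='prot:tcp ' ;;
        UDP)   prot='prot:udp ' ;;
        *)
            log_error "unknown action format: $act"
            prot=
            action=REJECT
            ;;
        esac
    }

    #----------------------------------------------------------------------
    # input rules
    #----------------------------------------------------------------------
    idx=1
    # PF_INPUT_POLICY already set
    PF_INPUT_ACCEPT_DEF='yes'               # use default rule set
    PF_INPUT_LOG=$PACKETFILTER_LOG

    # every routed / masqueraded / trusted network may talk to the router
    unique $ROUTE_NETWORK $MASQ_NETWORK $TRUSTED_NETS
    for net in $list
    do
        assign_rule PF_INPUT_$idx "$net ACCEPT"
        idx=$((idx + 1))
    done

    # INPUT_ACCEPT_PORT_x='<port> <action>[-<protocol>]'
    j=1
    while [ "$j" -le "${INPUT_ACCEPT_PORT_N:-0}" ]
    do
        eval "port=\$INPUT_ACCEPT_PORT_$j"
        set -- $port
        port=$1
        if [ -z "$port" ]
        then
            # an empty entry would otherwise become a rule without a port
            log_error "INPUT_ACCEPT_PORT_$j is empty, ignored"
        else
            convert_action "$2" ACCEPT
            assign_rule PF_INPUT_$idx "$prot$port $action"
            idx=$((idx + 1))
        fi
        j=$((j + 1))
    done
    PF_INPUT_N=$((idx - 1))

    #----------------------------------------------------------------------
    # forward rules
    #----------------------------------------------------------------------
    idx=1
    PF_FORWARD_POLICY='REJECT'              # be nice and use reject as policy
    PF_FORWARD_ACCEPT_DEF='yes'             # use default rule set
    PF_FORWARD_LOG=$PACKETFILTER_LOG

    # trusted networks may reach each other
    for src in $TRUSTED_NETS
    do
        for dst in $TRUSTED_NETS
        do
            if [ "$src" != "$dst" ]
            then
                assign_rule PF_FORWARD_$idx "$src $dst ACCEPT"
                idx=$((idx + 1))
            fi
        done
    done
    fwd_idx=$idx

    # FORWARD_DENY_PORT_x='<port> <action>[-<protocol>]'
    j=1
    while [ "$j" -le "${FORWARD_DENY_PORT_N:-0}" ]
    do
        eval "port=\$FORWARD_DENY_PORT_$j"
        set -- $port
        port=$1
        if [ -z "$port" ]
        then
            log_error "FORWARD_DENY_PORT_$j is empty, ignored"
        else
            convert_action "$2" REJECT
            assign_rule PF_FORWARD_$fwd_idx "$prot$port $action"
            fwd_idx=$((fwd_idx + 1))
        fi
        j=$((j + 1))
    done

    # FORWARD_HOST_x: with FORWARD_HOST_WHITE=yes these hosts are the only
    # ones allowed through (user chain 'usr-white', terminated by REJECT);
    # otherwise they are the ones denied (REJECT rules in the forward chain).
    case $FORWARD_HOST_WHITE in
    yes)
        PF_USR_CHAIN_N='1'
        PF_USR_CHAIN_1_NAME='usr-white'
        action=ACCEPT
        list_name=PF_USR_CHAIN_1_RULE
        idx=1
        ;;
    *)
        action=REJECT
        list_name=PF_FORWARD
        idx=$fwd_idx
        ;;
    esac

    j=1
    while [ "$j" -le "${FORWARD_HOST_N:-0}" ]
    do
        eval "host=\$FORWARD_HOST_$j"
        if [ -z "$host" ]
        then
            # in the whitelist case an empty host would become a bare ACCEPT
            log_error "FORWARD_HOST_$j is empty, ignored"
        else
            assign_rule ${list_name}_$idx "$host $action"
            idx=$((idx + 1))
        fi
        j=$((j + 1))
    done

    case $FORWARD_HOST_WHITE in
    yes)
        # everything not whitelisted above is rejected at the chain's end
        assign_rule PF_USR_CHAIN_1_RULE_$idx 'REJECT'
        PF_USR_CHAIN_1_N=$idx
        action=usr-white
        ;;
    *)
        fwd_idx=$idx
        action=ACCEPT
        ;;
    esac

    # masqueraded and routed networks may forward (through usr-white if set)
    unique $MASQ_NETWORK $ROUTE_NETWORK
    for net in $list
    do
        assign_rule PF_FORWARD_$fwd_idx "$net $action"
        fwd_idx=$((fwd_idx + 1))
    done
    PF_FORWARD_N=$((fwd_idx - 1))

    #----------------------------------------------------------------------
    # nat rules
    #----------------------------------------------------------------------
    case x$MASQ_NETWORK in
    x) ;;
    *)
        idx=1
        # no NAT between trusted networks
        for src in $TRUSTED_NETS
        do
            for dst in $TRUSTED_NETS
            do
                if [ "$src" != "$dst" ]
                then
                    assign_rule PF_POSTROUTING_$idx "$src $dst ACCEPT"
                    idx=$((idx + 1))
                fi
            done
        done
        # no NAT towards routed networks
        for net in $ROUTE_NETWORK
        do
            assign_rule PF_POSTROUTING_$idx "any $net ACCEPT"
            idx=$((idx + 1))
        done
        # everything else leaving a masqueraded network is masqueraded
        for net in $MASQ_NETWORK
        do
            assign_rule PF_POSTROUTING_$idx "$net MASQUERADE"
            idx=$((idx + 1))
        done
        PF_POSTROUTING_N=$((idx - 1))
        ;;
    esac

    # Dump old and generated variables to the log.  The patterns are grep
    # regexes, quoted so the shell does not try to glob them against the
    # current directory: '..._[1-9]=' matches single-digit indices only,
    # '..._[1-9][0-9]' the two-digit ones (indices >= 100 are not shown).
    {
        echo "Original configuration:"
        for i in ROUTE_NETWORK MASQ_NETWORK TRUSTED_NETS PACKETFILTER_LOG \
                 PF_INPUT_POLICY INPUT_ACCEPT_PORT_N \
                 'INPUT_ACCEPT_PORT_[1-9]=' 'INPUT_ACCEPT_PORT_[1-9][0-9]' \
                 FORWARD_DENY_PORT_N 'FORWARD_DENY_PORT_[1-9]=' \
                 'FORWARD_DENY_PORT_[1-9][0-9]' \
                 FORWARD_HOST_WHITE FORWARD_HOST_N \
                 'FORWARD_HOST_[1-9]=' 'FORWARD_HOST_[1-9][0-9]'
        do
            set | grep -e "^$i"
        done
        echo "New configuration:"
        for i in PF_INPUT_POLICY PF_INPUT_ACCEPT_DEF PF_INPUT_LOG \
                 PF_INPUT_N 'PF_INPUT_[1-9]=' 'PF_INPUT_[1-9][0-9]' \
                 PF_FORWARD_POLICY PF_FORWARD_ACCEPT_DEF PF_FORWARD_LOG \
                 PF_FORWARD_N 'PF_FORWARD_[1-9]=' 'PF_FORWARD_[1-9][0-9]' \
                 PF_USR_CHAIN_N 'PF_USR_CHAIN_[0-9]' \
                 PF_POSTROUTING_N 'PF_POSTROUTING_[1-9]=' \
                 'PF_POSTROUTING_[1-9][0-9]'
        do
            set | grep -e "^$i"
        done
    } | log_error

    end_script
    ;;
esac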