onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-23 03:37:15 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/ipt/rc.firewall.local
Vadim Kurland 3a2041d16d per Mikes request, the GUI now opens rule set object of the firewall 
when user opens the firewall or any of its children objects in the
editor. This includes any rule set, interface or any other child
object.

Also moved function Interface::getParentHost() from class Interface to
class Host as static FWObject* Host::getParentHost(FWObject *o). Its
behavior is now more logical, it returns non-NULL pointer only if an
object actually has a parent that is host, firewall or cluster. Old
function Interface::getParentHost() returned non-NULL pointer even
when object was not in the proper position in the tree.

Now this function can be used to get parent host/firewall/cluster for
any child object rather than only interface.

I had to fix bunch of problems in unit tests that got uncovered because
new function behaves in a more strict way (returns NULL when there is
no parent of correct type).
2011-06-05 21:38:46 -07:00

234 lines
5.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.0.3547
#
# Generated Sun Jun 5 20:10:11 2011 PDT by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#
# Compiled for iptables (any version)
#
# Endian firewall appliance, 2 interfaces:
# br0 is GREEN
# eth1 is RED
# Do not forget to change IP addresses to
# match your firewall.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by AddressTable object $1"
exit 1
}
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
find_program() {
PGM=$1
command -v $PGM >/dev/null 2>&1 || {
echo "$PGM not found"
exit 1
}
}
check_tools() {
find_program $IPTABLES
find_program $MODPROBE
find_program $IP
}
reset_iptables_v4() {
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
}
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
check_file "atbl.1" "addr-table-1.tbl"
}
verify_interfaces() {
:
echo "Verifying interfaces: et0 eth1"
for i in et0 eth1 ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
script_body() {
# ================ IPv4
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -N RULE_1
$IPTABLES -A INPUT -s 192.168.1.1 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.2 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.3/30 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.200 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.201 -j RULE_1
$IPTABLES -A INPUT -s 192.168.2.128/25 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.1 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.2 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.3/30 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.200 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.201 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.2.128/25 -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A RULE_1 -j DROP
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -N RULE_2
grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -j RULE_2
done
grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -s $at_atbl_1 -j RULE_2
done
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
$IPTABLES -A RULE_2 -j DROP
}
reset_all() {
:
reset_iptables_v4
}
case "$1" in
start)
check_tools
check_run_time_address_table_files
verify_interfaces
prolog_commands
script_body
epilog_commands
;;
stop)
# on IPCOP "/etc/rc.firewall stop" purges all tables and chains
# and then calls this script with command "stop", but there is
# nothing left for us to do here.
;;
reload)
$0 stop
$0 start
;;
*)
echo "Usage $0 {start|stop|reload}"
;;
esac
Reference in New Issue View Git Blame Copy Permalink