tbrehm
2012-06-07 42f191ba77aa9293098b3327d6415f02483fcf6b
Implemented support for UFW firewall (FS#1757 - New IPTables firewall script for IPv4 and IPv6)
8 files modified
266 ■■■■ changed files
install/lib/installer_base.lib.php 9 ●●●●● patch | view | raw | blame | history
install/tpl/server.ini.master 1 ●●●● patch | view | raw | blame | history
interface/lib/classes/aps_crawler.inc.php 2 ●●● patch | view | raw | blame | history
interface/web/admin/form/server_config.tform.php 8 ●●●●● patch | view | raw | blame | history
interface/web/admin/lib/lang/en_server_config.lng 1 ●●●● patch | view | raw | blame | history
interface/web/admin/templates/server_config_server_edit.htm 6 ●●●●● patch | view | raw | blame | history
server/lib/classes/system.inc.php 10 ●●●●● patch | view | raw | blame | history
server/plugins-available/firewall_plugin.inc.php 229 ●●●● patch | view | raw | blame | history
install/lib/installer_base.lib.php
@@ -470,6 +470,15 @@
            if(!$this->dbmaster->query($query)) {
                $this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
            }
            $query = "GRANT SELECT, UPDATE ON ".$value['db'].".`aps_instances` TO '".$value['user']."'@'".$host."' ";
            if ($verbose){
                echo $query ."\n";
            }
            if(!$this->dbmaster->query($query)) {
                $this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
            }
        }
        /*
install/tpl/server.ini.master
@@ -11,6 +11,7 @@
gateway=192.168.0.1
hostname=server1.domain.tld
nameservers=192.168.0.1,192.168.0.2
firewall=bastille
loglevel=2
backup_dir=/var/backup
backup_mode=rootgz
interface/lib/classes/aps_crawler.inc.php
@@ -61,7 +61,7 @@
            // Check if the cURL module is available
            if(!function_exists('curl_version')) throw new Exception('cURL is not available');
            
            // Check if used folders are writable (chmod 777)
            // Check if used folders are writable
            if($this->interface_mode)
            {
                if(!is_writable($this->interface_pkg_dir)) 
interface/web/admin/form/server_config.tform.php
@@ -97,6 +97,14 @@
            'width' => '15',
            'maxlength' => '255'
        ),
        'firewall' => array(
            'datatype' => 'VARCHAR',
            'formtype' => 'SELECT',
            'default' => 'bastille',
            'value' => array('bastille' => 'bastille', 'ufw' => 'ufw'),
            'width' => '40',
            'maxlength' => '255'
        ),
        'hostname' => array(
            'datatype' => 'VARCHAR',
            'formtype' => 'TEXT',
interface/web/admin/lib/lang/en_server_config.lng
@@ -162,4 +162,5 @@
$wb["php_settings_txt"] = 'PHP Settings';
$wb["apps_vhost_settings_txt"] = 'Apps Vhost Settings';
$wb["awstats_settings_txt"] = 'AWStats Settings';
$wb["firewall_txt"] = 'Firewall';
?>
interface/web/admin/templates/server_config_server_edit.htm
@@ -33,6 +33,12 @@
                <p class="formHint">{tmpl_var name='nameservers_hint_txt'}</p>
            </div>
      <div class="ctrlHolder">
          <label for="firewall">{tmpl_var name='firewall_txt'}</label>
        <select name="firewall" id="firewall" class="selectInput">
                    {tmpl_var name='firewall'}
                </select>
      </div>
      <div class="ctrlHolder">
          <label for="loglevel">{tmpl_var name='loglevel_txt'}</label>
        <select name="loglevel" id="loglevel" class="selectInput">
                    {tmpl_var name='loglevel'}
server/lib/classes/system.inc.php
@@ -1271,6 +1271,16 @@
        }
        
    }
    //* Check if a application is installed
    function is_installed($appname) {
        exec('which '.escapeshellcmd($appname).' 2> /dev/null',$out,$returncode);
        if(isset($out[0]) && stristr($out[0],$appname) && $returncode == 0) {
            return true;
        } else {
            return false;
        }
    }
}
?>
server/plugins-available/firewall_plugin.inc.php
@@ -30,12 +30,12 @@
class firewall_plugin {
    
    var $plugin_name = 'firewall_plugin';
    var $class_name  = 'firewall_plugin';
    private $plugin_name = 'firewall_plugin';
    private $class_name  = 'firewall_plugin';
    
    //* This function is called during ispconfig installation to determine
    //  if a symlink shall be created for this plugin.
    function onInstall() {
    public function onInstall() {
        global $conf;
        
        if($conf['bastille']['installed'] = true && $conf['services']['firewall'] == true) {
@@ -51,7 +51,7 @@
         This function is called when the plugin is loaded
    */
    
    function onLoad() {
    public function onLoad() {
        global $app;
        
        /*
@@ -62,51 +62,182 @@
        $app->plugins->registerEvent('firewall_insert',$this->plugin_name,'insert');
        $app->plugins->registerEvent('firewall_update',$this->plugin_name,'update');
        $app->plugins->registerEvent('firewall_delete',$this->plugin_name,'delete');
    }
    
    
    function insert($event_name,$data) {
    public function insert($event_name,$data) {
        global $app, $conf;
        
        $this->update($event_name,$data);
        
    }
    
    function update($event_name,$data) {
    public function update($event_name,$data) {
        global $app, $conf;
        
        $tcp_ports = '';
        $udp_ports = '';
        //* load the server configuration options
        $app->uses('getconf');
        $server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
        if($server_config['firewall'] == 'ufw') {
            $this->ufw_update($event_name,$data);
        } else {
            $this->bastille_update($event_name,$data);
        }
        
        $ports = explode(',',$data['new']['tcp_port']);
        if(is_array($ports)) {
            foreach($ports as $p) {
                if(strstr($p,':')) {
                    $p_parts = explode(':',$p);
                    $p_clean = intval($p_parts[0]).':'.intval($p_parts[1]);
                } else {
                    $p_clean = intval($p);
                }
                $tcp_ports .= $p_clean . ' ';
    }
    public function delete($event_name,$data) {
        global $app, $conf;
        //* load the server configuration options
        $app->uses('getconf');
        $server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
        if($server_config['firewall'] == 'ufw') {
            $this->ufw_delete($event_name,$data);
        } else {
            $this->bastille_delete($event_name,$data);
        }
    }
    private function ufw_update($event_name,$data) {
        global $app, $conf;
        $app->uses('system');
        if(!$app->system->is_installed('ufw')) {
            $app->log('UFW Firewall is not installed',LOGLEVEL_WARN);
            return false;
        }
        exec('ufw --version',$out);
        $parts = explode(' ',$out[0]);
        $ufwversion = $parts[1];
        unset($parts);
        unset($out);
        if(version_compare ( $ufwversion , '0.30') < 0) {
            $app->log('The installed UFW Firewall version is too old. Minimum required version 0.30',LOGLEVEL_WARN);
            return false;
        }
        //* Basic firewall setup when the firewall is added the first time
        if($event_name == 'firewall_insert') {
            exec('ufw --force disable');
            exec('ufw --force reset');
            exec('ufw default deny incoming');
            exec('ufw default allow outgoing');
        }
        $tcp_ports_new = $this->clean_ports($data['new']['tcp_port'],',');
        $tcp_ports_old = $this->clean_ports($data['old']['tcp_port'],',');
        $udp_ports_new = $this->clean_ports($data['new']['udp_port'],',');
        $udp_ports_old = $this->clean_ports($data['old']['udp_port'],',');
        $tcp_ports_new_array = explode(',',$tcp_ports_new);
        $tcp_ports_old_array = explode(',',$tcp_ports_old);
        $udp_ports_new_array = explode(',',$udp_ports_new);
        $udp_ports_old_array = explode(',',$udp_ports_old);
        //* add tcp ports
        foreach($tcp_ports_new_array as $port) {
            if(!in_array($port,$tcp_ports_old_array) && $port > 0) {
                exec('ufw allow '.$port.'/tcp');
                $app->log('ufw allow '.$port.'/tcp',LOGLEVEL_DEBUG);
                sleep(1);
            }
        }
        $tcp_ports = trim($tcp_ports);
        
        $ports = explode(',',$data['new']['udp_port']);
        if(is_array($ports)) {
            foreach($ports as $p) {
                if(strstr($p,':')) {
                    $p_parts = explode(':',$p);
                    $p_clean = intval($p_parts[0]).':'.intval($p_parts[1]);
                } else {
                    $p_clean = intval($p);
                }
                $udp_ports .= $p_clean . ' ';
        //* remove tcp ports
        foreach($tcp_ports_old_array as $port) {
            if(!in_array($port,$tcp_ports_new_array) && $port > 0) {
                exec('ufw delete allow '.$port.'/tcp');
                $app->log('ufw delete allow '.$port.'/tcp',LOGLEVEL_DEBUG);
                sleep(1);
            }
        }
        $udp_ports = trim($udp_ports);
        //* add udp ports
        foreach($udp_ports_new_array as $port) {
            if(!in_array($port,$udp_ports_old_array) && $port > 0) {
                exec('ufw allow '.$port.'/udp');
                $app->log('ufw allow '.$port.'/udp',LOGLEVEL_DEBUG);
                sleep(1);
            }
        }
        //* remove udp ports
        foreach($udp_ports_old_array as $port) {
            if(!in_array($port,$udp_ports_new_array) && $port > 0) {
                exec('ufw delete allow '.$port.'/udp');
                $app->log('ufw delete allow '.$port.'/udp',LOGLEVEL_DEBUG);
                sleep(1);
            }
        }
        /*
        if($tcp_ports_new != $tcp_ports_old) {
            exec('ufw allow to any proto tcp port '.$tcp_ports_new);
            $app->log('ufw allow to any proto tcp port '.$tcp_ports_new,LOGLEVEL_DEBUG);
            if($event_name == 'firewall_update') {
                exec('ufw delete allow to any proto tcp port '.$tcp_ports_old);
                $app->log('ufw delete allow to any proto tcp port '.$tcp_ports_old,LOGLEVEL_DEBUG);
            }
        }
        if($udp_ports_new != $udp_ports_old) {
            exec('ufw allow to any proto udp port '.$udp_ports_new);
            $app->log('ufw allow to any proto udp port '.$udp_ports_new,LOGLEVEL_DEBUG);
            if($event_name == 'firewall_update') {
                exec('ufw delete allow to any proto udp port '.$udp_ports_old);
                $app->log('ufw delete allow to any proto udp port '.$udp_ports_old,LOGLEVEL_DEBUG);
            }
        }
        */
        if($data['new']['active'] == 'y') {
            if($data['new']['active'] == $data['old']['active']) {
                exec('ufw reload');
                $app->log('Reloading the firewall',LOGLEVEL_DEBUG);
            } else {
                //* Ensure that bastille firewall is stopped
                exec($conf['init_scripts'] . '/' . 'bastille-firewall stop');
                if(@is_file('/etc/debian_version')) exec('update-rc.d -f bastille-firewall remove');
                //* Start ufw firewall
                exec('ufw --force enable');
                $app->log('Starting the firewall',LOGLEVEL_DEBUG);
            }
        } else {
            exec('ufw disable');
            $app->log('Stopping the firewall',LOGLEVEL_DEBUG);
        }
    }
    private function ufw_delete($event_name,$data) {
        global $app, $conf;
        $app->uses('system');
        if(!$app->system->is_installed('ufw')) {
            $app->log('UFW Firewall is not installed',LOGLEVEL_DEBUG);
            return false;
        }
        exec('ufw --force reset');
        exec('ufw disable');
        $app->log('Stopping the firewall',LOGLEVEL_DEBUG);
    }
    private function bastille_update($event_name,$data) {
        global $app, $conf;
        $app->uses('system');
        $tcp_ports = $this->clean_ports($data['new']['tcp_port'],' ');
        $udp_ports = $this->clean_ports($data['new']['udp_port'],' ');
        
        $app->load('tpl');
        $tpl = new tpl();
@@ -120,6 +251,10 @@
        unset($tpl);
        
        if($data['new']['active'] == 'y') {
            //* ensure that ufw firewall is disabled in case both firewalls are installed
            if($app->system->is_installed('ufw')) {
                exec('ufw disable');
            }
            exec($conf['init_scripts'] . '/' . 'bastille-firewall restart');
            if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall defaults');
            $app->log('Restarting the firewall',LOGLEVEL_DEBUG);
@@ -132,7 +267,7 @@
        
    }
    
    function delete($event_name,$data) {
    private function bastille_delete($event_name,$data) {
        global $app, $conf;
        
        exec($conf['init_scripts'] . '/' . 'bastille-firewall stop');
@@ -142,6 +277,34 @@
    }
    
    
    private function clean_ports($portlist,$spacer) {
        $ports = explode(',',$portlist);
        $ports_out = '';
        if(is_array($ports)) {
            foreach($ports as $p) {
                $p_clean = '';
                if(strstr($p,':')) {
                    $p_parts = explode(':',$p);
                    $tmp_lower = intval($p_parts[0]);
                    $tmp_higher = intval($p_parts[1]);
                    if($tmp_lower > 0 && $tmp_lower <= 65535 && $tmp_higher > 0 && $tmp_higher <= 65535 && $tmp_lower < $tmp_higher) {
                        $p_clean = $tmp_lower.':'.$tmp_higher;
                    }
                } else {
                    $tmp = intval($p);
                    if($tmp > 0 && $tmp <= 65535) {
                        $p_clean = $tmp;
                    }
                }
                if($p_clean != '') $ports_out .= $p_clean . $spacer;
            }
        }
        return substr($ports_out,0,strlen($spacer)*-1);
    }
    
} // end class