/alcasar.sh |
---|
456,12 → 456,14 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# create the filter exxeption file |
# create the filter exception file and ip_bloqued file |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW) |
echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked |
# load conntrack ftp module |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
echo "ip_conntrack_ftp" >> /etc/modprobe.preload |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
################################################################## |
1401,7 → 1403,7 |
# sshd écoute côté LAN et WAN |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on) |
# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on) |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $CONF_FILE |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE |
1409,7 → 1411,6 |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE |
echo "EXT_LAN_FILTERING=off" >> $CONF_FILE |
echo "DNS_FILTERING=off" >> $CONF_FILE |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
# Coloration des prompts |
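Review bot: The new `echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked` in the 456 hunk truncates the blocklist unconditionally, whereas the exceptions file on the line above is only `touch`ed; if the installer is re-run over an existing installation, every address an administrator has blocked is silently dropped unless alcasar-conf.sh saves and restores that file, which this commit does not show. Guarding the write, `[ -e "$DIR_DEST_ETC/alcasar-ip-blocked" ] || echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > "$DIR_DEST_ETC/alcasar-ip-blocked"`, keeps the first-install seed line while preserving an existing list, and quotes the redirection target. The 1409 hunk's removal of `EXT_LAN_FILTERING=off` is consistent with the migration in alcasar-conf.sh. The enclosing `network()` function begins before the hunk; only its closing brace is visible.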
/CHANGELOG |
---|
5,7 → 5,7 |
Bugs |
- "username" in "userinfo" table is varchar(64) like in others tables of ALCASAR database. |
- "activity.php" : don't print "private_ip_address". Update with new "chilli_query" output |
- re-activation of COA between radius and coova. |
- re-activation of COA between radius and coova (radius disconnect the users directly). |
Improve core |
- all "alcasar.info" becomes "alcasar.net" in code |
- change the order of http chain (DG --> squid --> HAVP --> Internet) more réactivity and less charge of CPU |
14,7 → 14,8 |
- The IP addresses in the consultation network are dynamicly allocated. Static ip can be reserved in the Alcasar Control Center |
- The script "alcasar-https.sh {-on|-off}" enable or disable encryption on authentication flows |
- Exceptions of authentication are now managed by Radius (like other users) |
- A file containing @network/@Host to be blocked is integrated in the firewall's main script. |
- @network and @Host can be blocked by the firewall (conf file : etc/alcasar-ip-blocked). Alacasar Control Center is updated. |
- the filtering of LAN betwenne ALCASAR and the Internet GW is no more need. |
---------------------- 2.5 -------------------- |
Bugs |
- watchdog of Daemons for service's test |
/scripts/alcasar-conf.sh |
---|
174,11 → 174,8 |
fi |
cp $CONF_FILE $DIR_UPDATE/etc/ |
fi |
# le paramêtre 'EXT_LAN_FILTERING' n'existe que depuis la V2.5 |
param_ext_lan_filtering=`grep EXT_LAN_FILTERING $DIR_UPDATE/etc/alcasar.conf|wc -l` |
if [ $param_ext_lan_filtering -eq "0" ]; then |
echo "EXT_LAN_FILTERING=off" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
# le paramêtre 'EXT_LAN_FILTERING' n'existe plus depuis la V2.6 |
$SED "/^EXT_LAN/d" $DIR_UPDATE/etc/alcasar.conf |
# le répertoire "ISO" est remplacé par "system_backup" suite à la suppression de "mondoarchive" (V2.5) |
rm -rf /var/Save/ISO |
# création de l'archive et copie dans le répertoire WEB associé |
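Review bot: The deletion added at the end of the hunk, `$SED "/^EXT_LAN/d" $DIR_UPDATE/etc/alcasar.conf`, matches any line that starts with `EXT_LAN`, not only the retired parameter, so any other key with that prefix in a migrated configuration would be removed without notice; anchoring on the full key, `$SED "/^EXT_LAN_FILTERING=/d" "$DIR_UPDATE/etc/alcasar.conf"`, limits the cleanup to what the comment describes and quotes the path. Whether this edits the file in place depends on how `$SED` is defined earlier in the script, outside the hunk. The `if` whose `fi` opens the hunk also begins before it.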
/web/acc/admin/net_filter.php |
---|
100,56 → 100,51 |
exec ("sudo /usr/local/sbin/alcasar-nf.sh -off"); |
break; |
case 'new_port' : |
$_POST['add_proto'] = str_replace (CHR(32),"-",$_POST['add_proto']); |
if ((trim($_POST['add_port']) != "80") and ($_POST['add_port'] != "") and ($_POST['add_proto'] != "") and (is_numeric($_POST['add_port']))) |
{ |
$_POST['add_proto'] = str_replace (CHR(32),"-",$_POST['add_proto']); |
$tab=file(SERVICES_LIST); |
if ($tab) |
$insert = true; |
if ($tab) // file isn't empty |
{ |
$pointeur=fopen(SERVICES_LIST,"r"); |
// test if port doesn't already exist |
$insert = true; |
foreach ($tab as $line) |
foreach ($tab as $line) //test if port doesn't already exist |
{ |
$proto_f=explode(" ", $line); |
if (trim($_POST['add_port']) == trim($proto_f[1])) {$insert = false;} |
} |
fclose($pointeur); |
if ($insert == true) |
{ |
$line = "\n" . "#" . trim($_POST['add_proto']) . " " . trim($_POST['add_port']); |
$pointeur=fopen(SERVICES_LIST,"a"); |
fwrite ($pointeur, $line); |
fclose ($pointeur); |
exec ("sudo /usr/local/bin/alcasar-file-clean.sh"); |
} |
} |
if ($insert == true) |
{ |
$line = "\n" . "#" . trim($_POST['add_proto']) . " " . trim($_POST['add_port']); |
$pointeur=fopen(SERVICES_LIST,"a"); |
fwrite ($pointeur, $line); |
fclose ($pointeur); |
exec ("sudo /usr/local/bin/alcasar-file-clean.sh"); |
} |
} |
break; |
case 'new_ip' : |
if (trim($_POST['add_ip']) != "") |
{ |
$_POST['add_comment'] = str_replace (CHR(32),"-",$_POST['add_comment']); |
$tab=file(IP_BLOCKED); |
if ($tab) |
$insert = true; |
if ($tab) // file isn't empty |
{ |
$pointeur=fopen(IP_BLOCKED,"r"); |
// test if IP doesn't already exist |
$insert = true; |
foreach ($tab as $line) |
foreach ($tab as $line) // test if IP address doesn't already exist |
{ |
$IP_f=explode("#", $line); |
if (trim($_POST['add_ip']) == trim($IP_f[0])) {$insert = false;} |
$IP_f=explode(" ", $line); |
if (trim($_POST['add_ip']) == trim(trim($IP_f[0],"#"))) {$insert = false;} |
} |
fclose($pointeur); |
if ($insert == true) |
{ |
$line ="\n" . trim($_POST['add_ip']) . " # " . trim($_POST['add_comment']); |
$pointeur=fopen(IP_BLOCKED,"a"); |
fwrite ($pointeur, $line); |
fclose ($pointeur); |
exec ("sudo /usr/local/bin/alcasar-file-clean.sh"); |
} |
} |
if ($insert == true) |
{ |
$line ="\n" . "#".trim($_POST['add_ip']) . " " . trim($_POST['add_comment']); |
$pointeur=fopen(IP_BLOCKED,"a"); |
fwrite ($pointeur, $line); |
fclose ($pointeur); |
exec ("sudo /usr/local/bin/alcasar-file-clean.sh"); |
} |
} |
break; |
case 'change_port' : |
171,7 → 166,6 |
if ($name_svc1 == $name_svc2) |
{ |
$remove_line = True; |
break; |
} |
} |
if (strstr($key,'chk-')) |
193,7 → 187,7 |
} |
fclose($pointeur); |
} |
exec ("sudo /usr/local/sbin/alcasar-nf.sh -on"); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh -on"); |
break; |
case 'change_ip' : |
$tab=file(IP_BLOCKED); |
208,6 → 202,7 |
$actif = False; $remove_line = false; |
foreach ($_POST as $key => $value) |
{ |
$key = str_replace ("_",".",$key); // dot are replace by '_' in post request |
if (strstr($key,'del-')) |
{ |
$ip_blocked2 = str_replace('del-','',$key); |
236,7 → 231,7 |
} |
fclose($pointeur); |
} |
#exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
break; |
} |
# default values |
301,9 → 296,10 |
{ |
$blocked_ip=explode(" ", $line); |
$ip_addr=trim($blocked_ip[0],"#"); |
echo "<tr><td>$ip_addr<td>$blocked_ip[1]"; |
$comment=trim($blocked_ip[1]); |
if ($comment ==''){$comment=" ";} |
echo "<tr><td>$ip_addr<td>$comment"; |
echo "<td><input type='checkbox' name='chk-$ip_addr'"; |
// if the line is commented -> IP adress is not blocked |
if (preg_match('/^#/',$line, $r)) { |
echo ">";} |
else { |
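Review bot: In the `new_ip` case of the first hunk, `$_POST['add_ip']` is still only checked for being non-empty before it is appended to IP_BLOCKED as `"#".trim($_POST['add_ip']) . " " . trim($_POST['add_comment'])`, and this commit's changelog states that file is now integrated into the firewall's main script; `trim()` removes neither embedded newlines nor arbitrary text, so a malformed or multi-line value from the admin form becomes extra lines in a file consumed by a root shell script. The `new_port` case in the same hunk already validates its input with `is_numeric`, so the IP branch should do the equivalent before `$tab=file(IP_BLOCKED)`: `$add_ip = trim($_POST['add_ip']); if (!filter_var($add_ip, FILTER_VALIDATE_IP) && !preg_match('#^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$#', $add_ip)) break;` (a stricter prefix check can replace the constructed regex), and `add_comment` should have newlines stripped in the same `str_replace` that already replaces spaces. The duplicate test at `trim(trim($IP_f[0],"#"))` and the final write would then use the validated `$add_ip`. The enclosing `switch` opens before the hunk and appears to close in the 236 hunk.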