
Ignore whitespace Rev 859 → Rev 860

/alcasar.sh
456,12 → 456,14
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
# create the filter exxeption file
# create the filter exception file and ip_bloqued file
touch $DIR_DEST_ETC/alcasar-filter-exceptions
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
# load conntrack ftp module
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
echo "ip_conntrack_ftp" >> /etc/modprobe.preload
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
 
##################################################################
1401,7 → 1403,7
# sshd écoute côté LAN et WAN
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)
# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
/sbin/chkconfig --del sshd
echo "SSH=off" >> $CONF_FILE
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
1409,7 → 1411,6
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
echo "EXT_LAN_FILTERING=off" >> $CONF_FILE
echo "DNS_FILTERING=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
# Coloration des prompts
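Review bot: The entry written by `echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked` begins with `#`, which net_filter.php in this same revision treats as "commented, i.e. not blocked", so the file is seeded with an inactive entry; the comment above it should say so, e.g. `# create the ip_blocked file with a first, commented (= inactive) entry: the LAN between ALCASAR and the Internet GW`. The redirect target on that new line is unquoted, consistent with the rest of the script, but `"$DIR_DEST_ETC/alcasar-ip-blocked"` on the new line would keep a path containing whitespace from producing a stray file. The network() function closed by `} # End of network ()` starts outside the first hunk; the third hunk only drops the EXT_LAN_FILTERING default, which matches the removal in alcasar-conf.sh in this revision.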
/CHANGELOG
5,7 → 5,7
Bugs
- "username" in "userinfo" table is varchar(64) like in others tables of ALCASAR database.
- "activity.php" : don't print "private_ip_address". Update with new "chilli_query" output
- re-activation of COA between radius and coova.
- re-activation of COA between radius and coova (radius disconnect the users directly).
Improve core
- all "alcasar.info" becomes "alcasar.net" in code
- change the order of http chain (DG --> squid --> HAVP --> Internet) more réactivity and less charge of CPU
14,7 → 14,8
- The IP addresses in the consultation network are dynamicly allocated. Static ip can be reserved in the Alcasar Control Center
- The script "alcasar-https.sh {-on|-off}" enable or disable encryption on authentication flows
- Exceptions of authentication are now managed by Radius (like other users)
- A file containing @network/@Host to be blocked is integrated in the firewall's main script.
- @network and @Host can be blocked by the firewall (conf file : etc/alcasar-ip-blocked). Alacasar Control Center is updated.
- the filtering of LAN betwenne ALCASAR and the Internet GW is no more need.
---------------------- 2.5 --------------------
Bugs
- watchdog of Daemons for service's test
/scripts/alcasar-conf.sh
174,11 → 174,8
fi
cp $CONF_FILE $DIR_UPDATE/etc/
fi
# le paramêtre 'EXT_LAN_FILTERING' n'existe que depuis la V2.5
param_ext_lan_filtering=`grep EXT_LAN_FILTERING $DIR_UPDATE/etc/alcasar.conf|wc -l`
if [ $param_ext_lan_filtering -eq "0" ]; then
echo "EXT_LAN_FILTERING=off" >> $DIR_UPDATE/etc/alcasar.conf
fi
# le paramêtre 'EXT_LAN_FILTERING' n'existe plus depuis la V2.6
$SED "/^EXT_LAN/d" $DIR_UPDATE/etc/alcasar.conf
# le répertoire "ISO" est remplacé par "system_backup" suite à la suppression de "mondoarchive" (V2.5)
rm -rf /var/Save/ISO
# création de l'archive et copie dans le répertoire WEB associé
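Review bot: The deletion pattern in `$SED "/^EXT_LAN/d" $DIR_UPDATE/etc/alcasar.conf` matches any key starting with EXT_LAN, not only EXT_LAN_FILTERING, so any future EXT_LAN* setting would be silently dropped during an upgrade; anchor it on the full key and quote the path: `$SED "/^EXT_LAN_FILTERING=/d" "$DIR_UPDATE/etc/alcasar.conf"`. The `fi` lines at the top of the hunk close conditionals that begin outside it, so the context around the removed V2.5 compatibility block is not fully visible here.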
/web/acc/admin/net_filter.php
100,56 → 100,51
exec ("sudo /usr/local/sbin/alcasar-nf.sh -off");
break;
case 'new_port' :
$_POST['add_proto'] = str_replace (CHR(32),"-",$_POST['add_proto']);
if ((trim($_POST['add_port']) != "80") and ($_POST['add_port'] != "") and ($_POST['add_proto'] != "") and (is_numeric($_POST['add_port'])))
{
$_POST['add_proto'] = str_replace (CHR(32),"-",$_POST['add_proto']);
$tab=file(SERVICES_LIST);
if ($tab)
$insert = true;
if ($tab) // file isn't empty
{
$pointeur=fopen(SERVICES_LIST,"r");
// test if port doesn't already exist
$insert = true;
foreach ($tab as $line)
foreach ($tab as $line) //test if port doesn't already exist
{
$proto_f=explode(" ", $line);
if (trim($_POST['add_port']) == trim($proto_f[1])) {$insert = false;}
}
fclose($pointeur);
if ($insert == true)
{
$line = "\n" . "#" . trim($_POST['add_proto']) . " " . trim($_POST['add_port']);
$pointeur=fopen(SERVICES_LIST,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
}
}
if ($insert == true)
{
$line = "\n" . "#" . trim($_POST['add_proto']) . " " . trim($_POST['add_port']);
$pointeur=fopen(SERVICES_LIST,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
}
}
break;
case 'new_ip' :
if (trim($_POST['add_ip']) != "")
{
$_POST['add_comment'] = str_replace (CHR(32),"-",$_POST['add_comment']);
$tab=file(IP_BLOCKED);
if ($tab)
$insert = true;
if ($tab) // file isn't empty
{
$pointeur=fopen(IP_BLOCKED,"r");
// test if IP doesn't already exist
$insert = true;
foreach ($tab as $line)
foreach ($tab as $line) // test if IP address doesn't already exist
{
$IP_f=explode("#", $line);
if (trim($_POST['add_ip']) == trim($IP_f[0])) {$insert = false;}
$IP_f=explode(" ", $line);
if (trim($_POST['add_ip']) == trim(trim($IP_f[0],"#"))) {$insert = false;}
}
fclose($pointeur);
if ($insert == true)
{
$line ="\n" . trim($_POST['add_ip']) . " # " . trim($_POST['add_comment']);
$pointeur=fopen(IP_BLOCKED,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
}
}
if ($insert == true)
{
$line ="\n" . "#".trim($_POST['add_ip']) . " " . trim($_POST['add_comment']);
$pointeur=fopen(IP_BLOCKED,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
}
}
break;
case 'change_port' :
171,7 → 166,6
if ($name_svc1 == $name_svc2)
{
$remove_line = True;
break;
}
}
if (strstr($key,'chk-'))
193,7 → 187,7
}
fclose($pointeur);
}
exec ("sudo /usr/local/sbin/alcasar-nf.sh -on");
exec ("sudo /usr/local/bin/alcasar-iptables.sh -on");
break;
case 'change_ip' :
$tab=file(IP_BLOCKED);
208,6 → 202,7
$actif = False; $remove_line = false;
foreach ($_POST as $key => $value)
{
$key = str_replace ("_",".",$key); // dot are replace by '_' in post request
if (strstr($key,'del-'))
{
$ip_blocked2 = str_replace('del-','',$key);
236,7 → 231,7
}
fclose($pointeur);
}
#exec ("sudo /usr/local/bin/alcasar-iptables.sh");
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
break;
}
# default values
301,9 → 296,10
{
$blocked_ip=explode(" ", $line);
$ip_addr=trim($blocked_ip[0],"#");
echo "<tr><td>$ip_addr<td>$blocked_ip[1]";
$comment=trim($blocked_ip[1]);
if ($comment ==''){$comment="&nbsp;";}
echo "<tr><td>$ip_addr<td>$comment";
echo "<td><input type='checkbox' name='chk-$ip_addr'";
// if the line is commented -> IP adress is not blocked
if (preg_match('/^#/',$line, $r)) {
echo ">";}
else {
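Review bot: In the new `case 'new_ip'` branch the only check before `$_POST['add_ip']` is appended to IP_BLOCKED is `trim($_POST['add_ip']) != ""`, and `$_POST['add_comment']` only has spaces replaced by `-`, so any submitted value — including one containing newlines or a leading `#` — lands verbatim in the file the firewall script reads; validate the address before the duplicate test, e.g. `$add_ip = trim($_POST['add_ip']);` followed by `if ($add_ip != "" && preg_match('/^[0-9]{1,3}(\.[0-9]{1,3}){3}(\/[0-9]{1,2})?$/', $add_ip))`, and restrict the comment to a safe character set the same way. The new duplicate test `trim(trim($IP_f[0],"#"))` handles both commented and active entries, but since `$insert = true` now precedes `if ($tab)`, a missing or unreadable file (where file() returns false) goes straight to the append, which is presumably intended for an empty file but should be confirmed for the error case. The `change_port` branch now runs `alcasar-iptables.sh -on` while `change_ip` runs it with no argument; confirm the script accepts `-on`, otherwise one of the two calls is wrong. The enclosing `switch` begins before the first hunk.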