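// Stop the distribution's own ip6tables service.
// NOTE(review): the result of this command (and of the fail2ban start below)
// is discarded, so a failure here goes unnoticed.
`service ip6tables stop`;

// Start fail2ban if we can
`service fail2ban start`;

// Make sure our conntrack kernel module is configured correctly
// NOTE(review): this is a bare relative include and, unlike the two class
// files below, it is not resolved through $v->checkFile() first. What
// checkFile() verifies is not visible here; confirm that skipping it for
// modprobe.php is intended.
include 'modprobe.php';
$m = new \FreePBX\Firewall\Modprobe();
$m->checkModules();
unset($m);

$path = $v->checkFile("Services.class.php");
include $path;
$services = new \FreePBX\modules\Firewall\Services();

// Now, start by grabbing our interfaces, and making sure
// they are configured correctly.
$path = $v->checkFile("Network.class.php");
include $path;
$nets = new \FreePBX\modules\Firewall\Network();
$known = $nets->discoverInterfaces();
foreach ($known as $int => $conf) {
    if (!isset($conf['config']['ZONE']) || !isValidZone($conf['config']['ZONE'])) {
        // NOTE(review): an interface with a missing or invalid ZONE is
        // written back as "trusted". If "trusted" is the most permissive zone
        // (presumably; confirm against the zone definitions), this default
        // fails open for interfaces that were never configured.
        $nets->updateInterfaceZone($int, "trusted");
        $zone = "trusted";
    } else {
        $zone = $conf['config']['ZONE'];
    }
    $driver->changeInterfaceZone($int, $zone);
}

// Same for our known networks
// $nets is reused here: from this point it holds the decoded network map,
// no longer the Network object created above.
$nets = array();
if (!empty($fwconf['networkmaps']) && is_string($fwconf['networkmaps'])) {
    // Only accept a decoded array. Malformed JSON decodes to null, which
    // would otherwise replace the empty-array default set above.
    $decoded = json_decode($fwconf['networkmaps'], true);
    if (is_array($decoded)) {
        $nets = $decoded;
    }
}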
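/**
 * Put an interface into a firewall zone.
 *
 * Removes every existing "-i <iface> -j zone-*" rule from the fpbxinterfaces
 * chain (IPv4 and IPv6), appends one rule pointing at zone-<newzone>, keeps
 * the cached rule list from getCurrentIptables() in step, and finally records
 * the zone through Network::updateInterfaceZone().
 *
 * NOTE(review): both arguments end up in command lines passed to exec().
 * Callers are not visible here, so the values are shell-quoted below rather
 * than assumed to be clean.
 *
 * @param string|false $iface   Interface name, e.g. "eth0"
 * @param string|false $newzone Zone name without the "zone-" prefix
 */
public function changeInterfaceZone($iface = false, $newzone = false) {
    $this->checkFpbxFirewall();
    $this->checkTarget("zone-{$newzone}");

    // Interfaces are checked AFTER networks, so that source networks
    // can override default interface inputs.

    // First, see if we know about this interface, and delete it if we do.
    $current =& $this->getCurrentIptables();

    // This is the policy we want to remove
    $p = "-i {$iface} -j zone-";

    // Quoted copies for the command line only. The cached rule text keeps the
    // raw form so the prefix match on $p still works on later calls.
    $safeIface = escapeshellarg((string) $iface);
    $safeTarget = escapeshellarg("zone-{$newzone}");

    // Remove from both ipv4 and ipv6.
    $ipvers = array("ipv6" => "/sbin/ip6tables", "ipv4" => "/sbin/iptables");
    foreach ($ipvers as $ipv => $ipt) {
        $interfaces =& $current[$ipv]['filter']['fpbxinterfaces'];
        // Taking the reference creates a null entry if the chain was not
        // cached yet; normalise to a zero-based list in rule order.
        $interfaces = is_array($interfaces) ? array_values($interfaces) : array();

        // Walk from the last rule to the first. Deleting rule N renumbers
        // every rule after it, so a forward walk with the original positions
        // would delete the wrong rule as soon as the same interface appears
        // more than once. Going backwards keeps the positions still to be
        // visited valid.
        for ($i = count($interfaces) - 1; $i >= 0; $i--) {
            if (strpos($interfaces[$i], $p) !== 0) {
                continue;
            }
            // Found it! Remove it from the cached list...
            array_splice($interfaces, $i, 1);
            // ...and from real life. iptables rule numbers start at 1.
            $rulenum = $i + 1;
            $cmd = "{$ipt} -D fpbxinterfaces {$rulenum}";
            $this->l($cmd);
            $output = null;
            exec($cmd, $output, $ret);
            if ($ret !== 0) {
                $this->l("Command failed with exit code {$ret}: {$cmd}");
            }
            // No break: every entry for this interface has to go.
        }

        // Now we can just add it.
        $cmd = "{$ipt} -A fpbxinterfaces -i {$safeIface} -j {$safeTarget}";
        $this->l($cmd);
        $output = null;
        exec($cmd, $output, $ret);
        if ($ret !== 0) {
            $this->l("Command failed with exit code {$ret}: {$cmd}");
        }
        $interfaces[] = "{$p}{$newzone}";
    }

    $net = new \FreePBX\modules\Firewall\Network();
    $net->updateInterfaceZone($iface, $newzone);
}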