FLI4L - OPT_PORTBLOCK by Daniel Sokoll <fli4l@sirsocke.de>
---------------------------------------------------------------------------------

OPT_PORTBLOCK: open / block port groups via the web interface

OPT_PORTBLOCK is meant for setups in which different programs, each using
its own set of ports, are run at different times.

If only one of these programs is in use at a time, it is better to block all
ports that this program does not need. With OPT_PORTBLOCK you can create a
port group for each of these programs, give the groups names, and open or
block them via HTTPd.

Example:
Three programs are used with the following ports:
- FTP		ports: 21/tcp
- Program_2	ports: 410/tcp, 410/udp and 411/udp
- Program_3	ports: 417:419/tcp and 113/tcp (for ident)

Hint: blocking a port does not terminate connections that are already
established; only new connections on that port are affected.

Since version 1.3 the HTTPd access rights are used (see the HTTPd documentation):
Target: portblock
Right:  action


--- IMPORTANT! Before using OPT_PortBlock ---------------------------------------

All ports you want to control with OPT_PortBlock must first be opened by the
firewall rules in BASE.TXT, i.e. the FIREWALL_DENY_PORT_X ranges have to leave
exactly these ports out. OPT_PortBlock only adds and removes blocks on top of
that base rule set.

Example BASE.TXT (for ftp[21], auth[113], 410 and 417 to 419):

FIREWALL_DENY_PORT_N='5'	               	#no. of ports to reject/deny
FIREWALL_DENY_PORT_1='0:20		REJECT'	#privileged ports: reject or deny
FIREWALL_DENY_PORT_2='22:112 		REJECT'	#privileged ports: reject or deny
FIREWALL_DENY_PORT_3='114:409		REJECT'	#privileged ports: reject or deny
FIREWALL_DENY_PORT_4='412:416		REJECT'	#privileged ports: reject or deny
FIREWALL_DENY_PORT_5='420:1023		REJECT'	#privileged ports: reject or deny
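The deny ranges above are the complement of the ports that should stay
controllable (21, 113, 410, 411, 417 to 419) within the privileged range
0 to 1023. The following POSIX shell script is an added example, not part of
the OPT_PORTBLOCK package or of fli4l; it computes these FIREWALL_DENY_PORT_X
ranges from a list of ports and port ranges so that the gaps in BASE.TXT
match the PB_PORTRULE_X entries exactly. Function names (deny_ranges,
print_firewall_config) and the input format are assumptions of this example;
the resulting lines use the variable names shown above.

```shell
#!/bin/sh
# Added example, not part of OPT_PORTBLOCK: compute the FIREWALL_DENY_PORT_X
# ranges that deny every privileged port (0-1023) except the listed ones.
# Input: space-separated ports or lo:hi ranges, e.g. "21 113 410:411 417:419".
# Output: one range per line ("lo:hi", or a single port when lo == hi).
deny_ranges() {
    dr_open=$1
    # Expand the input into one port per line, sorted and de-duplicated.
    dr_expanded=$(for p in $dr_open; do
        case $p in
            *:*) lo=${p%:*}; hi=${p#*:} ;;
            *)   lo=$p; hi=$p ;;
        esac
        n=$lo
        while [ "$n" -le "$hi" ]; do echo "$n"; n=$((n + 1)); done
    done | sort -n | uniq)
    dr_start=0
    for p in $dr_expanded; do
        if [ "$p" -gt 1023 ]; then
            echo "port $p is outside the privileged range 0-1023" >&2
            return 1
        fi
        # Everything between the previous open port and this one is denied.
        if [ "$p" -gt "$dr_start" ]; then
            dr_end=$((p - 1))
            if [ "$dr_start" -eq "$dr_end" ]; then
                echo "$dr_start"
            else
                echo "$dr_start:$dr_end"
            fi
        fi
        dr_start=$((p + 1))
    done
    # Deny the rest of the privileged range after the last open port.
    if [ "$dr_start" -le 1023 ]; then
        echo "$dr_start:1023"
    fi
}

# Print the ranges as FIREWALL_DENY_PORT_N / FIREWALL_DENY_PORT_X lines
# in the BASE.TXT style used above (REJECT as the block type).
print_firewall_config() {
    pf_ranges=$(deny_ranges "$1") || return 1
    if [ -n "$pf_ranges" ]; then
        pf_count=$(printf '%s\n' "$pf_ranges" | wc -l | tr -d ' ')
    else
        pf_count=0
    fi
    printf "FIREWALL_DENY_PORT_N='%s'\n" "$pf_count"
    pf_i=1
    for r in $pf_ranges; do
        printf "FIREWALL_DENY_PORT_%d='%s\t\tREJECT'\n" "$pf_i" "$r"
        pf_i=$((pf_i + 1))
    done
}

# Constructed input: the ports of the three example programs from this file.
print_firewall_config '21 113 410:411 417:419'
```

Running the script prints the five FIREWALL_DENY_PORT_X lines shown above; if
the list of ports is changed later, re-running it keeps BASE.TXT consistent
with the port rules instead of hand-editing the ranges.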




--- The Variables ---------------------------------------------------------------

OPT_PORTBLOCK='yes'	# Parameter: [ yes / no ]
	Install OPT_PortBlock?


PB_PORTRULE_N='X'	# Parameter: [ NUMBER ]
	Number of port rules to define


PB_PORTRULE_X='ftp'	# Parameter: [ SERVICE / PORT / PORTRANGE ]
	Here you configure the port or service whose access from the Internet
	should be blocked. Important: if a service for the port exists in
	/ETC/SERVICES you have to use that service name instead of the number.
	Examples of services:
	Port:	Service:
	21	ftp
	80	www
	113	auth
	A port range is written with a ':':
	'417:419' means ports 417 - 419, i.e. ports 417, 418 and 419.
  	TOOL: at /doc/english/opt/portblock you can find an HTML/JavaScript tool
	      with which you can check whether a port has a service entry.


PB_PROTOCOL_X='tcp'	# Parameter: [ tcp / udp / both ]
	Choose the protocol: tcp, udp or both
	Important: if you configure a service by name ( /ETC/SERVICES ) you have
	to use the protocol that service is defined for, otherwise you will get
	ERRORS.
  	TOOL: at /doc/english/opt/portblock you can find an HTML/JavaScript tool
	      with which you can check whether a port has a service entry.


PB_DIRECTIO_X='both'	# Parameter: [ in / out / both ]
	Choose the firewall direction:
        in: from the Internet into the internal network
        out: from the internal network into the Internet
        both: block both directions

        IMPORTANT: if you are using more than one internal LAN, problems are
        possible, because PORTBLOCK uses MASQ_NETWORK from the masquerading
        section [ CONFIG/BASE.TXT ] as the internal network.


PB_GROUPCOUNT_N='X'	# Parameter: [ NUMBER ]
	Number of groups to create


PB_GROUP_NAME_X='FTP'	# Parameter: [ NAME ]
	Name of this group (shown in HTTPd)


PB_GROUPRULES_X='Y'	# Parameter: [ NUMBERS OF THE RULES ]
	Rules that belong to this group.
	To assign more than one rule, separate the single rules with a ';',
	e.g. '2;3'.
	To assign a range of rules, e.g. 3 to 5: '3-5'.
	Combinations are also allowed, e.g. '1;3-5;8', which assigns the rules
	1, 3, 4, 5 and 8 to this group.
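To make the rule/group model above concrete, here is a POSIX shell script
written as an added example; it is not code from the OPT_PORTBLOCK package
or from fli4l. It contains a constructed configuration for the three example
programs (FTP, Program_2, Program_3) using the variables documented in this
file, and a function expand_grouprules (an assumed name) that turns a
PB_GROUPRULES_X value such as '1;3-5;8' into the list of rule numbers, while
rejecting malformed entries and rule numbers above PB_PORTRULE_N, which is
the kind of mistake that would otherwise leave a port unblocked without any
visible error in the web interface.

```shell
#!/bin/sh
# Added example, not part of OPT_PORTBLOCK. Constructed configuration for the
# three example programs: FTP (21/tcp), Program_2 (410/tcp, 410/udp, 411/udp),
# Program_3 (417:419/tcp and 113/tcp = auth in /etc/services).
PB_PORTRULE_N='5'
PB_PORTRULE_1='ftp'      PB_PROTOCOL_1='tcp'  PB_DIRECTIO_1='in'
PB_PORTRULE_2='410'      PB_PROTOCOL_2='both' PB_DIRECTIO_2='in'
PB_PORTRULE_3='411'      PB_PROTOCOL_3='udp'  PB_DIRECTIO_3='in'
PB_PORTRULE_4='417:419'  PB_PROTOCOL_4='tcp'  PB_DIRECTIO_4='in'
PB_PORTRULE_5='auth'     PB_PROTOCOL_5='tcp'  PB_DIRECTIO_5='in'

PB_GROUPCOUNT_N='3'
PB_GROUP_NAME_1='FTP'        PB_GROUPRULES_1='1'
PB_GROUP_NAME_2='Program_2'  PB_GROUPRULES_2='2;3'
PB_GROUP_NAME_3='Program_3'  PB_GROUPRULES_3='4-5'

# is_number VALUE: true if VALUE is a non-empty string of digits.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# expand_grouprules SPEC MAX: expand a PB_GROUPRULES_X value ('1;3-5;8')
# into a space-separated, ascending-per-part list of rule numbers.
# Every number must be between 1 and MAX (PB_PORTRULE_N). Returns 1 and
# prints a message on stderr for malformed parts or out-of-range numbers.
expand_grouprules() {
    gr_spec=$1
    gr_max=$2
    gr_out=""
    gr_oldifs=$IFS
    IFS=';'
    for gr_part in $gr_spec; do
        case $gr_part in
            *-*) gr_lo=${gr_part%-*}; gr_hi=${gr_part#*-} ;;
            *)   gr_lo=$gr_part;      gr_hi=$gr_part ;;
        esac
        if ! is_number "$gr_lo" || ! is_number "$gr_hi" \
           || [ "$gr_lo" -gt "$gr_hi" ]; then
            IFS=$gr_oldifs
            echo "invalid rule specification: '$gr_part'" >&2
            return 1
        fi
        if [ "$gr_lo" -lt 1 ] || [ "$gr_hi" -gt "$gr_max" ]; then
            IFS=$gr_oldifs
            echo "rule numbers in '$gr_part' must be within 1..$gr_max" >&2
            return 1
        fi
        gr_n=$gr_lo
        while [ "$gr_n" -le "$gr_hi" ]; do
            gr_out="$gr_out $gr_n"
            gr_n=$((gr_n + 1))
        done
    done
    IFS=$gr_oldifs
    echo "${gr_out# }"
}

# Walk all groups and list the port rules each one controls.
gi=1
while [ "$gi" -le "$PB_GROUPCOUNT_N" ]; do
    eval gname=\$PB_GROUP_NAME_$gi
    eval gspec=\$PB_GROUPRULES_$gi
    grules=$(expand_grouprules "$gspec" "$PB_PORTRULE_N") || exit 1
    echo "group $gi ($gname): rules $grules"
    for gr in $grules; do
        eval rport=\$PB_PORTRULE_$gr
        eval rproto=\$PB_PROTOCOL_$gr
        echo "    rule $gr: $rport/$rproto"
    done
    gi=$((gi + 1))
done
```

The script prints, for each group, the rules it opens or blocks together with
their port and protocol, which is a quick way to review a configuration
before building it; a typo such as '2:3' instead of '2;3' or a reference to
rule 6 with PB_PORTRULE_N='5' is reported instead of being silently ignored.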


PB_BLOCK_AUTO_X='yes'	# Parameter: [ yes / no ]
	Block this group automatically at boot?


PB_GROUP_USER_X='all'	# Parameter: [ NUMBER / all / none ]
	Only the user NUMBER is allowed to see the status of this group and to
	change it. NUMBER is the number X of the user in HTTPD_USER_X in
	CONFIG/HTTPD.TXT.
	If every user should be able to control this group, set
	PB_GROUP_USER_X='all'.
	If no one should be able to see (and control) this group, set
	PB_GROUP_USER_X='none' (the group is then hidden).


PB_BLOCKTYPE='REJECT'	# Parameter: [ REJECT / DENY ]
	Type of block: 'REJECT' (the packet is refused with an error reply) or
	'DENY' (the packet is silently dropped)


PB_NETWORK='192.168.10.0/24'	# Parameter: [ NETWORK ]
	Network which is used when PB_DIRECTIO_X='in' or PB_DIRECTIO_X='out'.
	If PB_DIRECTIO_X='both', then 0.0.0.0/0 -> 0.0.0.0/0 is used.

PB_SHOW_DETAILS='yes'	# Parameter: [ yes / no ]
        Say yes if you want a details button that shows the rules of a group.


SWAP_BLOCK_COLORS='no'	# Parameter: [ yes / no ]
	Which colors should be used for open / blocked ports?
	no:	green=blocked / red=open
	yes:	green=open / red=blocked


LANGUAGE='en'		# Parameter: german / english [ 'de' / 'en' ]
	Which language should be used in HTTPd?


PB_LOGGING='yes'	# Parameter: ['yes' / 'no']
	Should the actions performed by PortBlock be logged?


PB_LOGUSER='all'	# Parameter: [ NUMBER / all / none ]
	User who is allowed to see and control the PortBlock logfile
	(see PB_GROUP_USER_X for the possible values).


PB_LOGFILE='/var/log/log.portblock'	# Parameter: [ PATH AND FILENAME ]
	Sets the path and the file name of the logfile.


# --- Optional package: pbscript ---

OPT_PBSCRIPT='no'	# Parameter: [ yes / no ]
	Installs a shell script for use with e.g. easycron.
	For documentation see PBSCRIPT.TXT.


# --- Optional package: pbstatus ---

OPT_PBSTATUS='no'	# Parameter: ['yes' / 'no']
	Installs some functions that run one command on fli4l when all groups
	are closed, and another command when at least one group is open.

PBSTATUS_SCRIPT_OPEN    # Parameter: [ COMMAND ]
        Here you set the command that is run when at least one group is
        open.

PBSTATUS_SCRIPT_CLOSED  # Parameter: [ COMMAND ]
        Here you set the command that is run when all groups are closed.


--- Contact ---------------------------------------------------------------------

fli4l@sirsocke.de
http://www.sirsocke.de


--- History ---------------------------------------------------------------------

25.04.2003	v1.0 first complete version
26.04.2003	v1.1 choose tcp, udp or both for each port(range) / service
29.04.2003	v1.2 create groups
30.04.2003	v1.3 choose language / httpd rights
06.05.2003	v1.4 firewall logging / PortBlockScript
08.05.2003	v1.5 keep settings on reconnect
15.05.2003	v1.6 user rights / logging
16.08.2003	v2.0.0 more comfortable group rules / directions
25.08.2003	v2.0.0a documentation of problems with more than one LAN
04.10.2003	v2.0.1 show details?
04.11.2003	v2.0.2 Ethernet router possible / PortBlockStatus