Unified Firewall Port Filter
With the following Addin script you can define which services are filtered by the Unified Firewall.
/**
* @param {Config} config
* @param {Context} context
* Do not edit this comment or parameter types. Required for code suggestions
*/
exports.main = function (config, context) {
var fwVersion = context.device.firmwareVersionObject;
var ufApi = config.getUfApi();
var networkName = context.network.name;
/*
* NAT-Modus:
* "left" für SNAT,
* "right" für DNAT,
* "both" für beide und
* "none" zum ausgeschaltet
*/
var nat = "left";
/*
* Freizugebende Dienst-Gruppen
*/
var freigaben = {
// true gibt einen Dienst frei, false blockiert ihn. Zusammensetzung siehe "serviceMap" unten
mail: true,
ping: true,
ssh: true,
telnet: false,
ipsec: true,
dns: false,
// Benutzerdefinierte Ports
tcp: [
8080,
portRange(400, 500),
],
udp: [
234
]
};
/*
* Service-Gruppen, die oben bei "freigaben" verwendet werden können.
*/
var serviceMap = {
mail: [
predefinedService("internet.imap4s", nat, "leftToRight"),
predefinedService("internet.smtpsubmission", "left", "leftToRight"),
predefinedService("internet.smtps", nat, "leftToRight"),
predefinedService("internet.pop3s", nat, "leftToRight")
],
ping: [
predefinedService("standard.ping", nat, "both")
],
ssh: [
predefinedService("standard.ssh", nat, "leftToRight")
],
ipsec: [
predefinedService("vpn.ipsec", nat, "leftToRight")
],
dns: [
predefinedService("standard.dns", nat, "leftToRight")
],
};
/**
* Die folgenden IDs für vordefinierte Dienste können oben in der
* "serviceMap"-Variable verwendet werden, um eigene Gruppen zu
* definieren:
*
* database.mssql (Microsoft SQL Server)
* database.mysql (MySQL)
* internet.aim (AIM)
* internet.aimvideo (AIM Video)
* internet.cuseeme (CUseeMe)
* internet.elster (ESTP)
* internet.ftp (FTP)
* internet.gotomeeting (GoToMeeting)
* internet.groupwise (Novell Groupwise Messaging)
* internet.hbci (HBCI)
* internet.http (HTTP)
* internet.https (HTTPS)
* internet.icq (ICQ)
* internet.imap4 (IMAP4)
* internet.imap4s (IMAP4s)
* internet.irc (IRC)
* internet.jabber (jabber)
* internet.msn (MSN Messenger)
* internet.news (NNTP)
* internet.ntp (NTP)
* internet.pop3 (POP3)
* internet.pop3s (POP3s)
* internet.quicktime (Apple QuickTime)
* internet.rstp (RSTP)
* internet.sipgate (Sipgate)
* internet.smtp (SMTP)
* internet.smtps (SMTPs)
* internet.smtpsubmission (SMTP Submission)
* internet.webex (WebEx)
* internet.wmedia (Windows Media)
* internet.yahoo (Yahoo Messenger)
* internet.whatsapp (WhatsApp Messenger)
* internet.facetime (Apple FaceTime)
* remote.applerdp (Apple Remote Desktop)
* remote.ica (ICA (Citrix MetaFrame))
* remote.laplink (Laplink)
* remote.pcanywhere (pcAnywhere)
* remote.rdp (RDP)
* remote.teamvieweralternative (TeamViewer (Alternative))
* remote.telnet (Telnet)
* remote.vnc (VNC)
* standard.dns (DNS)
* standard.exchange (Microsoft Exchange)
* standard.icmp (ICMP)
* standard.ipx (IPX ueber IP)
* standard.kerberos (Kerberos)
* standard.ldap (LDAP)
* standard.netbios (NetBIOS)
* standard.ping (Ping)
* standard.snmp (SNMP)
* standard.ssh (SSH)
* standard.tcp (Frei definiert)
* standard.tracerouteUdp (TraceRoute UDP)
* standard.rscsCybersecurityWeb (LANCOM R&S(R) Webclient Standard)
* standard.rscsCybersecurityCC (LANCOM R&S(R) Command Center Standard)
* vpn.ipsec (IPsec)
* vpn.l2tp (L2TP)
* vpn.pptp (PPTP)
* vpn.ssl (VPN-SSL (openVPN))
*/
/**
* Ab hier keine Anpassungen durch den Benutzer mehr nötig/vorgesehen!
*/
freigaben.udp = Array.isArray(freigaben.udp) ? freigaben.udp : [];
freigaben.tcp = Array.isArray(freigaben.tcp) ? freigaben.tcp : [];
var services = [];
var serviceItem, proto, ports, i, j, portNumber;
if (freigaben.udp.length || freigaben.tcp.length) {
var protos = ["tcp", "udp"];
for (i = 0; i < protos.length; i++) {
proto = protos[i];
for (j = 0; j < freigaben[proto].length; j++) {
ports = freigaben[proto][j];
serviceItem = {
noproxy: true,
protocol: proto,
portfrom: 0,
portto: 0
};
if (typeof (ports) === "number" || typeof (ports) === "string") {
portNumber = parseInt(String(ports), 10);
serviceItem.portfrom = portNumber;
serviceItem.portto = portNumber;
} else if (typeof (ports) === "object"
&& ports.hasOwnProperty("portto")
&& ports.hasOwnProperty("portfrom")) {
serviceItem.portfrom = ports.portfrom;
serviceItem.portto = ports.portto;
} else {
continue;
}
services.push(serviceItem);
}
}
}
var extraRules = [];
if (services.length) {
var extraServiceName = String("Zusatz-Freigaben fuer " + networkName);
ufApi.createObject('userdefined-services', {
name: extraServiceName,
userdefined: true,
services: services
});
extraRules.push(
userdefinedService(
extraServiceName,
nat,
"leftToRight"
)
);
}
var keys = Object.keys(freigaben);
var serviceKey, rules, extraRule;
for (i = 0; i < keys.length; i++) {
serviceKey = keys[i];
if (freigaben.hasOwnProperty(serviceKey) && serviceKey != "tcp" && serviceKey != "udp") {
if (freigaben[serviceKey]) {
rules = serviceMap[serviceKey];
if (!rules || !rules.length) {
config.warnLog(String("Konnte keine Regeln für Dienst '" + serviceKey + "' bestimmen."));
continue;
}
for (j = 0; j < rules.length; j++) {
extraRule = rules[j];
extraRules.push(extraRule);
}
}
}
}
if (!extraRules.length) {
config.infoLog("Keine Extra-Freigaben");
return;
}
var desktopObjName = String("Lokale Extras " + networkName);
ufApi.raw({
method: 'POST',
uri: '/model/networks',
body: network(
ufApi.lookupField('networks', 'ipv4', { name: networkName }),
ufApi.lookupField('networks', 'interface', { name: networkName }),
desktopObjName
),
failOnError: false
});
ufApi.raw({
method: 'POST',
uri: '/model/desktop-connections/',
body: desktopConnection(
ufApi.lookup('networks', { name: desktopObjName }),
ufApi.lookup('internet', { name: "WAN" }),
extraRules
),
failOnError: false
});
var remoteDesktopObjName = String("Remote Extras " + networkName);
ufApi.raw({
method: 'POST',
uri: '/model/vpngroups',
body: vpnGroup(
ufApi.lookupField('vpngroups', 'vpngroupobjectitems', { name: String("Branch Site Networks for " + networkName) }),
remoteDesktopObjName
),
failOnError: false
});
ufApi.raw({
method: 'POST',
uri: '/model/desktop-connections/',
body: desktopConnection(
ufApi.lookup('vpngroups', { name: remoteDesktopObjName }),
ufApi.lookup('internet', { name: "WAN" }),
extraRules
),
failOnError: false
});
function vpnGroup(items, name) {
return {
"tags": [],
"type": "vpngroup",
"top": 111,
"color": 7891540,
"description": "",
"layer": 0,
"left": 222,
"icon": "vpn-network",
"name": name,
"vpngroupobjectitems": items
};
}
function network(ip, iface, name) {
return {
"tags": [],
"ipv4": ip,
"type": "network",
"interface": iface,
"top": 111,
"color": parseInt("7891540", 10),
"description": "",
"layer": 0,
"left": 222,
"icon": "network",
"nologin": false,
"name": name,
"exemptFromIdps": false,
"exemptFromAv": false
};
}
function desktopConnection(obja, objb, rules) {
var connectionDefinition = {
"objb": objb,
"appfilterRoutingProfiles": [],
"description": "",
"color": 1562591,
"rules": rules,
"obja": obja,
"points": [{"x": 1350, "type": "linepoint", "y": 222}, {
"x": 1350,
"type": "rulepoint",
"y": 282
}, {"x": 1320, "type": "linepoint", "y": 338}],
"blockall": false,
"trafficshaping": [],
"webfiltersettings": [],
"applicationfilter": {"mode": "off", "activeprofiles": []}
};
if (fwVersion.major === 10 && fwVersion.minor >= 8) {
delete connectionDefinition.trafficshaping;
connectionDefinition.trafficShaping = {
"trafficGroup": "",
"outgoingDscp": null
};
}
return connectionDefinition;
}
function userdefinedService(serviceName, natactive, action) {
return service(
ufApi.lookup("userdefined-services", { name: serviceName }),
natactive,
action,
true
);
}
function predefinedService(serviceName, natactive, action) {
return service(
ufApi.lookup("predefined-services", { name: serviceName }),
natactive,
action,
false
);
}
function service(lookup, natactive, action, editable) {
var serviceDefinition = {
"uniqueId": lookup,
"dmz": false,
"natactive": natactive,
"editable": editable,
"timeranges": [{
"endweekday": 0,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 0
}, {
"endweekday": 1,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 1
}, {
"endweekday": 2,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 2
}, {
"endweekday": 3,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 3
}, {
"endweekday": 4,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 4
}, {
"endweekday": 5,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 5
}, {
"endweekday": 6,
"repeattype": "weekly",
"endtime": "23:59:59",
"starttime": "00:00:00",
"startweekday": 6
}],
"action": action,
"trafficshaping": [],
"log": false,
"applicationfilter": {"useconnection": true, "activeprofiles": []}
};
if (fwVersion.major === 10 && fwVersion.minor >= 7) {
serviceDefinition.useConnection = false;
}
if (fwVersion.major === 10 && fwVersion.minor >= 8) {
delete serviceDefinition.trafficshaping;
serviceDefinition.useConnectionTrafficShaping = false;
serviceDefinition.trafficShaping = {
"trafficGroup": "",
"outgoingDscp": null
};
}
return serviceDefinition;
}
function portRange(a, b) {
a = parseInt(String(a), 10);
b = parseInt(String(b), 10);
if (a === b || !b) {
return a;
}
if (b < a) {
return portRange(b, a);
}
return {
portfrom: a,
portto: b
};
}
};