From 8955b5a74668565b31ffad1df13d2be1add87fb2 Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Thu, 20 Jan 2011 20:10:23 +0100 Subject: [PATCH 1/8] Fixed index.cgi nfs mount warning by using posix output. --- html/cgi-bin/index.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 8e623c96a..0dcadb0b2 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -407,7 +407,7 @@ if ($used / $mem > 90) { # Diskspace usage warning my @temp=(); my $temp2=(); -my @df = `/bin/df -B M -x rootfs`; +my @df = `/bin/df -B M -P -x rootfs`; foreach my $line (@df) { next if $line =~ m/^Filesystem/; if ($line =~ m/root/ ) { From e4e42008adb48a1c97fa4ec829fcb01c242b8c8f Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Thu, 20 Jan 2011 21:01:42 +0100 Subject: [PATCH 2/8] Fixed outgoing fw log messages in mode 1 and found a bug logging only active when using german language. --- config/outgoingfw/outgoingfw.pl | 11 +++++++++-- config/rootfiles/core/45/filelists/files | 1 + config/rootfiles/core/45/update.sh | 2 ++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl index 6709ee603..53462db48 100644 --- a/config/outgoingfw/outgoingfw.pl +++ b/config/outgoingfw/outgoingfw.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # +# Copyright (C) 2007-2011 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,6 +25,7 @@ use strict; #use warnings; require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; my %outfwsettings = (); my %checked = (); 
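Review bot: The new `-P` on the `my @df = ...` line should carry a comment, because the loop below relies on the output shape and the reason is otherwise only in the commit message: `# -P: POSIX format keeps each filesystem on one line (long NFS device names are not wrapped)`. The surrounding parsing presumably splits whitespace-separated columns, which the wrapped two-line form broke; that part of the loop body is outside the hunk. The backtick command is a fixed literal with no interpolated input, so the shell invocation itself raises no concern.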
@@ -218,7 +219,13 @@ foreach $configentry (sort @configs) $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - if ($configline[9] eq "aktiv") { + if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) { + if ($DEBUG) { + print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '\n"; + } else { + system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '"); + } + } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) { if ($DEBUG) { print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '\n"; } else { diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files index f6d15ca78..814baf3e4 100644 --- a/config/rootfiles/core/45/filelists/files +++ b/config/rootfiles/core/45/filelists/files @@ -6,3 +6,4 @@ srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/updxlrator +var/ipfire/outgoing/bin/outgoingfw.pl diff --git a/config/rootfiles/core/45/update.sh b/config/rootfiles/core/45/update.sh index 1197905cd..03c6cfbba 100644 --- a/config/rootfiles/core/45/update.sh +++ b/config/rootfiles/core/45/update.sh @@ -37,6 +37,8 @@ extract_files #Start services echo Starting Proxy /etc/init.d/squid start 2>/dev/null +echo Rewriting Outgoing FW Rules +/var/ipfire/outgoing/bin/outgoingfw.pl # #Update Language cache From 5b7f487baa9a67d5f415ef9ca2de8840933f837d Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Thu, 20 Jan 2011 21:09:14 +0100 Subject: [PATCH 3/8] Fixed firewall log display 20 for local interface. --- config/rootfiles/core/45/filelists/files | 1 + html/cgi-bin/logs.cgi/firewalllog.dat | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files index 814baf3e4..8df8185fb 100644 --- a/config/rootfiles/core/45/filelists/files +++ b/config/rootfiles/core/45/filelists/files 
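Review bot: The new conditions still compare the stored rule state `$configline[9]` against the translated label `$Lang::tr{'aktiv'}`, so a rule saved under one web-UI language stops matching, and stops being logged, as soon as the language is changed — the same coupling the commit message identifies as the original German-only bug, now only widened to the current language. Storing a fixed token in the config and mapping it to the label only in the CGI would remove the dependency; if that is out of scope, add `# NOTE: column 9 holds the localized 'aktiv' label, so it only matches under the language it was saved in` above the `if`. The MODE1 and MODE2 branches are identical except for the log prefix; `my $prefix = $outfwsettings{'POLICY'} eq 'MODE1' ? 'LOG_OUTGOINGFW ' : 'DROP_OUTGOINGFW ';` followed by a single print/system pair under the `$Lang::tr{'aktiv'}` test would halve the duplicated rule text. `system("$CMD ...")` goes through the shell with `$CMD` assembled from config values, so the list form of `system` with the command and each argument as separate elements would be the defensive choice, though that predates this change. The enclosing `foreach $configentry (sort @configs)` loop starts and ends outside the hunk.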
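Review bot: `/var/ipfire/outgoing/bin/outgoingfw.pl` is invoked without checking its exit status, so a failure to rewrite the rules during the update passes silently unless the script runs under `set -e`, which is not visible here; `/var/ipfire/outgoing/bin/outgoingfw.pl || echo "outgoingfw.pl failed" >&2` would at least leave a trace in the update output. The `echo` text is a fixed string, so the unquoted form is harmless, but quoting it would match the usual shell convention.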
@@ -7,3 +7,4 @@ srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/updxlrator var/ipfire/outgoing/bin/outgoingfw.pl +srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat \ No newline at end of file diff --git a/html/cgi-bin/logs.cgi/firewalllog.dat b/html/cgi-bin/logs.cgi/firewalllog.dat index 5979a7679..2c4fb14f0 100644 --- a/html/cgi-bin/logs.cgi/firewalllog.dat +++ b/html/cgi-bin/logs.cgi/firewalllog.dat @@ -333,7 +333,7 @@ foreach $_ (@log) my $comment = $3; my $packet = $4; - $packet =~ /IN=(\w+)/; my $iface=$1; if ( $1 eq "27" ){ $iface="";} + $packet =~ /IN=(\w+)/; my $iface=$1; if ( $1 eq "27" || $1 eq "20"){ $iface="";} $packet =~ /SRC=([\d\.]+)/; my $srcaddr=$1; $packet =~ /DST=([\d\.]+)/; my $dstaddr=$1; $packet =~ /MAC=([\w+\:]+)/; my $macaddr=$1; From b18bad8a194459493ccafefa25698168cda553d3 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 21 Jan 2011 16:11:03 +0100 Subject: [PATCH 4/8] Also fix output of NFS shares in the media status. --- html/cgi-bin/media.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/media.cgi b/html/cgi-bin/media.cgi index 6a89ca867..9456c3c22 100644 --- a/html/cgi-bin/media.cgi +++ b/html/cgi-bin/media.cgi @@ -70,7 +70,7 @@ if ( $querry[0] =~ "sd?" || $querry[0] =~ "hd?" || $querry[0] =~ "xvd??"){ &Header::openbox('100%', 'center', $Lang::tr{'disk usage'}); print "\n"; - open(DF,'/bin/df -B M -x rootfs|'); + open(DF,'/bin/df -P -B M -x rootfs|'); while(){ if ($_ =~ m/^Filesystem/ ){ print <
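Review bot: The changed line reads `$1` after an unchecked match, so when `/IN=(\w+)/` does not match (the `IN=` field absent or empty) `$1` still holds the capture from the previous successful match in this scope and `$iface` silently receives that stale value. Testing the match and normalising in one place avoids it: `my $iface = $packet =~ /IN=(\w+)/ ? $1 : '';` and `$iface = '' if $iface eq '27' || $iface eq '20';`. The values `27` and `20` are unexplained magic numbers; a comment such as `# interface numbers 20 and 27 are displayed as "no interface" — TODO: document which interfaces these are` should accompany them, since the commit message only says 20 is the local interface. The `SRC=`/`DST=`/`MAC=` lines that follow share the same unchecked-`$1` pattern but are unchanged context; the enclosing `foreach $_ (@log)` loop starts and ends outside the hunk.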
 \n

Inodes

\n"; - open(DF,'/bin/df -i -x rootfs|'); + open(DF,'/bin/df -P -i -x rootfs|'); while(){ if ($_ =~ m/^Filesystem/ ){ print < Date: Fri, 21 Jan 2011 17:52:32 +0100 Subject: [PATCH 5/8] Fixed several bugs in vpn-watch script. The counter was pending between 0 and 1 and not going up to 9. If ipsec whack is returning and empty page we do not need to check if the remoteip has changed because the tunnel is not up. If ipsec is restarted the counter can be reset. All these facts causes that on low powered system the tunnels are intable if you have a lot of them. But we need to check if the convergation timer is okay because with these bugs the tunnels were minutly restarted and with correct handling after 10. --- config/rootfiles/core/45/filelists/files | 3 ++- config/rootfiles/core/45/update.sh | 4 ++++ src/scripts/vpn-watch | 15 ++++++++++----- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files index 8df8185fb..4d88e2395 100644 --- a/config/rootfiles/core/45/filelists/files +++ b/config/rootfiles/core/45/filelists/files @@ -7,4 +7,5 @@ srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/updxlrator var/ipfire/outgoing/bin/outgoingfw.pl -srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat \ No newline at end of file +srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat +usr/local/bin/vpn-watch \ No newline at end of file diff --git a/config/rootfiles/core/45/update.sh b/config/rootfiles/core/45/update.sh index 03c6cfbba..d22779172 100644 --- a/config/rootfiles/core/45/update.sh +++ b/config/rootfiles/core/45/update.sh @@ -28,6 +28,8 @@ #Stop services echo Stopping Proxy /etc/init.d/squid stop 2>/dev/null +echo Stopping vpn-watch +killall vpn-watch # #Extract files 
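Review bot: Both df calls in this file (`open(DF,'/bin/df -P -B M -x rootfs|')` in the first hunk and `open(DF,'/bin/df -P -i -x rootfs|')` here) use the two-argument pipe `open` on a bareword handle with no error check, so if `/bin/df` cannot be started the loop (rendered here as `while(){`, presumably `while(<DF>)` with the angle brackets lost) simply reads nothing and the page shows an empty table. The three-argument list form avoids the shell and makes the failure visible: `open(my $df, '-|', '/bin/df', '-P', '-i', '-x', 'rootfs') or die "df: $!";` with `<$df>` in the loop. The command string is a fixed literal, so there is no injection path in the current code; the point is robustness and error reporting, and it predates this change. The rest of both hunks is HTML table output garbled in this rendering and could not be reviewed.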
@@ -39,6 +41,8 @@ echo Starting Proxy /etc/init.d/squid start 2>/dev/null echo Rewriting Outgoing FW Rules /var/ipfire/outgoing/bin/outgoingfw.pl +echo Starting vpn-watch +/usr/local/bin/vpn-watch & # #Update Language cache diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch index 0c5f62d59..32a854983 100755 --- a/src/scripts/vpn-watch +++ b/src/scripts/vpn-watch @@ -1,6 +1,6 @@ #!/usr/bin/perl ################################################## -##### VPN-Watch.pl Version 0.5 ##### +##### VPN-Watch.pl Version 0.6 ##### ################################################## # # # VPN-Watch is part of the IPFire Firewall # @@ -32,7 +32,7 @@ while ( $i == 0){ $round++; # Reset roundcounter after 10 min. To do established check. - if ($round > 9) { $round=0 } + if ($round > 9) { $round==0 } if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = ; close(FILE); 
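Review bot: `/usr/local/bin/vpn-watch &` starts the daemon as a plain background job of the update script, so it inherits the updater's stdin/stdout/stderr and stays attached to them; if the update is driven through a pipe (for example from the web interface), the still-open descriptors can keep the caller waiting until vpn-watch exits. Detaching it — `nohup /usr/local/bin/vpn-watch >/dev/null 2>&1 &` — or starting it through whatever init hook normally launches vpn-watch at boot (not visible here) would avoid that. The matching `killall vpn-watch` in the earlier hunk of this file is likewise unchecked, which is acceptable for a stop step but prints an error when the process is not running.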
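Review bot: The replacement `if ($round > 9) { $round==0 }` is a comparison, not an assignment, so the counter is never reset and `$round == 0` can only be true before the first increment — the periodic established check this commit relies on would never run again after start-up. PATCH 6/8 in this series restores `$round=0;`, so the fix is already on its way, but this intermediate state is broken and the two could have been squashed. The `while ( $i == 0)` loop enclosing this line starts and ends outside the hunk.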
@@ -55,17 +55,22 @@ foreach (@vpnsettings){ my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip); if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}} my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`; - my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; + my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; - if ( $ipmatch eq '' ){ + if ( $ipmatch eq '' && $status ne ''){ logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec."); system("/usr/local/bin/ipsecctrl S $settings[0]"); + $round=0; last; #all connections will reloaded #remove this if ipsecctrl can restart single con again } - if ( ($round = 0) && ($established eq '')) { + + if ($debug){logger("Round=".$round." and established=".$established);} + + if ( ($round == 0) && ($established eq '')) { logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec."); system("/usr/local/bin/ipsecctrl S $settings[0]"); + $round=0; last; #all connections will reloaded #remove this if ipsecctrl can restart single con again From 9f9298d99459a03e3497f67a8accdf7c29c6a96a Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Fri, 21 Jan 2011 18:01:49 +0100 Subject: [PATCH 6/8] Fixed little typo. --- src/scripts/vpn-watch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch index 32a854983..ee6807cdb 100755 --- a/src/scripts/vpn-watch +++ b/src/scripts/vpn-watch @@ -32,7 +32,7 @@ while ( $i == 0){ $round++; # Reset roundcounter after 10 min. To do established check. - if ($round > 9) { $round==0 } + if ($round > 9) { $round=0; } if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = ; close(FILE); From aa7970cc87ef9b4dfb8e771b6d80e457ef27658b Mon Sep 17 00:00:00 2001 
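Review bot: The re-added `my $established= \`echo "$status" | grep '$settings[2]' | grep 'erouted;'\`` line (and the unchanged `$ipmatch` line above it) shells out with the config-derived `$settings[2]` interpolated inside single quotes, so a connection name containing `'` breaks the command, and the new debug line `logger("Round=".$round." and established=".$established)` logs the un-chomped grep output including its trailing newline. Doing the filtering in-process takes the shell out of the path: `my @st = split /\n/, $status;` then `my $established = join "\n", grep { index($_, $settings[2]) >= 0 && /erouted;/ } @st;` (and the same shape for `$ipmatch` with `$remoteip`), leaving the `eq ''` tests as they are. The two new `$round=0;` resets before `last;` appear to give the tunnels a full cycle before the erouted check runs again; a one-line comment `# restart resets the cycle: no erouted check until the counter wraps again` would record that intent. The `foreach (@vpnsettings)` loop enclosing the hunk starts before it, and blank context lines may have been merged in this rendering.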
From: Christian Schmidt Date: Sat, 22 Jan 2011 11:16:39 +0100 Subject: [PATCH 7/8] Fix vpn-watch script not restarting minutly when remote ip has changed. --- src/scripts/vpn-watch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch index ee6807cdb..466aaa62d 100755 --- a/src/scripts/vpn-watch +++ b/src/scripts/vpn-watch @@ -57,7 +57,7 @@ foreach (@vpnsettings){ my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`; my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; - if ( $ipmatch eq '' && $status ne ''){ + if ( $round == 0 && $ipmatch eq '' && $status ne ''){ logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec."); system("/usr/local/bin/ipsecctrl S $settings[0]"); $round=0; From 7f8eb58ded528ab6f71dee3fbdfd4cd0b7f529ef Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 22 Jan 2011 12:59:50 +0100 Subject: [PATCH 8/8] core45: fix missing lf in filelist. --- config/rootfiles/core/45/filelists/files | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files index 4d88e2395..ae685d538 100644 --- a/config/rootfiles/core/45/filelists/files +++ b/config/rootfiles/core/45/filelists/files @@ -8,4 +8,4 @@ srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/updxlrator var/ipfire/outgoing/bin/outgoingfw.pl srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat -usr/local/bin/vpn-watch \ No newline at end of file +usr/local/bin/vpn-watch
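Review bot: With `$round == 0` now gating the remote-IP check, the `$round=0;` on the line after the `system(...)` call is redundant in this branch because the counter is already zero there; dropping it, or keeping it with a comment, would avoid suggesting the reset still does something. A comment above the condition would document the intent the commit message states: `# Check for a changed remote IP only once per cycle, like the erouted check, so a changed address does not restart ipsec every round`. That comment should also note the trade-off that an IP change is now noticed up to a full cycle late, which appears to be ten minutes if the loop sleeps one minute per round (the sleep is outside the hunk). The enclosing `foreach (@vpnsettings)` loop starts and ends outside the hunk.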