Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes.
Signed-off-by: Alexander Marx <amarx@ipfire.org> Conflicts: config/backup/include lfs/configroot lfs/usb-stick
@@ -15,6 +15,8 @@
|
||||
/var/ipfire/auth/users
|
||||
/var/ipfire/dhcp/*
|
||||
/var/ipfire/dnsforward/*
|
||||
/var/ipfire/forward/*
|
||||
/var/ipfire/fwhosts/*
|
||||
/var/ipfire/main/*
|
||||
/var/ipfire/outgoing/groups
|
||||
/var/ipfire/outgoing/macgroups
|
||||
|
||||
@@ -21,8 +21,8 @@ use Net::SSLeay;
|
||||
use Net::IPv4Addr qw(:all);
|
||||
$|=1; # line buffering
|
||||
|
||||
$General::version = 'VERSION';
|
||||
$General::swroot = 'CONFIG_ROOT';
|
||||
$General::version = '2.11';
|
||||
$General::swroot = '/var/ipfire';
|
||||
$General::noipprefix = 'noipg-';
|
||||
$General::adminmanualurl = 'http://wiki.ipfire.org';
|
||||
|
||||
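Review bot: If `$General::version = '2.11';` and `$General::swroot = '/var/ipfire';` are the new side (the rendered view has lost the +/- markers, so this is read from print order), the build-time placeholders `VERSION` and `CONFIG_ROOT` disappear from this file and the `sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" -e "s+VERSION+$(VERSION)+g"` step in lfs/configroot has nothing left to rewrite here, assuming that step also covers general-functions.pl. A literal version and config root in the source will drift from `$(VERSION)` and `$(CONFIG_ROOT)` on the next bump, and it reads as if the diff was taken from an installed system rather than the source tree. The placeholder form `$General::version = 'VERSION';` and `$General::swroot = 'CONFIG_ROOT';` should be kept.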
@@ -39,6 +39,99 @@ sub log
|
||||
$logmessage = $1;
|
||||
system('logger', '-t', $tag, $logmessage);
|
||||
}
|
||||
sub setup_default_networks
|
||||
{
|
||||
my %netsettings=();
|
||||
my $defaultNetworks = shift;
|
||||
|
||||
&readhash("/var/ipfire/ethernet/settings", \%netsettings);
|
||||
|
||||
# Get current defined networks (Red, Green, Blue, Orange)
|
||||
$defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
|
||||
$defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
|
||||
|
||||
$defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
|
||||
$defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
|
||||
|
||||
if ($netsettings{'ORANGE_DEV'} ne ''){
|
||||
$defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
|
||||
$defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
|
||||
}
|
||||
|
||||
if ($netsettings{'BLUE_DEV'} ne ''){
|
||||
$defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
|
||||
$defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
|
||||
}
|
||||
|
||||
# OpenVPN
|
||||
if(-e "${General::swroot}/ovpn/settings")
|
||||
{
|
||||
my %ovpnSettings = ();
|
||||
&readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
|
||||
|
||||
# OpenVPN on Red?
|
||||
if(defined($ovpnSettings{'DOVPN_SUBNET'}))
|
||||
{
|
||||
my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
|
||||
$sub=&General::iporsubtocidr($sub);
|
||||
my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
|
||||
$defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
|
||||
$defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
|
||||
}
|
||||
} # end OpenVPN
|
||||
# IPsec RW NET
|
||||
if(-e "${General::swroot}/vpn/settings")
|
||||
{
|
||||
my %ipsecsettings = ();
|
||||
&readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
|
||||
if($ipsecsettings{'RW_NET'} ne '')
|
||||
{
|
||||
my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
|
||||
$sub=&General::iporsubtocidr($sub);
|
||||
my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
|
||||
$defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
|
||||
$defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
|
||||
}
|
||||
}
|
||||
#open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
|
||||
#my @current = <FILE>;
|
||||
#close(FILE);
|
||||
#my $ctr = 0;
|
||||
#foreach my $line (@current)
|
||||
#{
|
||||
#if ($line ne ''){
|
||||
#chomp($line);
|
||||
#my @temp = split(/\,/,$line);
|
||||
#if ($temp[2] eq '') {
|
||||
#$temp[2] = "Alias $ctr : $temp[0]";
|
||||
#}
|
||||
#$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
|
||||
#$ctr++;
|
||||
#}
|
||||
#}
|
||||
}
|
||||
sub get_aliases
|
||||
{
|
||||
|
||||
my $defaultNetworks = shift;
|
||||
open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
|
||||
my @current = <FILE>;
|
||||
close(FILE);
|
||||
my $ctr = 0;
|
||||
foreach my $line (@current)
|
||||
{
|
||||
if ($line ne ''){
|
||||
chomp($line);
|
||||
my @temp = split(/\,/,$line);
|
||||
if ($temp[2] eq '') {
|
||||
$temp[2] = "Alias $ctr : $temp[0]";
|
||||
}
|
||||
$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
|
||||
|
||||
$ctr++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub readhash
|
||||
{
|
||||
|
||||
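Review bot: The new `get_aliases` uses a two-argument `open` on a bareword handle, `open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';`, which drops the failure reason and relies on the path never starting with a mode character; the three-argument lexical form `open(my $fh, '<', "${General::swroot}/ethernet/aliases") or die "Unable to open aliases file: $!";`, `my @current = <$fh>;`, `close($fh);` is the safe idiom and `get_aliases` has no other reason to keep a global handle. In `setup_default_networks` the second `split("\/", ...)` into `@tempovpnsubnet` and `@tempipsecsubnet` repeats the `($ip,$sub)` split just above it, so `$tempovpnsubnet[0]` is already `$ip`; the IPsec branch also tests `$ipsecsettings{'RW_NET'} ne ''` where the OpenVPN branch tests `defined(...)`, which warns under `use warnings` when the key is absent. The commented-out copy of the alias loop at the end of `setup_default_networks` duplicates `get_aliases` and should be deleted rather than left as dead code. `sub readhash` begins on the last lines of the hunk and continues outside it.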
@@ -4,49 +4,37 @@
|
||||
'title' => "$Lang::tr{'ssport forwarding'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'20.xtaccess'} = {
|
||||
'caption' => $Lang::tr{'external access'},
|
||||
'uri' => '/cgi-bin/xtaccess.cgi',
|
||||
'title' => "$Lang::tr{'external access'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'30.wireless'} = {
|
||||
'caption' => $Lang::tr{'blue access'},
|
||||
'uri' => '/cgi-bin/wireless.cgi',
|
||||
'title' => "$Lang::tr{'blue access'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'40.dmz'} = {
|
||||
'caption' => $Lang::tr{'ssdmz pinholes'},
|
||||
'uri' => '/cgi-bin/dmzholes.cgi',
|
||||
'title' => "$Lang::tr{'dmz pinhole configuration'}",
|
||||
$subfirewall->{'51.forward'} = {
|
||||
'caption' => $Lang::tr{'fwdfw menu'},
|
||||
'uri' => '/cgi-bin/forwardfw.cgi',
|
||||
'title' => "$Lang::tr{'fwdfw menu'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'50.outgoing'} = {
|
||||
'caption' => $Lang::tr{'outgoing firewall'},
|
||||
'uri' => '/cgi-bin/outgoingfw.cgi',
|
||||
'title' => "$Lang::tr{'outgoing firewall'}",
|
||||
};
|
||||
$subfirewall->{'65.fwhost'} = {
|
||||
'caption' => $Lang::tr{'fwhost menu'},
|
||||
'uri' => '/cgi-bin/fwhosts.cgi',
|
||||
'title' => "$Lang::tr{'fwhost menu'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'51.outgoinggrp'} = {
|
||||
'caption' => $Lang::tr{'outgoing firewall groups'},
|
||||
'uri' => '/cgi-bin/outgoinggrp.cgi',
|
||||
'title' => "$Lang::tr{'outgoing firewall groups'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'60.upnp'} = {
|
||||
$subfirewall->{'70.upnp'} = {
|
||||
'caption' => 'UPnP',
|
||||
'uri' => '/cgi-bin/upnp.cgi',
|
||||
'title' => "Universal Plug and Play",
|
||||
'enabled' => 0,
|
||||
};
|
||||
$subfirewall->{'60.optingsfw'} = {
|
||||
$subfirewall->{'80.optingsfw'} = {
|
||||
'caption' => $Lang::tr{'options fw'},
|
||||
'uri' => '/cgi-bin/optionsfw.cgi',
|
||||
'title' => "$Lang::tr{'options fw'}",
|
||||
'enabled' => 1,
|
||||
};
|
||||
$subfirewall->{'70.iptables'} = {
|
||||
$subfirewall->{'90.iptables'} = {
|
||||
'caption' => $Lang::tr{'ipts'},
|
||||
'uri' => '/cgi-bin/iptables.cgi',
|
||||
'title' => "$Lang::tr{'ipts'}",
|
||||
|
||||
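Review bot: The new `$subfirewall->{'51.forward'}` entry shares its numeric prefix with `'51.outgoinggrp'`, so if the menu is ordered by key the two fall into lexical order (`51.forward` before `51.outgoinggrp`) and nothing can later be slotted between them; the rest of the file steps by ten (`20.`, `30.`, `70.`, `80.`, `90.`), so `51.` looks like a slip now that `'40.dmz'` appears to be removed. The `'50.outgoing'` block ends with `};` and sets no `'enabled'` key while every sibling does; whether that block is old or new is not recoverable from the rendered view, so confirm the intended default for it.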
@@ -26,8 +26,6 @@ var/ipfire/dhcp
|
||||
#var/ipfire/dhcp/fixleases
|
||||
#var/ipfire/dhcp/settings
|
||||
var/ipfire/dhcpc
|
||||
var/ipfire/dmzholes
|
||||
#var/ipfire/dmzholes/config
|
||||
var/ipfire/dns
|
||||
#var/ipfire/dns/settings
|
||||
var/ipfire/dnsforward
|
||||
@@ -47,6 +45,19 @@ var/ipfire/extrahd/partitions
|
||||
var/ipfire/extrahd/scan
|
||||
var/ipfire/extrahd/settings
|
||||
var/ipfire/fwlogs
|
||||
var/ipfire/forward
|
||||
var/ipfire/forward/bin/rules.pl
|
||||
var/ipfire/forward/bin/firewall-lib.pl
|
||||
var/ipfire/forward/settings
|
||||
var/ipfire/forward/config
|
||||
var/ipfire/forward/input
|
||||
var/ipfire/fwhosts
|
||||
var/ipfire/fwhosts/icmp-types
|
||||
var/ipfire/fwhosts/customhosts
|
||||
var/ipfire/fwhosts/customnetworks
|
||||
var/ipfire/fwhosts/customgroups
|
||||
var/ipfire/fwhosts/customservices
|
||||
var/ipfire/fwhosts/customservicegrp
|
||||
#var/ipfire/fwlogs/ipsettings
|
||||
#var/ipfire/fwlogs/portsettings
|
||||
var/ipfire/general-functions.pl
|
||||
@@ -188,7 +199,5 @@ var/ipfire/wakeonlan
|
||||
var/ipfire/wireless
|
||||
#var/ipfire/wireless/config
|
||||
#var/ipfire/wireless/settings
|
||||
var/ipfire/xtaccess
|
||||
#var/ipfire/xtaccess/config
|
||||
var/ipfire/firebuild
|
||||
etc/system-release
|
||||
|
||||
@@ -84,11 +84,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
|
||||
etc/rc.d/init.d/networking/red.up/10-multicast
|
||||
etc/rc.d/init.d/networking/red.up/20-RL-firewall
|
||||
etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
|
||||
etc/rc.d/init.d/networking/red.up/23-RS-snort
|
||||
etc/rc.d/init.d/networking/red.up/24-RS-qos
|
||||
etc/rc.d/init.d/networking/red.up/25-portfw
|
||||
etc/rc.d/init.d/networking/red.up/26-xtaccess
|
||||
etc/rc.d/init.d/networking/red.up/27-RS-squid
|
||||
etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
|
||||
etc/rc.d/init.d/networking/red.up/24-RS-snort
|
||||
etc/rc.d/init.d/networking/red.up/25-RS-qos
|
||||
etc/rc.d/init.d/networking/red.up/26-portfw
|
||||
etc/rc.d/init.d/networking/red.up/28-RS-squid
|
||||
etc/rc.d/init.d/networking/red.up/30-ddns
|
||||
etc/rc.d/init.d/networking/red.up/40-ipac
|
||||
etc/rc.d/init.d/networking/red.up/50-ipsec
|
||||
|
||||
@@ -16,6 +16,7 @@ usr/local/bin/logwatch
|
||||
#usr/local/bin/mpfirectrl
|
||||
usr/local/bin/openvpnctrl
|
||||
usr/local/bin/outgoingfwctrl
|
||||
usr/local/bin/forwardfwctrl
|
||||
usr/local/bin/pakfire
|
||||
usr/local/bin/qosctrl
|
||||
usr/local/bin/rebuildhosts
|
||||
@@ -23,9 +24,7 @@ usr/local/bin/rebuildroutes
|
||||
usr/local/bin/redctrl
|
||||
#usr/local/bin/sambactrl
|
||||
usr/local/bin/setaliases
|
||||
usr/local/bin/setdmzholes
|
||||
usr/local/bin/setportfw
|
||||
usr/local/bin/setxtaccess
|
||||
usr/local/bin/smartctrl
|
||||
usr/local/bin/snortctrl
|
||||
usr/local/bin/squidctrl
|
||||
|
||||
@@ -885,6 +885,141 @@
|
||||
'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
|
||||
'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
|
||||
'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
|
||||
'forward firewall' => 'Firewall',
|
||||
'fwdfw additional' => 'Zusätzlich',
|
||||
'fwdfw action' => 'Aktion',
|
||||
'fwdfw menu' => 'Firewall',
|
||||
'fwdfw addrule' => 'Neue Regel hinzufügen:',
|
||||
'fwdfw addr grp' => 'Adress Gruppen:',
|
||||
'fwdfw change' => 'Aktualisieren',
|
||||
'fwdfw cust addr' => 'Custom Adressen:',
|
||||
'fwdfw cust net' => 'Custom Netzwerke:',
|
||||
'fwdfw copy' => 'Kopieren',
|
||||
'fwdfw delete' => 'Löschen',
|
||||
'fwdfw edit' => 'Bearbeiten',
|
||||
'fwdfw err nosrc' => 'Keine Quelle gewählt.',
|
||||
'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.',
|
||||
'fwdfw err notgt' => 'Kein Ziel gewählt.',
|
||||
'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.',
|
||||
'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.',
|
||||
'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.',
|
||||
'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.',
|
||||
'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.',
|
||||
'fwdfw err same' => 'Quelle und Ziel sind identisch.',
|
||||
'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.',
|
||||
'fwdfw err srcport' => 'Bitte Quellport angeben.',
|
||||
'fwdfw err tgtport' => 'Bitte Zielport angeben.',
|
||||
'fwdfw err tgt_addr' => 'Ziel-IP ungültig.',
|
||||
'fwdfw err tgt_port' => 'Ziel Port ungültig',
|
||||
'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.',
|
||||
'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.',
|
||||
'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.',
|
||||
'fwdfw from' => 'Von:',
|
||||
'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
|
||||
'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
|
||||
'fwdfw ipsec network' => 'IPsec Netzwerke:',
|
||||
'fwdfw log rule' => 'Log Regel',
|
||||
'fwdfw man port' => 'Port(s) manuel:',
|
||||
'fwdfw moveup' => 'Hoch',
|
||||
'fwdfw movedown' => 'Runter',
|
||||
'fwdfw reread' => 'Übernehmen',
|
||||
'fwdfw rules' => 'Regeln',
|
||||
'fwdfw rule action' => 'Regel Aktion:',
|
||||
'fwdfw rule activate' => 'Regel aktivieren',
|
||||
'fwdfw source' => 'Quelle',
|
||||
'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
|
||||
'fwdfw std network' => 'Standard Netzwerke:',
|
||||
'fwdfw target' => 'Ziel',
|
||||
'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):',
|
||||
'fwdfw till' => 'Bis:',
|
||||
'fwdfw time' => 'Zeitrahmen:',
|
||||
'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
|
||||
'fwdfw toggle' => 'Aktivieren oder deaktivieren',
|
||||
'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
|
||||
'fwdfw use srcport' => 'Quellport benutzen',
|
||||
'fwdfw use srv' => 'Ziel-Dienstport benutzen',
|
||||
'fwdfw newrule' => 'Neue Regel',
|
||||
'fwdfw wd_mon' => 'Mo',
|
||||
'fwdfw wd_tue' => 'Di',
|
||||
'fwdfw wd_wed' => 'Mi',
|
||||
'fwdfw wd_thu' => 'Do',
|
||||
'fwdfw wd_fri' => 'Fr',
|
||||
'fwdfw wd_sat' => 'Sa',
|
||||
'fwdfw wd_sun' => 'So',
|
||||
'fwhost addgrp' => 'Gruppe:',
|
||||
'fwhost addgrpname' => 'Gruppenname:',
|
||||
'fwhost addhost' => 'Adresse:',
|
||||
'fwhost addnet' => 'Netzwerk:',
|
||||
'fwhost addrule' => 'Neue Regel hinzufügen:',
|
||||
'fwhost any' => 'Alle',
|
||||
'fwhost attention' => 'ACHTUNG',
|
||||
'fwhost back' => 'Übernehmen',
|
||||
'fwhost blue' => 'Blau',
|
||||
'fwhost ccdhost' => 'OpenVPN Clients:',
|
||||
'fwhost ccdnet' => 'OpenVPN Netzwerke:',
|
||||
'fwhost change' => 'Ändern',
|
||||
'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
|
||||
'fwhost cust addr' => 'Custom Adressen:',
|
||||
'fwhost cust grp' => 'Custom Gruppen:',
|
||||
'fwhost cust net' => 'Custom Netzwerke:',
|
||||
'fwhost cust service' => 'Custom Dienste:',
|
||||
'fwhost cust srvgrp' => 'Custom Dienstgruppen',
|
||||
'fwhost deleted' => 'Gelöscht',
|
||||
'fwhost empty' => 'Keine Einträge vorhanden',
|
||||
'fwhost err addr' => 'IP oder Subnetzmaske ungültig.',
|
||||
'fwhost err addrgrp' => 'Bitte gruppenname angeben.',
|
||||
'fwhost err empty' => 'Bitte alle Felder füllen.',
|
||||
'fwhost err grpexist' => 'Gruppe existiert bereits.',
|
||||
'fwhost err groupempty' => 'Gewählte Gruppe ist leer.',
|
||||
'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
|
||||
'fwhost err name1' => 'Name muss gefüllt sein.',
|
||||
'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!',
|
||||
'fwhost err net' => 'Netzwerk IP existiert bereits',
|
||||
'fwhost err mac' => 'MAC Adresse ungültig.',
|
||||
'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.',
|
||||
'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.',
|
||||
'fwhost err hostorip' => 'Name oder IP Adresse ungültig.',
|
||||
'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
|
||||
'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
|
||||
'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
|
||||
'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
|
||||
'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.',
|
||||
'fwhost err ip' => 'IP Addresse ungültig.',
|
||||
'fwhost err ipmac' => 'IP/MAC Addresse ungültig.',
|
||||
'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.',
|
||||
'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
|
||||
'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.',
|
||||
'fwhost err port' => 'Port muss gefüllt sein.',
|
||||
'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
|
||||
'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
|
||||
'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.',
|
||||
'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
|
||||
'fwhost green' => 'Grün',
|
||||
'fwhost hosts' => 'Firewall Hosts',
|
||||
'fwhost hint' => 'Hinweis',
|
||||
'fwhost icmptype' => 'ICMP-Typ:',
|
||||
'fwhost ipadr' => 'IP Adresse:',
|
||||
'fwhost ip_mac' => 'IP/MAC Adresse',
|
||||
'fwhost ipsec host' => 'IpSec Clients:',
|
||||
'fwhost ipsec net' => 'IpSec Netzwerke:',
|
||||
'fwhost newnet' => 'Netz Einstellungen',
|
||||
'fwhost newhost' => 'Adress Einstellungen',
|
||||
'fwhost newgrp' => 'Adress Gruppierung',
|
||||
'fwhost newservice' => 'Dienst Einstellungen',
|
||||
'fwhost newservicegrp' => 'Dienst Gruppierung',
|
||||
'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
|
||||
'fwhost menu' => 'Firewall Gruppen',
|
||||
'fwhost orange' => 'Orange',
|
||||
'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
|
||||
'fwhost port' => 'Port(s)',
|
||||
'fwhost prot' => 'Protokoll',
|
||||
'fwhost reset' => 'Abbrechen',
|
||||
'fwhost services' => 'Dienste',
|
||||
'fwhost srv_name' => 'Dienstname',
|
||||
'fwhost stdnet' => 'Standard Netzwerke:',
|
||||
'fwhost type' => 'Typ',
|
||||
'fwhost used' => 'Benutzt',
|
||||
'fwhost wo subnet' => '(Ohne Subnetz)',
|
||||
'free' => 'Frei',
|
||||
'free memory' => 'Freier Speicher ',
|
||||
'free swap' => 'Freier Swap',
|
||||
|
||||
@@ -910,6 +910,142 @@
|
||||
'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
|
||||
'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
|
||||
'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
|
||||
'forward firewall' => 'Firewall',
|
||||
'fwdfw additional' => 'Additional',
|
||||
'fwdfw action' => 'Action',
|
||||
'fwdfw menu' => 'Firewall',
|
||||
'fwdfw addrule' => 'Add new rule:',
|
||||
'fwdfw addr grp' => 'Adress groups:',
|
||||
'fwdfw change' => 'Update',
|
||||
'fwdfw cust addr' => 'Custom addresses:',
|
||||
'fwdfw cust net' => 'Custom networks:',
|
||||
'fwdfw copy' => 'Copy',
|
||||
'fwdfw delete' => 'Delete',
|
||||
'fwdfw edit' => 'Edit',
|
||||
'fwdfw err nosrc' => 'No source selected.',
|
||||
'fwdfw err nosrcip' => 'Please provide source IP address.',
|
||||
'fwdfw err notgt' => 'No target selected.',
|
||||
'fwdfw err notgtip' => 'Please provide target IP address.',
|
||||
'fwdfw err prot' => 'Source and target protocol have to match.',
|
||||
'fwdfw err remark' => 'Invalid chars in remark.',
|
||||
'fwdfw err ruleexists' => 'This rule already exists.',
|
||||
'fwdfw err src_addr' => 'Invalid source MAC/IP.',
|
||||
'fwdfw err same' => 'Identical source and target',
|
||||
'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
|
||||
'fwdfw err srcport' => 'Please provide source port.',
|
||||
'fwdfw err tgtport' => 'Please provide target port.',
|
||||
'fwdfw err tgt_addr' => 'Invalid target IP-address.',
|
||||
'fwdfw err tgt_port' => 'Invalid target port',
|
||||
'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.',
|
||||
'fwdfw err tgt_grp' => 'Target servicegroup is empty',
|
||||
'fwdfw err time' => 'You have to define at least one day.',
|
||||
'fwdfw from' => 'From:',
|
||||
'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.',
|
||||
'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
|
||||
'fwdfw ipsec network' => 'IpSec networks:',
|
||||
'fwdfw log rule' => 'Log rule',
|
||||
'fwdfw man port' => 'Port(s) manual:',
|
||||
'fwdfw moveup' => 'Move up',
|
||||
'fwdfw movedown' => 'Move down',
|
||||
'fwdfw reread' => 'Apply',
|
||||
'fwdfw rules' => 'Rules',
|
||||
'fwdfw rule action' => 'Rule action:',
|
||||
'fwdfw rule activate' => 'Activate rule',
|
||||
'fwdfw source' => 'Source',
|
||||
'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
|
||||
'fwdfw std network' => 'Standard networks:',
|
||||
'fwdfw target' => 'Target',
|
||||
'fwdfw targetip' => 'Target address (IP or network):',
|
||||
'fwdfw till' => 'Till:',
|
||||
'fwdfw time' => 'Timeframe:',
|
||||
'fwdfw timeframe' => 'Add timeframe',
|
||||
'fwdfw toggle' => 'Activate or deactivate',
|
||||
'fwdfw togglelog' => 'Activate or deactivate logging',
|
||||
'fwdfw use srcport' => 'Use sourceport',
|
||||
'fwdfw use srv' => 'Use targetport',
|
||||
'fwdfw newrule' => 'New rule',
|
||||
'fwdfw wd_mon' => 'Mon',
|
||||
'fwdfw wd_tue' => 'Tue',
|
||||
'fwdfw wd_wed' => 'Wed',
|
||||
'fwdfw wd_thu' => 'Thu',
|
||||
'fwdfw wd_fri' => 'Fri',
|
||||
'fwdfw wd_sat' => 'Sat',
|
||||
'fwdfw wd_sun' => 'Sun',
|
||||
'fwhost addgrp' => 'Group:',
|
||||
'fwhost addgrpname' => 'Groupname:',
|
||||
'fwhost addhost' => 'Address:',
|
||||
'fwhost addnet' => 'Network:',
|
||||
'fwhost addrule' => 'Add new rule:',
|
||||
'fwhost any' => 'Any',
|
||||
'fwhost attention' => 'ATTENTION',
|
||||
'fwhost back' => 'commit',
|
||||
'fwhost blue' => 'Blue',
|
||||
'fwhost ccdhost' => 'OpenVPN clients:',
|
||||
'fwhost ccdnet' => 'OpenVPN networks:',
|
||||
'fwhost change' => 'Modify',
|
||||
'fwhost changeremark' => 'You just modified the remark!',
|
||||
'fwhost cust addr' => 'Custom addresses:',
|
||||
'fwhost cust grp' => 'Custom groups:',
|
||||
'fwhost cust net' => 'Custom networks:',
|
||||
'fwhost cust service' => 'Custom services:',
|
||||
'fwhost cust srvgrp' => 'Custom servicegroups',
|
||||
'fwhost deleted' => 'Deleted',
|
||||
'fwhost empty' => 'No entries by now',
|
||||
'fwhost err addr' => 'Invalid IP or subnet!',
|
||||
'fwhost err addrgrp' => 'Please provide a groupname!',
|
||||
'fwhost err empty' => 'Please fill in all fields!',
|
||||
'fwhost err grpexist' => 'Group already exists!',
|
||||
'fwhost err groupempty' => 'Selected Group is empty!',
|
||||
'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
|
||||
'fwhost err name1' => 'Name is empty.',
|
||||
'fwhost err netexist' => 'A network with this name already exists!',
|
||||
'fwhost err net' => 'Network IP already exists',
|
||||
'fwhost err mac' => 'MAC address invalid',
|
||||
'fwhost err hostexist' => 'A host with this name already exists!',
|
||||
'fwhost err hostip' => 'Net or broadcast not allowed!',
|
||||
'fwhost err hostorip' => 'Name or IP invalid.',
|
||||
'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
|
||||
'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!',
|
||||
'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
|
||||
'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!',
|
||||
'fwhost err isingrp' => 'This entry already exists in the group!',
|
||||
'fwhost err ip' => 'IP address invalid.',
|
||||
'fwhost err ipmac' => 'IP/MAC address invalid.',
|
||||
'fwhost err ipcheck' => 'This IP address is already in use!',
|
||||
'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
|
||||
'fwhost err partofnet' => 'This network is part of an already existing one!',
|
||||
'fwhost err port' => 'Port is empty.',
|
||||
'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
|
||||
'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
|
||||
'fwhost err srv exists' => 'A Service with this name already exists.',
|
||||
'fwhost err sub32' => 'Please add single host. This subnet is no network!',
|
||||
'fwhost green' => 'Green',
|
||||
'fwhost hosts' => 'Firewall Hosts',
|
||||
'fwhost hint' => 'Note',
|
||||
'fwhost icmptype' => 'ICMP type:',
|
||||
'fwhost ipadr' => 'IP address:',
|
||||
'fwhost ip_mac' => 'IP/MAC address',
|
||||
'fwhost ipsec host' => 'IPsec clients:',
|
||||
'fwhost ipsec net' => 'IPsec networks:',
|
||||
'fwhost netaddress' => 'Network address:',
|
||||
'fwhost newnet' => 'Network',
|
||||
'fwhost newhost' => 'Host',
|
||||
'fwhost newgrp' => 'Address grouping',
|
||||
'fwhost newservice' => 'Service',
|
||||
'fwhost newservicegrp' => 'Service grouping',
|
||||
'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!',
|
||||
'fwhost menu' => 'Firewall Groups',
|
||||
'fwhost orange' => 'Orange',
|
||||
'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
|
||||
'fwhost port' => 'Port(s)',
|
||||
'fwhost prot' => 'Protocol',
|
||||
'fwhost reset' => 'Cancel',
|
||||
'fwhost services' => 'Services',
|
||||
'fwhost srv_name' => 'Servicename',
|
||||
'fwhost stdnet' => 'Standard networks:',
|
||||
'fwhost type' => 'Type',
|
||||
'fwhost used' => 'Used',
|
||||
'fwhost wo subnet' => '(without subnet)',
|
||||
'free' => 'Free',
|
||||
'free memory' => 'Free Memory ',
|
||||
'free swap' => 'Free Swap',
|
||||
|
||||
@@ -50,59 +50,62 @@ $(TARGET) :
|
||||
@$(PREBUILD)
|
||||
|
||||
# Create all directories
|
||||
for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \
|
||||
ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
|
||||
for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
|
||||
ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
|
||||
ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
|
||||
net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
|
||||
outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
|
||||
proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
|
||||
updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
|
||||
wakeonlan wireless xtaccess ; do \
|
||||
wakeonlan wireless ; do \
|
||||
mkdir -p $(CONFIG_ROOT)/$$i; \
|
||||
done
|
||||
|
||||
# Touch empty files
|
||||
for i in auth/users backup/include.user backup/exclude.user \
|
||||
certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
|
||||
dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
|
||||
dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
|
||||
ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
|
||||
forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
|
||||
isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
|
||||
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
|
||||
ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
|
||||
ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
|
||||
qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
|
||||
vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
|
||||
touch $(CONFIG_ROOT)/$$i; \
|
||||
touch $(CONFIG_ROOT)/$$i; \
|
||||
done
|
||||
|
||||
# Copy initial configfiles
|
||||
cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
|
||||
cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list
|
||||
cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl
|
||||
cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler
|
||||
cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/
|
||||
cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings
|
||||
cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
|
||||
cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
|
||||
cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults
|
||||
cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
|
||||
cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
|
||||
cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
|
||||
cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
|
||||
cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
|
||||
cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
|
||||
cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
|
||||
cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
|
||||
cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
|
||||
cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
|
||||
cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
|
||||
cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
|
||||
cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config
|
||||
cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
|
||||
cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
|
||||
cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced
|
||||
cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
|
||||
cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
|
||||
|
||||
cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
|
||||
cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
|
||||
cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
|
||||
cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
|
||||
# Oneliner configfiles
|
||||
echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
|
||||
echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
|
||||
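Review bot: The new `cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl` and `firewall-lib.pl` copies and the touched `forward/settings forward/config forward/input fwhosts/...` files get no ownership in this hunk; the following hunk only adds `chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl`. The loop that ends just before `chown root:nobody $(CONFIG_ROOT)/dhcpc` in the last configroot hunk is outside the visible lines; if that loop is what hands CGI-writable config files to the web server user, the new forward/ and fwhosts/ files need adding there or the firewall CGI cannot save rules, and if it is not, their ownership should be stated explicitly rather than left to whatever `touch` produces. In the next hunk the moved `# Set outgoingfw.pl executable` block and the new `# set rules.pl executable` line are followed by three blank lines before `# Modify variables in header.pl`; one blank line would match the rest of the recipe.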
@@ -115,6 +118,14 @@ $(TARGET) :
|
||||
echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
|
||||
echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
|
||||
|
||||
# Set outgoingfw.pl executable
|
||||
chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
|
||||
|
||||
# set rules.pl executable
|
||||
chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
|
||||
|
||||
|
||||
|
||||
# Modify variables in header.pl
|
||||
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
|
||||
-e "s+VERSION+$(VERSION)+g" \
|
||||
@@ -140,7 +151,5 @@ $(TARGET) :
|
||||
done
|
||||
chown root:nobody $(CONFIG_ROOT)/dhcpc
|
||||
|
||||
# Set outgoingfw.pl executable
|
||||
chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
|
||||
|
||||
|
||||
@$(POSTBUILD)
|
||||
|
||||
@@ -181,18 +181,17 @@ $(TARGET) :
|
||||
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
|
||||
ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
|
||||
/etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
|
||||
ln -sf ../../../../../usr/local/bin/forwardfwctrl \
|
||||
/etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
|
||||
ln -sf ../../../../../usr/local/bin/snortctrl \
|
||||
/etc/rc.d/init.d/networking/red.up/23-RS-snort
|
||||
/etc/rc.d/init.d/networking/red.up/24-RS-snort
|
||||
ln -sf ../../../../../usr/local/bin/qosctrl \
|
||||
/etc/rc.d/init.d/networking/red.up/24-RS-qos
|
||||
/etc/rc.d/init.d/networking/red.up/25-RS-qos
|
||||
ln -sf ../../../../../usr/local/bin/setportfw \
|
||||
/etc/rc.d/init.d/networking/red.up/25-portfw
|
||||
ln -sf ../../../../../usr/local/bin/setxtaccess \
|
||||
/etc/rc.d/init.d/networking/red.up/26-xtaccess
|
||||
/etc/rc.d/init.d/networking/red.up/26-portfw
|
||||
ln -sf ../../../../../usr/local/bin/dialctrl.pl \
|
||||
/etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
|
||||
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
|
||||
|
||||
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
|
||||
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
|
||||
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
|
||||
ln -sf ../../../../../usr/local/bin/dialctrl.pl \
|
||||
|
||||
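Review bot: The `ln -sf` lines create the renumbered links (`24-RS-snort`, `25-RS-qos`, `26-portfw`, `28-RS-squid`, new `23-forwardfwctrl`) but nothing removes the old names, so on any system where this recipe re-runs over an existing `/etc/rc.d/init.d/networking/red.up` the old `23-RS-snort`, `24-RS-qos`, `25-portfw`, `27-RS-squid` links would fire a second time and `26-xtaccess` would point at a helper this commit stops building. If this lfs only ever runs at image-build time that is harmless, but the upgrade path should then drop the stale links; an `rm -f /etc/rc.d/init.d/networking/red.up/{23-RS-snort,24-RS-qos,25-portfw,26-xtaccess,27-RS-squid}` ahead of the `ln -sf` block, or the equivalent in the update script, would make the rename idempotent. The enclosing `$(TARGET)` recipe continues outside the hunk.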
@@ -195,6 +195,14 @@ case "$1" in
|
||||
# Outgoing Firewall
|
||||
/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
|
||||
|
||||
# Forward Firewall
|
||||
/sbin/iptables -N FORWARDFW
|
||||
/sbin/iptables -A FORWARD -j FORWARDFW
|
||||
|
||||
# Input Firewall
|
||||
/sbin/iptables -N INPUTFW
|
||||
/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
|
||||
|
||||
# localhost and ethernet.
|
||||
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
|
||||
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
|
||||
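Review bot: `/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW` is appended before the loopback anti-spoof rule `/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP` that follows it in this hunk, so any ACCEPT that the rule generator later places in INPUTFW is matched before packets claiming a 127.0.0.0/8 source are dropped. Move the INPUTFW jump below the `# localhost and ethernet.` rules, or put the 127.0.0.0/8 DROP ahead of the jump, so user-managed rules cannot override the spoof check. Separately, `/sbin/iptables -A FORWARD -j FORWARDFW` carries no `-m state --state NEW` qualifier while the INPUTFW jump does; if FORWARDFW is meant to see established traffic as well (as OUTGOINGFWMAC does), a comment saying so would stop the asymmetry looking like an omission. The enclosing `case "$1" in` block starts outside the hunk.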
@@ -234,17 +242,6 @@ case "$1" in
|
||||
|
||||
iptables_red
|
||||
|
||||
# DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
|
||||
# ORANGE to talk to GREEN / BLUE.
|
||||
/sbin/iptables -N DMZHOLES
|
||||
if [ "$ORANGE_DEV" != "" ]; then
|
||||
/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
|
||||
fi
|
||||
|
||||
# XTACCESS chain, used for external access
|
||||
/sbin/iptables -N XTACCESS
|
||||
/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
|
||||
|
||||
# PORTFWACCESS chain, used for portforwarding
|
||||
/sbin/iptables -N PORTFWACCESS
|
||||
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
|
||||
|
||||
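Review bot: Removing the XTACCESS and DMZHOLES chains here is consistent with the deleted setxtaccess.c and setdmzholes.c, but the lfs/configroot context near the top of this page still installs `cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config`, which now has no consumer in the firewall. Either drop that line too or note in the commit message that the old xtaccess/dmzholes configuration is kept on disk for migration by the new forward firewall.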
@@ -47,9 +47,7 @@ init_networking() {
|
||||
# (exit ${failed})
|
||||
# evaluate_retval
|
||||
|
||||
boot_mesg "Setting up DMZ pinholes"
|
||||
/usr/local/bin/setdmzholes; evaluate_retval
|
||||
|
||||
|
||||
if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
|
||||
boot_mesg "Setting up wireless firewall rules"
|
||||
/usr/local/bin/wirelessctrl; evaluate_retval
|
||||
|
||||
@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
|
||||
COMPILE=$(CC) $(CFLAGS)
|
||||
|
||||
PROGS = iowrap
|
||||
SUID_PROGS = setdmzholes setportfw setxtaccess \
|
||||
SUID_PROGS = setportfw \
|
||||
squidctrl sshctrl ipfirereboot \
|
||||
ipsecctrl timectrl dhcpctrl snortctrl \
|
||||
applejuicectrl rebuildhosts backupctrl \
|
||||
logwatch openvpnctrl outgoingfwctrl \
|
||||
logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
|
||||
wirelessctrl getipstat qosctrl launch-ether-wake \
|
||||
redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
|
||||
smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
|
||||
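Review bot: `forwardfwctrl` joins SUID_PROGS, so it becomes a setuid-root helper, yet forwardfwctrl.c is not part of this diff and the only visible hint of what it runs is the `forward/bin/rules.pl` made executable in lfs/configroot. The deleted helpers in this commit at least called `initsetuid()` and validated every field before building an iptables command; the new wrapper should be held to the same bar (absolute path to the script it launches, sanitized environment, no user-controlled arguments) and that should be reviewable in the same change. The following hunk removes the `setdmzholes:` build target but the `setxtaccess:` target is not visibly removed; if it survives it is dead but harmless since it is no longer listed in SUID_PROGS.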
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
|
||||
$(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
|
||||
|
||||
|
||||
@@ -1,162 +0,0 @@
|
||||
/* SmoothWall helper program - setdmzhole
|
||||
*
|
||||
* This program is distributed under the terms of the GNU General Public
|
||||
* Licence. See the file COPYING for details.
|
||||
*
|
||||
* (c) Daniel Goscomb, 2001
|
||||
*
|
||||
* Modifications and improvements by Lawrence Manning.
|
||||
*
|
||||
* 10/04/01 Aslak added protocol support
|
||||
* This program reads the list of ports to forward and setups iptables
|
||||
* and rules in ipmasqadm to enable them.
|
||||
*
|
||||
* $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $
|
||||
*
|
||||
*/
|
||||
#include "libsmooth.h"
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include "setuid.h"
|
||||
|
||||
FILE *fwdfile = NULL;
|
||||
|
||||
void exithandler(void)
|
||||
{
|
||||
if (fwdfile)
|
||||
fclose(fwdfile);
|
||||
}
|
||||
|
||||
int main(void)
|
||||
{
|
||||
int count;
|
||||
char *protocol;
|
||||
char *locip;
|
||||
char *remip;
|
||||
char *remport;
|
||||
char *enabled;
|
||||
char *src_net;
|
||||
char *dst_net;
|
||||
char s[STRING_SIZE];
|
||||
char *result;
|
||||
struct keyvalue *kv = NULL;
|
||||
char orange_dev[STRING_SIZE] = "";
|
||||
char blue_dev[STRING_SIZE] = "";
|
||||
char green_dev[STRING_SIZE] = "";
|
||||
char *idev;
|
||||
char *odev;
|
||||
char command[STRING_SIZE];
|
||||
|
||||
if (!(initsetuid()))
|
||||
exit(1);
|
||||
|
||||
atexit(exithandler);
|
||||
|
||||
kv=initkeyvalues();
|
||||
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
|
||||
{
|
||||
fprintf(stderr, "Cannot read ethernet settings\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!findkey(kv, "GREEN_DEV", green_dev))
|
||||
{
|
||||
fprintf(stderr, "Cannot read GREEN_DEV\n");
|
||||
exit(1);
|
||||
}
|
||||
findkey(kv, "BLUE_DEV", blue_dev);
|
||||
findkey(kv, "ORANGE_DEV", orange_dev);
|
||||
|
||||
if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))
|
||||
{
|
||||
fprintf(stderr, "Couldn't open dmzholes settings file\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
safe_system("/sbin/iptables -F DMZHOLES");
|
||||
|
||||
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
|
||||
{
|
||||
if (s[strlen(s) - 1] == '\n')
|
||||
s[strlen(s) - 1] = '\0';
|
||||
result = strtok(s, ",");
|
||||
|
||||
count = 0;
|
||||
protocol = NULL;
|
||||
locip = NULL; remip = NULL;
|
||||
remport = NULL;
|
||||
enabled = NULL;
|
||||
src_net = NULL;
|
||||
dst_net = NULL;
|
||||
idev = NULL;
|
||||
odev = NULL;
|
||||
|
||||
while (result)
|
||||
{
|
||||
if (count == 0)
|
||||
protocol = result;
|
||||
else if (count == 1)
|
||||
locip = result;
|
||||
else if (count == 2)
|
||||
remip = result;
|
||||
else if (count == 3)
|
||||
remport = result;
|
||||
else if (count == 4)
|
||||
enabled = result;
|
||||
else if (count == 5)
|
||||
src_net = result;
|
||||
else if (count == 6)
|
||||
dst_net = result;
|
||||
count++;
|
||||
result = strtok(NULL, ",");
|
||||
}
|
||||
|
||||
if (!(protocol && locip && remip && remport && enabled))
|
||||
{
|
||||
fprintf(stderr, "Bad line:\n");
|
||||
break;
|
||||
}
|
||||
|
||||
if (!VALID_PROTOCOL(protocol))
|
||||
{
|
||||
fprintf(stderr, "Bad protocol: %s\n", protocol);
|
||||
exit(1);
|
||||
}
|
||||
if (!VALID_IP_AND_MASK(locip))
|
||||
{
|
||||
fprintf(stderr, "Bad local IP: %s\n", locip);
|
||||
exit(1);
|
||||
}
|
||||
if (!VALID_IP_AND_MASK(remip))
|
||||
{
|
||||
fprintf(stderr, "Bad remote IP: %s\n", remip);
|
||||
exit(1);
|
||||
}
|
||||
if (!VALID_PORT_RANGE(remport))
|
||||
{
|
||||
fprintf(stderr, "Bad remote port: %s\n", remport);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!src_net) { src_net = strdup ("orange");}
|
||||
if (!dst_net) { dst_net = strdup ("green");}
|
||||
|
||||
if (!strcmp(src_net, "blue")) { idev = blue_dev; }
|
||||
if (!strcmp(src_net, "orange")) { idev = orange_dev; }
|
||||
if (!strcmp(dst_net, "blue")) { odev = blue_dev; }
|
||||
if (!strcmp(dst_net, "green")) { odev = green_dev; }
|
||||
|
||||
if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))
|
||||
{
|
||||
char *ctr;
|
||||
/* If remport contains a - we need to change it to a : */
|
||||
if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
|
||||
memset(command, 0, STRING_SIZE);
|
||||
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);
|
||||
safe_system(command);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1,168 +0,0 @@
|
||||
/* SmoothWall helper program - setxtaccess
|
||||
*
|
||||
* This program is distributed under the terms of the GNU General Public
|
||||
* Licence. See the file COPYING for details.
|
||||
*
|
||||
* (c) Daniel Goscomb, 2001
|
||||
*
|
||||
* Modifications and improvements by Lawrence Manning.
|
||||
*
|
||||
* 10/04/01 Aslak added protocol support
|
||||
*
|
||||
* (c) Steve Bootes 2002/04/14 - Added source IP support for aliases
|
||||
*
|
||||
* 19/04/03 Robert Kerr Fixed root exploit
|
||||
*
|
||||
* $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include "setuid.h"
|
||||
|
||||
FILE *ifacefile = NULL;
|
||||
FILE *fwdfile = NULL;
|
||||
FILE *ipfile = NULL;
|
||||
|
||||
void exithandler(void)
|
||||
{
|
||||
if (fwdfile)
|
||||
fclose(fwdfile);
|
||||
}
|
||||
|
||||
int main(void)
|
||||
{
|
||||
char iface[STRING_SIZE] = "";
|
||||
char locip[STRING_SIZE] = "";
|
||||
char s[STRING_SIZE] = "";
|
||||
int count;
|
||||
char *protocol;
|
||||
char *destip;
|
||||
char *remip;
|
||||
char *locport;
|
||||
char *enabled;
|
||||
char *information;
|
||||
char *result;
|
||||
char command[STRING_SIZE];
|
||||
|
||||
if (!(initsetuid()))
|
||||
exit(1);
|
||||
|
||||
atexit(exithandler);
|
||||
|
||||
if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
|
||||
{
|
||||
fprintf(stderr, "Couldn't open local ip file\n");
|
||||
exit(1);
|
||||
}
|
||||
if (fgets(locip, STRING_SIZE, ipfile))
|
||||
{
|
||||
if (locip[strlen(locip) - 1] == '\n')
|
||||
locip[strlen(locip) - 1] = '\0';
|
||||
}
|
||||
fclose (ipfile);
|
||||
if (!VALID_IP(locip))
|
||||
{
|
||||
fprintf(stderr, "Bad local IP: %s\n", locip);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
|
||||
{
|
||||
fprintf(stderr, "Couldn't open iface file\n");
|
||||
exit(1);
|
||||
}
|
||||
if (fgets(iface, STRING_SIZE, ifacefile))
|
||||
{
|
||||
if (iface[strlen(iface) - 1] == '\n')
|
||||
iface[strlen(iface) - 1] = '\0';
|
||||
}
|
||||
fclose (ifacefile);
|
||||
if (!VALID_DEVICE(iface))
|
||||
{
|
||||
fprintf(stderr, "Bad iface: %s\n", iface);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))
|
||||
{
|
||||
fprintf(stderr, "Couldn't open xtaccess settings file\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
safe_system("/sbin/iptables -F XTACCESS");
|
||||
|
||||
while (fgets(s, STRING_SIZE, fwdfile) != NULL)
|
||||
{
|
||||
if (s[strlen(s) - 1] == '\n')
|
||||
s[strlen(s) - 1] = '\0';
|
||||
count = 0;
|
||||
protocol = NULL;
|
||||
remip = NULL;
|
||||
destip = NULL;
|
||||
locport = NULL;
|
||||
enabled = NULL;
|
||||
information = NULL;
|
||||
result = strtok(s, ",");
|
||||
while (result)
|
||||
{
|
||||
if (count == 0)
|
||||
protocol = result;
|
||||
else if (count == 1)
|
||||
remip = result;
|
||||
else if (count == 2)
|
||||
locport = result;
|
||||
else if (count == 3)
|
||||
enabled = result;
|
||||
else if (count == 4)
|
||||
destip = result;
|
||||
else
|
||||
information = result;
|
||||
count++;
|
||||
result = strtok(NULL, ",");
|
||||
}
|
||||
|
||||
if (!(protocol && remip && locport && enabled))
|
||||
break;
|
||||
|
||||
if (!VALID_PROTOCOL(protocol))
|
||||
{
|
||||
fprintf(stderr, "Bad protocol: %s\n", protocol);
|
||||
exit(1);
|
||||
}
|
||||
if (!VALID_IP_AND_MASK(remip))
|
||||
{
|
||||
fprintf(stderr, "Bad remote IP: %s\n", remip);
|
||||
exit(1);
|
||||
}
|
||||
if (!VALID_PORT_RANGE(locport))
|
||||
{
|
||||
fprintf(stderr, "Bad local port: %s\n", locport);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* check for destination ip in config file. If it's there
|
||||
* and it's not 0.0.0.0, use it; else use the current
|
||||
* local ip address. (This makes sure we can use old-style
|
||||
* config files without the destination ip) */
|
||||
if (!destip || !strcmp(destip, "0.0.0.0"))
|
||||
destip = locip;
|
||||
if (!VALID_IP(destip))
|
||||
{
|
||||
fprintf(stderr, "Bad destination IP: %s\n", remip);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (strcmp(enabled, "on") == 0)
|
||||
{
|
||||
memset(command, 0, STRING_SIZE);
|
||||
snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
|
||||
iface, protocol, remip, destip, locport);
|
||||
safe_system(command);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||