Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes.

Signed-off-by: Alexander Marx <amarx@ipfire.org> Conflicts: config/backup/include lfs/configroot lfs/usb-stick
2026-04-23 17:32:57 +02:00 · 2013-08-09 14:02:02 +02:00
parent 7323724196
commit 111c99ddfa
15 changed files with 449 additions and 414 deletions
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -195,6 +195,14 @@ case "$1" in
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC

+    # Forward Firewall
+    /sbin/iptables -N FORWARDFW
+    /sbin/iptables -A FORWARD -j FORWARDFW
+    
+    # Input Firewall
+    /sbin/iptables -N INPUTFW
+    /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+    
 	# localhost and ethernet.
 	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
@@ -234,17 +242,6 @@ case "$1" in

 	iptables_red

-	# DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
-	# ORANGE to talk to GREEN / BLUE.
-	/sbin/iptables -N DMZHOLES
-	if [ "$ORANGE_DEV" != "" ]; then
-		/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
-	fi
-
-	# XTACCESS chain, used for external access
-	/sbin/iptables -N XTACCESS
-	/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
 	# PORTFWACCESS chain, used for portforwarding
 	/sbin/iptables -N PORTFWACCESS
 	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
--- a/src/initscripts/init.d/network
+++ b/src/initscripts/init.d/network
@@ -47,9 +47,7 @@ init_networking() {
 #	(exit ${failed})
 #	evaluate_retval

-	boot_mesg "Setting up DMZ pinholes"
-	/usr/local/bin/setdmzholes; evaluate_retval
-
+	
 	if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
 		boot_mesg "Setting up wireless firewall rules"
 		/usr/local/bin/wirelessctrl; evaluate_retval
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
 COMPILE=$(CC) $(CFLAGS)

 PROGS = iowrap
-SUID_PROGS = setdmzholes setportfw setxtaccess \
+SUID_PROGS = setportfw \
 	squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl snortctrl \
 	applejuicectrl rebuildhosts backupctrl \
-	logwatch openvpnctrl outgoingfwctrl \
+	logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
 	wirelessctrl getipstat qosctrl launch-ether-wake \
 	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
 outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 	
+forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+	$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+	
 timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@

 launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@

-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
-	$(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-
 setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@

--- a/src/misc-progs/setdmzholes.c
+++ b/src/misc-progs/setdmzholes.c
@@ -1,162 +0,0 @@
-/* SmoothWall helper program - setdmzhole
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
- *
- * (c) Daniel Goscomb, 2001
- * 
- * Modifications and improvements by Lawrence Manning.
- *
- * 10/04/01 Aslak added protocol support
- * This program reads the list of ports to forward and setups iptables
- * and rules in ipmasqadm to enable them.
- * 
- * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $
- * 
- */
-#include "libsmooth.h"
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "setuid.h"
-
-FILE *fwdfile = NULL;
-
-void exithandler(void)
-{
-	if (fwdfile)
-		fclose(fwdfile);
-}
-
-int main(void)
-{
-	int count;
-	char *protocol;
-	char *locip;
-	char *remip;
-	char *remport;
-	char *enabled;
-	char *src_net;
-	char *dst_net;
-	char s[STRING_SIZE];
-	char *result;
-	struct keyvalue *kv = NULL;
-	char orange_dev[STRING_SIZE] = "";
-	char blue_dev[STRING_SIZE] = "";
-	char green_dev[STRING_SIZE] = "";
-	char *idev;
-	char *odev;
-	char command[STRING_SIZE];
-
-	if (!(initsetuid()))
-		exit(1);
-
-	atexit(exithandler);
-
-	kv=initkeyvalues();
-	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
-	{
-		fprintf(stderr, "Cannot read ethernet settings\n");
-		exit(1);
-	}
-
-	if (!findkey(kv, "GREEN_DEV", green_dev))
-	{
-		fprintf(stderr, "Cannot read GREEN_DEV\n");
-		exit(1);
-	}
-	findkey(kv, "BLUE_DEV", blue_dev);
-	findkey(kv, "ORANGE_DEV", orange_dev);
-
-	if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))
-	{
-		fprintf(stderr, "Couldn't open dmzholes settings file\n");
-		exit(1);
-	}
-
-	safe_system("/sbin/iptables -F DMZHOLES");
-
-	while (fgets(s, STRING_SIZE, fwdfile) != NULL)
-	{
-		if (s[strlen(s) - 1] == '\n')
-		        s[strlen(s) - 1] = '\0';
-		result = strtok(s, ",");
-		
-		count = 0;
-		protocol = NULL;
-		locip = NULL; remip = NULL;
-		remport = NULL;
-		enabled = NULL;
-		src_net = NULL;
-		dst_net = NULL;
-		idev = NULL;
-		odev = NULL;
-		
-		while (result)
-		{
-			if (count == 0)
-				protocol = result;
-			else if (count == 1)
-				locip = result;
-			else if (count == 2)
-				remip = result;
-			else if (count == 3)
-				remport = result;
-			else if (count == 4)
-				enabled = result;
-			else if (count == 5)
-				src_net = result;
-			else if (count == 6)
-				dst_net = result;
-			count++;
-			result = strtok(NULL, ",");
-		}
-
-		if (!(protocol && locip && remip && remport && enabled))
-		{
-			fprintf(stderr, "Bad line:\n");
-			break;
-		}
-
-		if (!VALID_PROTOCOL(protocol))
-		{
-			fprintf(stderr, "Bad protocol: %s\n", protocol);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(locip))
-		{
-			fprintf(stderr, "Bad local IP: %s\n", locip);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(remip))
-		{
-			fprintf(stderr, "Bad remote IP: %s\n", remip);
-			exit(1);
-		}
-		if (!VALID_PORT_RANGE(remport))
-		{
-			fprintf(stderr, "Bad remote port: %s\n", remport);
-			exit(1);
-		}
-		
-		if (!src_net) { src_net = strdup ("orange");}
-		if (!dst_net) { dst_net = strdup ("green");}
-		
-		if (!strcmp(src_net, "blue"))   { idev = blue_dev; }
-		if (!strcmp(src_net, "orange")) { idev = orange_dev; }
-		if (!strcmp(dst_net, "blue"))   { odev = blue_dev; }
-		if (!strcmp(dst_net, "green"))  { odev = green_dev; }
-		
-		if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))
-		{
-			char *ctr;
-			/* If remport contains a - we need to change it to a : */
-			if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
-			memset(command, 0, STRING_SIZE);
-			snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);
-			safe_system(command);
-		}
-	}
-
-	return 0;
-}
--- a/src/misc-progs/setxtaccess.c
+++ b/src/misc-progs/setxtaccess.c
@@ -1,168 +0,0 @@
-/* SmoothWall helper program - setxtaccess
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
- *
- * (c) Daniel Goscomb, 2001
- * 
- * Modifications and improvements by Lawrence Manning.
- *
- * 10/04/01 Aslak added protocol support
- * 
- * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases
- *
- * 19/04/03 Robert Kerr Fixed root exploit
- *
- * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $
- * 
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "setuid.h"
-
-FILE *ifacefile = NULL;
-FILE *fwdfile = NULL;
-FILE *ipfile = NULL;
-
-void exithandler(void)
-{
-	if (fwdfile)
-		fclose(fwdfile);
-}
-
-int main(void)
-{
-	char iface[STRING_SIZE] = "";
-	char locip[STRING_SIZE] = "";
-	char s[STRING_SIZE] = "";
-	int count;
-	char *protocol;
-	char *destip;
-	char *remip;
-	char *locport;
-	char *enabled;
-	char *information;
-	char *result;
-	char command[STRING_SIZE];
-
-	if (!(initsetuid()))
-		exit(1);
-
-	atexit(exithandler);
-
-	if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
-	{
-		fprintf(stderr, "Couldn't open local ip file\n");
-		exit(1);
-	}
-	if (fgets(locip, STRING_SIZE, ipfile))
-	{
-		if (locip[strlen(locip) - 1] == '\n')
-			locip[strlen(locip) - 1] = '\0';
-	}
-	fclose (ipfile);
-	if (!VALID_IP(locip))
-	{
-		fprintf(stderr, "Bad local IP: %s\n", locip);
-		exit(1);
-	}
-
-	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
-	{
-		fprintf(stderr, "Couldn't open iface file\n");
-		exit(1);
-	}
-	if (fgets(iface, STRING_SIZE, ifacefile))
-	{
-		if (iface[strlen(iface) - 1] == '\n')
-			iface[strlen(iface) - 1] = '\0';
-	}
-		fclose (ifacefile);
-	if (!VALID_DEVICE(iface))
-	{
-		fprintf(stderr, "Bad iface: %s\n", iface);
-		exit(1);
-	}
- 
-	if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))
-	{
-		fprintf(stderr, "Couldn't open xtaccess settings file\n");
-		exit(1);
-	}
-
-	safe_system("/sbin/iptables -F XTACCESS");
-
-	while (fgets(s, STRING_SIZE, fwdfile) != NULL)
-	{
-		if (s[strlen(s) - 1] == '\n')
-			s[strlen(s) - 1] = '\0';
-		count = 0;
-		protocol = NULL;
-		remip = NULL;
-		destip = NULL;
-		locport = NULL;
-		enabled = NULL;
-		information = NULL;
-		result = strtok(s, ",");
-		while (result)
-		{
-			if (count == 0)
-				protocol = result;
-			else if (count == 1)
-				remip = result;
-			else if (count == 2)
-				locport = result;
-			else if (count == 3)
-				enabled = result;
-			else if (count == 4)
-				destip = result;
-			else
-				information = result;
-			count++;
-			result = strtok(NULL, ",");
-		}
-
-		if (!(protocol && remip && locport && enabled))
-			break;
-		
-		if (!VALID_PROTOCOL(protocol))
-		{
-			fprintf(stderr, "Bad protocol: %s\n", protocol);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(remip))
-		{
-			fprintf(stderr, "Bad remote IP: %s\n", remip);
-			exit(1);
-		}
-		if (!VALID_PORT_RANGE(locport))
-		{
-			fprintf(stderr, "Bad local port: %s\n", locport);
-			exit(1);
-		}
-
-                /* check for destination ip in config file. If it's there
-                 * and it's not 0.0.0.0, use it; else use the current
-                 * local ip address. (This makes sure we can use old-style
-                 * config files without the destination ip) */
-		if (!destip || !strcmp(destip, "0.0.0.0"))
-			destip = locip;
-		if (!VALID_IP(destip))
-		{
-			fprintf(stderr, "Bad destination IP: %s\n", remip);
-			exit(1);
-		}
-
-		if (strcmp(enabled, "on") == 0)
-		{
-			memset(command, 0, STRING_SIZE);
-			snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
-	iface, protocol, remip, destip, locport);
-			safe_system(command);
-		}
-	}
-	
-	return 0;
-}