Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes.

Signed-off-by: Alexander Marx <amarx@ipfire.org>

Conflicts:
	config/backup/include
	lfs/configroot
	lfs/usb-stick

config/backup/include

@@ -15,6 +15,8 @@
 /var/ipfire/auth/users
 /var/ipfire/dhcp/*
 /var/ipfire/dnsforward/*
+/var/ipfire/forward/*
+/var/ipfire/fwhosts/*
 /var/ipfire/main/*
 /var/ipfire/outgoing/groups
 /var/ipfire/outgoing/macgroups

config/cfgroot/general-functions.pl

@@ -21,8 +21,8 @@ use Net::SSLeay;
 use Net::IPv4Addr qw(:all);
 $|=1; # line buffering
 
-$General::version = 'VERSION';
+$General::version = '2.11';
-$General::swroot = 'CONFIG_ROOT';
+$General::swroot = '/var/ipfire';
 $General::noipprefix = 'noipg-';
 $General::adminmanualurl = 'http://wiki.ipfire.org';
 
@@ -39,6 +39,99 @@ sub log
 	$logmessage = $1;
 	system('logger', '-t', $tag, $logmessage);
 }
+sub setup_default_networks
+{
+	my %netsettings=();
+	my $defaultNetworks = shift;
+	
+	&readhash("/var/ipfire/ethernet/settings", \%netsettings);
+	
+	# Get current defined networks (Red, Green, Blue, Orange)
+	$defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
+	$defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
+		
+	$defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+	$defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
+	if ($netsettings{'ORANGE_DEV'} ne ''){
+		$defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+		$defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
+	}
+
+	if ($netsettings{'BLUE_DEV'} ne ''){
+		$defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+		$defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
+	}
+
+	# OpenVPN
+	if(-e "${General::swroot}/ovpn/settings")
+	{
+		my %ovpnSettings = ();
+		&readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+
+		# OpenVPN on Red?
+		if(defined($ovpnSettings{'DOVPN_SUBNET'}))
+		{
+			my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
+			$sub=&General::iporsubtocidr($sub);
+			my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
+			$defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
+			$defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
+		}
+	} # end OpenVPN
+	# IPsec RW NET
+	if(-e "${General::swroot}/vpn/settings")
+	{
+		my %ipsecsettings = ();
+		&readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+		if($ipsecsettings{'RW_NET'} ne '')
+		{
+			my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
+			$sub=&General::iporsubtocidr($sub);
+			my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
+			$defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
+			$defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
+		}
+	}
+	#open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+	#my @current = <FILE>;
+	#close(FILE);
+	#my $ctr = 0;
+	#foreach my $line (@current)
+	#{
+		#if ($line ne ''){
+			#chomp($line);
+			#my @temp = split(/\,/,$line);
+			#if ($temp[2] eq '') {
+				#$temp[2] = "Alias $ctr : $temp[0]";
+			#}
+			#$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+			#$ctr++;
+		#}
+	#}
+}
+sub get_aliases
+{
+	
+	my $defaultNetworks = shift;
+	open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+	my @current = <FILE>;
+	close(FILE);
+	my $ctr = 0;
+	foreach my $line (@current)
+	{
+		if ($line ne ''){
+			chomp($line);
+			my @temp = split(/\,/,$line);
+			if ($temp[2] eq '') {
+				$temp[2] = "Alias $ctr : $temp[0]";
+			}
+			$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+			
+			$ctr++;
+		}
+	}
+}
 
 sub readhash
 {

config/menu/50-firewall.menu

@@ -4,49 +4,37 @@
 				 'title' => "$Lang::tr{'ssport forwarding'}",
 				 'enabled' => 1,
 				 };
-    $subfirewall->{'20.xtaccess'} = {
-				 'caption' => $Lang::tr{'external access'},
-				 'uri' => '/cgi-bin/xtaccess.cgi',
-				 'title' => "$Lang::tr{'external access'}",
-				 'enabled' => 1,
-				 };
     $subfirewall->{'30.wireless'} = {
 				'caption' => $Lang::tr{'blue access'},
 				'uri' => '/cgi-bin/wireless.cgi',
 				'title' => "$Lang::tr{'blue access'}",
 				'enabled' => 1,
 				 };
-    $subfirewall->{'40.dmz'} = {
+    $subfirewall->{'51.forward'} = {
-				'caption' => $Lang::tr{'ssdmz pinholes'},
+				'caption' => $Lang::tr{'fwdfw menu'},
-				'uri' => '/cgi-bin/dmzholes.cgi',
+				'uri' => '/cgi-bin/forwardfw.cgi',
-				'title' => "$Lang::tr{'dmz pinhole configuration'}",
+				'title' => "$Lang::tr{'fwdfw menu'}",
 				'enabled' => 1,
-				 };
+				};			
-    $subfirewall->{'50.outgoing'} = {
+	$subfirewall->{'65.fwhost'} = {
-				'caption' => $Lang::tr{'outgoing firewall'},
+				'caption' => $Lang::tr{'fwhost menu'},
-				'uri' => '/cgi-bin/outgoingfw.cgi',
+				'uri' => '/cgi-bin/fwhosts.cgi',
-				'title' => "$Lang::tr{'outgoing firewall'}",
+				'title' => "$Lang::tr{'fwhost menu'}",
 				'enabled' => 1,
 				};
-    $subfirewall->{'51.outgoinggrp'} = {
+	$subfirewall->{'70.upnp'} = {
-				'caption' => $Lang::tr{'outgoing firewall groups'},
-				'uri' => '/cgi-bin/outgoinggrp.cgi',
-				'title' => "$Lang::tr{'outgoing firewall groups'}",
-				'enabled' => 1,
-				};
-    $subfirewall->{'60.upnp'} = {
 				'caption' => 'UPnP',
 				'uri' => '/cgi-bin/upnp.cgi',
 				'title' => "Universal Plug and Play",
 				'enabled' => 0,
 				};
-    $subfirewall->{'60.optingsfw'} = {
+	$subfirewall->{'80.optingsfw'} = {
 				'caption' => $Lang::tr{'options fw'},
 				'uri' => '/cgi-bin/optionsfw.cgi',
 				'title' => "$Lang::tr{'options fw'}",
 				'enabled' => 1,
 				};
-    $subfirewall->{'70.iptables'} = {
+	$subfirewall->{'90.iptables'} = {
 				'caption' => $Lang::tr{'ipts'},
 				'uri' => '/cgi-bin/iptables.cgi',
 				'title' => "$Lang::tr{'ipts'}",

config/rootfiles/common/configroot

@@ -26,8 +26,6 @@ var/ipfire/dhcp
 #var/ipfire/dhcp/fixleases
 #var/ipfire/dhcp/settings
 var/ipfire/dhcpc
-var/ipfire/dmzholes
-#var/ipfire/dmzholes/config
 var/ipfire/dns
 #var/ipfire/dns/settings
 var/ipfire/dnsforward
@@ -47,6 +45,19 @@ var/ipfire/extrahd/partitions
 var/ipfire/extrahd/scan
 var/ipfire/extrahd/settings
 var/ipfire/fwlogs
+var/ipfire/forward
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/settings
+var/ipfire/forward/config
+var/ipfire/forward/input
+var/ipfire/fwhosts
+var/ipfire/fwhosts/icmp-types
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
 #var/ipfire/fwlogs/ipsettings
 #var/ipfire/fwlogs/portsettings
 var/ipfire/general-functions.pl
@@ -188,7 +199,5 @@ var/ipfire/wakeonlan
 var/ipfire/wireless
 #var/ipfire/wireless/config
 #var/ipfire/wireless/settings
-var/ipfire/xtaccess
-#var/ipfire/xtaccess/config
 var/ipfire/firebuild
 etc/system-release

config/rootfiles/common/i586/initscripts

@@ -84,11 +84,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/20-RL-firewall
 etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
-etc/rc.d/init.d/networking/red.up/23-RS-snort
+etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
-etc/rc.d/init.d/networking/red.up/24-RS-qos
+etc/rc.d/init.d/networking/red.up/24-RS-snort
-etc/rc.d/init.d/networking/red.up/25-portfw
+etc/rc.d/init.d/networking/red.up/25-RS-qos
-etc/rc.d/init.d/networking/red.up/26-xtaccess
+etc/rc.d/init.d/networking/red.up/26-portfw
-etc/rc.d/init.d/networking/red.up/27-RS-squid
+etc/rc.d/init.d/networking/red.up/28-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 etc/rc.d/init.d/networking/red.up/40-ipac
 etc/rc.d/init.d/networking/red.up/50-ipsec

config/rootfiles/common/misc-progs

@@ -16,6 +16,7 @@ usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
 usr/local/bin/outgoingfwctrl
+usr/local/bin/forwardfwctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
@@ -23,9 +24,7 @@ usr/local/bin/rebuildroutes
 usr/local/bin/redctrl
 #usr/local/bin/sambactrl
 usr/local/bin/setaliases
-usr/local/bin/setdmzholes
 usr/local/bin/setportfw
-usr/local/bin/setxtaccess
 usr/local/bin/smartctrl
 usr/local/bin/snortctrl
 usr/local/bin/squidctrl

langs/de/cgi-bin/de.pl

@@ -885,6 +885,141 @@
 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
+'forward firewall' 		=> 'Firewall',
+'fwdfw additional'		=> 'Zusätzlich',
+'fwdfw action'			=> 'Aktion',
+'fwdfw menu' 			=> 'Firewall',
+'fwdfw addrule' 		=> 'Neue Regel hinzufügen:',
+'fwdfw addr grp' 		=> 'Adress Gruppen:',
+'fwdfw change'			=> 'Aktualisieren',
+'fwdfw cust addr' 		=> 'Custom Adressen:',
+'fwdfw cust net' 		=> 'Custom Netzwerke:',
+'fwdfw copy'			=> 'Kopieren',
+'fwdfw delete'			=> 'Löschen',
+'fwdfw edit'			=> 'Bearbeiten',
+'fwdfw err nosrc'		=> 'Keine Quelle gewählt.',
+'fwdfw err nosrcip'		=> 'Bitte Quell IP-Adresse angeben.',
+'fwdfw err notgt'		=> 'Kein Ziel gewählt.',
+'fwdfw err notgtip'		=> 'Bitte Ziel IP-Adresse angeben.',
+'fwdfw err prot'		=> 'Quell- und Zielprotokoll müssen gleich sein.',
+'fwdfw err remark'		=> 'Bemerkung enthält ungültige Zeichen.',
+'fwdfw err ruleexists'	=> 'Eine identische Regel existiert bereits.',
+'fwdfw err src_addr'	=> 'Quell-MAC/IP ungültig.',
+'fwdfw err same'		=> 'Quelle und Ziel sind identisch.',
+'fwdfw err samesub'		=> 'Quell und Ziel IP Adresse im selben Subnetz.',
+'fwdfw err srcport'		=> 'Bitte Quellport angeben.',
+'fwdfw err tgtport'		=> 'Bitte Zielport angeben.',
+'fwdfw err tgt_addr'	=> 'Ziel-IP ungültig.',
+'fwdfw err tgt_port'	=> 'Ziel Port ungültig',
+'fwdfw err tgt_mac'		=> 'MAC Adressen können nicht als Ziel defininert werden.',
+'fwdfw err tgt_grp'		=> 'Ziel-Dienstgruppe ist leer.',
+'fwdfw err time'		=> 'Es muss mindestens ein Tag gewählt werden.',
+'fwdfw from'			=> 'Von:',
+'fwdfw hint ip1'		=> 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
+'fwdfw hint ip2'		=> 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+'fwdfw ipsec network'	=> 'IPsec Netzwerke:',
+'fwdfw log rule'		=> 'Log Regel',
+'fwdfw man port'		=> 'Port(s) manuel:',
+'fwdfw moveup'			=> 'Hoch',
+'fwdfw movedown'		=> 'Runter',
+'fwdfw reread'			=> 'Übernehmen',
+'fwdfw rules'			=> 'Regeln',
+'fwdfw rule action' 	=> 'Regel Aktion:',
+'fwdfw rule activate'	=> 'Regel aktivieren',
+'fwdfw source' 			=> 'Quelle',
+'fwdfw sourceip' 		=> 'Quelladresse (MAC, IP oder Netzwerk):',
+'fwdfw std network' 	=> 'Standard Netzwerke:',
+'fwdfw target'			=> 'Ziel',
+'fwdfw targetip'		=> 'Zieladresse (IP oder Netzwerk):',
+'fwdfw till'			=> 'Bis:',
+'fwdfw time'			=> 'Zeitrahmen:',
+'fwdfw timeframe'		=> 'Zeitrahmen hinzufügen',
+'fwdfw toggle'			=> 'Aktivieren oder deaktivieren',
+'fwdfw togglelog'		=> 'Log aktivieren oder deaktivieren',
+'fwdfw use srcport'		=> 'Quellport benutzen',
+'fwdfw use srv'			=> 'Ziel-Dienstport benutzen',
+'fwdfw newrule' 		=> 'Neue Regel',
+'fwdfw wd_mon'			=> 'Mo',
+'fwdfw wd_tue'			=> 'Di',
+'fwdfw wd_wed'			=> 'Mi',
+'fwdfw wd_thu'			=> 'Do',
+'fwdfw wd_fri'			=> 'Fr',
+'fwdfw wd_sat'			=> 'Sa',
+'fwdfw wd_sun'			=> 'So',
+'fwhost addgrp' 		=> 'Gruppe:',
+'fwhost addgrpname'		=> 'Gruppenname:',
+'fwhost addhost' 		=> 'Adresse:',
+'fwhost addnet' 		=> 'Netzwerk:',
+'fwhost addrule' 		=> 'Neue Regel hinzufügen:',
+'fwhost any'			=> 'Alle',
+'fwhost attention'		=> 'ACHTUNG',
+'fwhost back'			=> 'Übernehmen',
+'fwhost blue'			=> 'Blau',
+'fwhost ccdhost'		=> 'OpenVPN Clients:',
+'fwhost ccdnet'			=> 'OpenVPN Netzwerke:',
+'fwhost change'			=> 'Ändern',
+'fwhost changeremark'	=> 'Es wurde nur die Bemerkung angepasst.',
+'fwhost cust addr' 		=> 'Custom Adressen:',
+'fwhost cust grp'		=> 'Custom Gruppen:',
+'fwhost cust net' 		=> 'Custom Netzwerke:',
+'fwhost cust service'	=> 'Custom Dienste:',
+'fwhost cust srvgrp'	=> 'Custom Dienstgruppen',
+'fwhost deleted'		=> 'Gelöscht',
+'fwhost empty'			=> 'Keine Einträge vorhanden',
+'fwhost err addr' 		=> 'IP oder Subnetzmaske ungültig.',
+'fwhost err addrgrp'	=> 'Bitte gruppenname angeben.',
+'fwhost err empty'		=> 'Bitte alle Felder füllen.',
+'fwhost err grpexist'	=> 'Gruppe existiert bereits.',
+'fwhost err groupempty'	=> 'Gewählte Gruppe ist leer.',
+'fwhost err name'		=> 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err name1'		=> 'Name muss gefüllt sein.',
+'fwhost err netexist'	=> 'Ein Netz mit diesem Namen existiert bereits!',
+'fwhost err net' 		=> 'Netzwerk IP existiert bereits',
+'fwhost err mac' 		=> 'MAC Adresse ungültig.',
+'fwhost err hostexist'	=> 'Ein Host mit diesem Namen existiert bereits.',
+'fwhost err hostip' 	=> 'Netz- oder Broadcastadressen sind nicht erlaubt.',
+'fwhost err hostorip' 	=> 'Name oder IP Adresse ungültig.',
+'fwhost err isccdhost'	=> 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdipnet'	=> 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdnet'	=> 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isingrp'	=> 'Dieser Eintrag existiert bereits in der Gruppe.',
+'fwhost err ip'			=> 'IP Addresse ungültig.',
+'fwhost err ipmac'		=> 'IP/MAC Addresse ungültig.',
+'fwhost err ipcheck'	=> 'Diese IP Adresse wird bereits verwendet.',
+'fwhost err ipwithsub'	=> 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
+'fwhost err partofnet'	=> 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.', 
+'fwhost err port'		=> 'Port muss gefüllt sein.',
+'fwhost err remark'		=> 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err srvexist'	=> 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists'	=> 'Ein Service mit diesem Namen existiert bereits.',
+'fwhost err sub32'		=> 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
+'fwhost green'			=> 'Grün',
+'fwhost hosts' 			=> 'Firewall Hosts',
+'fwhost hint'			=> 'Hinweis',
+'fwhost icmptype'		=> 'ICMP-Typ:',
+'fwhost ipadr'			=> 'IP Adresse:',
+'fwhost ip_mac'			=> 'IP/MAC Adresse',
+'fwhost ipsec host'		=> 'IpSec Clients:',
+'fwhost ipsec net'		=> 'IpSec Netzwerke:',
+'fwhost newnet' 		=> 'Netz Einstellungen',
+'fwhost newhost' 		=> 'Adress Einstellungen',
+'fwhost newgrp' 		=> 'Adress Gruppierung',
+'fwhost newservice'		=> 'Dienst Einstellungen',
+'fwhost newservicegrp'	=> 'Dienst Gruppierung',
+'fwhost macwarn'		=> 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+'fwhost menu' 			=> 'Firewall Gruppen',
+'fwhost orange'			=> 'Orange',
+'fwhost ovpn_n2n'		=> 'OpenVPN N-2-N',
+'fwhost port'			=> 'Port(s)',
+'fwhost prot'			=> 'Protokoll',
+'fwhost reset'			=> 'Abbrechen',
+'fwhost services'		=> 'Dienste',
+'fwhost srv_name'		=> 'Dienstname',
+'fwhost stdnet'			=> 'Standard Netzwerke:',
+'fwhost type'			=> 'Typ',
+'fwhost used'			=> 'Benutzt',
+'fwhost wo subnet'		=> '(Ohne Subnetz)',
 'free' => 'Frei',
 'free memory' => 'Freier Speicher   ',
 'free swap' => 'Freier Swap',

langs/en/cgi-bin/en.pl

@@ -910,6 +910,142 @@
 'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
+'forward firewall' 		=> 'Firewall',
+'fwdfw additional'		=> 'Additional',
+'fwdfw action'			=> 'Action',
+'fwdfw menu' 			=> 'Firewall',
+'fwdfw addrule' 		=> 'Add new rule:',
+'fwdfw addr grp' 		=> 'Adress groups:',
+'fwdfw change'			=> 'Update',
+'fwdfw cust addr' 		=> 'Custom addresses:',
+'fwdfw cust net' 		=> 'Custom networks:',
+'fwdfw copy'			=> 'Copy',
+'fwdfw delete'			=> 'Delete',
+'fwdfw edit'			=> 'Edit',
+'fwdfw err nosrc'		=> 'No source selected.',
+'fwdfw err nosrcip'		=> 'Please provide source IP address.',
+'fwdfw err notgt'		=> 'No target selected.',
+'fwdfw err notgtip'		=> 'Please provide target IP address.',
+'fwdfw err prot'		=> 'Source and target protocol have to match.',
+'fwdfw err remark'		=> 'Invalid chars in remark.',
+'fwdfw err ruleexists'	=> 'This rule already exists.',
+'fwdfw err src_addr'	=> 'Invalid source MAC/IP.',
+'fwdfw err same'		=> 'Identical source and target',
+'fwdfw err samesub'		=> 'Source and target IP adress are in same subnet.',
+'fwdfw err srcport'		=> 'Please provide source port.',
+'fwdfw err tgtport'		=> 'Please provide target port.',
+'fwdfw err tgt_addr'	=> 'Invalid target IP-address.',
+'fwdfw err tgt_port'	=> 'Invalid target port',
+'fwdfw err tgt_mac'		=> 'MAC addresses can not be used as target.',
+'fwdfw err tgt_grp'		=> 'Target servicegroup is empty',
+'fwdfw err time'		=> 'You have to define at least one day.',
+'fwdfw from'			=> 'From:',
+'fwdfw hint ip1'		=> 'The last generated rule may never be activated because source and target my be in same subnet.',
+'fwdfw hint ip2'		=> 'Please doublecheck if this rule makes sense: ',
+'fwdfw ipsec network'	=> 'IpSec networks:',
+'fwdfw log rule'		=> 'Log rule',
+'fwdfw man port'		=> 'Port(s) manual:',
+'fwdfw moveup'			=> 'Move up',
+'fwdfw movedown'		=> 'Move down',
+'fwdfw reread'			=> 'Apply',
+'fwdfw rules'			=> 'Rules',
+'fwdfw rule action' 	=> 'Rule action:',
+'fwdfw rule activate'	=> 'Activate rule',
+'fwdfw source' 			=> 'Source',
+'fwdfw sourceip' 		=> 'Source address (MAC, IP or Network):',
+'fwdfw std network' 	=> 'Standard networks:',
+'fwdfw target'			=> 'Target',
+'fwdfw targetip'		=> 'Target address (IP or network):',
+'fwdfw till'			=> 'Till:',
+'fwdfw time'			=> 'Timeframe:',
+'fwdfw timeframe'		=> 'Add timeframe',
+'fwdfw toggle'			=> 'Activate or deactivate',
+'fwdfw togglelog'		=> 'Activate or deactivate logging',
+'fwdfw use srcport'		=> 'Use sourceport',
+'fwdfw use srv'			=> 'Use targetport',
+'fwdfw newrule' 		=> 'New rule',
+'fwdfw wd_mon'			=> 'Mon',
+'fwdfw wd_tue'			=> 'Tue',
+'fwdfw wd_wed'			=> 'Wed',
+'fwdfw wd_thu'			=> 'Thu',
+'fwdfw wd_fri'			=> 'Fri',
+'fwdfw wd_sat'			=> 'Sat',
+'fwdfw wd_sun'			=> 'Sun',
+'fwhost addgrp' 		=> 'Group:',
+'fwhost addgrpname'		=> 'Groupname:',
+'fwhost addhost' 		=> 'Address:',
+'fwhost addnet' 		=> 'Network:',
+'fwhost addrule' 		=> 'Add new rule:',
+'fwhost any'			=> 'Any',
+'fwhost attention'		=> 'ATTENTION',
+'fwhost back'			=> 'commit',
+'fwhost blue'			=> 'Blue',
+'fwhost ccdhost'		=> 'OpenVPN clients:',
+'fwhost ccdnet'			=> 'OpenVPN networks:',
+'fwhost change'			=> 'Modify',
+'fwhost changeremark'	=> 'You just modified the remark!',
+'fwhost cust addr' 		=> 'Custom addresses:',
+'fwhost cust grp'		=> 'Custom groups:',
+'fwhost cust net' 		=> 'Custom networks:',
+'fwhost cust service'	=> 'Custom services:',
+'fwhost cust srvgrp'	=> 'Custom servicegroups',
+'fwhost deleted'		=> 'Deleted',
+'fwhost empty'			=> 'No entries by now',
+'fwhost err addr' 		=> 'Invalid IP or subnet!',
+'fwhost err addrgrp'	=> 'Please provide a groupname!',
+'fwhost err empty'		=> 'Please fill in all fields!',
+'fwhost err grpexist'	=> 'Group already exists!',
+'fwhost err groupempty'	=> 'Selected Group is empty!',
+'fwhost err name'		=> 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err name1'		=> 'Name is empty.',
+'fwhost err netexist'	=> 'A network with this name already exists!',
+'fwhost err net' 		=> 'Network IP already exists',
+'fwhost err mac' 		=> 'MAC address invalid',
+'fwhost err hostexist'	=> 'A host with this name already exists!',
+'fwhost err hostip' 	=> 'Net or broadcast not allowed!',
+'fwhost err hostorip' 	=> 'Name or IP invalid.',
+'fwhost err isccdhost'	=> 'This name is already used by an OpenVPN client!',
+'fwhost err isccdipnet'	=> 'This IP is already used by an OpenVPN network!',
+'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
+'fwhost err isccdnet'	=> 'This name is already used by an OpenVPN Network!',
+'fwhost err isingrp'	=> 'This entry already exists in the group!',
+'fwhost err ip'			=> 'IP address invalid.',
+'fwhost err ipmac'		=> 'IP/MAC address invalid.',
+'fwhost err ipcheck'	=> 'This IP address is already in use!',
+'fwhost err ipwithsub'	=> 'Please provide IP address WITHOUT subnetmask',
+'fwhost err partofnet'	=> 'This network is part of an already existing one!', 
+'fwhost err port'		=> 'Port is empty.',
+'fwhost err remark'		=> 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err srvexist'	=> 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists'	=> 'A Service with this name already exists.',
+'fwhost err sub32'		=> 'Please add single host. This subnet is no network!',
+'fwhost green'			=> 'Green',
+'fwhost hosts' 			=> 'Firewall Hosts',
+'fwhost hint'			=> 'Note',
+'fwhost icmptype'		=> 'ICMP type:',
+'fwhost ipadr'			=> 'IP address:',
+'fwhost ip_mac'			=> 'IP/MAC address',
+'fwhost ipsec host'		=> 'IPsec clients:',
+'fwhost ipsec net'		=> 'IPsec networks:',
+'fwhost netaddress'		=> 'Network address:',
+'fwhost newnet' 		=> 'Network',
+'fwhost newhost' 		=> 'Host',
+'fwhost newgrp' 		=> 'Address grouping',
+'fwhost newservice'		=> 'Service',
+'fwhost newservicegrp'	=> 'Service grouping',
+'fwhost macwarn'		=> 'MAC addresses can not be used as target. Such addresses will be ignored!',
+'fwhost menu' 			=> 'Firewall Groups',
+'fwhost orange'			=> 'Orange',
+'fwhost ovpn_n2n'		=> 'OpenVPN N-2-N',
+'fwhost port'			=> 'Port(s)',
+'fwhost prot'			=> 'Protocol',
+'fwhost reset'			=> 'Cancel',
+'fwhost services'		=> 'Services',
+'fwhost srv_name'		=> 'Servicename',
+'fwhost stdnet'			=> 'Standard networks:',
+'fwhost type'			=> 'Type',
+'fwhost used'			=> 'Used',
+'fwhost wo subnet'		=> '(without subnet)',
 'free' => 'Free',
 'free memory' => 'Free Memory    ',
 'free swap' => 'Free Swap',

lfs/configroot

@@ -50,59 +50,62 @@ $(TARGET) :
 	@$(PREBUILD)
 
 	# Create all directories
-	for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \
+	for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
-			ethernet extrahd/bin fwlogs isdn key langs logging mac main  menu.d modem net-traffic \
+			ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+			ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main  menu.d modem net-traffic \
 			net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
 			outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 			proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
 			updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
-			wakeonlan wireless xtaccess ; do \
+			wakeonlan wireless ; do \
 	        mkdir -p $(CONFIG_ROOT)/$$i; \
 	done
 
 	# Touch empty files
 	for i in auth/users backup/include.user backup/exclude.user \
 	    certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
-	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
 	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
+	    forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
 	    isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
-	    ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+		ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 	    qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
 	    vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
-	        touch $(CONFIG_ROOT)/$$i; \
+	    touch $(CONFIG_ROOT)/$$i; \
 	done
 
 	# Copy initial configfiles
 	cp $(DIR_SRC)/config/cfgroot/header.pl			$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/general-functions.pl	$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/lang.pl			$(CONFIG_ROOT)/
-	cp $(DIR_SRC)/config/cfgroot/countries.pl			$(CONFIG_ROOT)/
+	cp $(DIR_SRC)/config/cfgroot/countries.pl		$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/graphs.pl			$(CONFIG_ROOT)/
 	cp $(DIR_SRC)/config/cfgroot/advoptions-list		$(CONFIG_ROOT)/dhcp/advoptions-list
 	cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl	$(CONFIG_ROOT)/connscheduler/lib.pl
 	cp $(DIR_SRC)/config/cfgroot/connscheduler.conf		$(CONFIG_ROOT)/connscheduler
 	cp $(DIR_SRC)/config/extrahd/*				$(CONFIG_ROOT)/extrahd/bin/
 	cp $(DIR_SRC)/config/cfgroot/sensors-settings		$(CONFIG_ROOT)/sensors/settings
-	cp $(DIR_SRC)/config/menu/*					$(CONFIG_ROOT)/menu.d/
+	cp $(DIR_SRC)/config/menu/*				$(CONFIG_ROOT)/menu.d/
 	cp $(DIR_SRC)/config/cfgroot/modem-defaults		$(CONFIG_ROOT)/modem/defaults
 	cp $(DIR_SRC)/config/cfgroot/modem-settings		$(CONFIG_ROOT)/modem/settings
 	cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl		$(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
-	cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl		$(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+	cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl	$(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
 	cp $(DIR_SRC)/config/cfgroot/nfs-server			$(CONFIG_ROOT)/nfs/nfs-server
-	cp $(DIR_SRC)/config/cfgroot/p2protocols			$(CONFIG_ROOT)/outgoing/p2protocols
+	cp $(DIR_SRC)/config/cfgroot/p2protocols		$(CONFIG_ROOT)/outgoing/p2protocols
-	cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl		$(CONFIG_ROOT)/outgoing/bin/
+	cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl	$(CONFIG_ROOT)/outgoing/bin/
-	cp $(DIR_SRC)/config/outgoingfw/defaultservices		$(CONFIG_ROOT)/outgoing/
+	cp $(DIR_SRC)/config/outgoingfw/defaultservices	$(CONFIG_ROOT)/outgoing/
 	cp $(DIR_SRC)/config/cfgroot/proxy-acl			$(CONFIG_ROOT)/proxy/acl-1.4
-	cp $(DIR_SRC)/config/qos/*					$(CONFIG_ROOT)/qos/bin/
+	cp $(DIR_SRC)/config/qos/*						$(CONFIG_ROOT)/qos/bin/
-	cp $(DIR_SRC)/config/cfgroot/ssh-settings			$(CONFIG_ROOT)/remote/settings
+	cp $(DIR_SRC)/config/cfgroot/ssh-settings		$(CONFIG_ROOT)/remote/settings
-	cp $(DIR_SRC)/config/cfgroot/xtaccess-config		$(CONFIG_ROOT)/xtaccess/config
 	cp $(DIR_SRC)/config/cfgroot/time-settings		$(CONFIG_ROOT)/time/settings
-	cp $(DIR_SRC)/config/cfgroot/logging-settings		$(CONFIG_ROOT)/logging/settings
+	cp $(DIR_SRC)/config/cfgroot/logging-settings	$(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/useragents			$(CONFIG_ROOT)/proxy/advanced
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans
-	cp $(DIR_SRC)/langs/list					$(CONFIG_ROOT)/langs/
+	cp $(DIR_SRC)/langs/list						$(CONFIG_ROOT)/langs/
-
+	cp $(DIR_SRC)/config/forwardfw/rules.pl			$(CONFIG_ROOT)/forward/bin/rules.pl
+	cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl	$(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+	cp $(DIR_SRC)/config/fwhosts/icmp-types			$(CONFIG_ROOT)/fwhosts/icmp-types
 	# Oneliner configfiles
 	echo  "ENABLED=off"		> $(CONFIG_ROOT)/vpn/settings
 	echo  "VPN_DELAYED_START=0"	>>$(CONFIG_ROOT)/vpn/settings
@@ -115,6 +118,14 @@ $(TARGET) :
 	echo  "DROPOUTPUT=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPPORTSCAN=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 
+	# Set outgoingfw.pl executable
+	chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+	
+	# set rules.pl executable
+	chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+	
+
+
 	# Modify variables in header.pl
 	sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
 	    -e "s+VERSION+$(VERSION)+g" \
@@ -140,7 +151,5 @@ $(TARGET) :
 	done
 	chown root:nobody $(CONFIG_ROOT)/dhcpc
 
-	# Set outgoingfw.pl executable
+		
-	chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
-
 	@$(POSTBUILD)

lfs/initscripts

@@ -181,18 +181,17 @@ $(TARGET) :
 	ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
 	ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
 		/etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+	ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+		/etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
 	ln -sf ../../../../../usr/local/bin/snortctrl \
-		/etc/rc.d/init.d/networking/red.up/23-RS-snort
+		/etc/rc.d/init.d/networking/red.up/24-RS-snort
 	ln -sf ../../../../../usr/local/bin/qosctrl \
-		/etc/rc.d/init.d/networking/red.up/24-RS-qos
+		/etc/rc.d/init.d/networking/red.up/25-RS-qos
 	ln -sf ../../../../../usr/local/bin/setportfw \
-		/etc/rc.d/init.d/networking/red.up/25-portfw
+		/etc/rc.d/init.d/networking/red.up/26-portfw
-	ln -sf ../../../../../usr/local/bin/setxtaccess \
-		/etc/rc.d/init.d/networking/red.up/26-xtaccess
 	ln -sf ../../../../../usr/local/bin/dialctrl.pl \
 		/etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
-	ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
+	ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
-	
 	ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
 	ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
 	ln -sf ../../../../../usr/local/bin/dialctrl.pl \

src/initscripts/init.d/firewall

@@ -195,6 +195,14 @@ case "$1" in
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 
+    # Forward Firewall
+    /sbin/iptables -N FORWARDFW
+    /sbin/iptables -A FORWARD -j FORWARDFW
+    
+    # Input Firewall
+    /sbin/iptables -N INPUTFW
+    /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+    
 	# localhost and ethernet.
 	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
@@ -234,17 +242,6 @@ case "$1" in
 
 	iptables_red
 
-	# DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
-	# ORANGE to talk to GREEN / BLUE.
-	/sbin/iptables -N DMZHOLES
-	if [ "$ORANGE_DEV" != "" ]; then
-		/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
-	fi
-
-	# XTACCESS chain, used for external access
-	/sbin/iptables -N XTACCESS
-	/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
 	# PORTFWACCESS chain, used for portforwarding
 	/sbin/iptables -N PORTFWACCESS
 	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS

src/initscripts/init.d/network

@@ -47,9 +47,7 @@ init_networking() {
 #	(exit ${failed})
 #	evaluate_retval
 
-	boot_mesg "Setting up DMZ pinholes"
+	
-	/usr/local/bin/setdmzholes; evaluate_retval
-
 	if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
 		boot_mesg "Setting up wireless firewall rules"
 		/usr/local/bin/wirelessctrl; evaluate_retval

src/misc-progs/Makefile

@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
 COMPILE=$(CC) $(CFLAGS)
 
 PROGS = iowrap
-SUID_PROGS = setdmzholes setportfw setxtaccess \
+SUID_PROGS = setportfw \
 	squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl snortctrl \
 	applejuicectrl rebuildhosts backupctrl \
-	logwatch openvpnctrl outgoingfwctrl \
+	logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
 	wirelessctrl getipstat qosctrl launch-ether-wake \
 	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
 outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 	
+forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+	$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+	
 timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
 launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
-	$(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-
 setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 

src/misc-progs/setdmzholes.c

@@ -1,162 +0,0 @@
-/* SmoothWall helper program - setdmzhole
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
- *
- * (c) Daniel Goscomb, 2001
- * 
- * Modifications and improvements by Lawrence Manning.
- *
- * 10/04/01 Aslak added protocol support
- * This program reads the list of ports to forward and setups iptables
- * and rules in ipmasqadm to enable them.
- * 
- * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $
- * 
- */
-#include "libsmooth.h"
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "setuid.h"
-
-FILE *fwdfile = NULL;
-
-void exithandler(void)
-{
-	if (fwdfile)
-		fclose(fwdfile);
-}
-
-int main(void)
-{
-	int count;
-	char *protocol;
-	char *locip;
-	char *remip;
-	char *remport;
-	char *enabled;
-	char *src_net;
-	char *dst_net;
-	char s[STRING_SIZE];
-	char *result;
-	struct keyvalue *kv = NULL;
-	char orange_dev[STRING_SIZE] = "";
-	char blue_dev[STRING_SIZE] = "";
-	char green_dev[STRING_SIZE] = "";
-	char *idev;
-	char *odev;
-	char command[STRING_SIZE];
-
-	if (!(initsetuid()))
-		exit(1);
-
-	atexit(exithandler);
-
-	kv=initkeyvalues();
-	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
-	{
-		fprintf(stderr, "Cannot read ethernet settings\n");
-		exit(1);
-	}
-
-	if (!findkey(kv, "GREEN_DEV", green_dev))
-	{
-		fprintf(stderr, "Cannot read GREEN_DEV\n");
-		exit(1);
-	}
-	findkey(kv, "BLUE_DEV", blue_dev);
-	findkey(kv, "ORANGE_DEV", orange_dev);
-
-	if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))
-	{
-		fprintf(stderr, "Couldn't open dmzholes settings file\n");
-		exit(1);
-	}
-
-	safe_system("/sbin/iptables -F DMZHOLES");
-
-	while (fgets(s, STRING_SIZE, fwdfile) != NULL)
-	{
-		if (s[strlen(s) - 1] == '\n')
-		        s[strlen(s) - 1] = '\0';
-		result = strtok(s, ",");
-		
-		count = 0;
-		protocol = NULL;
-		locip = NULL; remip = NULL;
-		remport = NULL;
-		enabled = NULL;
-		src_net = NULL;
-		dst_net = NULL;
-		idev = NULL;
-		odev = NULL;
-		
-		while (result)
-		{
-			if (count == 0)
-				protocol = result;
-			else if (count == 1)
-				locip = result;
-			else if (count == 2)
-				remip = result;
-			else if (count == 3)
-				remport = result;
-			else if (count == 4)
-				enabled = result;
-			else if (count == 5)
-				src_net = result;
-			else if (count == 6)
-				dst_net = result;
-			count++;
-			result = strtok(NULL, ",");
-		}
-
-		if (!(protocol && locip && remip && remport && enabled))
-		{
-			fprintf(stderr, "Bad line:\n");
-			break;
-		}
-
-		if (!VALID_PROTOCOL(protocol))
-		{
-			fprintf(stderr, "Bad protocol: %s\n", protocol);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(locip))
-		{
-			fprintf(stderr, "Bad local IP: %s\n", locip);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(remip))
-		{
-			fprintf(stderr, "Bad remote IP: %s\n", remip);
-			exit(1);
-		}
-		if (!VALID_PORT_RANGE(remport))
-		{
-			fprintf(stderr, "Bad remote port: %s\n", remport);
-			exit(1);
-		}
-		
-		if (!src_net) { src_net = strdup ("orange");}
-		if (!dst_net) { dst_net = strdup ("green");}
-		
-		if (!strcmp(src_net, "blue"))   { idev = blue_dev; }
-		if (!strcmp(src_net, "orange")) { idev = orange_dev; }
-		if (!strcmp(dst_net, "blue"))   { odev = blue_dev; }
-		if (!strcmp(dst_net, "green"))  { odev = green_dev; }
-		
-		if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))
-		{
-			char *ctr;
-			/* If remport contains a - we need to change it to a : */
-			if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}
-			memset(command, 0, STRING_SIZE);
-			snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);
-			safe_system(command);
-		}
-	}
-
-	return 0;
-}

src/misc-progs/setxtaccess.c

@@ -1,168 +0,0 @@
-/* SmoothWall helper program - setxtaccess
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
- *
- * (c) Daniel Goscomb, 2001
- * 
- * Modifications and improvements by Lawrence Manning.
- *
- * 10/04/01 Aslak added protocol support
- * 
- * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases
- *
- * 19/04/03 Robert Kerr Fixed root exploit
- *
- * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $
- * 
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "setuid.h"
-
-FILE *ifacefile = NULL;
-FILE *fwdfile = NULL;
-FILE *ipfile = NULL;
-
-void exithandler(void)
-{
-	if (fwdfile)
-		fclose(fwdfile);
-}
-
-int main(void)
-{
-	char iface[STRING_SIZE] = "";
-	char locip[STRING_SIZE] = "";
-	char s[STRING_SIZE] = "";
-	int count;
-	char *protocol;
-	char *destip;
-	char *remip;
-	char *locport;
-	char *enabled;
-	char *information;
-	char *result;
-	char command[STRING_SIZE];
-
-	if (!(initsetuid()))
-		exit(1);
-
-	atexit(exithandler);
-
-	if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
-	{
-		fprintf(stderr, "Couldn't open local ip file\n");
-		exit(1);
-	}
-	if (fgets(locip, STRING_SIZE, ipfile))
-	{
-		if (locip[strlen(locip) - 1] == '\n')
-			locip[strlen(locip) - 1] = '\0';
-	}
-	fclose (ipfile);
-	if (!VALID_IP(locip))
-	{
-		fprintf(stderr, "Bad local IP: %s\n", locip);
-		exit(1);
-	}
-
-	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
-	{
-		fprintf(stderr, "Couldn't open iface file\n");
-		exit(1);
-	}
-	if (fgets(iface, STRING_SIZE, ifacefile))
-	{
-		if (iface[strlen(iface) - 1] == '\n')
-			iface[strlen(iface) - 1] = '\0';
-	}
-		fclose (ifacefile);
-	if (!VALID_DEVICE(iface))
-	{
-		fprintf(stderr, "Bad iface: %s\n", iface);
-		exit(1);
-	}
- 
-	if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))
-	{
-		fprintf(stderr, "Couldn't open xtaccess settings file\n");
-		exit(1);
-	}
-
-	safe_system("/sbin/iptables -F XTACCESS");
-
-	while (fgets(s, STRING_SIZE, fwdfile) != NULL)
-	{
-		if (s[strlen(s) - 1] == '\n')
-			s[strlen(s) - 1] = '\0';
-		count = 0;
-		protocol = NULL;
-		remip = NULL;
-		destip = NULL;
-		locport = NULL;
-		enabled = NULL;
-		information = NULL;
-		result = strtok(s, ",");
-		while (result)
-		{
-			if (count == 0)
-				protocol = result;
-			else if (count == 1)
-				remip = result;
-			else if (count == 2)
-				locport = result;
-			else if (count == 3)
-				enabled = result;
-			else if (count == 4)
-				destip = result;
-			else
-				information = result;
-			count++;
-			result = strtok(NULL, ",");
-		}
-
-		if (!(protocol && remip && locport && enabled))
-			break;
-		
-		if (!VALID_PROTOCOL(protocol))
-		{
-			fprintf(stderr, "Bad protocol: %s\n", protocol);
-			exit(1);
-		}
-		if (!VALID_IP_AND_MASK(remip))
-		{
-			fprintf(stderr, "Bad remote IP: %s\n", remip);
-			exit(1);
-		}
-		if (!VALID_PORT_RANGE(locport))
-		{
-			fprintf(stderr, "Bad local port: %s\n", locport);
-			exit(1);
-		}
-
-                /* check for destination ip in config file. If it's there
-                 * and it's not 0.0.0.0, use it; else use the current
-                 * local ip address. (This makes sure we can use old-style
-                 * config files without the destination ip) */
-		if (!destip || !strcmp(destip, "0.0.0.0"))
-			destip = locip;
-		if (!VALID_IP(destip))
-		{
-			fprintf(stderr, "Bad destination IP: %s\n", remip);
-			exit(1);
-		}
-
-		if (strcmp(enabled, "on") == 0)
-		{
-			memset(command, 0, STRING_SIZE);
-			snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
-	iface, protocol, remip, destip, locport);
-			safe_system(command);
-		}
-	}
-	
-	return 0;
-}