Forward Firewall: build iso with new firewall

config/outgoingfw/defaultservices

@@ -1,34 +0,0 @@
-bootpc,68,tcp&udp,Bootstrap Protocol Client
-bootps,67,tcp&udp,Bootstrap Protocol Server
-domain,53,tcp&udp,Domain Name Server
-echo,7,tcp&udp,Echo
-ftp,21,tcp&udp,File Transfer Control
-ftp-data,20,tcp&udp,File Control Data
-http,80,tcp,Hypertext Transfer Protocol
-https,443,tcp,secure HTTP
-imap,143,tcp,Interactive Mail Access Protocol
-imap3,220,tcp,Interactive Mail Access Protocol v3
-imaps,993,tcp,secure IMAP
-ipfire-https,444,tcp,IPFire HTTPS
-ipfire-ssh,222,tcp&udp,IPFire SSH
-irc,194,tcp&udp,Internet Relay Chat
-ircd,6667,tcp&udp,Internet Relay Chat
-microsoft-ds,445,tcp&udp,Netbios Filesharing
-nameserver,42,tcp&udp,Host Name Server
-netbios-dgm,138,tcp&udp,NETBIOS Datagram Service
-netbios-ns,137,tcp&udp,NETBIOS Name Server
-netbios-ssn,139,tcp&udp,NETBIOS Session Service
-nfs,2049,tcp&udp,Network File System
-ntp,123,udp,Network Time Protocol
-pop3,110,tcp,POP3 Email
-pop3s,995,tcp,secure POP3 Email
-sftp,115,tcp&udp,secure File Transfer Protocol
-smtp,25,tcp,Simple Mail Transfer Protocol
-smtps,465,tcp,secure Simple Mail Transfer Protocol
-snmp,161,tcp&udp,Simple Network Management
-snmptrap,162,udp,SNMP Trap
-ssh,22,tcp&udp,SSH
-telnet,23,tcp&udp,Telnet
-tftp,69,tcp&udp,Trivial File Transfer
-time,37,tcp&udp,Time
-wins,1512,tcp&udp,Windows Internet Name Service

config/outgoingfw/outgoingfw.pl

@@ -1,286 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2011  IPFire Team                                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-
-use strict;
-# enable only the following on debugging purpose
-#use warnings;
-
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-
-my %outfwsettings = ();
-my %checked = ();
-my %selected= () ;
-my %netsettings = ();
-my $errormessage = "";
-my $configentry = "";
-my @configs = ();
-my @configline = ();
-my $p2pentry = "";
-my @p2ps = ();
-my @p2pline = ();
-my $CMD = "";
-my $P2PSTRING = "";
-
-my $DEBUG = 0;
-
-my $configfile = "/var/ipfire/outgoing/rules";
-my $p2pfile = "/var/ipfire/outgoing/p2protocols";
-
-### Values that have to be initialized
-$outfwsettings{'ACTION'} = '';
-$outfwsettings{'VALID'} = 'yes';
-$outfwsettings{'EDIT'} = 'no';
-$outfwsettings{'NAME'} = '';
-$outfwsettings{'SNET'} = '';
-$outfwsettings{'SIP'} = '';
-$outfwsettings{'SPORT'} = '';
-$outfwsettings{'SMAC'} = '';
-$outfwsettings{'DIP'} = '';
-$outfwsettings{'DPORT'} = '';
-$outfwsettings{'PROT'} = '';
-$outfwsettings{'STATE'} = '';
-$outfwsettings{'DISPLAY_DIP'} = '';
-$outfwsettings{'DISPLAY_DPORT'} = '';
-$outfwsettings{'DISPLAY_SMAC'} = '';
-$outfwsettings{'DISPLAY_SIP'} = '';
-$outfwsettings{'POLICY'} = 'MODE0';
-
-my @SOURCE = "";
-my $SOURCE = "";
-my $DESTINATION = "";
-my @PROTO = "";
-my $PROTO = "";
-my $DPORT = "";
-my $DEV = "";
-my $MAC = "";
-my $DO = "";
-my $DAY = "";
-
-# read files
-&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-
-$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`;
-$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`;
-
-open( FILE, "< $configfile" ) or die "Unable to read $configfile";
-@configs = <FILE>;
-close FILE;
-
-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-	$outfwsettings{'STATE'} = "ALLOW";
-	$DO = "RETURN";
-} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
-	$outfwsettings{'STATE'} = "DENY";
-	$DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
-}
-
-### Initialize IPTables
-system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
-system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
-system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");
-
-system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1");
-system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1");
-system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1");
-
-if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
-	&firewall_local_reload();
-	exit 0
-}
-
-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-	$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
-	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-	$CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
-	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-		$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
-	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-		$CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
-	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-}
-
-foreach $configentry (sort @configs)
-{
-	@SOURCE = "";
-	$DESTINATION = "";
-	$PROTO = "";
-	$DPORT = "";
-	$DEV = "";
-	$MAC = "";
-	@configline = split( /\;/, $configentry );
-
-	if ($outfwsettings{'STATE'} eq $configline[0]) {
-		if ($configline[2] eq 'green') {
-			@SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
-			$DEV = $netsettings{'GREEN_DEV'};
-		} elsif ($configline[2] eq 'red') {
-			@SOURCE = ("$netsettings{'RED_IP'}");
-			$DEV = "";
-		} elsif ($configline[2] eq 'blue') {
-			@SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
-			$DEV = $netsettings{'BLUE_DEV'};
-		} elsif ($configline[2] eq 'orange') {
-			@SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
-			$DEV = $netsettings{'ORANGE_DEV'};
-		} elsif ($configline[2] eq 'ipsec') {
-			@SOURCE = "";
-			$DEV = "ipsec+";
-		} elsif ($configline[2] eq 'ovpn') {
-			@SOURCE = "";
-			$DEV = "tun+";
-		} elsif ($configline[2] eq 'ip') {
-			@SOURCE = ("$configline[5]");
-			$DEV = "";
-		} elsif ($configline[2] eq 'mac') {
-			@SOURCE = ("$configline[6]");
-			$DEV = "";
-		} elsif ($configline[2] eq 'all') {
-			@SOURCE = ("0/0");
-			$DEV = "";
-		} else {
-			if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) {
-				@SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`;
-			} elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) {
-				@SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`;
-				$configline[2] = "mac";
-			}
-			$DEV = "";
-		}
-
-		if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
-
-		if ($configline[3] eq 'tcp') {
-			@PROTO = ("tcp");
-		} elsif ($configline[3] eq 'udp') {
-			@PROTO  = ("udp");
-		} elsif ($configline[3] eq 'esp') {
-			@PROTO = ("esp");
-		} elsif ($configline[3] eq 'gre') {
-			@PROTO = ("gre");
-		} else {
-			@PROTO = ("tcp","udp");
-		}
-
-		my $macrule = 0;
-		foreach $PROTO (@PROTO){
-			foreach $SOURCE (@SOURCE) {
-				$SOURCE =~ s/\s//gi;
-
-				if ( $SOURCE eq "" || $configline[1] eq "" ){next;}
-
-				if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){
-					$SOURCE =~ s/[^a-zA-Z0-9]/:/gi;
-					$CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO";
-					$macrule = 1;
-				} else {
-					$CMD = "-s $SOURCE -d $DESTINATION -p $PROTO";
-				}
-
-				 if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) {
-					$DPORT = "$configline[8]";
-					$CMD = "$CMD -m multiport --destination-port $DPORT";
-				 }
-
-				 if ($DEV) {
-					$CMD = "$CMD -i $DEV";
-				}
-
-				if ($configline[17] && $configline[18]) {
-					$DAY = "";
-					if ($configline[10]){$DAY = "Mon,"}
-					if ($configline[11]){$DAY .= "Tue,"}
-					if ($configline[12]){$DAY .= "Wed,"}
-					if ($configline[13]){$DAY .= "Thu,"}
-					if ($configline[14]){$DAY .= "Fri,"}
-					if ($configline[15]){$DAY .= "Sat,"}
-					if ($configline[16]){$DAY .= "Sun"}
-					$CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY";
-				}
-
-				$CMD = "$CMD -o $netsettings{'RED_DEV'}";
-
-				if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) {
-					applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule);
-				} elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) {
-					applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule);
-				}
-
-				applyrule("$CMD -j $DO", $macrule);
-			}
-		}
-	}
-}
-
-### Do the P2P-Stuff here
-open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
-@p2ps = <FILE>;
-close FILE;
-
-$CMD = "-m ipp2p";
-
-foreach $p2pentry (sort @p2ps) {
-	@p2pline = split( /\;/, $p2pentry );
-	if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
-		$DO = "DROP";
-		if ("$p2pline[2]" eq "off") {
-			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-		}
-	} else {
-		$DO = "RETURN";
-		if ("$p2pline[2]" eq "on") {
-			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-		}
-	}
-}
-if ($P2PSTRING) {
-	applyrule("$CMD $P2PSTRING -j $DO", 0);
-}
-
-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-	if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
-		applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0);
-	}
-
-	applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0);
-}
-
-&firewall_local_reload();
-
-sub applyrule($$) {
-	my $cmd = shift;
-	my $macrule = shift;
-
-	system("/sbin/iptables -A OUTGOINGFWMAC $cmd");
-	if ($macrule == 0) {
-		system("/sbin/iptables -A OUTGOINGFW $cmd");
-	}
-}
-
-sub firewall_local_reload() {
-	my $script = "/etc/sysconfig/firewall.local";
-
-	if ( -x $script ) {
-		system("$script reload >/dev/null 2>&1");
-	}
-}

config/rootfiles/common/configroot

@@ -120,7 +120,7 @@ var/ipfire/optionsfw
 var/ipfire/outgoing
 #var/ipfire/outgoing/bin
 #var/ipfire/outgoing/bin/outgoingfw.pl
-var/ipfire/outgoing/defaultservices
+#var/ipfire/outgoing/defaultservices
 #var/ipfire/outgoing/groups
 #var/ipfire/outgoing/groups/ipgroups
 #var/ipfire/outgoing/groups/macgroups

lfs/configroot

@@ -53,7 +53,7 @@ $(TARGET) :
 	for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
 			ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
 			ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main  menu.d modem net-traffic \
-			net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
+			net-traffic/templates nfs optionsfw outgoing/bin \
 			outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 			proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
 			updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
@@ -65,9 +65,9 @@ $(TARGET) :
 	for i in auth/users backup/include.user backup/exclude.user \
 	    certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
 	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
-	    forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
-	    isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
+	    extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
+	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+	    isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
 		ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 	    qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
@@ -93,8 +93,6 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl	$(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
 	cp $(DIR_SRC)/config/cfgroot/nfs-server			$(CONFIG_ROOT)/nfs/nfs-server
 	cp $(DIR_SRC)/config/cfgroot/p2protocols		$(CONFIG_ROOT)/outgoing/p2protocols
-	cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl	$(CONFIG_ROOT)/outgoing/bin/
-	cp $(DIR_SRC)/config/outgoingfw/defaultservices	$(CONFIG_ROOT)/outgoing/
 	cp $(DIR_SRC)/config/cfgroot/proxy-acl			$(CONFIG_ROOT)/proxy/acl-1.4
 	cp $(DIR_SRC)/config/qos/*						$(CONFIG_ROOT)/qos/bin/
 	cp $(DIR_SRC)/config/cfgroot/ssh-settings		$(CONFIG_ROOT)/remote/settings
@@ -118,14 +116,8 @@ $(TARGET) :
 	echo  "DROPOUTPUT=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPPORTSCAN=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 
-	# Set outgoingfw.pl executable
-	chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
-	
 	# set rules.pl executable
 	chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
-	
-
-
 	# Modify variables in header.pl
 	sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
 	    -e "s+VERSION+$(VERSION)+g" \
@@ -142,7 +134,7 @@ $(TARGET) :
 
 	# Language files
 	cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/
-	
+
 	# Configroot permissions
 	chown -R nobody:nobody $(CONFIG_ROOT)
 	chown      root:root   $(CONFIG_ROOT)

src/initscripts/init.d/firewall

@@ -195,14 +195,14 @@ case "$1" in
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 
-    # Forward Firewall
-    /sbin/iptables -N FORWARDFW
-    /sbin/iptables -A FORWARD -j FORWARDFW
-    
-    # Input Firewall
-    /sbin/iptables -N INPUTFW
-    /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
-    
+	# Forward Firewall
+	/sbin/iptables -N FORWARDFW
+	/sbin/iptables -A FORWARD -j FORWARDFW
+
+	# Input Firewall
+	/sbin/iptables -N INPUTFW
+	/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+
 	# localhost and ethernet.
 	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo

src/misc-progs/Makefile

@@ -28,7 +28,7 @@ SUID_PROGS = setportfw \
 	squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl snortctrl \
 	applejuicectrl rebuildhosts backupctrl \
-	logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
+	logwatch openvpnctrl forwardfwctrl \
 	wirelessctrl getipstat qosctrl launch-ether-wake \
 	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -86,13 +86,10 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o
 
 clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-	
-outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
-	$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-	
+
 forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-	
+
 timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 

src/misc-progs/forwardfwctrl.c

@@ -18,7 +18,10 @@ int main(int argc, char *argv[]) {
 	if (!(initsetuid()))
 		exit(1);
 
-	safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl");
-	safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl");
+	if(argc > 1)
+		safe_system("/var/ipfire/forward/bin/rules.pl flush");
+	else
+		safe_system("/var/ipfire/forward/bin/rules.pl");
+	
 	return 0;
 }