diff --git a/config/backup/backup.pl b/config/backup/backup.pl index f9b8302af..28e2dd89e 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -22,7 +22,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; - +use File::Path; my $debug = 1; my @include = ""; my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time); @@ -64,7 +64,72 @@ elsif ($ARGV[0] eq 'restore') { system("cd / && tar -xvz -p -f /tmp/restore.ipf"); #Here some converter scripts to correct old Backups (before core 65) system("/usr/sbin/ovpn-ccd-convert"); -} + #OUTGOINGFW CONVERTER + if( -d "${General::swroot}/outgoing"){ + if( -f "${General::swroot}/forward/config" ){ + unlink("${General::swroot}/forward/config"); + system("touch ${General::swroot}/forward/config"); + chown 99,99,"${General::swroot}/forward/config"; + } + if( -f "${General::swroot}/forward/outgoing" ){ + unlink("${General::swroot}/forward/outgoing"); + system("touch ${General::swroot}/forward/outgoing"); + chown 99,99,"${General::swroot}/forward/outgoing"; + } + unlink("${General::swroot}/fwhosts/customgroups"); + unlink("${General::swroot}/fwhosts/customhosts"); + unlink("${General::swroot}/fwhosts/customgroups"); + unlink("${General::swroot}/fwhosts/customnetworks"); + unlink("${General::swroot}/fwhosts/customservicegrp"); + unlink("${General::swroot}/fwhosts/customnetworks"); + system("touch ${General::swroot}/fwhosts/customgroups"); + system("touch ${General::swroot}/fwhosts/customhosts"); + system("touch ${General::swroot}/fwhosts/customnetworks"); + system("touch ${General::swroot}/fwhosts/customservicegrp"); + #START CONVERTER "OUTGOINGFW" + system("/usr/sbin/convert-outgoingfw"); + chown 99,99,"${General::swroot}/fwhosts/customgroups"; + chown 99,99,"${General::swroot}/fwhosts/customhosts"; + chown 99,99,"${General::swroot}/fwhosts/customnetworks"; + chown 99,99,"${General::swroot}/fwhosts/customservicegrp"; + #START CONVERTER "OUTGOINGFW" + rmtree("${General::swroot}/outgoing"); + } + #XTACCESS CONVERTER + if( -d "${General::swroot}/xtaccess"){ + if( -f "${General::swroot}/forward/input" ){ + unlink("${General::swroot}/forward/input"); + system("touch ${General::swroot}/forward/input"); + } + #START CONVERTER "XTACCESS" + system("/usr/sbin/convert-xtaccess"); + chown 99,99,"${General::swroot}/forward/input"; + rmtree("${General::swroot}/xtaccess"); + } + #DMZ-HOLES CONVERTER + if( -d "${General::swroot}/dmzholes"){ + if( -f "${General::swroot}/forward/dmz" ){ + unlink("${General::swroot}/forward/dmz"); + system("touch ${General::swroot}/forward/dmz"); + } + #START CONVERTER "DMZ-HOLES" + system("/usr/sbin/convert-dmz"); + chown 99,99,"${General::swroot}/forward/dmz"; + rmtree("${General::swroot}/dmzholes"); + } + #PORTFORWARD CONVERTER + if( -d "${General::swroot}/portfw"){ + if( -f "${General::swroot}/forward/nat" ){ + unlink("${General::swroot}/forward/nat"); + system("touch ${General::swroot}/forward/nat"); + } + #START CONVERTER "PORTFW" + system("/usr/sbin/convert-portfw"); + chown 99,99,"${General::swroot}/forward/nat"; + rmtree("${General::swroot}/portfw"); + } + system("/usr/local/bin/forwardfwctrl"); + } elsif ($ARGV[0] eq 'restoreaddon') { if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");} system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]"); diff --git a/config/backup/exclude b/config/backup/exclude index 8103bb9d9..41ae8b576 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,5 +1,7 @@ *.tmp /var/ipfire/ethernet/settings +/var/ipfire/forward/bin/* /var/ipfire/proxy/calamaris/bin/* /var/ipfire/qos/bin/qos.pl /var/ipfire/urlfilter/blacklists/*/*.db +/var/ipfire/forward/bin/* diff --git a/config/backup/include b/config/backup/include index c863a0e56..551b52df2 100644 --- a/config/backup/include +++ b/config/backup/include @@ -15,14 +15,9 @@ /var/ipfire/auth/users /var/ipfire/dhcp/* /var/ipfire/dnsforward/* +/var/ipfire/forward +/var/ipfire/fwhosts /var/ipfire/main/* -/var/ipfire/outgoing/groups -/var/ipfire/outgoing/macgroups -/var/ipfire/outgoing/rules -/var/ipfire/outgoing/p2protocols -/var/ipfire/dmzholes -/var/ipfire/xtaccess -/var/ipfire/portfw /var/ipfire/ovpn /var/ipfire/ppp /var/ipfire/proxy diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 41643d8d7..c592d5d0c 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -39,6 +39,90 @@ sub log $logmessage = $1; system('logger', '-t', $tag, $logmessage); } +sub setup_default_networks +{ + my %netsettings=(); + my $defaultNetworks = shift; + + &readhash("/var/ipfire/ethernet/settings", \%netsettings); + + # Get current defined networks (Red, Green, Blue, Orange) + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0"; + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL"; + + $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN"; + + if ($netsettings{'RED_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'NAME'} = "RED"; + } + if ($netsettings{'ORANGE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE"; + } + + if ($netsettings{'BLUE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE"; + } + + #IPFire himself + $defaultNetworks->{'IPFire'}{'NAME'} = "IPFire"; + + # OpenVPN + if(-e "${General::swroot}/ovpn/settings") + { + my %ovpnSettings = (); + &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings); + + # OpenVPN on Red? + if(defined($ovpnSettings{'DOVPN_SUBNET'})) + { + my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'}); + $sub=&General::iporsubtocidr($sub); + my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'}); + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'ADR'} = $tempovpnsubnet[0]; + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'NAME'} = "OpenVPN-Dyn"; + } + } # end OpenVPN + # IPsec RW NET + if(-e "${General::swroot}/vpn/settings") + { + my %ipsecsettings = (); + &readhash("${General::swroot}/vpn/settings", \%ipsecsettings); + if($ipsecsettings{'RW_NET'} ne '') + { + my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'}); + $sub=&General::iporsubtocidr($sub); + my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'}); + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0]; + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW"; + } + } +} +sub get_aliases +{ + + my $defaultNetworks = shift; + open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + my @current = ; + close(FILE); + my $ctr = 0; + foreach my $line (@current) + { + if ($line ne ''){ + chomp($line); + my @temp = split(/\,/,$line); + if ($temp[2] eq '') { + $temp[2] = "Alias $ctr : $temp[0]"; + } + $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]"; + + $ctr++; + } + } +} sub readhash { diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index c51e882e2..19c0546da 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -602,22 +602,37 @@ sub updatefwhitsgraph { "--color=SHADEA".$color{"color19"}, "--color=SHADEB".$color{"color19"}, "--color=BACK".$color{"color21"}, - "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", - "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", - "CDEF:amount=output,input,newnotsyn,+,+", - "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}), + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), - "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j", - "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}), - "GPRINT:amount:MAX:%8.1lf %sBps", - "GPRINT:amount:AVERAGE:%8.1lf %sBps", - "GPRINT:amount:MIN:%8.1lf %sBps", - "GPRINT:amount:LAST:%8.1lf %sBps\\j", - "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}), + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"), + "GPRINT:output:MAX:%8.1lf %sBps", + "GPRINT:output:AVERAGE:%8.1lf %sBps", + "GPRINT:output:MIN:%8.1lf %sBps", + "GPRINT:output:LAST:%8.1lf %sBps\\j", + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"), + "GPRINT:forward:MAX:%8.1lf %sBps", + "GPRINT:forward:AVERAGE:%8.1lf %sBps", + "GPRINT:forward:MIN:%8.1lf %sBps", + "GPRINT:forward:LAST:%8.1lf %sBps\\j", + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"), + "GPRINT:input:MAX:%8.1lf %sBps", + "GPRINT:input:AVERAGE:%8.1lf %sBps", + "GPRINT:input:MIN:%8.1lf %sBps", + "GPRINT:input:LAST:%8.1lf %sBps\\j", + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSyn"), + "GPRINT:newnotsyn:MAX:%8.1lf %sBps", + "GPRINT:newnotsyn:MIN:%8.1lf %sBps", + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps", + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j", + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}), "GPRINT:portscan:MAX:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:AVERAGE:%8.1lf %sBps", diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 9129c682c..fb5748222 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -149,11 +149,8 @@ sub genmenu { eval `/bin/cat /var/ipfire/menu.d/*.menu`; eval `/bin/cat /var/ipfire/menu.d/*.main`; - if (! blue_used() && ! orange_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'40.dmz'}{'enabled'} = 0; - } if (! blue_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'30.wireless'}{'enabled'} = 0; + $menu->{'05.firewall'}{'subMenu'}->{'60.wireless'}{'enabled'} = 0; } if ( $ethsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $ethsettings{'RED_TYPE'} eq 'STATIC' ) { $menu->{'03.network'}{'subMenu'}->{'70.aliases'}{'enabled'} = 1; diff --git a/config/cfgroot/p2protocols b/config/cfgroot/p2protocols deleted file mode 100644 index 78c610115..000000000 --- a/config/cfgroot/p2protocols +++ /dev/null @@ -1,9 +0,0 @@ -Bittorrent;bit;on; -Edonkey;edk;on; -KaZaA;kazaa;on; -Gnutella;gnu;on; -DirectConnect;dc;on; -Applejuice;apple;on; -WinMX;winmx;on; -SoulSeek;soul;on; -Ares;ares;on; \ No newline at end of file diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 67d9e1905..14dd568c2 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -45,10 +45,11 @@ include "/etc/collectd.precache" - Chain filter INPUT DROP_INPUT - Chain filter FORWARD DROP_OUTPUT Chain filter PSCAN DROP_PScan Chain filter NEWNOTSYN DROP_NEWNOTSYN + Chain filter POLICYFWD DROP_FORWARD + Chain filter POLICYOUT DROP_OUTPUT + Chain filter POLICYIN DROP_INPUT # diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz new file mode 100755 index 000000000..efc4386b4 --- /dev/null +++ b/config/forwardfw/convert-dmz @@ -0,0 +1,193 @@ +#!/usr/bin/perl + +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +# This script converts old dmz holes rules from old firewall # +# to the new one. This is a 2-step process. # +# STEP1: read old config and normalize settings # +# STEP2: check valid ip and save valid rules to new firewall # +# # +############################################################################### +my @current=(); +my @alias=(); +my %configdmz=(); +my %ifaces=(); +my %configfwdfw=(); +require '/var/ipfire/general-functions.pl'; +my $dmzconfig = "${General::swroot}/dmzholes/config"; +my $fwdfwconfig = "${General::swroot}/forward/config"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $field0 = 'ACCEPT'; +my $field1 = 'FORWARDFW'; +my $field2 = ''; #ON or emtpy +my $field3 = ''; #std_net_src or src_addr +my $field4 = ''; #ALL or IP-Address with /32 +my $field5 = ''; #std_net_tgt or tgt_addr +my $field6 = ''; #IP or network name +my $field11 = 'ON'; #use target port +my $field12 = ''; #TCP or UDP +my $field13 = 'All ICMP-Types'; +my $field14 = 'TGT_PORT'; +my $field15 = ''; #Port Number +my $field16 = ''; #remark +my $field26 = '00:00'; +my $field27 = '00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; + + +open(FILE, $dmzconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +#open LOGFILE +open (LOG, ">/var/log/converters/dmz-convert.log") or die $!; +&General::readhash($ifacesettings, \%ifaces); +&General::readhasharray($fwdfwconfig,\%configfwdfw); +&process_rules; +sub process_rules{ + foreach my $line (@current){ + my $now=localtime; + #get values from old configfile + my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); + $h =~ s/\s*\n//gi; + print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + #Now convert values and check ip addresses + $a=uc($a); + $e=uc($e); + $field2=$e if($e eq 'ON'); + #SOURCE IP-check + $b=&check_ip($b); + if (&General::validipandmask($b)){ + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$b); + if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='ORANGE'; + }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='BLUE'; + }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }else{ + print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n"; + next; + } + }else{ + print LOG "$now -> SOURCE IP INVALID. \n\n"; + next; + } + #TARGET IP-check + $c=&check_ip($c); + if (&General::validipandmask($c)){ + my $now=localtime; + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$c); + if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='GREEN'; + }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='BLUE'; + }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }else{ + print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n"; + next; + } + }else{ + print LOG "$now -> TARGET IP INVALID. \n\n"; + next; + } + $field12=$a; + #convert portrange + $d =~ tr/-/:/; + $field15=$d; + $field16=$h; + my $key = &General::findhasharraykey (\%configfwdfw); + foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";} + $configfwdfw{$key}[0] = $field0; + $configfwdfw{$key}[1] = $field1; + $configfwdfw{$key}[2] = $field2; + $configfwdfw{$key}[3] = $field3; + $configfwdfw{$key}[4] = $field4; + $configfwdfw{$key}[5] = $field5; + $configfwdfw{$key}[6] = $field6; + $configfwdfw{$key}[7] = ''; + $configfwdfw{$key}[8] = ''; + $configfwdfw{$key}[9] = ''; + $configfwdfw{$key}[10] = ''; + $configfwdfw{$key}[11] = $field11; + $configfwdfw{$key}[12] = $field12; + $configfwdfw{$key}[13] = $field13; + $configfwdfw{$key}[14] = $field14; + $configfwdfw{$key}[15] = $field15; + $configfwdfw{$key}[16] = $field16; + $configfwdfw{$key}[17] = ''; + $configfwdfw{$key}[18] = ''; + $configfwdfw{$key}[19] = ''; + $configfwdfw{$key}[20] = ''; + $configfwdfw{$key}[21] = ''; + $configfwdfw{$key}[22] = ''; + $configfwdfw{$key}[23] = ''; + $configfwdfw{$key}[24] = ''; + $configfwdfw{$key}[25] = ''; + $configfwdfw{$key}[26] = $field26; + $configfwdfw{$key}[27] = $field27; + $configfwdfw{$key}[28] = $field28; + $configfwdfw{$key}[29] = $field29; + $configfwdfw{$key}[30] = $field30; + $configfwdfw{$key}[31] = $field31; + print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; + } + &General::writehasharray($fwdfwconfig,\%configfwdfw); +close (LOG); +} + +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/32"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw new file mode 100755 index 000000000..bd3305930 --- /dev/null +++ b/config/forwardfw/convert-outgoingfw @@ -0,0 +1,704 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +# This script converts old groups and firewallrules # +# to the new one. This is a 3-step process. # +# STEP1: convert groups ->LOG /var/log/converters # +# STEP2: convert rules ->LOG /var/log/converters # +# STEP3: convert P2P rules # +# # +############################################################################### + +require '/var/ipfire/general-functions.pl'; + +use Socket; +use File::Path; +use File::Copy; + +my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; +my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; +my $outgoingrules = "${General::swroot}/outgoing/rules"; +my $outfwsettings = "${General::swroot}/outgoing/settings"; +my $host = "Converted "; +my $confighosts = "${General::swroot}/fwhosts/customhosts"; +my $confignets = "${General::swroot}/fwhosts/customnetworks"; +my $configgroups = "${General::swroot}/fwhosts/customgroups"; +my $ovpnsettings = "${General::swroot}/ovpn/settings"; +my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; +my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; +my $fwdfwconfig = "${General::swroot}/forward/config"; +my $outfwconfig = "${General::swroot}/forward/outgoing"; +my $fwdfwsettings = "${General::swroot}/forward/settings"; +my @ipgroups = qx(ls $ipgrouppath); +my @macgroups = qx(ls $macgrouppath); +my @hostarray=(); +my %outsettings=(); +my %hosts=(); +my %nets=(); +my %groups=(); +my %settingsovpn=(); +my %configovpn=(); +my %ccdconf=(); +my %fwconfig=(); +my %fwconfigout=(); +my %fwdsettings=(); +my %ownnet=(); +my %ovpnSettings = (); +&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings); +&General::readhash($outfwsettings,\%outsettings); +&General::readhash("${General::swroot}/ethernet/settings", \%ownnet); +#ONLY RUN if /var/ipfire/outgoing exists +if ( -d "/var/ipfire/outgoing"){ + &process_groups; + &process_rules; + &process_p2p; +} +system("/usr/local/bin/forwardfwctrl"); +sub process_groups +{ + if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} + if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");} + open (LOG, ">/var/log/converters/groups-convert.log") or die $!; + #IP Group processing + foreach my $group (@ipgroups){ + my $now=localtime; + chomp $group; + print LOG "\n$now Processing IP-GROUP: $group...\n"; + open (DATEI, "<$ipgrouppath/$group"); + my @zeilen = ; + foreach my $ip (@zeilen){ + chomp($ip); + $ip =~ s/\s//gi; + print LOG "$now Check IP $ip from Group $group "; + my $val=&check_ip($ip); + if($val){ + push(@hostarray,$val.",ip"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n"; + } + $val=''; + } + &new_hostgrp($group,'ip'); + @hostarray=(); + } + $group=''; + @zeilen=(); + @hostarray=(); + #MAC Group processing + foreach my $group (@macgroups){ + chomp $group; + print LOG "\nProcessing MAC-GROUP: $group...\n"; + open (DATEI, "<$macgrouppath/$group"); + my @zeilen = ; + foreach my $mac (@zeilen){ + chomp($mac); + $mac =~ s/\s//gi; + print LOG "$now Checking MAC $mac from group $group "; + #MAC checking + if(&General::validmac($mac)){ + $val=$mac; + } + if($val){ + push(@hostarray,$val.",mac"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n"; + } + $val=''; + } + &new_hostgrp($group,'mac'); + @hostarray=(); + @zeilen=(); + } + close (LOG); +} +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/255.255.255.255"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} +sub new_hostgrp +{ + &General::readhasharray($confighosts,\%hosts); + &General::readhasharray($confignets,\%nets); + &General::readhasharray($configgroups,\%groups); + my $grp=shift; + my $run=shift; + my $name; #"converted" + my $name2; + my $name3; #custom host/custom net + foreach my $adr (@hostarray){ + if($run eq 'ip'){ + my ($ip,$type) = split(",",$adr); + my ($ippart,$subnet) = split("/",$ip); + my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet); + if($byte4 eq '255'){ + print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; + if(!&check_host($ip)){ + my $key = &General::findhasharraykey(\%hosts); + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $ip; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (IP) $ip added to custom hosts\n" + }else{ + print LOG "->Host (IP) $ip already exists in custom hosts\n"; + $name="host "; + $name2=$name.$ippart; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + } + }elsif($byte4 < '255'){ + print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; + if(!&check_net($ippart,$subnet)){ + #Check if this network is one one of IPFire internal networks + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) + { + $name2='GREEN'; + $name3='Standard Network'; + }elsif (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) + { + $name2='ORANGE'; + $name3='Standard Network'; + }elsif (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) + { + $name2='BLUE'; + $name3='Standard Network'; + }elsif ($ippart eq '0.0.0.0') + { + $name2='ALL'; + $name3='Standard Network'; + }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) + { + $name2='OpenVPN-Dyn'; + $name3='Standard Network'; + }else{ + my $netkey = &General::findhasharraykey(\%nets); + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $ippart; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "->Network $ippart/$subnet added to custom networks\n"; + } + }else{ + print LOG "Network $ippart already exists in custom networks\n"; + $name="net "; + $name2=$name.$ippart; + foreach my $key (sort keys %nets){ + if($nets{$key}[0] eq $name2){ + $nets{$key}[4]++; + } + } + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + } + } + if($name2 && !&check_grp($grp,$name2)){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + }elsif($run eq 'mac'){ + #MACRUN + my ($mac,$type) = split(",",$adr); + print LOG "Processing HOST (MAC) $mac\n"; + if(!&check_host($mac)){ + my $key = &General::findhasharraykey(\%hosts); + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $mac; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (MAC) $mac added to custom hosts\n"; + }else{ + print LOG "->Host (MAC) $mac already exists in custom hosts \n"; + $name="host "; + $name2=$name.$mac; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + } + if($name2 && !&check_grp($grp,$name2)){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + } + } + @hostarray=(); + &General::writehasharray($confighosts,\%hosts); + &General::writehasharray($configgroups,\%groups); + &General::writehasharray($confignets,\%nets); + +} +sub check_host +{ + my $ip=shift; + foreach my $key (sort keys %hosts) + { + if($hosts{$key}[2] eq $ip) + { + return 1; + } + } + return 0; +} +sub check_net +{ + my $ip=shift; + my $sub=shift; + foreach my $key (sort keys %nets) + { + if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub) + { + return 1; + } + } + return 0; +} +sub check_grp +{ + my $grp=shift; + my $value=shift; + foreach my $key (sort keys %groups) + { + if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value) + { + return 1; + } + } + return 0; +} +sub process_rules +{ + my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); + #open LOG + if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} + open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; + + &General::readhash($fwdfwsettings,\%fwdsettings); + if ($outsettings{'POLICY'} eq 'MODE1'){ + $fwdsettings{'POLICY'}='MODE1'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='ALLOW'; + $action='ACCEPT'; + }else{ + $fwdsettings{'POLICY'}='MODE2'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='DENY'; + $action='DROP'; + } + &General::writehash($fwdfwsettings,\%fwdsettings); + open (DATEI, "<$outgoingrules"); + my @lines = ; + foreach my $rule (@lines) + { + my $now=localtime; + chomp($rule); + $port=''; + print LOG "$now processing: $rule\n"; + my @configline=(); + @configline = split( /\;/, $rule ); + my @prot=(); + if($configline[0] eq $type){ + #some variables we can use from old config + if($configline[1] eq 'on'){ $active='ON';}else{$active='';} + if($configline[3] eq 'all' && $configline[8] ne ''){ + push(@prot,"TCP"); + push(@prot,"UDP"); + }elsif($configline[3] eq 'all' && $configline[8] eq ''){ + push(@prot,""); + }else{ + push(@prot,$configline[3]); + } + if($configline[4] ne ''){ + $configline[4] =~ s/,/;/g; + $remark = $configline[4]; + }else{$remark = '';} + if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} + if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ + if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ + $time=''; + }else{ + $time='ON'; + } + }else{ + $time='ON'; + } + $time_mon=$configline[10]; + $time_tue=$configline[11]; + $time_wed=$configline[12]; + $time_thu=$configline[13]; + $time_fri=$configline[14]; + $time_sat=$configline[15]; + $time_sun=$configline[16]; + $time_from=$configline[17]; + $time_to=$configline[18]; + ############################################################ + #sourcepart + if ($configline[2] eq 'green') { + $grp1='std_net_src'; + $source='GREEN'; + }elsif ($configline[2] eq 'orange') { + $grp1='std_net_src'; + $source='ORANGE'; + }elsif ($configline[2] eq 'red') { + $grp1='std_net_src'; + $source='IPFire'; + &General::readhash($fwdfwsettings,\%fwdsettings); + $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + &General::writehash($fwdfwsettings,\%fwdsettings); + }elsif ($configline[2] eq 'blue') { + $grp1='std_net_src'; + $source='BLUE'; + }elsif ($configline[2] eq 'ipsec') { + print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; + next; + }elsif ($configline[2] eq 'ovpn') { + print LOG "$now ->Creating networks/groups for OpenVPN...\n"; + &build_ovpn_grp; + $grp1='cust_grp_src'; + $source='ovpn' + }elsif ($configline[2] eq 'ip') { + my $z=&check_ip($configline[5]); + if($z){ + my ($ipa,$subn) = split("/",$z); + $subn=&General::iporsubtocidr($subn); + $grp1='src_addr'; + $source="$ipa/$subn"; + }else{ + print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n"; + next; + } + }elsif ($configline[2] eq 'mac') { + if(&General::validmac($configline[6])){ + $grp1='src_addr'; + $source=$configline[6]; + }else{ + print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n"; + next; + } + }elsif ($configline[2] eq 'all') { + $grp1='std_net_src'; + $source='ALL'; + }else{ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $configline[2]){ + $grp1='cust_grp_src'; + $source=$configline[2]; + } + } + if ($grp1 eq '' || $source eq ''){ + print LOG "$now -> Rule not converted, no valid source recognised\n"; + } + } + ############################################################ + #destinationpart + if($configline[7] ne ''){ + my $address=&check_ip($configline[7]); + if($address){ + my ($dip,$dsub) = split("/",$address); + $dsub=&General::iporsubtocidr($dsub); + $grp2='tgt_addr'; + $target="$dip/$dsub"; + }elsif(!$address){ + my $getwebsiteip=&get_ip_from_domain($configline[7]); + if ($getwebsiteip){ + $grp2='tgt_addr'; + $target=$getwebsiteip; + $remark.=" $configline[7]"; + }else{ + print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n"; + next; + } + } + }else{ + $grp2='std_net_tgt'; + $target='ALL'; + } + if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){ + my @values=(); + my @parts=split(",",$configline[8]); + foreach (@parts){ + $_=~ tr/-/:/; + if (!($_ =~ /^(\d+)\:(\d+)$/)) { + if(&General::validport($_)){ + $useport='ON'; + push (@values,$_); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } + }else{ + my ($a1,$a2) = split(/\:/,$_); + if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ + $useport='ON'; + push (@values,"$a1:$a2"); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } + } + } + $port=join("|",@values); + @values=(); + @parts=(); + } + }else{ + print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; + } + &General::readhasharray($fwdfwconfig,\%fwconfig); + &General::readhasharray($outfwconfig,\%fwconfigout); + my $check; + my $chain; + foreach my $protocol (@prot){ + my $now=localtime; + if ($source eq 'IPFire'){ + $chain='OUTGOINGFW'; + }else{ + $chain='FORWARDFW'; + } + $protocol=uc($protocol); + print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + #Put rules into system.... + ########################### + #check for double rules + foreach my $key (sort keys %fwconfig){ + if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ + $check='on'; + next; + } + } + if($check ne 'on'){ + #increase groupcounter + my $check1; + if($grp1 eq 'cust_grp_src'){ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $source){ + $groups{$key}[4]++; + $check1='on'; + } + } + if($check1 eq 'on'){ + &General::writehasharray($configgroups,\%groups); + } + } + if ($chain eq 'FORWARDFW'){ + my $key = &General::findhasharraykey(\%fwconfig); + $fwconfig{$key}[0] = $action; + $fwconfig{$key}[1] = $chain; + $fwconfig{$key}[2] = $active; + $fwconfig{$key}[3] = $grp1; + $fwconfig{$key}[4] = $source; + $fwconfig{$key}[5] = $grp2; + $fwconfig{$key}[6] = $target; + $fwconfig{$key}[11] = $useport; + $fwconfig{$key}[12] = $protocol; + $fwconfig{$key}[14] = $grp3; + $fwconfig{$key}[15] = $port; + $fwconfig{$key}[16] = $remark; + $fwconfig{$key}[17] = $log; + $fwconfig{$key}[18] = $time; + $fwconfig{$key}[19] = $time_mon; + $fwconfig{$key}[20] = $time_tue; + $fwconfig{$key}[21] = $time_wed; + $fwconfig{$key}[22] = $time_thu; + $fwconfig{$key}[23] = $time_fri; + $fwconfig{$key}[24] = $time_sat; + $fwconfig{$key}[25] = $time_sun; + $fwconfig{$key}[26] = $time_from; + $fwconfig{$key}[27] = $time_to; + $fwconfig{$key}[28] = ''; + $fwconfig{$key}[29] = 'ALL'; + $fwconfig{$key}[30] = ''; + $fwconfig{$key}[31] = 'dnat'; + }else{ + my $key = &General::findhasharraykey(\%fwconfigout); + $fwconfigout{$key}[0] = $action; + $fwconfigout{$key}[1] = $chain; + $fwconfigout{$key}[2] = $active; + $fwconfigout{$key}[3] = $grp1; + $fwconfigout{$key}[4] = $source; + $fwconfigout{$key}[5] = $grp2; + $fwconfigout{$key}[6] = $target; + $fwconfigout{$key}[11] = $useport; + $fwconfigout{$key}[12] = $protocol; + $fwconfigout{$key}[14] = $grp3; + $fwconfigout{$key}[15] = $port; + $fwconfigout{$key}[16] = $remark; + $fwconfigout{$key}[17] = $log; + $fwconfigout{$key}[18] = $time; + $fwconfigout{$key}[19] = $time_mon; + $fwconfigout{$key}[20] = $time_tue; + $fwconfigout{$key}[21] = $time_wed; + $fwconfigout{$key}[22] = $time_thu; + $fwconfigout{$key}[23] = $time_fri; + $fwconfigout{$key}[24] = $time_sat; + $fwconfigout{$key}[25] = $time_sun; + $fwconfigout{$key}[26] = $time_from; + $fwconfigout{$key}[27] = $time_to; + $fwconfigout{$key}[28] = ''; + $fwconfigout{$key}[29] = 'ALL'; + $fwconfigout{$key}[30] = ''; + $fwconfigout{$key}[31] = 'dnat'; + } + &General::writehasharray($fwdfwconfig,\%fwconfig); + &General::writehasharray($outfwconfig,\%fwconfigout); + } + } + @prot=(); + } + close(LOG); + @lines=(); +} +sub get_ip_from_domain +{ + $web=shift; + my $resolvedip; + my $checked; + my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web); + if(@addrs){ + $resolvedip=inet_ntoa($addrs[0]); + return $resolvedip; + } + return; +} +sub build_ovpn_grp +{ + my $now=localtime; + &General::readhasharray($confighosts,\%hosts); + &General::readhasharray($confignets,\%nets); + &General::readhasharray($configgroups,\%groups); + &General::readhasharray($ovpnconfig,\%configovpn); + &General::readhasharray($ccdconfig,\%ccdconf); + &General::readhash($ovpnsettings,\%settingsovpn); + #get ovpn nets + my @ovpnnets=(); + if($settingsovpn{'DOVPN_SUBNET'}){ + my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'}); + push (@ovpnnets,"$net,$subnet,dynamic"); + print LOG "$now ->found dynamic OpenVPN net\n"; + } + foreach my $key (sort keys %ccdconf){ + my ($net,$subnet)=split("/",$ccdconf{$key}[1]); + $subnet=&General::iporsubtodec($subnet); + push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]"); + print LOG "$now ->found OpenVPN static net $net/$subnet\n"; + } + foreach my $key (sort keys %configovpn){ + if ($configovpn{$key}[3] eq 'net'){ + my ($net,$subnet)=split("/",$configovpn{$key}[27]); + push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]"); + print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n"; + } + } + #add ovpn nets to customnetworks/groups + foreach my $line (@ovpnnets){ + my $now=localtime; + my ($net,$subnet,$name) = split(",",$line); + if (!&check_net($net,$subnet)){ + my $netkey = &General::findhasharraykey(\%nets); + $name2=$name."(ovpn)".$net; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $net; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "$now ->added $name2 $net/$subnet to customnetworks\n"; + }else{ + print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; + } + if($name2){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = "ovpn"; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = "Custom Network"; + $groups{$grpkey}[4] = 0; + print LOG "$now ->added $name2 to customgroup ovpn\n"; + } + $name2=''; + } + @ovpnnets=(); + &General::writehasharray($confighosts,\%hosts); + &General::writehasharray($configgroups,\%groups); + &General::writehasharray($confignets,\%nets); + print LOG "$now ->finished OVPN\n"; +} +sub process_p2p +{ + copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols"); + chmod oct('0777'), '/var/ipfire/forward/p2protocols'; +} diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw new file mode 100755 index 000000000..a37383e31 --- /dev/null +++ b/config/forwardfw/convert-portfw @@ -0,0 +1,158 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +# This script converts old portforwarding rules from old Firewall # +# to the new one. This is a 3-step process. # +# STEP1: read old config and normalize settings # +# STEP2: create new rules from old ones # +# STEP3: check if rule already exists, when not, put it into # +# /var/ipfire/forward/nat # +############################################################################### +require '/var/ipfire/general-functions.pl'; +my @values=(); +my @built_rules=(); +my %nat=(); +my $portfwconfig = "${General::swroot}/portfw/config"; +my $confignat = "${General::swroot}/forward/config"; +my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); +my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); +my $count=0; +my $jump; +if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} +open(FILE, $portfwconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +open (LOG, ">/var/log/converters/portfw-convert.log") or die $!; +open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; +my @alias = ; +close(ALIAS); +&get_config; +&build_rules; +&write_rules; +sub get_config +{ + print LOG "STEP 1: Get config from old portforward\n#########################################\n"; + foreach my $line (@current){ + if($jump eq '1'){ + $jump=''; + $count++; + next; + } + my $u=$count+1; + ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); + ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); + if ($flag1 eq '1'){ + $source=$source1; + $jump='1'; + } + my $now=localtime; + chomp($remark); + print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; + push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); + $count++; + } +} +sub build_rules +{ + print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n"; + my $src; + my $src1; + my $ipfireip; + my $count=0; + my $stop; + #build rules for new firewall + foreach my $line (@values){ + chomp ($line); + ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line); + $count++; + #get sourcepart + if($source eq '0.0.0.0/0'){ + $src = 'std_net_src'; + $src1 = 'ALL'; + }else{ + $src = 'src_addr'; + my ($a,$b) = split("/",$source); + $src1 = $a."/32"; + } + #get ipfire ip + if($alias eq '0.0.0.0'){ + $alias='ALL'; + }else{ + foreach my $ali (@alias){ + my ($alias_ip,$alias_active,$alias_name) = split (",",$ali); + if($alias eq $alias_ip){ + chomp($alias_name); + $alias=$alias_name; + } + } + } + $active = uc $active; + $prot = uc $prot; + chomp($remark); + push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); + my $now=localtime; + print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; + } +} +sub write_rules +{ + my $skip=''; + my $id; + print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n"; + &General::readhasharray($confignat,\%nat); + foreach my $line (@built_rules){ + $skip=''; + my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line); + foreach my $key (sort keys %nat){ + if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){ + my $now=localtime; + print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n"; + $skip='1'; + } + } + if ($skip ne '1'){ + $id = &General::findhasharraykey(\%nat); + $nat{$id}[0] = $action; + $nat{$id}[1] = $chain; + $nat{$id}[2] = $active; + $nat{$id}[3] = $src; + $nat{$id}[4] = $src1; + $nat{$id}[5] = $tgt; + $nat{$id}[6] = $tgt1; + $nat{$id}[11] = $use_prot; + $nat{$id}[12] = $prot; + $nat{$id}[13] = $dummy; + $nat{$id}[14] = $tgt_port; + $nat{$id}[15] = $tgt_port1; + $nat{$id}[16] = $remark; + $nat{$id}[26] = $from; + $nat{$id}[27] = $to; + $nat{$id}[28] = $use_port; + $nat{$id}[29] = $alias; + $nat{$id}[30] = $ipfireport; + $nat{$id}[31] = $dnat; + my $now=localtime; + print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n"; + } + } + &General::writehasharray($confignat,\%nat); +} +close (LOG); diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess new file mode 100755 index 000000000..d86c445af --- /dev/null +++ b/config/forwardfw/convert-xtaccess @@ -0,0 +1,141 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +#This script converts old xtaccess rules to new firewall # +#Logfiles are created under /var/log/converters # +# # +############################################################################### +my @current=(); +my @alias=(); +my %configinputfw=(); +require '/var/ipfire/general-functions.pl'; +my $xtaccessconfig = "${General::swroot}/xtaccess/config"; +my $inputfwconfig = "${General::swroot}/forward/input"; +my $aliasconfig = "${General::swroot}/ethernet/aliases"; +my $field0='ACCEPT'; +my $field1='INPUTFW'; +my $field2=''; #ON or emtpy +my $field3=''; #std_net_src or src_addr +my $field4=''; #ALL or IP-Address with /32 +my $field5='ipfire'; +my $field6=''; #Default IP or alias name +my $field11='ON'; #use target port +my $field12=''; #TCP or UDP +my $field13='All ICMP-Types'; +my $field14='TGT_PORT'; +my $field15=''; #Port Number +my $field16=''; #remark +my $field26='00:00'; +my $field27='00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; +open(FILE, $xtaccessconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +open(FILE1, $aliasconfig) or die 'Unable to open config file.'; +my @alias = ; +close(FILE1); +&General::readhasharray($inputfwconfig,\%configinputfw); + +foreach my $line (@current){ + my ($a,$b,$c,$d,$e,$f) = split (",",$line); + $e =~ s/\R//g; + if ($f gt ''){ + $f =~ s/\R//g; + $field16=$f; + } + #active or not + $field2=uc($d); + #get protocol + if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';} + #check source address + if ($b eq '0.0.0.0/0'){ + $field3='std_net_src'; + $field4='ALL'; + }elsif($b =~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $field3='src_addr'; + $field4=$b."/32"; + }elsif ($b =~ /^(.*?)\/(.*?)$/) { + $field3='src_addr'; + $field4=$b; + }else{ + print "Regel konnte nicht konvertiert werden!\n"; + } + #check ipfire address + if ($e eq '0.0.0.0'){ + $field6 = 'RED1'; + }else{ + foreach my $line (@alias){ + my ($ip,$state,$aliasname) = split (",",$line); + if ($ip eq $e){ + $aliasname =~ s/\R//g; + $field6 = $aliasname; + } + } + } + #get target port + $c=~ s/\R//g; + $c=~ tr/-/:/; + if ($c =~ /^(\D)\:(\d+)$/) { + $c = "1:$2"; + } + if ($c =~ /^(\d+)\:(\D)$/) { + $c = "$1:65535"; + } + $field15=$c; + my $key = &General::findhasharraykey (\%configinputfw); + foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";} + $configinputfw{$key}[0] = $field0; + $configinputfw{$key}[1] = $field1; + $configinputfw{$key}[2] = $field2; + $configinputfw{$key}[3] = $field3; + $configinputfw{$key}[4] = $field4; + $configinputfw{$key}[5] = $field5; + $configinputfw{$key}[6] = $field6; + $configinputfw{$key}[7] = ''; + $configinputfw{$key}[8] = ''; + $configinputfw{$key}[9] = ''; + $configinputfw{$key}[10] = ''; + $configinputfw{$key}[11] = $field11; + $configinputfw{$key}[12] = $field12; + $configinputfw{$key}[13] = $field13; + $configinputfw{$key}[14] = $field14; + $configinputfw{$key}[15] = $field15; + $configinputfw{$key}[16] = $field16; + $configinputfw{$key}[17] = ''; + $configinputfw{$key}[18] = ''; + $configinputfw{$key}[19] = ''; + $configinputfw{$key}[20] = ''; + $configinputfw{$key}[21] = ''; + $configinputfw{$key}[22] = ''; + $configinputfw{$key}[23] = ''; + $configinputfw{$key}[24] = ''; + $configinputfw{$key}[25] = ''; + $configinputfw{$key}[26] = $field26; + $configinputfw{$key}[27] = $field27; + $configinputfw{$key}[28] = $field28; + $configinputfw{$key}[29] = $field29; + $configinputfw{$key}[30] = $field30; + $configinputfw{$key}[31] = $field31; + &General::writehasharray($inputfwconfig,\%configinputfw); +} diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl new file mode 100755 index 000000000..f1e8403da --- /dev/null +++ b/config/forwardfw/firewall-lib.pl @@ -0,0 +1,256 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; +no warnings 'uninitialized'; + +package fwlib; + +my %customnetwork=(); +my %customhost=(); +my %customgrp=(); +my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %ccdhost=(); +my %ipsecconf=(); +my %ipsecsettings=(); +my %netsettings=(); +my %ovpnsettings=(); + +require '/var/ipfire/general-functions.pl'; + +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $val; +my $field; + +&General::readhash("/var/ipfire/ethernet/settings", \%netsettings); +&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings); +&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings); + + +&General::readhasharray("$confignet", \%customnetwork); +&General::readhasharray("$confighost", \%customhost); +&General::readhasharray("$configgrp", \%customgrp); +&General::readhasharray("$configccdnet", \%ccdnet); +&General::readhasharray("$configccdhost", \%ccdhost); +&General::readhasharray("$configipsec", \%ipsecconf); +&General::readhasharray("$configsrv", \%customservice); +&General::readhasharray("$configsrvgrp", \%customservicegrp); + +sub get_srv_prot +{ + my $val=shift; + foreach my $key (sort {$a <=> $b} keys %customservice){ + if($customservice{$key}[0] eq $val){ + if ($customservice{$key}[0] eq $val){ + return $customservice{$key}[2]; + } + } + } +} +sub get_srvgrp_prot +{ + my $val=shift; + my @ips=(); + my $tcp; + my $udp; + my $icmp; + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ + $tcp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ + $udp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){ + $icmp=1; + } + } + } + if ($tcp eq '1'){push (@ips,'TCP');} + if ($udp eq '1'){push (@ips,'UDP');} + if ($icmp eq '1'){push (@ips,'ICMP');} + my $back=join(",",@ips); + return $back; + +} + + +sub get_srv_port +{ + my $val=shift; + my $field=shift; + my $prot=shift; + foreach my $key (sort {$a <=> $b} keys %customservice){ + if($customservice{$key}[0] eq $val){ + if($customservice{$key}[2] eq $prot){ + return $customservice{$key}[$field]; + } + } + } +} +sub get_srvgrp_port +{ + my $val=shift; + my $prot=shift; + my $back; + my $value; + my @ips=(); + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if ($prot ne 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); + }elsif ($prot eq 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],3,$prot); + } + push (@ips,$value) if ($value ne '') ; + } + } + if($prot ne 'ICMP'){ + if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} + }elsif ($prot eq 'ICMP'){ + $back="--icmp-type "; + } + + $back.=join(",",@ips); + return $back; +} +sub get_ipsec_net_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ipsec_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ovpn_n2n_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_net_ip +{ + + my $val=shift; + my $field=shift; + foreach my $key (sort {$a <=> $b} keys %ccdnet){ + if($ccdnet{$key}[0] eq $val){ + return $ccdnet{$key}[$field]; + } + } +} +sub get_grp_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort {$a <=> $b} keys %customgrp){ + if ($customgrp{$key}[0] eq $val){ + &get_address($customgrp{$key}[3],$src); + } + } + +} +sub get_std_net_ip +{ + my $val=shift; + my $con=shift; + if ($val eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + }elsif($val eq 'GREEN'){ + return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + }elsif($val eq 'ORANGE'){ + return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + }elsif($val eq 'BLUE'){ + return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + }elsif($val eq 'RED'){ + return "0.0.0.0/0 -o $con"; + }elsif($val =~ /OpenVPN/i){ + return "$ovpnsettings{'DOVPN_SUBNET'}"; + }elsif($val =~ /IPsec/i){ + return "$ipsecsettings{'RW_NET'}"; + }elsif($val eq 'IPFire'){ + return ; + } +} +sub get_net_ip +{ + my $val=shift; + foreach my $key (sort {$a <=> $b} keys %customnetwork){ + if($customnetwork{$key}[0] eq $val){ + return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; + } + } +} +sub get_host_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort {$a <=> $b} keys %customhost){ + if($customhost{$key}[0] eq $val){ + if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ + return "-m mac --mac-source $customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){ + return "none"; + } + } + } +} + +return 1; diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy new file mode 100755 index 000000000..0fcfaa471 --- /dev/null +++ b/config/forwardfw/firewall-policy @@ -0,0 +1,91 @@ +#!/bin/sh + +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) + +iptables -F POLICYFWD +iptables -F POLICYOUT +iptables -F POLICYIN + +if [ -f "/var/ipfire/red/iface" ]; then + IFACE=`cat /var/ipfire/red/iface` +fi + +#FORWARDFW +if [ "$POLICY" == "MODE1" ]; then + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + fi +else + if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then + /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP + fi + /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP + /sbin/iptables -A POLICYFWD -j ACCEPT + /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP +fi + +#OUTGOINGFW +if [ "$POLICY1" == "MODE1" ]; then + if [ "$FWPOLICY1" == "REJECT" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY1" == "DROP" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + fi +else + /sbin/iptables -A POLICYOUT -j ACCEPT + /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP +fi +#INPUT +if [ "$FWPOLICY2" == "REJECT" ]; then + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" + fi + /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" +fi +if [ "$FWPOLICY2" == "DROP" ]; then + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + fi + /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" +fi + +exit 0 diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols new file mode 100644 index 000000000..700058126 --- /dev/null +++ b/config/forwardfw/p2protocols @@ -0,0 +1,9 @@ +Applejuice;apple;off; +Ares;ares;off; +Bittorrent;bit;off; +DirectConnect;dc;off; +Edonkey;edk;off; +Gnutella;gnu;off; +KaZaA;kazaa;off; +SoulSeek;soul;off; +WinMX;winmx;off; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl new file mode 100755 index 000000000..370b7ecfb --- /dev/null +++ b/config/forwardfw/rules.pl @@ -0,0 +1,610 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; +use Time::Local; +no warnings 'uninitialized'; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +my %fwdfwsettings=(); +my %defaultNetworks=(); +my %configfwdfw=(); +my %color=(); +my %icmptypes=(); +my %ovpnSettings=(); +my %customgrp=(); +our %sourcehash=(); +our %targethash=(); +my @timeframe=(); +my %configinputfw=(); +my %configoutgoingfw=(); +my %confignatfw=(); +my %aliases=(); +my @DPROT=(); +my @p2ps=(); +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/forward/bin/firewall-lib.pl"; + +my $configfwdfw = "${General::swroot}/forward/config"; +my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $p2pfile = "${General::swroot}/forward/p2protocols"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $netsettings = "${General::swroot}/ethernet/settings"; +my $errormessage=''; +my $orange; +my $green; +my $blue; +my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); +my $CHAIN="FORWARDFW"; +my $conexists='off'; +my $command = 'iptables -A'; +my $dnat=''; +my $snat=''; +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhash("$netsettings", \%defaultNetworks); +&General::readhasharray($configfwdfw, \%configfwdfw); +&General::readhasharray($configinput, \%configinputfw); +&General::readhasharray($configoutgoing, \%configoutgoingfw); +&General::readhasharray($configgrp, \%customgrp); +&General::get_aliases(\%aliases); + +#check if we have an internetconnection +open (CONN,"/var/ipfire/red/iface"); +my $con = ; +close(CONN); +if (-f "/var/ipfire/red/active"){ + $conexists='on'; +} +open (CONN1,"/var/ipfire/red/local-ipaddress"); +my $redip = ; +close(CONN1); +################################ +# DEBUG/TEST # +################################ +my $MODE=0; # 0 - normal operation + # 1 - print configline and rules to console + # +################################ +my $param=shift; + +if($param eq 'flush'){ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; +}else{ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; + if ($MODE eq '1'){ + print " Preparing rules...\n"; + } + &preparerules; + if($MODE eq '0'){ + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + &p2pblock; + system ("/usr/sbin/firewall-policy"); + }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ + &p2pblock; + system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); + system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); + } + } +} +sub flush +{ + system ("iptables -F FORWARDFW"); + system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); + system ("iptables -t nat -F NAT_DESTINATION"); + system ("iptables -t nat -F NAT_SOURCE"); +} +sub preparerules +{ + if (! -z "${General::swroot}/forward/config"){ + &buildrules(\%configfwdfw); + } + if (! -z "${General::swroot}/forward/input"){ + &buildrules(\%configinputfw); + } + if (! -z "${General::swroot}/forward/outgoing"){ + &buildrules(\%configoutgoingfw); + } +} +sub buildrules +{ + my $hash=shift; + my $STAG; + my $natip; + my $snatport; + my $fireport; + my $nat; + my $fwaccessdport; + my $natchain; + foreach my $key (sort {$a <=> $b} keys %$hash){ + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); + if ($$hash{$key}[28] eq 'ON'){ + $command='iptables -t nat -A'; + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); + if($$hash{$key}[31] eq 'dnat'){ + $nat='DNAT'; + if ($$hash{$key}[30] =~ /\|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } + }else{ + $nat='SNAT'; + } + } + $STAG=''; + if($$hash{$key}[2] eq 'ON'){ + #get source ip's + if ($$hash{$key}[3] eq 'cust_grp_src'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[4]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); + } + } + }else{ + &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); + } + #get target ip's + if ($$hash{$key}[5] eq 'cust_grp_tgt'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[6]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); + } + } + }elsif($$hash{$key}[5] eq 'ipfire' ){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $targethash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($$hash{$key}[6] eq $alias){ + $targethash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + }else{ + &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); + } + ##get source prot and port + $SRC_TGT='SRC'; + $SPROT = &get_prot($hash,$key); + $SPORT = &get_port($hash,$key); + $SRC_TGT=''; + + ##get target prot and port + $DPROT=&get_prot($hash,$key); + + if ($DPROT eq ''){$DPROT=' ';} + @DPROT=split(",",$DPROT); + + #get time if defined + if($$hash{$key}[18] eq 'ON'){ + my ($time1,$time2,$daylight); + my $daylight=$$hash{$key}[28]; + $time1=&get_time($$hash{$key}[26],$daylight); + $time2=&get_time($$hash{$key}[27],$daylight); + if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} + if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} + if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} + if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} + if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} + if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} + if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} + $TIME=join(",",@timeframe); + + $TIMEFROM="--timestart $time1 "; + $TIMETILL="--timestop $time2 "; + $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; + } + if ($MODE eq '1'){ + print "NR:$key "; + foreach my $i (0 .. $#{$$hash{$key}}){ + print "$i: $$hash{$key}[$i] "; + } + print "\n"; + print"##################################\n"; + #print rules to console + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + if ($$hash{$key}[17] eq 'ON'){ + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; + } + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; + } + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + if ($PROT ne '-p ICMP'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + print"\n"; + } + }elsif($MODE eq '0'){ + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + if ($$hash{$key}[17] eq 'ON'){ + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); + } + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); + } + #PROCESS DNAT RULE (Portforward) + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + #PROCESS SNAT RULE + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) + if ($PROT ne '-p ICMP'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + } + } + } + %sourcehash=(); + %targethash=(); + undef $TIME; + undef $TIMEFROM; + undef $TIMETILL; + undef $fireport; + } +} +sub get_nat_ip +{ + my $val=shift; + my $type=shift; + my $result; + if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ + $result=$defaultNetworks{$val.'_ADDRESS'}; + }elsif($val eq 'ALL'){ + $result='-i '.$con; + }elsif($val eq 'Default IP' && $type eq 'dnat'){ + $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; + }else{ + foreach my $al (sort keys %aliases){ + if($val eq $al && $type eq 'dnat'){ + $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; + } + } + } + return $result; +} +sub get_time +{ + my $val=shift; + my $val1=shift; + my $time; + my $minutes; + my $ruletime; + $minutes = &utcmin($val); + $ruletime = $minutes + &time_get_utc($val); + if ($ruletime < 0){$ruletime +=1440;} + if ($ruletime > 1440){$ruletime -=1440;} + $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; + return $time; +} +sub time_get_utc +{ + # Calculates the UTCtime from a given time + my $val=shift; + my @localtime=localtime(time); + my @gmtime=gmtime(time); + my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); + return $diff; +} +sub utcmin +{ + my $ruletime=shift; + my ($hrs,$min) = split(":",$ruletime); + my $newtime = $hrs*60+$min; + return $newtime; +} +sub p2pblock +{ + my $P2PSTRING; + my $DO; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + my $CMD = "-m ipp2p"; + foreach my $p2pentry (sort @p2ps) { + my @p2pline = split( /\;/, $p2pentry ); + if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { + $DO = "ACCEPT"; + if ("$p2pline[2]" eq "on") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + }else { + $DO = "RETURN"; + if ("$p2pline[2]" eq "off") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + } + } + if ($MODE eq 1){ + if($P2PSTRING){ + print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; + } + }else{ + if($P2PSTRING){ + system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); + } + } +} +sub get_address +{ + my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey + my $base2=shift; + my $type=shift; #src or tgt + my $hash; + if ($type eq 'src'){ + $hash=\%sourcehash; + }else{ + $hash=\%targethash; + } + my $key = &General::findhasharraykey($hash); + if($base eq 'src_addr' || $base eq 'tgt_addr' ){ + if (&General::validmac($base2)){ + $$hash{$key}[0] = "-m mac --mac-source $base2"; + }else{ + $$hash{$key}[0] = $base2; + } + }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ + $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); + }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ + $$hash{$key}[0]=&fwlib::get_net_ip($base2); + }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ + $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); + }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ + $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); + }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ + $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); + }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); + }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ + $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + } +} +sub get_prot +{ + my $hash=shift; + my $key=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + return"$$hash{$key}[8]"; + }elsif($$hash{$key}[9] ne ''){ + return"$$hash{$key}[8]"; + }else{ + return "$$hash{$key}[8]"; + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if ($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + return "$$hash{$key}[12]"; + }elsif($$hash{$key}[13] ne ''){ + return "$$hash{$key}[12]"; + }else{ + return "$$hash{$key}[12]"; + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + return &fwlib::get_srv_prot($$hash{$key}[15]); + + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + return &fwlib::get_srvgrp_prot($$hash{$key}[15]); + } + } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[12]"; + } +} +sub get_port +{ + my $hash=shift; + my $key=shift; + my $prot=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + $$hash{$key}[10] =~ s/\|/,/g; + if(index($$hash{$key}[10],",") > 0){ + return "-m multiport --sport $$hash{$key}[10] "; + }else{ + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ + return "--sport $$hash{$key}[10] "; + }else{ + return ":$$hash{$key}[10]"; + } + } + }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + $$hash{$key}[15] =~ s/\|/,/g; + if(index($$hash{$key}[15],",") > 0){ + return "-m multiport --dport $$hash{$key}[15] "; + }else{ + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ + return "--dport $$hash{$key}[15] "; + }else{ + $$hash{$key}[15] =~ s/\:/-/g; + return ":$$hash{$key}[15]"; + } + } + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[13] "; + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + if ($prot ne 'ICMP'){ + if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }else{ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + } + }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ + return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); + }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + if ($prot ne 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + elsif($prot eq 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + } + } +} diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices new file mode 100644 index 000000000..07dd3d2b7 --- /dev/null +++ b/config/fwhosts/customservices @@ -0,0 +1,32 @@ +32,rsync,873,TCP,BLANK,0 +21,IMAPS,993,TCP,BLANK,0 +7,WINS,42,TCP,BLANK,0 +26,LPD,515,TCP,BLANK,0 +17,IRC,194,TCP,BLANK,0 +2,FTP-control,21,TCP,BLANK,0 +1,FTP-data,20,TCP,BLANK,0 +18,HTTPS,443,TCP,BLANK,0 +30,NFS,2049,TCP,BLANK,0 +16,SNMP,161,UDP,BLANK,0 +25,IPP (UDP),631,UDP,BLANK,0 +27,JetDirect,9100,TCP,BLANK,0 +28,LDAP,389,TCP,BLANK,0 +14,NetBIOS Session Service,139,TCP,BLANK,0 +20,FTPS control,990,TCP,BLANK,0 +24,IPP (TCP),631,TCP,BLANK,0 +10,SFTP,115,TCP,BLANK,0 +31,Radius,1812,TCP,BLANK,0 +11,NTP,123,UDP,BLANK,0 +22,POP3S,995,TCP,BLANK,0 +13,NetBIOS Datagram Service,138,TCP,BLANK,0 +23,RDP,3389,TCP,BLANK,0 +29,LDAPS,636,TCP,BLANK,0 +6,Time,37,TCP,BLANK,0 +3,SSH,22,TCP,BLANK,0 +9,POP3,110,TCP,BLANK,0 +12,NetBIOS Name Service,137,TCP,BLANK,0 +15,IMAP,143,TCP,BLANK,0 +8,HTTP,80,TCP,BLANK,0 +4,Telnet,23,UDP,BLANK,0 +19,FTPS data,989,TCP,BLANK,0 +5,SMTP,25,TCP,BLANK,0 diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types new file mode 100755 index 000000000..a9066a89b --- /dev/null +++ b/config/fwhosts/icmp-types @@ -0,0 +1,36 @@ +0,echo-reply,0 +1,destination-unreachable,3 +2,network-unreachable,3/0 +3,host-unreachable,3/1 +4,protocol-unreachable,3/2 +5,port-unreachable,3/3 +6,fragmentation-needed,3/4 +7,source-route-failed,3/5 +8,network-unknown,3/6 +9,host-unknown,3/7 +10,network-prohibited,3/9 +11,host-prohibited,3/10 +12,TOS-network-unreachable,3/11 +13,TOS-host-unreachable,3/12 +14,communication-prohibited,3/13 +15,host-precedence-violation,3/14 +16,precedence-cutoff,3/15 +17,source-quench,4 +18,redirect,5 +19,network-redirect,5/0 +20,host-redirect,5/1 +21,TOS-network-redirect,5/2 +22,TOS-host-redirect,5/3 +23,echo-request,8 +24,router-advertisement,9 +25,router-solicitation,10 +26,time-exceeded,11 +27,ttl-zero-during-transit,11/0 +28,ttl-zero-during-reassembly,11/1 +29,parameter-problem,12 +30,ip-header-bad,12/0 +31,required-option-missing,12/1 +32,timestamp-request,13 +33,timestamp-reply,14 +34,address-mask-request,17 +35,address-mask-reply,18 diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index de28f8e25..2de9e7b08 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu @@ -1,52 +1,40 @@ - $subfirewall->{'10.dnat'} = { - 'caption' => $Lang::tr{'ssport forwarding'}, - 'uri' => '/cgi-bin/portfw.cgi', - 'title' => "$Lang::tr{'ssport forwarding'}", - 'enabled' => 1, - }; - $subfirewall->{'20.xtaccess'} = { - 'caption' => $Lang::tr{'external access'}, - 'uri' => '/cgi-bin/xtaccess.cgi', - 'title' => "$Lang::tr{'external access'}", - 'enabled' => 1, - }; - $subfirewall->{'30.wireless'} = { - 'caption' => $Lang::tr{'blue access'}, - 'uri' => '/cgi-bin/wireless.cgi', - 'title' => "$Lang::tr{'blue access'}", - 'enabled' => 1, - }; - $subfirewall->{'40.dmz'} = { - 'caption' => $Lang::tr{'ssdmz pinholes'}, - 'uri' => '/cgi-bin/dmzholes.cgi', - 'title' => "$Lang::tr{'dmz pinhole configuration'}", - 'enabled' => 1, - }; - $subfirewall->{'50.outgoing'} = { - 'caption' => $Lang::tr{'outgoing firewall'}, - 'uri' => '/cgi-bin/outgoingfw.cgi', - 'title' => "$Lang::tr{'outgoing firewall'}", + $subfirewall->{'10.forward'} = { + 'caption' => $Lang::tr{'fwdfw menu'}, + 'uri' => '/cgi-bin/forwardfw.cgi', + 'title' => "$Lang::tr{'fwdfw menu'}", 'enabled' => 1, }; - $subfirewall->{'51.outgoinggrp'} = { - 'caption' => $Lang::tr{'outgoing firewall groups'}, - 'uri' => '/cgi-bin/outgoinggrp.cgi', - 'title' => "$Lang::tr{'outgoing firewall groups'}", + $subfirewall->{'20.fwhost'} = { + 'caption' => $Lang::tr{'fwhost menu'}, + 'uri' => '/cgi-bin/fwhosts.cgi', + 'title' => "$Lang::tr{'fwhost menu'}", 'enabled' => 1, }; - $subfirewall->{'60.upnp'} = { - 'caption' => 'UPnP', - 'uri' => '/cgi-bin/upnp.cgi', - 'title' => "Universal Plug and Play", - 'enabled' => 0, - }; - $subfirewall->{'60.optingsfw'} = { + $subfirewall->{'30.optionsfw'} = { 'caption' => $Lang::tr{'options fw'}, 'uri' => '/cgi-bin/optionsfw.cgi', 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; - $subfirewall->{'70.iptables'} = { + $subfirewall->{'40.p2p'} = { + 'caption' => 'P2P-Block', + 'uri' => '/cgi-bin/p2p-block.cgi', + 'title' => "P2P-Block", + 'enabled' => 1, + }; + $subfirewall->{'60.wireless'} = { + 'caption' => $Lang::tr{'blue access'}, + 'uri' => '/cgi-bin/wireless.cgi', + 'title' => "$Lang::tr{'blue access'}", + 'enabled' => 1, + }; + $subfirewall->{'70.upnp'} = { + 'caption' => 'UPnP', + 'uri' => '/cgi-bin/upnp.cgi', + 'title' => "Universal Plug and Play", + 'enabled' => 0, + }; + $subfirewall->{'90.iptables'} = { 'caption' => $Lang::tr{'ipts'}, 'uri' => '/cgi-bin/iptables.cgi', 'title' => "$Lang::tr{'ipts'}", diff --git a/config/outgoingfw/defaultservices b/config/outgoingfw/defaultservices deleted file mode 100644 index f2cf47514..000000000 --- a/config/outgoingfw/defaultservices +++ /dev/null @@ -1,34 +0,0 @@ -bootpc,68,tcp&udp,Bootstrap Protocol Client -bootps,67,tcp&udp,Bootstrap Protocol Server -domain,53,tcp&udp,Domain Name Server -echo,7,tcp&udp,Echo -ftp,21,tcp&udp,File Transfer Control -ftp-data,20,tcp&udp,File Control Data -http,80,tcp,Hypertext Transfer Protocol -https,443,tcp,secure HTTP -imap,143,tcp,Interactive Mail Access Protocol -imap3,220,tcp,Interactive Mail Access Protocol v3 -imaps,993,tcp,secure IMAP -ipfire-https,444,tcp,IPFire HTTPS -ipfire-ssh,222,tcp&udp,IPFire SSH -irc,194,tcp&udp,Internet Relay Chat -ircd,6667,tcp&udp,Internet Relay Chat -microsoft-ds,445,tcp&udp,Netbios Filesharing -nameserver,42,tcp&udp,Host Name Server -netbios-dgm,138,tcp&udp,NETBIOS Datagram Service -netbios-ns,137,tcp&udp,NETBIOS Name Server -netbios-ssn,139,tcp&udp,NETBIOS Session Service -nfs,2049,tcp&udp,Network File System -ntp,123,udp,Network Time Protocol -pop3,110,tcp,POP3 Email -pop3s,995,tcp,secure POP3 Email -sftp,115,tcp&udp,secure File Transfer Protocol -smtp,25,tcp,Simple Mail Transfer Protocol -smtps,465,tcp,secure Simple Mail Transfer Protocol -snmp,161,tcp&udp,Simple Network Management -snmptrap,162,udp,SNMP Trap -ssh,22,tcp&udp,SSH -telnet,23,tcp&udp,Telnet -tftp,69,tcp&udp,Trivial File Transfer -time,37,tcp&udp,Time -wins,1512,tcp&udp,Windows Internet Name Service diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl deleted file mode 100644 index 1208567dd..000000000 --- a/config/outgoingfw/outgoingfw.pl +++ /dev/null @@ -1,286 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - - -use strict; -# enable only the following on debugging purpose -#use warnings; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); -my $CMD = ""; -my $P2PSTRING = ""; - -my $DEBUG = 0; - -my $configfile = "/var/ipfire/outgoing/rules"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; - -my @SOURCE = ""; -my $SOURCE = ""; -my $DESTINATION = ""; -my @PROTO = ""; -my $PROTO = ""; -my $DPORT = ""; -my $DEV = ""; -my $MAC = ""; -my $DO = ""; -my $DAY = ""; - -# read files -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`; -$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`; - -open( FILE, "< $configfile" ) or die "Unable to read $configfile"; -@configs = ; -close FILE; - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $outfwsettings{'STATE'} = "ALLOW"; - $DO = "RETURN"; -} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $outfwsettings{'STATE'} = "DENY"; - $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '"; -} - -### Initialize IPTables -system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1"); - -system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1"); - -if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { - &firewall_local_reload(); - exit 0 -} - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } -} - -foreach $configentry (sort @configs) -{ - @SOURCE = ""; - $DESTINATION = ""; - $PROTO = ""; - $DPORT = ""; - $DEV = ""; - $MAC = ""; - @configline = split( /\;/, $configentry ); - - if ($outfwsettings{'STATE'} eq $configline[0]) { - if ($configline[2] eq 'green') { - @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); - $DEV = $netsettings{'GREEN_DEV'}; - } elsif ($configline[2] eq 'red') { - @SOURCE = ("$netsettings{'RED_IP'}"); - $DEV = ""; - } elsif ($configline[2] eq 'blue') { - @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); - $DEV = $netsettings{'BLUE_DEV'}; - } elsif ($configline[2] eq 'orange') { - @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); - $DEV = $netsettings{'ORANGE_DEV'}; - } elsif ($configline[2] eq 'ipsec') { - @SOURCE = ""; - $DEV = "ipsec+"; - } elsif ($configline[2] eq 'ovpn') { - @SOURCE = ""; - $DEV = "tun+"; - } elsif ($configline[2] eq 'ip') { - @SOURCE = ("$configline[5]"); - $DEV = ""; - } elsif ($configline[2] eq 'mac') { - @SOURCE = ("$configline[6]"); - $DEV = ""; - } elsif ($configline[2] eq 'all') { - @SOURCE = ("0/0"); - $DEV = ""; - } else { - if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; - } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`; - $configline[2] = "mac"; - } - $DEV = ""; - } - - if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } - - if ($configline[3] eq 'tcp') { - @PROTO = ("tcp"); - } elsif ($configline[3] eq 'udp') { - @PROTO = ("udp"); - } elsif ($configline[3] eq 'esp') { - @PROTO = ("esp"); - } elsif ($configline[3] eq 'gre') { - @PROTO = ("gre"); - } else { - @PROTO = ("tcp","udp"); - } - - my $macrule = 0; - foreach $PROTO (@PROTO){ - foreach $SOURCE (@SOURCE) { - $SOURCE =~ s/\s//gi; - - if ( $SOURCE eq "" || $configline[1] eq "" ){next;} - - if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){ - $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; - $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; - $macrule = 1; - } else { - $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO"; - } - - if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { - $DPORT = "$configline[8]"; - $CMD = "$CMD -m multiport --destination-port $DPORT"; - } - - if ($DEV) { - $CMD = "$CMD -i $DEV"; - } - - if ($configline[17] && $configline[18]) { - $DAY = ""; - if ($configline[10]){$DAY = "Mon,"} - if ($configline[11]){$DAY .= "Tue,"} - if ($configline[12]){$DAY .= "Wed,"} - if ($configline[13]){$DAY .= "Thu,"} - if ($configline[14]){$DAY .= "Fri,"} - if ($configline[15]){$DAY .= "Sat,"} - if ($configline[16]){$DAY .= "Sun"} - $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; - } - - $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - - if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule); - } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule); - } - - applyrule("$CMD -j $DO", $macrule); - } - } - } -} - -### Do the P2P-Stuff here -open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; -@p2ps = ; -close FILE; - -$CMD = "-m ipp2p"; - -foreach $p2pentry (sort @p2ps) { - @p2pline = split( /\;/, $p2pentry ); - if ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $DO = "DROP"; - if ("$p2pline[2]" eq "off") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } else { - $DO = "RETURN"; - if ("$p2pline[2]" eq "on") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } -} -if ($P2PSTRING) { - applyrule("$CMD $P2PSTRING -j $DO", 0); -} - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - if ( $outfwsettings{'MODE1LOG'} eq 'on' ) { - applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0); - } - - applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0); -} - -&firewall_local_reload(); - -sub applyrule($$) { - my $cmd = shift; - my $macrule = shift; - - system("/sbin/iptables -A OUTGOINGFWMAC $cmd"); - if ($macrule == 0) { - system("/sbin/iptables -A OUTGOINGFW $cmd"); - } -} - -sub firewall_local_reload() { - my $script = "/etc/sysconfig/firewall.local"; - - if ( -x $script ) { - system("$script reload >/dev/null 2>&1"); - } -} diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 9be3581cb..8889b67a7 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1390,9 +1390,11 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dmzholes.cgi +#srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi +srv/web/ipfire/cgi-bin/forwardfw.cgi +srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/gui.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi srv/web/ipfire/cgi-bin/hosts.cgi @@ -1408,12 +1410,12 @@ srv/web/ipfire/cgi-bin/modem.cgi srv/web/ipfire/cgi-bin/netexternal.cgi srv/web/ipfire/cgi-bin/netinternal.cgi srv/web/ipfire/cgi-bin/netother.cgi -srv/web/ipfire/cgi-bin/outgoingfw.cgi -srv/web/ipfire/cgi-bin/outgoinggrp.cgi +#srv/web/ipfire/cgi-bin/outgoingfw.cgi +#srv/web/ipfire/cgi-bin/outgoinggrp.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/p2p-block.cgi srv/web/ipfire/cgi-bin/pakfire.cgi -srv/web/ipfire/cgi-bin/portfw.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/qos.cgi @@ -1432,6 +1434,6 @@ srv/web/ipfire/cgi-bin/wakeonlan.cgi srv/web/ipfire/cgi-bin/webaccess.cgi srv/web/ipfire/cgi-bin/wireless.cgi srv/web/ipfire/cgi-bin/wirelessclient.cgi -srv/web/ipfire/cgi-bin/xtaccess.cgi +#srv/web/ipfire/cgi-bin/xtaccess.cgi srv/web/ipfire/html var/updatecache diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 25fca8db4..1b8fbda00 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -81,11 +81,9 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall -etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl +etc/rc.d/init.d/networking/red.up/22-forwardfwctrl etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos -etc/rc.d/init.d/networking/red.up/25-portfw -etc/rc.d/init.d/networking/red.up/26-xtaccess etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 8965ff70e..32f7d4d56 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -26,8 +26,6 @@ var/ipfire/dhcp #var/ipfire/dhcp/fixleases #var/ipfire/dhcp/settings var/ipfire/dhcpc -var/ipfire/dmzholes -#var/ipfire/dmzholes/config var/ipfire/dns #var/ipfire/dns/settings var/ipfire/dnsforward @@ -47,6 +45,23 @@ var/ipfire/extrahd/partitions var/ipfire/extrahd/scan var/ipfire/extrahd/settings var/ipfire/fwlogs +var/ipfire/forward +var/ipfire/forward/bin/rules.pl +var/ipfire/forward/bin/firewall-lib.pl +var/ipfire/forward/settings +var/ipfire/forward/config +var/ipfire/forward/input +var/ipfire/forward/outgoing +var/ipfire/forward/dmz +var/ipfire/forward/nat +var/ipfire/forward/p2protocols +var/ipfire/fwhosts +var/ipfire/fwhosts/icmp-types +var/ipfire/fwhosts/customhosts +var/ipfire/fwhosts/customnetworks +var/ipfire/fwhosts/customgroups +var/ipfire/fwhosts/customservices +var/ipfire/fwhosts/customservicegrp #var/ipfire/fwlogs/ipsettings #var/ipfire/fwlogs/portsettings var/ipfire/general-functions.pl @@ -105,11 +120,11 @@ var/ipfire/net-traffic #var/ipfire/nfs #var/ipfire/nfs/nfs-server var/ipfire/optionsfw -#var/ipfire/optionsfw/settings -var/ipfire/outgoing +var/ipfire/optionsfw/settings +#var/ipfire/outgoing #var/ipfire/outgoing/bin #var/ipfire/outgoing/bin/outgoingfw.pl -var/ipfire/outgoing/defaultservices +#var/ipfire/outgoing/defaultservices #var/ipfire/outgoing/groups #var/ipfire/outgoing/groups/ipgroups #var/ipfire/outgoing/groups/macgroups @@ -188,7 +203,5 @@ var/ipfire/wakeonlan var/ipfire/wireless #var/ipfire/wireless/config #var/ipfire/wireless/settings -var/ipfire/xtaccess -#var/ipfire/xtaccess/config var/ipfire/firebuild etc/system-release diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 3aca59ece..ca47f807c 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -83,11 +83,9 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall -etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl +etc/rc.d/init.d/networking/red.up/22-forwardfwctrl etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos -etc/rc.d/init.d/networking/red.up/25-portfw -etc/rc.d/init.d/networking/red.up/26-xtaccess etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 8fd9b0bfc..2463ba2aa 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -15,7 +15,8 @@ usr/local/bin/launch-ether-wake usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl -usr/local/bin/outgoingfwctrl +#usr/local/bin/outgoingfwctrl +usr/local/bin/forwardfwctrl usr/local/bin/pakfire usr/local/bin/qosctrl usr/local/bin/rebuildhosts @@ -23,9 +24,6 @@ usr/local/bin/rebuildroutes usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases -usr/local/bin/setdmzholes -usr/local/bin/setportfw -usr/local/bin/setxtaccess usr/local/bin/smartctrl usr/local/bin/snortctrl usr/local/bin/squidctrl diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 1e91b3743..fe6d23a8f 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,6 +109,11 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert +usr/sbin/firewall-policy +usr/sbin/convert-xtaccess +usr/sbin/convert-outgoingfw +usr/sbin/convert-dmz +usr/sbin/convert-portfw #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/config/rootfiles/oldcore/66/filelists/files b/config/rootfiles/oldcore/66/filelists/files index 9d0006f53..821263e05 100644 --- a/config/rootfiles/oldcore/66/filelists/files +++ b/config/rootfiles/oldcore/66/filelists/files @@ -48,6 +48,5 @@ var/ipfire/backup/bin/backup.pl var/ipfire/backup/include var/ipfire/general-functions.pl var/ipfire/langs -var/ipfire/outgoing/bin/outgoingfw.pl var/ipfire/qos/bin/makeqosscripts.pl var/ipfire/updatexlrator/bin/download diff --git a/doc/language_issues.de b/doc/language_issues.de index bbe5e1de7..9f48b8b91 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -45,6 +47,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: apply WARNING: translation string unused: archive not exist @@ -68,6 +71,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute WARNING: translation string unused: ccd err netadr @@ -109,6 +113,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -119,10 +128,16 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: driver +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -149,6 +164,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -158,6 +174,10 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forward firewall +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -166,6 +186,39 @@ WARNING: translation string unused: from email pw WARNING: translation string unused: from email server WARNING: translation string unused: from email user WARNING: translation string unused: from warn email bad +WARNING: translation string unused: fwdfw ACCEPT +WARNING: translation string unused: fwdfw DROP +WARNING: translation string unused: fwdfw MODE1 +WARNING: translation string unused: fwdfw MODE2 +WARNING: translation string unused: fwdfw REJECT +WARNING: translation string unused: fwdfw addr grp +WARNING: translation string unused: fwdfw cust addr +WARNING: translation string unused: fwdfw cust net +WARNING: translation string unused: fwdfw err srcovpn +WARNING: translation string unused: fwdfw err srcport +WARNING: translation string unused: fwdfw err tgt_port +WARNING: translation string unused: fwdfw err tgtovpn +WARNING: translation string unused: fwdfw err tgtport +WARNING: translation string unused: fwdfw from +WARNING: translation string unused: fwdfw ipsec network +WARNING: translation string unused: fwdfw natport used +WARNING: translation string unused: fwdfw rules +WARNING: translation string unused: fwdfw std network +WARNING: translation string unused: fwdfw till +WARNING: translation string unused: fwdfw time +WARNING: translation string unused: fwhost addrule +WARNING: translation string unused: fwhost attention +WARNING: translation string unused: fwhost blue +WARNING: translation string unused: fwhost changeremark +WARNING: translation string unused: fwhost err addrgrp +WARNING: translation string unused: fwhost err hostorip +WARNING: translation string unused: fwhost err mac +WARNING: translation string unused: fwhost green +WARNING: translation string unused: fwhost ipadr +WARNING: translation string unused: fwhost ipsec host +WARNING: translation string unused: fwhost orange +WARNING: translation string unused: fwhost reset +WARNING: translation string unused: fwhost wo subnet WARNING: translation string unused: gen static key WARNING: translation string unused: generate WARNING: translation string unused: genkey @@ -220,6 +273,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -245,6 +299,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -261,6 +316,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -286,6 +342,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -296,7 +353,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -327,6 +393,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -353,7 +421,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -369,15 +439,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -476,13 +554,16 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs +WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes WARNING: untranslated string: community rules WARNING: untranslated string: emerging rules +WARNING: untranslated string: fwhost err hostip WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: qos add subclass diff --git a/doc/language_issues.en b/doc/language_issues.en index 12489577b..328376f35 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute WARNING: translation string unused: ccd err netadr @@ -129,6 +133,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -141,11 +150,17 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -172,6 +187,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -181,6 +197,10 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forward firewall +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -189,6 +209,39 @@ WARNING: translation string unused: from email pw WARNING: translation string unused: from email server WARNING: translation string unused: from email user WARNING: translation string unused: from warn email bad +WARNING: translation string unused: fwdfw ACCEPT +WARNING: translation string unused: fwdfw DROP +WARNING: translation string unused: fwdfw MODE1 +WARNING: translation string unused: fwdfw MODE2 +WARNING: translation string unused: fwdfw REJECT +WARNING: translation string unused: fwdfw addr grp +WARNING: translation string unused: fwdfw cust addr +WARNING: translation string unused: fwdfw cust net +WARNING: translation string unused: fwdfw err srcovpn +WARNING: translation string unused: fwdfw err srcport +WARNING: translation string unused: fwdfw err tgt_port +WARNING: translation string unused: fwdfw err tgtovpn +WARNING: translation string unused: fwdfw err tgtport +WARNING: translation string unused: fwdfw from +WARNING: translation string unused: fwdfw ipsec network +WARNING: translation string unused: fwdfw natport used +WARNING: translation string unused: fwdfw rules +WARNING: translation string unused: fwdfw std network +WARNING: translation string unused: fwdfw till +WARNING: translation string unused: fwdfw time +WARNING: translation string unused: fwhost addrule +WARNING: translation string unused: fwhost attention +WARNING: translation string unused: fwhost blue +WARNING: translation string unused: fwhost changeremark +WARNING: translation string unused: fwhost err addrgrp +WARNING: translation string unused: fwhost err hostorip +WARNING: translation string unused: fwhost err mac +WARNING: translation string unused: fwhost green +WARNING: translation string unused: fwhost ipadr +WARNING: translation string unused: fwhost ipsec host +WARNING: translation string unused: fwhost orange +WARNING: translation string unused: fwhost reset +WARNING: translation string unused: fwhost wo subnet WARNING: translation string unused: g.dtm WARNING: translation string unused: g.lite WARNING: translation string unused: gen static key @@ -246,6 +299,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -271,6 +325,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -287,6 +342,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -313,6 +369,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -323,7 +380,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -354,6 +420,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -381,7 +449,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -400,15 +470,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -511,14 +589,18 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs +WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes +WARNING: untranslated string: fwhost err hostip WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table +WARNING: untranslated string: wlanap country diff --git a/doc/language_issues.es b/doc/language_issues.es index 88666b618..2fafaf180 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart WARNING: translation string unused: check for net traffic update @@ -127,6 +131,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -170,6 +186,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -311,6 +334,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: optional data WARNING: translation string unused: optionsfw portlist hint WARNING: translation string unused: optionsfw warning @@ -318,8 +342,14 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname WARNING: translation string unused: outgoing firewall p2p description +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -377,7 +409,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits @@ -556,6 +599,11 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing WARNING: untranslated string: emerging rules WARNING: untranslated string: fireinfo ipfire version WARNING: untranslated string: fireinfo is disabled @@ -574,6 +622,141 @@ WARNING: untranslated string: fireinfo why descr2 WARNING: untranslated string: fireinfo why enable WARNING: untranslated string: fireinfo why read more WARNING: untranslated string: fireinfo your profile id +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: minute WARNING: untranslated string: new WARNING: untranslated string: openvpn default @@ -595,9 +778,6 @@ WARNING: untranslated string: outgoing firewall ip groups WARNING: untranslated string: outgoing firewall mac groups WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny -WARNING: untranslated string: outgoing firewall p2p description 1 -WARNING: untranslated string: outgoing firewall p2p description 2 -WARNING: untranslated string: outgoing firewall p2p description 3 WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: outgoing firewall view group WARNING: untranslated string: ovpn errmsg green already pushed @@ -618,6 +798,7 @@ WARNING: untranslated string: proxy reports monthly WARNING: untranslated string: proxy reports today WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 6c963aea4..b07e7ff50 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart WARNING: translation string unused: check for net traffic update @@ -127,6 +131,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -170,6 +186,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -311,6 +334,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: optional data WARNING: translation string unused: optionsfw portlist hint WARNING: translation string unused: optionsfw warning @@ -318,7 +342,16 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -349,6 +382,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -376,7 +411,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -395,15 +432,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -498,6 +543,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits @@ -556,6 +602,11 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing WARNING: untranslated string: emerging rules WARNING: untranslated string: fireinfo ipfire version WARNING: untranslated string: fireinfo is disabled @@ -574,6 +625,141 @@ WARNING: untranslated string: fireinfo why descr2 WARNING: untranslated string: fireinfo why enable WARNING: untranslated string: fireinfo why read more WARNING: untranslated string: fireinfo your profile id +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: minute WARNING: untranslated string: new WARNING: untranslated string: ntp common settings @@ -602,6 +788,7 @@ WARNING: untranslated string: proxy reports monthly WARNING: untranslated string: proxy reports today WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 899940424..9e17b91f5 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute WARNING: translation string unused: ccd err netadr @@ -129,6 +133,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -172,6 +188,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -313,6 +336,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -323,7 +347,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -381,7 +416,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -501,6 +546,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits @@ -520,9 +566,150 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 88666b618..2fafaf180 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart WARNING: translation string unused: check for net traffic update @@ -127,6 +131,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -170,6 +186,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -311,6 +334,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: optional data WARNING: translation string unused: optionsfw portlist hint WARNING: translation string unused: optionsfw warning @@ -318,8 +342,14 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname WARNING: translation string unused: outgoing firewall p2p description +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -377,7 +409,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits @@ -556,6 +599,11 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing WARNING: untranslated string: emerging rules WARNING: untranslated string: fireinfo ipfire version WARNING: untranslated string: fireinfo is disabled @@ -574,6 +622,141 @@ WARNING: untranslated string: fireinfo why descr2 WARNING: untranslated string: fireinfo why enable WARNING: untranslated string: fireinfo why read more WARNING: untranslated string: fireinfo your profile id +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: minute WARNING: untranslated string: new WARNING: untranslated string: openvpn default @@ -595,9 +778,6 @@ WARNING: untranslated string: outgoing firewall ip groups WARNING: untranslated string: outgoing firewall mac groups WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny -WARNING: untranslated string: outgoing firewall p2p description 1 -WARNING: untranslated string: outgoing firewall p2p description 2 -WARNING: untranslated string: outgoing firewall p2p description 3 WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: outgoing firewall view group WARNING: untranslated string: ovpn errmsg green already pushed @@ -618,6 +798,7 @@ WARNING: untranslated string: proxy reports monthly WARNING: untranslated string: proxy reports today WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 768bc1294..90d419df8 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart WARNING: translation string unused: check for net traffic update @@ -126,6 +130,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -138,11 +147,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -169,6 +185,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: filename WARNING: translation string unused: firewall graphs @@ -176,6 +193,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload WARNING: translation string unused: from email adr @@ -239,6 +259,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -264,6 +285,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -279,6 +301,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -305,6 +328,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: optional data WARNING: translation string unused: optionsfw portlist hint WARNING: translation string unused: optionsfw warning @@ -312,7 +336,16 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -343,6 +376,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -370,7 +405,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -389,15 +426,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -489,6 +534,7 @@ WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Add a route @@ -549,6 +595,11 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing WARNING: untranslated string: emerging rules WARNING: untranslated string: extrahd because there is already a device mounted WARNING: untranslated string: extrahd cant umount @@ -557,6 +608,141 @@ WARNING: untranslated string: extrahd maybe the device is in use WARNING: untranslated string: extrahd to WARNING: untranslated string: extrahd to root WARNING: untranslated string: extrahd you cant mount +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: incoming traffic in bytes per second WARNING: untranslated string: minute WARNING: untranslated string: new @@ -584,6 +770,7 @@ WARNING: untranslated string: proxy reports monthly WARNING: untranslated string: proxy reports today WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.tr b/doc/language_issues.tr index af1af7b8c..b4f0dfec1 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password @@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute WARNING: translation string unused: ccd err netadr @@ -129,6 +133,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -172,6 +188,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write @@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help @@ -313,6 +336,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -323,7 +347,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe @@ -381,7 +416,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs @@ -505,6 +550,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits @@ -517,8 +563,149 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_missings b/doc/language_missings index 1550f479e..20838cbba 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,13 +5,13 @@ # Checking cgi-bin translations for language: en # ############################################################################ < ccd maxclients +< wlanap country ############################################################################ # Checking install/setup translations for language: fr # ############################################################################ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second @@ -67,6 +67,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < fireinfo ipfire version < fireinfo is disabled < fireinfo is enabled @@ -84,6 +89,174 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < ntp common settings < ntp sync @@ -112,6 +285,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < snort working < static routes @@ -233,7 +407,6 @@ ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second @@ -289,6 +462,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < fireinfo ipfire version < fireinfo is disabled < fireinfo is enabled @@ -306,6 +484,174 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < openvpn default < openvpn destination port used @@ -350,6 +696,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < Set time on boot < static routes @@ -448,7 +795,6 @@ ############################################################################ # Checking cgi-bin translations for language: pl # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second @@ -503,6 +849,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < extrahd because there is already a device mounted < extrahd cant umount < extrahd install or load driver @@ -512,6 +863,174 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < openvpn default < openvpn destination port used @@ -542,6 +1061,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < static routes < tor @@ -639,7 +1159,6 @@ # Checking cgi-bin translations for language: ru # ############################################################################ < Add a route -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second @@ -696,6 +1215,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < Edit an existing route < extrahd because there is already a device mounted < extrahd cant umount @@ -706,7 +1230,175 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< forward firewall < frequency +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < hour-graph < incoming traffic in bytes per second < minute @@ -737,6 +1429,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < static routes < tor diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi deleted file mode 100644 index 5c16f004c..000000000 --- a/html/cgi-bin/dmzholes.cgi +++ /dev/null @@ -1,446 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} ); -undef (@dummy); - -my %cgiparams=(); -my %checked=(); -my %selected=(); -my %netsettings=(); -my $errormessage = ''; -my $filename = "${General::swroot}/dmzholes/config"; - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'REMARK'} = ''; -$cgiparams{'ACTION'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'DEST_IP'} =''; -$cgiparams{'DEST_PORT'} = ''; -&Header::getcgihash(\%cgiparams); - -open(FILE, $filename) or die 'Unable to open config file.'; -my @current = ; -close(FILE); - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; } - unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; } - unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');} - unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - unless ($errormessage) { - $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - unless ($errormessage) - { - if($cgiparams{'EDITING'} eq 'no') { - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { - open(FILE,">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { print FILE "$line"; } - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'dmz pinhole rule added'}); - system('/usr/local/bin/setdmzholes'); - } -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); - &General::log($Lang::tr{'dmz pinhole rule removed'}); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - else - { - chomp($line); - my @temp = split(/\,/,$line); - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n"; - } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'ID'} eq $id) - { - chomp($line); - my @temp = split(/\,/,$line); - $cgiparams{'PROTOCOL'} = $temp[0]; - $cgiparams{'SRC_IP'} = $temp[1]; - $cgiparams{'DEST_IP'} = $temp[2]; - $cgiparams{'DEST_PORT'} = $temp[3]; - $cgiparams{'ENABLED'} = $temp[4]; - $cgiparams{'SRC_NET'} = $temp[5]; - $cgiparams{'DEST_NET'} = $temp[6]; - $cgiparams{'REMARK'} = $temp[7]; - } - } -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_NET'} = 'orange'; - $cgiparams{'DEST_NET'} = 'blue'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_NET'}{'orange'} = ''; -$selected{'SRC_NET'}{'blue'} = ''; -$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'"; - -$selected{'DEST_NET'}{'blue'} = ''; -$selected{'DEST_NET'}{'green'} = ''; -$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -my $buttonText = $Lang::tr{'add'}; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); - $buttonText = $Lang::tr{'update'}; -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} -print < - - - - - - $Lang::tr{'source net'}: - - - - - -   - - $Lang::tr{'destination net'}: - - - - - $Lang::tr{'destination ip or net'}: - - - - - $Lang::tr{'destination port'}:  - - - - - - - - - - - - - -
- $Lang::tr{'remark title'} * - -
- *  - $Lang::tr{'this field may be blank'} - $Lang::tr{'enabled'} - - -
-END -; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - print "\n"; -} else { - print "\n"; -} -&Header::closebox(); -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'net'} -$Lang::tr{'source'} -  -$Lang::tr{'net'} -$Lang::tr{'destination'} -$Lang::tr{'remark'} -  -$Lang::tr{'action'} -END -; - -# Achim Weber: if i add a new rule, this rule is not displayed?!? -# we re-read always config. -# If something has happeened re-read config -#if($cgiparams{'ACTION'} ne '') -#{ - open(FILE, $filename) or die 'Unable to open config file.'; - @current = ; - close(FILE); -#} -my $id = 0; -foreach my $line (@current) -{ - my $protocol=''; - my $gif=''; - my $toggle=''; - my $gdesc=''; - $id++; - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' } - - my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange}; - my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen}; - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { - print "\n"; } - elsif ($id % 2) { - print "\n"; } - else { - print "\n"; } - if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - my $dstprt =$temp[3]; - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[0]))); - if ($servi ne '' && $temp[3] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - # Darren Critchley - If the line is too long, wrap the port numbers - my $dstaddr = "$temp[2] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[2] :
$dstprt"; - } -print <$protocol - -$temp[1] - - -$dstaddr -$temp[7] - - -
- - - - -
- - - -
- - - -
- - - -
- - - -
- - - -END - ; -} -print "\n"; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'click to enable'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -sub validNet -{ - my $srcNet = $_[0]; - my $destNet = $_[1]; - - if ($srcNet eq $destNet) { - return $Lang::tr{'dmzpinholes for same net not necessary'}; } - unless ($srcNet =~ /^(blue|orange)$/) { - return $Lang::tr{'select source net'}; } - unless ($destNet =~ /^(blue|green)$/) { - return $Lang::tr{'select dest net'}; } - - return ''; -} - -sub haveOrangeNet -{ - if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} - -sub haveBlueNet -{ - if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi new file mode 100755 index 000000000..c18f4f41c --- /dev/null +++ b/html/cgi-bin/forwardfw.cgi @@ -0,0 +1,2463 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; +use Sort::Naturally; +no warnings 'uninitialized'; +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; +require "${General::swroot}/forward/bin/firewall-lib.pl"; + +unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/forward"); } +unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); } +unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } +unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } +unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } + +my %fwdfwsettings=(); +my %selected=() ; +my %defaultNetworks=(); +my %netsettings=(); +my %customhost=(); +my %customgrp=(); +my %customnetworks=(); +my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %customnetwork=(); +my %ccdhost=(); +my %configfwdfw=(); +my %configinputfw=(); +my %configoutgoingfw=(); +my %ipsecconf=(); +my %color=(); +my %mainsettings=(); +my %checked=(); +my %icmptypes=(); +my %ovpnsettings=(); +my %ipsecsettings=(); +my %aliases=(); +my %optionsfw=(); +my %ifaces=(); + +my $VERSION='0.9.9.14'; +my $color; +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configipsecrw = "${General::swroot}/vpn/settings"; +my $configfwdfw = "${General::swroot}/forward/config"; +my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $fwoptions = "${General::swroot}/optionsfw/settings"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $errormessage=''; +my $hint=''; +my $ipgrp="${General::swroot}/outgoing/groups"; +my $tdcolor=''; +my $checkorange=''; +my @protocols; +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash($fwoptions, \%optionsfw); +&General::readhash($ifacesettings, \%ifaces); +&General::readhash("$configovpn", \%ovpnsettings); +&General::readhash("$configipsecrw", \%ipsecsettings); +&General::readhasharray("$configipsec", \%ipsecconf); +&Header::showhttpheaders(); +&Header::getcgihash(\%fwdfwsettings); +&Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); +&Header::openbigbox('100%', 'center',$errormessage); +#### JAVA SCRIPT #### +print< + \$(document).ready(function() { + // Automatically select radio buttons when corresponding + // dropdown menu changes. + \$("select").change(function() { + var id = \$(this).attr("name"); + //When using SNAT or DNAT, check "USE NAT" Checkbox + if ( id === 'snat' || id === 'dnat') { + \$('#USE_NAT').prop('checked', true); + } + \$('#' + id).prop("checked", true); + }); + }); +function checkradio(a){ + \$(a).attr('checked', true); +} + +END + +#### ACTION ##### + +if ($fwdfwsettings{'ACTION'} eq 'saverule') +{ + &General::readhasharray("$configfwdfw", \%configfwdfw); + &General::readhasharray("$configinput", \%configinputfw); + &General::readhasharray("$configoutgoing", \%configoutgoingfw); + $errormessage=&checksource; + if(!$errormessage){&checktarget;} + if(!$errormessage){&checkrule;} + + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $checkorange='on'; + } + } + #check useless rules + if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage.=$Lang::tr{'fwdfw useless rule'}."
"; + } + #check if we try to break rules + if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage=$Lang::tr{'fwdfw err same'}; + } + #INPUT part + if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ + $fwdfwsettings{'config'}=$configinput; + $fwdfwsettings{'chain'} = 'INPUTFW'; + my $maxkey=&General::findhasharraykey(\%configinputfw); + #check if we have an identical rule already + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configinputfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configinputfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + $fwdfwsettings{'nosave2'} = 'on'; + } + } + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configinputfw,$configinput); + } + }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){ + # OUTGOING PART + $fwdfwsettings{'config'}=$configoutgoing; + $fwdfwsettings{'chain'} = 'OUTGOINGFW'; + my $maxkey=&General::findhasharraykey(\%configoutgoingfw); + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configoutgoingfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + print"CHECK OUTGOING DOPPELTE REGEL
"; + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configoutgoingfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configoutgoingfw,$configoutgoing); + } + }else{ + #FORWARD PART + $fwdfwsettings{'config'}=$configfwdfw; + $fwdfwsettings{'chain'} = 'FORWARDFW'; + my $maxkey=&General::findhasharraykey(\%configfwdfw); + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + #check if we have an identical rule already + foreach my $key (sort keys %configfwdfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configfwdfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configfwdfw,$configfwdfw); + } + } + if ($errormessage){ + &newrule; + }else{ + if($fwdfwsettings{'nosave2'} ne 'on'){ + &rules; + } + &base; + } +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) +{ + &newrule; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw toggle'}) +{ + my %togglehash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); + foreach my $key (sort keys %togglehash){ + if ($key eq $fwdfwsettings{'key'}){ + if ($togglehash{$key}[2] eq 'ON'){$togglehash{$key}[2]='';}else{$togglehash{$key}[2]='ON';} + } + } + &General::writehasharray($fwdfwsettings{'config'}, \%togglehash); + &rules; + &base; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw togglelog'}) +{ + my %togglehash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); + foreach my $key (sort keys %togglehash){ + if ($key eq $fwdfwsettings{'key'}){ + if ($togglehash{$key}[17] eq 'ON'){$togglehash{$key}[17]='';}else{$togglehash{$key}[17]='ON';} + } + } + &General::writehasharray($fwdfwsettings{'config'}, \%togglehash); + &rules; + &base; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &base; +} +if ($fwdfwsettings{'ACTION'} eq 'editrule') +{ + $fwdfwsettings{'updatefwrule'}='on'; + &newrule; +} +if ($fwdfwsettings{'ACTION'} eq 'deleterule') +{ + &deleterule; +} +if ($fwdfwsettings{'ACTION'} eq 'moveup') +{ + &pos_up; + &base; +} +if ($fwdfwsettings{'ACTION'} eq 'movedown') +{ + &pos_down; + &base; +} +if ($fwdfwsettings{'ACTION'} eq 'copyrule') +{ + $fwdfwsettings{'copyfwrule'}='on'; + &newrule; +} +if ($fwdfwsettings{'ACTION'} eq '' or $fwdfwsettings{'ACTION'} eq 'reset') +{ + &base; +} +### Functions #### +sub addrule +{ + &error; + if (-f "${General::swroot}/forward/reread"){ + print "
    $Lang::tr{'fwhost reread'}

"; + } + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'}); + print "
"; + print ""; + print ""; + print"
"; + &Header::closebox(); + &viewtablerule; +} +sub base +{ + &hint; + &addrule; + print "

"; + print "

Version: $VERSION
"; +} +sub changerule +{ + my $oldchain=shift; + $fwdfwsettings{'updatefwrule'}=''; + $fwdfwsettings{'config'}=$oldchain; + $fwdfwsettings{'nobase'}='on'; + &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); +} +sub checksource +{ + my ($ip,$subnet); + #check ip-address if manual + if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){ + #check if ip with subnet + if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) { + ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'}); + $subnet = &General::iporsubtocidr($subnet); + $fwdfwsettings{'isip'}='on'; + } + #check if only ip + if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $ip=$fwdfwsettings{'src_addr'}; + $subnet = '32'; + $fwdfwsettings{'isip'}='on'; + } + + if ($fwdfwsettings{'isip'} ne 'on'){ + if (&General::validmac($fwdfwsettings{'src_addr'})){ + $fwdfwsettings{'ismac'}='on'; + } + } + if ($fwdfwsettings{'isip'} eq 'on'){ + ##check if ip is valid + if (! &General::validip($ip)){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; + } + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + #check if net or broadcast + $fwdfwsettings{'src_addr'}="$ip/$subnet"; + if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; + } + } + if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; + } + }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; + return $errormessage; + } + + #check empty fields + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} + #check icmp source + if ($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ICMP'){ + $fwdfwsettings{'SRC_PORT'}=''; + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0] ($icmptypes{$key}[1])"){ + $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; + } + } + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'AH'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){ + $fwdfwsettings{'ICMP_TYPES'}=''; + }else{ + $fwdfwsettings{'ICMP_TYPES'}=''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'PROT'}=''; + } + + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){ + my @parts=split(",",$fwdfwsettings{'SRC_PORT'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'SRC_PORT'}=join("|",@values); + } + return $errormessage; +} +sub checktarget +{ + my ($ip,$subnet); + &General::readhasharray("$configsrv", \%customservice); + #check DNAT settings (has to be single Host and single Port or portrange) + if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ + if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ + if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; + } + #check if manual ip is a single Host (if set) + if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){ + my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}}); + my @tmp1= split ("/",$tmp[3]); + if (($tmp1[0] eq "0") || ($tmp1[0] eq "255")) + { + $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + return $errormessage; + } + } + #check if Port is a single Port or portrange + if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; + } + if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; + } + } + }else{ + $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + return $errormessage; + } + } + if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ + #check if ip with subnet + if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { + ($ip,$subnet)=split (/\//,$fwdfwsettings{'tgt_addr'}); + $subnet = &General::iporsubtocidr($subnet); + } + #check if only ip + if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $ip=$fwdfwsettings{'tgt_addr'}; + $subnet='32'; + } + #check if ip is valid + if (! &General::validip($ip)){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; + return $errormessage; + } + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; + if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; + return $errormessage; + } + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err notgtip'}; + return $errormessage; + } + #check empty fields + if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} + #check tgt services + if ($fwdfwsettings{'USESRV'} eq 'ON'){ + if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + #check target service + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err tgt_grp'}; + } + } + if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ + if ($fwdfwsettings{'TGT_PORT'} ne ''){ + if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') { + $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; + } + my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'TGT_PORT'}=join("|",@values); + } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'} = ''; + }elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'}=''; + }elsif($fwdfwsettings{'TGT_PROT'} eq 'AH'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'}=''; + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ + $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; + } + } + } + } + } + #check targetport + if ($fwdfwsettings{'USESRV'} ne 'ON'){ + $fwdfwsettings{'grp3'}=''; + $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + #check timeframe + if($fwdfwsettings{'TIME'} eq 'ON'){ + if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ + $errormessage=$Lang::tr{'fwdfw err time'}; + return $errormessage; + } + } + return $errormessage; +} +sub check_natport +{ + my $val=shift; + if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) { + $fwdfwsettings{'dnatport'} =~ tr/-/:/; + if ($fwdfwsettings{'dnatport'} eq "*") { + $fwdfwsettings{'dnatport'}="1:65535"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) { + $fwdfwsettings{'dnatport'} = "1:$2"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) { + $fwdfwsettings{'dnatport'} ="$1:65535"; + } + } + return 1; + } + if ($val =~ "," || $val>65536 || $val<0){ + return 0; + } + return 1; +} +sub checkrule +{ + #check valid port for NAT + if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + #if no port is given in nat area, take target host port + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} + #check if port given in nat area is a single valid port or portrange + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ + my $custsrvport; + #get servcie Protocol and Port + foreach my $key (sort keys %customservice){ + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){ + if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + $custsrvport= $customservice{$key}[1]; + } + } + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + } + #check if DNAT port is multiple + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + my @parts=split(",",$fwdfwsettings{'dnatport'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'dnatport'}=join("|",@values); + } + } + #check valid remark + if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage.=$Lang::tr{'fwdfw err remark'}."
"; + } + #check if source and target identical + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){ + $errormessage=$Lang::tr{'fwdfw err same'}; + return $errormessage; + } + #get source and targetip address if possible + my ($sip,$scidr,$tip,$tcidr); + ($sip,$scidr)=&get_ip("src","grp1"); + ($tip,$tcidr)=&get_ip("tgt","grp2"); + #check same iprange in source and target + if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ + my $networkip1=&General::getnetworkip($sip,$scidr); + my $networkip2=&General::getnetworkip($tip,$tcidr); + if ($scidr gt $tcidr){ + if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){ + $errormessage.=$Lang::tr{'fwdfw err samesub'}; + } + }elsif($scidr eq $tcidr && $scidr eq '32'){ + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2); + if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ + $hint=$Lang::tr{'fwdfw hint ip1'}."
"; + $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; + } + }else{ + if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ + $errormessage.=$Lang::tr{'fwdfw err samesub'}; + } + } + } + #check source and destination protocol if manual + if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ + if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + $errormessage.=$Lang::tr{'fwdfw err prot'}; + } + #check source and destination protocol if source manual and dest servicegrp + if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){ + if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){ + $errormessage.=$Lang::tr{'fwdfw err prot'}; + last; + } + } + } + } + } + if( $fwdfwsettings{'USE_SRC_PORT'} ne 'ON' && $fwdfwsettings{'USESRV'} ne 'ON'){ + $fwdfwsettings{'PROT'}=''; + $fwdfwsettings{'TGT_PROT'}=''; + } +} +sub checkcounter +{ + my ($base1,$val1,$base2,$val2) = @_; + + if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){ + &dec_counter($confignet,\%customnetwork,$val1); + }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){ + &dec_counter($confighost,\%customhost,$val1); + }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){ + &dec_counter($configgrp,\%customgrp,$val1); + }elsif($base1 eq 'cust_srv'){ + &dec_counter($configsrv,\%customservice,$val1); + }elsif($base1 eq 'cust_srvgrp'){ + &dec_counter($configsrvgrp,\%customservicegrp,$val1); + } + + if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ + &inc_counter($confignet,\%customnetwork,$val2); + }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ + &inc_counter($confighost,\%customhost,$val2); + }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){ + &inc_counter($configgrp,\%customgrp,$val2); + }elsif($base2 eq 'cust_srv'){ + &inc_counter($configsrv,\%customservice,$val2); + }elsif($base2 eq 'cust_srvgrp'){ + &inc_counter($configsrvgrp,\%customservicegrp,$val2); + } +} +sub checkvpn +{ + my $ip=shift; + #Test if manual IP is part of static OpenVPN networks + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (sort keys %ccdnet){ + my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]); + my $sub=&General::iporsubtodec($vpnsubnet); + if (&General::IpInSubnet($ip,$vpnip,$sub)){ + return 0; + } + } + # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor + # because if one creates a custom host with the ip, we need to check the color there! + # It does not make sense to check this here + + # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here + # Is also checked in getcolor + + # Test if manual ip is part of an IPsec Network is also checked in getcolor + return 1; +} +sub checkvpncolor +{ + +} +sub deleterule +{ + my %delhash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%delhash); + foreach my $key (sort {$a <=> $b} keys %delhash){ + if ($key == $fwdfwsettings{'key'}){ + #check hosts/net and groups + &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); + &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); + #check services and groups + if ($delhash{$key}[11] eq 'ON'){ + &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); + } + } + if ($key >= $fwdfwsettings{'key'}) { + my $next = $key + 1; + if (exists $delhash{$next}) { + foreach my $i (0 .. $#{$delhash{$next}}) { + $delhash{$key}[$i] = $delhash{$next}[$i]; + } + } + } + } + # Remove the very last entry. + my $last_key = (sort {$a <=> $b} keys %delhash)[-1]; + delete $delhash{$last_key}; + + &General::writehasharray($fwdfwsettings{'config'}, \%delhash); + &rules; + + if($fwdfwsettings{'nobase'} ne 'on'){ + &base; + } +} +sub disable_rule +{ + my $key1=shift; + &General::readhasharray("$configfwdfw", \%configfwdfw); + foreach my $key (sort keys %configfwdfw){ + if ($key eq $key1 ){ + if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';} + } + } + &General::writehasharray("$configfwdfw", \%configfwdfw); + &rules; +} +sub dec_counter +{ + my $config=shift; + my %hash=%{(shift)}; + my $val=shift; + my $pos; + &General::readhasharray($config, \%hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]-1; + } + } + &General::writehasharray($config, \%hash); +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); + print"
"; + } +} +sub fillselect +{ + my %hash=%{(shift)}; + my $val=shift; + my $key; + foreach my $key (sort { ncmp($hash{$a}[0],$hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + print""; + }else{ + print""; + } + } +} +sub gen_dd_block +{ + my $srctgt = shift; + my $grp=shift; + my $helper=''; + my $show=''; + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; +print< + + + "; + #custom networks + if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print""; + } + #custom hosts + if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print""; + } + #custom groups + if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print""; + } + #End left table. start right table (vpn) + print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
"; + # CCD networks + if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print""; + } + #OVPN CCD Hosts + foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){ + if ($ccdhost{$key}[33] ne '' ){ + print"" ; + } + if ($show eq '1'){$show='';print"";} + #OVPN N2N + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + print"" ; + } + if ($show eq '1'){$show='';print"";} + #IPsec netze + foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { + if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print""; + } + if ($show eq '1'){$show='';print"";} + + print"
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}:
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
"; + print"
"; +} +sub get_ip +{ + my $val=shift; + my $grp =shift; + my $a; + my $b; + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); + if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){ + if ($fwdfwsettings{$grp} eq $val.'_addr'){ + ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}}); + }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){ + if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){ + $a=$netsettings{'GREEN_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){ + $a=$netsettings{'ORANGE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){ + $a=$netsettings{'BLUE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){ + &General::readhash("$configovpn",\%ovpnsettings); + ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'}); + $b=&General::iporsubtocidr($b); + } + }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key (keys %customnetwork){ + if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + $a=$customnetwork{$key}[1]; + $b=&General::iporsubtocidr($customnetwork{$key}[2]); + } + } + }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){ + &General::readhasharray("$confighost", \%customhost); + foreach my $key (keys %customhost){ + if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + if ($customhost{$key}[1] eq 'ip'){ + ($a,$b)=split (/\//,$customhost{$key}[2]); + $b=&General::iporsubtocidr($b); + }else{ + if ($grp eq 'grp2'){ + $errormessage=$Lang::tr{'fwdfw err tgt_mac'}; + } + } + } + } + } + } + return $a,$b; +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(\%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} +sub getsrcport +{ + my %hash=%{(shift)}; + my $key=shift; + if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){ + $hash{$key}[10]=~ s/\|/,/g; + print": $hash{$key}[10]"; + }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ + print":
$hash{$key}[9] "; + } +} +sub gettgtport +{ + my %hash=%{(shift)}; + my $key=shift; + my $service; + my $prot; + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ + if($hash{$key}[14] eq 'cust_srv'){ + &General::readhasharray("$configsrv", \%customservice); + foreach my $i (sort keys %customservice){ + if($customservice{$i}[0] eq $hash{$key}[15]){ + $service = $customservice{$i}[0]; + } + } + }elsif($hash{$key}[14] eq 'cust_srvgrp'){ + $service=$hash{$key}[15]; + }elsif($hash{$key}[14] eq 'TGT_PORT'){ + $hash{$key}[15]=~ s/\|/,/g; + $service=$hash{$key}[15]; + } + if($service){ + print": $service"; + } + }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ + print":
$hash{$key}[13]"; + } +} +sub get_serviceports +{ + my $type=shift; + my $name=shift; + &General::readhasharray("$configsrv", \%customservice); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + my $tcp; + my $udp; + my $icmp; + @protocols=(); + if($type eq 'service'){ + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key}[0] eq $name){ + push (@protocols,$customservice{$key}[2]); + } + } + }elsif($type eq 'group'){ + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $name){ + foreach my $key1 (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + if($customservice{$key1}[2] eq 'TCP'){ + $tcp='TCP'; + }elsif($customservice{$key1}[2] eq 'ICMP'){ + $icmp='ICMP'; + }elsif($customservice{$key1}[2] eq 'UDP'){ + $udp='UDP'; + } + } + } + } + } + } + if($tcp && $udp && $icmp){ + push (@protocols,"All"); + return @protocols; + } + if($tcp){ + push (@protocols,"TCP"); + } + if($udp){ + push (@protocols,"UDP"); + } + if($icmp){ + push (@protocols,"ICMP"); + } + return @protocols; +} +sub getcolor +{ + my $nettype=shift; + my $val=shift; + my $hash=shift; + if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #custom Hosts + if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + foreach my $key (sort keys %$hash){ + if ($$hash{$key}[0] eq $val){ + $val=$$hash{$key}[2]; + } + } + } + #standard networks + if ($val eq 'GREEN'){ + $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; + return; + }elsif ($val eq 'ORANGE'){ + $tdcolor="style='background-color: $Header::colourorange;color:white;'"; + return; + }elsif ($val eq 'BLUE'){ + $tdcolor="style='background-color: $Header::colourblue;color:white;'"; + return; + }elsif ($val eq 'RED' ||$val eq 'RED1' ){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + }elsif ($val eq 'IPFire' ){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + }elsif($val =~ /^(.*?)\/(.*?)$/){ + my ($sip,$scidr) = split ("/",$val); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourorange;color:white;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourblue;color:white;'"; + return; + } + }elsif ($val eq 'Default IP'){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + } + #Check if a manual IP or custom host is part of a VPN + if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr' || $nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + my ($c,$d) = split("/",$val); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + } + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + } + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + } + } + #VPN networks + if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + #ALIASE + foreach my $alias (sort keys %aliases) + { + if ($val eq $alias){ + $tdcolor="style='background-color:$Header::colourred;color:white;'"; + return; + } + } + } + $tdcolor=''; + return; +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "$hint\n"; + print " \n"; + &Header::closebox(); + print"
"; + } +} +sub inc_counter +{ + my $config=shift; + my %hash=%{(shift)}; + my $val=shift; + my $pos; + + &General::readhasharray($config, \%hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]+1; + } + } + &General::writehasharray($config, \%hash); +} +sub newrule +{ + &error; + &General::setup_default_networks(\%defaultNetworks); + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); + #read all configfiles + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$configipsec", \%ipsecconf); + &General::get_aliases(\%aliases); + my %checked=(); + my $helper; + my $sum=0; + if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} + my $config=$fwdfwsettings{'config'}; + my %hash=(); + #Get Red IP-ADDRESS + open (CONN1,"/var/ipfire/red/local-ipaddress"); + my $redip = ; + close(CONN1); + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + #check if update and get values + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ + &General::readhasharray("$config", \%hash); + foreach my $key (sort keys %hash){ + $sum++; + if ($key eq $fwdfwsettings{'key'}){ + $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'}; + $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; + $fwdfwsettings{'chain'} = $hash{$key}[1]; + $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; + $fwdfwsettings{'grp1'} = $hash{$key}[3]; + $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; + $fwdfwsettings{'grp2'} = $hash{$key}[5]; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6]; + $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7]; + $fwdfwsettings{'PROT'} = $hash{$key}[8]; + $fwdfwsettings{'ICMP_TYPES'} = $hash{$key}[9]; + $fwdfwsettings{'SRC_PORT'} = $hash{$key}[10]; + $fwdfwsettings{'USESRV'} = $hash{$key}[11]; + $fwdfwsettings{'TGT_PROT'} = $hash{$key}[12]; + $fwdfwsettings{'ICMP_TGT'} = $hash{$key}[13]; + $fwdfwsettings{'grp3'} = $hash{$key}[14]; + $fwdfwsettings{$fwdfwsettings{'grp3'}} = $hash{$key}[15]; + $fwdfwsettings{'ruleremark'} = $hash{$key}[16]; + $fwdfwsettings{'LOG'} = $hash{$key}[17]; + $fwdfwsettings{'TIME'} = $hash{$key}[18]; + $fwdfwsettings{'TIME_MON'} = $hash{$key}[19]; + $fwdfwsettings{'TIME_TUE'} = $hash{$key}[20]; + $fwdfwsettings{'TIME_WED'} = $hash{$key}[21]; + $fwdfwsettings{'TIME_THU'} = $hash{$key}[22]; + $fwdfwsettings{'TIME_FRI'} = $hash{$key}[23]; + $fwdfwsettings{'TIME_SAT'} = $hash{$key}[24]; + $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; + $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; + $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; + $fwdfwsettings{'USE_NAT'} = $hash{$key}[28]; + $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order + $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; + $fwdfwsettings{'dnatport'} = $hash{$key}[30]; + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; + $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; + $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; + } + } + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } + }else{ + $fwdfwsettings{'ACTIVE'}='ON'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } + } + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + print "
"; + &Header::closebox(); + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); + #------SOURCE------------------------------------------------------- + print< + $Lang::tr{'fwdfw sourceip'}Firewall +END + print"$Lang::tr{'fwdfw use srcport'} + $Lang::tr{'fwdfw man port'} + $Lang::tr{'fwhost icmptype'}$Lang::tr{'fwdfw targetip'}Firewall +END + print"$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}$Lang::tr{'fwhost cust srvgrp'}$Lang::tr{'fwdfw man port'} + $Lang::tr{'fwhost icmptype'}$Lang::tr{'fwdfw use nat'} + $Lang::tr{'fwdfw dnat'} +END + print"Firewall: "; + $fwdfwsettings{'dnatport'}=~ tr/|/,/; + print"Port: "; + print"
"; + #SNAT + print"$Lang::tr{'fwdfw snat'}"; + print"Firewall: "; + print"
"; + &Header::closebox(); + #---Activate/logging/remark------------------------------------- + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); + print< + $Lang::tr{'fwdfw rule action'}"; + print"$Lang::tr{'remark'}:"; + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ + print "$Lang::tr{'fwdfw rulepos'}:"; + }else{ + print "$Lang::tr{'fwdfw rulepos'}:"; + } + + print< + + +
$Lang::tr{'fwdfw rule activate'}
$Lang::tr{'fwdfw log rule'}

+END + &Header::closebox(); + #---ADD TIMEFRAME----------------------------------------------- + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw timeframe'}); + print< + $Lang::tr{'fwdfw timeframe'} +   + + $Lang::tr{'time'}: + $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} + $Lang::tr{'advproxy from'} + $Lang::tr{'advproxy to'} + + + + + + + + + + + +END + for (my $i=0;$i<=23;$i++) { + $i = sprintf("%02s",$i); + for (my $j=0;$j<=45;$j+=15) { + $j = sprintf("%02s",$j); + my $time = $i.":".$j; + print "\t\t\t\t\t\n"; + } + } + print<
+END + #---ACTION------------------------------------------------------ + if($fwdfwsettings{'updatefwrule'} ne 'on'){ + print< + + + +
+ +
+END + }else{ + print< + + + + + + + + + + + + + + +
+
+END + } + &Header::closebox(); +} +sub pos_up +{ + my %uphash=(); + my %tmp=(); + &General::readhasharray($fwdfwsettings{'config'}, \%uphash); + foreach my $key (sort keys %uphash){ + if ($key eq $fwdfwsettings{'key'}) { + my $last = $key -1; + if (exists $uphash{$last}){ + #save rule last + foreach my $y (0 .. $#{$uphash{$last}}) { + $tmp{0}[$y] = $uphash{$last}[$y]; + } + #copy active rule to last + foreach my $i (0 .. $#{$uphash{$last}}) { + $uphash{$last}[$i] = $uphash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $uphash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + &General::writehasharray($fwdfwsettings{'config'}, \%uphash); + &rules; +} +sub pos_down +{ + my %downhash=(); + my %tmp=(); + &General::readhasharray($fwdfwsettings{'config'}, \%downhash); + foreach my $key (sort keys %downhash){ + if ($key eq $fwdfwsettings{'key'}) { + my $next = $key + 1; + if (exists $downhash{$next}){ + #save rule next + foreach my $y (0 .. $#{$downhash{$next}}) { + $tmp{0}[$y] = $downhash{$next}[$y]; + } + #copy active rule to next + foreach my $i (0 .. $#{$downhash{$next}}) { + $downhash{$next}[$i] = $downhash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $downhash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + &General::writehasharray($fwdfwsettings{'config'}, \%downhash); + &rules; +} +sub rules +{ + if (!-f "${General::swroot}/forward/reread"){ + system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); + } +} +sub reread_rules +{ + system("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/forward/reread"){ + system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); + } +} +sub saverule +{ + my $hash=shift; + my $config=shift; + &General::readhasharray("$config", $hash); + if (!$errormessage){ + ################################################################ + #check if we change an INPUT rule to a OUTGOING + if($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ + &changerule($configinput); + #print"1"; + } + #check if we change an INPUT rule to a FORWARD + elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configinput); + #print"2"; + } + ################################################################ + #check if we change an OUTGOING rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ + &changerule($configoutgoing); + #print"3"; + } + #check if we change an OUTGOING rule to a FORWARD + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configoutgoing); + #print"4"; + } + ################################################################ + #check if we change a FORWARD rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ + &changerule($configfwdfw); + #print"5"; + } + #check if we change a FORWARD rule to an OUTGOING + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ + &changerule($configfwdfw); + #print"6"; + } + if ($fwdfwsettings{'updatefwrule'} ne 'on'){ + my $key = &General::findhasharraykey ($hash); + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; + &General::writehasharray("$config", $hash); + }else{ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if($key eq $fwdfwsettings{'key'}){ + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; + last; + } + } + } + &General::writehasharray("$config", $hash); + if($fwdfwsettings{'oldrulenumber'} > $fwdfwsettings{'rulepos'}){ + my %tmp=(); + my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'}; + for (my $z=0;$z<$val;$z++){ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $last = $key -1; + if (exists $$hash{$last}){ + #save rule last + foreach my $y (0 .. $#{$$hash{$last}}) { + $tmp{0}[$y] = $$hash{$last}[$y]; + } + #copy active rule to last + foreach my $i (0 .. $#{$$hash{$last}}) { + $$hash{$last}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + $fwdfwsettings{'oldrulenumber'}--; + } + &General::writehasharray("$config", $hash); + &rules; + }elsif($fwdfwsettings{'rulepos'} > $fwdfwsettings{'oldrulenumber'}){ + my %tmp=(); + my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'}; + for (my $z=0;$z<$val;$z++){ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $next = $key + 1; + if (exists $$hash{$next}){ + #save rule next + foreach my $y (0 .. $#{$$hash{$next}}) { + $tmp{0}[$y] = $$hash{$next}[$y]; + } + #copy active rule to next + foreach my $i (0 .. $#{$$hash{$next}}) { + $$hash{$next}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + $fwdfwsettings{'oldrulenumber'}++; + } + &General::writehasharray("$config", $hash); + &rules; + } + } +} +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 255) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { + return 0;} + return 1; +} +sub viewtablerule +{ + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); + &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); + &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); + &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); +} +sub viewtablenew +{ + my $hash=shift; + my $config=shift; + my $title=shift; + my $title1=shift; + my $go=''; + &General::get_aliases(\%aliases); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$config", $hash); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$configccdhost", \%ccdhost); + if( ! -z $config){ + &Header::openbox('100%', 'left',$title); + my $count=0; + my ($gif,$log); + my $ruletype; + my $rulecolor; + my $tooltip; + my @tmpsrc=(); + my $coloryellow=''; + print"$title1
"; + print""; + print""; + foreach my $key (sort {$a <=> $b} keys %$hash){ + $tdcolor=''; + @tmpsrc=(); + #check if vpn hosts/nets have been deleted + if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[4]); + } + if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[6]); + } + foreach my $host (@tmpsrc){ + if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + } + $$hash{'ACTIVE'}=$$hash{$key}[2]; + $count++; + if($coloryellow eq 'on'){ + print""; + $coloryellow=''; + }elsif($coloryellow eq ''){ + if ($count % 2){ + $color="$color{'color22'}"; + } + else{ + $color="$color{'color20'}"; + } + } + print""; + #KEY + print<$key   +END + #RULETYPE (A,R,D) + if ($$hash{$key}[0] eq 'ACCEPT'){ + $ruletype='A'; + $tooltip='ACCEPT'; + $rulecolor=$color{'color17'}; + }elsif($$hash{$key}[0] eq 'DROP'){ + $ruletype='D'; + $tooltip='DROP'; + $rulecolor=$color{'color25'}; + }elsif($$hash{$key}[0] eq 'REJECT'){ + $ruletype='R'; + $tooltip='REJECT'; + $rulecolor=$color{'color16'}; + } + print""; + #Get Protocol + my $prot; + if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual + push (@protocols,$$hash{$key}[8]); + }elsif ($$hash{$key}[12]){ #target prot if manual + push (@protocols,$$hash{$key}[12]); + }elsif($$hash{$key}[14] eq 'cust_srv'){ + &get_serviceports("service",$$hash{$key}[15]); + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + &get_serviceports("group",$$hash{$key}[15]); + }else{ + push (@protocols,$Lang::tr{'all'}); + } + my $protz=join(",",@protocols); + print""; + @protocols=(); + #SOURCE + my $ipfireiface; + &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); + print" +END + #TARGET + &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost); + print< +END + #Is this a DNAT rule? + if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + print "Firewall ($$hash{$key}[29])"; + if($$hash{$key}[30] ne ''){ + $$hash{$key}[30]=~ tr/|/,/; + print": $$hash{$key}[30]"; + } + print"
->"; + } + if ($$hash{$key}[5] eq 'ipfire'){ + $ipfireiface='Interface'; + } + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[6] eq 'RED1'){ + print "$ipfireiface $Lang::tr{'red1'}"; + }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL') + { + print "$ipfireiface ".&get_name($$hash{$key}[6]); + }else{ + print $$hash{$key}[6]; + } + }elsif ($$hash{$key}[5] eq 'tgt_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[6]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[6]; + } + }else{ + print "$$hash{$key}[6]"; + } + $tdcolor=''; + #TARGETPORT + &gettgtport(\%$hash,$key); + print""; + #RULE ACTIVE + if($$hash{$key}[2] eq 'ON'){ + $gif="/images/on.gif" + + }else{ + $gif="/images/off.gif" + } + print<
+ + + + + + + +END + if (exists $$hash{$key-1}){ + print<
+ + + + +END + }else{ + print""; + } + if (exists $$hash{$key+1}){ + print<
+ + + + +END + }else{ + print""; + } + #REMARK + if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){ + print""; + print""; + } + if ($$hash{$key}[18] eq 'ON'){ + #TIMEFRAME + if ($$hash{$key}[18] eq 'ON'){ + my @days=(); + if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} + if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} + if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} + if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} + if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} + if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} + if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} + my $weekdays=join(",",@days); + if (@days){ + print""; + print""; + } + } + } + print""; + } + print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'fwdfw action'}
$ruletype$protz"; + if ($$hash{$key}[3] eq 'ipfire_src'){ + $ipfireiface='Interface '; + } + if ($$hash{$key}[3] eq 'std_net_src'){ + print &get_name($$hash{$key}[4]); + }elsif ($$hash{$key}[3] eq 'src_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[4]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[4]; + } + }elsif ($$hash{$key}[4] eq 'RED1'){ + print "$ipfireiface $Lang::tr{'fwdfw red'}"; + }else{ + print "$$hash{$key}[4]"; + } + $tdcolor=''; + #SOURCEPORT + &getsrcport(\%$hash,$key); + #Is this a SNAT rule? + if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){ + my $net=&get_name($$hash{$key}[29]); + if ( ! $net){ $net=$$hash{$key}[29];} + print"
->$net"; + if ($$hash{$key}[30] ne ''){ + print": $$hash{$key}[30]"; + } + } + if ($$hash{$key}[17] eq 'ON'){ + $log="/images/on.gif"; + }else{ + $log="/images/off.gif"; + } + #LOGGING + print< +
+ + + +
+ + + +
+ + + +
+ + + +
   $$hash{$key}[16]
   $weekdays   $$hash{$key}[26] - $$hash{$key}[27]
"; + #SHOW FINAL RULE + print ""; + my $col; + if ($config eq '/var/ipfire/forward/config'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + &show_defaultrules($col,$pol); + }elsif ($config eq '/var/ipfire/forward/outgoing'){ + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + print""; + }else{ + $col="bgcolor='green'"; + print""; + } + }else{ + print""; + } + print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
"; + print "
"; + print "

"; + &Header::closebox(); + }else{ + if ($optionsfw{'SHOWTABLES'} eq 'on'){ + print "$title1
"; + print"
$Lang::tr{'fwhost empty'}
"; + my $col; + if ($config eq '/var/ipfire/forward/config'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + &show_defaultrules($col,$pol); + }elsif ($config eq '/var/ipfire/forward/outgoing'){ + print ""; + my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + print""; + }else{ + $col="bgcolor='green'"; + print""; + } + }else{ + print "
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}
"; + print""; + } + print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}


"; + } + } +} +&Header::closebigbox(); +&Header::closepage(); + +sub show_defaultrules +{ + my $col=shift; + my $pol=shift; + #STANDARD RULES (From WIKI) + print""; + if ($col eq "bgcolor='green'"){ + print "
"; + my $blue = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used()); + my $orange = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used()); + my $blue1 = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used()); + my $orange1 = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used()); + print""; + print"" if (&Header::orange_used()); + print"" if (&Header::blue_used()); + print""; + if (&Header::orange_used()){ + print""; + print"" if (&Header::blue_used()); + print""; + } + if (&Header::blue_used()){ + print""; + print"" if (&Header::orange_used()); + print""; + print""; + } + print""; + }elsif($col eq "bgcolor='darkred'"){ + print "
$Lang::tr{'green'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange1$blue1
$Lang::tr{'orange'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})$blue
$Lang::tr{'blue'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})
$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw pol allow'}
"; + print""; + } +} diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi new file mode 100755 index 000000000..7ed27c4f6 --- /dev/null +++ b/html/cgi-bin/fwhosts.cgi @@ -0,0 +1,2198 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +use strict; + +# enable only the following on debugging purpose +use warnings; +use Sort::Naturally; +use CGI::Carp 'fatalsToBrowser'; +no warnings 'uninitialized'; +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +my %fwhostsettings=(); +my %customnetwork=(); +my %customhost=(); +my %customgrp=(); +my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %ccdhost=(); +my %ipsecconf=(); +my %icmptypes=(); +my %color=(); +my %defaultNetworks=(); +my %mainsettings=(); +my %ownnet=(); +my %ipsecsettings=(); +my %fwfwd=(); +my %fwinp=(); +my %ovpnsettings=(); +my %ipsecconf=(); +my %ipsecsettings=(); + +my $errormessage; +my $hint; +my $update=0; +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $fwconfigfwd = "${General::swroot}/forward/config"; +my $fwconfiginp = "${General::swroot}/forward/input"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $tdcolor=''; +my $configipsec = "${General::swroot}/vpn/config"; +my $configipsecrw = "${General::swroot}/vpn/settings"; + +unless (-e $confignet) { system("touch $confignet"); } +unless (-e $confighost) { system("touch $confighost"); } +unless (-e $configgrp) { system("touch $configgrp"); } +unless (-e $configsrv) { system("touch $configsrv"); } +unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } + +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash("${General::swroot}/ethernet/settings", \%ownnet); +&General::readhash("$configovpn", \%ovpnsettings); +&General::readhasharray("$configipsec", \%ipsecconf); +&General::readhash("$configipsecrw", \%ipsecsettings); + +&Header::getcgihash(\%fwhostsettings); + +&Header::showhttpheaders(); +&Header::openpage($Lang::tr{'fwhost hosts'}, 1, ''); +&Header::openbigbox('100%', 'center'); + +#### JAVA SCRIPT #### +print< + \$(document).ready(function() { + // Automatically select radio buttons when corresponding + // dropdown menu changes. + \$("select").change(function() { + var id = \$(this).attr("name"); + //When using SNAT or DNAT, check "USE NAT" Checkbox + if ( id === 'snat' || id === 'dnat') { + \$('#USE_NAT').prop('checked', true); + } + \$('#' + id).prop("checked", true); + }); + }); + +END + +## ACTION #### +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &showmenu; +} +# Update +if ($fwhostsettings{'ACTION'} eq 'updatenet' ) +{ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key (keys %customnetwork) + { + if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}) + { + $fwhostsettings{'orgname'} = $customnetwork{$key}[0]; + $fwhostsettings{'orgip'} = $customnetwork{$key}[1]; + $fwhostsettings{'orgsub'} = $customnetwork{$key}[2]; + $fwhostsettings{'netremark'} = $customnetwork{$key}[3]; + $fwhostsettings{'count'} = $customnetwork{$key}[4]; + delete $customnetwork{$key}; + + } + } + &General::writehasharray("$confignet", \%customnetwork); + $fwhostsettings{'actualize'} = 'on'; + $fwhostsettings{'ACTION'} = 'savenet'; +} +if ($fwhostsettings{'ACTION'} eq 'updatehost') +{ + my ($ip,$subnet); + &General::readhasharray("$confighost", \%customhost); + foreach my $key (keys %customhost) + { + if($customhost{$key}[0] eq $fwhostsettings{'orgname'}) + { + if ($customhost{$key}[1] eq 'ip'){ + ($ip,$subnet) = split (/\//,$customhost{$key}[2]); + }else{ + $ip = $customhost{$key}[2]; + } + $fwhostsettings{'orgip'} = $ip; + $fwhostsettings{'count'} = $customhost{$key}[4]; + delete $customhost{$key}; + &General::writehasharray("$confighost", \%customhost); + } + } + $fwhostsettings{'actualize'} = 'on'; + if($fwhostsettings{'orgip'}){ + $fwhostsettings{'ACTION'} = 'savehost'; + }else{ + $fwhostsettings{'ACTION'} = $Lang::tr{'fwhost newhost'}; + } +} +if ($fwhostsettings{'ACTION'} eq 'updateservice') +{ + my $count=0; + my $needrules=0; + $errormessage=&checkports(\%customservice); + if (!$errormessage){ + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (keys %customservice) + { + if ($customservice{$key}[0] eq $fwhostsettings{'oldsrvname'}) + { + $count=$customservice{$key}[4]; + delete $customservice{$key}; + &General::writehasharray("$configsrv", \%customservice); + last; + } + } + if ($fwhostsettings{'PROT'} ne 'ICMP'){ + $fwhostsettings{'ICMP_TYPES'}='BLANK'; + } + my $key1 = &General::findhasharraykey(\%customservice); + foreach my $i (0 .. 4) { $customservice{$key1}[$i] = "";} + $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'}; + $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'}; + $customservice{$key1}[2] = $fwhostsettings{'PROT'}; + $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'}; + $customservice{$key1}[4] = $count; + &General::writehasharray("$configsrv", \%customservice); + #check if we need to update firewallrules + if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){ + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $key (sort keys %fwfwd){ + if ($fwfwd{$key}[15] eq $fwhostsettings{'oldsrvname'}){ + $fwfwd{$key}[15] = $fwhostsettings{'SRV_NAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[15] eq $fwhostsettings{'oldsrvname'}){ + $fwfwd{$line}[15] = $fwhostsettings{'SRV_NAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } + #check if we need to update groups + &General::readhasharray("$configsrvgrp", \%customservicegrp); + foreach my $key (sort keys %customservicegrp){ + if($customservicegrp{$key}[2] eq $fwhostsettings{'oldsrvname'}){ + $customservicegrp{$key}[2] = $fwhostsettings{'SRV_NAME'}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $needrules='on'; + } + if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ + $needrules='on'; + } + if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ + $needrules='on'; + } + $fwhostsettings{'SRV_NAME'} = ''; + $fwhostsettings{'SRV_PORT'} = ''; + $fwhostsettings{'PROT'} = ''; + }else{ + $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'}; + $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'}; + $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'}; + $fwhostsettings{'updatesrv'}= 'on'; + } + if($needrules eq 'on'){ + &rules; + } + &addservice; +} +# save +if ($fwhostsettings{'ACTION'} eq 'savenet' ) +{ + my $count=0; + my $needrules=0; + if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} + #check if all fields are set + if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; + &addnet; + &viewtablenet; + }else{ + #check valid ip + if (!&General::validipandmask($fwhostsettings{'IP'}."/".$fwhostsettings{'SUBNET'})) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err addr'}; + $fwhostsettings{'BLK_HOST'} ='readonly'; + $fwhostsettings{'NOCHECK'} ='false'; + $fwhostsettings{'error'} ='on'; + } + #check remark + if ($fwhostsettings{'NETREMARK'} ne '' && !&validremark($fwhostsettings{'NETREMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'error'} ='on'; + } + #check if subnet is sigle host + if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'}; + } + if($fwhostsettings{'error'} ne 'on'){ + #check if we use one of ipfire's networks (green,orange,blue) + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err green'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'RED_NETADDRESS'},$ownnet{'RED_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err red'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + } + #only check plausi when no error till now + if (!$errormessage){ + &plausicheck("editnet"); + } + #check if network ip is part of an already used one + if(&checksubnet(\%customnetwork)) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + } + if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage) + { + $fwhostsettings{'actualize'} = ''; + my $key = &General::findhasharraykey (\%customnetwork); + foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} + $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ; + $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ; + $customnetwork{$key}[2] = $fwhostsettings{'orgsub'}; + $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'}; + $customnetwork{$key}[4] = $fwhostsettings{'count'}; + &General::writehasharray("$confignet", \%customnetwork); + undef %customnetwork; + } + if (!$errormessage){ + + &General::readhasharray("$confignet", \%customnetwork); + if ($fwhostsettings{'ACTION'} eq 'updatenet'){ + if ($fwhostsettings{'update'} == '0'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){ + $count=$customnetwork{$key}[4]; + delete $customnetwork{$key}; + last; + } + } + } + } + #get count if actualize is 'on' + if($fwhostsettings{'actualize'} eq 'on'){ + $fwhostsettings{'actualize'} = ''; + $count=$fwhostsettings{'count'}; + #check if we need to reload rules + if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0'){ + $needrules='on'; + } + if ($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){ + #check if we need to update groups + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (sort keys %customgrp){ + if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){ + $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'}; + last; + } + } + &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } + } + } + my $key = &General::findhasharraykey (\%customnetwork); + foreach my $i (0 .. 4) { $customnetwork{$key}[$i] = "";} + $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); + $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'}; + #convert ip when leading '0' in byte + $fwhostsettings{'IP'} =&General::ip2dec($fwhostsettings{'IP'}); + $fwhostsettings{'IP'} =&General::dec2ip($fwhostsettings{'IP'}); + $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ; + $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ; + if($fwhostsettings{'newnet'} eq 'on'){$count=0;} + $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'}; + $customnetwork{$key}[4] = $count; + &General::writehasharray("$confignet", \%customnetwork); + $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + undef %customnetwork; + $fwhostsettings{'HOSTNAME'}=''; + $fwhostsettings{'IP'}=''; + $fwhostsettings{'SUBNET'}=''; + $fwhostsettings{'NETREMARK'}=''; + #check if an edited net affected groups and need to reload rules + if ($needrules eq 'on'){ + &rules; + } + &addnet; + &viewtablenet; + }else { + &addnet; + &viewtablenet; + } + } +} +if ($fwhostsettings{'ACTION'} eq 'savehost') +{ + my $count=0; + my $needrules=0; + if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} + $fwhostsettings{'SUBNET'}='32'; + #check if all fields are set + if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; + $fwhostsettings{'ACTION'} = 'edithost'; + }else{ + if($fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ + $fwhostsettings{'type'} = 'mac'; + }elsif($fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $fwhostsettings{'type'} = 'ip'; + }else{ + $fwhostsettings{'type'} = ''; + $errormessage=$Lang::tr{'fwhost err ipmac'}; + } + #check remark + if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } + #CHECK IP-PART + if ($fwhostsettings{'type'} eq 'ip'){ + #check for subnet + if (rindex($fwhostsettings{'IP'},'/') eq '-1' ){ + if($fwhostsettings{'type'} eq 'ip' && !&General::validipandmask($fwhostsettings{'IP'}."/32")) + { + $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'}; + $fwhostsettings{'error'}='on'; + } + }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){ + $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'}; + $fwhostsettings{'error'}='on'; + } + #check if net or broadcast + my @tmp= split (/\./,$fwhostsettings{'IP'}); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")){ + $errormessage=$Lang::tr{'fwhost err hostip'}; + } + } + #only check plausi when no error till now + if (!$errormessage){ + &plausicheck("edithost"); + } + if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){ + $fwhostsettings{'actualize'} = ''; + my $key = &General::findhasharraykey (\%customhost); + foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";} + $customhost{$key}[0] = $fwhostsettings{'orgname'} ; + $customhost{$key}[1] = $fwhostsettings{'type'} ; + if($customhost{$key}[1] eq 'ip'){ + $customhost{$key}[2] = $fwhostsettings{'orgip'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + }else{ + $customhost{$key}[2] = $fwhostsettings{'orgip'}; + } + $customhost{$key}[3] = $fwhostsettings{'orgremark'}; + $customhost{$key}[4] = $fwhostsettings{'count'}; + &General::writehasharray("$confighost", \%customhost); + undef %customhost; + } + if (!$errormessage){ + #get count if host was edited + if($fwhostsettings{'actualize'} eq 'on'){ + $count=$fwhostsettings{'count'}; + if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0' ){ + $needrules='on'; + } + if($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){ + #check if we need to update groups + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (sort keys %customgrp){ + if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){ + $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } + } + } + my $key = &General::findhasharraykey (\%customhost); + foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";} + $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ; + $customhost{$key}[1] = $fwhostsettings{'type'} ; + if ($fwhostsettings{'type'} eq 'ip'){ + #convert ip when leading '0' in byte + $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'}); + $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'}); + $customhost{$key}[2] = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + }else{ + $customhost{$key}[2] = $fwhostsettings{'IP'}; + } + if($fwhostsettings{'newhost'} eq 'on'){$count=0;} + $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'}; + $customhost{$key}[4] =$count; + &General::writehasharray("$confighost", \%customhost); + undef %customhost; + $fwhostsettings{'HOSTNAME'}=''; + $fwhostsettings{'IP'}=''; + $fwhostsettings{'type'}=''; + $fwhostsettings{'HOSTREMARK'}=''; + #check if we need to update rules while host was edited + if($needrules eq 'on'){ + &rules; + } + &addhost; + &viewtablehost; + }else{ + &addhost; + &viewtablehost; + } + } +} +if ($fwhostsettings{'ACTION'} eq 'savegrp') +{ + my $grp=$fwhostsettings{'grp_name'};; + my $rem=$fwhostsettings{'remark'}; + my $count; + my $type; + my $updcounter='off'; + my @target; + my @newgrp; + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$confighost", \%customhost); + #check name + if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};} + #check existing name + if (!checkgroup(\%customgrp,$grp) && $fwhostsettings{'update'} ne 'on'){$errormessage.=$Lang::tr{'fwhost err grpexist'};} + #check remark + if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){ + $errormessage.=$Lang::tr{'fwhost err remark'}; + } + if ($fwhostsettings{'update'} eq 'on'){ + #check standard networks + if ($fwhostsettings{'grp2'} eq 'std_net'){ + @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; + $type='Standard Network'; + } + #check custom networks + if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_NET'}; + $updcounter='net'; + $type='Custom Network'; + }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #check custom addresses + if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_HOST'}; + $updcounter='host'; + $type='Custom Host'; + }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static net + if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_NET'}; + $type='OpenVPN static network'; + }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static host + if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_HOST'}; + $type='OpenVPN static host'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + } + #get address from ovpn ccd Net-2-Net + if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){ + @target=$fwhostsettings{'OVPN_N2N'}; + $type='OpenVPN N-2-N'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC HOST + if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ + @target=$fwhostsettings{'IPSEC_HOST'}; + $type='IpSec Host'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC NETWORK + if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){ + @target=$fwhostsettings{'IPSEC_NET'}; + $type='IpSec Network'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #check if host/net exists in grp + + my $test="$grp,$fwhostsettings{'oldremark'},@target"; + foreach my $key (keys %customgrp) { + my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; + if ($test1 eq $test){ + $errormessage=$Lang::tr{'fwhost err isingrp'}; + $fwhostsettings{'update'} = 'on'; + } + } + } + + if (!$errormessage){ + #on first save, we have an empty @target, so fill it with nothing + my $targetvalues=@target; + if ($targetvalues == '0'){ + @target="none"; + } + #on update, we have to delete the dummy entry + foreach my $key (keys %customgrp){ + if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq "none"){ + delete $customgrp{$key}; + last; + } + } + &General::writehasharray("$configgrp", \%customgrp); + &General::readhasharray("$configgrp", \%customgrp); + #get count used + foreach my $key (keys %customgrp) + { + if($customgrp{$key}[0] eq $grp) + { + $count=$customgrp{$key}[4]; + last; + } + } + if ($count eq '' ){$count='0';} + + #create array with new lines + foreach my $line (@target){ + push (@newgrp,"$grp,$rem,$line"); + } + #append new entries + my $key = &General::findhasharraykey (\%customgrp); + foreach my $line (@newgrp){ + foreach my $i (0 .. 4) { $customgrp{$key}[$i] = "";} + my ($a,$b,$c,$d) = split (",",$line); + $customgrp{$key}[0] = $a; + $customgrp{$key}[1] = $b; + $customgrp{$key}[2] = $c; + $customgrp{$key}[3] = $type; + $customgrp{$key}[4] = $count; + } + &General::writehasharray("$configgrp", \%customgrp); + #update counter in Host/Net + if($updcounter eq 'net'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){ + $customnetwork{$key}[4] = $customnetwork{$key}[4]+1; + last; + } + } + &General::writehasharray("$confignet", \%customnetwork); + }elsif($updcounter eq 'host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){ + $customhost{$key}[4]=$customhost{$key}[4]+1; + } + } + &General::writehasharray("$confighost", \%customhost); + } + $fwhostsettings{'update'}='on'; + } + #check if ruleupdate is needed + if($count > 0 ) + { + &rules; + } + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'saveservice') +{ + my $ICMP; + &General::readhasharray("$configsrv", \%customservice ); + $errormessage=&checkports(\%customservice); + if ($fwhostsettings{'PROT'} eq 'ICMP'){ + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){ + $ICMP=$icmptypes{$key}[0]; + } + } + } + if($ICMP eq ''){$ICMP='BLANK';} + if (!$errormessage){ + my $key = &General::findhasharraykey (\%customservice); + foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";} + $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'}; + $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'}; + $customservice{$key}[2] = $fwhostsettings{'PROT'}; + $customservice{$key}[3] = $ICMP; + $customservice{$key}[4] = 0; + &General::writehasharray("$configsrv", \%customservice ); + #reset fields + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + $fwhostsettings{'ICMP_TYPES'}=''; + } + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') +{ + my $prot; + my $port; + my $count=0; + &General::readhasharray("$configsrvgrp", \%customservicegrp ); + &General::readhasharray("$configsrv", \%customservice ); + $errormessage=&checkservicegroup; + #check remark + if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } + if (!$errormessage){ + #on first save, we have to enter a dummy value + if ($fwhostsettings{'CUST_SRV'} eq ''){ + $fwhostsettings{'CUST_SRV'}='none'; + } + #on update, we have to delete the dummy entry + foreach my $key (keys %customservicegrp){ + if ($customservicegrp{$key}[2] eq 'none'){ + delete $customservicegrp{$key}; + last; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp ); + #check if remark has also changed + if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $fwhostsettings{'updatesrvgrp'} eq 'on') + { + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'}; + } + } + } + #get count used + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + $count=$customservicegrp{$key}[3]; + last; + } + } + if ($count eq '' ){$count='0';} + + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $fwhostsettings{'CUST_SRV'}){ + $port=$customservice{$key}[1]; + $prot=$customservice{$key}[2]; + $customservice{$key}[4]++; + } + } + &General::writehasharray("$configsrv", \%customservice ); + my $key = &General::findhasharraykey (\%customservicegrp); + foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";} + $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'}; + $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'}; + $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'}; + $customservicegrp{$key}[3] = $count; + &General::writehasharray("$configsrvgrp", \%customservicegrp ); + $fwhostsettings{'updatesrvgrp'}='on'; + } + if ($count gt 0){ + &rules; + } + &addservicegrp; + &viewtableservicegrp; +} +# edit +if ($fwhostsettings{'ACTION'} eq 'editnet') +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'edithost') +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq 'editgrp') +{ + $fwhostsettings{'update'}='on'; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'editservice') +{ + $fwhostsettings{'updatesrv'}='on'; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'editservicegrp') +{ + $fwhostsettings{'updatesrvgrp'} = 'on'; + &addservicegrp; + &viewtableservicegrp; +} +# reset +if ($fwhostsettings{'ACTION'} eq 'resetnet') +{ + $fwhostsettings{'HOSTNAME'} =""; + $fwhostsettings{'IP'} =""; + $fwhostsettings{'SUBNET'} =""; + &showmenu; +} +if ($fwhostsettings{'ACTION'} eq 'resethost') +{ + $fwhostsettings{'HOSTNAME'} =""; + $fwhostsettings{'IP'} =""; + $fwhostsettings{'type'} =""; + &showmenu; +} +if ($fwhostsettings{'ACTION'} eq 'resetgrp') +{ + $fwhostsettings{'grp_name'} =""; + $fwhostsettings{'remark'} =""; + &showmenu; +} +# delete +if ($fwhostsettings{'ACTION'} eq 'delnet') +{ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key (keys %customnetwork) { + if($fwhostsettings{'key'} eq $customnetwork{$key}[0]){ + delete $customnetwork{$key}; + &General::writehasharray("$confignet", \%customnetwork); + last; + } + } + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'delhost') +{ + &General::readhasharray("$confighost", \%customhost); + foreach my $key (keys %customhost) { + if($fwhostsettings{'key'} eq $customhost{$key}[0]){ + delete $customhost{$key}; + &General::writehasharray("$confighost", \%customhost); + last; + } + } + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq 'deletegrphost') +{ + my $grpremark; + my $grpname; + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (keys %customgrp){ + if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){ + #decrease count from source host/net + if ($customgrp{$key}[3] eq 'Custom Network'){ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key1 (keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1; + last; + } + } + &General::writehasharray("$confignet", \%customnetwork); + } + if ($customgrp{$key}[3] eq 'Custom Host'){ + &General::readhasharray("$confighost", \%customhost); + foreach my $key1 (keys %customhost){ + if ($customhost{$key1}[0] eq $customgrp{$key}[2]){ + $customhost{$key1}[4] = $customhost{$key1}[4]-1; + last; + } + } + &General::writehasharray("$confighost", \%customhost); + } + $grpname=$customgrp{$key}[0]; + $grpremark=$customgrp{$key}[1]; + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + if ($fwhostsettings{'grpcnt'} > 0){&rules;} + if ($fwhostsettings{'update'} eq 'on'){ + $fwhostsettings{'remark'}= $grpremark; + $fwhostsettings{'grp_name'}=$grpname; + } + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrp') +{ + &General::readhasharray("$configgrp", \%customgrp); + &decrease($fwhostsettings{'grp_name'}); + foreach my $key (sort keys %customgrp) + { + if($customgrp{$key}[0] eq $fwhostsettings{'grp_name'}) + { + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + $fwhostsettings{'grp_name'}=''; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delservice') +{ + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (keys %customservice) { + if($customservice{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + #&deletefromgrp($customhost{$key}[0],$configgrp); + delete $customservice{$key}; + &General::writehasharray("$configsrv", \%customservice); + last; + } + } + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'delservicegrp') +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp); + &decreaseservice($fwhostsettings{'SRVGRP_NAME'}); + foreach my $key (sort keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + delete $customservicegrp{$key}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $fwhostsettings{'SRVGRP_NAME'}=''; + &addservicegrp; + &viewtableservicegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrpservice') +{ + my $grpname; + my $grpremark; + &General::readhasharray("$configsrvgrp", \%customservicegrp); + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (keys %customservicegrp){ + if($customservicegrp{$key}[0].",".$customservicegrp{$key}[1].",".$customservicegrp{$key}[2].",".$customservicegrp{$key}[3] eq $fwhostsettings{'delsrvfromgrp'}) + { + #decrease count from source service + foreach my $key1 (sort keys %customservice){ + if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key1}[4]--; + last; + } + } + &General::writehasharray("$configsrv", \%customservice); + $grpname=$customservicegrp{$key}[0]; + $grpremark=$customservicegrp{$key}[1]; + delete $customservicegrp{$key}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + &rules; + if ($fwhostsettings{'updatesrvgrp'} eq 'on'){ + $fwhostsettings{'SRVGRP_NAME'}=$grpname; + $fwhostsettings{'SRVGRP_REMARK'}=$grpremark; + } + &addservicegrp; + &viewtableservicegrp; + +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newnet'}) +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newhost'}) +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgrp'}) +{ + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'}) +{ + &addservice; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'}) +{ + &addservicegrp; + &viewtableservicegrp; +} +if ($fwhostsettings{'ACTION'} eq 'changegrpremark') +{ + &General::readhasharray("$configgrp", \%customgrp); + if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){ + foreach my $key (sort keys %customgrp) + { + if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'}) + { + $customgrp{$key}[1]=''; + $customgrp{$key}[1]=$fwhostsettings{'newrem'}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + $fwhostsettings{'update'}='on'; + $fwhostsettings{'remark'}=$fwhostsettings{'newrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'}; + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + $fwhostsettings{'update'} = 'on'; + } + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp ); + if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) || $fwhostsettings{'newsrvrem'} eq '')){ + foreach my $key (sort keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $fwhostsettings{'updatesrvgrp'}='on'; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'}; + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + $fwhostsettings{'updatesrvgrp'} = 'on'; + } + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + &addservicegrp; + &viewtableservicegrp; +} +### VIEW ### +if($fwhostsettings{'ACTION'} eq '') +{ + &showmenu; +} +### FUNCTIONS ### +sub showmenu +{ + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
    $Lang::tr{'fwhost reread'}

"; + } + &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); + print "$Lang::tr{'fwhost welcome'}"; + print<
+ + +
+END + &Header::closebox(); + +} +# Add +sub addnet +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; + print< + $Lang::tr{'name'}:
+ $Lang::tr{'fwhost netaddress'}: + $Lang::tr{'netmask'}: + $Lang::tr{'remark'}: +
+END + if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') + { + print ""; + }else{ + print ""; + } + print "
"; + &Header::closebox(); +} +sub addhost +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; + print< + $Lang::tr{'name'}:
+ IP/MAC: + $Lang::tr{'remark'}: +
+END + + if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') + { + + print "
"; + }else{ + print " "; + } + print "
"; + &Header::closebox(); +} +sub addgrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'}); + &General::setup_default_networks(\%defaultNetworks); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configipsec", \%ipsecconf); + + my %checked=(); + my $show=''; + $checked{'check1'}{'off'} = ''; + $checked{'check1'}{'on'} = ''; + $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED'; + $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'}; + my $grp=$fwhostsettings{'grp_name'}; + my $rem=$fwhostsettings{'remark'}; + if ($fwhostsettings{'update'} eq ''){ + print< + $Lang::tr{'fwhost addgrpname'}
+ $Lang::tr{'remark'}: +
+END + }else{ + print< + $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +
+END + } + if ($fwhostsettings{'update'} eq 'on'){ + print< + +
+ + "; + if (! -z $confignet){ + print""; + } + if (! -z $confighost){ + print""; + } + print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
"; + #Inner table right + print"		"; + #OVPN networks + if (! -z $configccdnet){ + print""; + } + #OVPN clients + foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost) + { + if ($ccdhost{$key}[33] ne ''){ + print"";} + #OVPN n2n networks + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost) { + if($ccdhost{$key}[3] eq 'net'){ + print"";} + #IPsec networks + foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) { + if ($ipsecconf{$key}[3] eq 'net'){ + print"";} + print"
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
"; + print"
"; + print"

"; + } + print""; + print"
"; + &Header::closebox(); +} +sub addservice +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservice'}); + if ($fwhostsettings{'updatesrv'} eq 'on') + { + $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; + $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'}; + $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'}; + } + print<
+ $Lang::tr{'fwhost srv_name'}: + $Lang::tr{'fwhost prot'}: +END + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + print""; + foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){ + print""; + } + + print< + $Lang::tr{'fwhost port'}: +
+ +END + if ($fwhostsettings{'updatesrv'} eq 'on') + { + print< + + + + +END + + }else{ + print""; + } + print< + + + +END + &Header::closebox(); + &viewtableservice; +} +sub addservicegrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservicegrp'}); + $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'}; + if ($fwhostsettings{'updatesrvgrp'} eq ''){ + print<
+ $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +
+ +END + }else{ + print< + $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +
+ +END + } + if($fwhostsettings{'updatesrvgrp'} eq 'on'){ + print< + + + +
$Lang::tr{'fwhost cust service'}


+END + } + print< +
+
+END + &Header::closebox(); +} +# View +sub viewtablenet +{ + if(! -z $confignet){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust net'}); + &General::readhasharray("$confignet", \%customnetwork); + if (!keys %customnetwork) + { + print "
$Lang::tr{'fwhost empty'}"; + }else{ + print< + $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'remark'}$Lang::tr{'used'} +END + } + my $count=0; + foreach my $key (sort {ncmp($a,$b)} keys %customnetwork) { + if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) { + print" "; + }elsif ($count % 2) + { + print" "; + }else + { + print" "; + } + my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]); + print"
$customnetwork{$key}[0]".&Header::colorize($colnet)."$customnetwork{$key}[3]$customnetwork{$key}[4]x"; + print< + + + + + + +END + if($customnetwork{$key}[4] == '0') + { + print"
"; + }else{ + print""; + } + $count++; + } + print""; + &Header::closebox(); + } + +} +sub getcolor +{ + my $c=shift; + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color:$Header::colourovpn ;'"; + return $tdcolor; + } + } + } + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + $tdcolor=''; + return $tdcolor; +} +sub viewtablehost +{ + if (! -z $confighost){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust addr'}); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$configccdhost", \%ccdhost); + if (!keys %customhost) + { + print "
$Lang::tr{'fwhost empty'}"; + }else{ + print< + $Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'remark'}$Lang::tr{'used'} +END + } + my $count=0; + foreach my $key (sort { ncmp ($customhost{$a}[0],$customhost{$b}[0])} keys %customhost) { + if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { + print" "; + }elsif ($count % 2){ print" ";} + else{ print" ";} + my ($ip,$sub)=split(/\//,$customhost{$key}[2]); + $customhost{$key}[4]=~s/\s+//g; + print"$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x"; + print<
+ + + + + +
+END + if($customhost{$key}[4] == '0') + { + print"
"; + }else{ + print""; + } + $count++; + } + print""; + &Header::closebox(); + } +} +sub viewtablegrp +{ + if(! -z "$configgrp"){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust grp'}); + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$configipsec", \%ipsecconf); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$confignet", \%customnetwork); + my @grp=(); + my $helper=''; + my $count=1; + my $grpname; + my $remark; + my $number; + my $delflag; + if (!keys %customgrp) + { + print "
$Lang::tr{'fwhost err emptytable'}"; + }else{ + foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ + $count++; + if ($helper ne $customgrp{$key}[0]){ + $delflag='0'; + foreach my $key1 (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ + if ($customgrp{$key}[0] eq $customgrp{$key1}[0]) + { + $delflag++; + } + if($delflag > 1){ + last; + } + } + $number=1; + if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost err emptytable'};} + $grpname=$customgrp{$key}[0]; + $remark="$customgrp{$key}[1]"; + if($count gt 1){ print"";} + print "
$grpname   "; + print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); + print "$Lang::tr{'used'}: $customgrp{$key}[4]x"; + if($customgrp{$key}[4] == '0') + { + print"
"; + } + print"
"; + print""; + } + + if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { + print" "; + }elsif ($count %2 == 0){ + print""; + }else{ + print""; + } + my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]); + if ($ip eq ''){print"";} + print ""; + }else{ + print "$customgrp{$key}[2]"; + } + if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){ + print ""; + + $helper=$customgrp{$key}[0]; + $number++; + } + print"
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; + if($customgrp{$key}[3] eq 'Standard Network'){ + print &get_name($customgrp{$key}[2])."$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]
"; + }else{ + my ($colip,$colsub) = split("/",$ip); + $ip="$colip/".&General::subtocidr($colsub) if ($colsub); + print"
".&Header::colorize($ip)."$customgrp{$key}[3]"; + } + if ($delflag > '1' && $ip ne ''){ + print""; + } + print"
"; + } + &Header::closebox(); +} + +} +sub viewtableservice +{ + my $count=0; + if(! -z "$configsrv") + { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'}); + &General::readhasharray("$configsrv", \%customservice); + print< + $Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'} +END + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice) + { + $count++; + if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { + print" "; + }elsif ($count % 2){ print" ";}else{ print" ";} + print<$customservice{$key}[0]$customservice{$key}[2]$customservice{$key}[1] +END + if($customservice{$key}[3] ne 'BLANK'){print $customservice{$key}[3];} + + print<$customservice{$key}[4]x +
+ + +
+END + if ($customservice{$key}[4] eq '0') + { + print"
"; + }else{ + print""; + } + } + print""; + &Header::closebox(); + } +} +sub viewtableservicegrp +{ + my $count=0; + my $grpname; + my $remark; + my $helper; + my $port; + my $protocol; + my $delflag; + if (! -z $configsrvgrp){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + &General::readhasharray("$configsrv", \%customservice); + my $number= keys %customservicegrp; + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ + $count++; + if ($helper ne $customservicegrp{$key}[0]){ + $delflag=0; + foreach my $key1 (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } sort { ncmp($customservicegrp{$a}[2],$customservicegrp{$b}[2]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0]) + { + $delflag++; + } + if($delflag > 1){ + last; + } + } + $grpname=$customservicegrp{$key}[0]; + if ($customservicegrp{$key}[2] eq "none"){ + $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'}; + $port=''; + $protocol=''; + } + $remark="$customservicegrp{$key}[1]"; + if($count >=2){print"";} + print "
$grpname    "; + print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); + print "  $Lang::tr{'used'}: $customservicegrp{$key}[3]x"; + if($customservicegrp{$key}[3] == '0') + { + print"
"; + } + print"
"; + print""; + } + if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { + print" "; + }elsif ($count %2 == 0){ + print""; + }else{ + print""; + } + print ""; + foreach my $srv (sort keys %customservice){ + if ($customservicegrp{$key}[2] eq $customservice{$srv}[0]){ + $protocol=$customservice{$srv}[2]; + $port=$customservice{$srv}[1]; + last; + } + } + print""; + $helper=$customservicegrp{$key}[0]; + } + print"
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
$customservicegrp{$key}[2]$port$protocol
"; + if ($number gt '1'){ + print""; + } + print"
"; + &Header::closebox(); + } +} +# Check +sub checkname +{ + my %hash=%{(shift)}; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + return 0; + } + } + return 1; + +} +sub checkgroup +{ + my %hash=%{(shift)}; + my $name=shift; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $name){ + return 0; + } + } + return 1; +} +sub checkip +{ + + my %hash=%{(shift)}; + my $a=shift; + foreach my $key (keys %hash) { + if($hash{$key}[$a] eq $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'})){ + return 0; + } + } + return 1; +} +sub checksubnet +{ + my %hash=%{(shift)}; + &General::readhasharray("$confignet", \%hash); + foreach my $key (keys %hash) { + if(&General::IpInSubnet($fwhostsettings{'IP'},$hash{$key}[1],$hash{$key}[2])) + { + return 1; + } + } + return 0; +} +sub checkservicegroup +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp); + + + #check name + if ( ! &validhostname($fwhostsettings{'SRVGRP_NAME'})) + { + $errormessage.=$Lang::tr{'fwhost err name'}."
"; + return $errormessage; + } + #check empty selectbox + if (keys %customservice lt 1) + { + $errormessage.=$Lang::tr{'fwhost err groupempty'}."
"; + } + #check if name already exists + if ($fwhostsettings{'updatesrvgrp'} ne 'on'){ + foreach my $key (keys %customservicegrp) { + if( $customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} ){ + $errormessage.=$Lang::tr{'fwhost err grpexist'}."
"; + + } + } + } + #check if service already exists in group + foreach my $key (keys %customservicegrp) { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){ + $errormessage.=$Lang::tr{'fwhost err srvexist'}."
"; + } + } + return $errormessage; +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); + } +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "$hint\n"; + print " \n"; + &Header::closebox(); + } +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(\%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} + +sub deletefromgrp +{ + my $target=shift; + my $config=shift; + my %hash=(); + &General::readhasharray("$config",\%hash); + foreach my $key (keys %hash) { + $errormessage.="lese $hash{$key}[2] und $target
"; + if($hash{$key}[2] eq $target){ + + delete $hash{$key}; + $errormessage.="Habe $target aus Gruppe gelöscht!
"; + } + } + &General::writehasharray("$config",\%hash); + +} +sub plausicheck +{ + my $edit=shift; + #check hostname + if (!&validhostname($fwhostsettings{'HOSTNAME'})) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err name'}; + $fwhostsettings{'BLK_IP'}='readonly'; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if name collides with CCD Netname + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (keys %ccdnet) { + if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdnet'};; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + #check if IP collides with CCD NetIP + if ($fwhostsettings{'type'} ne 'mac'){ + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (keys %ccdnet) { + my $test=(&General::getnetworkip($fwhostsettings{'IP'},&General::iporsubtocidr($fwhostsettings{'SUBNET'})))."/".$fwhostsettings{'SUBNET'}; + if($ccdnet{$key}[1] eq $test){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdipnet'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgip'}; + $fwhostsettings{'SUBNET'} = $fwhostsettings{'orgsubnet'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + #check if name collides with CCD Hostname + &General::readhasharray("$configccdhost", \%ccdhost); + foreach my $key (keys %ccdhost) { + my ($ip,$sub)=split(/\//,$ccdhost{$key}[33]); + if($ip eq $fwhostsettings{'IP'}){ + $errormessage=$Lang::tr{'fwhost err isccdiphost'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + #check if IP collides with CCD HostIP (only hosts) + if ($edit eq 'edithost') + { + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $fwhostsettings{'HOSTNAME'}){ + $errormessage=$Lang::tr{'fwhost err isccdhost'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + #check if network with this name already exists + &General::readhasharray("$confignet", \%customnetwork); + if (!&checkname(\%customnetwork)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err netexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if network ip already exists + if (!&checkip(\%customnetwork,1)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err net'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this name already exists + &General::readhasharray("$confighost", \%customhost); + if (!&checkname(\%customhost)) + { + $errormessage.="
".$Lang::tr{'fwhost err hostexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this ip already exists + if (!&checkip(\%customhost,2)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err ipcheck'}; + } + return; +} +sub getipforgroup +{ + my $name=$_[0], + my $type=$_[1]; + my $value; + + #get address from IPSEC NETWORK + if ($type eq 'IpSec Network'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[11]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from IPSEC HOST + if ($type eq 'IpSec Host'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[10]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd Net-2-Net + if ($type eq 'OpenVPN N-2-N'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = split ("/",$ccdhost{$key}[11]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static host + if ($type eq 'OpenVPN static host'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = split (/\//,$ccdhost{$key}[33]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static net + if ($type eq 'OpenVPN static network'){ + foreach my $key (keys %ccdnet) { + if ($ccdnet{$key}[0] eq $name){ + my ($a,$b) = split (/\//,$ccdnet{$key}[1]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + } + + #check custom addresses + if ($type eq 'Custom Host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $name){ + my ($ip,$sub) = split("/",$customhost{$key}[2]); + return $ip; + } + } + } + + ##check custom networks + if ($type eq 'Custom Network'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $name){ + return $customnetwork{$key}[1]."/".$customnetwork{$key}[2]; + } + } + } + + #check standard networks + if ($type eq 'Standard Network'){ + if ($name =~ /OpenVPN/i){ + my %ovpn=(); + &General::readhash("${General::swroot}/ovpn/settings",\%ovpn); + return $ovpn{'DOVPN_SUBNET'}; + } + if ($name eq 'GREEN'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'}; + } + if ($name eq 'BLUE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'}; + } + if ($name eq 'ORANGE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'}; + } + if ($name eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + } + if ($name =~ /IPsec/i){ + my %hash=(); + &General::readhash("${General::swroot}/vpn/settings",\%hash); + return $hash{'RW_NET'}; + } + } +} +sub rules +{ + if (!-f "${General::swroot}/fwhosts/reread"){ + system("touch ${General::swroot}/fwhosts/reread"); + system("touch ${General::swroot}/forward/reread"); + } +} +sub reread_rules +{ + system ("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/fwhosts/reread"){ + system("rm ${General::swroot}/fwhosts/reread"); + system("rm ${General::swroot}/forward/reread"); + } + +} +sub decrease +{ + my $grp=$_[0]; + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$confighost", \%customhost); + foreach my $key (sort keys %customgrp ){ + if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){ + foreach my $key1 (sort keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[4]=$customnetwork{$key1}[4]-1; + last; + } + } + } + + if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){ + foreach my $key2 (sort keys %customhost){ + if ($customhost{$key2}[0] eq $customgrp{$key}[2]){ + $customhost{$key2}[4]=$customhost{$key2}[4]-1; + last; + } + } + + } + } + &General::writehasharray("$confignet", \%customnetwork); + &General::writehasharray("$confighost", \%customhost); +} +sub decreaseservice +{ + my $grp=$_[0]; + &General::readhasharray("$configsrv", \%customservice); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + + foreach my $key (sort keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $grp ){ + foreach my $key2 (sort keys %customservice){ + if ($customservice{$key2}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key2}[4]--; + } + } + } + } + &General::writehasharray("$configsrv", \%customservice); + +} +sub checkports +{ + + my %hash=%{(shift)}; + #check empty fields + if ($fwhostsettings{'SRV_NAME'} eq '' ){ + $errormessage=$Lang::tr{'fwhost err name1'}; + } + if ($fwhostsettings{'SRV_PORT'} eq '' && $fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage=$Lang::tr{'fwhost err port'}; + } + #check valid name + if (! &validhostname($fwhostsettings{'SRV_NAME'})){ + $errormessage="
".$Lang::tr{'fwhost err name'}; + } + #change dashes with : + $fwhostsettings{'SRV_PORT'}=~ tr/-/:/; + + if ($fwhostsettings{'SRV_PORT'} eq "*") { + $fwhostsettings{'SRV_PORT'} = "1:65535"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\D)\:(\d+)$/) { + $fwhostsettings{'SRV_PORT'} = "1:$2"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\d+)\:(\D)$/) { + $fwhostsettings{'SRV_PORT'} = "$1:65535"; + } + if($fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage = $errormessage.&General::validportrange($fwhostsettings{'SRV_PORT'}, 'src'); + } + # a new service has to have a different name + foreach my $key (keys %hash){ + if ($hash{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + $errormessage = "
".$Lang::tr{'fwhost err srv exists'}; + last; + } + } + return $errormessage; +} +sub validhostname +{ + # Checks a hostname against RFC1035 + my $hostname = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($hostname) < 1 || length ($hostname) > 63) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_.;()\/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9()]*$/) { + return 0;} + return 1; +} +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 255) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { + return 0;} + return 1; +} +&Header::closebigbox(); +&Header::closepage(); diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index ea19e26f5..03ef36746 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -341,7 +341,7 @@ END } else { print $Lang::tr{'advproxy off'}; } } if ( $netsettings{'ORANGE_DEV'} ) { print <$Lang::tr{'dmz'}
+ $Lang::tr{'dmz'}
$netsettings{'ORANGE_ADDRESS'} Online END diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 189395726..713f37f9f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -11,7 +11,6 @@ # $Id: optionsfw.cgi,v 1.1.2.10 2005/10/03 00:34:10 gespinasse Exp $ # # - # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -22,38 +21,49 @@ require "${General::swroot}/header.pl"; my %checked =(); # Checkbox manipulations - -# File used -my $filename = "${General::swroot}/optionsfw/settings"; - our %settings=(); -$settings{'DISABLEPING'} = 'NO'; -$settings{'DROPNEWNOTSYN'} = 'on'; -$settings{'DROPINPUT'} = 'on'; -$settings{'DROPOUTPUT'} = 'on'; -$settings{'DROPPORTSCAN'} = 'on'; -$settings{'DROPWIRELESSINPUT'} = 'on'; -$settings{'DROPWIRELESSFORWARD'} = 'on'; +my %fwdfwsettings=(); +my %configfwdfw=(); +my %configoutgoingfw=(); +my $configfwdfw = "${General::swroot}/forward/config"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; my $errormessage = ''; my $warnmessage = ''; +my $filename = "${General::swroot}/optionsfw/settings"; +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &Header::showhttpheaders(); #Get GUI values &Header::getcgihash(\%settings); - if ($settings{'ACTION'} eq $Lang::tr{'save'}) { - $errormessage = $Lang::tr{'new optionsfw later'}; - delete $settings{'__CGI__'};delete $settings{'x'};delete $settings{'y'}; - &General::writehash($filename, \%settings); # Save good settings - } else { - &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed - } + if ($settings{'defpol'} ne '1'){ + $errormessage .= $Lang::tr{'new optionsfw later'}; + &General::writehash($filename, \%settings); # Save good settings + system("/usr/local/bin/forwardfwctrl"); + }else{ + if ($settings{'POLICY'} ne ''){ + $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; + } + if ($settings{'POLICY1'} ne ''){ + $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'}; + } + my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); + system("/usr/local/bin/forwardfwctrl"); + } + &General::readhash($filename, \%settings); # Load good settings +} &Header::openpage($Lang::tr{'options fw'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); - +&General::readhash($filename, \%settings); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); print "$errormessage "; @@ -66,9 +76,12 @@ $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'"; $checked{'DROPINPUT'}{'off'} = ''; $checked{'DROPINPUT'}{'on'} = ''; $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; -$checked{'DROPOUTPUT'}{'off'} = ''; -$checked{'DROPOUTPUT'}{'on'} = ''; -$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'"; +$checked{'DROPFORWARD'}{'off'} = ''; +$checked{'DROPFORWARD'}{'on'} = ''; +$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; +$checked{'DROPOUTGOING'}{'off'} = ''; +$checked{'DROPOUTGOING'}{'on'} = ''; +$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; @@ -84,6 +97,21 @@ $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; $checked{'DROPSAMBA'}{'off'} = ''; $checked{'DROPSAMBA'}{'on'} = ''; $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; +$checked{'SHOWCOLORS'}{'off'} = ''; +$checked{'SHOWCOLORS'}{'on'} = ''; +$checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'"; +$checked{'SHOWREMARK'}{'off'} = ''; +$checked{'SHOWREMARK'}{'on'} = ''; +$checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'"; +$checked{'SHOWTABLES'}{'off'} = ''; +$checked{'SHOWTABLES'}{'on'} = ''; +$checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'"; +$checked{'SHOWDROPDOWN'}{'off'} = ''; +$checked{'SHOWDROPDOWN'}{'on'} = ''; +$checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'"; +$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; +$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; +$selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected'; &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); print "
"; @@ -96,8 +124,10 @@ print < off $Lang::tr{'drop input'}on / off -$Lang::tr{'drop output'}on / - off +$Lang::tr{'drop forward'}on / + off +$Lang::tr{'drop outgoing'}on / + off $Lang::tr{'drop portscan'}on / off $Lang::tr{'drop wirelessinput'}on / @@ -105,7 +135,8 @@ print <$Lang::tr{'drop wirelessforward'}on / off -
+
+
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}on / @@ -113,15 +144,77 @@ print <$Lang::tr{'drop samba'}on / off
+
+ + + + + + +
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}on / + off
$Lang::tr{'fw settings remark'}on / + off
$Lang::tr{'fw settings ruletable'}on / + off
$Lang::tr{'fw settings dropdown'}on / + off
+
+ + + + + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'} +
$Lang::tr{'drop action1'} +
$Lang::tr{'drop action2'} +
+
+ +
- -
END ; &Header::closebox(); + +&Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } +print < + + + + + +END + print "
FORWARD
$Lang::tr{'fwdfw pol text'}
+
"; + print"

"; + print < + + + + + +END + print "
OUTGOING
$Lang::tr{'fwdfw pol text1'}
+
"; + &Header::closebox(); + &Header::closebigbox(); &Header::closepage(); diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi deleted file mode 100644 index b417817a2..000000000 --- a/html/cgi-bin/outgoingfw.cgi +++ /dev/null @@ -1,849 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); - -my $configfile = "/var/ipfire/outgoing/rules"; -my $configpath = "/var/ipfire/outgoing/groups/"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; -my $servicefile = "/var/ipfire/outgoing/defaultservices"; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; -$outfwsettings{'MODE1LOG'} = 'off'; - -$outfwsettings{'TIME_FROM'} = '00:00'; -$outfwsettings{'TIME_TO'} = '00:00'; - -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&Header::getcgihash(\%outfwsettings); - -############### -# DEBUG DEBUG -#&Header::openbox('100%', 'left', 'DEBUG'); -#my $debugCount = 0; -#foreach my $line (sort keys %outfwsettings) { -#print "$line = $outfwsettings{$line}
\n"; -# $debugCount++; -#} -#print " Count: $debugCount\n"; -#&Header::closebox(); -# DEBUG DEBUG -############### - -$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; -$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - -$checked{'MODE1LOG'}{'off'} = ''; -$checked{'MODE1LOG'}{'on'} = ''; -$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'"; -$checked{'TIME_MON'}{'off'} = ''; -$checked{'TIME_MON'}{'on'} = ''; -$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'"; -$checked{'TIME_TUE'}{'off'} = ''; -$checked{'TIME_TUE'}{'on'} = ''; -$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'"; -$checked{'TIME_WED'}{'off'} = ''; -$checked{'TIME_WED'}{'on'} = ''; -$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'"; -$checked{'TIME_THU'}{'off'} = ''; -$checked{'TIME_THU'}{'on'} = ''; -$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'"; -$checked{'TIME_FRI'}{'off'} = ''; -$checked{'TIME_FRI'}{'on'} = ''; -$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'"; -$checked{'TIME_SAT'}{'off'} = ''; -$checked{'TIME_SAT'}{'on'} = ''; -$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'"; -$checked{'TIME_SUN'}{'off'} = ''; -$checked{'TIME_SUN'}{'on'} = ''; -$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'"; - -if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - -# This is a little hack if poeple don´t mark any date then all will be selected, because they might have forgotten to select -# a valid day. A Rule without any matching day will never work, because the timeranges are new feature people might not notice -# that they have to select a day for the rule. - -if ( $outfwsettings{'TIME_MON'} eq "" && - $outfwsettings{'TIME_TUE'} eq "" && - $outfwsettings{'TIME_WED'} eq "" && - $outfwsettings{'TIME_THU'} eq "" && - $outfwsettings{'TIME_FRI'} eq "" && - $outfwsettings{'TIME_SAT'} eq "" && - $outfwsettings{'TIME_SUN'} eq "" ) - { - $outfwsettings{'TIME_MON'} = "on"; - $outfwsettings{'TIME_TUE'} = "on"; - $outfwsettings{'TIME_WED'} = "on"; - $outfwsettings{'TIME_THU'} = "on"; - $outfwsettings{'TIME_FRI'} = "on"; - $outfwsettings{'TIME_SAT'} = "on"; - $outfwsettings{'TIME_SUN'} = "on"; - } - -&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - $outfwsettings{'POLICY'}='MODE0'; - unlink $configfile; - system("/usr/bin/touch $configfile"); - my $MODE = $outfwsettings{'POLICY'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $outfwsettings{'POLICY'}; - my $MODE1LOG = $outfwsettings{'MODE1LOG'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - $outfwsettings{'MODE1LOG'} = "$MODE1LOG"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'enable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];on;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'disable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];off;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected'; - $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected'; - $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected'; - &addrule(); - &Header::closebigbox(); - &Header::closepage(); - exit - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) -{ - if ( $outfwsettings{'VALID'} eq 'yes' ) { - - if ( $outfwsettings{'SNET'} eq "all" ) { - $outfwsettings{'SIP'} =""; - $outfwsettings{'SMAC'}=""; - } - open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; - print FILE <$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - &Header::openbox('100%', 'center', 'Rules'); - print < - - -END -; - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - if (@configs) { - print < - - - - - - - - - -END -; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - $outfwsettings{'STATE'} = $configline[0]; - $outfwsettings{'ENABLED'} = $configline[1]; - $outfwsettings{'SNET'} = $configline[2]; - $outfwsettings{'PROT'} = $configline[3]; - $outfwsettings{'NAME'} = $configline[4]; - $outfwsettings{'SIP'} = $configline[5]; - $outfwsettings{'SMAC'} = $configline[6]; - $outfwsettings{'DIP'} = $configline[7]; - $outfwsettings{'DPORT'} = $configline[8]; - $outfwsettings{'LOG'} = $configline[9]; - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - $outfwsettings{'TIME_MON'} = $configline[10]; - $outfwsettings{'TIME_TUE'} = $configline[11]; - $outfwsettings{'TIME_WED'} = $configline[12]; - $outfwsettings{'TIME_THU'} = $configline[13]; - $outfwsettings{'TIME_FRI'} = $configline[14]; - $outfwsettings{'TIME_SAT'} = $configline[15]; - $outfwsettings{'TIME_SUN'} = $configline[16]; - $outfwsettings{'TIME_FROM'} = $configline[17]; - $outfwsettings{'TIME_TO'} = $configline[18]; - - if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; } - if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; } - if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "DENY"; } - if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "ALLOW"; } - if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){ - if ( $outfwsettings{'ENABLED'} eq "on" ){ - print ""; - } else { - print ""; - } - print <$outfwsettings{'PROT'} - "; - print ""; - } else { - $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'}; - print ""; - print ""; - } - } - print < - - - -END -; - } - } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ -print <
- -
$Lang::tr{'protocol'}$Lang::tr{'network'}$Lang::tr{'destination'}$Lang::tr{'description'}$Lang::tr{'policy'}$Lang::tr{'logging'}$Lang::tr{'action'}
$outfwsettings{'SNET'} - $outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'} - $outfwsettings{'NAME'} - $outfwsettings{'DISPLAY_STATE'} - $outfwsettings{'LOG'} - - -
- - - - - - - - - - - - - - - - - - - - - -
-
- - - - - - - - - - - - - - - - - - - - - -
-END -; - if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - - unless ($outfwsettings{'SIP'}) { - $outfwsettings{'DISPLAY_SIP'} = 'ALL'; - } else { - $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; - } - - unless ($outfwsettings{'SMAC'}) { - $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; - print "
$Lang::tr{'source ip or net'}: $outfwsettings{'DISPLAY_SIP'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: $outfwsettings{'DISPLAY_SMAC'}$Lang::tr{'time'} - -END -; - if ($outfwsettings{'TIME_MON'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy monday'},"; - if ($outfwsettings{'TIME_TUE'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy tuesday'},"; - if ($outfwsettings{'TIME_WED'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy wednesday'},"; - if ($outfwsettings{'TIME_THU'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy thursday'},"; - if ($outfwsettings{'TIME_FRI'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy friday'},"; - if ($outfwsettings{'TIME_SAT'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy saturday'},"; - if ($outfwsettings{'TIME_SUN'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy sunday'}"; - print < - $Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}all - all - ALL - drop - DENY - on off -
-
-
-END -; -} - print < -END -; - - } - &Header::closebox(); -} - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print < - $Lang::tr{'protocol'} - $Lang::tr{'status'} -END -; - my $id = 1; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - print < -END -; - print "\t\t\t\n"; - print <$p2pline[0]: - -END -; - if ($p2pline[2] eq 'on') { - print < - -END -; - } else { - print < - -END -; - } - print < -END -; - } - print < -
$Lang::tr{'outgoing firewall p2p description 1'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 2'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 3'} -END -; - &Header::closebox(); -} - -&Header::openbox('100%', 'center', 'Policy'); -print < - - - - - - END ; - my $id = 0; - my $gif; - foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) { - if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { print "\n"; } else { diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi new file mode 100755 index 000000000..cfca54284 --- /dev/null +++ b/html/cgi-bin/p2p-block.cgi @@ -0,0 +1,134 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (Amarx@ipfire.org) # +############################################################################### + +use strict; +no warnings 'uninitialized'; +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +my $errormessage=''; +my $p2pfile = "${General::swroot}/forward/p2protocols"; + +my @p2ps = (); +my %fwdfwsettings=(); +my %color=(); +my %mainsettings=(); + +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); + + + +&Header::showhttpheaders(); +&Header::getcgihash(\%fwdfwsettings); +&Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); +&Header::openbigbox('100%', 'center',$errormessage); + +if ($fwdfwsettings{'ACTION'} eq ''){ +&p2pblock; +} +if ($fwdfwsettings{'ACTION'} eq 'togglep2p') +{ + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /\;/, $p2pentry ); + if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) { + if($p2pline[2] eq 'on'){ + $p2pline[2]='off'; + }else{ + $p2pline[2]='on'; + } + } + print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; + } + close FILE; + &rules; + &p2pblock; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &p2pblock; +} + + +sub p2pblock +{ + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}
- - -END -; - if ($outfwsettings{'POLICY'} ne 'MODE0') { - print < -END -; - } -print < - -END -; -&Header::closebox(); - -############################################################################################################################ -############################################################################################################################ - -sub addrule -{ - &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); - if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; } - $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; - $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; -print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'description'}: $Lang::tr{'active'}:
$Lang::tr{'protocol'} - - $Lang::tr{'policy'}: -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\t\tALLOW\n"; - } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\t\tDENY\n"; - } - print < -
$Lang::tr{'source'}: - - $Lang::tr{'outgoing firewall warning'}
$Lang::tr{'source ip or net'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: - -
$Lang::tr{'logging'}: - - - -
$Lang::tr{'destination ip or net'}: $Lang::tr{'destination port'}(s)
$Lang::tr{'time'}:$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'}$Lang::tr{'advproxy to'}
- - - - - - - - - -
-
$Lang::tr{'this field may be blank'}
-END -; - &Header::closebox(); - -if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2') -{ -&Header::openbox('100%', 'center', 'Quick Add'); - - open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services"; - my @defservices = ; - close FILE; - -print ""; -foreach my $serviceline(@defservices) - { - my @service = split(/,/,$serviceline); - print <
- - - - - - ";} - elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "";} - } - print "
$Lang::tr{'service'}$Lang::tr{'description'}$Lang::tr{'port'}$Lang::tr{'protocol'}$Lang::tr{'source net'}$Lang::tr{'logging'}$Lang::tr{'action'}
$service[0]$service[3]$service[1]$service[2] - - - -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "
"; - &Header::closebox(); - } -} - -&Header::closebigbox(); -&Header::closepage(); diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 73e610bfd..f01235884 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -30,6 +30,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); +use Sort::Naturally; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; @@ -165,49 +166,29 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } - sub checkportfw { - my $KEY2 = $_[0]; # key2 - my $SRC_PORT = $_[1]; # src_port - my $PROTOCOL = $_[2]; # protocol - my $SRC_IP = $_[3]; # sourceip - - my $pfwfilename = "${General::swroot}/portfw/config"; - open(FILE, $pfwfilename) or die 'Unable to open config file.'; - my @pfwcurrent = ; - close(FILE); - my $pfwkey1 = 0; # used for finding last sequence number used - foreach my $pfwline (@pfwcurrent) - { - my @pfwtemp = split(/\,/,$pfwline); - - chomp ($pfwtemp[8]); - if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $SRC_PORT eq $pfwtemp[3] && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7]) - { - $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $pfwtemp[1] eq "0") { - $pfwkey1=$pfwtemp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($pfwtemp[1] eq "0" && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7] && - $errormessage eq '') - { - &portchecks($SRC_PORT, $pfwtemp[5]); -# &portchecks($pfwtemp[3], $pfwtemp[5]); -# &portchecks($pfwtemp[3], $SRC_IP); + my $DPORT = shift; + my $DPROT = shift; + my %natconfig =(); + my $confignat = "${General::swroot}/forward/config"; + $DPROT= uc ($DPROT); + &General::readhasharray($confignat, \%natconfig); + foreach my $key (sort keys %natconfig){ + my @portarray = split (/\|/,$natconfig{$key}[30]); + foreach my $value (@portarray){ + if ($value =~ /:/i){ + my ($a,$b) = split (":",$value); + if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + }else{ + if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + } } } - } -# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; - - return; + return; } sub checkportoverlap @@ -239,32 +220,6 @@ sub checkportinc return 0; } } -# Darren Critchley - Duplicate or overlapping Port range check -sub portchecks -{ - my $p1 = $_[0]; # New port range - my $p2 = $_[1]; # existing port range -# $_ = $_[0]; - our ($prtrange1, $prtrange2); - $prtrange1 = 0; -# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges -# unless (&checkportoverlap($p1,$p2)) { -# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; -# } -# } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p2,$p1)) { - $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; - } - } - $prtrange1 = 1; - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p1,$p2)) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; - } - } - return; -} # Darren Critchley - certain ports are reserved for IPFire # TCP 67,68,81,222,445 @@ -1144,7 +1099,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); } if ($errormessage) { goto SETTINGS_ERROR; } @@ -4895,11 +4850,10 @@ END
    $Lang::tr{'fwhost reread'}

"; + } + my $gif; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + &Header::openbox('100%', 'center', 'P2P-Block'); + print < + $Lang::tr{'protocol'}$Lang::tr{'status'} +END + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /\;/, $p2pentry ); + if($p2pline[2] eq 'on'){ + $gif="/images/on.gif" + }else{ + $gif="/images/off.gif" + } + print < + + $p2pline[0]: +END + } + print"$Lang::tr{'outgoing firewall p2p allow'}"; + print"$Lang::tr{'outgoing firewall p2p deny'}"; + print"


$Lang::tr{'fwdfw p2p txt'}
"; + &Header::closebox(); +} +sub rules +{ + if (!-f "${General::swroot}/forward/reread"){ + system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); + } +} +sub reread_rules +{ + system("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/forward/reread"){ + system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); + } +} +&Header::closebigbox(); +&Header::closepage(); diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi deleted file mode 100644 index 199682f44..000000000 --- a/html/cgi-bin/portfw.cgi +++ /dev/null @@ -1,1177 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colouryellow} ); -undef (@dummy); - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -my %cgiparams=(); -my %selected=(); -my %checked=(); -my $prtrange1=0; -my $prtrange2=0; -my $errormessage = ''; -my $filename = "${General::swroot}/portfw/config"; -my $aliasfile = "${General::swroot}/ethernet/aliases"; - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'KEY1'} = '0'; -$cgiparams{'KEY2'} = '0'; -$cgiparams{'PROTOCOL'} = ''; -$cgiparams{'SRC_PORT'} = ''; -$cgiparams{'DEST_IP'} = ''; -$cgiparams{'DEST_PORT'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'ORIG_IP'} = ''; -$cgiparams{'REMARK'} = ''; -$cgiparams{'OVERRIDE'} = 'off'; -$cgiparams{'ACTION'} = ''; - -&Header::getcgihash(\%cgiparams); - -my $disable_all = "0"; -my $enable_all = "0"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - &valaddupdate(); - - # Darren Critchley - if there is an error, don't waste any more time processing - if ($errormessage) { goto ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key1 = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - - chomp ($temp[8]); - if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $temp[1] eq "0") { - $key1=$temp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } - } else { - if ( $cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'ORIG_IP'} eq $temp[8]) - { - $errormessage = - "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - } - } - } - -ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add - $key1++; # Add one to last sequence number - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - if ($cgiparams{'ORIG_IP'} eq '0.0.0.0/0') { - # if the default/all is taken, then write it to the rule - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { # else create an extra record so it shows up - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n"; - print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule added'}); - system('/usr/local/bin/setportfw'); - } else { # else key1 eq 0 - my $insertpoint = ($cgiparams{'KEY2'} - 1); - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) { - if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule - $temp[8] = '0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - print FILE "$line\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'external access rule added'}); - system('/usr/local/bin/setportfw'); - } # end if if KEY1 eq 0 - } # end unless($errormessage) -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'update'}) -{ - &valaddupdate(); - - # Darren Critchley - If there is an error don't waste any more processing time - if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto UPD_ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - chomp ($temp[8]); - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0") - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - } - if ($cgiparams{'ORIG_IP'} eq $temp[8]) - { - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1]) - # If we have the same source ip within a portfw group, then we have a problem! - { - $errormessage = "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - } - - # Darren Critchley - rule to stop someone from entering ALL into a external access rule, - # the portfw is the only place that ALL can be specified - if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") { - $errormessage = "$Lang::tr{'xtaccess all error'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'KEY1'} ne $temp[0] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } # end port testing - - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - -UPD_ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - # Darren Critchley - If it is a port forward record, then chances are good that a change was made to - # Destination Ip or Port, and we need to update all the associated external access records - if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) { - $temp[4] = $cgiparams{'DEST_IP'}; - $temp[5] = $cgiparams{'DEST_PORT'}; - $temp[2] = $cgiparams{'PROTOCOL'}; - } - - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - # Darren Critchley - Deal with the override to allow ALL - if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); - } - if ($errormessage) { - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } -} - -# Darren Critchley - Allows rules to be enabled and disabled -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - goto TOGGLEEXIT; - } - } - } - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n"; - } else { - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); -TOGGLEEXIT: - undef %cgiparams; -} - - -# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - unless ($errormessage) - { - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = $temp[8]; - $cgiparams{'REMARK'} = $temp[9]; - } - - } - } -} - -# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - # If the record being deleted is an xtaccess record, and it is the only one for a portfw record - # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur - # in setportfw.c - my $fixportfw = '0'; - if ($cgiparams{'KEY2'} ne "0") { - my $counter = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $counter++; - } - } - if ($counter eq 2) { - $fixportfw = '1'; - } - } - - unless ($errormessage) - { - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $linedeleted = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] || - $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" ) - { - $linedeleted = 1; - } else { - if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") { - $temp[8] = '0.0.0.0/0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; -# print FILE "$line\n"; - } - } - close(FILE); - if ($linedeleted == 1) { - &General::log($Lang::tr{'forwarding rule removed'}); - undef %cgiparams; - } - system('/usr/local/bin/setportfw'); - } -} - -# Darren Critchley - Added routine to allow external access rules to be added -if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $key = $temp[1] - } - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = ''; - $cgiparams{'REMARK'} = $temp[9]; - } - } - $key++; - $cgiparams{'KEY2'} = $key; - # Until the ADD button is hit, there needs to be no change to portfw rules -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) -{ - undef %cgiparams; -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_IP'} = '0.0.0.0'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{'gre'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){ -# if it is not a port forward record, don't validate as the fields are disabled - my $PROT = "\U$cgiparams{'PROTOCOL'}\E"; - # Darren Critchley - Format the source and destination ports - my $dstprt = $cgiparams{'DEST_PORT'}; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - -print < - - $Lang::tr{'protocol'}: $PROT -   - $Lang::tr{'destination ip'}:  - $cgiparams{'DEST_IP'} -   - $Lang::tr{'destination port'}:  - $dstprt - - - - - - - - -END -; -} else { -print < - - $Lang::tr{'protocol'}:  - - - - $Lang::tr{'alias ip'}: - - - - -   -   - $Lang::tr{'destination ip'}: - - $Lang::tr{'destination port'}: - - - -END -; -} - -print < - - $Lang::tr{'remark title'} *  - -END -; -unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") { - print " "; - print "$Lang::tr{'enabled'} \n"; -} -print < - -END -; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){ -# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we -# don't want to allow a person to change the orig_ip field as it will mess other logic up - print "\n"; -} else { -print < - - $Lang::tr{'source network'} *  - - - -END -; -} - -print < -
- - * $Lang::tr{'this field may be blank'} -END -; - - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - if($cgiparams{'KEY2'} eq "0"){ - print "$Lang::tr{'open to all'}: \n"; - } else { - print " \n"; - } - print ""; - print ""; - print ""; - print ""; - # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button -} else { - print " \n"; - print ""; - if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) { - print ""; - print ""; - print ""; - } elsif ($errormessage ne '') { - print ""; - } else { - print ""; - } -} -print <  - - -END -; -&Header::closebox(); - -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'source'} -  -$Lang::tr{'destination'} -$Lang::tr{'remark'} -$Lang::tr{'action'} - -END -; - -my $id = 0; -my $xtaccesscolor = '#F6F4F4'; -open(RULES, "$filename") or die 'Unable to open config file.'; -while () -{ - my $protocol = ''; - my $gif = ''; - my $gdesc = ''; - my $toggle = ''; - chomp($_); - my @temp = split(/\,/,$_); - $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init - if ($temp[2] eq 'udp') { - $protocol = 'UDP'; } - elsif ($temp[2] eq 'gre') { - $protocol = 'GRE' } - else { - $protocol = 'TCP' } - # Change bgcolor when a new portfw rule is added - if ($temp[1] eq "0"){ - $id++; - } - # Darren Critchley highlight the row we are editing - if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - print "\n"; - } else { - if ($id % 2) { - print "\n"; - } - else { - print "\n"; - } - } - - if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - this code no longer works - should we remove? - # catch for 'old-style' rules file - assume default ip if - # none exists - if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') { - $temp[7] = 'DEFAULT IP'; } - if ($temp[1] eq '0') { # Port forwarding entry - - # Darren Critchley - Format the source and destintation ports - my $srcprt = $temp[3]; - $srcprt =~ s/-/ - /; - $srcprt =~ s/:/ - /; - my $dstprt = $temp[5]; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[2]))); - if ($servi ne '' && $temp[3] < 1024) { - $srcprt = "$srcprt($servi)"; } - } - $_=$temp[5]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[5], lc($temp[2]))); - if ($servi ne '' && $temp[5] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - - # Darren Critchley - If the line is too long, wrap the port numbers - my $srcaddr = "$temp[7] : $srcprt"; - if (length($srcaddr) > 22) { - $srcaddr = "$temp[7] :
$srcprt"; - } - my $dstaddr = "$temp[4] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[4] :
$dstprt"; - } -print <$protocol -$srcaddr -=> -$dstaddr - $temp[9] - -
- - - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } else { # external access entry -print <  - - $Lang::tr{'access allowed'} $temp[8]     ($temp[9]) - - -
- - - - - -
- - -  - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } -} - -close(RULES); - -print ""; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -  $Lang::tr{'legend'}:  - $Lang::tr{ - $Lang::tr{'click to disable'} -    - $Lang::tr{ - $Lang::tr{'click to enable'} -    - $Lang::tr{ - $Lang::tr{'add xtaccess'} -    - $Lang::tr{ - $Lang::tr{'edit'} -    - $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -# Validate Field Entries -sub validateparams -{ - # Darren Critchley - Get rid of dashes in port ranges - $cgiparams{'DEST_PORT'}=~ tr/-/:/; - $cgiparams{'SRC_PORT'}=~ tr/-/:/; - - # Darren Critchley - code to substitue wildcards - if ($cgiparams{'SRC_PORT'} eq "*") { - $cgiparams{'SRC_PORT'} = "1:65535"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'SRC_PORT'} = "1:$2"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'SRC_PORT'} = "$1:65535"; - } - if ($cgiparams{'DEST_PORT'} eq "*") { - $cgiparams{'DEST_PORT'} = "1:65535"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'DEST_PORT'} = "1:$2"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'DEST_PORT'} = "$1:65535"; - } - - # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder - if ($cgiparams{'PROTOCOL'} eq 'gre') { - $cgiparams{'SRC_PORT'} = "GRE"; - $cgiparams{'DEST_PORT'} = "GRE"; - } - - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; } - # Darren Critchley - Changed how the error routine works a bit - for the validportrange check, we need to - # pass in src or dest to determine which side we are working with. - # the routine returns the complete error or '' - if ($cgiparams{'PROTOCOL'} ne 'gre') { - $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src'); - } - if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) { - # if it is a port forward record with 0 in orig_ip then ignore checking this field - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { - $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; } - } - } - # Darren Critchey - New rule that sets destination same as source if dest_port is blank. - if ($cgiparams{'DEST_PORT'} eq ''){ - $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'}; - } - # Darren Critchey - Just in case error message is already set, this routine would wipe it out if - # we don't do a test here - if ($cgiparams{'PROTOCOL'} ne 'gre') { - unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');} - } - unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - return; -} - -# Darren Critchley - we want to make sure that a port range does not overlap another port range -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! -} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for Ipcop -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - -# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same -sub valaddupdate -{ - if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly - &validateparams(); - } else { # it is an xtaccess rule, just check for a valid ip - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { # this rule stops someone from adding an ALL xtaccess record - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess - if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") { - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - # Darren Critchley - Check to see if we are working with port ranges - our ($prtrange1, $prtrange2); - $_ = $cgiparams{'SRC_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange1 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange1 == 1){ # check for source ports reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } else { # check for source port reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } - } - - $_ = $cgiparams{'DEST_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange2 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange2 == 1){ # check for destination ports reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } else { # check for destination port reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } - } - - -EXITSUB: - return; -} - -# Darren Critchley - Duplicate or overlapping Port range check -sub portchecks -{ - $_ = $_[0]; - our ($prtrange1, $prtrange2); - if (m/:/ && $prtrange1 == 1) { # comparing two port ranges - unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) { - $errormessage = "$Lang::tr{'source port overlaps'} $_[0]"; - } - } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) { - $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]"; - } - } - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]"; - } - } - - if ($errormessage eq ''){ - $_ = $_[1]; - if (m/:/ && $prtrange2 == 1) { # if true then there is a port range - unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) { - $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]"; - } - } - if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) { - $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]"; - } - } - if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) { - $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]"; - } - } - } - return; -} diff --git a/html/cgi-bin/upnp.cgi b/html/cgi-bin/upnp.cgi index 8d2666ec7..2b03eff8a 100644 --- a/html/cgi-bin/upnp.cgi +++ b/html/cgi-bin/upnp.cgi @@ -82,7 +82,7 @@ if ($upnpsettings{'ACTION'} eq $Lang::tr{'save'}) debug_mode = $upnpsettings{'DEBUGMODE'} insert_forward_rules = $upnpsettings{'FORWARDRULES'} forward_chain_name = FORWARD -prerouting_chain_name = PORTFW +prerouting_chain_name = UPNPFW upstream_bitrate = $upnpsettings{'DOWNSTREAM'} downstream_bitrate = $upnpsettings{'UPSTREAM'} description_document_name = $upnpsettings{'DESCRIPTION'} diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 58645c39c..2fbe48035 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -23,7 +23,7 @@ use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; - +use Sort::Naturally; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -2491,7 +2491,7 @@ END ; my $id = 0; my $gif; - foreach my $key (keys %confighash) { + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 4e005e1a8..c054b0c84 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, 'Act as' => 'Konfiguriert als', @@ -187,7 +187,6 @@ 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', 'advproxy cache management' => 'Cacheverwaltung', 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie', -'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren', 'advproxy chgwebpwd ERROR' => 'F E H L E R :', 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :', 'advproxy chgwebpwd change password' => 'Passwort ändern', @@ -747,12 +746,16 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop input' => 'Verworfene Input-Pakete loggen', +'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', +'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', +'drop action2' => 'Standardverhalten der (Input) Firewall', +'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', +'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop output' => 'Verworfene Output-Pakete loggen', -'drop portscan' => 'Verworfene Portscan-Pakete loggen', -'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind', -'drop samba' => 'Alle Microsoft-Pakete verwerfen, Ports 135,137,138,139,445,1025', +'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen', +'drop portscan' => 'Verworfene Portscan Pakete loggen', +'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', +'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Verworfene Wireless Forward Pakete loggen', 'drop wirelessinput' => 'Verworfene Wireless Input Pakete loggen', 'dst port' => 'Ziel-Port', @@ -882,6 +885,7 @@ 'fixed ip lease removed' => 'Feste IP-Zuordnung gelöscht', 'force update' => 'Aktualisierung erzwingen', 'force user' => 'Standardbenutzer für das UNIX Dateisystem', +'forward firewall' => 'Firewall', 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu', 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu', 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu', @@ -899,7 +903,175 @@ 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gültig', 'fw blue' => 'Firewall-Optionen für das Blaue Interface', +'fw default drop' => 'Firewall Policy', 'fw logging' => 'Firewall-Logging', +'fw settings' => 'Firewall-Einstellungen', +'fw settings color' => 'Farben in Regeltabelle anzeigen', +'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', +'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', +'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', +'fwdfw DROP' => 'Verwerfen (DROP)', +'fwdfw MODE1' => 'Alle Pakete verwerfen', +'fwdfw MODE2' => 'Alle Pakete annehmen', +'fwdfw REJECT' => 'Verweigern (REJECT)', +'fwdfw action' => 'Aktion', +'fwdfw additional' => 'Weitere Einstellungen', +'fwdfw addr grp' => 'Adressgruppen:', +'fwdfw addrule' => 'Regel hinzufügen/ändern:', +'fwdfw change' => 'Aktualisieren', +'fwdfw copy' => 'Kopieren', +'fwdfw cust addr' => 'Custom Adressen:', +'fwdfw cust net' => 'Custom Netzwerke:', +'fwdfw delete' => 'Löschen', +'fwdfw dnat' => 'DNAT/Port-Weiterleitung', +'fwdfw dnat error' => 'Für Destination-NAT muss ein einzelner Host als Ziel ausgewählt werden. Gruppen oder Netzwerke sind nicht erlaubt', +'fwdfw dnat porterr' => 'Für NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden', +'fwdfw edit' => 'Bearbeiten', +'fwdfw err nosrc' => 'Keine Quelle ausgewählt', +'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben', +'fwdfw err notgt' => 'Kein Ziel ausgewählt', +'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben', +'fwdfw err prot' => 'Quell- und Zielprotokoll müssen identisch sein', +'fwdfw err remark' => 'Die Bemerkung enthält ungültige Zeichen', +'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', +'fwdfw err same' => 'Quelle und Ziel sind identisch', +'fwdfw err samesub' => 'Quell- und Ziel-IP-Adresse befinden sich im selben Subnetz', +'fwdfw err src_addr' => 'Quell-MAC/IP-Adresse ungültig', +'fwdfw err srcovpn' => 'Die gewählte Quell-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. Bitte wählen Sie die passende Verbindung direkt aus.', +'fwdfw err srcport' => 'Bitte Quellport angeben', +'fwdfw err tgt_addr' => 'Ungültige Ziel-IP-Adresse', +'fwdfw err tgt_grp' => 'Die Ziel-Dienstgruppe ist leer', +'fwdfw err tgt_mac' => 'MAC-Adressen können nicht als Ziel defininert werden', +'fwdfw err tgt_port' => 'Ungültiger Zielport', +'fwdfw err tgtovpn' => 'Die gewählte Ziel-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. Bitte wählen Sie die passende Verbindung direkt aus.', +'fwdfw err tgtport' => 'Bitte Zielport angeben', +'fwdfw err time' => 'Es muss mindestens ein Tag ausgewählt werden', +'fwdfw final_rule' => 'Letzte Regel: ', +'fwdfw from' => 'Von:', +'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel mag eventuell niemals zutreffen, da sich Quelle und Ziel überlappen.', +'fwdfw hint ip2' => 'Bitte überprüfen Sie, ob diese Regel Sinn macht: ', +'fwdfw ipsec network' => 'IPsec-Netzwerke:', +'fwdfw log rule' => 'Logging aktivieren', +'fwdfw man port' => 'Port(s):', +'fwdfw menu' => 'Firewallregeln', +'fwdfw movedown' => 'Herunter', +'fwdfw moveup' => 'Herauf', +'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.', +'fwdfw newrule' => 'Neue Regel erstellen', +'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.', +'fwdfw pol allow' => 'Zugelassen', +'fwdfw pol block' => 'Blockiert', +'fwdfw pol text' => 'Firewall-Standardverhalten für Verbindungen aus lokalen Netzwerken: Alle Verbindungen können entweder zugelassen oder geblockt werden, wenn keine Ausnahmeregel zutrifft. "Blockiert" trennt ebenfalls die Kommunikation zwischen den lokalen Netzwerken.', +'fwdfw pol text1' => 'Firewall-Standardverhalten für von der Firewall selbst initiierte Verbindungen.', +'fwdfw pol title' => 'Standardverhalten der Firewall', +'fwdfw red' => 'ROT', +'fwdfw reread' => 'Ãœbernehmen', +'fwdfw rule action' => 'Regelaktion:', +'fwdfw rule activate' => 'Regel aktivieren', +'fwdfw rulepos' => 'Regelposition', +'fwdfw rules' => 'Regeln', +'fwdfw snat' => 'SNAT (ersetzt die Quell-IP-Adresse mit der hier konfigurierten)', +'fwdfw source' => 'Quelle', +'fwdfw sourceip' => 'Quelladresse (IP/MAC-Adresse oder Netzwerk):', +'fwdfw std network' => 'Standard Netzwerke:', +'fwdfw target' => 'Ziel', +'fwdfw targetip' => 'Zieladresse (IP/MAC-Adresse oder Netzwerk):', +'fwdfw till' => 'Bis:', +'fwdfw time' => 'Zeitrahmen', +'fwdfw timeframe' => 'Zeitrahmen hinzufügen', +'fwdfw toggle' => 'Aktivieren oder deaktivieren', +'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw use nat' => 'NAT benutzen', +'fwdfw use srcport' => 'Quellport benutzen', +'fwdfw use srv' => 'Zielport benutzen', +'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.', +'fwdfw wd_fri' => 'Fr', +'fwdfw wd_mon' => 'Mo', +'fwdfw wd_sat' => 'Sa', +'fwdfw wd_sun' => 'So', +'fwdfw wd_thu' => 'Do', +'fwdfw wd_tue' => 'Di', +'fwdfw wd_wed' => 'Mi', +'fwdfw xt access' => 'Input', +'fwhost addgrp' => 'Neue Gruppe hinzufügen:', +'fwhost addgrpname' => 'Gruppenname:', +'fwhost addhost' => 'Neuen Host hinzufügen:', +'fwhost addnet' => 'Neues Netzwerk hinzufügen:', +'fwhost addrule' => 'Regel hinzufügen/ändern:', +'fwhost addservice' => 'Neuen Dienst hinzufügen:', +'fwhost addservicegrp' => 'Neue Dienstgruppe hinzufügen:', +'fwhost any' => 'Alle', +'fwhost attention' => 'ACHTUNG', +'fwhost back' => 'Zurück', +'fwhost blue' => 'Blau', +'fwhost ccdhost' => 'OpenVPN-Clients:', +'fwhost ccdnet' => 'OpenVPN-Netzwerke:', +'fwhost change' => 'Ändern', +'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.', +'fwhost cust addr' => 'Hosts:', +'fwhost cust grp' => 'Gruppen:', +'fwhost cust net' => 'Netzwerke:', +'fwhost cust service' => 'Dienste:', +'fwhost cust srvgrp' => 'Dienstgruppen', +'fwhost deleted' => 'Gelöscht', +'fwhost empty' => 'Keine Regeln definiert', +'fwhost err addr' => 'IP-Adresse oder Subnetzmaske ungültig', +'fwhost err addrgrp' => 'Bitte Gruppennamen angeben', +'fwhost err empty' => 'Bitte alle Felder ausfüllen', +'fwhost err emptytable' => 'Keine Einträge in Gruppe', +'fwhost err groupempty' => 'Die gewählte Gruppe ist leer', +'fwhost err grpexist' => 'Die Gruppe existiert bereits', +'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits', +'fwhost err hostorip' => 'Name oder IP-Adresse ungültig', +'fwhost err ip' => 'IP-Adresse ungültig', +'fwhost err ipcheck' => 'Diese IP-Adresse wird bereits verwendet', +'fwhost err ipmac' => 'Ungültige IP/MAC-Addresse', +'fwhost err ipwithsub' => 'Bitte nur eine IP-Adresse (ohne Subnetzmaske) eingeben', +'fwhost err isccdhost' => 'Dieser Name wird bereits für einen OpenVPN-Host verwendet', +'fwhost err isccdiphost' => 'Diese IP-Adresse wird bereits für einen OpenVPN-Host verwendet', +'fwhost err isccdipnet' => 'Diese IP-Adresse wird bereits für einen OpenVPN-Netzwerk verwendet', +'fwhost err isccdnet' => 'Dieser Name wird bereits für einen OpenVPN-Netzwerk verwendet', +'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe', +'fwhost err mac' => 'Ungültige MAC-Adresse', +'fwhost err name' => 'Ungültiger Name. Erlaubte Zeichen: Klein- und Großbuchstaben, Leerzeichen und Bindestrich.', +'fwhost err name1' => 'Der Name muss ausgefüllt sein', +'fwhost err net' => 'Netzwerk/IP-Adresse existiert bereits', +'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits', +'fwhost err partofnet' => 'Dieses Netzwerk ist ein Subnetz eines bereits existierenden Netzwerks', +'fwhost err port' => 'Port muss gefüllt sein', +'fwhost err remark' => 'Ungültige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.', +'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufügen, keine Netzwerke', +'fwhost green' => 'Grün', +'fwhost hint' => 'Hinweis', +'fwhost hosts' => 'Firewall-Hosts', +'fwhost icmptype' => 'ICMP-Typ:', +'fwhost ip_mac' => 'IP/MAC-Adresse', +'fwhost ipadr' => 'IP-Adresse:', +'fwhost ipsec host' => 'IPsec-Clients:', +'fwhost ipsec net' => 'IPsec-Netzwerke:', +'fwhost menu' => 'Firewallgruppen', +'fwhost netaddress' => 'Netzwerkadresse', +'fwhost newgrp' => 'Netzwerk-/Hostgruppen', +'fwhost newhost' => 'Hosts', +'fwhost newnet' => 'Netzwerke', +'fwhost newservice' => 'Dienst', +'fwhost newservicegrp' => 'Dienstgruppen', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protokoll', +'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.', +'fwhost reset' => 'Abbrechen', +'fwhost services' => 'Dienste', +'fwhost srv_name' => 'Dienstname', +'fwhost stdnet' => 'Standard-Netzwerke:', +'fwhost type' => 'Typ', +'fwhost used' => 'Genutzt', +'fwhost welcome' => 'Hier können einzelne Hosts, Netzwerke oder Dienste zu Gruppen zusammengefasst werden, was das erstellen von Firewallregeln einfacher und schneller macht.', +'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', 'gen static key' => 'Statischen Schlüssel erzeugen', @@ -1289,7 +1461,7 @@ 'network traffic graphs others' => 'Netzwerk (sonstige)', 'network updated' => 'Benutzerdefiniertes Netzwerk aktualisiert', 'networks settings' => 'Firewall - Netzwerkeinstellungen', -'new optionsfw later' => 'Ihre Modifikation(en) wird (werden) beim nächsten Neustart aktiv werden', +'new optionsfw later' => 'Einige Einstellungen werden erst nach einem Neustart aktiv', 'new optionsfw must boot' => 'Sie müssen Ihren IPFire neu starten', 'newer' => 'Neuer', 'next' => 'Nächster', @@ -1353,7 +1525,7 @@ 'optional at cmd' => 'zusätzlicher Modembefehl', 'optional data' => '3. Optionale Einstellungen', 'options' => 'Optionen', -'options fw' => 'Firewall Optionen', +'options fw' => 'Firewall-Optionen', 'optionsfw portlist hint' => 'Die Liste der Ports muss durch ein Komma getrennt werden (z.B. 137,138). Sie können maximal bis zu 15 Ports pro Protokoll angeben.', 'optionsfw warning' => 'Verändern dieser Optionen bedingt einen Neustart der Firewall', 'or' => 'oder', @@ -1553,6 +1725,7 @@ 'reconnect' => 'Neu Verbinden', 'reconnection' => 'Wiederverbindung', 'red' => 'Internet', +'red1' => 'ROT', 'references' => 'Referenzen', 'refresh' => 'Aktualisieren', 'refresh index page while connected' => 'Aktualisere index.cgi Seite während der Verbindung', @@ -2307,7 +2480,7 @@ 'wlanap encryption' => 'Verschlüsselung', 'wlanap informations' => 'Informationen', 'wlanap interface' => 'Interface übernehmen', -'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 ASCII-Zeichen lang sein.', +'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 Zeichen lang sein.', 'wlanap link dhcp' => 'Wireless Lan DHCP-Einstellungen', 'wlanap link wireless' => 'Wireless Lan Clients freischalten', 'wlanap no interface' => 'Ausgewähltes Interface ist keine WLAN-Karte!', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ba80985a8..c38ba9628 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, 'Act as' => 'Act as:', @@ -187,7 +187,6 @@ 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', 'advproxy cache management' => 'Cache management', 'advproxy cache replacement policy' => 'Cache replacement policy', -'advproxy cache-digest' => 'Enable Cache-Digest Generation', 'advproxy chgwebpwd ERROR' => 'E R R O R :', 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :', 'advproxy chgwebpwd change password' => 'Change password', @@ -771,9 +770,13 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', +'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', +'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', +'drop action2' => 'Default behaviour of (input) firewall', +'drop forward' => 'Log dropped forward packets', 'drop input' => 'Log dropped input packets', 'drop newnotsyn' => 'Log dropped new not syn packets', -'drop output' => 'Log dropped output packets', +'drop outgoing' => 'Log dropped outgoing packets', 'drop portscan' => 'Log dropped portscan packets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', @@ -907,6 +910,7 @@ 'fixed ip lease removed' => 'Fixed IP lease removed', 'force update' => 'Force update', 'force user' => 'force all new file to user', +'forward firewall' => 'Firewall', 'forwarding rule added' => 'Forwarding rule added; restarting forwarder', 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder', 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder', @@ -924,7 +928,175 @@ 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', +'fw default drop' => 'Firewall policy', 'fw logging' => 'Firewall logging', +'fw settings' => 'Firewall settings', +'fw settings color' => 'Show colors in ruletable', +'fw settings dropdown' => 'Show all networks on rulecreation site', +'fw settings remark' => 'Show remarks in ruletable', +'fw settings ruletable' => 'Show empty ruletables', +'fwdfw ACCEPT' => 'ACCEPT', +'fwdfw DROP' => 'DROP', +'fwdfw MODE1' => 'Drop all packets', +'fwdfw MODE2' => 'Accept all packets', +'fwdfw REJECT' => 'REJECT', +'fwdfw action' => 'Action', +'fwdfw additional' => 'Additional settings', +'fwdfw addr grp' => 'Adress groups:', +'fwdfw addrule' => 'Add/Edit rule:', +'fwdfw change' => 'Update', +'fwdfw copy' => 'Copy', +'fwdfw cust addr' => 'Custom addresses:', +'fwdfw cust net' => 'Custom networks:', +'fwdfw delete' => 'Delete', +'fwdfw dnat' => 'Port forwarding/Destination NAT', +'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.', +'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', +'fwdfw edit' => 'Edit', +'fwdfw err nosrc' => 'No source selected.', +'fwdfw err nosrcip' => 'Please provide a source IP address.', +'fwdfw err notgt' => 'No destination selected.', +'fwdfw err notgtip' => 'Please provide a destination IP address.', +'fwdfw err prot' => 'Source and destination protocol need to match.', +'fwdfw err remark' => 'Invalid characters in remark.', +'fwdfw err ruleexists' => 'This rule already exists.', +'fwdfw err same' => 'Source and destination are identical.', +'fwdfw err samesub' => 'Source and destination IP addresses are from the same subnet.', +'fwdfw err src_addr' => 'Invalid source MAC/IP address.', +'fwdfw err srcovpn' => 'The entered source IP address is used by an OpenVPN client. Please use the dropdown menu and select the right client connection.', +'fwdfw err srcport' => 'Please provide a source port.', +'fwdfw err tgt_addr' => 'Invalid destination IP address.', +'fwdfw err tgt_grp' => 'The destination service group is empty', +'fwdfw err tgt_mac' => 'A MAC addresses cannot be used as destination.', +'fwdfw err tgt_port' => 'Invalid destination port.', +'fwdfw err tgtovpn' => 'The entered destination IP address is used by an OpenVPN client. Please use the dropdown menu and select the right client connection.', +'fwdfw err tgtport' => 'Please provide a destination port.', +'fwdfw err time' => 'You have to select at least one day.', +'fwdfw final_rule' => 'Last rule: ', +'fwdfw from' => 'From:', +'fwdfw hint ip1' => 'The last generated rule may never match, because source and destination subnets may overlap.', +'fwdfw hint ip2' => 'Please double-check if this rule makes sense: ', +'fwdfw ipsec network' => 'IPsec networks:', +'fwdfw log rule' => 'Log rule', +'fwdfw man port' => 'Port(s):', +'fwdfw menu' => 'Firewall Rules', +'fwdfw movedown' => 'Move down', +'fwdfw moveup' => 'Move up', +'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.', +'fwdfw newrule' => 'New rule', +'fwdfw p2p txt' => 'Grant/deny access to P2P networks.', +'fwdfw pol allow' => 'Allowed', +'fwdfw pol block' => 'Blocked', +'fwdfw pol text' => 'Sets the default firewall behaviour for connections from local networks. You may either allow all new connections or block them by default. Connections between the local networks are also blocked in the latter mode.', +'fwdfw pol text1' => 'Sets the default firewall behaviour for connections initiated by the firewall itself. Attention! You may lock yourself out.', +'fwdfw pol title' => 'Default firewall behaviour', +'fwdfw red' => 'RED', +'fwdfw reread' => 'Apply', +'fwdfw rule action' => 'Rule action:', +'fwdfw rule activate' => 'Activate rule', +'fwdfw rulepos' => 'Rule position', +'fwdfw rules' => 'Rules', +'fwdfw snat' => 'SNAT (replace the source\'s IP address by this IP address)', +'fwdfw source' => 'Source', +'fwdfw sourceip' => 'Source address (MAC/IP address or network):', +'fwdfw std network' => 'Standard networks:', +'fwdfw target' => 'Destination', +'fwdfw targetip' => 'Destination address (MAC/IP address or network):', +'fwdfw till' => 'Until:', +'fwdfw time' => 'Time Constraints', +'fwdfw timeframe' => 'Use time constraints', +'fwdfw toggle' => 'Activate or deactivate', +'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw use nat' => 'Use NAT', +'fwdfw use srcport' => 'Use source port', +'fwdfw use srv' => 'Use destination port', +'fwdfw useless rule' => 'This rule is useless.', +'fwdfw wd_fri' => 'Fri', +'fwdfw wd_mon' => 'Mon', +'fwdfw wd_sat' => 'Sat', +'fwdfw wd_sun' => 'Sun', +'fwdfw wd_thu' => 'Thu', +'fwdfw wd_tue' => 'Tue', +'fwdfw wd_wed' => 'Wed', +'fwdfw xt access' => 'Input', +'fwhost addgrp' => 'Add new network/host group:', +'fwhost addgrpname' => 'Group name:', +'fwhost addhost' => 'Add new host:', +'fwhost addnet' => 'Add new hetwork:', +'fwhost addrule' => 'Add/edit rule:', +'fwhost addservice' => 'Add service:', +'fwhost addservicegrp' => 'Add new service group:', +'fwhost any' => 'Any', +'fwhost attention' => 'ATTENTION', +'fwhost back' => 'Back', +'fwhost blue' => 'Blue', +'fwhost ccdhost' => 'OpenVPN clients:', +'fwhost ccdnet' => 'OpenVPN networks:', +'fwhost change' => 'Modify', +'fwhost changeremark' => 'You modified just the remark', +'fwhost cust addr' => 'Hosts:', +'fwhost cust grp' => 'Network/Host Groups:', +'fwhost cust net' => 'Networks:', +'fwhost cust service' => 'Services:', +'fwhost cust srvgrp' => 'Service Groups:', +'fwhost deleted' => 'Deleted', +'fwhost empty' => 'No rules defined', +'fwhost err addr' => 'Invalid IP address or subnet', +'fwhost err addrgrp' => 'Please provide a group name', +'fwhost err empty' => 'Please fill in all input fields', +'fwhost err emptytable' => 'No entries in this group', +'fwhost err groupempty' => 'The selected group is empty', +'fwhost err grpexist' => 'Group already exists', +'fwhost err hostexist' => 'A host with the same name already exists', +'fwhost err hostorip' => 'Invalid name or IP address', +'fwhost err ip' => 'IP address invalid', +'fwhost err ipcheck' => 'This IP address is already in use', +'fwhost err ipmac' => 'IP/MAC address invalid', +'fwhost err ipwithsub' => 'Please provide only an IP address (without subnet mask)', +'fwhost err isccdhost' => 'This name is already used by an OpenVPN client connection', +'fwhost err isccdiphost' => 'This IP address is already used by an OpenVPN client connection', +'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network connection', +'fwhost err isccdnet' => 'This name is already used by an OpenVPN network', +'fwhost err isingrp' => 'This entry already exists in the group', +'fwhost err mac' => 'Invalid MAC address', +'fwhost err name' => 'Invalid name. Allowed characters: Upper- and lowercase letters, digits, space and dash.', +'fwhost err name1' => 'Empty name.', +'fwhost err net' => 'Network/IP address already exists', +'fwhost err netexist' => 'A network with the same name already exists', +'fwhost err partofnet' => 'The network is a subnet of an already existing network.', +'fwhost err port' => 'Port is empty', +'fwhost err remark' => 'Invalid remark. Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.', +'fwhost err srv exists' => 'A service with the same name already exists', +'fwhost err srvexist' => 'This service already exists in the group', +'fwhost err sub32' => 'Please add a single host, not a network.', +'fwhost green' => 'Green', +'fwhost hint' => 'Note', +'fwhost hosts' => 'Firewall Hosts', +'fwhost icmptype' => 'ICMP type:', +'fwhost ip_mac' => 'IP/MAC address', +'fwhost ipadr' => 'IP address:', +'fwhost ipsec host' => 'IPsec clients:', +'fwhost ipsec net' => 'IPsec networks:', +'fwhost menu' => 'Firewall Groups', +'fwhost netaddress' => 'Network address', +'fwhost newgrp' => 'Network/Host Groups', +'fwhost newhost' => 'Hosts', +'fwhost newnet' => 'Networks', +'fwhost newservice' => 'Services', +'fwhost newservicegrp' => 'Service Groups', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protocol', +'fwhost reread' => 'Firewall rules need to be updated.', +'fwhost reset' => 'Cancel', +'fwhost services' => 'Services:', +'fwhost srv_name' => 'Service name', +'fwhost stdnet' => 'Standard networks:', +'fwhost type' => 'Type', +'fwhost used' => 'Used', +'fwhost welcome' => 'Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster.', +'fwhost wo subnet' => '(without subnet)', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', @@ -1317,7 +1489,7 @@ 'network traffic graphs others' => 'Network (others)', 'network updated' => 'Custom Network updated', 'networks settings' => 'Firewall - Network settings', -'new optionsfw later' => 'Your modification(s) will be active on next restart', +'new optionsfw later' => 'Some options need a reboot to take effect', 'new optionsfw must boot' => 'You must reboot your IPFire', 'newer' => 'Newer', 'next' => 'next', @@ -1543,7 +1715,7 @@ 'profile saved' => 'Profile saved: ', 'profiles' => 'Profiles:', 'proto' => 'Proto', -'protocol' => 'Protocol:', +'protocol' => 'Protocol', 'proxy' => 'Proxy', 'proxy access graphs' => 'Proxy access graphs', 'proxy admin password' => 'Cache administrator password', @@ -1584,6 +1756,7 @@ 'reconnect' => 'Reconnect', 'reconnection' => 'Reconnection', 'red' => 'Internet', +'red1' => 'RED', 'references' => 'References', 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', @@ -2339,13 +2512,12 @@ 'wlan client wpa mode tkip tkip' => 'TKIP-TKIP', 'wlanap access point' => 'Access Point', 'wlanap channel' => 'Channel', -'wlanap country' => 'Country Code', 'wlanap debugging' => 'Debugging', 'wlanap del interface' => 'Remove selected interface?', 'wlanap encryption' => 'Encryption', 'wlanap informations' => 'Informations', 'wlanap interface' => 'Select interface', -'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 ascii characters.', +'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.', 'wlanap link dhcp' => 'Wireless lan DHCP configuration', 'wlanap link wireless' => 'Activate wireless lan clients', 'wlanap no interface' => 'Selected interface is not a wirless lan card!', diff --git a/lfs/configroot b/lfs/configroot index 118523685..341b14632 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -50,59 +50,66 @@ $(TARGET) : @$(PREBUILD) # Create all directories - for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \ - ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ - net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \ - outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \ + for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ + ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ + ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \ + net-traffic/templates nfs optionsfw \ + ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ - wakeonlan wireless xtaccess ; do \ + wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ done # Touch empty files for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ - dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \ - isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \ + dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ + extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \ + fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ + isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ - ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ + ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ - touch $(CONFIG_ROOT)/$$i; \ + touch $(CONFIG_ROOT)/$$i; \ done # Copy initial configfiles cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ - cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/ cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings - cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ + cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl - cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl + cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server - cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols - cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ - cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 - cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ - cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings - cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config + cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ + cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings - cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings + cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans - cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ - + cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ + cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl + cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess + cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw + cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz + cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw + cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols + cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl + cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy + cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types + cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings @@ -110,11 +117,29 @@ $(TARGET) : echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings - + echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPSAMBA=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPPROXY=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSINPUT=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSFORWARD=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings + echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings + + # set rules.pl executable + chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl + + # set converters executable + chmod 755 /usr/sbin/convert-* + # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ @@ -131,7 +156,7 @@ $(TARGET) : # Language files cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/ - + # Configroot permissions chown -R nobody:nobody $(CONFIG_ROOT) chown root:root $(CONFIG_ROOT) @@ -140,7 +165,5 @@ $(TARGET) : done chown root:nobody $(CONFIG_ROOT)/dhcpc - # Set outgoingfw.pl executable - chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl - + @$(POSTBUILD) diff --git a/lfs/initscripts b/lfs/initscripts index 6549147a8..0b2dbee77 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -179,20 +179,15 @@ $(TARGET) : ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall - ln -sf ../../../../../usr/local/bin/outgoingfwctrl \ - /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl + ln -sf ../../../../../usr/local/bin/forwardfwctrl \ + /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos - ln -sf ../../../../../usr/local/bin/setportfw \ - /etc/rc.d/init.d/networking/red.up/25-portfw - ln -sf ../../../../../usr/local/bin/setxtaccess \ - /etc/rc.d/init.d/networking/red.up/26-xtaccess ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid - ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall ln -sf ../../../../../usr/local/bin/dialctrl.pl \ diff --git a/lfs/strongswan b/lfs/strongswan index 4701f3478..9ac2e68c7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -76,8 +76,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0237297e7..fc49da4e9 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -68,11 +68,171 @@ iptables_init() { # SYN/FIN (QueSO or nmap OS probe) /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN # NEW TCP without SYN - /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN + /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN - /sbin/iptables -A INPUT -j BADTCP - /sbin/iptables -A FORWARD -j BADTCP + /sbin/iptables -A INPUT -p tcp -j BADTCP + /sbin/iptables -A FORWARD -p tcp -j BADTCP + # Connection tracking chain + /sbin/iptables -N CONNTRACK + /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + + # Fix for braindead ISP's + /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + + # CUSTOM chains, can be used by the users themselves + /sbin/iptables -N CUSTOMINPUT + /sbin/iptables -A INPUT -j CUSTOMINPUT + /sbin/iptables -N CUSTOMFORWARD + /sbin/iptables -A FORWARD -j CUSTOMFORWARD + /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT + /sbin/iptables -t nat -N CUSTOMPREROUTING + /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING + /sbin/iptables -t nat -N CUSTOMPOSTROUTING + /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + + # Guardian (IPS) chains + /sbin/iptables -N GUARDIAN + /sbin/iptables -A INPUT -j GUARDIAN + /sbin/iptables -A FORWARD -j GUARDIAN + + # Block OpenVPN transfer networks + /sbin/iptables -N OVPNBLOCK + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j OVPNBLOCK + done + + # OpenVPN transfer network translation + /sbin/iptables -t nat -N OVPNNAT + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT + + # IPTV chains for IGMPPROXY + /sbin/iptables -N IPTVINPUT + /sbin/iptables -A INPUT -j IPTVINPUT + /sbin/iptables -N IPTVFORWARD + /sbin/iptables -A FORWARD -j IPTVFORWARD + + # filtering from GUI + /sbin/iptables -N GUIINPUT + /sbin/iptables -A INPUT -j GUIINPUT + /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT + + # Accept everything on loopback + /sbin/iptables -N LOOPBACK + /sbin/iptables -A LOOPBACK -i lo -j ACCEPT + /sbin/iptables -A LOOPBACK -o lo -j ACCEPT + + # Filter all packets with loopback addresses on non-loopback interfaces. + /sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP + /sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j LOOPBACK + done + + # Accept everything connected + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j CONNTRACK + done + + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything + /sbin/iptables -N IPSECINPUT + /sbin/iptables -N IPSECFORWARD + /sbin/iptables -N IPSECOUTPUT + /sbin/iptables -A INPUT -j IPSECINPUT + /sbin/iptables -A FORWARD -j IPSECFORWARD + /sbin/iptables -A OUTPUT -j IPSECOUTPUT + /sbin/iptables -t nat -N IPSECNAT + /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT + + # localhost and ethernet. + /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp + + # allow DHCP on BLUE to be turned on/off + /sbin/iptables -N DHCPBLUEINPUT + /sbin/iptables -A INPUT -j DHCPBLUEINPUT + + # WIRELESS chains + /sbin/iptables -N WIRELESSINPUT + /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT + /sbin/iptables -N WIRELESSFORWARD + /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD + + # TOR + /sbin/iptables -N TOR_INPUT + /sbin/iptables -A INPUT -j TOR_INPUT + + # Jump into the actual firewall ruleset. + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -j INPUTFW + + /sbin/iptables -N OUTGOINGFW + /sbin/iptables -A OUTPUT -j OUTGOINGFW + + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # RED chain, used for the red interface + /sbin/iptables -N REDINPUT + /sbin/iptables -A INPUT -j REDINPUT + /sbin/iptables -N REDFORWARD + /sbin/iptables -A FORWARD -j REDFORWARD + /sbin/iptables -t nat -N REDNAT + /sbin/iptables -t nat -A POSTROUTING -j REDNAT + + iptables_red + + # Custom prerouting chains (for transparent proxy) + /sbin/iptables -t nat -N SQUID + /sbin/iptables -t nat -A PREROUTING -j SQUID + + # DNAT rules + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + + # SNAT rules + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + + # upnp chain for our upnp daemon + /sbin/iptables -t nat -N UPNPFW + /sbin/iptables -t nat -A PREROUTING -j UPNPFW + /sbin/iptables -N UPNPFW + /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW + + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local start + fi + + # run openvpn + /usr/local/bin/openvpnctrl --create-chains-and-rules + + # run wirelessctrl + /usr/local/bin/wirelessctrl + + #POLICY CHAIN + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT + + /usr/sbin/firewall-policy + + # read new firewall + /usr/local/bin/forwardfwctrl + + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + fi + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" } iptables_red() { @@ -130,223 +290,23 @@ iptables_red() { case "$1" in start) iptables_init - - # Limit Packets- helps reduce dos/syn attacks - # original do nothing line - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec - # the correct one, but the negative '!' do nothing... - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP - - # Fix for braindead ISP's - /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - # CUSTOM chains, can be used by the users themselves - /sbin/iptables -N CUSTOMINPUT - /sbin/iptables -A INPUT -j CUSTOMINPUT - /sbin/iptables -N GUARDIAN - /sbin/iptables -A INPUT -j GUARDIAN - /sbin/iptables -A FORWARD -j GUARDIAN - /sbin/iptables -N CUSTOMFORWARD - /sbin/iptables -A FORWARD -j CUSTOMFORWARD - /sbin/iptables -N CUSTOMOUTPUT - /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT - /sbin/iptables -N OUTGOINGFW - /sbin/iptables -N OUTGOINGFWMAC - /sbin/iptables -A OUTPUT -j OUTGOINGFW - /sbin/iptables -t nat -N CUSTOMPREROUTING - /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING - /sbin/iptables -t nat -N CUSTOMPOSTROUTING - /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING - - # IPTV chains for IGMPPROXY - /sbin/iptables -N IPTVINPUT - /sbin/iptables -A INPUT -j IPTVINPUT - /sbin/iptables -N IPTVFORWARD - /sbin/iptables -A FORWARD -j IPTVFORWARD - - # filtering from GUI - /sbin/iptables -N GUIINPUT - /sbin/iptables -A INPUT -j GUIINPUT - /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT - - # Accept everything connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT - - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything - /sbin/iptables -N IPSECINPUT - /sbin/iptables -N IPSECFORWARD - /sbin/iptables -N IPSECOUTPUT - /sbin/iptables -N OPENSSLVIRTUAL - /sbin/iptables -A INPUT -j IPSECINPUT - /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT" - /sbin/iptables -A FORWARD -j IPSECFORWARD - /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" - /sbin/iptables -A OUTPUT -j IPSECOUTPUT - /sbin/iptables -t nat -N OVPNNAT - /sbin/iptables -t nat -N IPSECNAT - /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT - /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - - # TOR - /sbin/iptables -N TOR_INPUT - /sbin/iptables -A INPUT -j TOR_INPUT - - # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - - # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT - /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo - /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT - /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT - - # If a host on orange tries to initiate a connection to IPFire's red IP and - # the connection gets DNATed back through a port forward to a server on orange - # we end up with orange -> orange traffic passing through IPFire - [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - - # allow DHCP on BLUE to be turned on/off - /sbin/iptables -N DHCPBLUEINPUT - /sbin/iptables -A INPUT -j DHCPBLUEINPUT - - # OPenSSL - /sbin/iptables -N OPENSSLPHYSICAL - /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - - # WIRELESS chains - /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT - /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - - # RED chain, used for the red interface - /sbin/iptables -N REDINPUT - /sbin/iptables -A INPUT -j REDINPUT - /sbin/iptables -N REDFORWARD - /sbin/iptables -A FORWARD -j REDFORWARD - /sbin/iptables -t nat -N REDNAT - /sbin/iptables -t nat -A POSTROUTING -j REDNAT - - iptables_red - - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES - fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - - # Custom prerouting chains (for transparent proxy and port forwarding) - /sbin/iptables -t nat -N SQUID - /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - - # upnp chain for our upnp daemon - /sbin/iptables -t nat -N UPNPFW - /sbin/iptables -t nat -A PREROUTING -j UPNPFW - /sbin/iptables -N UPNPFW - /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW - - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE - - # Postrouting rules (for port forwarding) - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ - --to-source $GREEN_ADDRESS - if [ "$BLUE_DEV" != "" ]; then - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS - fi - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS - fi - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local start - fi - - # last rule in input and forward chain is for logging. - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " - fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - startovpn) - # run openvpn - /usr/local/bin/openvpnctrl --create-chains-and-rules - ;; - stop) - iptables_init - # Accept everyting connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - - # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -j ACCEPT - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT - - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop - fi - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " - fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - stopovpn) - # stop openvpn - /usr/local/bin/openvpnctrl --delete-chains-and-rules - ;; + ;; reload) iptables_red - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then + if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local reload fi ;; restart) - $0 stop - $0 stopovpn + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local stop + fi $0 start - $0 startovpn ;; *) - echo "Usage: $0 {start|stop|reload|restart}" + echo "Usage: $0 {start|reload|restart}" exit 1 ;; esac diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 9ff220011..02df4bc97 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -47,9 +47,7 @@ init_networking() { # (exit ${failed}) # evaluate_retval - boot_mesg "Setting up DMZ pinholes" - /usr/local/bin/setdmzholes; evaluate_retval - + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then boot_mesg "Setting up wireless firewall rules" /usr/local/bin/wirelessctrl; evaluate_retval diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 4d09fbf65..c748a66b4 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -24,11 +24,10 @@ CFLAGS=-O2 -Wall COMPILE=$(CC) $(CFLAGS) PROGS = iowrap -SUID_PROGS = setdmzholes setportfw setxtaccess \ - squidctrl sshctrl ipfirereboot \ +SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl outgoingfwctrl \ + logwatch openvpnctrl forwardfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ @@ -86,22 +85,16 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + +forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/outgoingfwctrl.c b/src/misc-progs/forwardfwctrl.c similarity index 53% rename from src/misc-progs/outgoingfwctrl.c rename to src/misc-progs/forwardfwctrl.c index 2d993d940..797d27ac5 100644 --- a/src/misc-progs/outgoingfwctrl.c +++ b/src/misc-progs/forwardfwctrl.c @@ -5,20 +5,12 @@ * */ -#include -#include -#include -#include -#include -#include #include "setuid.h" int main(int argc, char *argv[]) { - if (!(initsetuid())) exit(1); - safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl"); - safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl"); + safe_system("/var/ipfire/forward/bin/rules.pl"); return 0; } diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 76916f147..97491e40c 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off"; char OVPNRED[STRING_SIZE] = "OVPN"; char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_"; char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_"; +char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK"; char OVPNNAT[STRING_SIZE] = "OVPNNAT"; char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3"; @@ -253,20 +254,13 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port) sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port); executeCommand(str); - sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain); - executeCommand(str); - sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain); - executeCommand(str); } void flushChain(char *chain) { char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -F %sINPUT", chain); + sprintf(str, "/sbin/iptables -F %s", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -F %sFORWARD", chain); - executeCommand(str); - safe_system(str); } void flushChainNAT(char *chain) { @@ -276,15 +270,18 @@ void flushChainNAT(char *chain) { executeCommand(str); } +void flushChainINPUT(char *chain) { + char str[STRING_SIZE]; + + snprintf(str, STRING_SIZE, "%sINPUT", chain); + flushChain(str); +} + void deleteChainReference(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain); executeCommand(str); - safe_system(str); - sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain); - executeCommand(str); - safe_system(str); } void deleteChain(char *chain) { @@ -292,8 +289,6 @@ void deleteChain(char *chain) { sprintf(str, "/sbin/iptables -X %sINPUT", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -X %sFORWARD", chain); - executeCommand(str); } void deleteAllChains(void) { @@ -301,28 +296,28 @@ void deleteAllChains(void) { deleteChainReference(OVPNRED); deleteChainReference(OVPNBLUE); deleteChainReference(OVPNORANGE); - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); deleteChain(OVPNRED); deleteChain(OVPNBLUE); deleteChain(OVPNORANGE); + + // Only flush chains that are created by the firewall + flushChain(OVPNBLOCK); + flushChainNAT(OVPNNAT); } void createChainReference(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain); - executeCommand(str); } void createChain(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -N %sINPUT", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -N %sFORWARD", chain); - executeCommand(str); } void createAllChains(void) { @@ -471,9 +466,10 @@ void setFirewallRules(void) { freekeyvalues(kv); // Flush all chains. - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); + flushChain(OVPNBLOCK); flushChainNAT(OVPNNAT); // set firewall rules @@ -497,6 +493,11 @@ void setFirewallRules(void) { OVPNRED, redif, conn->proto, conn->port); executeCommand(command); + /* Block all communication from the transfer nets. */ + snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", + OVPNBLOCK, conn->transfer_subnet); + executeCommand(command); + local_subnet_address = getLocalSubnetAddress(conn); transfer_subnet_address = calcTransferNetAddress(conn); diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c deleted file mode 100644 index 7a2643d9e..000000000 --- a/src/misc-progs/setdmzholes.c +++ /dev/null @@ -1,162 +0,0 @@ -/* SmoothWall helper program - setdmzhole - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $ - * - */ -#include "libsmooth.h" -#include -#include -#include -#include "setuid.h" - -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - int count; - char *protocol; - char *locip; - char *remip; - char *remport; - char *enabled; - char *src_net; - char *dst_net; - char s[STRING_SIZE]; - char *result; - struct keyvalue *kv = NULL; - char orange_dev[STRING_SIZE] = ""; - char blue_dev[STRING_SIZE] = ""; - char green_dev[STRING_SIZE] = ""; - char *idev; - char *odev; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_DEV", green_dev)) - { - fprintf(stderr, "Cannot read GREEN_DEV\n"); - exit(1); - } - findkey(kv, "BLUE_DEV", blue_dev); - findkey(kv, "ORANGE_DEV", orange_dev); - - if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r"))) - { - fprintf(stderr, "Couldn't open dmzholes settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F DMZHOLES"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - protocol = NULL; - locip = NULL; remip = NULL; - remport = NULL; - enabled = NULL; - src_net = NULL; - dst_net = NULL; - idev = NULL; - odev = NULL; - - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - locip = result; - else if (count == 2) - remip = result; - else if (count == 3) - remport = result; - else if (count == 4) - enabled = result; - else if (count == 5) - src_net = result; - else if (count == 6) - dst_net = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && locip && remip && remport && enabled)) - { - fprintf(stderr, "Bad line:\n"); - break; - } - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - if (!src_net) { src_net = strdup ("orange");} - if (!dst_net) { dst_net = strdup ("green");} - - if (!strcmp(src_net, "blue")) { idev = blue_dev; } - if (!strcmp(src_net, "orange")) { idev = orange_dev; } - if (!strcmp(dst_net, "blue")) { odev = blue_dev; } - if (!strcmp(dst_net, "green")) { odev = green_dev; } - - if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev)) - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c deleted file mode 100644 index a65aebd2a..000000000 --- a/src/misc-progs/setportfw.c +++ /dev/null @@ -1,369 +0,0 @@ -/* SmoothWall helper program - setportfw - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * 02/11/03 Darren Critchley modifications to allow it to open multiple - * source ip addresses - * 02/25/03 Darren Critchley modifications to allow port ranges - * 04/01/03 Darren Critchley modifications to allow gre protocol - * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly, - * tidied up the iptables logic, killed duplicated code, - * removed srciptmp (unecessary) - * - * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $ - * - */ - -#include -#include -#include -#include "libsmooth.h" -#include "setuid.h" - -struct keyvalue *kv = NULL; -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if(kv) - freekeyvalues(kv); - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - FILE *ipfile = NULL, *ifacefile = NULL; - int count; - char iface[STRING_SIZE] =""; - char locip[STRING_SIZE] =""; - char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] =""; - char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] =""; - char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] =""; - char *protocol; - char *srcip; - char *locport; - char *remip; - char *remport; - char *origip; - char *enabled; - char s[STRING_SIZE]; - char *result; - char *key1; - char *key2; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - /* Read in and verify config */ - kv=initkeyvalues(); - - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_ADDRESS", greenip)) - { - fprintf(stderr, "Cannot read GREEN_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(greenip)) - { - fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip); - exit(1); - } - - if (!findkey(kv, "GREEN_NETMASK", greenmask)) - { - fprintf(stderr, "Cannot read GREEN_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(greenmask)) - { - fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask); - exit(1); - } - - /* Get the BLUE interface details */ - findkey(kv, "BLUE_DEV", bluedev); - - if (strlen(bluedev)) - { - - if (!VALID_DEVICE(bluedev)) - { - fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev); - exit(1); - } - - if (!findkey(kv, "BLUE_ADDRESS", blueip)) - { - fprintf(stderr, "Cannot read BLUE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(blueip)) - { - fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip); - exit(1); - } - - if (!findkey(kv, "BLUE_NETMASK", bluemask)) - { - fprintf(stderr, "Cannot read BLUE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(bluemask)) - { - fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask); - exit(1); - } - - } - - /* Get the ORANGE interface details */ - findkey(kv, "ORANGE_DEV", orangedev); - - if (strlen(orangedev)) - { - - if (!VALID_DEVICE(orangedev)) - { - fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev); - exit(1); - } - - if (!findkey(kv, "ORANGE_ADDRESS", orangeip)) - { - fprintf(stderr, "Cannot read ORANGE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(orangeip)) - { - fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip); - exit(1); - } - - if (!findkey(kv, "ORANGE_NETMASK", orangemask)) - { - fprintf(stderr, "Cannot read ORANGE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(orangemask)) - { - fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask); - exit(1); - } - - } - - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - fgets(locip, STRING_SIZE, ipfile); - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - fgets(iface, STRING_SIZE, ifacefile); - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r"))) - { - fprintf(stderr, "Couldn't open portfw settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -t nat -F PORTFW"); - safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE"); - safe_system("/sbin/iptables -F PORTFWACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - key1 = NULL; - key2 = NULL; - protocol = NULL; - srcip = NULL; - locport = NULL; - remip = NULL; - origip = NULL; - remport = NULL; - enabled = NULL; - while (result) - { - if (count == 0) - key1 = result; - else if (count == 1) - key2 = result; - else if (count == 2) - protocol = result; - else if (count == 3) - locport = result; - else if (count == 4) - remip = result; - else if (count == 5) - remport = result; - else if (count == 6) - enabled = result; - else if (count == 7) - srcip = result; - else if (count == 8) - origip = result; - count++; - result = strtok(NULL, ","); - } - - if (!(key1 && key2 && protocol && locport && remip && remport && enabled - && srcip && origip)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (strcmp(protocol, "gre") == 0) - { - locport = "0"; - remport = "0"; - } - if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip)) - { - fprintf(stderr, "Bad IP: %s\n", origip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - if (!VALID_IP(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - /* check for source ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the - * local ip address. (This makes sure we can use old-style - * config files without the source ip) */ - if (!srcip || !strcmp(srcip, "0.0.0.0")) - srcip = locip; - if (strcmp(srcip,"0") && !VALID_IP(srcip)) - { - fprintf(stderr, "Bad source IP: %s\n", srcip); - exit(1); - } - - /* This may seem complicated... refer to portfw.pl for an explanation of - * the keys and their meaning in certain circumstances */ - - if (strcmp(enabled, "on") == 0) - { - - /* If key2 is a zero, then it is a portfw command, otherwise it is an - * external access command */ - if (strcmp(key2, "0") == 0) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip); - else - { - char *ctr; - /* If locport contains a - we need to change it to a : */ - if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';} - /* If remport contains a : we need to change it to a - */ - if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport); - safe_system(command); - /* Now if remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport); - if (strlen(bluedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport); - } - if (strlen(orangedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport); - } - } - safe_system(command); - } - - /* if key2 is not "0" then it's an external access rule, if key2 is "0" - * then the portfw rule may contain external access information if origip - * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open - * to all; again, check portfw.pl for more details) */ - if(strcmp(key2, "0") || strcmp(origip,"0") ) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip); - else - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport); - } - safe_system(command); - } - } - } - - return 0; -} diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c deleted file mode 100644 index 27a03e03a..000000000 --- a/src/misc-progs/setxtaccess.c +++ /dev/null @@ -1,168 +0,0 @@ -/* SmoothWall helper program - setxtaccess - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * - * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases - * - * 19/04/03 Robert Kerr Fixed root exploit - * - * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $ - * - */ - -#include -#include -#include -#include "setuid.h" - -FILE *ifacefile = NULL; -FILE *fwdfile = NULL; -FILE *ipfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - char iface[STRING_SIZE] = ""; - char locip[STRING_SIZE] = ""; - char s[STRING_SIZE] = ""; - int count; - char *protocol; - char *destip; - char *remip; - char *locport; - char *enabled; - char *information; - char *result; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - if (fgets(locip, STRING_SIZE, ipfile)) - { - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - } - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - if (fgets(iface, STRING_SIZE, ifacefile)) - { - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - } - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r"))) - { - fprintf(stderr, "Couldn't open xtaccess settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F XTACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - count = 0; - protocol = NULL; - remip = NULL; - destip = NULL; - locport = NULL; - enabled = NULL; - information = NULL; - result = strtok(s, ","); - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - remip = result; - else if (count == 2) - locport = result; - else if (count == 3) - enabled = result; - else if (count == 4) - destip = result; - else - information = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && remip && locport && enabled)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - - /* check for destination ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the current - * local ip address. (This makes sure we can use old-style - * config files without the destination ip) */ - if (!destip || !strcmp(destip, "0.0.0.0")) - destip = locip; - if (!VALID_IP(destip)) - { - fprintf(stderr, "Bad destination IP: %s\n", remip); - exit(1); - } - - if (strcmp(enabled, "on") == 0) - { - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", - iface, protocol, remip, destip, locport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 12b954baa..450aa368f 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c @@ -154,9 +154,7 @@ int main(void) (VALID_IP_AND_MASK(ipaddress))) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev); safe_system(command); } else { @@ -164,18 +162,14 @@ int main(void) if (strlen(macaddress) == 17) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); safe_system(command); } if (VALID_IP_AND_MASK(ipaddress)) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev); safe_system(command); } } diff --git a/src/patches/strongswan-4.5.3_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch similarity index 91% rename from src/patches/strongswan-4.5.3_ipfire.patch rename to src/patches/strongswan-5.0.2_ipfire.patch index 2ba975b1d..6606095b1 100644 --- a/src/patches/strongswan-4.5.3_ipfire.patch +++ b/src/patches/strongswan-5.0.2_ipfire.patch @@ -1,7 +1,8 @@ -diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in ---- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 -+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 -@@ -183,6 +183,29 @@ +diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in +index 3a40e21..d9f3ea0 100644 +--- a/src/_updown/_updown.in ++++ b/src/_updown/_updown.in +@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac @@ -31,7 +32,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { -@@ -387,12 +410,12 @@ +@@ -397,12 +420,12 @@ up-host:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -47,7 +48,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # # log IPsec host connection setup if [ $VPN_LOGGING ] -@@ -400,10 +423,10 @@ +@@ -410,10 +433,10 @@ up-host:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -60,7 +61,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi fi ;; -@@ -411,12 +434,12 @@ +@@ -421,12 +444,12 @@ down-host:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -76,7 +77,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # # log IPsec host connection teardown if [ $VPN_LOGGING ] -@@ -424,10 +447,10 @@ +@@ -434,10 +457,10 @@ down-host:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -89,7 +90,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi fi ;; -@@ -437,10 +460,10 @@ +@@ -447,24 +470,24 @@ up-client:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -101,9 +102,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT ++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN fi -@@ -449,12 +472,12 @@ + # + # a virtual IP requires an INPUT and OUTPUT rule on the host # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -119,7 +122,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi # # log IPsec client connection setup -@@ -463,12 +486,51 @@ +@@ -473,12 +496,51 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -173,7 +176,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd ;; down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down -@@ -476,11 +538,11 @@ +@@ -486,28 +548,28 @@ down-client:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -187,8 +190,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -490,14 +552,14 @@ +- $IPSEC_POLICY_IN -j ACCEPT ++ $IPSEC_POLICY_IN -j RETURN + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -206,7 +212,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi # # log IPsec client connection teardown -@@ -506,12 +568,51 @@ +@@ -516,12 +578,51 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -260,7 +266,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd ;; # # IPv6 -@@ -546,10 +647,10 @@ +@@ -556,10 +657,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -273,7 +279,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -570,10 +671,10 @@ +@@ -580,10 +681,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -286,7 +292,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -596,10 +697,10 @@ +@@ -606,10 +707,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -299,7 +305,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -608,10 +709,10 @@ +@@ -618,10 +719,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -312,7 +318,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -635,11 +736,11 @@ +@@ -645,11 +746,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -326,7 +332,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -649,11 +750,11 @@ +@@ -659,11 +760,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then