From 111c99ddfa3632a8c2788b9c6d70c5e6d8a1dfd4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 9 Aug 2013 14:02:02 +0200 Subject: [PATCH 001/306] Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes. Signed-off-by: Alexander Marx Conflicts: config/backup/include lfs/configroot lfs/usb-stick --- config/backup/include | 2 + config/cfgroot/general-functions.pl | 97 ++++++++++++- config/menu/50-firewall.menu | 36 ++--- config/rootfiles/common/configroot | 17 ++- config/rootfiles/common/i586/initscripts | 10 +- config/rootfiles/common/misc-progs | 3 +- langs/de/cgi-bin/de.pl | 135 ++++++++++++++++++ langs/en/cgi-bin/en.pl | 136 ++++++++++++++++++ lfs/configroot | 51 ++++--- lfs/initscripts | 13 +- src/initscripts/init.d/firewall | 19 ++- src/initscripts/init.d/network | 4 +- src/misc-progs/Makefile | 10 +- src/misc-progs/setdmzholes.c | 162 ---------------------- src/misc-progs/setxtaccess.c | 168 ----------------------- 15 files changed, 449 insertions(+), 414 deletions(-) delete mode 100644 src/misc-progs/setdmzholes.c delete mode 100644 src/misc-progs/setxtaccess.c diff --git a/config/backup/include b/config/backup/include index c863a0e56..232ac4897 100644 --- a/config/backup/include +++ b/config/backup/include @@ -15,6 +15,8 @@ /var/ipfire/auth/users /var/ipfire/dhcp/* /var/ipfire/dnsforward/* +/var/ipfire/forward/* +/var/ipfire/fwhosts/* /var/ipfire/main/* /var/ipfire/outgoing/groups /var/ipfire/outgoing/macgroups diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 41643d8d7..d81c8bb98 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl 
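Review bot: `/var/ipfire/forward/*` in the backup include list also captures `forward/bin/rules.pl` and `forward/bin/firewall-lib.pl`, which lfs/configroot in this same patch installs as code (rules.pl is made executable with chmod 755), so a restore would overwrite the shipped scripts with whatever version the archive holds, assuming the include globs descend into subdirectories. The neighbouring entries avoid this by naming data paths (`/var/ipfire/outgoing/groups`, `/var/ipfire/outgoing/macgroups`) rather than globbing a directory that has a `bin/` child. I would list the data files instead: `/var/ipfire/forward/settings`, `/var/ipfire/forward/config`, `/var/ipfire/forward/input` (the names the configroot rootfile in this patch declares).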
@@ -21,8 +21,8 @@ use Net::SSLeay; use Net::IPv4Addr qw(:all); $|=1; # line buffering -$General::version = 'VERSION'; -$General::swroot = 'CONFIG_ROOT'; +$General::version = '2.11'; +$General::swroot = '/var/ipfire'; $General::noipprefix = 'noipg-'; $General::adminmanualurl = 'http://wiki.ipfire.org'; 
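Review bot: `$General::version = '2.11'` and `$General::swroot = '/var/ipfire'` replace the `VERSION`/`CONFIG_ROOT` placeholders with literal values, pinning the version string and config root into the source; the lfs/configroot hunk later in this patch still runs `sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" -e "s+VERSION+$(VERSION)+g"`, which presumably is what fills these tokens in at build time (its comment names header.pl, so whether it also covers general-functions.pl is not visible here). This looks like a development-tree edit that leaked into the patch: every later release would keep reporting 2.11 unless someone remembers to bump this line by hand. I would restore the placeholders, `$General::version = 'VERSION';` and `$General::swroot = 'CONFIG_ROOT';`.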
@@ -39,6 +39,99 @@ sub log $logmessage = $1; system('logger', '-t', $tag, $logmessage); } +sub setup_default_networks +{ + my %netsettings=(); + my $defaultNetworks = shift; + + &readhash("/var/ipfire/ethernet/settings", \%netsettings); + + # Get current defined networks (Red, Green, Blue, Orange) + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0"; + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL"; + + $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN"; + + if ($netsettings{'ORANGE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE"; + } + + if ($netsettings{'BLUE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE"; + } + + # OpenVPN + if(-e "${General::swroot}/ovpn/settings") + { + my %ovpnSettings = (); + &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings); + + # OpenVPN on Red? 
+ if(defined($ovpnSettings{'DOVPN_SUBNET'})) + { + my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'}); + $sub=&General::iporsubtocidr($sub); + my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'}); + $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0]; + $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn"; + } + } # end OpenVPN + # IPsec RW NET + if(-e "${General::swroot}/vpn/settings") + { + my %ipsecsettings = (); + &readhash("${General::swroot}/vpn/settings", \%ipsecsettings); + if($ipsecsettings{'RW_NET'} ne '') + { + my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'}); + $sub=&General::iporsubtocidr($sub); + my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'}); + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0]; + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW"; + } + } + #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + #my @current = ; + #close(FILE); + #my $ctr = 0; + #foreach my $line (@current) + #{ + #if ($line ne ''){ + #chomp($line); + #my @temp = split(/\,/,$line); + #if ($temp[2] eq '') { + #$temp[2] = "Alias $ctr : $temp[0]"; + #} + #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]"; + #$ctr++; + #} + #} +} +sub get_aliases +{ + + my $defaultNetworks = shift; + open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + my @current = ; + close(FILE); + my $ctr = 0; + foreach my $line (@current) + { + if ($line ne ''){ + chomp($line); + my @temp = split(/\,/,$line); + if ($temp[2] eq '') { + $temp[2] = "Alias $ctr : $temp[0]"; + } + $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]"; + + $ctr++; + } + } +} sub readhash { diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index de28f8e25..90baa65b2 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu 
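Review bot: `get_aliases` opens the aliases file with a bareword handle and two-argument `open`, and because `$line ne ''` is tested before `chomp`, a blank line in the file (which arrives as `"\n"`, never `''`) falls through to `split` and produces a bogus `"Alias N : "` entry with an empty `IPT` value; the read itself appears garbled in this rendering (`my @current = ;`, presumably `<FILE>`), so the committed file is worth checking. `setup_default_networks` reads `/var/ipfire/ethernet/settings` as a literal path while every other path in the sub goes through `${General::swroot}`, and its OpenVPN and IPsec entries store the address under `'ADR'` whereas the any/GREEN/ORANGE/BLUE entries use `'IPT'`, so a consumer keyed on `IPT` would silently skip the VPN networks unless that asymmetry is intentional (the consumer is not in this patch). The twenty-odd commented-out lines at the end of `setup_default_networks` duplicate `get_aliases` verbatim and should be dropped rather than kept as dead code. A rewrite of `get_aliases` with a lexical three-argument open and blank-line skipping follows; `readhash` starts after the hunk ends.
```perl
sub get_aliases
{
	my $defaultNetworks = shift;
	# Three-argument open with a lexical handle; the path is fixed, but this
	# keeps the global FILE bareword out of the package namespace.
	open(my $fh, '<', "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
	my $ctr = 0;
	while (my $line = <$fh>) {
		chomp($line);
		# Skip blank lines: testing before chomp never matched them because they still held "\n".
		next if $line eq '';
		my @temp = split(/\,/,$line);
		if ($temp[2] eq '') {
			$temp[2] = "Alias $ctr : $temp[0]";
		}
		$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
		$ctr++;
	}
	close($fh);
}
```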
@@ -4,49 +4,37 @@ 'title' => "$Lang::tr{'ssport forwarding'}", 'enabled' => 1, }; - $subfirewall->{'20.xtaccess'} = { - 'caption' => $Lang::tr{'external access'}, - 'uri' => '/cgi-bin/xtaccess.cgi', - 'title' => "$Lang::tr{'external access'}", - 'enabled' => 1, - }; $subfirewall->{'30.wireless'} = { 'caption' => $Lang::tr{'blue access'}, 'uri' => '/cgi-bin/wireless.cgi', 'title' => "$Lang::tr{'blue access'}", 'enabled' => 1, }; - $subfirewall->{'40.dmz'} = { - 'caption' => $Lang::tr{'ssdmz pinholes'}, - 'uri' => '/cgi-bin/dmzholes.cgi', - 'title' => "$Lang::tr{'dmz pinhole configuration'}", + $subfirewall->{'51.forward'} = { + 'caption' => $Lang::tr{'fwdfw menu'}, + 'uri' => '/cgi-bin/forwardfw.cgi', + 'title' => "$Lang::tr{'fwdfw menu'}", 'enabled' => 1, - }; - $subfirewall->{'50.outgoing'} = { - 'caption' => $Lang::tr{'outgoing firewall'}, - 'uri' => '/cgi-bin/outgoingfw.cgi', - 'title' => "$Lang::tr{'outgoing firewall'}", + }; + $subfirewall->{'65.fwhost'} = { + 'caption' => $Lang::tr{'fwhost menu'}, + 'uri' => '/cgi-bin/fwhosts.cgi', + 'title' => "$Lang::tr{'fwhost menu'}", 'enabled' => 1, }; - $subfirewall->{'51.outgoinggrp'} = { - 'caption' => $Lang::tr{'outgoing firewall groups'}, - 'uri' => '/cgi-bin/outgoinggrp.cgi', - 'title' => "$Lang::tr{'outgoing firewall groups'}", - 'enabled' => 1, - }; - $subfirewall->{'60.upnp'} = { + $subfirewall->{'70.upnp'} = { 'caption' => 'UPnP', 'uri' => '/cgi-bin/upnp.cgi', 'title' => "Universal Plug and Play", 'enabled' => 0, }; - $subfirewall->{'60.optingsfw'} = { + $subfirewall->{'80.optingsfw'} = { 'caption' => $Lang::tr{'options fw'}, 'uri' => '/cgi-bin/optionsfw.cgi', 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; - $subfirewall->{'70.iptables'} = { + $subfirewall->{'90.iptables'} = { 'caption' => $Lang::tr{'ipts'}, 'uri' => '/cgi-bin/iptables.cgi', 'title' => "$Lang::tr{'ipts'}", diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 8965ff70e..7a23b8c61 100644 
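Review bot: The outgoing firewall keeps running but loses its only UI entry: with `50.outgoing` and `51.outgoinggrp` gone from the menu, the rest of this patch still builds `outgoingfwctrl`, installs `outgoing/bin/outgoingfw.pl` (chmod 755 in lfs/configroot) and links it into `red.up/22-outgoingfwctrl`, so existing outgoing rules are re-applied on every red.up with no page left to inspect or disable them. If the forward firewall is meant to supersede the outgoing and xtaccess pages, the outgoing components should be retired in the same patch, or the entries should stay until a migration exists. The new entries point at `/cgi-bin/forwardfw.cgi` and `/cgi-bin/fwhosts.cgi`, neither of which is among the 15 files in this patch's diffstat, so the menu links dangle until those land in a later patch of the series.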
--- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -26,8 +26,6 @@ var/ipfire/dhcp #var/ipfire/dhcp/fixleases #var/ipfire/dhcp/settings var/ipfire/dhcpc -var/ipfire/dmzholes -#var/ipfire/dmzholes/config var/ipfire/dns #var/ipfire/dns/settings var/ipfire/dnsforward @@ -47,6 +45,19 @@ var/ipfire/extrahd/partitions var/ipfire/extrahd/scan var/ipfire/extrahd/settings var/ipfire/fwlogs +var/ipfire/forward +var/ipfire/forward/bin/rules.pl +var/ipfire/forward/bin/firewall-lib.pl +var/ipfire/forward/settings +var/ipfire/forward/config +var/ipfire/forward/input +var/ipfire/fwhosts +var/ipfire/fwhosts/icmp-types +var/ipfire/fwhosts/customhosts +var/ipfire/fwhosts/customnetworks +var/ipfire/fwhosts/customgroups +var/ipfire/fwhosts/customservices +var/ipfire/fwhosts/customservicegrp #var/ipfire/fwlogs/ipsettings #var/ipfire/fwlogs/portsettings var/ipfire/general-functions.pl @@ -188,7 +199,5 @@ var/ipfire/wakeonlan var/ipfire/wireless #var/ipfire/wireless/config #var/ipfire/wireless/settings -var/ipfire/xtaccess -#var/ipfire/xtaccess/config var/ipfire/firebuild etc/system-release diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 3aca59ece..cf606440c 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
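Review bot: The new `var/ipfire/forward` and `var/ipfire/fwhosts` entries are inserted between `var/ipfire/fwlogs` and its commented children `#var/ipfire/fwlogs/ipsettings` / `#var/ipfire/fwlogs/portsettings`, splitting that group, and `forward` sorts before both `fwhosts` and `fwlogs`. I would move the block up so it sits before `var/ipfire/fwlogs`, keeping the file in path order and the fwlogs entries together.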
@@ -84,11 +84,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl -etc/rc.d/init.d/networking/red.up/23-RS-snort -etc/rc.d/init.d/networking/red.up/24-RS-qos -etc/rc.d/init.d/networking/red.up/25-portfw -etc/rc.d/init.d/networking/red.up/26-xtaccess -etc/rc.d/init.d/networking/red.up/27-RS-squid +etc/rc.d/init.d/networking/red.up/23-forwardfwctrl +etc/rc.d/init.d/networking/red.up/24-RS-snort +etc/rc.d/init.d/networking/red.up/25-RS-qos +etc/rc.d/init.d/networking/red.up/26-portfw +etc/rc.d/init.d/networking/red.up/28-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac etc/rc.d/init.d/networking/red.up/50-ipsec diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 8fd9b0bfc..d2d2a5de2 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -16,6 +16,7 @@ usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl usr/local/bin/outgoingfwctrl +usr/local/bin/forwardfwctrl usr/local/bin/pakfire usr/local/bin/qosctrl usr/local/bin/rebuildhosts @@ -23,9 +24,7 @@ usr/local/bin/rebuildroutes usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases -usr/local/bin/setdmzholes usr/local/bin/setportfw -usr/local/bin/setxtaccess usr/local/bin/smartctrl usr/local/bin/snortctrl usr/local/bin/squidctrl diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 021682f70..a6989d3fe 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -885,6 +885,141 @@ 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu', 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu', 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu', +'forward firewall' => 'Firewall', +'fwdfw additional' => 'Zusätzlich', +'fwdfw action' => 'Aktion', +'fwdfw menu' => 'Firewall', +'fwdfw addrule' => 'Neue Regel hinzufügen:', +'fwdfw addr grp' => 'Adress Gruppen:', +'fwdfw change' => 'Aktualisieren', +'fwdfw cust addr' => 'Custom Adressen:', +'fwdfw cust net' => 'Custom Netzwerke:', +'fwdfw copy' => 'Kopieren', +'fwdfw delete' => 'Löschen', +'fwdfw edit' => 'Bearbeiten', +'fwdfw err nosrc' => 'Keine Quelle gewählt.', +'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.', +'fwdfw err notgt' => 'Kein Ziel gewählt.', +'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.', +'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.', +'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.', +'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.', +'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.', +'fwdfw err same' => 'Quelle und Ziel sind identisch.', +'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.', +'fwdfw err srcport' => 'Bitte Quellport angeben.', +'fwdfw err tgtport' => 'Bitte Zielport angeben.', +'fwdfw err tgt_addr' => 'Ziel-IP ungültig.', +'fwdfw err tgt_port' => 'Ziel Port ungültig', +'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.', +'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.', +'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.', +'fwdfw from' => 'Von:', +'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.', +'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', +'fwdfw ipsec network' => 'IPsec Netzwerke:', +'fwdfw log rule' => 
'Log Regel', +'fwdfw man port' => 'Port(s) manuel:', +'fwdfw moveup' => 'Hoch', +'fwdfw movedown' => 'Runter', +'fwdfw reread' => 'Übernehmen', +'fwdfw rules' => 'Regeln', +'fwdfw rule action' => 'Regel Aktion:', +'fwdfw rule activate' => 'Regel aktivieren', +'fwdfw source' => 'Quelle', +'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):', +'fwdfw std network' => 'Standard Netzwerke:', +'fwdfw target' => 'Ziel', +'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):', +'fwdfw till' => 'Bis:', +'fwdfw time' => 'Zeitrahmen:', +'fwdfw timeframe' => 'Zeitrahmen hinzufügen', +'fwdfw toggle' => 'Aktivieren oder deaktivieren', +'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw use srcport' => 'Quellport benutzen', +'fwdfw use srv' => 'Ziel-Dienstport benutzen', +'fwdfw newrule' => 'Neue Regel', +'fwdfw wd_mon' => 'Mo', +'fwdfw wd_tue' => 'Di', +'fwdfw wd_wed' => 'Mi', +'fwdfw wd_thu' => 'Do', +'fwdfw wd_fri' => 'Fr', +'fwdfw wd_sat' => 'Sa', +'fwdfw wd_sun' => 'So', +'fwhost addgrp' => 'Gruppe:', +'fwhost addgrpname' => 'Gruppenname:', +'fwhost addhost' => 'Adresse:', +'fwhost addnet' => 'Netzwerk:', +'fwhost addrule' => 'Neue Regel hinzufügen:', +'fwhost any' => 'Alle', +'fwhost attention' => 'ACHTUNG', +'fwhost back' => 'Übernehmen', +'fwhost blue' => 'Blau', +'fwhost ccdhost' => 'OpenVPN Clients:', +'fwhost ccdnet' => 'OpenVPN Netzwerke:', +'fwhost change' => 'Ändern', +'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.', +'fwhost cust addr' => 'Custom Adressen:', +'fwhost cust grp' => 'Custom Gruppen:', +'fwhost cust net' => 'Custom Netzwerke:', +'fwhost cust service' => 'Custom Dienste:', +'fwhost cust srvgrp' => 'Custom Dienstgruppen', +'fwhost deleted' => 'Gelöscht', +'fwhost empty' => 'Keine Einträge vorhanden', +'fwhost err addr' => 'IP oder Subnetzmaske ungültig.', +'fwhost err addrgrp' => 'Bitte gruppenname angeben.', +'fwhost err empty' => 'Bitte alle Felder füllen.', +'fwhost err grpexist' => 'Gruppe existiert bereits.', 
+'fwhost err groupempty' => 'Gewählte Gruppe ist leer.', +'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', +'fwhost err name1' => 'Name muss gefüllt sein.', +'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!', +'fwhost err net' => 'Netzwerk IP existiert bereits', +'fwhost err mac' => 'MAC Adresse ungültig.', +'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.', +'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.', +'fwhost err hostorip' => 'Name oder IP Adresse ungültig.', +'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.', +'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.', +'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.', +'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.', +'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.', +'fwhost err ip' => 'IP Addresse ungültig.', +'fwhost err ipmac' => 'IP/MAC Addresse ungültig.', +'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.', +'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.', +'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.', +'fwhost err port' => 'Port muss gefüllt sein.', +'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.', +'fwhost err sub32' => 'Bitte Host hinzufügen. 
Dieses Subnetz ist kein Netzwerk.', +'fwhost green' => 'Grün', +'fwhost hosts' => 'Firewall Hosts', +'fwhost hint' => 'Hinweis', +'fwhost icmptype' => 'ICMP-Typ:', +'fwhost ipadr' => 'IP Adresse:', +'fwhost ip_mac' => 'IP/MAC Adresse', +'fwhost ipsec host' => 'IpSec Clients:', +'fwhost ipsec net' => 'IpSec Netzwerke:', +'fwhost newnet' => 'Netz Einstellungen', +'fwhost newhost' => 'Adress Einstellungen', +'fwhost newgrp' => 'Adress Gruppierung', +'fwhost newservice' => 'Dienst Einstellungen', +'fwhost newservicegrp' => 'Dienst Gruppierung', +'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.', +'fwhost menu' => 'Firewall Gruppen', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN N-2-N', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protokoll', +'fwhost reset' => 'Abbrechen', +'fwhost services' => 'Dienste', +'fwhost srv_name' => 'Dienstname', +'fwhost stdnet' => 'Standard Netzwerke:', +'fwhost type' => 'Typ', +'fwhost used' => 'Benutzt', +'fwhost wo subnet' => '(Ohne Subnetz)', 'free' => 'Frei', 'free memory' => 'Freier Speicher ', 'free swap' => 'Freier Swap', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2e04c468d..77e24130d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -910,6 +910,142 @@ 'forwarding rule added' => 'Forwarding rule added; restarting forwarder', 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder', 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder', +'forward firewall' => 'Firewall', +'fwdfw additional' => 'Additional', +'fwdfw action' => 'Action', +'fwdfw menu' => 'Firewall', +'fwdfw addrule' => 'Add new rule:', +'fwdfw addr grp' => 'Adress groups:', +'fwdfw change' => 'Update', +'fwdfw cust addr' => 'Custom addresses:', +'fwdfw cust net' => 'Custom networks:', +'fwdfw copy' => 'Copy', +'fwdfw delete' => 'Delete', +'fwdfw edit' => 'Edit', +'fwdfw err nosrc' => 'No source selected.', +'fwdfw err nosrcip' => 'Please provide source IP address.', +'fwdfw err notgt' => 'No target selected.', +'fwdfw err notgtip' => 'Please provide target IP address.', +'fwdfw err prot' => 'Source and target protocol have to match.', +'fwdfw err remark' => 'Invalid chars in remark.', +'fwdfw err ruleexists' => 'This rule already exists.', +'fwdfw err src_addr' => 'Invalid source MAC/IP.', +'fwdfw err same' => 'Identical source and target', +'fwdfw err samesub' => 'Source and target IP adress are in same subnet.', +'fwdfw err srcport' => 'Please provide source port.', +'fwdfw err tgtport' => 'Please provide target port.', +'fwdfw err tgt_addr' => 'Invalid target IP-address.', +'fwdfw err tgt_port' => 'Invalid target port', +'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.', +'fwdfw err tgt_grp' => 'Target servicegroup is empty', +'fwdfw err time' => 'You have to define at least one day.', +'fwdfw from' => 'From:', +'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.', +'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ', +'fwdfw ipsec network' => 'IpSec networks:', +'fwdfw log rule' => 'Log rule', +'fwdfw man port' => 'Port(s) manual:', +'fwdfw moveup' => 'Move up', +'fwdfw movedown' => 
'Move down', +'fwdfw reread' => 'Apply', +'fwdfw rules' => 'Rules', +'fwdfw rule action' => 'Rule action:', +'fwdfw rule activate' => 'Activate rule', +'fwdfw source' => 'Source', +'fwdfw sourceip' => 'Source address (MAC, IP or Network):', +'fwdfw std network' => 'Standard networks:', +'fwdfw target' => 'Target', +'fwdfw targetip' => 'Target address (IP or network):', +'fwdfw till' => 'Till:', +'fwdfw time' => 'Timeframe:', +'fwdfw timeframe' => 'Add timeframe', +'fwdfw toggle' => 'Activate or deactivate', +'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw use srcport' => 'Use sourceport', +'fwdfw use srv' => 'Use targetport', +'fwdfw newrule' => 'New rule', +'fwdfw wd_mon' => 'Mon', +'fwdfw wd_tue' => 'Tue', +'fwdfw wd_wed' => 'Wed', +'fwdfw wd_thu' => 'Thu', +'fwdfw wd_fri' => 'Fri', +'fwdfw wd_sat' => 'Sat', +'fwdfw wd_sun' => 'Sun', +'fwhost addgrp' => 'Group:', +'fwhost addgrpname' => 'Groupname:', +'fwhost addhost' => 'Address:', +'fwhost addnet' => 'Network:', +'fwhost addrule' => 'Add new rule:', +'fwhost any' => 'Any', +'fwhost attention' => 'ATTENTION', +'fwhost back' => 'commit', +'fwhost blue' => 'Blue', +'fwhost ccdhost' => 'OpenVPN clients:', +'fwhost ccdnet' => 'OpenVPN networks:', +'fwhost change' => 'Modify', +'fwhost changeremark' => 'You just modified the remark!', +'fwhost cust addr' => 'Custom addresses:', +'fwhost cust grp' => 'Custom groups:', +'fwhost cust net' => 'Custom networks:', +'fwhost cust service' => 'Custom services:', +'fwhost cust srvgrp' => 'Custom servicegroups', +'fwhost deleted' => 'Deleted', +'fwhost empty' => 'No entries by now', +'fwhost err addr' => 'Invalid IP or subnet!', +'fwhost err addrgrp' => 'Please provide a groupname!', +'fwhost err empty' => 'Please fill in all fields!', +'fwhost err grpexist' => 'Group already exists!', +'fwhost err groupempty' => 'Selected Group is empty!', +'fwhost err name' => 'Name invalid. 
Allowed: a-z, A-Z, 0-9 space and minus.', +'fwhost err name1' => 'Name is empty.', +'fwhost err netexist' => 'A network with this name already exists!', +'fwhost err net' => 'Network IP already exists', +'fwhost err mac' => 'MAC address invalid', +'fwhost err hostexist' => 'A host with this name already exists!', +'fwhost err hostip' => 'Net or broadcast not allowed!', +'fwhost err hostorip' => 'Name or IP invalid.', +'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!', +'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!', +'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!', +'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!', +'fwhost err isingrp' => 'This entry already exists in the group!', +'fwhost err ip' => 'IP address invalid.', +'fwhost err ipmac' => 'IP/MAC address invalid.', +'fwhost err ipcheck' => 'This IP address is already in use!', +'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask', +'fwhost err partofnet' => 'This network is part of an already existing one!', +'fwhost err port' => 'Port is empty.', +'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err srv exists' => 'A Service with this name already exists.', +'fwhost err sub32' => 'Please add single host. 
This subnet is no network!', +'fwhost green' => 'Green', +'fwhost hosts' => 'Firewall Hosts', +'fwhost hint' => 'Note', +'fwhost icmptype' => 'ICMP type:', +'fwhost ipadr' => 'IP address:', +'fwhost ip_mac' => 'IP/MAC address', +'fwhost ipsec host' => 'IPsec clients:', +'fwhost ipsec net' => 'IPsec networks:', +'fwhost netaddress' => 'Network address:', +'fwhost newnet' => 'Network', +'fwhost newhost' => 'Host', +'fwhost newgrp' => 'Address grouping', +'fwhost newservice' => 'Service', +'fwhost newservicegrp' => 'Service grouping', +'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!', +'fwhost menu' => 'Firewall Groups', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN N-2-N', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protocol', +'fwhost reset' => 'Cancel', +'fwhost services' => 'Services', +'fwhost srv_name' => 'Servicename', +'fwhost stdnet' => 'Standard networks:', +'fwhost type' => 'Type', +'fwhost used' => 'Used', +'fwhost wo subnet' => '(without subnet)', 'free' => 'Free', 'free memory' => 'Free Memory ', 'free swap' => 'Free Swap', diff --git a/lfs/configroot b/lfs/configroot index 118523685..5280d8c28 100644 --- a/lfs/configroot +++ b/lfs/configroot 
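Review bot: `'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe'` in en.pl is the German text copied from de.pl and should be English, e.g. `'This service is already in the group.'`. de.pl, for its part, lacks the `'fwhost netaddress'` key that en.pl defines, so German users would presumably get an empty label wherever it is used. A few of the new English strings also carry typos worth fixing while here: `'Adress groups:'`, `'adress are in same subnet'` and `'my be in same subnet'` (may), and `IpSec` versus `IPsec` is used inconsistently between `'fwdfw ipsec network'` and `'fwhost ipsec net'`.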
@@ -50,59 +50,62 @@ $(TARGET) : @$(PREBUILD) # Create all directories - for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \ - ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ + for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ + ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ + ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \ net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \ outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ - wakeonlan wireless xtaccess ; do \ + wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ done # Touch empty files for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ - dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ + dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \ + forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings 
outgoing/rules \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ - ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ + ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ - touch $(CONFIG_ROOT)/$$i; \ + touch $(CONFIG_ROOT)/$$i; \ done # Copy initial configfiles cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ - cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/ cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings - cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ + cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl - cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl + cp 
$(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server - cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols - cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ - cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ + cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols + cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ + cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 - cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ - cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings - cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config + cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ + cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings - cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings + cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans - cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ - + cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ + cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl + cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl + cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types # Oneliner configfiles echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings 
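Review bot: The mkdir loop now lists the `ethernet extrahd/bin fwlogs isdn key ... net-traffic` continuation twice, once as the retained original line and once as the new `+` line that adds `fwhosts forward forward/bin` in the middle, and the touch loop likewise repeats `fwlogs/ipsettings fwlogs/portsettings` at the end of the new `forward/settings ... fwhosts/customservicegrp` line although the unchanged line before it already ends with them. `mkdir -p` and `touch` tolerate duplicates so nothing breaks, but this reads as merge residue (the commit records conflicts in lfs/configroot) and the original line should be edited in place instead: `ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \`. Most of the other `-`/`+` pairs in this hunk (`countries.pl`, `menu/*`, `p2protocols`, `ssh-settings`, `logging-settings`, `langs/list`) differ only in whitespace and bury the real additions, the three `cp` lines for `forwardfw/rules.pl`, `forwardfw/firewall-lib.pl` and `fwhosts/icmp-types`; if any of those recipe lines lost its leading tab in the process, make will reject it, which the collapsed rendering here cannot show.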
@@ -115,6 +118,14 @@ $(TARGET) : echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings + # Set outgoingfw.pl executable + chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl + + # set rules.pl executable + chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl + + + # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ @@ -140,7 +151,5 @@ $(TARGET) : done chown root:nobody $(CONFIG_ROOT)/dhcpc - # Set outgoingfw.pl executable - chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl - + @$(POSTBUILD) diff --git a/lfs/initscripts b/lfs/initscripts index 6549147a8..f4ad0f7fe 100644 --- a/lfs/initscripts +++ b/lfs/initscripts 
@@ -181,18 +181,17 @@ $(TARGET) : ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall ln -sf ../../../../../usr/local/bin/outgoingfwctrl \ /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl + ln -sf ../../../../../usr/local/bin/forwardfwctrl \ + /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ - /etc/rc.d/init.d/networking/red.up/23-RS-snort + /etc/rc.d/init.d/networking/red.up/24-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ - /etc/rc.d/init.d/networking/red.up/24-RS-qos + /etc/rc.d/init.d/networking/red.up/25-RS-qos ln -sf ../../../../../usr/local/bin/setportfw \ - /etc/rc.d/init.d/networking/red.up/25-portfw - ln -sf ../../../../../usr/local/bin/setxtaccess \ - /etc/rc.d/init.d/networking/red.up/26-xtaccess + /etc/rc.d/init.d/networking/red.up/26-portfw ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl - ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid - + ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall ln -sf ../../../../../usr/local/bin/dialctrl.pl \ diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0237297e7..467d1b9ab 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -195,6 +195,14 @@ case "$1" in # Outgoing Firewall /sbin/iptables -A FORWARD -j OUTGOINGFWMAC + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW + # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo 
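Review bot: The renumbering (`23-RS-snort` to `24-RS-snort`, `24-RS-qos` to `25-RS-qos`, `25-portfw` to `26-portfw`, `27-RS-squid` to `28-RS-squid`) changes symlink names that the rootfile lists must match, and only `config/rootfiles/common/i586/initscripts` is updated in this patch; if other architectures carry their own initscripts rootfile (not visible here) they need the same edit or their builds will flag the stale paths. The removed `26-xtaccess` hook gets no replacement in red.up, so the `INPUTFW` chain created in `init.d/firewall` presumably relies on the new `23-forwardfwctrl` link to populate it as well; a comment on that `ln -sf` line stating that forwardfwctrl covers both FORWARDFW and INPUTFW would make the dependency explicit. Leaving number 27 unused is harmless but deserves a one-line comment so the gap is not "fixed" by a later renumbering.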
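Review bot: `/sbin/iptables -A FORWARD -j FORWARDFW` hooks the new chain without the `-m state --state NEW` match that the `INPUTFW` hook two lines below and the existing `PORTFWACCESS` hook use, so every forwarded packet, established and related traffic included, traverses FORWARDFW. If that is intentional (for instance so rules in the chain can log or cut traffic mid-connection) it deserves a comment, because a DROP rule there will then also hit return traffic of connections accepted elsewhere unless an ESTABLISHED accept precedes it in FORWARD, which this hunk does not show. Otherwise I would write `/sbin/iptables -A FORWARD -m state --state NEW -j FORWARDFW` to match the other two hooks. The enclosing `case` branch starts and ends outside the hunk.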
@@ -234,17 +242,6 @@ case "$1" in iptables_red - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES - fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 9ff220011..02df4bc97 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -47,9 +47,7 @@ init_networking() { # (exit ${failed}) # evaluate_retval - boot_mesg "Setting up DMZ pinholes" - /usr/local/bin/setdmzholes; evaluate_retval - + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then boot_mesg "Setting up wireless firewall rules" /usr/local/bin/wirelessctrl; evaluate_retval diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 4d09fbf65..306773fb6 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall COMPILE=$(CC) $(CFLAGS) PROGS = iowrap -SUID_PROGS = setdmzholes setportfw setxtaccess \ +SUID_PROGS = setportfw \ squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl outgoingfwctrl \ + logwatch openvpnctrl outgoingfwctrl forwardfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ +forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c deleted file mode 100644 index 7a2643d9e..000000000 --- a/src/misc-progs/setdmzholes.c +++ /dev/null 
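Review bot: The new `forwardfwctrl` target compiles `forwardfwctrl.c`, but that source is not part of this commit (the diffstat lists only the Makefile change, the two deleted helpers and the config/initscript edits), so `make` in src/misc-progs fails until it lands; the same gap applies to the `SUID_PROGS` entry in the `@@ -24,11 +24,11 @@` hunk and to the `/usr/local/bin/forwardfwctrl` symlink in lfs/initscripts. Since it is listed under `SUID_PROGS` it will be installed setuid root, so the commit that adds it should carry the field validation (`VALID_PROTOCOL`, `VALID_IP_AND_MASK`, `VALID_PORT_RANGE`) that `setdmzholes.c` and `setxtaccess.c` performed before being deleted here, or the note should say where that validation now happens.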
@@ -1,162 +0,0 @@ -/* SmoothWall helper program - setdmzhole - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $ - * - */ -#include "libsmooth.h" -#include -#include -#include -#include "setuid.h" - -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - int count; - char *protocol; - char *locip; - char *remip; - char *remport; - char *enabled; - char *src_net; - char *dst_net; - char s[STRING_SIZE]; - char *result; - struct keyvalue *kv = NULL; - char orange_dev[STRING_SIZE] = ""; - char blue_dev[STRING_SIZE] = ""; - char green_dev[STRING_SIZE] = ""; - char *idev; - char *odev; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_DEV", green_dev)) - { - fprintf(stderr, "Cannot read GREEN_DEV\n"); - exit(1); - } - findkey(kv, "BLUE_DEV", blue_dev); - findkey(kv, "ORANGE_DEV", orange_dev); - - if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r"))) - { - fprintf(stderr, "Couldn't open dmzholes settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F DMZHOLES"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - protocol = NULL; - locip = NULL; remip = NULL; - remport = NULL; - enabled = NULL; - src_net = NULL; - dst_net = NULL; - idev = NULL; - odev = NULL; - - while (result) - { 
- if (count == 0) - protocol = result; - else if (count == 1) - locip = result; - else if (count == 2) - remip = result; - else if (count == 3) - remport = result; - else if (count == 4) - enabled = result; - else if (count == 5) - src_net = result; - else if (count == 6) - dst_net = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && locip && remip && remport && enabled)) - { - fprintf(stderr, "Bad line:\n"); - break; - } - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - if (!src_net) { src_net = strdup ("orange");} - if (!dst_net) { dst_net = strdup ("green");} - - if (!strcmp(src_net, "blue")) { idev = blue_dev; } - if (!strcmp(src_net, "orange")) { idev = orange_dev; } - if (!strcmp(dst_net, "blue")) { odev = blue_dev; } - if (!strcmp(dst_net, "green")) { odev = green_dev; } - - if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev)) - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c deleted file mode 100644 index 27a03e03a..000000000 --- a/src/misc-progs/setxtaccess.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* SmoothWall helper program - setxtaccess - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * - * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases - * - * 19/04/03 Robert Kerr Fixed root exploit - * - * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $ - * - */ - -#include -#include -#include -#include "setuid.h" - -FILE *ifacefile = NULL; -FILE *fwdfile = NULL; -FILE *ipfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - char iface[STRING_SIZE] = ""; - char locip[STRING_SIZE] = ""; - char s[STRING_SIZE] = ""; - int count; - char *protocol; - char *destip; - char *remip; - char *locport; - char *enabled; - char *information; - char *result; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - if (fgets(locip, STRING_SIZE, ipfile)) - { - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - } - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - if (fgets(iface, STRING_SIZE, ifacefile)) - { - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - } - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r"))) - { - fprintf(stderr, "Couldn't open xtaccess settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F XTACCESS"); - - 
while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - count = 0; - protocol = NULL; - remip = NULL; - destip = NULL; - locport = NULL; - enabled = NULL; - information = NULL; - result = strtok(s, ","); - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - remip = result; - else if (count == 2) - locport = result; - else if (count == 3) - enabled = result; - else if (count == 4) - destip = result; - else - information = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && remip && locport && enabled)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - - /* check for destination ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the current - * local ip address. (This makes sure we can use old-style - * config files without the destination ip) */ - if (!destip || !strcmp(destip, "0.0.0.0")) - destip = locip; - if (!VALID_IP(destip)) - { - fprintf(stderr, "Bad destination IP: %s\n", remip); - exit(1); - } - - if (strcmp(enabled, "on") == 0) - { - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", - iface, protocol, remip, destip, locport); - safe_system(command); - } - } - - return 0; -} From 2a81ab0d7701a7afd049d3ca5a28dc4e0fbffd20 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Fri, 28 Dec 2012 08:26:07 +0100 Subject: [PATCH 002/306] Forward Firewall: added new files --- config/forwardfw/firewall-lib.pl | 252 ++++ config/forwardfw/rules.pl | 334 +++++ config/fwhosts/icmp-types | 36 + html/cgi-bin/forwardfw.cgi | 1772 +++++++++++++++++++++++++++ html/cgi-bin/fwhosts.cgi | 1970 ++++++++++++++++++++++++++++++ 5 files changed, 4364 insertions(+) create mode 100644 config/forwardfw/firewall-lib.pl create mode 100755 config/forwardfw/rules.pl create mode 100644 config/fwhosts/icmp-types create mode 100755 html/cgi-bin/forwardfw.cgi create mode 100755 html/cgi-bin/fwhosts.cgi diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl new file mode 100644 index 000000000..24b990c77 --- /dev/null +++ b/config/forwardfw/firewall-lib.pl 
@@ -0,0 +1,252 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2012 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + + +use strict; +no warnings 'uninitialized'; + +package fwlib; + +my %customnetwork=(); +my %customhost=(); +my %customgrp=(); +my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %ccdhost=(); +my %ipsecconf=(); +my %ipsecsettings=(); +my %netsettings=(); +my %ovpnsettings=(); + +require '/var/ipfire/general-functions.pl'; + +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $val; +my $field; + +&General::readhash("/var/ipfire/ethernet/settings", \%netsettings); +&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings); 
+&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings); + + +&General::readhasharray("$confignet", \%customnetwork); +&General::readhasharray("$confighost", \%customhost); +&General::readhasharray("$configgrp", \%customgrp); +&General::readhasharray("$configccdnet", \%ccdnet); +&General::readhasharray("$configccdhost", \%ccdhost); +&General::readhasharray("$configipsec", \%ipsecconf); +&General::readhasharray("$configsrv", \%customservice); +&General::readhasharray("$configsrvgrp", \%customservicegrp); + +sub get_srv_prot +{ + my $val=shift; + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $val){ + if ($customservice{$key}[0] eq $val){ + return $customservice{$key}[2]; + } + } + } +} +sub get_srvgrp_prot +{ + my $val=shift; + my @ips=(); + my $tcp; + my $udp; + my $icmp; + foreach my $key (sort keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ + $tcp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ + $udp=1; + }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){ + $icmp=1; + } + } + } + if ($tcp eq '1'){push (@ips,'TCP');} + if ($udp eq '1'){push (@ips,'UDP');} + if ($icmp eq '1'){push (@ips,'ICMP');} + my $back=join(",",@ips); + return $back; + +} + + +sub get_srv_port +{ + my $val=shift; + my $field=shift; + my $prot=shift; + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $val){ + if($customservice{$key}[2] eq $prot){ + return $customservice{$key}[$field]; + } + } + } +} +sub get_srvgrp_port +{ + my $val=shift; + my $prot=shift; + my $back; + my $value; + my @ips=(); + foreach my $key (sort keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $val){ + if ($prot ne 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); + }elsif ($prot eq 'ICMP'){ + $value=&get_srv_port($customservicegrp{$key}[2],3,$prot); + } + push (@ips,$value) if ($value ne '') ; + } + } + if($prot ne 
'ICMP'){ + if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} + }elsif ($prot eq 'ICMP'){ + $back="--icmp-type "; + } + + $back.=join(",",@ips); + return $back; +} +sub get_ipsec_net_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ipsec_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort keys %ipsecconf){ + if($ipsecconf{$key}[1] eq $val){ + return $ipsecconf{$key}[$field]; + } + } +} +sub get_ovpn_n2n_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_host_ip +{ + my $val=shift; + my $field=shift; + foreach my $key (sort keys %ccdhost){ + if($ccdhost{$key}[1] eq $val){ + return $ccdhost{$key}[$field]; + } + } +} +sub get_ovpn_net_ip +{ + + my $val=shift; + my $field=shift; + foreach my $key (sort keys %ccdnet){ + if($ccdnet{$key}[0] eq $val){ + return $ccdnet{$key}[$field]; + } + } +} +sub get_grp_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort keys %customgrp){ + if ($customgrp{$key}[0] eq $val){ + &get_address($customgrp{$key}[3],$src); + } + } + +} +sub get_std_net_ip +{ + my $val=shift; + if ($val eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + }elsif($val eq 'GREEN'){ + return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + }elsif($val eq 'ORANGE'){ + return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + }elsif($val eq 'BLUE'){ + return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + }elsif($val =~ /OpenVPN/i){ + return "$ovpnsettings{'DOVPN_SUBNET'}"; + }elsif($val =~ /IPsec/i){ + return "$ipsecsettings{'RW_NET'}"; + } +} +sub get_net_ip +{ + my $val=shift; + foreach my $key (sort keys %customnetwork){ + if($customnetwork{$key}[0] eq $val){ + return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; + } + } 
+} +sub get_host_ip +{ + my $val=shift; + my $src=shift; + foreach my $key (sort keys %customhost){ + if($customhost{$key}[0] eq $val){ + if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ + return "-m mac --mac-source $customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){ + return "$customhost{$key}[2]"; + }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){ + return "none"; + } + } + } +} + +return 1; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl new file mode 100755 index 000000000..d6bd3c9d6 --- /dev/null +++ b/config/forwardfw/rules.pl 
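Review bot: `get_grp_ip` calls `&get_address(...)` from inside `package fwlib`, where no such sub is defined (the only `get_address` on this page is in the main package of rules.pl), so the call dies with an undefined-subroutine error at runtime; it also discards the result and falls off the end without a `return`. Smaller points in the same hunk: `get_srv_prot` tests `$customservice{$key}[0] eq $val` twice in nested ifs, and `get_srvgrp_port` compares `$#ips gt 0` as strings where `$#ips > 0` is meant. The file runs under `no warnings 'uninitialized'`, which hides exactly the missing-field cases these lookups produce when a name is not found. A header comment documenting the index layout of each config array this library reads (e.g. `# customhost: [0]=name [1]=type (ip|mac) [2]=address`) would let readers check the numeric indices used throughout.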
@@ -0,0 +1,334 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2012 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +# Hi folks! I hope this code is useful for all. I needed something to handle # +# my VPN Connections in a comfortable way. 
# +# This script builds firewallrules from the webinterface # +############################################################################### + + +use strict; +no warnings 'uninitialized'; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +my %fwdfwsettings=(); +my %defaultNetworks=(); +my %configfwdfw=(); +my %color=(); +my %icmptypes=(); +my %ovpnSettings=(); +my %customgrp=(); +our %sourcehash=(); +our %targethash=(); +my @timeframe=(); +my %configinputfw=(); +my %aliases=(); +my @DPROT=(); +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/forward/bin/firewall-lib.pl"; + +my $configfwdfw = "${General::swroot}/forward/config"; +my $configinput = "${General::swroot}/forward/input"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $errormessage=''; +my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); +my $CHAIN="FORWARDFW"; + + +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhasharray($configfwdfw, \%configfwdfw); +&General::readhasharray($configinput, \%configinputfw); +&General::readhasharray($configgrp, \%customgrp); +&General::get_aliases(\%aliases); + +################################ +# DEBUG/TEST # +################################ +my $MODE=0; # 0 - normal operation + # 1 - print configline and rules to console + # +################################ +my $param=shift; + +if($param eq 'flush'){ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; +}else{ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; + if ($MODE eq '1'){ + print " Preparing rules...\n"; + } + &preparerules; + if($MODE eq '0'){ + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + system ("iptables -A $CHAIN -j DROP"); + }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ + system ("iptables -A $CHAIN -j ACCEPT"); + } + } +} + +sub flush +{ + system ("iptables -F 
FORWARDFW"); + system ("iptables -F INPUTFW"); +} +sub preparerules +{ + if (! -z "${General::swroot}/forward/config"){ + &buildrules(\%configfwdfw); + } + if (! -z "${General::swroot}/forward/input"){ + &buildrules(\%configinputfw); + } +} +sub buildrules +{ + my $hash=shift; + foreach my $key (sort keys %$hash){ + if($$hash{$key}[2] eq 'ON'){ + #get source ip's + if ($$hash{$key}[3] eq 'cust_grp_src'){ + foreach my $grp (sort keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[4]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); + } + } + }else{ + &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); + } + #get target ip's + if ($$hash{$key}[5] eq 'cust_grp_tgt'){ + foreach my $grp (sort keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[6]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); + } + } + }elsif($$hash{$key}[5] eq 'ipfire'){ + + if($$hash{$key}[6] eq 'Default IP'){ + open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; + $targethash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($$hash{$key}[6] eq $alias){ + $targethash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + }else{ + &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); + } + + ##get source prot and port + $SRC_TGT='SRC'; + $SPROT = &get_prot($hash,$key); + $SPORT = &get_port($hash,$key); + $SRC_TGT=''; + + ##get target prot and port + $DPROT=&get_prot($hash,$key); + + if ($DPROT eq ''){$DPROT=' ';} + @DPROT=split(",",$DPROT); + + + #get time if defined + if($$hash{$key}[18] eq 'ON'){ + if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} + if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} + if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} + if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} + if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} + if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} + if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} + 
$TIME=join(",",@timeframe); + $TIMEFROM="--timestart $$hash{$key}[26] "; + $TIMETILL="--timestop $$hash{$key}[27] "; + $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; + } + + if ($MODE eq '1'){ + print "NR:$key "; + foreach my $i (0 .. $#{$$hash{$key}}){ + print "$i: $$hash{$key}[$i] "; + } + print "\n"; + print"##################################\n"; + #print rules to console + + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if ($$hash{$key}[17] eq 'ON'){ + print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + print"\n"; + } + + }elsif($MODE eq '0'){ + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if ($$hash{$key}[17] eq 'ON'){ + system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); + } + system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); + } + } + } + } + print"\n"; + } + } + } + %sourcehash=(); + %targethash=(); + undef $TIME; + undef $TIMEFROM; + undef $TIMETILL; + } +} +sub get_address +{ + my $base=shift; #source of 
checking ($configfwdfw{$key}[x] or groupkey + my $base2=shift; + my $type=shift; #src or tgt + my $hash; + if ($type eq 'src'){ + $hash=\%sourcehash; + }else{ + $hash=\%targethash; + } + my $key = &General::findhasharraykey($hash); + if($base eq 'src_addr' || $base eq 'tgt_addr' ){ + $$hash{$key}[0] = $configfwdfw{$key}[4]; + }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ + $$hash{$key}[0]=&fwlib::get_std_net_ip($base2); + }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ + $$hash{$key}[0]=&fwlib::get_net_ip($base2); + }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ + $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); + }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ + $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); + }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ + $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); + }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27); + }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ + $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + } +} +sub get_prot +{ + my $hash=shift; + my $key=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + return"$$hash{$key}[8]"; + }elsif($$hash{$key}[9] ne ''){ + return"$$hash{$key}[8]"; + }else{ + return "$$hash{$key}[8]"; + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if ($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + return "$$hash{$key}[12]"; + }elsif($$hash{$key}[13] ne ''){ + return "$$hash{$key}[12]"; + }else{ + return "$$hash{$key}[12]"; + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + return &fwlib::get_srv_prot($$hash{$key}[15]); + + }elsif($$hash{$key}[14] eq 
'cust_srvgrp'){ + return &fwlib::get_srvgrp_prot($$hash{$key}[15]); + } + } +} +sub get_port +{ + my $hash=shift; + my $key=shift; + my $prot=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + return "--sport $$hash{$key}[10] "; + }elsif($$hash{$key}[9] ne ''){ + return "--icmp-type $$hash{$key}[9] "; + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + + if($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + return "--dport $$hash{$key}[15] "; + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[13] "; + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + if ($prot ne 'ICMP'){ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ + return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); + }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + if ($prot ne 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + elsif($prot eq 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + + + } + } +} diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types new file mode 100644 index 000000000..d41cdbfba --- /dev/null +++ b/config/fwhosts/icmp-types 
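Review bot: `@timeframe` is declared once at file scope and only ever pushed to inside `buildrules`, while the per-rule cleanup at the end of the loop resets `%sourcehash`, `%targethash` and `$TIME` but not `@timeframe`, so the weekdays of every earlier time-restricted rule are carried into the `--weekdays` list of the next one; add `@timeframe=();` next to `undef $TIME;` (or declare the array inside the loop). In `get_address`, the `src_addr`/`tgt_addr` branch reads `$configfwdfw{$key}[4]` with `$key` just returned by `findhasharraykey` for the source/target hash rather than the rule's key, uses the source field even for targets, and ignores `%configinputfw`; the callers already pass that field as `$base2`, so `$$hash{$key}[0] = $base2;` looks like the intended line. Every rule is finally emitted through string-form `system("iptables -A $$hash{$key}[1] ...")`, where the chain name, addresses and ports come straight from the config files this root-running script reads, so any field that escapes the CGI's validation reaches a shell; assembling an argument list and calling `system('iptables', @args)` would remove that dependency. The default-IP read uses a bareword handle and two-argument `open(FILE, "/var/ipfire/red/local-ipaddress")`, and as rendered here its readline (`$targethash{$key}[0]= ;`) has lost the `<FILE>` angle brackets, which is worth confirming against the committed file.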
@@ -0,0 +1,36 @@
+0,echo-reply (pong),0
+1,destination-unreachable,3
+2,network-unreachable,3/0
+3,host-unreachable,3/1
+4,protocol-unreachable,3/2
+5,port-unreachable,3/3
+6,fragmentation-needed,3/4
+7,source-route-failed,3/5
+8,network-unknown,3/6
+9,host-unknown,3/7
+10,network-prohibited,3/9
+11,host-prohibited,3/10
+12,TOS-network-unreachable,3/11
+13,TOS-host-unreachable,3/12
+14,communication-prohibited,3/13
+15,host-precedence-violation,3/14
+16,precedence-cutoff,3/15
+17,source-quench,4
+18,redirect,5
+19,network-redirect,5/0
+20,host-redirect,5/1
+21,TOS-network-redirect,5/2
+22,TOS-host-redirect,5/3
+23,echo-request (ping),8
+24,router-advertisement,9
+25,router-solicitation,10
+26,time-exceeded (ttl-exceeded),11
+27,ttl-zero-during-transit,11/0
+28,ttl-zero-during-reassembly,11/1
+29,parameter-problem,12
+30,ip-header-bad,12/0
+31,required-option-missing,12/1
+32,timestamp-request,13
+33,timestamp-reply,14
+34,address-mask-request,17
+35,address-mask-reply,18
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
new file mode 100755
index 000000000..be2f0cfea
--- /dev/null
+++ b/html/cgi-bin/forwardfw.cgi
@@ -0,0 +1,1772 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2012 #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+# #
+# Hi folks! I hope this code is useful for all. I needed something to handle #
+# my VPN Connections in a comfortable way. As a prerequisite i needed #
+# something that makes sure the vpn roadwarrior are able to have a fixed #
+# ip-address. So i developed the ccd extension for the vpn server. #
+# #
+# Now that the ccd extension is ready i am able to develop the main request. #
+# Any feedback is appreciated.
#
+# #
+# #
+###############################################################################
+
+use strict;
+no warnings 'uninitialized';
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+require "${General::swroot}/forward/bin/firewall-lib.pl";
+
+unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/forward"); }
+unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); }
+unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+
+my %fwdfwsettings=();
+my %selected=() ;
+my %defaultNetworks=();
+my %netsettings=();
+my %customhost=();
+my %customgrp=();
+my %customnetworks=();
+my %customservice=();
+my %customservicegrp=();
+my %ccdnet=();
+my %customnetwork=();
+my %ccdhost=();
+my %configfwdfw=();
+my %configinputfw=();
+my %ipsecconf=();
+my %color=();
+my %mainsettings=();
+my %checked=();
+my %icmptypes=();
+my %ovpnsettings=();
+my %ipsecsettings=();
+my %aliases=();
+my $color;
+my $confignet = "${General::swroot}/fwhosts/customnetworks";
+my $confighost = "${General::swroot}/fwhosts/customhosts";
+my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configsrv = "${General::swroot}/fwhosts/customservices";
+my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
+my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
+my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
+my $configipsec = "${General::swroot}/vpn/config";
+my $configipsecrw = "${General::swroot}/vpn/settings";
+my $configfwdfw = "${General::swroot}/forward/config";
+my $configinput = "${General::swroot}/forward/input";
+my $configovpn = "${General::swroot}/ovpn/settings";
+
+my $errormessage='';
+my $hint='';
+my $ipgrp="${General::swroot}/outgoing/groups";
+
+
+&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+&Header::showhttpheaders();
+&Header::getcgihash(\%fwdfwsettings);
+&Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
+&Header::openbigbox('100%', 'center',$errormessage);
+#### ACTION #####
+
+if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
+{
+ my $MODE = $fwdfwsettings{'POLICY'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'} = "$MODE";
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+}
+if ($fwdfwsettings{'ACTION'} eq 'saverule')
+{
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+
+ #check if we change an forward rule to an external access
+ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){
+ $fwdfwsettings{'updatefwrule'}='';
+ $fwdfwsettings{'config'}=$configfwdfw;
+ $fwdfwsettings{'nobase'}='on';
+ &deleterule;
+ }
+
+ #check if we change an external access rule to an forward
+ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){
+ $fwdfwsettings{'updatefwrule'}='';
+ $fwdfwsettings{'config'}=$configinput;
+ $fwdfwsettings{'nobase'}='on';
+ &deleterule;
+ }
+
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configinputfw){
+ if
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + 
&checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + + + &saverule(\%configinputfw,$configinput); + + #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; + #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; + #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; + #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}
"; + #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}
"; + #print " Regel LOG: $fwdfwsettings{'LOG'}
"; + #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}
"; + #print " MO: $fwdfwsettings{'TIME_MON'}
"; + #print " DI: $fwdfwsettings{'TIME_TUE'}
"; + #print " MI: $fwdfwsettings{'TIME_WED'}
"; + #print " DO: $fwdfwsettings{'TIME_THU'}
"; + #print " FR: $fwdfwsettings{'TIME_FRI'}
"; + #print " SA: $fwdfwsettings{'TIME_SAT'}
"; + #print " SO: $fwdfwsettings{'TIME_SUN'}
"; + #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}
"; + #print "
"; + #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; + #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; + #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + + + + }else{ + $fwdfwsettings{'chain'} = 'FORWARDFW'; + #check if we have an identical rule already + foreach my $key (sort keys %configfwdfw){ + + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + 
&checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + + + &saverule(\%configfwdfw,$configfwdfw); + + #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; + #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; + #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; + #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}
"; + #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}
"; + #print " Regel LOG: $fwdfwsettings{'LOG'}
"; + #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}
"; + #print " MO: $fwdfwsettings{'TIME_MON'}
"; + #print " DI: $fwdfwsettings{'TIME_TUE'}
"; + #print " MI: $fwdfwsettings{'TIME_WED'}
"; + #print " DO: $fwdfwsettings{'TIME_THU'}
"; + #print " FR: $fwdfwsettings{'TIME_FRI'}
"; + #print " SA: $fwdfwsettings{'TIME_SAT'}
"; + #print " SO: $fwdfwsettings{'TIME_SUN'}
"; + #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}
"; + #print "
"; + #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; + #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; + #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + + + + } + if ($errormessage){ + &newrule; + }else{ + &rules; + &base; + } + +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) +{ + &General::readhasharray("$configfwdfw", \%configfwdfw); + foreach my $key (sort keys %configfwdfw){ + &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,); + &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,); + &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,); + } + &General::readhasharray("$configinput", \%configinputfw); + foreach my $key (sort keys %configinputfw){ + &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,); + &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,); + &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,); + } + $fwdfwsettings{'POLICY'}='MODE0'; + system("rm ${General::swroot}/forward/config"); + system("rm ${General::swroot}/forward/input"); + %fwdfwsettings = (); + + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } + unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } + + &reread_rules; + +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) +{ + &newrule; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw toggle'}) +{ + my %togglehash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); + foreach my $key (sort keys %togglehash){ + if ($key eq $fwdfwsettings{'key'}){ + if ($togglehash{$key}[2] eq 'ON'){$togglehash{$key}[2]='';}else{$togglehash{$key}[2]='ON';} + } + } + &General::writehasharray($fwdfwsettings{'config'}, \%togglehash); + &rules; + &base; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw togglelog'}) +{ + my %togglehash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); + foreach my $key (sort keys %togglehash){ + if ($key eq $fwdfwsettings{'key'}){ + if ($togglehash{$key}[17] eq 
'ON'){$togglehash{$key}[17]='';}else{$togglehash{$key}[17]='ON';}
+ }
+ }
+ &General::writehasharray($fwdfwsettings{'config'}, \%togglehash);
+ &rules;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
+{
+ &reread_rules;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'editrule')
+{
+ $fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+}
+if ($fwdfwsettings{'ACTION'} eq 'deleterule')
+{
+ &deleterule;
+}
+if ($fwdfwsettings{'ACTION'} eq 'moveup')
+{
+ &pos_up;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'movedown')
+{
+ &pos_down;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+{
+ $fwdfwsettings{'copyfwrule'}='on';
+ #$fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+}
+if ($fwdfwsettings{'ACTION'} eq '')
+{
+ &base;
+}
+### Functions ####
+sub pos_up
+{
+ my %uphash=();
+ my %tmp=();
+ &General::readhasharray($fwdfwsettings{'config'}, \%uphash);
+ foreach my $key (sort keys %uphash){
+ if ($key eq $fwdfwsettings{'key'}) {
+ my $last = $key -1;
+ if (exists $uphash{$last}){
+ #save rule last
+ foreach my $y (0 .. $#{$uphash{$last}}) {
+ $tmp{0}[$y] = $uphash{$last}[$y];
+ }
+ #copy active rule to last
+ foreach my $i (0 .. $#{$uphash{$last}}) {
+ $uphash{$last}[$i] = $uphash{$key}[$i];
+ }
+ #copy saved rule to actual position
+ foreach my $x (0 .. $#{$tmp{0}}) {
+ $uphash{$key}[$x] = $tmp{0}[$x];
+ }
+ }
+ }
+ }
+ &General::writehasharray($fwdfwsettings{'config'}, \%uphash);
+ &rules;
+}
+sub pos_down
+{
+ my %downhash=();
+ my %tmp=();
+ &General::readhasharray($fwdfwsettings{'config'}, \%downhash);
+ foreach my $key (sort keys %downhash){
+ if ($key eq $fwdfwsettings{'key'}) {
+ my $next = $key + 1;
+ if (exists $downhash{$next}){
+ #save rule next
+ foreach my $y (0 .. $#{$downhash{$next}}) {
+ $tmp{0}[$y] = $downhash{$next}[$y];
+ }
+ #copy active rule to next
+ foreach my $i (0 .. $#{$downhash{$next}}) {
+ $downhash{$next}[$i] = $downhash{$key}[$i];
+ }
+ #copy saved rule to actual position
+ foreach my $x (0 ..
$#{$tmp{0}}) {
+ $downhash{$key}[$x] = $tmp{0}[$x];
+ }
+ }
+ }
+ }
+ &General::writehasharray($fwdfwsettings{'config'}, \%downhash);
+ &rules;
+}
+sub checkcounter
+{
+ my ($base1,$val1,$base2,$val2) = @_;
+
+ if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){
+ &dec_counter($confignet,\%customnetwork,$val1);
+ }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){
+ &dec_counter($confighost,\%customhost,$val1);
+ }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){
+ &dec_counter($configgrp,\%customgrp,$val1);
+ }elsif($base1 eq 'cust_srv'){
+ &dec_counter($configsrv,\%customservice,$val1);
+ }elsif($base1 eq 'cust_srvgrp'){
+ &dec_counter($configsrvgrp,\%customservicegrp,$val1);
+ }
+
+ if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
+ &inc_counter($confignet,\%customnetwork,$val2);
+ }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
+ &inc_counter($confighost,\%customhost,$val2);
+ }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){
+ &inc_counter($configgrp,\%customgrp,$val2);
+ }elsif($base2 eq 'cust_srv'){
+ &inc_counter($configsrv,\%customservice,$val2);
+ }elsif($base2 eq 'cust_srvgrp'){
+ &inc_counter($configsrvgrp,\%customservicegrp,$val2);
+ }
+}
+sub inc_counter
+{
+ my $config=shift;
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $pos;
+
+ &General::readhasharray($config, \%hash);
+ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+ $pos=$#{$hash{$key}};
+ $hash{$key}[$pos] = $hash{$key}[$pos]+1;
+
+ }
+ }
+ &General::writehasharray($config, \%hash);
+}
+sub dec_counter
+{
+ my $config=shift;
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $pos;
+ #$errormessage.="ALT:config: $config , verringert wird $val
"; + &General::readhasharray($config, \%hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]-1; + + } + } + &General::writehasharray($config, \%hash); +} +sub base +{ + + if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + + &hint; + if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') { + &addrule; + } + + #print""; + #foreach (0 .. 40){ + #my $i="color".$_; + #print""; + #} + #print"
$_
"; + &Header::openbox('100%', 'center', 'Policy'); +print < + + + + + +
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}

+ + +END + if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) { + print "$Lang::tr{'outgoing firewall reset'}: "; + } +print "
"; + &Header::closebox(); +} +sub addrule +{ + &error; + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + + print "
"; + print ""; + print ""; + if (-f "${General::swroot}/forward/reread"){ + print ""; + } + print"

"; + + &Header::closebox(); + &viewtablerule; + +} +sub deleterule +{ + my %delhash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%delhash); + foreach my $key (sort keys %delhash){ + if ($key eq $fwdfwsettings{'key'}){ + #check hosts/net and groups + &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); + &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); + #check services and groups + if ($delhash{$key}[11] eq 'ON'){ + &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); + } + } + + if ($key ge $fwdfwsettings{'key'}) { + my $next = $key + 1; + if (exists $delhash{$next}) { + foreach my $i (0 .. $#{$configfwdfw{$next}}) { + $delhash{$key}[$i] = $delhash{$next}[$i]; + } + } + } + } + # Remove the very last entry. + my $last_key = (sort keys %delhash)[-1]; + delete $delhash{$last_key}; + + &General::writehasharray($fwdfwsettings{'config'}, \%delhash); + &rules; + if($fwdfwsettings{'nobase'} ne 'on'){ + &base; + } +} +sub disable_rule +{ + my $key1=shift; + &General::readhasharray("$configfwdfw", \%configfwdfw); + foreach my $key (sort keys %configfwdfw){ + if ($key eq $key1 ){ + if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';} + } + } + &General::writehasharray("$configfwdfw", \%configfwdfw); + &rules; + +} +sub checksource +{ + my ($ip,$subnet); + + #check ip-address if manual + if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){ + #check if ip with subnet + if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) { + ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'}); + $subnet = &General::iporsubtocidr($subnet); + } + #check if only ip + if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $ip=$fwdfwsettings{'src_addr'}; + $subnet = '32'; + } + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + #check if net or broadcast + my @tmp= split (/\./,$ip); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")) + { + 
$errormessage=$Lang::tr{'fwhost err hostip'}; + } + $fwdfwsettings{'src_addr'}="$ip/$subnet"; + + if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + } + }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; + return $errormessage; + } + + #check empty fields + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} + #check icmp source + if ($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ICMP'){ + $fwdfwsettings{'SRC_PORT'}=''; + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0] ($icmptypes{$key}[1])"){ + $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; + } + } + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){ + $fwdfwsettings{'ICMP_TYPES'}=''; + }else{ + $fwdfwsettings{'ICMP_TYPES'}=''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'PROT'}=''; + } + + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ + #change dashes with : + $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; + + if ($fwdfwsettings{'SRC_PORT'} eq "*") { + $fwdfwsettings{'SRC_PORT'} = "1:65535"; + } + if ($fwdfwsettings{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { + $fwdfwsettings{'SRC_PORT'} = "1:$2"; + } + if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { + $fwdfwsettings{'SRC_PORT'} = "$1:65535"; + } + + $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src'); + } + return $errormessage; +} +sub checktarget +{ + my ($ip,$subnet); + + + if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ + #check if ip with subnet + if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { + ($ip,$subnet)=split (/\//,$fwdfwsettings{'tgt_addr'}); + $subnet = &General::iporsubtocidr($subnet); + } + #check if only ip + if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $ip=$fwdfwsettings{'tgt_addr'}; + $subnet='32'; + } + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + + #check if net or broadcast + my @tmp= split (/\./,$ip); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")) + { + $errormessage=$Lang::tr{'fwhost err hostip'}; + } + 
$fwdfwsettings{'tgt_addr'}=$ip."/".$subnet; + + if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; + } + + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err notgtip'}; + return $errormessage; + } + + #check empty fields + if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} + + #check tgt services + if ($fwdfwsettings{'USESRV'} eq 'ON'){ + if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + #check target service + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err tgt_grp'}; + } + } + if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){ + if ($fwdfwsettings{'TGT_PORT'} ne ''){ + #change dashes with : + $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; + if ($fwdfwsettings{'TGT_PORT'} eq "*") { + $fwdfwsettings{'TGT_PORT'} = "1:65535"; + } + if ($fwdfwsettings{'TGT_PORT'} =~ /^(\D)\:(\d+)$/) { + $fwdfwsettings{'TGT_PORT'} = "1:$2"; + } + if ($fwdfwsettings{'TGT_PORT'} =~ /^(\d+)\:(\D)$/) { + $fwdfwsettings{'TGT_PORT'} = "$1:65535"; + } + $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination'); + } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ + + $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; + } + } + } + } + } + + #check targetport + if ($fwdfwsettings{'USESRV'} ne 'ON'){ + $fwdfwsettings{'grp3'}=''; + $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + + + #check timeframe + if($fwdfwsettings{'TIME'} eq 'ON'){ + if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ + $errormessage=$Lang::tr{'fwdfw err time'}; + } + } + + + + return $errormessage; +} +sub checkrule +{ + #check valid remark + if 
($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage.=$Lang::tr{'fwdfw err remark'}."
"; + } + #check if source and target identical + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}}){ + $errormessage.=$Lang::tr{'fwdfw err same'}; + return $errormessage; + } + + #get source and targetip address if possible + my ($sip,$scidr,$tip,$tcidr); + ($sip,$scidr)=&get_ip("src","grp1"); + ($tip,$tcidr)=&get_ip("tgt","grp2"); + + + + #check same iprange in source and target + if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ + + my $networkip1=&General::getnetworkip($sip,$scidr); + my $networkip2=&General::getnetworkip($tip,$tcidr); + if ($scidr gt $tcidr){ + if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){ + $errormessage.=$Lang::tr{'fwdfw err samesub'}; + } + }elsif($scidr eq $tcidr && $scidr eq '32'){ + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2); + if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ + $hint=$Lang::tr{'fwdfw hint ip1'}."
"; + $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target:$networkip2/$tcidr
"; + } + + }else{ + if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ + $errormessage.=$Lang::tr{'fwdfw err samesub'}; + } + } + } + + #check source and destination protocol if manual + if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ + if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + $errormessage.=$Lang::tr{'fwdfw err prot'}; + } + #check source and destination protocol if source manual and dest servicegrp + if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){ + if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){ + $errormessage.=$Lang::tr{'fwdfw err prot'}; + last; + } + } + } + } + } + +} +sub get_ip +{ + my $val=shift; + my $grp =shift; + my $a; + my $b; + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); + if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){ + if ($fwdfwsettings{$grp} eq $val.'_addr'){ + ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}}); + }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){ + if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){ + $a=$netsettings{'GREEN_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){ + $a=$netsettings{'ORANGE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){ + $a=$netsettings{'BLUE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){ + &General::readhash("$configovpn",\%ovpnsettings); + ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'}); + $b=&General::iporsubtocidr($b); + } + }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){ + 
&General::readhasharray("$confignet", \%customnetwork); + foreach my $key (keys %customnetwork){ + if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + $a=$customnetwork{$key}[1]; + $b=&General::iporsubtocidr($customnetwork{$key}[2]); + } + } + }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){ + &General::readhasharray("$confighost", \%customhost); + foreach my $key (keys %customhost){ + if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + if ($customhost{$key}[1] eq 'ip'){ + ($a,$b)=split (/\//,$customhost{$key}[2]); + $b=&General::iporsubtocidr($b); + }else{ + if ($grp eq 'grp2'){ + $errormessage=$Lang::tr{'fwdfw err tgt_mac'}; + } + } + } + } + } + } + + return $a,$b; +} +sub newrule +{ + &error; + &General::setup_default_networks(\%defaultNetworks); + #read all configfiles + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$configipsec", \%ipsecconf); + &General::get_aliases(\%aliases); + + + my %checked=(); + my $helper; + if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} + my $config=$fwdfwsettings{'config'}; + my %hash=(); + + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + 
$checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + + #check if update and get values + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ + &General::readhasharray("$config", \%hash); + foreach my $key (sort keys %hash){ + if ($key eq $fwdfwsettings{'key'}){ + $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; + $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; + $fwdfwsettings{'grp1'} = $hash{$key}[3]; + $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; + $fwdfwsettings{'grp2'} = $hash{$key}[5]; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6]; + $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7]; + $fwdfwsettings{'PROT'} = $hash{$key}[8]; + $fwdfwsettings{'ICMP_TYPES'} = $hash{$key}[9]; + $fwdfwsettings{'SRC_PORT'} = $hash{$key}[10]; + $fwdfwsettings{'USESRV'} = $hash{$key}[11]; + $fwdfwsettings{'TGT_PROT'} = $hash{$key}[12]; + $fwdfwsettings{'ICMP_TGT'} = $hash{$key}[13]; + $fwdfwsettings{'grp3'} = $hash{$key}[14]; + $fwdfwsettings{$fwdfwsettings{'grp3'}} = $hash{$key}[15]; + $fwdfwsettings{'ruleremark'} = $hash{$key}[16]; + $fwdfwsettings{'LOG'} = $hash{$key}[17]; + $fwdfwsettings{'TIME'} = $hash{$key}[18]; + $fwdfwsettings{'TIME_MON'} = $hash{$key}[19]; + $fwdfwsettings{'TIME_TUE'} = $hash{$key}[20]; + $fwdfwsettings{'TIME_WED'} = $hash{$key}[21]; + $fwdfwsettings{'TIME_THU'} = $hash{$key}[22]; + $fwdfwsettings{'TIME_FRI'} = $hash{$key}[23]; + $fwdfwsettings{'TIME_SAT'} = 
$hash{$key}[24]; + $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; + $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; + $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; + + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + } + } + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + }else{ + $fwdfwsettings{'ACTIVE'}='ON'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + } + + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + +print < + +
$Lang::tr{'fwdfw rule action'}

"; + + + &Header::closebox(); + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); + + + #------SOURCE------------------------------------------------------- + print< + $Lang::tr{'fwdfw sourceip'} +
+ $Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost cust grp'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec host'}$Lang::tr{'fwdfw use srcport'} + $Lang::tr{'fwdfw man port'} + $Lang::tr{'fwhost icmptype'}$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost cust grp'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec host'}$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}$Lang::tr{'fwhost cust srvgrp'}:$Lang::tr{'fwdfw man port'} + $Lang::tr{'fwhost icmptype'} + $Lang::tr{'fwdfw rule activate'} + $Lang::tr{'fwdfw log rule'} +

+END + &Header::closebox(); + #---ADD TIMEFRAME----------------------------------------------- + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw timeframe'}); + print< + $Lang::tr{'fwdfw timeframe'} +   + + $Lang::tr{'time'}: + $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} + + $Lang::tr{'advproxy from'} + $Lang::tr{'advproxy to'} + + + + + + + + + + + + + + +END + for (my $i=0;$i<=23;$i++) { + $i = sprintf("%02s",$i); + for (my $j=0;$j<=45;$j+=15) { + $j = sprintf("%02s",$j); + my $time = $i.":".$j; + print "\t\t\t\t\t\n"; + } + } + print< +
+END + &Header::closebox(); + #---ACTION------------------------------------------------------ + if($fwdfwsettings{'updatefwrule'} ne 'on'){ + print< + + +
+
+END + }else{ + print< + + + + + + + + + +
+ +
+END + } + &Header::closebox(); +} +sub saverule +{ + + my $hash=shift; + my $config=shift; + &General::readhasharray("$config", $hash); + if (!$errormessage){ + if ($fwdfwsettings{'updatefwrule'} ne 'on' ){ + my $key = &General::findhasharraykey ($hash); + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + &General::writehasharray("$config", $hash); + }else{ + foreach my $key (sort keys %$hash){ + if($key eq $fwdfwsettings{'key'}){ + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = 
$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + last; + } + } + &General::writehasharray("$config", $hash); + } + } +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); + print"
"; + } +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "$hint\n"; + print " \n"; + &Header::closebox(); + print"
"; + } +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(\%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 63) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) { + return 0;} + return 1; +} +sub getsrcport +{ + my %hash=%{(shift)}; + my $key=shift; + if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne 'ICMP'){ + print" : ($hash{$key}[8]) $hash{$key}[10]"; + }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ + print" : ($hash{$key}[8])
$hash{$key}[9]"; + } +} +sub gettgtport +{ + my %hash=%{(shift)}; + my $key=shift; + my $service; + my $prot; + + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ + if($hash{$key}[14] eq 'cust_srv'){ + &General::readhasharray("$configsrv", \%customservice); + foreach my $i (sort keys %customservice){ + #print "HHUHU: $customservice{$i}[0] und $hash{$key}[15]
"; + if($customservice{$i}[0] eq $hash{$key}[15]){ + $prot = $hash{$key}[12]; + $service = $customservice{$i}[0]; + } + } + }elsif($hash{$key}[14] eq 'cust_srvgrp'){ + + $service=$hash{$key}[15]; + }elsif($hash{$key}[14] eq 'TGT_PORT'){ + $service=$hash{$key}[15]; + $prot=$hash{$key}[12]; + } + }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ + print" : ($hash{$key}[12])
$hash{$key}[13]"; + } + + if ($prot ne '' || $service ne ''){ + print" :"; + if ($prot ne ''){ + print"($prot) "; + } + print" $service"; + } +} +sub viewtablerule +{ + &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); + &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); +} +sub viewtablenew +{ + my $hash=shift; + my $config=shift; + my $title=shift; + my $title1=shift; + + if ( ! -z "$config"){ + &Header::openbox('100%', 'left',$title); + my $count=0; + my ($gif,$log); + my $ruletype; + my $rulecolor; + my $tooltip; + my @tmpsrc=(); + my $coloryellow=''; + &General::readhasharray("$config", $hash); + print"$title1
"; + print""; + print""; + foreach my $key (sort keys %$hash){ + @tmpsrc=(); + #check if vpn hosts/nets have been deleted + if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[4]); + } + if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[6]); + } + + foreach my $host (@tmpsrc){ + if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + + } + }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + $$hash{$key}[3]=''; + $$hash{$key}[5]=''; + } + + $$hash{'ACTIVE'}=$$hash{$key}[2]; + $count++; + + if($coloryellow eq 'on'){ + print""; + $coloryellow=''; + }elsif($coloryellow eq ''){ + if ($count % 2){ + print""; + } + else{ + print""; + } + } + + print<$key +END + if ($$hash{$key}[0] eq 'ACCEPT'){ + $ruletype='A'; + $tooltip='ACCEPT'; + $rulecolor=$color{'color17'}; + }elsif($$hash{$key}[0] eq 'DROP'){ + $ruletype='D'; + $tooltip='DROP'; + $rulecolor=$color{'color25'}; + }elsif($$hash{$key}[0] eq 'REJECT'){ + $ruletype='R'; + $tooltip='REJECT'; + $rulecolor=$color{'color16'}; + } + print""; + print" +END + + print< +END + if ($$hash{$key}[5] eq 'std_net_tgt'){ + print &get_name($$hash{$key}[6]); + }else{ + print $$hash{$key}[6]; + } + &gettgtport(\%$hash,$key); + 
################################################################################ + print""; + + if($$hash{$key}[2] eq 'ON'){ + $gif="/images/on.gif" + + }else{ + $gif="/images/off.gif" + + } + print< + + + + + + + + + + + +END + if (exists $$hash{$key-1}){ + print< + +END + }else{ + print""; + } + + if (exists $$hash{$key+1}){ + print< + +END + }else{ + print""; + } + #if timeframe set, print new line in table + if ($$hash{$key}[18] eq 'ON'){ + my @days=(); + if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} + if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} + if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} + if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} + if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} + if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} + if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} + + my $weekdays=join(",",@days); + + if (@days){ + print""; + } + } + } + print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$ruletype"; + if ($$hash{$key}[3] eq 'std_net_src'){ + print &get_name($$hash{$key}[4]); + }else{ + print $$hash{$key}[4]; + } + &getsrcport(\%$hash,$key); + if ($$hash{$key}[17] eq 'ON'){ + $log="/images/on.gif"; + }else{ + $log="/images/off.gif"; + } + print< + +
+
+ + + + $$hash{$key}[16] + + + +
+ + + +
+ + + +
+ + + + + + + + + + + +
$Lang::tr{'fwdfw time'} "; + print"$weekdays"; + print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]
";
+ &Header::closebox();
+ }
+
+}
+sub fillselect
+{
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $key;
+ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash)
+ {
+ if($hash{$key}[0] eq $val){
+ print"";
+ }else{
+ print"";
+ }
+ }
+}
+sub rules
+{
+ if (!-f "${General::swroot}/forward/reread"){
+ system("touch ${General::swroot}/forward/reread");
+ }
+}
+sub reread_rules
+{
+ system("/usr/local/bin/forwardfwctrl");
+ system("rm ${General::swroot}/forward/reread");
+}
+&Header::closebigbox();
+&Header::closepage();
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
new file mode 100755
index 000000000..8fe281b74
--- /dev/null
+++ b/html/cgi-bin/fwhosts.cgi
@@ -0,0 +1,1970 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2011 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+# New function for forwarding firewall. To make it comfortable to create #
+# rules, we need "spelling names" for single Hosts. 
If you have any questions #
+# #
+###############################################################################
+use strict;
+
+# enable only the following on debugging purpose
+use warnings;
+use CGI::Carp 'fatalsToBrowser';
+no warnings 'uninitialized';
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+my %fwhostsettings=();
+my %customnetwork=();
+my %customhost=();
+my %customgrp=();
+my %customservice=();
+my %customservicegrp=();
+my %ccdnet=();
+my %ccdhost=();
+my %ipsecconf=();
+my %icmptypes=();
+my %color=();
+my %defaultNetworks=();
+my %mainsettings=();
+my %ownnet=();
+my %ipsecsettings=();
+
+my $errormessage;
+my $hint;
+my $update=0;
+my $confignet = "${General::swroot}/fwhosts/customnetworks";
+my $confighost = "${General::swroot}/fwhosts/customhosts";
+my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
+my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
+my $configipsec = "${General::swroot}/vpn/config";
+my $configsrv = "${General::swroot}/fwhosts/customservices";
+my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
+
+unless (-e $confignet) { system("touch $confignet"); }
+unless (-e $confighost) { system("touch $confighost"); }
+unless (-e $configgrp) { system("touch $configgrp"); }
+unless (-e $configsrv) { system("touch $configsrv"); }
+unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
+&Header::getcgihash(\%fwhostsettings);
+
+&Header::showhttpheaders();
+&Header::openpage($Lang::tr{'fwhost hosts'}, 1, '');
+&Header::openbigbox('100%', 'center');
+
+## ACTION ####
+# Update
+if ($fwhostsettings{'ACTION'} eq 'updatenet' 
)
+{
+ &General::readhasharray("$confignet", \%customnetwork);
+ foreach my $key (keys %customnetwork)
+ {
+ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'})
+ {
+ $fwhostsettings{'orgname'} = $customnetwork{$key}[0];
+ $fwhostsettings{'orgip'} = $customnetwork{$key}[1];
+ $fwhostsettings{'orgsub'} = $customnetwork{$key}[2];
+ $fwhostsettings{'count'} = $customnetwork{$key}[3];
+ delete $customnetwork{$key};
+
+ }
+ }
+ &General::writehasharray("$confignet", \%customnetwork);
+ $fwhostsettings{'actualize'} = 'on';
+ $fwhostsettings{'ACTION'} = 'savenet';
+}
+if ($fwhostsettings{'ACTION'} eq 'updatehost')
+{
+ my ($ip,$subnet);
+ &General::readhasharray("$confighost", \%customhost);
+ foreach my $key (keys %customhost)
+ {
+ if($customhost{$key}[0] eq $fwhostsettings{'orgname'})
+ {
+ $fwhostsettings{'orgname'} = $customhost{$key}[0];
+ if ($customhost{$key}[1] eq 'ip'){
+ ($ip,$subnet) = split (/\//,$customhost{$key}[2]);
+ }else{
+ $ip = $customhost{$key}[2];
+ }
+ $fwhostsettings{'orgip'} = $ip;
+ $fwhostsettings{'count'} = $customhost{$key}[3];
+ delete $customhost{$key};
+ }
+ }
+ &General::writehasharray("$confighost", \%customhost);
+ $fwhostsettings{'actualize'} = 'on';
+ $fwhostsettings{'ACTION'} = 'savehost';
+}
+if ($fwhostsettings{'ACTION'} eq 'updateservice')
+{
+ my $count=0;
+ my $needrules=0;
+ $errormessage=&checkports(\%customservice);
+
+ if (!$errormessage){
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $key (keys %customservice)
+ {
+ if ($customservice{$key}[0] eq $fwhostsettings{'oldsrvname'})
+ {
+ $count=$customservice{$key}[4];
+ delete $customservice{$key};
+ &General::writehasharray("$configsrv", \%customservice);
+ last;
+ }
+ }
+ if ($fwhostsettings{'PROT'} ne 'ICMP'){
+ $fwhostsettings{'ICMP_TYPES'}='BLANK';
+ }
+ my $key1 = &General::findhasharraykey(\%customservice);
+ foreach my $i (0 .. 
4) { $customservice{$key1}[$i] = "";} + $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'}; + $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'}; + $customservice{$key1}[2] = $fwhostsettings{'PROT'}; + $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'}; + $customservice{$key1}[4] = $count; + &General::writehasharray("$configsrv", \%customservice); + if($fwhostsettings{'updatesrv'} eq 'on'){ + if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ + $needrules='on'; + } + if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ + $needrules='on'; + } + } + $fwhostsettings{'SRV_NAME'} = ''; + $fwhostsettings{'SRV_PORT'} = ''; + $fwhostsettings{'PROT'} = ''; + + }else{ + $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'}; + $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'}; + $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'}; + $fwhostsettings{'updatesrv'}= 'on'; + } + + if($needrules eq 'on'){ + $errormessage="reread!"; + &rules; + } + + &addservice; +} +# save +if ($fwhostsettings{'ACTION'} eq 'savenet' ) +{ + my $count=0; + my $needrules=0; + if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} + + #check if all fields are set + if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; + &addnet; + &viewtablenet; + }else{ + #check valid ip + if (!&General::validipandmask($fwhostsettings{'IP'}."/".$fwhostsettings{'SUBNET'})) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err addr'}; + $fwhostsettings{'BLK_HOST'} ='readonly'; + $fwhostsettings{'NOCHECK'} ='false'; + $fwhostsettings{'error'} ='on'; + } + #check if subnet is sigle host + if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'}; + + } + if($fwhostsettings{'error'} ne 'on'){ + #check if we use 
one of ipfire's networks (green,orange,blue) + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err green'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'RED_NETADDRESS'},$ownnet{'RED_NETMASK'})) + { + $errormessage=$errormessage.$Lang::tr{'ccd err red'}."
"; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} + } + } + #only check plausi when no error till now + if (!$errormessage){ + &plausicheck("editnet"); + } + + #check if network ip is part of an already used one + if(&checksubnet(\%customnetwork)) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + } + + if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage) + { + $fwhostsettings{'actualize'} = ''; + my $key = &General::findhasharraykey (\%customnetwork); + foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} + $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ; + $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ; + $customnetwork{$key}[2] = $fwhostsettings{'orgsub'}; + $customnetwork{$key}[3] = $fwhostsettings{'count'}; + &General::writehasharray("$confignet", \%customnetwork); + undef %customnetwork; + } + + if (!$errormessage){ + &General::readhasharray("$confignet", \%customnetwork); + if ($fwhostsettings{'ACTION'} eq 'updatenet'){ + if ($fwhostsettings{'update'} == '0'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){ + $count=$customnetwork{$key}[3]; + delete $customnetwork{$key}; + last; + } + } + } + } + #get count if actualize is 'on' + if($fwhostsettings{'actualize'} eq 'on'){ + $fwhostsettings{'actualize'} = ''; + $count=$fwhostsettings{'count'}; + #check if we need to reload rules + if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0'){ + $needrules='on'; + } + if ($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){ + #check if we need to update groups + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (sort keys %customgrp){ + if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){ + $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'}; + 
last; + } + } + &General::writehasharray("$configgrp", \%customgrp); + } + } + my $key = &General::findhasharraykey (\%customnetwork); + foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} + $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); + $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'}; + #convert ip when leading '0' in byte + $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'}); + $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'}); + $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ; + $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ; + if($fwhostsettings{'newnet'} eq 'on'){$count=0;} + $customnetwork{$key}[3] = $count; + &General::writehasharray("$confignet", \%customnetwork); + $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + undef %customnetwork; + $fwhostsettings{'HOSTNAME'}=''; + $fwhostsettings{'IP'}=''; + $fwhostsettings{'SUBNET'}=''; + #check if an edited net affected groups and need to reload rules + if ($needrules eq 'on'){ + &rules; + } + &addnet; + &viewtablenet; + }else + { + &addnet; + &viewtablenet; + } + } + +} +if ($fwhostsettings{'ACTION'} eq 'savehost') +{ + my $count=0; + my $needrules=0; + if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} + + $fwhostsettings{'SUBNET'}='32'; + + #check if all fields are set + if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') + { + $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; + $fwhostsettings{'ACTION'} = 'edithost'; + }else{ + + if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ + $fwhostsettings{'type'} = 'mac'; + }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $fwhostsettings{'type'} = 
'ip'; + }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ + $fwhostsettings{'type'} = 'mac'; + }elsif($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $fwhostsettings{'type'} = 'ip'; + }else{ + $fwhostsettings{'type'} = ''; + $errormessage=$Lang::tr{'fwhost err ipmac'}; + } + + if($fwhostsettings{'type'} eq 'mac' ) + { + if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ ) + { + $errormessage=$Lang::tr{'fwhost err mac'}; + + } + } + #CHECK IP-PART + if ($fwhostsettings{'type'} eq 'ip'){ + #check for subnet + if (rindex($fwhostsettings{'IP'},'/') eq '-1' ){ + if($fwhostsettings{'type'} eq 'ip' && !&General::validipandmask($fwhostsettings{'IP'}."/32")) + { + $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'}; + $fwhostsettings{'error'}='on'; + } + + }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){ + $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'}; + $fwhostsettings{'error'}='on'; + } + #check if net or broadcast + my @tmp= split (/\./,$fwhostsettings{'IP'}); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")){ + $errormessage=$Lang::tr{'fwhost err hostip'}; + } + } + + + + #only check plausi when no error till now + if (!$errormessage){ + &plausicheck("edithost"); + } + + if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){ + $fwhostsettings{'actualize'} = ''; + my $key = &General::findhasharraykey (\%customhost); + foreach my $i (0 .. 
3) { $customhost{$key}[$i] = "";} + $customhost{$key}[0] = $fwhostsettings{'orgname'} ; + $customhost{$key}[1] = $fwhostsettings{'type'} ; + if($customhost{$key}[1] eq 'ip'){ + $customhost{$key}[2] = $fwhostsettings{'orgip'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + }else{ + $customhost{$key}[2] = $fwhostsettings{'orgip'}; + } + $customhost{$key}[3] = $fwhostsettings{'count'}; + &General::writehasharray("$confighost", \%customhost); + undef %customhost; + + } + + if (!$errormessage){ + #get count if host was edited + if($fwhostsettings{'actualize'} eq 'on'){ + $count=$fwhostsettings{'count'}; + if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0' ){ + $needrules='on'; + } + if($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){ + #check if we need to update groups + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (sort keys %customgrp){ + if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){ + $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'}; + last; + } + } + &General::writehasharray("$configgrp", \%customgrp); + } + + + } + my $key = &General::findhasharraykey (\%customhost); + foreach my $i (0 .. 
3) { $customhost{$key}[$i] = "";} + $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ; + $customhost{$key}[1] = $fwhostsettings{'type'} ; + if ($fwhostsettings{'type'} eq 'ip'){ + #convert ip when leading '0' in byte + $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'}); + $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'}); + $customhost{$key}[2] = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + }else{ + $customhost{$key}[2] = $fwhostsettings{'IP'}; + } + if($fwhostsettings{'newhost'} eq 'on'){$count=0;} + $customhost{$key}[3] = $count; + &General::writehasharray("$confighost", \%customhost); + + #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); + undef %customhost; + $fwhostsettings{'HOSTNAME'}=''; + $fwhostsettings{'IP'}=''; + $fwhostsettings{'type'}=''; + #check if we need to update rules while host was edited + if($needrules eq 'on'){ + &rules; + } + &addhost; + &viewtablehost; + }else{ + &addhost; + &viewtablehost; + } + + } + +} +if ($fwhostsettings{'ACTION'} eq 'savegrp') +{ + my $grp; + my $rem=$fwhostsettings{'remark'}; + my $count; + my $type; + my $updcounter='off'; + my @target; + my @newgrp; + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$confighost", \%customhost); + $grp=$fwhostsettings{'grp_name'}; + + if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};} + + ###check standard networks + if ($fwhostsettings{'grp2'} eq 'std_net'){ + @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; + $type='Standard Network'; + } + ##check custom networks + if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_NET'}; + $updcounter='net'; + $type='Custom Network'; + }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){ + 
$errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #check custom addresses + if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_HOST'}; + $updcounter='host'; + $type='Custom Host'; + }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static net + if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_NET'}; + $type='OpenVPN static network'; + }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static host + if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_HOST'}; + $type='OpenVPN static host'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + } + #get address from ovpn ccd Net-2-Net + if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){ + @target=$fwhostsettings{'OVPN_N2N'}; + $type='OpenVPN N-2-N'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + + #get address from IPSEC HOST + if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ + @target=$fwhostsettings{'IPSEC_HOST'}; + $type='IpSec Host'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC NETWORK + if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){ + @target=$fwhostsettings{'IPSEC_NET'}; + $type='IpSec Network'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + 
$fwhostsettings{'remark'}=''; + } + + #check if host/net exists in grp + my $test="$grp,$fwhostsettings{'oldremark'},@target"; + foreach my $key (keys %customgrp) { + my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; + if ($test1 eq $test){ + $errormessage=$Lang::tr{'fwhost err isingrp'}; + $fwhostsettings{'update'} = 'on'; + } + } + + if (!$errormessage){ + #on first save, we have an empty @target, so fill it with nothing + my $targetvalues=@target; + if ($targetvalues == '0'){ + @target=$Lang::tr{'fwhost empty'}; + } + #on update, we have to delete the dummy entry + + foreach my $key (keys %customgrp){ + if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ + delete $customgrp{$key}; + last; + } + } + &General::writehasharray("$configgrp", \%customgrp); + &General::readhasharray("$configgrp", \%customgrp); + + + + #check if remark has also changed + if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $fwhostsettings{'update'} eq 'on') + { + foreach my $key (keys %customgrp) + { + if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'}) + { + $customgrp{$key}[1]=''; + $customgrp{$key}[1]=$rem; + } + } + } + #get count used + foreach my $key (keys %customgrp) + { + if($customgrp{$key}[0] eq $grp) + { + $count=$customgrp{$key}[4]; + last; + } + } + if ($count eq '' ){$count='0';} + + #create array with new lines + foreach my $line (@target){ + push (@newgrp,"$grp,$rem,$line"); + } + #append new entries + my $key = &General::findhasharraykey (\%customgrp); + foreach my $line (@newgrp){ + foreach my $i (0 .. 
4) { $customgrp{$key}[$i] = "";} + my ($a,$b,$c,$d) = split (",",$line); + $customgrp{$key}[0] = $a; + $customgrp{$key}[1] = $b; + $customgrp{$key}[2] = $c; + $customgrp{$key}[3] = $type; + $customgrp{$key}[4] = $count; + } + &General::writehasharray("$configgrp", \%customgrp); + + #update counter in Host/Net + if($updcounter eq 'net'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){ + $customnetwork{$key}[3] = $customnetwork{$key}[3]+1; + last; + } + } + &General::writehasharray("$confignet", \%customnetwork); + }elsif($updcounter eq 'host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){ + $customhost{$key}[3]=$customhost{$key}[3]+1; + } + } + &General::writehasharray("$confighost", \%customhost); + } + + $fwhostsettings{'update'}='on'; + + } + if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $errormessage) + { + foreach my $key (keys %customgrp) + { + if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'}) + { + $customgrp{$key}[1]=''; + $customgrp{$key}[1]=$rem; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $errormessage=''; + $hint=$Lang::tr{'fwhost changeremark'}; + $fwhostsettings{'update'}='on'; + } + #check if ruleupdate is needed + if($count > 0 ) + { + &rules; + } + &addgrp; + &viewtablegrp; + +} +if ($fwhostsettings{'ACTION'} eq 'saveservice') +{ + my $ICMP; + + &General::readhasharray("$configsrv", \%customservice ); + $errormessage=&checkports(\%customservice); + + if ($fwhostsettings{'PROT'} eq 'ICMP'){ + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){ + $ICMP=$icmptypes{$key}[0]; + } + } + } + if($ICMP eq ''){$ICMP='BLANK';} + if (!$errormessage){ + + my $key = &General::findhasharraykey (\%customservice); + 
foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";} + $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'}; + $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'}; + $customservice{$key}[2] = $fwhostsettings{'PROT'}; + $customservice{$key}[3] = $ICMP; + $customservice{$key}[4] = 0; + &General::writehasharray("$configsrv", \%customservice ); + #reset fields + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + $fwhostsettings{'ICMP_TYPES'}=''; + + } + + &addservice; + +} +if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') +{ + my $prot; + my $port; + my $count=0; + &General::readhasharray("$configsrvgrp", \%customservicegrp ); + &General::readhasharray("$configsrv", \%customservice ); + + $errormessage=&checkservicegroup; + + if (!$errormessage){ + #on first save, we have to enter a dummy value + if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};} + + #on update, we have to delete the dummy entry + foreach my $key (keys %customservicegrp){ + if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ + delete $customservicegrp{$key}; + last; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp ); + #check if remark has also changed + if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $fwhostsettings{'updatesrvgrp'} eq 'on') + { + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'}; + } + } + } + #get count used + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + $count=$customservicegrp{$key}[5]; + last; + } + } + if ($count eq '' ){$count='0';} + + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq 
$fwhostsettings{'CUST_SRV'}){ + $port=$customservice{$key}[1]; + $prot=$customservice{$key}[2]; + $customservice{$key}[4]++; + } + } + &General::writehasharray("$configsrv", \%customservice ); + + my $key = &General::findhasharraykey (\%customservicegrp); + foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";} + $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'}; + $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'}; + $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'}; + $customservicegrp{$key}[3] = $port; + $customservicegrp{$key}[4] = $prot; + $customservicegrp{$key}[5] = $count; + &General::writehasharray("$configsrvgrp", \%customservicegrp ); + $fwhostsettings{'updatesrvgrp'}='on'; + } + if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $errormessage){ + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $errormessage=''; + $hint=$Lang::tr{'fwhost changeremark'}; + $fwhostsettings{'update'}='on'; + } + if ($count gt 0){ + &rules; + } + &addservicegrp; + &viewtableservicegrp; +} +# edit +if ($fwhostsettings{'ACTION'} eq 'editnet') +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'edithost') +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq 'editgrp') +{ + $fwhostsettings{'update'}='on'; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'editservice') +{ + $fwhostsettings{'updatesrv'}='on'; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'editservicegrp') +{ + $fwhostsettings{'updatesrvgrp'} = 'on'; + &addservicegrp; + &viewtableservicegrp; +} +# reset +if ($fwhostsettings{'ACTION'} eq 'resetnet') +{ + $fwhostsettings{'HOSTNAME'} =""; + 
$fwhostsettings{'IP'} =""; + $fwhostsettings{'SUBNET'} =""; + &showmenu; +} +if ($fwhostsettings{'ACTION'} eq 'resethost') +{ + $fwhostsettings{'HOSTNAME'} =""; + $fwhostsettings{'IP'} =""; + $fwhostsettings{'type'} =""; + &showmenu; +} +# delete +if ($fwhostsettings{'ACTION'} eq 'delnet') +{ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key (keys %customnetwork) { + if($fwhostsettings{'key'} eq $customnetwork{$key}[0]){ + delete $customnetwork{$key}; + &General::writehasharray("$confignet", \%customnetwork); + last; + } + } + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'delhost') +{ + &General::readhasharray("$confighost", \%customhost); + foreach my $key (keys %customhost) { + if($fwhostsettings{'key'} eq $customhost{$key}[0]){ + delete $customhost{$key}; + &General::writehasharray("$confighost", \%customhost); + last; + } + } + &addhost; + &viewtablehost; + +} +if ($fwhostsettings{'ACTION'} eq 'deletegrphost') +{ + &General::readhasharray("$configgrp", \%customgrp); + foreach my $key (keys %customgrp){ + if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){ + #decrease count from source host/net + if ($customgrp{$key}[3] eq 'Custom Network'){ + &General::readhasharray("$confignet", \%customnetwork); + foreach my $key1 (keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1; + last; + } + } + &General::writehasharray("$confignet", \%customnetwork); + } + if ($customgrp{$key}[3] eq 'Custom Host'){ + &General::readhasharray("$confighost", \%customhost); + foreach my $key1 (keys %customhost){ + if ($customhost{$key1}[0] eq $customgrp{$key}[2]){ + $customhost{$key1}[3] = $customhost{$key1}[3]-1; + last; + } + } + &General::writehasharray("$confighost", \%customhost); + } + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + &rules; + 
&addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrp') +{ + &General::readhasharray("$configgrp", \%customgrp); + &decrease($fwhostsettings{'grp_name'}); + foreach my $key (sort keys %customgrp) + { + if($customgrp{$key}[0] eq $fwhostsettings{'grp_name'}) + { + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + $fwhostsettings{'grp_name'}=''; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delservice') +{ + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (keys %customservice) { + if($customservice{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + #&deletefromgrp($customhost{$key}[0],$configgrp); + delete $customservice{$key}; + &General::writehasharray("$configsrv", \%customservice); + last; + } + } + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'delservicegrp') +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp); + &decreaseservice($fwhostsettings{'SRVGRP_NAME'}); + foreach my $key (sort keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + delete $customservicegrp{$key}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $fwhostsettings{'SRVGRP_NAME'}=''; + &addservicegrp; + &viewtableservicegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrpservice') +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp); + &General::readhasharray("$configsrv", \%customservice); + foreach my $key (keys %customservicegrp){ + if($customservicegrp{$key}[0].",".$customservicegrp{$key}[1].",".$customservicegrp{$key}[2].",".$customservicegrp{$key}[3] eq $fwhostsettings{'delsrvfromgrp'}) + { + #decrease count from source service + foreach my $key1 (sort keys %customservice){ + if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key1}[4]--; + last; + } + } + 
&General::writehasharray("$configsrv", \%customservice); + delete $customservicegrp{$key} + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + &rules; + &addservicegrp; + &viewtableservicegrp; + +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newnet'}) +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newhost'}) +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgrp'}) +{ + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'}) +{ + &addservice; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'}) +{ + &addservicegrp; + &viewtableservicegrp; +} +### VIEW ### +if($fwhostsettings{'ACTION'} eq '') +{ + &showmenu; +} +### FUNCTIONS ### +sub showmenu +{ + + &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); + print<
+ + +
+END + + &Header::closebox(); + +} +# Add +sub addnet +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + print<
+ $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}: +
+END + if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') + { + print ""; + }else{ + print ""; + } + print "
"; + &Header::closebox(); +} +sub addhost +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + print<
+ $Lang::tr{'name'}:IP/MAC: +

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'} +
+END + + if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') + { + + print "
"; + }else{ + print " "; + } + print "
"; + &Header::closebox(); +} +sub addgrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'}); + &General::setup_default_networks(\%defaultNetworks); + my %checked=(); + $checked{'check1'}{'off'} = ''; + $checked{'check1'}{'on'} = ''; + $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED'; + $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'}; + + if ($fwhostsettings{'update'} eq ''){ + print<
+ $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: +
+END + }else{ + print< + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: +
+END + + } + if ($fwhostsettings{'update'} eq 'on'){ + + + print<$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec host'}
+
+END + + &Header::closebox(); +} +sub addservice +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservice'}); + if ($fwhostsettings{'updatesrv'} eq 'on') + { + $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; + $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'}; + $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'}; + } + print<
+ $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}: + $Lang::tr{'fwhost icmptype'} + + +
+END + + }else{ + print""; + } + print< + + + +END + &Header::closebox(); + &viewtableservice; +} +sub addservicegrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'}); + $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'}; + + if ($fwhostsettings{'updatesrvgrp'} eq ''){ + print<
+ $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: +
+ +END + }else{ + print< + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: +
+ +END + } + if($fwhostsettings{'updatesrvgrp'} eq 'on'){ + + + print< + $Lang::tr{'fwhost cust service'}
+
+END + + &Header::closebox(); +} +# View +sub viewtablenet +{ + if(! -z $confignet){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust net'}); + &General::readhasharray("$confignet", \%customnetwork); + if (!keys %customnetwork) + { + print "
$Lang::tr{'fwhost empty'}"; + }else{ + print< + $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}$Lang::tr{'used'} +END + } + my $count=0; + foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) { + if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) { + print" "; + }elsif ($count % 2) + { + print" "; + }else + { + print" "; + } + print<
$customnetwork{$key}[0]$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3] x + + + + + +
+END + if($customnetwork{$key}[3] == '0') + { + print"
"; + }else{ + print""; + } + $count++; + } + print""; + &Header::closebox(); + } + +} +sub viewtablehost +{ + if (! -z $confighost){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust addr'}); + &General::readhasharray("$confighost", \%customhost); + if (!keys %customhost) + { + print "
$Lang::tr{'fwhost empty'}"; + }else{ + print< + $Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'used'} +END + } + my $count=0; + foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) { + if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { + print" "; + }elsif ($count % 2){ print" ";} + else{ print" ";} + my ($ip,$sub)=split(/\//,$customhost{$key}[2]); + print<
$customhost{$key}[0]$customhost{$key}[2]$customhost{$key}[3] x + + + + + +
+END + if($customhost{$key}[3] == '0') + { + print"
"; + }else{ + print""; + } + $count++; + } + print""; + &Header::closebox(); + } +} +sub viewtablegrp +{ + if(! -z "$configgrp"){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust grp'}); + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$configipsec", \%ipsecconf); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$confignet", \%customnetwork); + my @grp=(); + my $helper=''; + my $count=0; + my $grpname; + my $remark; + my $number=keys %customgrp; + if (!keys %customgrp) + { + print "
$Lang::tr{'fwhost empty'}"; + }else{ + foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ + + $count++; + if ($helper ne $customgrp{$key}[0]){ + $grpname=$customgrp{$key}[0]; + $remark=$customgrp{$key}[1]; + if($count >=2){print"";} + print "
$grpname    "; + print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); + print "$Lang::tr{'used'}: $customgrp{$key}[4] x"; + if($customgrp{$key}[4] == '0') + { + print"
"; + } + print"
"; + print""; + } + if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { + print" "; + }elsif ($count %2 == 0){print"";}else{print"";} + my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]); + if ($ip eq ''){print"";} + + + print ""; + }else{ + print "$customgrp{$key}[2]"; + } + if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ + print ""; + + $helper=$customgrp{$key}[0]; + } + print"
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; + if($customgrp{$key}[3] eq 'Standard Network'){ + print &get_name($customgrp{$key}[2])."$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]
"; + }else{ + print"
$ip$customgrp{$key}[3]"; + } + if ($number gt '1' && $ip ne ''){ + print""; + } + print"
"; + + } + &Header::closebox(); +} + +} +sub viewtableservice +{ + my $count=0; + if(! -z "$configsrv") + { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'}); + &General::readhasharray("$configsrv", \%customservice); + print< + $Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'} +END + foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice) + { + $count++; + if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { + print" "; + }elsif ($count % 2){ print" ";}else{ print" ";} + print<$customservice{$key}[0]$customservice{$key}[2]$customservice{$key}[1] +END + if($customservice{$key}[3] ne 'BLANK'){print $customservice{$key}[3];} + + print<$customservice{$key}[4]x +
+ + +
+END + if ($customservice{$key}[4] eq '0') + { + print"
"; + }else{ + print""; + } + } + print""; + &Header::closebox(); + } +} +sub viewtableservicegrp +{ + my $count=0; + my $grpname; + my $remark; + my $helper; + if (! -z $configsrvgrp){ + + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + my $number= keys %customservicegrp; + foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){ + $count++; + if ($helper ne $customservicegrp{$key}[0]){ + $grpname=$customservicegrp{$key}[0]; + $remark=$customservicegrp{$key}[1]; + if($count >=2){print"";} + print "
$grpname     "; + print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); + print "  $Lang::tr{'used'}: $customservicegrp{$key}[5] x"; + if($customservicegrp{$key}[5] == '0') + { + print"
"; + } + print"
"; + print""; + } + if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { + print" "; + }elsif ($count %2 == 0){print"";}else{print"";} + print ""; + print""; + $helper=$customservicegrp{$key}[0]; + } + print"
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
$customservicegrp{$key}[2]$customservicegrp{$key}[3]$customservicegrp{$key}[4]
"; + if ($number gt '1'){ + print""; + } + print"
"; + &Header::closebox(); + } +} +# Check +sub checkname +{ + my %hash=%{(shift)}; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + return 0; + } + } + return 1; + +} +sub checkip +{ + + my %hash=%{(shift)}; + my $a=shift; + foreach my $key (keys %hash) { + if($hash{$key}[$a] eq $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'})){ + return 0; + } + } + return 1; +} +sub checksubnet +{ + + my %hash=%{(shift)}; + &General::readhasharray("$confignet", \%hash); + foreach my $key (keys %hash) { + if(&General::IpInSubnet($fwhostsettings{'IP'},$hash{$key}[1],$hash{$key}[2])) + { + return 1; + } + } + return 0; +} +sub checkservicegroup +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp); + + + #check name + if ( ! &General::validhostname($fwhostsettings{'SRVGRP_NAME'})) + { + $errormessage.=$Lang::tr{'fwhost err name'}."
"; + return $errormessage; + } + #check remark + if ( ($fwhostsettings{'SRVGRP_REMARK'} ne '') && (! &validhostname($fwhostsettings{'SRVGRP_REMARK'}))) + { + $errormessage.=$Lang::tr{'fwhost err remark'}."
"; + } + #check empty selectbox + if (keys %customservice lt 1) + { + $errormessage.=$Lang::tr{'fwhost err groupempty'}."
"; + } + + #check if name already exists + if ($fwhostsettings{'updatesrvgrp'} ne 'on'){ + foreach my $key (keys %customservicegrp) { + if( $customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} ){ + $errormessage.=$Lang::tr{'fwhost err grpexist'}."
"; + + } + } + } + #check if service already exists in group + foreach my $key (keys %customservicegrp) { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){ + $errormessage.=$Lang::tr{'fwhost err srvexist'}."
"; + + } + } + + + + return $errormessage; +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); + } +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "$hint\n"; + print " \n"; + &Header::closebox(); + } +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(\%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} +sub deletefromgrp +{ + my $target=shift; + my $config=shift; + my %hash=(); + &General::readhasharray("$config",\%hash); + foreach my $key (keys %hash) { + $errormessage.="lese $hash{$key}[2] und $target
"; + if($hash{$key}[2] eq $target){ + + delete $hash{$key}; + $errormessage.="Habe $target aus Gruppe gelöscht!
"; + } + } + &General::writehasharray("$config",\%hash); + +} +sub plausicheck +{ + + my $edit=shift; + #check hostname + if (!&General::validhostname($fwhostsettings{'HOSTNAME'})) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err name'}; + $fwhostsettings{'BLK_IP'}='readonly'; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if name collides with CCD Netname + + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (keys %ccdnet) { + if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdnet'};; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + + #check if IP collides with CCD NetIP + if ($fwhostsettings{'type'} ne 'mac'){ + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (keys %ccdnet) { + my $test=(&General::getnetworkip($fwhostsettings{'IP'},&General::iporsubtocidr($fwhostsettings{'SUBNET'})))."/".$fwhostsettings{'SUBNET'}; + if($ccdnet{$key}[1] eq $test){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdipnet'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgip'}; + $fwhostsettings{'SUBNET'} = $fwhostsettings{'orgsubnet'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + + + + #check if name collides with CCD Hostname + &General::readhasharray("$configccdhost", \%ccdhost); + foreach my $key (keys %ccdhost) { + my ($ip,$sub)=split(/\//,$ccdhost{$key}[33]); + if($ip eq $fwhostsettings{'IP'}){ + $errormessage=$Lang::tr{'fwhost err isccdiphost'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + #check if IP collides with CCD HostIP (only hosts) + if ($edit eq 'edithost') + { + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $fwhostsettings{'HOSTNAME'}){ + 
$errormessage=$Lang::tr{'fwhost err isccdhost'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + #check if network with this name already exists + &General::readhasharray("$confignet", \%customnetwork); + if (!&checkname(\%customnetwork)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err netexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if network ip already exists + if (!&checkip(\%customnetwork,1)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err net'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this name already exists + &General::readhasharray("$confighost", \%customhost); + if (!&checkname(\%customhost)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err hostexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this ip already exists + if (!&checkip(\%customhost,2)) + { + $errormessage=$errormessage."
".$Lang::tr{'fwhost err ipcheck'}; + + } + + + return; +} +sub getipforgroup +{ + my $name=$_[0], + my $type=$_[1]; + my $value; + + #get address from IPSEC NETWORK + if ($type eq 'IpSec Network'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[11]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from IPSEC HOST + if ($type eq 'IpSec Host'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[10]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd Net-2-Net + if ($type eq 'OpenVPN N-2-N'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = split ("/",$ccdhost{$key}[11]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static host + if ($type eq 'OpenVPN static host'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = split (/\//,$ccdhost{$key}[33]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static net + if ($type eq 'OpenVPN static network'){ + foreach my $key (keys %ccdnet) { + if ($ccdnet{$key}[0] eq $name){ + my ($a,$b) = split (/\//,$ccdnet{$key}[1]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + } + + #check custom addresses + if ($type eq 'Custom Host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $name){ + return $customhost{$key}[2]; + } + } + } + + ##check custom networks + if ($type eq 'Custom Network'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $name){ + return $customnetwork{$key}[1]."/".$customnetwork{$key}[2]; + } + } + } + + #check standard networks + if ($type eq 'Standard Network'){ + if ($name =~ /OpenVPN/i){ + my %ovpn=(); + &General::readhash("${General::swroot}/ovpn/settings",\%ovpn); + return 
$ovpn{'DOVPN_SUBNET'}; + } + if ($name eq 'GREEN'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'}; + } + if ($name eq 'BLUE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'}; + } + if ($name eq 'ORANGE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",\%hash); + return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'}; + } + if ($name eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + } + if ($name =~ /IPsec/i){ + my %hash=(); + &General::readhash("${General::swroot}/vpn/settings",\%hash); + return $hash{'RW_NET'}; + } + } +} +sub rules +{ + system ("/usr/local/bin/forwardfwctrl"); + system("rm ${General::swroot}/forward/reread"); +} +sub decrease +{ + my $grp=$_[0]; + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$confighost", \%customhost); + foreach my $key (sort keys %customgrp ){ + if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){ + foreach my $key1 (sort keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[3]=$customnetwork{$key1}[3]-1; + last; + } + } + } + + if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){ + foreach my $key2 (sort keys %customhost){ + if ($customhost{$key2}[0] eq $customgrp{$key}[2]){ + $customhost{$key2}[3]=$customhost{$key2}[3]-1; + last; + } + } + + } + } + &General::writehasharray("$confignet", \%customnetwork); + &General::writehasharray("$confighost", \%customhost); +} +sub decreaseservice +{ + my $grp=$_[0]; + &General::readhasharray("$configsrv", \%customservice); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + + foreach my $key (sort keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $grp ){ + foreach my $key2 (sort keys %customservice){ + if 
($customservice{$key2}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key2}[4]--; + } + } + } + } + &General::writehasharray("$configsrv", \%customservice); + +} +sub checkports +{ + + my %hash=%{(shift)}; + #check empty fields + if ($fwhostsettings{'SRV_NAME'} eq '' ){ + $errormessage=$Lang::tr{'fwhost err name1'}; + } + if ($fwhostsettings{'SRV_PORT'} eq '' && $fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage=$Lang::tr{'fwhost err port'}; + } + #check valid name + if (! &General::validhostname($fwhostsettings{'SRV_NAME'})){ + $errormessage="
".$Lang::tr{'fwhost err name'}; + } + #change dashes with : + $fwhostsettings{'SRV_PORT'}=~ tr/-/:/; + + if ($fwhostsettings{'SRV_PORT'} eq "*") { + $fwhostsettings{'SRV_PORT'} = "1:65535"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\D)\:(\d+)$/) { + $fwhostsettings{'SRV_PORT'} = "1:$2"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\d+)\:(\D)$/) { + $fwhostsettings{'SRV_PORT'} = "$1:65535"; + } + if($fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage = $errormessage.&General::validportrange($fwhostsettings{'SRV_PORT'}, 'src'); + } + # a new service has to have a different name + foreach my $key (keys %hash){ + if ($hash{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + $errormessage = "
".$Lang::tr{'fwhost err srv exists'}; + last; + } + } + return $errormessage; +} +sub validhostname +{ + # Checks a hostname against RFC1035 + my $hostname = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($hostname) < 1 || length ($hostname) > 63) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) { + return 0;} + return 1; +} + +&Header::closebigbox(); +&Header::closepage(); From 14f7cb87b993267a1d76098ab9fa088533af1e18 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 28 Dec 2012 13:29:34 +0100 Subject: [PATCH 003/306] Forward Firewall: fixed rules.pl error when using manual target address Signed-off-by: Alexander Marx --- config/forwardfw/rules.pl | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index d6bd3c9d6..8c9e2ba52 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -111,7 +111,9 @@ sub preparerules } sub buildrules { + my $hash=shift; + foreach my $key (sort keys %$hash){ if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -132,7 +134,7 @@ sub buildrules } } }elsif($$hash{$key}[5] eq 'ipfire'){ - + if($$hash{$key}[6] eq 'Default IP'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; 
@@ -147,20 +149,19 @@ sub buildrules }else{ &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); } - ##get source prot and port $SRC_TGT='SRC'; $SPROT = &get_prot($hash,$key); $SPORT = &get_port($hash,$key); $SRC_TGT=''; - + ##get target prot and port $DPROT=&get_prot($hash,$key); - + if ($DPROT eq ''){$DPROT=' ';} @DPROT=split(",",$DPROT); - - + + #get time if defined if($$hash{$key}[18] eq 'ON'){ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} @@ -245,7 +246,7 @@ sub get_address } my $key = &General::findhasharraykey($hash); if($base eq 'src_addr' || $base eq 'tgt_addr' ){ - $$hash{$key}[0] = $configfwdfw{$key}[4]; + $$hash{$key}[0] = $base2; }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2); }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ From 55674e0d3877ac07f71e26e0d07dacc6baf5759f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 29 Dec 2012 07:09:37 +0100 Subject: [PATCH 004/306] Forward Firewall: fixed Typos Signed-off-by: Alexander Marx --- html/cgi-bin/forwardfw.cgi | 8 ++++---- html/cgi-bin/fwhosts.cgi | 2 +- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index be2f0cfea..6ed0a9b22 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -577,7 +577,7 @@ sub checksource my @tmp= split (/\./,$ip); if (($tmp[3] eq "0") || ($tmp[3] eq "255")) { - $errormessage=$Lang::tr{'fwhost err hostip'}; + $errormessage=$Lang::tr{'fwhost err hostip'}."
"; } $fwdfwsettings{'src_addr'}="$ip/$subnet"; @@ -650,9 +650,9 @@ sub checktarget my @tmp= split (/\./,$ip); if (($tmp[3] eq "0") || ($tmp[3] eq "255")) { - $errormessage=$Lang::tr{'fwhost err hostip'}; + $errormessage=$Lang::tr{'fwhost err hostip'}."
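Review bot: The changed `fwhost err hostip` line in this checksource hunk assigns with `=`, so any error text already collected in `$errormessage` is discarded; the same `=` appears in the checktarget hunk just below, where the very next check (`fwdfw err tgt_addr`) appends with `.=`, so the two styles are mixed inside one validation pass. Change both to `$errormessage.=$Lang::tr{'fwhost err hostip'}.…;` so earlier messages survive. The last-octet test (`$tmp[3] eq "0" || $tmp[3] eq "255"`) appears to be a network/broadcast guard that only holds for a /24; with the `$subnet` visible on the next line available, a mask-aware check would avoid rejecting legitimate hosts such as x.y.1.0 in a /16 — worth confirming against the intended semantics. Both checksource and checktarget start outside their hunks.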
"; } - $fwdfwsettings{'tgt_addr'}=$ip."/".$subnet; + $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; @@ -762,7 +762,7 @@ sub checkrule my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2); if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ $hint=$Lang::tr{'fwdfw hint ip1'}."
"; - $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target:$networkip2/$tcidr
"; + $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } }else{ diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 8fe281b74..e82aca576 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1226,7 +1226,7 @@ END print""; } print< +
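Review bot: The context line `my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2);` at the top of this checkrule hunk splits on the regex `.` (split's first argument is a pattern, and only a single-space string is special), which matches every character and yields no fields, so all four `$tbyte` variables are undefined. The following comparison `$sbyte1 eq $tbyte1 && …` therefore cannot be testing octets as intended; if `$networkip1` is split the same way on the line above the hunk, the hint would fire for every rule. Use `my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2);`, matching the `split (/\./,$ip)` form already used in checksource and checktarget. checkrule starts and ends outside this hunk.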
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a6989d3fe..d31d3c7d1 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -953,7 +953,7 @@ 'fwhost addrule' => 'Neue Regel hinzufügen:', 'fwhost any' => 'Alle', 'fwhost attention' => 'ACHTUNG', -'fwhost back' => 'Übernehmen', +'fwhost back' => 'Zurück', 'fwhost blue' => 'Blau', 'fwhost ccdhost' => 'OpenVPN Clients:', 'fwhost ccdnet' => 'OpenVPN Netzwerke:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 77e24130d..6175c2b40 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -936,11 +936,11 @@ 'fwdfw err tgtport' => 'Please provide target port.', 'fwdfw err tgt_addr' => 'Invalid target IP-address.', 'fwdfw err tgt_port' => 'Invalid target port', -'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.', +'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.', 'fwdfw err tgt_grp' => 'Target servicegroup is empty', 'fwdfw err time' => 'You have to define at least one day.', 'fwdfw from' => 'From:', -'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.', +'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.', 'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ', 'fwdfw ipsec network' => 'IpSec networks:', 'fwdfw log rule' => 'Log rule', @@ -978,7 +978,7 @@ 'fwhost addrule' => 'Add new rule:', 'fwhost any' => 'Any', 'fwhost attention' => 'ATTENTION', -'fwhost back' => 'commit', +'fwhost back' => 'back', 'fwhost blue' => 'Blue', 'fwhost ccdhost' => 'OpenVPN clients:', 'fwhost ccdnet' => 'OpenVPN networks:', From d24a34cbdc529fcb9122ed7f99bc48c4a83263bb Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 1 Jan 2013 06:17:06 +0100 Subject: [PATCH 005/306] Forward Firewall: changed remarkfield to have maximum 255 chars. Changed Layout from viewtablerule. 
Signed-off-by: Alexander Marx --- html/cgi-bin/forwardfw.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6ed0a9b22..1f5ea0044 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1266,7 +1266,7 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< - $Lang::tr{'remark'}: + $Lang::tr{'remark'}: $Lang::tr{'fwdfw rule activate'} $Lang::tr{'fwdfw log rule'}

@@ -1464,7 +1464,7 @@ sub validremark # Each part should be at least two characters in length # but no more than 63 characters - if (length ($remark) < 1 || length ($remark) > 63) { + if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) { @@ -1547,7 +1547,7 @@ sub viewtablenew &General::readhasharray("$config", $hash); print"$title1
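Review bot: The comment directly above the changed length check in validremark still reads "Each part should be at least two characters in length / but no more than 63 characters", which now contradicts both the `< 1` lower bound and the new `> 255` upper bound. Replace it with `# A remark must be between 1 and 255 characters long` so the next reader does not take 63 as the limit. validremark's body continues outside the hunk.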
"; print""; - print""; + print""; foreach my $key (sort keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted @@ -1637,7 +1637,7 @@ END - - +
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
+ @@ -1645,7 +1645,7 @@ END END print< + END if ($$hash{$key}[5] eq 'std_net_tgt'){ print &get_name($$hash{$key}[6]); From 231499fcc85bfb6ae4fbb03fbaca2873984be103 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 08:14:28 +0100 Subject: [PATCH 006/306] Forward Firewall: build iso with new firewall --- config/outgoingfw/defaultservices | 34 --- config/outgoingfw/outgoingfw.pl | 286 ------------------ config/rootfiles/common/configroot | 2 +- lfs/configroot | 18 +- src/initscripts/init.d/firewall | 16 +- src/misc-progs/Makefile | 9 +- .../{outgoingfwctrl.c => forwardfwctrl.c} | 7 +- 7 files changed, 22 insertions(+), 350 deletions(-) delete mode 100644 config/outgoingfw/defaultservices delete mode 100644 config/outgoingfw/outgoingfw.pl rename src/misc-progs/{outgoingfwctrl.c => forwardfwctrl.c} (75%) diff --git a/config/outgoingfw/defaultservices b/config/outgoingfw/defaultservices deleted file mode 100644 index f2cf47514..000000000 --- a/config/outgoingfw/defaultservices +++ /dev/null 
@@ -1,34 +0,0 @@ -bootpc,68,tcp&udp,Bootstrap Protocol Client -bootps,67,tcp&udp,Bootstrap Protocol Server -domain,53,tcp&udp,Domain Name Server -echo,7,tcp&udp,Echo -ftp,21,tcp&udp,File Transfer Control -ftp-data,20,tcp&udp,File Control Data -http,80,tcp,Hypertext Transfer Protocol -https,443,tcp,secure HTTP -imap,143,tcp,Interactive Mail Access Protocol -imap3,220,tcp,Interactive Mail Access Protocol v3 -imaps,993,tcp,secure IMAP -ipfire-https,444,tcp,IPFire HTTPS -ipfire-ssh,222,tcp&udp,IPFire SSH -irc,194,tcp&udp,Internet Relay Chat -ircd,6667,tcp&udp,Internet Relay Chat -microsoft-ds,445,tcp&udp,Netbios Filesharing -nameserver,42,tcp&udp,Host Name Server -netbios-dgm,138,tcp&udp,NETBIOS Datagram Service -netbios-ns,137,tcp&udp,NETBIOS Name Server -netbios-ssn,139,tcp&udp,NETBIOS Session Service -nfs,2049,tcp&udp,Network File System -ntp,123,udp,Network Time Protocol -pop3,110,tcp,POP3 Email -pop3s,995,tcp,secure POP3 Email -sftp,115,tcp&udp,secure File Transfer Protocol -smtp,25,tcp,Simple Mail Transfer Protocol -smtps,465,tcp,secure Simple Mail Transfer Protocol -snmp,161,tcp&udp,Simple Network Management -snmptrap,162,udp,SNMP Trap -ssh,22,tcp&udp,SSH -telnet,23,tcp&udp,Telnet -tftp,69,tcp&udp,Trivial File Transfer -time,37,tcp&udp,Time -wins,1512,tcp&udp,Windows Internet Name Service diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl deleted file mode 100644 index 1208567dd..000000000 --- a/config/outgoingfw/outgoingfw.pl +++ /dev/null 
@@ -1,286 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - - -use strict; -# enable only the following on debugging purpose -#use warnings; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); -my $CMD = ""; -my $P2PSTRING = ""; - -my $DEBUG = 0; - -my $configfile = "/var/ipfire/outgoing/rules"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; 
-$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; - -my @SOURCE = ""; -my $SOURCE = ""; -my $DESTINATION = ""; -my @PROTO = ""; -my $PROTO = ""; -my $DPORT = ""; -my $DEV = ""; -my $MAC = ""; -my $DO = ""; -my $DAY = ""; - -# read files -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`; -$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`; - -open( FILE, "< $configfile" ) or die "Unable to read $configfile"; -@configs = ; -close FILE; - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $outfwsettings{'STATE'} = "ALLOW"; - $DO = "RETURN"; -} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $outfwsettings{'STATE'} = "DENY"; - $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '"; -} - -### Initialize IPTables -system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1"); - -system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1"); - -if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { - &firewall_local_reload(); - exit 0 -} - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { 
system("$CMD"); } -} - -foreach $configentry (sort @configs) -{ - @SOURCE = ""; - $DESTINATION = ""; - $PROTO = ""; - $DPORT = ""; - $DEV = ""; - $MAC = ""; - @configline = split( /\;/, $configentry ); - - if ($outfwsettings{'STATE'} eq $configline[0]) { - if ($configline[2] eq 'green') { - @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); - $DEV = $netsettings{'GREEN_DEV'}; - } elsif ($configline[2] eq 'red') { - @SOURCE = ("$netsettings{'RED_IP'}"); - $DEV = ""; - } elsif ($configline[2] eq 'blue') { - @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); - $DEV = $netsettings{'BLUE_DEV'}; - } elsif ($configline[2] eq 'orange') { - @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); - $DEV = $netsettings{'ORANGE_DEV'}; - } elsif ($configline[2] eq 'ipsec') { - @SOURCE = ""; - $DEV = "ipsec+"; - } elsif ($configline[2] eq 'ovpn') { - @SOURCE = ""; - $DEV = "tun+"; - } elsif ($configline[2] eq 'ip') { - @SOURCE = ("$configline[5]"); - $DEV = ""; - } elsif ($configline[2] eq 'mac') { - @SOURCE = ("$configline[6]"); - $DEV = ""; - } elsif ($configline[2] eq 'all') { - @SOURCE = ("0/0"); - $DEV = ""; - } else { - if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; - } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`; - $configline[2] = "mac"; - } - $DEV = ""; - } - - if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } - - if ($configline[3] eq 'tcp') { - @PROTO = ("tcp"); - } elsif ($configline[3] eq 'udp') { - @PROTO = ("udp"); - } elsif ($configline[3] eq 'esp') { - @PROTO = ("esp"); - } elsif ($configline[3] eq 'gre') { - @PROTO = ("gre"); - } else { - @PROTO = ("tcp","udp"); - } - - my $macrule = 0; - foreach $PROTO (@PROTO){ - foreach $SOURCE (@SOURCE) { - $SOURCE =~ s/\s//gi; 
- - if ( $SOURCE eq "" || $configline[1] eq "" ){next;} - - if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){ - $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; - $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; - $macrule = 1; - } else { - $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO"; - } - - if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { - $DPORT = "$configline[8]"; - $CMD = "$CMD -m multiport --destination-port $DPORT"; - } - - if ($DEV) { - $CMD = "$CMD -i $DEV"; - } - - if ($configline[17] && $configline[18]) { - $DAY = ""; - if ($configline[10]){$DAY = "Mon,"} - if ($configline[11]){$DAY .= "Tue,"} - if ($configline[12]){$DAY .= "Wed,"} - if ($configline[13]){$DAY .= "Thu,"} - if ($configline[14]){$DAY .= "Fri,"} - if ($configline[15]){$DAY .= "Sat,"} - if ($configline[16]){$DAY .= "Sun"} - $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; - } - - $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - - if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule); - } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule); - } - - applyrule("$CMD -j $DO", $macrule); - } - } - } -} - -### Do the P2P-Stuff here -open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; -@p2ps = ; -close FILE; - -$CMD = "-m ipp2p"; - -foreach $p2pentry (sort @p2ps) { - @p2pline = split( /\;/, $p2pentry ); - if ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $DO = "DROP"; - if ("$p2pline[2]" eq "off") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } else { - $DO = "RETURN"; - if ("$p2pline[2]" eq "on") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } -} -if ($P2PSTRING) { - applyrule("$CMD $P2PSTRING -j $DO", 0); -} - -if ( 
$outfwsettings{'POLICY'} eq 'MODE1' ) { - if ( $outfwsettings{'MODE1LOG'} eq 'on' ) { - applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0); - } - - applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0); -} - -&firewall_local_reload(); - -sub applyrule($$) { - my $cmd = shift; - my $macrule = shift; - - system("/sbin/iptables -A OUTGOINGFWMAC $cmd"); - if ($macrule == 0) { - system("/sbin/iptables -A OUTGOINGFW $cmd"); - } -} - -sub firewall_local_reload() { - my $script = "/etc/sysconfig/firewall.local"; - - if ( -x $script ) { - system("$script reload >/dev/null 2>&1"); - } -} diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 7a23b8c61..d4c7390f2 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -120,7 +120,7 @@ var/ipfire/optionsfw var/ipfire/outgoing #var/ipfire/outgoing/bin #var/ipfire/outgoing/bin/outgoingfw.pl -var/ipfire/outgoing/defaultservices +#var/ipfire/outgoing/defaultservices #var/ipfire/outgoing/groups #var/ipfire/outgoing/groups/ipgroups #var/ipfire/outgoing/groups/macgroups diff --git a/lfs/configroot b/lfs/configroot index 5280d8c28..6327c1274 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -53,7 +53,7 @@ $(TARGET) : for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \ - net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \ + net-traffic/templates nfs optionsfw outgoing/bin \ outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ 
@@ -65,9 +65,9 @@ $(TARGET) : for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \ - forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ - isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \ + extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \ + fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ + isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ 
@@ -93,8 +93,6 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols - cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ - cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings @@ -118,14 +116,8 @@ $(TARGET) : echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings - # Set outgoingfw.pl executable - chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl - # set rules.pl executable chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl - - - # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ @@ -142,7 +134,7 @@ $(TARGET) : # Language files cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/ - + # Configroot permissions chown -R nobody:nobody $(CONFIG_ROOT) chown root:root $(CONFIG_ROOT) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 467d1b9ab..4287d33f1 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -195,14 +195,14 @@ case "$1" in # Outgoing Firewall /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - # Forward Firewall - /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW - - # Input Firewall - /sbin/iptables -N INPUTFW - /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW - + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW + # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 306773fb6..c3f3b6c2f 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -28,7 +28,7 @@ SUID_PROGS = setportfw \ squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl outgoingfwctrl forwardfwctrl \ + logwatch openvpnctrl forwardfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
@@ -86,13 +86,10 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/outgoingfwctrl.c b/src/misc-progs/forwardfwctrl.c similarity index 75% rename from src/misc-progs/outgoingfwctrl.c rename to src/misc-progs/forwardfwctrl.c index 2d993d940..a02b462ba 100644 --- a/src/misc-progs/outgoingfwctrl.c +++ b/src/misc-progs/forwardfwctrl.c @@ -18,7 +18,10 @@ int main(int argc, char *argv[]) { if (!(initsetuid())) exit(1); - safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl"); - safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl"); + if(argc > 1) + safe_system("/var/ipfire/forward/bin/rules.pl flush"); + else + safe_system("/var/ipfire/forward/bin/rules.pl"); + return 0; } From c04f132d4947c6fbd41f9c18bc6590bd647e1786 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 12:00:09 +0100 Subject: [PATCH 007/306] Forward Firewall: removed outgoingfwctrl from /config/rootfiles/misc-progs --- config/rootfiles/common/misc-progs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index d2d2a5de2..5102d8931 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs 
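Review bot: `if(argc > 1)` in forwardfwctrl.c selects the flush path for any argument at all, so a mistyped or unexpected argument silently flushes the forward rules instead of failing; this binary is listed under SUID_PROGS in the Makefile hunk above, which makes an explicit contract worth having. Compare the argument instead, `if (argc > 1 && strcmp(argv[1], "flush") == 0)`, and treat any other argument as a usage error that exits non-zero rather than falling through to the rebuild. `strcmp` needs `<string.h>`; the include list is outside this hunk, so check whether it is already present. main() starts before the hunk.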
@@ -15,7 +15,7 @@ usr/local/bin/launch-ether-wake usr/local/bin/logwatch #usr/local/bin/mpfirectrl usr/local/bin/openvpnctrl -usr/local/bin/outgoingfwctrl +#usr/local/bin/outgoingfwctrl usr/local/bin/forwardfwctrl usr/local/bin/pakfire usr/local/bin/qosctrl From adf41e6f3733955207801ef06665272aaddefd90 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 12:17:06 +0100 Subject: [PATCH 008/306] Forward Firewall: removed outgoingfw.cgi from /config/rootfiles/core/66/filelists/files --- config/rootfiles/oldcore/66/filelists/files | 1 - 1 file changed, 1 deletion(-) diff --git a/config/rootfiles/oldcore/66/filelists/files b/config/rootfiles/oldcore/66/filelists/files index 9d0006f53..821263e05 100644 --- a/config/rootfiles/oldcore/66/filelists/files +++ b/config/rootfiles/oldcore/66/filelists/files @@ -48,6 +48,5 @@ var/ipfire/backup/bin/backup.pl var/ipfire/backup/include var/ipfire/general-functions.pl var/ipfire/langs -var/ipfire/outgoing/bin/outgoingfw.pl var/ipfire/qos/bin/makeqosscripts.pl var/ipfire/updatexlrator/bin/download From 9bdb6b504536142e57acf9d967dc29aea47f09cf Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 12:26:44 +0100 Subject: [PATCH 009/306] Forward Firewall: Deleted outgoingfw.cgi,outgoinggroups.cgi and xtaccess.cgi from /config/rootfils7common/apache2 --- config/rootfiles/common/apache2 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 9be3581cb..5d5195fba 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1393,6 +1393,8 @@ srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi +srv/web/ipfire/cgi-bin/forwardfw.cgi +srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/gui.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi srv/web/ipfire/cgi-bin/hosts.cgi 
@@ -1408,8 +1410,8 @@ srv/web/ipfire/cgi-bin/modem.cgi srv/web/ipfire/cgi-bin/netexternal.cgi srv/web/ipfire/cgi-bin/netinternal.cgi srv/web/ipfire/cgi-bin/netother.cgi -srv/web/ipfire/cgi-bin/outgoingfw.cgi -srv/web/ipfire/cgi-bin/outgoinggrp.cgi +#srv/web/ipfire/cgi-bin/outgoingfw.cgi +#srv/web/ipfire/cgi-bin/outgoinggrp.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pakfire.cgi @@ -1432,6 +1434,6 @@ srv/web/ipfire/cgi-bin/wakeonlan.cgi srv/web/ipfire/cgi-bin/webaccess.cgi srv/web/ipfire/cgi-bin/wireless.cgi srv/web/ipfire/cgi-bin/wirelessclient.cgi -srv/web/ipfire/cgi-bin/xtaccess.cgi +#srv/web/ipfire/cgi-bin/xtaccess.cgi srv/web/ipfire/html var/updatecache From e534554162a34ae47d135f3df251caac14502628 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 13:29:35 +0100 Subject: [PATCH 010/306] Forward Firewall: Fixed Bug: When deleting a rule, only the last entry in the list is deleted --- html/cgi-bin/forwardfw.cgi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 1f5ea0044..caaba2168 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -512,6 +512,7 @@ sub deleterule my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); foreach my $key (sort keys %delhash){ + if ($key eq $fwdfwsettings{'key'}){ #check hosts/net and groups &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); @@ -521,11 +522,10 @@ sub deleterule &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); } } - if ($key ge $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $delhash{$next}) { - foreach my $i (0 .. $#{$configfwdfw{$next}}) { + foreach my $i (0 .. $#{$delhash{$next}}) { $delhash{$key}[$i] = $delhash{$next}[$i]; } } @@ -537,6 +537,7 @@ sub deleterule &General::writehasharray($fwdfwsettings{'config'}, \%delhash); &rules; + if($fwdfwsettings{'nobase'} ne 'on'){ &base; } 
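Review bot: The shift-down loop in deleterule still iterates `sort keys %delhash` without a comparator, and since the keys are numeric rule ids (`my $next = $key + 1`) the visiting order is lexical — "10" comes before "2" — so which entry gets copied from `$next` depends on that order once there are ten or more rules. Use `foreach my $key (sort { $a <=> $b } keys %delhash)` so the ripple runs in id order. The added `if ($key eq $fwdfwsettings{'key'}){` appears to enclose both the counter updates and the copy from `$next`, so only the deleted slot receives its successor and the remaining slots are presumably renumbered elsewhere; worth confirming, since deleterule's body starts before and ends after these hunks.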
From 6be0579b189df15a1e6775462c0945c41043801b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 3 Jan 2013 17:30:11 +0100 Subject: [PATCH 011/306] Forward Firewall: replaced Outgoing-Logging with ForwardFW Logging. And changed Options in optionsfw.cgi from outgoing to forward --- html/cgi-bin/optionsfw.cgi | 12 ++++++------ src/initscripts/init.d/firewall | 13 ++++++++++++- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 189395726..66ebb1caa 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -30,7 +30,7 @@ our %settings=(); $settings{'DISABLEPING'} = 'NO'; $settings{'DROPNEWNOTSYN'} = 'on'; $settings{'DROPINPUT'} = 'on'; -$settings{'DROPOUTPUT'} = 'on'; +$settings{'DROPFORWARD'} = 'on'; $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; @@ -66,9 +66,9 @@ $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'"; $checked{'DROPINPUT'}{'off'} = ''; $checked{'DROPINPUT'}{'on'} = ''; $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; -$checked{'DROPOUTPUT'}{'off'} = ''; -$checked{'DROPOUTPUT'}{'on'} = ''; -$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'"; +$checked{'DROPFORWARD'}{'off'} = ''; +$checked{'DROPFORWARD'}{'on'} = ''; +$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; @@ -96,8 +96,8 @@ print < off
$Lang::tr{'drop input'}on / off
$Lang::tr{'drop output'}on / - off
$Lang::tr{'drop forward'}on / + off
$Lang::tr{'drop portscan'}on / off
$Lang::tr{'drop wirelessinput'}on / diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 4287d33f1..f4cc2afa8 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -287,6 +287,13 @@ case "$1" in /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" + + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " + fi + /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW" + + ;; startovpn) # run openvpn @@ -323,7 +330,11 @@ case "$1" in /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " + fi + /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW" + ;; stopovpn) # stop openvpn /usr/local/bin/openvpnctrl --delete-chains-and-rules From 74e7001436c27096cd035452bd051a88795ef04f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 4 Jan 2013 05:37:19 +0100 Subject: [PATCH 012/306] Forward Firewall: Replaced 'drop output' with 'drop forward' in languagefiles. This is for the loggingoption in the firewall options. --- langs/de/cgi-bin/de.pl | 8 ++++---- langs/en/cgi-bin/en.pl | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d31d3c7d1..f62d4927e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
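Review bot: The DROPFORWARD log-and-drop block is pasted verbatim into two case branches of the firewall script, and in the first hunk it is followed by two stray blank lines before `;;`; a small function called from both branches would keep the two paths from drifting apart, which is easy once the same four lines live in two places. The block is appended after the existing unconditional `FORWARD -j DROP`, so a DROP_FORWARDFW log line can only appear for packets that reach the FORWARDFW chain through a jump placed earlier in FORWARD; that jump is not visible in this hunk, so it is worth confirming it exists in both branches.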
@@ -749,10 +749,10 @@ 'driver' => 'Treiber', 'drop input' => 'Verworfene Input-Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop output' => 'Verworfene Output-Pakete loggen', -'drop portscan' => 'Verworfene Portscan-Pakete loggen', -'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind', -'drop samba' => 'Alle Microsoft-Pakete verwerfen, Ports 135,137,138,139,445,1025', +'drop forward' => 'Verworfene Forward Pakete loggen', +'drop portscan' => 'Verworfene Portscan Pakete loggen', +'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', +'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Verworfene Wireless Forward Pakete loggen', 'drop wirelessinput' => 'Verworfene Wireless Input Pakete loggen', 'dst port' => 'Ziel-Port', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 6175c2b40..3c9b7c0f1 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,10 +771,10 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', -'drop input' => 'Log dropped input packets', -'drop newnotsyn' => 'Log dropped new not syn packets', -'drop output' => 'Log dropped output packets', -'drop portscan' => 'Log dropped portscan packets', +'drop input' => 'Log dropped input pakets', +'drop newnotsyn' => 'Log dropped new not syn pakets', +'drop forward' => 'Log dropped forward pakets', +'drop portscan' => 'Log dropped portscan pakets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Log dropped wireless forward packets', From 7f5b2820698c2249b3d8496ec80315be86617f0a Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Fri, 4 Jan 2013 07:55:24 +0100 Subject: [PATCH 013/306] Forward Firewall: Changed Buttons and Layout of fwhosts.cgi --- html/cgi-bin/fwhosts.cgi | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index e82aca576..236e0b47c 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1012,11 +1012,11 @@ sub addnet END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') { - print ""; + print ""; }else{ - print ""; + print ""; } - print "
"; + print "
"; &Header::closebox(); } sub addhost @@ -1040,11 +1040,11 @@ END if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') { - print " "; + print " "; }else{ - print " "; + print " "; } - print "
"; + print "
"; &Header::closebox(); } sub addgrp @@ -1063,13 +1063,13 @@ sub addgrp if ($fwhostsettings{'update'} eq ''){ print<
- $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:
END }else{ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:
END @@ -1215,7 +1215,7 @@ END if ($fwhostsettings{'updatesrv'} eq 'on') { print< + @@ -1223,10 +1223,10 @@ END END }else{ - print""; + print""; } print< +
@@ -1258,10 +1258,8 @@ END END } if($fwhostsettings{'updatesrvgrp'} eq 'on'){ - - print< + +
$Lang::tr{'fwhost cust service'}
+
END From 92788c464b2129302c4fa8b1b3dfec2f329bafdd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 4 Jan 2013 09:44:42 +0100 Subject: [PATCH 014/306] Forward Firewall: deleted /var/ipfire/outgoing from backup --- config/backup/include | 7 ------- 1 file changed, 7 deletions(-) diff --git a/config/backup/include b/config/backup/include index 232ac4897..baff1cd92 100644 --- a/config/backup/include +++ b/config/backup/include @@ -18,13 +18,6 @@ /var/ipfire/forward/* /var/ipfire/fwhosts/* /var/ipfire/main/* -/var/ipfire/outgoing/groups -/var/ipfire/outgoing/macgroups -/var/ipfire/outgoing/rules -/var/ipfire/outgoing/p2protocols -/var/ipfire/dmzholes -/var/ipfire/xtaccess -/var/ipfire/portfw /var/ipfire/ovpn /var/ipfire/ppp /var/ipfire/proxy From 3d016366b8c38ed77038f4c1178d8b7afa466115 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 4 Jan 2013 13:25:06 +0100 Subject: [PATCH 015/306] Forward Firewall: changed languagefiles for loggingoptions in optionsfw.cgi --- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f62d4927e..7fe166465 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -749,7 +749,7 @@ 'driver' => 'Treiber', 'drop input' => 'Verworfene Input-Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop forward' => 'Verworfene Forward Pakete loggen', +'drop forward' => 'Verworfene Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3c9b7c0f1..c33f97247 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -773,7 +773,7 @@ 'driver' => 'Driver', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', -'drop forward' => 'Log dropped forward pakets', +'drop forward' => 'Log dropped firewall pakets', 'drop portscan' => 'Log dropped portscan pakets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', From c0ec19967e4dc75b6e719177af6e258a7b4fd858 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 6 Jan 2013 20:43:23 +0100 Subject: [PATCH 016/306] Forward Firewall: fixed default entries in /var/ipfire/optionsfw/settings. --- lfs/configroot | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lfs/configroot b/lfs/configroot index 6327c1274..62946f278 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -111,9 +111,7 @@ $(TARGET) : echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings # set rules.pl executable From fd10a52ca2860678368d162ce6b52b8c1cf25d0e Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Tue, 8 Jan 2013 11:20:39 +0100 Subject: [PATCH 017/306] Forward firewall: commented out line in init.d/firewall that all Forward traffic from green is allowed and put it in rules.pl. Now rules.pl allows this traffic when firewall is set to Mode0 or Mode2 --- config/forwardfw/firewall-lib.pl | 0 config/forwardfw/rules.pl | 6 ++++-- config/fwhosts/icmp-types | 0 src/initscripts/init.d/firewall | 24 +++++++++--------------- 4 files changed, 13 insertions(+), 17 deletions(-) mode change 100644 => 100755 config/forwardfw/firewall-lib.pl mode change 100644 => 100755 config/fwhosts/icmp-types diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl old mode 100644 new mode 100755 diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 8c9e2ba52..960951fc0 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -88,9 +88,11 @@ if($param eq 'flush'){ &preparerules; if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - system ("iptables -A $CHAIN -j DROP"); + #system ("iptables -A $CHAIN -j DROP"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - system ("iptables -A $CHAIN -j ACCEPT"); + #system ("iptables -A $CHAIN -j ACCEPT"); + }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){ + system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); } } } diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types old mode 100644 new mode 100755 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index f4cc2afa8..c1daa59b5 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
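Review bot: The new `elsif` branch for `'MODE0' || 'MODE2'` can never be reached for MODE2, because the preceding `elsif($fwdfwsettings{'POLICY'} eq 'MODE2')` branch — now containing only a commented-out line — matches first; contrary to the commit message, MODE2 therefore appends no `--state NEW -j ACCEPT` rule to `$CHAIN`. Either delete the now-empty MODE2 branch or move the combined test ahead of it. Commenting out the MODE1 `-j DROP` also leaves MODE1 appending nothing here, so the chain's behaviour in that mode now depends entirely on whatever follows in `$CHAIN`; the later rewrite of this block in commit 019 keeps the same branch order, so the MODE2 shadowing survives it.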
@@ -211,7 +211,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange @@ -283,18 +283,12 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi - /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW" + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - - ;; + ;; startovpn) # run openvpn /usr/local/bin/openvpnctrl --create-chains-and-rules 
@@ -326,14 +320,14 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" + #if [ "$DROPOUTPUT" == "on" ]; then + # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + #fi + #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " fi - /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW" + /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper" ;; stopovpn) # stop openvpn From af8bc0d0a8c6a93277d9bfb6ef959f2cc8005b7d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 9 Jan 2013 09:08:12 +0100 Subject: [PATCH 018/306] Forward Firewall: added a customservices file with default values --- config/fwhosts/customservices | 22 ++++++++++++++++++++++ lfs/configroot | 3 ++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 config/fwhosts/customservices diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices new file mode 100644 index 000000000..d115f9756 --- /dev/null +++ b/config/fwhosts/customservices 
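Review bot: The two case branches of this file now diverge: the first hunk (`@@ -283`) moves the DROPFORWARD log and drop onto the FORWARD chain with prefix `DROP_FORWARD `, while this hunk keeps them on FORWARDFW and changes the rule comment to `DROP_FORWARDFW-oberdropper`, which reads like a debugging marker that should not ship, and it leaves the retired DROPOUTPUT block as commented-out code where the first hunk deletes it. Whichever chain is intended, both branches should run the same lines, ideally from one shared function, and the comment should go back to `"DROP_FORWARDFW"`. The two hunks also log the same event under two different prefixes (`DROP_FORWARD ` vs `DROP_FORWARDFW `), so anything matching on the prefix will see only one of them depending on which branch ran.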
@@ -0,0 +1,22 @@ +11,NTP,123,UDP,BLANK,0 +21,IMAPS,993,TCP,BLANK,0 +7,WINS,42,TCP,BLANK,0 +2,FTP-control,21,TCP,BLANK,0 +17,IRC,194,TCP,BLANK,0 +22,POP3S,995,TCP,BLANK,0 +1,FTP-data,20,TCP,BLANK,0 +18,HTTPS,443,TCP,BLANK,0 +16,SNMP,161,UDP,BLANK,0 +13,NetBIOS Datagramservice,138,TCP,BLANK,0 +6,TIME,37,TCP,BLANK,0 +3,SSH,22,TCP,BLANK,0 +9,POP3,110,TCP,BLANK,0 +12,NetBIOS nameservice,137,TCP,BLANK,0 +20,FTPS control,990,TCP,BLANK,0 +15,IMAP,143,TCP,BLANK,0 +14,NetBIOS Sessionservice,139,TCP,BLANK,0 +8,HTTP,80,TCP,BLANK,0 +4,TELNET,23,UDP,BLANK,0 +10,SFTP,115,TCP,BLANK,0 +19,FTPS data,989,TCP,BLANK,0 +5,SMTP,25,TCP,BLANK,0 diff --git a/lfs/configroot b/lfs/configroot index 62946f278..704c69007 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -66,7 +66,7 @@ $(TARGET) : certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \ - fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ + fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ 
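Review bot: Several of the shipped default services carry a protocol that does not match the service: `4,TELNET,23,UDP,BLANK,0` (telnet is a TCP service), and `12,NetBIOS nameservice,137,TCP` and `13,NetBIOS Datagramservice,138,TCP` (both are UDP in practice). Rules built from these entries will not match the intended traffic, so a user who restricts "TELNET" with this definition has only covered UDP/23. Suggest `4,TELNET,23,TCP,BLANK,0`, `12,NetBIOS nameservice,137,UDP,BLANK,0` and `13,NetBIOS Datagramservice,138,UDP,BLANK,0`; the file is also written in shuffled id order, so sorting it by the first column would make future review of these defaults easier.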
@@ -104,6 +104,7 @@ $(TARGET) : cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types + cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings From 62fc8511664c6646d706aa42927bac53ac6a5b5f Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Wed, 9 Jan 2013 10:22:32 +0100 Subject: [PATCH 019/306] Forward Firewall: fixed 12 Bugs from forum. 1) Added more possible chars in remark: : / . 2) Added "Internet" to std networks to be able to define internetaccess 3) When renaming a custom address, the firewallrules get updated 4) Ports are now ignored when using GRE as Protocol 5) When saving a customservice, the cursor is now in first textfield 6) Added a customservices file to installation with predefined services 7) Added ESP as protocol 8) Fixed counterproblem 9) Dropdownboxes for customservices and groups now sorted 10) Firewallrules now sorted in right order 11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed 12) When defining an external access rule, the last forwardrule was deleted --- config/forwardfw/firewall-forward-policy | 24 + config/forwardfw/firewall-lib.pl | 2 + config/forwardfw/rules.pl | 22 +- config/rootfiles/common/apache2 | 2 +- config/rootfiles/common/stage2 | 1 + html/cgi-bin/dmzholes.cgi | 446 ------------ html/cgi-bin/forwardfw.cgi | 243 +++---- html/cgi-bin/fwhosts.cgi | 56 +- html/cgi-bin/optionsfw.cgi | 27 +- html/cgi-bin/outgoingfw.cgi | 849 ----------------------- langs/de/cgi-bin/de.pl | 8 +- langs/en/cgi-bin/en.pl | 4 +- lfs/configroot | 1 + src/initscripts/init.d/firewall | 27 +- 14 files changed, 224 insertions(+), 1488 deletions(-) create mode 100755 config/forwardfw/firewall-forward-policy delete mode 100644 html/cgi-bin/dmzholes.cgi delete mode 100644 html/cgi-bin/outgoingfw.cgi diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy new file mode 100755 index 000000000..aec71e29b --- /dev/null +++ b/config/forwardfw/firewall-forward-policy 
@@ -0,0 +1,24 @@ +#!/bin/sh + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICY + +if [ "$POLICY" == "MODE1" ]; then + + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT" + fi +fi + + diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index 24b990c77..44c0079b7 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -215,6 +215,8 @@ sub get_std_net_ip return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; }elsif($val eq 'BLUE'){ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + }elsif($val eq 'RED'){ + return "0.0.0.0/0 -o red0"; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 960951fc0..953aad0bc 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
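Review bot: The script is declared `#!/bin/sh` but every test uses `==` (`if [ "$POLICY" == "MODE1" ]; then`), which is a bash extension; under a POSIX `/bin/sh` such as dash the test errors out and no policy rule is appended, leaving the chain in whatever state `iptables -F POLICY` produced. Use the single `=` form on all five tests, or make the shebang `#!/bin/bash` to match the init script. The rule comments on both the REJECT and the DROP line still say `"DROP_OUTPUT"` and should name this policy, and both `--log-prefix` values lack the trailing space the init script uses, so the prefix runs straight into the first packet field in the log line. Since the script evals the output of readhash on two settings files, whatever those files contain is executed as shell, which keeps the CGI-side validation of those settings security-relevant.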
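Review bot: get_std_net_ip now returns `"0.0.0.0/0 -o red0"` for RED, an address with an iptables output-interface option appended, while every other branch returns a bare network; a caller that uses the result as a source (`-s`) gets `-o red0`, which is wrong for source matching (`-i` would be needed there), and a caller that quotes the value gets an unparsable address. Keep the function returning addresses only and let the caller add the interface match, or return the interface as a separate value. The device name is also hard-coded; if the red interface can be something other than red0 in some configurations, it should come from the network settings this file already reads. The sub starts before this hunk.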
@@ -88,10 +88,11 @@ if($param eq 'flush'){ &preparerules; if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - #system ("iptables -A $CHAIN -j DROP"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - #system ("iptables -A $CHAIN -j ACCEPT"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){ + system ("/usr/sbin/firewall-forward-policy"); system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); } } @@ -113,9 +114,7 @@ sub preparerules } sub buildrules { - my $hash=shift; - foreach my $key (sort keys %$hash){ if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -163,7 +162,7 @@ sub buildrules if ($DPROT eq ''){$DPROT=' ';} @DPROT=split(",",$DPROT); - + #get time if defined if($$hash{$key}[18] eq 'ON'){ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} @@ -178,7 +177,7 @@ sub buildrules $TIMETILL="--timestop $$hash{$key}[27] "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } - + if ($MODE eq '1'){ print "NR:$key "; foreach my $i (0 .. $#{$$hash{$key}}){ @@ -187,7 +186,7 @@ sub buildrules print "\n"; print"##################################\n"; #print rules to console - + foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} @@ -206,7 +205,7 @@ sub buildrules } print"\n"; } - + }elsif($MODE eq '0'){ foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); 
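Review bot: In the `sub buildrules` hunk the line `my $hash=shift;` is removed while the body still dereferences `%$hash` and `$$hash{$key}`; unless `$hash` is now declared at file scope outside these hunks this fails under `use strict`, and if it is file-scoped, the argument callers pass to `&buildrules` is silently ignored. In the same loop `sort keys %$hash` orders the rule ids lexically (they look numeric, compare `$key + 1` in forwardfw.cgi's deleterule), so with ten or more rules rule 10 is appended to iptables before rule 2, and because first match wins the effective policy differs from the order shown in the GUI; `sort { $a <=> $b } keys %$hash` fixes this and seems to be what item 10 of the commit message intends. The first hunk also keeps the MODE2 branch ahead of the `'MODE0' || 'MODE2'` test, so MODE2 runs `firewall-forward-policy` but never gets the `--state NEW -j ACCEPT` rule. buildrules continues past these hunks.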
@@ -302,11 +301,12 @@ sub get_port if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ return "--sport $$hash{$key}[10] "; - }elsif($$hash{$key}[9] ne ''){ + }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ return "--dport $$hash{$key}[15] "; @@ -330,8 +330,6 @@ sub get_port elsif($prot eq 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); } - - } } } diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 5d5195fba..d57390443 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1390,7 +1390,7 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dmzholes.cgi +#srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi srv/web/ipfire/cgi-bin/forwardfw.cgi diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 1e91b3743..4755f07f0 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,6 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert +usr/sbin/firewall-forward-policy #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi deleted file mode 100644 index 5c16f004c..000000000 --- a/html/cgi-bin/dmzholes.cgi +++ /dev/null 
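Review bot: The new `All ICMP-Types` branch ends in a bare `return;`, which yields undef in the scalar assignment `$DPORT = &get_port(...)` seen in buildrules, whereas every other branch returns a string; interpolating that undef into the iptables command raises an uninitialized-value warning and the outcome depends on how the caller tests `$DPORT`. Returning `''` keeps the return type consistent. The remaining hunks only remove blank lines. get_port starts before this hunk and its callers are outside it.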
@@ -1,446 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} ); -undef (@dummy); - -my %cgiparams=(); -my %checked=(); -my %selected=(); -my %netsettings=(); -my $errormessage = ''; -my $filename = "${General::swroot}/dmzholes/config"; - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'REMARK'} = ''; -$cgiparams{'ACTION'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'DEST_IP'} =''; -$cgiparams{'DEST_PORT'} = ''; -&Header::getcgihash(\%cgiparams); - -open(FILE, $filename) or die 'Unable to open config file.'; -my @current = ; -close(FILE); - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - 
unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; } - unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; } - unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');} - unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - unless ($errormessage) { - $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - unless ($errormessage) - { - if($cgiparams{'EDITING'} eq 'no') { - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { - open(FILE,">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { print FILE "$line"; } - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'dmz pinhole rule added'}); - system('/usr/local/bin/setdmzholes'); - } -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config 
file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); - &General::log($Lang::tr{'dmz pinhole rule removed'}); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - else - { - chomp($line); - my @temp = split(/\,/,$line); - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n"; - } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'ID'} eq $id) - { - chomp($line); - my @temp = split(/\,/,$line); - $cgiparams{'PROTOCOL'} = $temp[0]; - $cgiparams{'SRC_IP'} = $temp[1]; - $cgiparams{'DEST_IP'} = $temp[2]; - $cgiparams{'DEST_PORT'} = $temp[3]; - $cgiparams{'ENABLED'} = $temp[4]; - $cgiparams{'SRC_NET'} = $temp[5]; - $cgiparams{'DEST_NET'} = $temp[6]; - $cgiparams{'REMARK'} = $temp[7]; - } - } -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_NET'} = 'orange'; - $cgiparams{'DEST_NET'} = 'blue'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_NET'}{'orange'} = ''; -$selected{'SRC_NET'}{'blue'} = ''; -$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'"; - -$selected{'DEST_NET'}{'blue'} = ''; -$selected{'DEST_NET'}{'green'} = ''; -$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - 
-&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -my $buttonText = $Lang::tr{'add'}; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); - $buttonText = $Lang::tr{'update'}; -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} -print < - - - - - - $Lang::tr{'source net'}: - - - - - -   - - $Lang::tr{'destination net'}: - - - - - $Lang::tr{'destination ip or net'}: - - - - - $Lang::tr{'destination port'}:  - - - - - - - - - - - - - -
- $Lang::tr{'remark title'} * - -
- *  - $Lang::tr{'this field may be blank'} - $Lang::tr{'enabled'} - - -
-END -; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - print "\n"; -} else { - print "\n"; -} -&Header::closebox(); -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'net'} -$Lang::tr{'source'} -  -$Lang::tr{'net'} -$Lang::tr{'destination'} -$Lang::tr{'remark'} -  -$Lang::tr{'action'} -END -; - -# Achim Weber: if i add a new rule, this rule is not displayed?!? -# we re-read always config. -# If something has happeened re-read config -#if($cgiparams{'ACTION'} ne '') -#{ - open(FILE, $filename) or die 'Unable to open config file.'; - @current = ; - close(FILE); -#} -my $id = 0; -foreach my $line (@current) -{ - my $protocol=''; - my $gif=''; - my $toggle=''; - my $gdesc=''; - $id++; - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' } - - my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange}; - my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen}; - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { - print "\n"; } - elsif ($id % 2) { - print "\n"; } - else { - print "\n"; } - if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - my $dstprt =$temp[3]; - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[0]))); - if ($servi ne '' && $temp[3] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - # Darren Critchley - If the line is too long, wrap the port numbers - my $dstaddr = "$temp[2] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[2] :
$dstprt"; - } -print <$protocol - -$temp[1] - - -$dstaddr -$temp[7] - - -
- - - - -
- - - -
- - - -
- - - -
- - - -
- - - -END - ; -} -print "\n"; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'click to enable'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -sub validNet -{ - my $srcNet = $_[0]; - my $destNet = $_[1]; - - if ($srcNet eq $destNet) { - return $Lang::tr{'dmzpinholes for same net not necessary'}; } - unless ($srcNet =~ /^(blue|orange)$/) { - return $Lang::tr{'select source net'}; } - unless ($destNet =~ /^(blue|green)$/) { - return $Lang::tr{'select dest net'}; } - - return ''; -} - -sub haveOrangeNet -{ - if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} - -sub haveBlueNet -{ - if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index caaba2168..6aadb996b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -112,54 +112,50 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} - + #check if we change an forward rule to an external access - if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){ + if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configfwdfw; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - + #check if we change an external access rule to an forward - if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){ + if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'chain'} = 'INPUTFW'; #check if we have an identical rule already foreach my $key (sort keys %configinputfw){ if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } + eq 
"$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } } - - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - if ($fwdfwsettings{'nobase'} eq 'on'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - + + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + 
&checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + &saverule(\%configinputfw,$configinput); - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -181,9 +177,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
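Review bot: In the new forward→external-access move block, `&checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}})` increments the source object's reference counter, and the unconditional `&checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},…)` further down the INPUT part increments the same object again, so after a move the new grp1 object is counted twice (and the old one is decremented here on top of whatever `deleterule`, whose counter handling is not in this hunk, already did). Either drop the grp1 call from the move block or guard the later one with `if ($fwdfwsettings{'nobase'} ne 'on')`, as the grp2 call below it already is. The corrected duplicate-rule comparison against `%configinputfw` is the right fix — it used to compare input rules against `%configfwdfw`. The `saverule` action handler begins before this hunk.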
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - }else{ $fwdfwsettings{'chain'} = 'FORWARDFW'; #check if we have an identical rule already @@ -196,9 +189,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { @@ -206,14 +199,11 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - if ($fwdfwsettings{'nobase'} eq 'on'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - - &saverule(\%configfwdfw,$configfwdfw); - + #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -235,9 +225,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
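Review bot: The `if ($fwdfwsettings{'nobase'} eq 'on'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},…); }` kept in this FORWARDFW part duplicates the `&checkcounter(0,0,$fwdfwsettings{'grp3'},…)` that the new external-access→forward move block at the top of the handler already runs under the same `nobase='on'` condition, so the service counter is bumped twice on that path. The INPUT part dropped its copy of this guard in the same commit; this one should go as well. The `saverule` handler begins before this hunk.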
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - } if ($errormessage){ &newrule; @@ -245,7 +232,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &rules; &base; } - } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) { @@ -264,12 +250,10 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) $fwdfwsettings{'POLICY'}='MODE0'; system("rm ${General::swroot}/forward/config"); system("rm ${General::swroot}/forward/input"); - %fwdfwsettings = (); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } - + %fwdfwsettings = (); &reread_rules; } @@ -407,7 +391,7 @@ sub checkcounter }elsif($base1 eq 'cust_srvgrp'){ &dec_counter($configsrvgrp,\%customservicegrp,$val1); } - + if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ &inc_counter($confignet,\%customnetwork,$val2); }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ @@ -426,13 +410,12 @@ sub inc_counter my %hash=%{(shift)}; my $val=shift; my $pos; - + &General::readhasharray($config, \%hash); foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]+1; - } } &General::writehasharray($config, \%hash); 
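Review bot: With `&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings)` removed from the reset handler, nothing persists the `$fwdfwsettings{'POLICY'}='MODE0'` set at the top of the hunk — the moved `%fwdfwsettings = ();` discards it a few lines later, so the on-disk policy survives a reset unless `reread_rules` rewrites it, which this hunk does not show. If a reset is meant to return the policy to MODE0, write the settings before clearing: `&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);` ahead of `%fwdfwsettings = ();`. The `system("rm …")`/`system("touch …")` pairs could also be `unlink`/`open` instead of shelling out, though the paths are constants here. The reset handler begins before this hunk.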
@@ -449,23 +432,21 @@ sub dec_counter if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } } &General::writehasharray($config, \%hash); } sub base { - if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - + &hint; if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') { &addrule; } - + #print""; #foreach (0 .. 40){ #my $i="color".$_; @@ -494,7 +475,7 @@ sub addrule { &error; &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print ""; print "
"; print ""; @@ -505,7 +486,6 @@ sub addrule &Header::closebox(); &viewtablerule; - } sub deleterule { @@ -537,7 +517,7 @@ sub deleterule &General::writehasharray($fwdfwsettings{'config'}, \%delhash); &rules; - + if($fwdfwsettings{'nobase'} ne 'on'){ &base; } @@ -553,7 +533,6 @@ sub disable_rule } &General::writehasharray("$configfwdfw", \%configfwdfw); &rules; - } sub checksource { @@ -589,7 +568,7 @@ sub checksource $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} #check icmp source @@ -601,6 +580,12 @@ sub checksource $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; } } + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; }else{ @@ -608,7 +593,7 @@ sub checksource $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'PROT'}=''; } - + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; @@ -622,7 +607,7 @@ sub checksource if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { $fwdfwsettings{'SRC_PORT'} = "$1:65535"; } - + $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src'); } return $errormessage; @@ -630,8 +615,7 @@ sub checksource sub checktarget { my ($ip,$subnet); - - + if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { @@ -658,15 +642,15 @@ sub checktarget if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; } - + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} - + #check tgt services if ($fwdfwsettings{'USESRV'} eq 'ON'){ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ @@ -682,7 +666,7 @@ sub checktarget } } if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ - if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){ + if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; @@ -697,19 +681,25 @@ sub checktarget } $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination'); } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'} = ''; + }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){ + $fwdfwsettings{'TGT_PORT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + $fwdfwsettings{'TGT_PORT'} = ''; &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ - $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; } } } } } - + #check targetport if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; @@ -717,17 +707,12 @@ sub checktarget $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; } - - #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ $errormessage=$Lang::tr{'fwdfw err time'}; } } - - - return $errormessage; } sub checkrule 
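Review bot: The added `}elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){` tests the port field instead of the protocol, so the ESP branch can never fire; and even with `TGT_PROT` it would be unreachable because the preceding `if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE')` already claims ESP and sends it through port validation, whereas the source-side counterpart in `checksource` (`PROT eq 'ESP'`) clears the port. Change the two lines to `if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE' && $fwdfwsettings{'TGT_PROT'} ne 'ESP'){` and `}elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){`. `checktarget` begins before this hunk.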
@@ -741,17 +726,14 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err same'}; return $errormessage; } - + #get source and targetip address if possible my ($sip,$scidr,$tip,$tcidr); ($sip,$scidr)=&get_ip("src","grp1"); ($tip,$tcidr)=&get_ip("tgt","grp2"); - - - + #check same iprange in source and target if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ - my $networkip1=&General::getnetworkip($sip,$scidr); my $networkip2=&General::getnetworkip($tip,$tcidr); if ($scidr gt $tcidr){ @@ -759,20 +741,19 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err samesub'}; } }elsif($scidr eq $tcidr && $scidr eq '32'){ - my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1); - my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2); + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2); if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ $hint=$Lang::tr{'fwdfw hint ip1'}."
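Review bot: `if ($scidr gt $tcidr){` at the end of the hunk compares the two prefix lengths as strings, so `'8' gt '24'` is true and a /8 source against a /24 target takes the branch meant for a more specific source, running the subnet-containment check in the wrong direction. Use numeric comparison, `if ($scidr > $tcidr){`, and `==` where the following hunk tests `$scidr eq $tcidr`; the `ne ''` guards above already ensure both values are set. This is pre-existing but it is the line this hunk's new code flows into. `checkrule` begins before this hunk.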
"; $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } - }else{ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } } - + #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ @@ -791,7 +772,6 @@ sub checkrule } } } - } sub get_ip { @@ -842,7 +822,6 @@ sub get_ip } } } - return $a,$b; } sub newrule @@ -858,14 +837,11 @@ sub newrule &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configipsec", \%ipsecconf); &General::get_aliases(\%aliases); - - my %checked=(); my $helper; if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -884,7 +860,6 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -917,7 +892,6 @@ sub newrule $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -949,9 +923,9 @@ sub newrule $fwdfwsettings{'ACTIVE'}='ON'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; } - + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print <
@@ -962,7 +936,7 @@ END if($fwdfwsettings{'POLICY'} eq 'MODE2'){ $fwdfwsettings{'RULE_ACTION'} = 'DROP'; } - + if ($_ eq $fwdfwsettings{'RULE_ACTION'}) { print""; @@ -975,19 +949,19 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); - - + + #------SOURCE------------------------------------------------------- print< - + END - + #
$Lang::tr{'fwdfw sourceip'}

$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
- - - END - #
$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw man port'}
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})

$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}


- +
$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwdfw man port'}



- + END #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); @@ -1282,7 +1246,6 @@ END $Lang::tr{'time'}: $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'} $Lang::tr{'advproxy to'} @@ -1297,7 +1260,6 @@ END - -
-
END } @@ -1355,7 +1315,6 @@ END } sub saverule { - my $hash=shift; my $config=shift; &General::readhasharray("$config", $hash); @@ -1456,7 +1415,7 @@ sub get_name foreach my $network (sort keys %defaultNetworks) { return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); - } + } } sub validremark { @@ -1468,13 +1427,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { return 0;} return 1; } @@ -1494,7 +1453,7 @@ sub gettgtport my $key=shift; my $service; my $prot; - + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); @@ -1506,7 +1465,7 @@ sub gettgtport } } }elsif($hash{$key}[14] eq 'cust_srvgrp'){ - + $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ $service=$hash{$key}[15]; @@ -1515,7 +1474,7 @@ sub gettgtport }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ print" : ($hash{$key}[12])
$hash{$key}[13]"; } - + if ($prot ne '' || $service ne ''){ print" :"; if ($prot ne ''){ @@ -1535,7 +1494,7 @@ sub viewtablenew my $config=shift; my $title=shift; my $title1=shift; - + if ( ! -z "$config"){ &Header::openbox('100%', 'left',$title); my $count=0; @@ -1549,7 +1508,7 @@ sub viewtablenew print"$title1
"; print""; print""; - foreach my $key (sort keys %$hash){ + foreach my $key (sort {$a <=> $b} keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ @@ -1558,14 +1517,12 @@ sub viewtablenew if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[6]); } - foreach my $host (@tmpsrc){ if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ - if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; - } }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ @@ -1589,10 +1546,8 @@ sub viewtablenew $$hash{$key}[3]=''; $$hash{$key}[5]=''; } - $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; - if($coloryellow eq 'on'){ print""; $coloryellow=''; @@ -1604,7 +1559,6 @@ sub viewtablenew print""; } } - print<$key END @@ -1636,7 +1590,6 @@ END } print< -
- - - - "; } - if (exists $$hash{$key+1}){ print< @@ -1729,9 +1676,7 @@ END if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} - my $weekdays=join(",",@days); - if (@days){ print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
@@ -1662,7 +1615,6 @@ END }else{ $gif="/images/off.gif" - } print< @@ -1671,22 +1623,18 @@ END
@@ -1706,7 +1654,6 @@ END }else{ print"
$Lang::tr{'fwdfw time'} "; print"$weekdays"; @@ -1742,21 +1687,19 @@ END print"
"; &Header::closebox(); } - } sub fillselect { my %hash=%{(shift)}; my $val=shift; my $key; - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash) - { - if($hash{$key}[0] eq $val){ - print""; - }else{ - print""; - } + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + print""; + }else{ + print""; } + } } sub rules { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 236e0b47c..5a8383692 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -47,6 +47,8 @@ my %defaultNetworks=(); my %mainsettings=(); my %ownnet=(); my %ipsecsettings=(); +my %fwfwd=(); +my %fwinp=(); my $errormessage; my $hint; @@ -59,6 +61,8 @@ my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $fwconfigfwd = "${General::swroot}/forward/config"; +my $fwconfiginp = "${General::swroot}/forward/input"; unless (-e $confignet) { system("touch $confignet"); } unless (-e $confighost) { system("touch $confighost"); } @@ -116,6 +120,9 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost') } } &General::writehasharray("$confighost", \%customhost); + + + $fwhostsettings{'actualize'} = 'on'; $fwhostsettings{'ACTION'} = 'savehost'; } 
@@ -285,6 +292,28 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } } &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } } } my $key = &General::findhasharraykey (\%customnetwork); @@ -416,9 +445,29 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') } } &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } } - - } my $key = &General::findhasharraykey (\%customhost); foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";} 
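Review bot: In the `%fwinp` loop the comparison and assignment still use `$fwfwd{$line}[4]`, so a renamed host is never propagated to the input rules (`%fwinp` is written back unchanged) and every input-rule key autovivifies a stray `$fwfwd{$line}` entry; the two lines should read `if ($fwinp{$line}[4] eq $fwhostsettings{'orgname'}){` and `$fwinp{$line}[4] = $fwhostsettings{'HOSTNAME'};`. The same mistake is repeated in the savehost hunk (`@@ -416,9 +445,29 @@`), and the whole 22-line block is duplicated there verbatim, so it belongs in one helper such as `_rename_in_fwrules($old, $new)` called from both branches. `! -z $file` is also true when the file does not exist (`-z` returns undef), so the guard should be `-e $file && ! -z $file` unless readhasharray is known to tolerate a missing file. Nothing visible guards against `orgname` being empty, in which case every rule with an empty name field would be renamed; confirm the caller always sets it before this runs.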
@@ -1084,6 +1133,7 @@ END foreach my $network (sort keys %defaultNetworks) { next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP"); + next if($defaultNetworks{$network}{'NAME'} eq "RED"); print ""; @@ -1186,7 +1236,7 @@ sub addservice } print< - $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}:$Lang::tr{'fwhost prot'}:/ off +
+ + + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'} +
+
+ +
- -
END diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi deleted file mode 100644 index b417817a2..000000000 --- a/html/cgi-bin/outgoingfw.cgi +++ /dev/null 
@@ -1,849 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); - -my $configfile = "/var/ipfire/outgoing/rules"; -my $configpath = "/var/ipfire/outgoing/groups/"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; -my $servicefile = "/var/ipfire/outgoing/defaultservices"; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -### Values that have to be initialized 
-$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; -$outfwsettings{'MODE1LOG'} = 'off'; - -$outfwsettings{'TIME_FROM'} = '00:00'; -$outfwsettings{'TIME_TO'} = '00:00'; - -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&Header::getcgihash(\%outfwsettings); - -############### -# DEBUG DEBUG -#&Header::openbox('100%', 'left', 'DEBUG'); -#my $debugCount = 0; -#foreach my $line (sort keys %outfwsettings) { -#print "$line = $outfwsettings{$line}
\n"; -# $debugCount++; -#} -#print " Count: $debugCount\n"; -#&Header::closebox(); -# DEBUG DEBUG -############### - -$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; -$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - -$checked{'MODE1LOG'}{'off'} = ''; -$checked{'MODE1LOG'}{'on'} = ''; -$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'"; -$checked{'TIME_MON'}{'off'} = ''; -$checked{'TIME_MON'}{'on'} = ''; -$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'"; -$checked{'TIME_TUE'}{'off'} = ''; -$checked{'TIME_TUE'}{'on'} = ''; -$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'"; -$checked{'TIME_WED'}{'off'} = ''; -$checked{'TIME_WED'}{'on'} = ''; -$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'"; -$checked{'TIME_THU'}{'off'} = ''; -$checked{'TIME_THU'}{'on'} = ''; -$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'"; -$checked{'TIME_FRI'}{'off'} = ''; -$checked{'TIME_FRI'}{'on'} = ''; -$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'"; -$checked{'TIME_SAT'}{'off'} = ''; -$checked{'TIME_SAT'}{'on'} = ''; -$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'"; -$checked{'TIME_SUN'}{'off'} = ''; -$checked{'TIME_SUN'}{'on'} = ''; -$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'"; - -if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - -# This is a little hack if poeple don´t mark any date then all will be selected, because they might have forgotten to select -# a valid day. 
A Rule without any matching day will never work, because the timeranges are new feature people might not notice -# that they have to select a day for the rule. - -if ( $outfwsettings{'TIME_MON'} eq "" && - $outfwsettings{'TIME_TUE'} eq "" && - $outfwsettings{'TIME_WED'} eq "" && - $outfwsettings{'TIME_THU'} eq "" && - $outfwsettings{'TIME_FRI'} eq "" && - $outfwsettings{'TIME_SAT'} eq "" && - $outfwsettings{'TIME_SUN'} eq "" ) - { - $outfwsettings{'TIME_MON'} = "on"; - $outfwsettings{'TIME_TUE'} = "on"; - $outfwsettings{'TIME_WED'} = "on"; - $outfwsettings{'TIME_THU'} = "on"; - $outfwsettings{'TIME_FRI'} = "on"; - $outfwsettings{'TIME_SAT'} = "on"; - $outfwsettings{'TIME_SUN'} = "on"; - } - -&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - $outfwsettings{'POLICY'}='MODE0'; - unlink $configfile; - system("/usr/bin/touch $configfile"); - my $MODE = $outfwsettings{'POLICY'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $outfwsettings{'POLICY'}; - my $MODE1LOG = $outfwsettings{'MODE1LOG'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - $outfwsettings{'MODE1LOG'} = "$MODE1LOG"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'enable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry 
(sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];on;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'disable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];off;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq 
$outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected'; - $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected'; - $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected'; - &addrule(); - &Header::closebigbox(); - &Header::closepage(); - exit - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq 
$outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) -{ - if ( $outfwsettings{'VALID'} eq 'yes' ) { - - if ( $outfwsettings{'SNET'} eq "all" ) { - $outfwsettings{'SIP'} =""; - $outfwsettings{'SMAC'}=""; - } - open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; - print FILE <$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - &Header::openbox('100%', 'center', 'Rules'); - print < - - -END -; - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - if (@configs) { - print < - - - - - - - - - -END -; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - $outfwsettings{'STATE'} = $configline[0]; - $outfwsettings{'ENABLED'} = $configline[1]; - $outfwsettings{'SNET'} = $configline[2]; - $outfwsettings{'PROT'} = $configline[3]; - $outfwsettings{'NAME'} = 
$configline[4]; - $outfwsettings{'SIP'} = $configline[5]; - $outfwsettings{'SMAC'} = $configline[6]; - $outfwsettings{'DIP'} = $configline[7]; - $outfwsettings{'DPORT'} = $configline[8]; - $outfwsettings{'LOG'} = $configline[9]; - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - $outfwsettings{'TIME_MON'} = $configline[10]; - $outfwsettings{'TIME_TUE'} = $configline[11]; - $outfwsettings{'TIME_WED'} = $configline[12]; - $outfwsettings{'TIME_THU'} = $configline[13]; - $outfwsettings{'TIME_FRI'} = $configline[14]; - $outfwsettings{'TIME_SAT'} = $configline[15]; - $outfwsettings{'TIME_SUN'} = $configline[16]; - $outfwsettings{'TIME_FROM'} = $configline[17]; - $outfwsettings{'TIME_TO'} = $configline[18]; - - if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; } - if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; } - if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "DENY"; } - if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "ALLOW"; } - if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){ - if ( $outfwsettings{'ENABLED'} eq "on" ){ - print ""; - } else { - print ""; - } - print <$outfwsettings{'PROT'} - "; - print ""; - } else { - $outfwsettings{'DISPLAY_SMAC'} = 
$outfwsettings{'SMAC'}; - print ""; - print ""; - } - } - print < - - - -END -; - } - } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ -print <
-
-
$Lang::tr{'protocol'}$Lang::tr{'network'}$Lang::tr{'destination'}$Lang::tr{'description'}$Lang::tr{'policy'}$Lang::tr{'logging'}$Lang::tr{'action'}
$outfwsettings{'SNET'} - $outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'} - $outfwsettings{'NAME'} - $outfwsettings{'DISPLAY_STATE'} - $outfwsettings{'LOG'} - - -
- - - - - - - - - - - - - - - - - - - - - -
-
- - - - - - - - - - - - - - - - - - - - - -
-END -; - if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - - unless ($outfwsettings{'SIP'}) { - $outfwsettings{'DISPLAY_SIP'} = 'ALL'; - } else { - $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; - } - - unless ($outfwsettings{'SMAC'}) { - $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; - print "
$Lang::tr{'source ip or net'}: $outfwsettings{'DISPLAY_SIP'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: $outfwsettings{'DISPLAY_SMAC'}$Lang::tr{'time'} - -END -; - if ($outfwsettings{'TIME_MON'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy monday'},"; - if ($outfwsettings{'TIME_TUE'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy tuesday'},"; - if ($outfwsettings{'TIME_WED'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy wednesday'},"; - if ($outfwsettings{'TIME_THU'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy thursday'},"; - if ($outfwsettings{'TIME_FRI'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy friday'},"; - if ($outfwsettings{'TIME_SAT'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy saturday'},"; - if ($outfwsettings{'TIME_SUN'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy sunday'}"; - print < - $Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}all - all - ALL - drop - DENY - on off -
-
-
-END -; -} - print < -END -; - - } - &Header::closebox(); -} - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print < - $Lang::tr{'protocol'} - $Lang::tr{'status'} -END -; - my $id = 1; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - print < -END -; - print "\t\t\t\n"; - print <$p2pline[0]: - -END -; - if ($p2pline[2] eq 'on') { - print < - -END -; - } else { - print < - -END -; - } - print < -END -; - } - print < -
$Lang::tr{'outgoing firewall p2p description 1'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 2'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 3'} -END -; - &Header::closebox(); -} - -&Header::openbox('100%', 'center', 'Policy'); -print < - - - - - - + +END + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ + print ""; + } + + print<
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}

- - -END -; - if ($outfwsettings{'POLICY'} ne 'MODE0') { - print < -END -; - } -print < - -END -; -&Header::closebox(); - -############################################################################################################################ -############################################################################################################################ - -sub addrule -{ - &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); - if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; } - $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; - $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; -print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'description'}: $Lang::tr{'active'}:
$Lang::tr{'protocol'} - - $Lang::tr{'policy'}: -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\t\tALLOW\n"; - } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\t\tDENY\n"; - } - print < -
$Lang::tr{'source'}: - - $Lang::tr{'outgoing firewall warning'}
$Lang::tr{'source ip or net'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: - -
$Lang::tr{'logging'}: - - - -
$Lang::tr{'destination ip or net'}: $Lang::tr{'destination port'}(s)
$Lang::tr{'time'}:$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'}$Lang::tr{'advproxy to'}
- - - - - - - - - -
-
$Lang::tr{'this field may be blank'}
-END -; - &Header::closebox(); - -if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2') -{ -&Header::openbox('100%', 'center', 'Quick Add'); - - open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services"; - my @defservices = ; - close FILE; - -print ""; -foreach my $serviceline(@defservices) - { - my @service = split(/,/,$serviceline); - print <
-
- - - - - ";} - elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "";} - } - print "
$Lang::tr{'service'}$Lang::tr{'description'}$Lang::tr{'port'}$Lang::tr{'protocol'}$Lang::tr{'source net'}$Lang::tr{'logging'}$Lang::tr{'action'}
$service[0]$service[3]$service[1]$service[2] - - - -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "
"; - &Header::closebox(); - } -} - -&Header::closebigbox(); -&Header::closepage(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7fe166465..11e418756 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -747,7 +747,8 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop input' => 'Verworfene Input-Pakete loggen', +'drop action' => 'Standardverhalten der Firewall in Modus1', +'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop forward' => 'Verworfene Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', @@ -1033,8 +1034,9 @@ 'from email server' => 'Von Email Server', 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gültig', -'fw blue' => 'Firewall-Optionen für das Blaue Interface', -'fw logging' => 'Firewall-Logging', +'fw blue' => 'Firewall Optionen für das Blaue Interface', +'fw default drop' => 'Firewall Policy', +'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', 'gen static key' => 'Statischen Schlüssel erzeugen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c33f97247..c4c882bf8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,9 +771,10 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', +'drop action' => 'Default behaviour of firewall in mode 1', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', -'drop forward' => 'Log dropped firewall pakets', +'drop forward' => 'Log dropped forward pakets', 'drop portscan' => 'Log dropped portscan pakets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', 
@@ -1060,6 +1061,7 @@ 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', +'fw default drop' => 'Firewall policy', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', diff --git a/lfs/configroot b/lfs/configroot index 704c69007..56ee98df9 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -103,6 +103,7 @@ $(TARGET) : cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl + cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c1daa59b5..0af3d4b2a 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -226,12 +226,6 @@ case "$1" in /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - # WIRELESS chains - /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT - /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - # RED chain, used for the red interface /sbin/iptables -N REDINPUT /sbin/iptables -A INPUT -j REDINPUT 
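Review bot: The new `cp` line drops `firewall-forward-policy` into an absolute `/usr/sbin` path with no mode set, while the init script in this same patch executes it as `/usr/sbin/firewall-forward-policy`; unless the source file already carries the executable bit, the copy will not be runnable at boot. Use `install -m 755 $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy` so the mode is explicit. It is also the only line in this recipe that writes outside `$(CONFIG_ROOT)`, which deserves a comment such as `# installed outside CONFIG_ROOT: invoked by init.d/firewall at start` so the next reader does not "fix" the path.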
@@ -283,11 +277,16 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #if [ "$DROPFORWARD" == "on" ]; then + # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + #fi + #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #POLICY CHAIN + /sbin/iptables -N POLICY + /sbin/iptables -A FORWARD -j POLICY + + /usr/sbin/firewall-forward-policy ;; startovpn) # run openvpn @@ -320,14 +319,10 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - #if [ "$DROPOUTPUT" == "on" ]; then - # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - #fi - #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi - /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper" + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" ;; stopovpn) # stop openvpn From 9dafa928db040447cd888d6cd901130bdecfaebd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 9 Jan 2013 14:42:52 +0100 Subject: [PATCH 020/306] Forward Firewall: Deleted /var/ipfire/outgoing from configroot and aaded default values to /var/ipfire/optionsfw/settings --- lfs/configroot | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/configroot b/lfs/configroot index 56ee98df9..833904c8c 100644 
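Review bot: In the `start` branch the terminal `-A FORWARD -j DROP` is only commented out and replaced by `-A FORWARD -j POLICY` plus a call to `/usr/sbin/firewall-forward-policy` whose exit status is not checked, so the default-deny for forwarded traffic now depends entirely on an external script; if it is missing or fails, FORWARD ends without a terminal rule and falls through to the chain's built-in policy, which this hunk does not set. Keep a fail-safe after the jump, `/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"`, or at least `/usr/sbin/firewall-forward-policy || echo "firewall-forward-policy failed" >&2`, and delete the four commented-out lines rather than leave dead configuration in the script. The later hunk in this file (`@@ -320,14 +319,10 @@`) does the opposite and appends the LOG/DROP pair directly to FORWARD, so the two case branches now disagree on whether FORWARD ends in DROP; both should go through the same POLICY path.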
--- a/lfs/configroot +++ b/lfs/configroot @@ -53,8 +53,8 @@ $(TARGET) : for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \ - net-traffic/templates nfs optionsfw outgoing/bin \ - outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \ + net-traffic/templates nfs optionsfw \ + ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ wakeonlan wireless ; do \ @@ -92,7 +92,6 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server - cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings @@ -114,6 +113,7 @@ $(TARGET) : echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings # set rules.pl executable From bbc14c234d62afe1cd8b0730265d5c3a57111744 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Wed, 9 Jan 2013 14:44:10 +0100 Subject: [PATCH 021/306] Forward Firewall: Deleted config/cfgroot/p2protocols --- config/cfgroot/p2protocols | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 config/cfgroot/p2protocols diff --git a/config/cfgroot/p2protocols b/config/cfgroot/p2protocols deleted file mode 100644 index 78c610115..000000000 --- a/config/cfgroot/p2protocols +++ /dev/null @@ -1,9 +0,0 @@ -Bittorrent;bit;on; -Edonkey;edk;on; -KaZaA;kazaa;on; -Gnutella;gnu;on; -DirectConnect;dc;on; -Applejuice;apple;on; -WinMX;winmx;on; -SoulSeek;soul;on; -Ares;ares;on; \ No newline at end of file From 485aac63955b1171f5f74525f345fdc4f94663fd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 9 Jan 2013 14:48:35 +0100 Subject: [PATCH 022/306] Forward Firewall: Deleted /var/ipfire/outgoing from /config/rootfiles/common/configroot --- config/rootfiles/common/configroot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index d4c7390f2..bd6c4be07 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -117,7 +117,7 @@ var/ipfire/net-traffic #var/ipfire/nfs/nfs-server var/ipfire/optionsfw #var/ipfire/optionsfw/settings -var/ipfire/outgoing +#var/ipfire/outgoing #var/ipfire/outgoing/bin #var/ipfire/outgoing/bin/outgoingfw.pl #var/ipfire/outgoing/defaultservices From b9648e583305cc03907e9dde6c459fd8ba71cd0c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 9 Jan 2013 14:54:31 +0100 Subject: [PATCH 023/306] Forward Firewall: added Red interface to get_std_network function --- config/cfgroot/general-functions.pl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index d81c8bb98..6709c2b85 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl 
@@ -53,6 +53,10 @@ sub setup_default_networks $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN"; + if ($netsettings{'RED_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'red'}}{'NAME'} = "RED"; + } if ($netsettings{'ORANGE_DEV'} ne ''){ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE"; From b526909163c325956f16fdd90287465aa78ffd17 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 10 Jan 2013 09:41:04 +0100 Subject: [PATCH 024/306] Forward Firewall: BUGFIX: MAC source addresses where not created as rules --- config/backup/exclude | 1 + config/forwardfw/rules.pl | 22 ++++++++++++++++------ html/cgi-bin/forwardfw.cgi | 33 ++++++++++++++++++++++----------- 3 files changed, 39 insertions(+), 17 deletions(-) diff --git a/config/backup/exclude b/config/backup/exclude index 8103bb9d9..bd15ceb21 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,5 +1,6 @@ *.tmp /var/ipfire/ethernet/settings +/var/ipfire/forward/bin/* /var/ipfire/proxy/calamaris/bin/* /var/ipfire/qos/bin/qos.pl /var/ipfire/urlfilter/blacklists/*/*.db diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 953aad0bc..58bdf2a05 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -115,7 +115,9 @@ sub preparerules sub buildrules { my $hash=shift; + my $STAG; foreach my $key (sort keys %$hash){ + $STAG=''; if($$hash{$key}[2] eq 'ON'){ #get source ip's if ($$hash{$key}[3] eq 'cust_grp_src'){ 
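Review bot: The new RED entry is guarded only on `RED_DEV`, but nothing in the hunk shows that `RED_NETADDRESS` and `RED_NETMASK` are populated whenever a RED device exists (a non-static RED may leave them empty), in which case the `IPT` value becomes `/` and any rule built from it is malformed. The ORANGE block below has the same shape, so the addition is consistent, but a tighter guard costs one line: `if ($netsettings{'RED_DEV'} ne '' && $netsettings{'RED_NETADDRESS'} ne '' && $netsettings{'RED_NETMASK'} ne ''){`. A short comment on what "RED" denotes here for a dynamically addressed uplink would help the next reader. setup_default_networks starts and ends outside the hunk.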
@@ -195,17 +197,17 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ - print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } } print"\n"; } - }elsif($MODE eq '0'){ foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); @@ -215,10 +217,11 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ - system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); + system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } - system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); + system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); } } } 
@@ -247,7 +250,11 @@ sub get_address } my $key = &General::findhasharraykey($hash); if($base eq 'src_addr' || $base eq 'tgt_addr' ){ - $$hash{$key}[0] = $base2; + if (&General::validmac($base2)){ + $$hash{$key}[0] = "-m mac --mac-source $base2"; + }else{ + $$hash{$key}[0] = $base2; + } }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2); }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ @@ -307,6 +314,7 @@ sub get_port return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ return "--dport $$hash{$key}[15] "; @@ -330,6 +338,8 @@ sub get_port elsif($prot eq 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); } + + } } } diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6aadb996b..21f680d46 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -544,24 +544,35 @@ sub checksource if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) { ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'}); $subnet = &General::iporsubtocidr($subnet); + $fwdfwsettings{'isip'}='on'; } #check if only ip if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ $ip=$fwdfwsettings{'src_addr'}; $subnet = '32'; + $fwdfwsettings{'isip'}='on'; } - #check and form valid IP - $ip=&General::ip2dec($ip); - $ip=&General::dec2ip($ip); - #check if net or broadcast - my @tmp= split (/\./,$ip); - if (($tmp[3] eq "0") || ($tmp[3] eq "255")) - { - $errormessage=$Lang::tr{'fwhost err hostip'}."
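Review bot: In get_address the `else` branch still stores `$base2` verbatim whenever it is not a MAC, and buildrules later interpolates that value into a string-form `system("iptables ...")`; the only validation is whatever the CGI did before writing the config file, so rules.pl itself trusts the file it reads. Since this script presumably runs with enough privilege to call iptables, a local check is cheap, e.g. `}elsif (&General::validipandmask($base2)){ $$hash{$key}[0] = $base2; }` with the remaining `else` logging and skipping the entry, or alternatively switching buildrules to the list form of `system`. The two get_port hunks on this line open `if($$hash{$key}[14] eq 'TGT_PORT'){` and close it in a separate hunk, so the bracing cannot be checked from here. get_address starts outside the hunk.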
"; - } - $fwdfwsettings{'src_addr'}="$ip/$subnet"; - if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + if ($fwdfwsettings{'isip'} ne 'on'){ + if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';} + } + if ($fwdfwsettings{'isip'} eq 'on'){ + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + #check if net or broadcast + my @tmp= split (/\./,$ip); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")) + { + $errormessage=$Lang::tr{'fwhost err hostip'}."
"; + } + $fwdfwsettings{'src_addr'}="$ip/$subnet"; + + if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + } + } + if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ From 54cb7ff0199cc9a7833038597fee4bfc7dbfeab5 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 10 Jan 2013 09:58:38 +0100 Subject: [PATCH 025/306] Forward Firewall: added check for mac rules --- config/forwardfw/rules.pl | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 58bdf2a05..e129d7621 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -66,7 +66,7 @@ my $CHAIN="FORWARDFW"; ################################ # DEBUG/TEST # ################################ -my $MODE=0; # 0 - normal operation +my $MODE=1; # 0 - normal operation # 1 - print configline and rules to console # ################################ @@ -97,7 +97,6 @@ if($param eq 'flush'){ } } } - sub flush { system ("iptables -F FORWARDFW"); @@ -197,7 +196,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } @@ -217,7 +216,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } From 8139398721023908ae3145d18839d2712ce522c8 Mon Sep 17 00:00:00 2001 
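Review bot: checksource sets `$fwdfwsettings{'isip'}` and `$fwdfwsettings{'ismac'}` but never clears them first, so the final `if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on')` depends on whatever those keys held before the call; if %fwdfwsettings is filled from the request (not visible here), a submitted `isip=on` would bypass the address validation. Initialise both at the start of the manual-address branch: `$fwdfwsettings{'isip'}=''; $fwdfwsettings{'ismac'}='';`. Separately, the moved net/broadcast check still uses plain assignment `$errormessage=$Lang::tr{'fwhost err hostip'}...` while every other check appends with `.=`, so it silently discards errors collected earlier. checksource starts outside the hunk.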
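Review bot: `my $MODE=1;` in the @@ -66 hunk switches rules.pl into its print-to-console mode, so with this commit the rule set is displayed but never applied via `system`. The commit message ("added check for mac rules") does not mention it, so this looks like a debugging leftover that should go back to `my $MODE=0;` before merge. The blank-line removal in the @@ -97 hunk is fine.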
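Review bot: `$STAG` is only ever set to `-s` and never back to `''`, and it is reset once per rule rather than per source, so for a rule whose source set mixes IP and MAC entries the first IP source leaves `-s` in place for every later MAC source, yielding `-s -m mac --mac-source …`, which iptables rejects. Assign it unconditionally per source instead: `$STAG = (substr($sourcehash{$a}[0], 3, 3) eq 'mac') ? '' : '-s';`. The @@ -216 hunk (MODE 0 branch) has the same defect. Sniffing the generated argument string for the substring `mac` is fragile; a dedicated marker set by get_address when it chooses the `-m mac` form would be clearer. buildrules starts and ends outside these hunks.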
From: Alexander Marx Date: Thu, 10 Jan 2013 12:17:30 +0100 Subject: [PATCH 026/306] Forward Firewall: edited /src/initscripts/init.d/firewall and misc-progs/wirelessctrl.c added WIRELESSFORWARD to FORWARDFW (instead of FORWARD) so that rules work commented out DMZHOLES lines in wirelessctrl.c to get rid of booterrormessages (There's no DMZHOLES anymore) --- src/initscripts/init.d/firewall | 6 ++++++ src/misc-progs/wirelessctrl.c | 12 ++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0af3d4b2a..66dba6424 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -221,6 +221,12 @@ case "$1" in # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT + + # WIRELESS chains + /sbin/iptables -N WIRELESSINPUT + /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT + /sbin/iptables -N WIRELESSFORWARD + /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 12b954baa..be6f967c4 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c @@ -156,8 +156,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); - safe_system(command); + /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); + safe_system(command);*/ } else { /* correctly formed mac address is 17 chars */ 
@@ -166,8 +166,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); - safe_system(command); + /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); + safe_system(command);*/ } if (VALID_IP_AND_MASK(ipaddress)) { @@ -175,8 +175,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); - safe_system(command); + /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); + safe_system(command);*/ } } } From 8dc23ff4fcc6b9f07cdd48abe7991419d255d363 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 10 Jan 2013 12:55:56 +0100 Subject: [PATCH 027/306] Forward Firewall: adapted initscripts/firewall and wirelessctrl.c Now the Wirelesschains should work with new firewall. --- src/initscripts/init.d/firewall | 2 +- src/misc-progs/wirelessctrl.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 66dba6424..225d4827c 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -226,7 +226,7 @@ case "$1" in /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD + /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index be6f967c4..90f602d5f 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c @@ -156,8 +156,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); safe_system(command); - /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); - safe_system(command);*/ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev); + safe_system(command); } else { /* correctly formed mac address is 17 chars */ @@ -166,8 +166,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev); safe_system(command); - /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); - safe_system(command);*/ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev); + safe_system(command); } if (VALID_IP_AND_MASK(ipaddress)) { 
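Review bot: `/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD` is appended to FORWARD at this point of the start sequence, so whether registered wireless clients are evaluated before or after the FORWARDFW hook depends on where that hook is added, which is outside this hunk; the wirelessctrl.c rules in the same commit end in `-j FORWARDFW`, so presumably WIRELESSFORWARD is meant to run first. A one-line comment stating that ordering requirement, e.g. `# must precede the FORWARDFW hook: wirelessctrl rules jump there for registered clients`, would keep a later edit from reordering them. Only NEW connections are dispatched here, so established traffic relies on an earlier ESTABLISHED/RELATED accept that is not visible in this hunk.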
@@ -175,8 +175,8 @@ int main(void) safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev); safe_system(command); - /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); - safe_system(command);*/ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev); + safe_system(command); } } } From 2da264ec63eb3091704a6b71cc7f83dc6f07a892 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 11 Jan 2013 08:48:20 +0100 Subject: [PATCH 028/306] Forward Firewall: added possibility to change ruleposition --- html/cgi-bin/forwardfw.cgi | 177 ++++++++++++++++++++++++++----------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 127 insertions(+), 52 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 21f680d46..c161c4af7 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -136,13 +136,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'chain'} = 'INPUTFW'; #check if we have an identical rule already - foreach my $key (sort keys %configinputfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if($fwdfwsettings{'oldrulenumer'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configinputfw){ + if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } } - } - + } &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ($fwdfwsettings{'nobase'} ne 'on'){ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); 
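Review bot: The new guard in the INPUTFW branch reads `$fwdfwsettings{'oldrulenumer'}` while the FORWARDFW branch and newrule use `oldrulenumber`, so the misspelt key is always empty and the duplicate-rule check for INPUTFW rules now runs only when `rulepos` happens to be empty as well. Fix the key: `if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){`. Dropping `ruleremark` from the comparison string is a behaviour change (two rules differing only in remark are now duplicates) that the commit message does not mention; a comment on the `if` would record whether that is intended. The enclosing `saverule` action block starts and ends outside the hunk.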
@@ -179,19 +180,18 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; }else{ $fwdfwsettings{'chain'} = 'FORWARDFW'; - #check if we have an identical rule already - foreach my $key (sort keys %configfwdfw){ - - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + #check if we have an identical rule already + foreach my $key (sort keys %configfwdfw){ + if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } } #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { 
@@ -203,7 +203,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } &saverule(\%configfwdfw,$configfwdfw); - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -491,8 +490,7 @@ sub deleterule { my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); - foreach my $key (sort keys %delhash){ - + foreach my $key (sort {$a <=> $b} keys %delhash){ if ($key eq $fwdfwsettings{'key'}){ #check hosts/net and groups &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); @@ -850,6 +848,7 @@ sub newrule &General::get_aliases(\%aliases); my %checked=(); my $helper; + my $sum=0; if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); @@ -875,7 +874,9 @@ sub newrule if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); foreach my $key (sort keys %hash){ + $sum++; if ($key eq $fwdfwsettings{'key'}){ + $fwdfwsettings{'oldrulenumber'} = $key; $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; $fwdfwsettings{'grp1'} = $hash{$key}[3]; @@ -1242,7 +1243,20 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< -
$Lang::tr{'remark'}:
$Lang::tr{'remark'}:
$Lang::tr{'fwdfw rulepos'}:
$Lang::tr{'fwdfw rule activate'}
$Lang::tr{'fwdfw log rule'}


@@ -1318,6 +1332,8 @@ END + +
END @@ -1330,7 +1346,7 @@ sub saverule my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ - if ($fwdfwsettings{'updatefwrule'} ne 'on' ){ + if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; $$hash{$key}[1] = $fwdfwsettings{'chain'}; 
@@ -1362,37 +1378,94 @@ sub saverule $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; &General::writehasharray("$config", $hash); }else{ - foreach my $key (sort keys %$hash){ - if($key eq $fwdfwsettings{'key'}){ - $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; - $$hash{$key}[1] = $fwdfwsettings{'chain'}; - $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; - $$hash{$key}[3] = $fwdfwsettings{'grp1'}; - $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; - $$hash{$key}[5] = $fwdfwsettings{'grp2'}; - $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; - $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; - $$hash{$key}[8] = $fwdfwsettings{'PROT'}; - $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; - $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; - $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; - $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; - $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; - $$hash{$key}[14] = $fwdfwsettings{'grp3'}; - $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; - $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; - $$hash{$key}[17] = $fwdfwsettings{'LOG'}; - $$hash{$key}[18] = $fwdfwsettings{'TIME'}; - $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; - $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; - $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; - $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; - $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; - $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; - $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; - $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; - $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; - last; + #ruleposition check + if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){ + my %tmp=(); + my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'}; + for ($a=0;$a<$val;$a++){ + $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}-$a; + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $last = $key -1; + if (exists 
$$hash{$last}){ + #save rule last + foreach my $y (0 .. $#{$$hash{$last}}) { + $tmp{0}[$y] = $$hash{$last}[$y]; + } + #copy active rule to last + foreach my $i (0 .. $#{$$hash{$last}}) { + $$hash{$last}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + } + &General::writehasharray("$config", $hash); + &rules; + }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){ + my %tmp=(); + my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'}; + for ($a=0;$a<$val;$a++){ + $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}+$a; + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $next = $key + 1; + if (exists $$hash{$next}){ + #save rule next + foreach my $y (0 .. $#{$$hash{$next}}) { + $tmp{0}[$y] = $$hash{$next}[$y]; + } + #copy active rule to next + foreach my $i (0 .. $#{$$hash{$next}}) { + $$hash{$next}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. 
$#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + } + &General::writehasharray("$config", $hash); + &rules; + }else{ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if($key eq $fwdfwsettings{'key'}){ + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + last; + } } } &General::writehasharray("$config", $hash); 
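Review bot: The reposition loops are wrong in several ways: `gt` compares rule numbers as strings (so `"10" gt "9"` is false and moves past position 9 go the wrong way), the step `$fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}-$a` subtracts 0, 1, 2, ... cumulatively instead of 1 per iteration (a move of three positions swaps rules 2 and 1 instead of the rule being moved), and the C-style counter reuses `$a`, which is also the package variable `sort {$a <=> $b}` binds. Also, when the position changes the field assignments in the final `else` never run, so edits made in the same save are lost. Below is a single swap loop with numeric comparisons that replaces both direction branches; the field-update loop should then match on `$pos` rather than `$fwdfwsettings{'key'}`, and `rulepos` should be checked against `/^\d+$/` before the arithmetic. saverule continues outside the hunk.
```perl
}else{
    #ruleposition check
    my $pos = $fwdfwsettings{'oldrulenumber'};
    my $step = ($pos > $fwdfwsettings{'rulepos'}) ? -1 : 1;
    # swap the edited rule with its neighbour until it sits at rulepos
    while ($pos != $fwdfwsettings{'rulepos'}) {
        my $neighbour = $pos + $step;
        last unless exists $$hash{$neighbour};
        ($$hash{$pos}, $$hash{$neighbour}) = ($$hash{$neighbour}, $$hash{$pos});
        $pos = $neighbour;
    }
    # … unchanged: field update loop, matching on $pos instead of $fwdfwsettings{'key'} …
    &General::writehasharray("$config", $hash);
    &rules;
```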
@@ -1438,7 +1511,7 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:_\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 11e418756..fed90c1bc 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -927,6 +927,7 @@ 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', 'fwdfw rule activate' => 'Regel aktivieren', +'fwdfw rulepos' => 'Regelposition', 'fwdfw source' => 'Quelle', 'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):', 'fwdfw std network' => 'Standard Netzwerke:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c4c882bf8..4bfc8ba2e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -952,6 +952,7 @@ 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', 'fwdfw rule activate' => 'Activate rule', +'fwdfw rulepos' => 'Ruleposition', 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC, IP or Network):', 'fwdfw std network' => 'Standard networks:', From 1aec05a64e69852338ffd6e1b49e0d9beb9e5fda Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 11 Jan 2013 13:21:43 +0100 Subject: [PATCH 029/306] Forward Firewall: when adding custom hosts or networks the cursor is now in first textfield --- html/cgi-bin/fwhosts.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 5a8383692..278d57c0a 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1056,7 +1056,7 @@ sub addnet $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; print<
- $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}: + $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}:
END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') @@ -1076,7 +1076,7 @@ sub addhost $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; print< - $Lang::tr{'name'}:$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw man port'} $Lang::tr{'fwdfw man port'} - - + + END if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) { print "$Lang::tr{'outgoing firewall reset'}: "; } -print ""; + print ""; &Header::closebox(); } sub addrule @@ -564,7 +591,7 @@ sub disable_rule sub checksource { my ($ip,$subnet); - + #check ip-address if manual if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){ #check if ip with subnet @@ -579,7 +606,7 @@ sub checksource $subnet = '32'; $fwdfwsettings{'isip'}='on'; } - + if ($fwdfwsettings{'isip'} ne 'on'){ if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';} } @@ -594,7 +621,7 @@ sub checksource $errormessage=$Lang::tr{'fwhost err hostip'}."
"; } $fwdfwsettings{'src_addr'}="$ip/$subnet"; - + if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; } @@ -671,7 +698,7 @@ sub checktarget #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); - + #check if net or broadcast my @tmp= split (/\./,$ip); if (($tmp[3] eq "0") || ($tmp[3] eq "255")) @@ -994,11 +1021,9 @@ END } print"
"; - &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); - #------SOURCE------------------------------------------------------- print< @@ -1806,6 +1831,35 @@ END &Header::closebox(); } } +sub p2pblock +{ + my $gif; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + &Header::openbox('100%', 'center', 'P2P-Block'); + print < + $Lang::tr{'protocol'}$Lang::tr{'status'} +END + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /\;/, $p2pentry ); + if($p2pline[2] eq 'on'){ + $gif="/images/on.gif" + }else{ + $gif="/images/off.gif" + } + print < + + $p2pline[0]: +END + } + print"$Lang::tr{'outgoing firewall p2p deny'}"; + print"$Lang::tr{'outgoing firewall p2p allow'}"; + &Header::closebox(); +} sub fillselect { my %hash=%{(shift)}; From 7f9d1c39693c49b767a40dd226b47adf83ffbef1 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 15 Jan 2013 12:37:27 +0100 Subject: [PATCH 039/306] Forward Firewall: added p2protocols to /var/ipfire/forward/ for p2pblocking options --- config/forwardfw/p2protocols | 9 +++++++++ config/rootfiles/common/configroot | 1 + lfs/configroot | 1 + 3 files changed, 11 insertions(+) create mode 100644 config/forwardfw/p2protocols diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols new file mode 100644 index 000000000..d8998095c --- /dev/null +++ b/config/forwardfw/p2protocols @@ -0,0 +1,9 @@ +Applejuice;apple;on; +Ares;ares;on; +Bittorrent;bit;on; +DirectConnect;dc;on; +Edonkey;edk;on; +Gnutella;gnu;on; +KaZaA;kazaa;on; +SoulSeek;soul;on; +WinMX;winmx;on; diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index bd6c4be07..f15df7699 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot 
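Review bot: p2pblock opens the protocol list with a two-argument `open( FILE, "< $p2pfile" )` on a bareword handle and `die`s inside a CGI handler, which yields a broken page instead of an error box; `@p2ps` is also assigned without `my`, so it is either a file-level global or an undeclared one (not visible here). Use the three-argument form with a lexical handle: `open(my $fh, '<', $p2pfile) or die "Unable to read $p2pfile: $!"; my @p2ps = <$fh>; close $fh;`. The entries are split on `;` with their trailing newline left in the last field, which is harmless for `$p2pline[2]` but worth a `chomp` for clarity.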
@@ -51,6 +51,7 @@ var/ipfire/forward/bin/firewall-lib.pl var/ipfire/forward/settings var/ipfire/forward/config var/ipfire/forward/input +var/ipfire/forward/p2protocols var/ipfire/fwhosts var/ipfire/fwhosts/icmp-types var/ipfire/fwhosts/customhosts diff --git a/lfs/configroot b/lfs/configroot index d0cbd08ad..829e124c5 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -101,6 +101,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl + cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types From bcbf1b8ebe50b470c8ad6e63cb9519c3fea37499 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 15 Jan 2013 13:07:59 +0100 Subject: [PATCH 040/306] Forward Firewall: Bugfix: when usinf ESP or AH as target protocol, no rules where created --- html/cgi-bin/forwardfw.cgi | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 8d70bfb3e..8e1100b45 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -734,7 +734,7 @@ sub checktarget } } if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ - if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){ + if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; 
@@ -751,15 +751,19 @@ sub checktarget } }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'} = ''; - }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){ + }elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'}=''; - }elsif($fwdfwsettings{'TGT_PORT'} eq 'AH'){ + }elsif($fwdfwsettings{'TGT_PROT'} eq 'AH'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ @@ -777,6 +781,7 @@ sub checktarget $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; + } #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ From af49e3672351be5c1bad9958dfbd70bb638ffb45 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 16 Jan 2013 06:12:34 +0100 Subject: [PATCH 041/306] Forward Firewall: edited p2pblock call in rules.pl --- config/forwardfw/rules.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 152558b64..a6ba4fc50 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
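Review bot: The lone `}` added at the end of the `@@ -777,6 +781,7 @@` hunk does not pair with anything opened in this commit; from the visible context it appears to close an `else` that is already closed outside the hunk, which would leave checktarget with an unbalanced brace, and the `@@ -782,7 +823,6 @@` hunk of the multiport patch further down removes exactly this line again, which supports that reading. checktarget starts and ends outside the hunk, so this is inferred rather than certain. The `TGT_PORT` → `TGT_PROT` corrections for ESP and AH in the `@@ -751` hunk are right, and with the allow-list in `@@ -734` every non-TCP/UDP branch now clears the port; a one-line comment above the chain, `# only TCP/UDP carry a port; every other protocol resets the port fields`, would keep the next edit from reintroducing the old deny-list form.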
@@ -89,10 +89,13 @@ if($param eq 'flush'){
 &preparerules;
 if($MODE eq '0'){
 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+ &p2pblock;
 system ("/usr/sbin/firewall-forward-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ &p2pblock;
 system ("/usr/sbin/firewall-forward-policy");
- }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
 system ("/usr/sbin/firewall-forward-policy");
 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
 }
@@ -107,7 +110,6 @@ sub preparerules
 {
 if (! -z "${General::swroot}/forward/config"){
 &buildrules(\%configfwdfw);
- &p2pblock;
 }
 if (! -z "${General::swroot}/forward/input"){
 &buildrules(\%configinputfw);
From 27f4a6b159d9b040feffa8b06784fc71965fac2e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 18 Jan 2013 08:35:25 +0100 Subject: [PATCH 042/306] Forward Firewall: added converters for old exaccess rules and old rules from outgoingfw and old firewallgroups. Also fixed a Bug: Day SUN was not checked when in rule-edit mode
--- config/forwardfw/convert-outgoingfw | 525 ++++++++++++++++++++++++++++ config/forwardfw/convert-xtaccess | 111 ++++++ config/rootfiles/common/stage2 | 2 + html/cgi-bin/forwardfw.cgi | 7 +- lfs/configroot | 3 + 5 files changed, 645 insertions(+), 3 deletions(-) create mode 100644 config/forwardfw/convert-outgoingfw create mode 100644 config/forwardfw/convert-xtaccess
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
new file mode 100644
index 000000000..282a017e4
--- /dev/null
+++ b/config/forwardfw/convert-outgoingfw
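Review bot: With `&p2pblock;` moved out of preparerules into the MODE1 and MODE2 branches, the P2P block rules are no longer emitted at all when `POLICY` is `MODE0`, whereas before this change they were emitted whenever forward/config was non-empty regardless of mode; if that is intended, a comment on the MODE1 branch, `# P2P blocking is only applied in MODE1/MODE2`, should say so, otherwise the call belongs in the MODE0 branch too. The ampersand call without parentheses, `&p2pblock;`, passes the caller's `@_` through to the sub; `p2pblock();` is the conventional form. The `iptables` invocation is a single interpolated string handed to the shell — `$CHAIN` is internal here, but `system("iptables", "-A", $CHAIN, "-m", "state", "--state", "NEW", "-j", "ACCEPT")` is the list form that bypasses the shell entirely and matches how the rest of the rule builder should call it.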
@@ -0,0 +1,525 @@ +#!/usr/bin/perl + + +require '/var/ipfire/general-functions.pl'; +use Socket; + +my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; +my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; +my $outgoingrules = "${General::swroot}/outgoing/rules"; +my $outfwsettings = "${General::swroot}/outgoing/settings"; +my $host = "Converted "; +my $confighosts = "${General::swroot}/fwhosts/customhosts"; +my $confignets = "${General::swroot}/fwhosts/customnetworks"; +my $configgroups = "${General::swroot}/fwhosts/customgroups"; +my $ovpnsettings = "${General::swroot}/ovpn/settings"; +my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; +my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; +my $fwdfwconfig = "${General::swroot}/forward/config"; +my $fwdfwsettings = "${General::swroot}/forward/settings"; +my @ipgroups = qx(ls $ipgrouppath); +my @macgroups = qx(ls $macgrouppath); +my @hostarray=(); +my %outsettings=(); +my %hosts=(); +my %nets=(); +my %groups=(); +my %settingsovpn=(); +my %configovpn=(); +my %ccdconf=(); +my %fwconf=(); +my %fwdsettings=(); +&General::readhash($outfwsettings,\%outsettings); + + +&process_groups; +&process_rules; + + + +sub process_groups +{ + if(! 
-d "/var/log/firewall"){ mkdir("/var/log/firewall");} + if( -f "/var/log/firewall/ip-convert.log"){unlink ("/var/log/firewall/ip-convert.log");} + open (LOG, ">/var/log/firewall/ip-convert.log") or die $!; + #IP Group processing + foreach my $group (@ipgroups){ + chomp $group; + open (DATEI, "<$ipgrouppath/$group"); + my @zeilen = ; + foreach my $ip (@zeilen){ + chomp($ip); + $ip =~ s/\s//gi; + my $val=&check_ip($ip); + if($val){ + push(@hostarray,$val.",ip"); + } + else{ + print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n"; + } + $val=''; + } + &new_hostgrp($group,'ip'); + @hostarray=(); + } + $group=''; + @zeilen=(); + @hostarray=(); + #MAC Group processing + foreach my $group (@macgroups){ + chomp $group; + open (DATEI, "<$macgrouppath/$group"); + my @zeilen = ; + foreach my $mac (@zeilen){ + chomp($mac); + $mac =~ s/\s//gi; + #MAC checking + if(&General::validmac($mac)){ + $val=$mac; + } + if($val){ + push(@hostarray,$val.",mac"); + } + else{ + print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n"; + } + $val=''; + } + &new_hostgrp($group,'mac'); + @hostarray=(); + } + close (LOG); +} +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + } + if($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/255.255.255.255"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} +sub new_hostgrp +{ + &General::readhasharray($confighosts,\%hosts); + &General::readhasharray($confignets,\%nets); + &General::readhasharray($configgroups,\%groups); + my $grp=shift; + my $run=shift; + my $name; #"converted" + my $name2; + my $name3; #custom host/custom net + foreach my $adr (@hostarray){ + if($run 
eq 'ip'){ + my ($ip,$type) = split(",",$adr); + my ($ippart,$subnet) = split("/",$ip); + my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet); + if($byte4 eq '255'){ + if(!&check_host($ip)){ + my $key = &General::findhasharraykey(\%hosts); + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $ip; + $hosts{$key}[3] = 1; + }else{ + print LOG "Host (IP) $ip already exists\n"; + } + }elsif($byte4 < '255'){ + if(!&check_net($ippart,$subnet)){ + my $netkey = &General::findhasharraykey(\%nets); + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $ippart; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = 1; + }else{ + print LOG "Network $ippart already exists\n"; + } + } + if($name2){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + } + }elsif($run eq 'mac'){ + #MACRUN + my ($mac,$type) = split(",",$adr); + if(!&check_host($mac)){ + my $key = &General::findhasharraykey(\%hosts); + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $mac; + $hosts{$key}[3] = 1; + }else{ + print LOG "Host (MAC) $mac already exists\n"; + } + if($name2){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + } + } + } + &General::writehasharray($confighosts,\%hosts); + &General::writehasharray($configgroups,\%groups); + &General::writehasharray($confignets,\%nets); +} +sub check_host +{ + my $ip=shift; + foreach my $key (sort keys %hosts) + { + if($hosts{$key}[2] eq $ip) + { + return 1; + } + } + return 0; +} +sub check_net +{ + my $ip=shift; + my 
$sub=shift; + foreach my $key (sort keys %nets) + { + if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub) + { + return 1; + } + } + return 0; +} +sub check_grp +{ + my $grp=shift; + my $value=shift; + foreach my $key (sort keys %groups) + { + if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value) + { + return 1; + } + } + return 0; +} +sub process_rules +{ + print "Outgoing ist im Mode $outsettings{'POLICY'}\n"; + &General::readhash($fwdfwsettings,\%fwdsettings); + if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){ + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + &General::writehash($fwdfwsettings,\%fwdsettings); + } + #open LOG + if( -f "/var/log/firewall/rule-convert.log"){unlink ("/var/log/firewall/rule-convert.log");} + open (LOG, ">/var/log/firewall/rule-convert.log") or die $!; + + my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); + if ($outsettings{'POLICY'} eq 'MODE1'){ + $type='ALLOW'; + $action='ACCEPT'; + }elsif($outsettings{'POLICY'} eq 'MODE2'){ + $type='DENY'; + $action='DROP'; + }else{ + return; + } + open (DATEI, "<$outgoingrules"); + my @lines = ; + foreach my $rule (@lines) + { + chomp($rule); + print LOG "processing: $rule\n"; + print "$rule\n"; + my @configline = split( /\;/, $rule ); + my @prot=(); + if($configline[0] eq $type){ + #some variables we can use from old config + if($configline[1] eq 'on'){ $active='ON';}else{$active='';} + if($configline[3] eq 'all'){ + push(@prot,"tcp"); + push(@prot,"udp"); + $useport='ON'; + $grp3='TGT_PORT'; + + }else{ + push(@prot,$configline[3]); + $useport='ON'; + $grp3='TGT_PORT'; + } + if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';} + if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';} + + if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && 
$configline[15] eq 'on' && $configline[16] eq 'on'){ + if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ + $time=''; + }else{ + $time='ON'; + } + }else{ + $time='ON'; + } + $time_mon=$configline[10]; + $time_tue=$configline[11]; + $time_wed=$configline[12]; + $time_thu=$configline[13]; + $time_fri=$configline[14]; + $time_sat=$configline[15]; + $time_sun=$configline[16]; + $time_from=$configline[17]; + $time_to=$configline[18]; + ############################################################ + #sourcepart + if ($configline[2] eq 'green') { + $grp1='std_net_src'; + $source='GREEN'; + }elsif ($configline[2] eq 'orange') { + $grp1='std_net_src'; + $source='ORANGE'; + }elsif ($configline[2] eq 'red') { + print LOG "-> Rule not converted, is an outgoing rule.Please put it manually in /etc/sysconfig/firewall.local \n"; + next; + }elsif ($configline[2] eq 'blue') { + $grp1='std_net_src'; + $source='BLUE'; + }elsif ($configline[2] eq 'ipsec') { + print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; + next; + }elsif ($configline[2] eq 'ovpn') { + &build_ovpn_grp; + }elsif ($configline[2] eq 'ip') { + my $z=&check_ip($configline[5]); + if($z){ + $grp1='src_addr'; + $source=$z; + }else{ + print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n"; + next; + } + }elsif ($configline[2] eq 'mac') { + if(&General::validmac($configline[6])){ + $grp1='src_addr'; + $source=$configline[6]; + }else{ + print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n"; + next; + } + }elsif ($configline[2] eq 'all') { + $grp1='std_net_src'; + $source='ALL'; + }else{ + #&General::readhasharray($configgroups,\%groups); + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $configline[2]){ + $grp1='cust_grp_src'; + $source=$configline[2]; + } + } + if ($grp1 eq '' || $source eq ''){ + print LOG "-> Rule not converted, no valid source recognised\n"; + } + } + 
############################################################ + #destinationpart + if($configline[7] ne ''){ + my $address=&check_ip($configline[7]); + if($address){ + $grp2='tgt_addr'; + $target=$address; + }elsif(!$address){ + my $getwebsiteip=&get_ip_from_domain($configline[7]); + if ($getwebsiteip){ + $grp2='tgt_addr'; + $target=$getwebsiteip; + }else{ + print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n"; + next; + } + } + }else{ + $grp2='std_net_tgt'; + $target='ALL'; + } + if($configline[8] ne ''){ + if (!($configline[8] =~ /^(\d+)\:(\d+)$/)) { + if(&General::validport($configline[8])){ + $useport='ON'; + $port=$configline[8]; + $grp3='TGT_PORT'; + }else{ + print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } + }else{ + my ($a1,$a2) = split(/\:/,$configline[8]); + if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ + $useport='ON'; + $port=$configline[8]; + $grp3='TGT_PORT'; + }else{ + print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } + } + } + }else{ + print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; + } + &General::readhasharray($fwdfwconfig,\%fwconfig); + my $check; + foreach my $protocol (@prot){ + $protocol=uc($protocol); + print"0:$action 1:FORWARDFW 2:$active 3:$grp1 4:$source 5:$grp2 6:$target 7:src_srv(leer) 8:srcprot(leer) 9:icmp(leer) 10:srcport(leer) 11:$useport 12:$protocol 13:icmp(leer) 14:$grp3 15:$port 16:$remark 17:$log 18:$time 19:$time_mon 20:$time_tue 21:$time_wed 22:$time_thu 23:$time_fri 24:$time_sat 25:$time_sun 26:$time_from 27:$time_to\n\n"; + print LOG "-> Converted: $action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + #Put rules into system.... 
+ ########################### + + #check for double rules + foreach my $key (sort keys %fwconfig){ + if("$action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ + $check='on'; + next; + } + } + if($check ne 'on'){ + #increase groupcounter + my $check1; + if($grp1 eq 'cust_grp_src'){ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $source){ + $groups{$key}[4]++; + $check1='on'; + } + } + if($check1 eq 'on'){ + print" schreibe in gruppe\n"; + &General::writehasharray($configgroups,\%groups); + } + } + print"SCHREIBE REGEL!\n"; + my $key = &General::findhasharraykey(\%fwconfig); + $fwconfig{$key}[0] = $action; + $fwconfig{$key}[1] = "FORWARDFW"; + $fwconfig{$key}[2] = $active; + $fwconfig{$key}[3] = $grp1; + $fwconfig{$key}[4] = $source; + $fwconfig{$key}[5] = $grp2; + $fwconfig{$key}[6] = $target; + $fwconfig{$key}[11] = $useport; + $fwconfig{$key}[12] = $protocol; + $fwconfig{$key}[14] = $grp3; + $fwconfig{$key}[15] = $port; + $fwconfig{$key}[16] = $remark; + $fwconfig{$key}[17] = $log; + $fwconfig{$key}[18] = $time; + $fwconfig{$key}[19] = $time_mon; + $fwconfig{$key}[20] = $time_tue; + $fwconfig{$key}[21] = $time_wed; + $fwconfig{$key}[22] = $time_thu; + $fwconfig{$key}[23] = $time_fri; + $fwconfig{$key}[24] = $time_sat; + $fwconfig{$key}[25] = $time_sun; + $fwconfig{$key}[26] = $time_from; + $fwconfig{$key}[27] = $time_to; + } + } + 
&General::writehasharray($fwdfwconfig,\%fwconfig); + system("/usr/local/bin/forwardfwctrl"); + @prot=(); + } + close(LOG); + @lines=(); +} +sub get_ip_from_domain +{ + $web=shift; + my $resolvedip; + my $checked; + my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web); + if(@addrs){ + $resolvedip=inet_ntoa($addrs[0]); + return $resolvedip; + } + return; +} +sub build_ovpn_grp +{ + &General::readhasharray($confighosts,\%hosts); + &General::readhasharray($confignets,\%nets); + &General::readhasharray($configgroups,\%groups); + &General::readhasharray($ovpnconfig,\%configovpn); + &General::readhasharray($ccdconfig,\%ccdconf); + &General::readhash($ovpnsettings,\%settingsovpn); + #get ovpn nets + my @ovpnnets=(); + if($settingsovpn{'DOVPN_SUBNET'}){ + my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'}); + push (@ovpnnets,"$net,$subnet,dynamic"); + } + foreach my $key (sort keys %ccdconf){ + my ($net,$subnet)=split("/",$ccdconf{$key}[1]); + $subnet=&General::iporsubtodec($subnet); + push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]"); + } + foreach my $key (sort keys %configovpn){ + if ($configovpn{$key}[3] eq 'net'){ + my ($net,$subnet)=split("/",$configovpn{$key}[27]); + push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]"); + } + } + #add ovpn nets to customnetworks/groups + foreach my $line (@ovpnnets){ + my ($net,$subnet,$name) = split(",",$line); + if (!&check_net($net,$subnet)){ + my $netkey = &General::findhasharraykey(\%nets); + $name2=$name."(ovpn)".$net; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $net; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = 1; + }else{ + print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; + } + if($name2){ + my $grpkey = &General::findhasharraykey(\%groups); + $groups{$grpkey}[0] = "ovpn"; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = "Custom Network"; + 
$groups{$grpkey}[4] = 0; + } + $name2=''; + } + @ovpnnets=(); + &General::writehasharray($confighosts,\%hosts); + &General::writehasharray($configgroups,\%groups); + &General::writehasharray($confignets,\%nets); +} diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess new file mode 100644 index 000000000..3db7da65e --- /dev/null +++ b/config/forwardfw/convert-xtaccess 
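Review bot: The group files are opened with the two-argument form and without a check, `open (DATEI, "<$ipgrouppath/$group");`, where `$group` comes from `qx(ls $ipgrouppath)` — a shell round-trip for a directory listing and a file name that takes part in deciding the open mode; use `opendir`/`readdir` for the listing and `open(my $grp_fh, '<', "$ipgrouppath/$group") or die "$ipgrouppath/$group: $!";` here, in the MAC-group loop and for `$outgoingrules`, which is likewise unchecked. The script carries no `use strict; use warnings;`, which is why `$val` in the MAC loop, `$web` in get_ip_from_domain and `$name2`/`$name3` in build_ovpn_grp silently become package globals. In new_hostgrp `$name2` is declared once per call and never reset between entries, so an entry whose host or network already exists (the `already exists` log branches) still reaches `if($name2)` holding the previous entry's name and writes a group row for the wrong object, while the first such entry is not added to the group at all. In check_ip the first pattern, `m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/`, leaves the octet separators as unescaped `.` so any character is accepted between octets; `\.` is meant. `system("/usr/local/bin/forwardfwctrl");` runs inside the per-rule loop, reloading the firewall once per converted rule — one call after `close(LOG)` would do.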
@@ -0,0 +1,111 @@ +#!/usr/bin/perl +my @current=(); +my @alias=(); +my %configinputfw=(); +require '/var/ipfire/general-functions.pl'; +my $xtaccessconfig = "${General::swroot}/xtaccess/config"; +my $inputfwconfig = "${General::swroot}/forward/input"; +my $aliasconfig = "${General::swroot}/ethernet/aliases"; +my $field0='ACCEPT'; +my $field1='INPUTFW'; +my $field2=''; #ON or emtpy +my $field3=''; #std_net_src or src_addr +my $field4=''; #ALL or IP-Address with /32 +my $field5='ipfire'; +my $field6=''; #Default IP or alias name +my $field11='ON'; #use target port +my $field12=''; #TCP or UDP +my $field13='All ICMP-Types'; +my $field14='TGT_PORT'; +my $field15=''; #Port Number +my $field16=''; #remark +my $field26='00:00'; +my $field27='00:00'; +open(FILE, $xtaccessconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +open(FILE1, $aliasconfig) or die 'Unable to open config file.'; +my @alias = ; +close(FILE1); +&General::readhasharray($inputfwconfig,\%configinputfw); + +foreach my $line (@current){ + my ($a,$b,$c,$d,$e,$f) = split (",",$line); + $e =~ s/\R//g; + if ($f gt ''){ + $f =~ s/\R//g; + $field16=$f; + } + #active or not + $field2=uc($d); + #get protocol + if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';} + #check source address + if ($b eq '0.0.0.0/0'){ + $field3='std_net_src'; + $field4='ALL'; + }elsif($b =~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + $field3='src_addr'; + $field4=$b."/32"; + }elsif ($b =~ /^(.*?)\/(.*?)$/) { + $field3='src_addr'; + $field4=$b; + }else{ + print "Regel konnte nicht konvertiert werden!\n"; + } + #check ipfire address + if ($e eq '0.0.0.0'){ + $field6 = 'Default IP'; + }else{ + foreach my $line (@alias){ + my ($ip,$state,$aliasname) = split (",",$line); + if ($ip eq $e){ + $aliasname =~ s/\R//g; + $field6 = $aliasname; + } + } + } + #get target port + $c=~ s/\R//g; + $c=~ tr/-/:/; + if ($c =~ /^(\D)\:(\d+)$/) { + $c = "1:$2"; + } + if ($c =~ /^(\d+)\:(\D)$/) { + $c = "$1:65535"; + } + 
$field15=$c; + #Ausgabe + #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n"; + my $key = &General::findhasharraykey (\%configinputfw); + foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";} + $configinputfw{$key}[0] = $field0; + $configinputfw{$key}[1] = $field1; + $configinputfw{$key}[2] = $field2; + $configinputfw{$key}[3] = $field3; + $configinputfw{$key}[4] = $field4; + $configinputfw{$key}[5] = $field5; + $configinputfw{$key}[6] = $field6; + $configinputfw{$key}[7] = ''; + $configinputfw{$key}[8] = ''; + $configinputfw{$key}[9] = ''; + $configinputfw{$key}[10] = ''; + $configinputfw{$key}[11] = $field11; + $configinputfw{$key}[12] = $field12; + $configinputfw{$key}[13] = $field13; + $configinputfw{$key}[14] = $field14; + $configinputfw{$key}[15] = $field15; + $configinputfw{$key}[16] = $field16; + $configinputfw{$key}[17] = ''; + $configinputfw{$key}[18] = ''; + $configinputfw{$key}[19] = ''; + $configinputfw{$key}[20] = ''; + $configinputfw{$key}[21] = ''; + $configinputfw{$key}[22] = ''; + $configinputfw{$key}[23] = ''; + $configinputfw{$key}[24] = ''; + $configinputfw{$key}[25] = ''; + $configinputfw{$key}[26] = $field26; + $configinputfw{$key}[27] = $field27; + &General::writehasharray($inputfwconfig,\%configinputfw); +} diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 4755f07f0..f772be335 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -110,6 +110,8 @@ usr/local/bin/update-lang-cache #usr/sbin usr/sbin/ovpn-ccd-convert usr/sbin/firewall-forward-policy +usr/sbin/convert-xtaccess +usr/sbin/convert-outgoingfw #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 8e1100b45..8fae77123 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
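Review bot: The per-rule fields `$field3`, `$field4`, `$field6` and `$field16` are file-level variables that are only assigned on the branches that recognise a value and are never reset, so when the source matches neither pattern (the `print "Regel konnte nicht konvertiert werden!\n";` branch), when no alias matches `$e`, or when `$f` is empty, the rule is still written to forward/input carrying the previous line's source, alias name or remark; the unrecognised-source branch needs a `next;` and the four fields should be re-initialised at the top of the loop body, `$field3 = $field4 = $field6 = $field16 = '';`. `my @current` and `my @alias` are declared twice (at the top of the file and again at the `open` calls), which `use warnings` would report — the script has no strictures at all. `open(FILE, $xtaccessconfig) or die 'Unable to open config file.';` is the two-argument form with a bareword handle and hides the reason; `open(my $xt_fh, '<', $xtaccessconfig) or die "$xtaccessconfig: $!";` is preferable, same for the alias file. `&General::writehasharray($inputfwconfig,\%configinputfw);` sits inside the loop and rewrites the whole file once per converted line; moving it after the loop writes it once.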
@@ -192,6 +192,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; }else{ + #FORWARD PART $fwdfwsettings{'chain'} = 'FORWARDFW'; if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already @@ -798,7 +799,7 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err remark'}."
"; } #check if source and target identical - if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}}){ + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){ $errormessage.=$Lang::tr{'fwdfw err same'}; return $errormessage; } @@ -1349,7 +1350,7 @@ END - +
"; From e0800c21db6316f0a41461f2e02fc7565d7c1a49 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 18 Jan 2013 10:58:33 +0100 Subject: [PATCH 048/306] Forward Firewall: Edited Backup.pl so that any old backups get converted to new firewall. Afterwards the directories /var/ipfire/outgoing and /var/ipfire/xtaccess are removed! --- config/backup/backup.pl | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index f9b8302af..0d7585321 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -22,7 +22,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; - +use File::Path; my $debug = 1; my @include = ""; my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time); @@ -64,7 +64,17 @@ elsif ($ARGV[0] eq 'restore') { system("cd / && tar -xvz -p -f /tmp/restore.ipf"); #Here some converter scripts to correct old Backups (before core 65) system("/usr/sbin/ovpn-ccd-convert"); -} + system("/usr/sbin/convert-xtaccess"); + system("/usr/sbin/convert-outgoingfw"); + + #clean up system, if an old backup was restored + if( -d "/var/ipfire/outgoing"){ + rmtree("/var/ipfire/outgoing"); + } + if( -d "/var/ipfire/xtaccess"){ + rmtree("/var/ipfire/xtaccess"); + } + } elsif ($ARGV[0] eq 'restoreaddon') { if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");} system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]"); From 8f0b047b4ba13521dfd782d0d164a2efec12cba1 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Sat, 19 Jan 2013 07:15:25 +0100 Subject: [PATCH 049/306] Forward Firewall: implemented multiport support for source and target ports --- config/forwardfw/convert-outgoingfw | 50 +++++++------ config/forwardfw/rules.pl | 6 +- html/cgi-bin/forwardfw.cgi | 108 +++++++++++++++++++--------- 3 files changed, 110 insertions(+), 54 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 2b39cee8c..ef9f2d3b8 100644 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -3,7 +3,7 @@ require '/var/ipfire/general-functions.pl'; use Socket; - +use File::Path; my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; my $outgoingrules = "${General::swroot}/outgoing/rules"; @@ -37,7 +37,7 @@ my %fwdsettings=(); sub process_groups { if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} - if( -f "/var/log/converters/groups-convert.log"){unlink ("/var/log/converters/groups-convert.log");} + if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");} open (LOG, ">/var/log/converters/groups-convert.log") or die $!; #IP Group processing foreach my $group (@ipgroups){ 
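Review bot: `if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");}` replaces the unlink of one log file with the removal of a whole tree, and the path has lost its leading slash, so it is resolved relative to the current working directory: run from `/` it deletes the entire `/var/log/converters` directory that the preceding `mkdir` just ensured, after which `open (LOG, ">/var/log/converters/groups-convert.log") or die $!` fails and the conversion aborts, and run from anywhere else it removes something unrelated or nothing while the old log survives. Restoring `unlink ("/var/log/converters/groups-convert.log");` is the fix (the `>` open truncates anyway, so the line could simply go), and `use File::Path;` from the `@@ -3` hunk is then unneeded unless rmtree is used elsewhere. process_groups continues outside the hunk.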
@@ -362,26 +362,36 @@ sub process_rules $target='ALL'; } if($configline[8] ne ''){ - if (!($configline[8] =~ /^(\d+)\:(\d+)$/)) { - if(&General::validport($configline[8])){ - $useport='ON'; - $port=$configline[8]; - $grp3='TGT_PORT'; - }else{ - print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; - next; - } - }else{ - my ($a1,$a2) = split(/\:/,$configline[8]); - if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ - $useport='ON'; - $port=$configline[8]; - $grp3='TGT_PORT'; + my @values=(); + my @parts=split(",",$configline[8]); + foreach (@parts){ + print"PRüfe port $_\n"; + if (!($_ =~ /^(\d+)\:(\d+)$/)) { + if(&General::validport($_)){ + $useport='ON'; + print" push single\n"; + push (@values,$_); + $grp3='TGT_PORT'; + }else{ + print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } }else{ - print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; - next; - } + my ($a1,$a2) = split(/\:/,$_); + if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ + $useport='ON'; + print"push range $_\n"; + push (@values,"$a1:$a2"); + $grp3='TGT_PORT'; + }else{ + print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + next; + } + } } + $port=join("|",@values); + print"fertig, habe \"$port\"\n"; + @values=(); } }else{ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 9f4315fbe..999cde589 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
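Review bot: The `next;` statements inside the new `foreach (@parts)` loop now skip only the offending port part while the log line still says `-> Rule not converted`; before this change `next` applied to the outer per-rule loop and dropped the whole rule. A rule with one invalid part is therefore written with the remaining parts, or with an empty `$port` when every part is invalid, which does not match what was logged. Label the outer loop, `RULE: foreach my $rule (@lines)`, and write `next RULE;` in both error branches, or set a flag inside the loop and skip the rule after it. The debugging output added here (`print"PRüfe port $_\n";`, `print" push single\n";`, `print"push range $_\n";`, `print"fertig, habe \"$port\"\n";`) should not ship in a converter that runs during backup restore. process_rules starts and ends outside the hunk.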
@@ -339,7 +339,8 @@ sub get_port my $prot=shift; if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ - return "--sport $$hash{$key}[10] "; + $$hash{$key}[10] =~ s/\|/,/g; + return "-m multiport --sport $$hash{$key}[10] "; }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ @@ -349,7 +350,8 @@ sub get_port if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ - return "--dport $$hash{$key}[15] "; + $$hash{$key}[15] =~ s/\|/,/g; + return "-m multiport --dport $$hash{$key}[15] "; }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[13] "; }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index b2976e1c3..ffb0c2566 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
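Review bot: `$$hash{$key}[10] =~ s/\|/,/g;` and, in the second hunk, `$$hash{$key}[15] =~ s/\|/,/g;` rewrite the port list inside the caller's rule hash rather than on a copy, so after the first pass the in-memory config no longer matches the on-disk `|`-separated format that the CGI writes; copy first, `(my $sport = $$hash{$key}[10]) =~ s/\|/,/g; return "-m multiport --sport $sport ";`, and the same for `--dport`. iptables' multiport match accepts at most 15 port specifications (a range counts as two), and neither these hunks nor the CGI parsing in this series enforces that, so a rule with more entries will be rejected by `iptables` at load time while the UI has already reported success; at minimum a comment on the two return lines, `# multiport takes at most 15 port specs – not yet checked by the CGI`, and ideally a count check in the CGI. get_port starts and ends outside the hunks.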
@@ -210,12 +210,13 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; } } + #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); 
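Review bot: The "just close a rule" test is now a single several-hundred-character `if(` line comparing eight old/new pairs, and the added `$fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}` is easy to miss at the end of it. Breaking the condition one comparison per line, or collecting the pair names in a list and comparing them in a loop, would let a reader see which fields count as "unchanged" without scrolling. The enclosing saverule block starts and ends outside the hunk.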
@@ -663,23 +664,42 @@ sub checksource $fwdfwsettings{'PROT'}=''; } - if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ - #change dashes with : - $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; - - if ($fwdfwsettings{'SRC_PORT'} eq "*") { - $fwdfwsettings{'SRC_PORT'} = "1:65535"; + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){ + my @parts=split(",",$fwdfwsettings{'SRC_PORT'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } } - if ($fwdfwsettings{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { - $fwdfwsettings{'SRC_PORT'} = "1:$2"; - } - if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { - $fwdfwsettings{'SRC_PORT'} = "$1:65535"; - } - - $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src'); + $fwdfwsettings{'SRC_PORT'}=join("|",@values); + return $errormessage; } - return $errormessage; } sub checktarget { 
@@ -737,18 +757,39 @@ sub checktarget if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ - #change dashes with : - $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; - if ($fwdfwsettings{'TGT_PORT'} eq "*") { - $fwdfwsettings{'TGT_PORT'} = "1:65535"; + my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } } - if ($fwdfwsettings{'TGT_PORT'} =~ /^(\D)\:(\d+)$/) { - $fwdfwsettings{'TGT_PORT'} = "1:$2"; - } - if ($fwdfwsettings{'TGT_PORT'} =~ /^(\d+)\:(\D)$/) { - $fwdfwsettings{'TGT_PORT'} = "$1:65535"; - } - $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination'); + $fwdfwsettings{'TGT_PORT'}=join("|",@values); } }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; @@ -782,7 +823,6 @@ sub checktarget $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; - } #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ @@ -1140,8 +1180,9 @@ END print""; } } + $fwdfwsettings{'SRC_PORT'}=~ s/\|/,/g; print< + $Lang::tr{'fwhost icmptype'} + $Lang::tr{'fwhost icmptype'} +
END @@ -1596,7 +1639,8 @@ sub getsrcport { my %hash=%{(shift)}; my $key=shift; - if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne 'ICMP'){ + if($hash{$key}[7] eq 'ON' && ($hash{$key}[8] eq 'TCP' || $hash{$key}[8] eq 'UDP')){ + $hash{$key}[10]=~ s/\|/,/g; print" : ($hash{$key}[8]) $hash{$key}[10]"; }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ print" : ($hash{$key}[8])
$hash{$key}[9]"; @@ -1613,7 +1657,6 @@ sub gettgtport if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); foreach my $i (sort keys %customservice){ - #print "HHUHU: $customservice{$i}[0] und $hash{$key}[15]
"; if($customservice{$i}[0] eq $hash{$key}[15]){ $prot = $hash{$key}[12]; $service = $customservice{$i}[0]; @@ -1623,6 +1666,7 @@ sub gettgtport $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ + $hash{$key}[15]=~ s/\|/,/g; $service=$hash{$key}[15]; $prot=$hash{$key}[12]; } From 8b3dd79147c3804e5f8944eef5c22380788ac348 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 19 Jan 2013 07:24:08 +0100 Subject: [PATCH 050/306] Forward Firewall: deleted comments from converterscript --- config/forwardfw/convert-outgoingfw | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index ef9f2d3b8..cef4f0c1c 100644 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -365,11 +365,9 @@ sub process_rules my @values=(); my @parts=split(",",$configline[8]); foreach (@parts){ - print"PRüfe port $_\n"; if (!($_ =~ /^(\d+)\:(\d+)$/)) { if(&General::validport($_)){ $useport='ON'; - print" push single\n"; push (@values,$_); $grp3='TGT_PORT'; }else{ @@ -377,21 +375,19 @@ sub process_rules next; } }else{ - my ($a1,$a2) = split(/\:/,$_); - if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ + my ($a1,$a2) = split(/\:/,$_); + if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ $useport='ON'; - print"push range $_\n"; push (@values,"$a1:$a2"); $grp3='TGT_PORT'; - }else{ + }else{ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; next; - } + } } } - $port=join("|",@values); - print"fertig, habe \"$port\"\n"; - @values=(); + $port=join("|",@values); + @values=(); } }else{ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; From 93a5f4a5821f92be219be12696de86ff8641395c Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Sat, 19 Jan 2013 14:09:50 +0100 Subject: [PATCH 051/306] Forward Firewall: implemented ne column in ruletable "protocol" --- config/forwardfw/rules.pl | 12 +++++-- html/cgi-bin/forwardfw.cgi | 68 +++++++++++++++++++++++++++++--------- 2 files changed, 62 insertions(+), 18 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 999cde589..2cdb36674 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -340,7 +340,11 @@ sub get_port if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ $$hash{$key}[10] =~ s/\|/,/g; - return "-m multiport --sport $$hash{$key}[10] "; + if(index($$hash{$key}[10],",") > 0){ + return "-m multiport --sport $$hash{$key}[10] "; + }else{ + return "--sport $$hash{$key}[10] "; + } }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ @@ -351,7 +355,11 @@ sub get_port if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ $$hash{$key}[15] =~ s/\|/,/g; - return "-m multiport --dport $$hash{$key}[15] "; + if(index($$hash{$key}[15],",") > 0){ + return "-m multiport --dport $$hash{$key}[15] "; + }else{ + return "--dport $$hash{$key}[15] "; + } }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[13] "; }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index ffb0c2566..9b4ca0d2a 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -873,6 +873,8 @@ sub checkrule #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ + + if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ $errormessage.=$Lang::tr{'fwdfw err prot'}; } 
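Review bot: `index($$hash{$key}[10],",") > 0` in both rules.pl hunks reads as if the comma's position matters, when the question is only whether more than one port was given; `$$hash{$key}[10] =~ /,/` (or `index(...) != -1`) states that directly. The two branches are identical apart from `--sport`/`--dport` and the field index, so a small helper taking the ports string and the option name would remove the duplicated four-line block.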
@@ -1639,11 +1641,11 @@ sub getsrcport { my %hash=%{(shift)}; my $key=shift; - if($hash{$key}[7] eq 'ON' && ($hash{$key}[8] eq 'TCP' || $hash{$key}[8] eq 'UDP')){ + if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){ $hash{$key}[10]=~ s/\|/,/g; - print" : ($hash{$key}[8]) $hash{$key}[10]"; + print": $hash{$key}[10]"; }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ - print" : ($hash{$key}[8])
$hash{$key}[9]"; + print":
$hash{$key}[9] "; } } sub gettgtport @@ -1658,29 +1660,47 @@ sub gettgtport &General::readhasharray("$configsrv", \%customservice); foreach my $i (sort keys %customservice){ if($customservice{$i}[0] eq $hash{$key}[15]){ - $prot = $hash{$key}[12]; $service = $customservice{$i}[0]; } } }elsif($hash{$key}[14] eq 'cust_srvgrp'){ - $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ $hash{$key}[15]=~ s/\|/,/g; $service=$hash{$key}[15]; - $prot=$hash{$key}[12]; } + + print": $service"; }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ - print" : ($hash{$key}[12])
$hash{$key}[13]"; + print":
$hash{$key}[13]"; } - - if ($prot ne '' || $service ne ''){ - print" :"; - if ($prot ne ''){ - print"($prot) "; +} +sub get_serviceports +{ + my $type=shift; + my $name=shift; + &General::readhasharray("$configsrv", \%customservice); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + my $protocols; + my $tcp; + my $udp; + if($type eq 'service'){ + foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key}[0] eq $name){ + $protocols=$customservice{$key}[2]; + } + } + + }elsif($type eq 'group'){ + foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $name){ + if($customservicegrp{$key}[4] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';} + } } - print" $service"; } + if($tcp){$protocols.="TCP";} + if($udp){$protocols.=",UDP";} + return $protocols; } sub viewtablerule { @@ -1706,7 +1726,7 @@ sub viewtablenew &General::readhasharray("$config", $hash); print"$title1
"; print""; - print""; + print""; foreach my $key (sort {$a <=> $b} keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted @@ -1775,7 +1795,7 @@ END $rulecolor=$color{'color16'}; } print""; - print""; + print""; + #Get Protocol + my $prot; + if ($$hash{$key}[12]){ #target prot if manual + $prot=$$hash{$key}[12]; + }elsif($$hash{$key}[8]){ #source prot if manual + $prot=$$hash{$key}[8]; + }elsif($$hash{$key}[14] eq 'cust_srv'){ + $prot=&get_serviceports("service",$$hash{$key}[15]); + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + $prot=&get_serviceports("group",$$hash{$key}[15]); + }else{ + $prot=$Lang::tr{'all'}; + } + print""; + + print""; if($$hash{$key}[2] eq 'ON'){ $gif="/images/on.gif" From 99e698d03387f4ad40db1d2bd737c0d6cdc55a23 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 19 Jan 2013 20:51:12 +0100 Subject: [PATCH 052/306] Forward Firewall: Minor changes... 1) improved convert-outgoingfw. source was wrong when tun+ interface 2) target had always a ":" in ruletable 3) convert-outgoingfw bugfix: ports where not cleared for next rule --- config/backup/backup.pl | 6 ++---- config/forwardfw/convert-outgoingfw | 14 ++++++++++---- html/cgi-bin/forwardfw.cgi | 6 +++--- lfs/configroot | 3 +++ 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 0d7585321..28129e46e 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
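Review bot: The new protocol lookup calls `&get_serviceports` from inside the per-rule loop, and that sub re-reads `$configsrv` and `$configsrvgrp` on every call, so the table does two file reads per service-backed rule. Reading both hashes once before the loop, or caching inside get_serviceports, keeps the page O(rules). The `if ($$hash{$key}[12]) ... elsif ($$hash{$key}[8])` chain would also read better with the field meaning spelled out, e.g. `# [12] = target protocol, [8] = source protocol; both are set only when entered manually`.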
@@ -64,14 +64,12 @@ elsif ($ARGV[0] eq 'restore') { system("cd / && tar -xvz -p -f /tmp/restore.ipf"); #Here some converter scripts to correct old Backups (before core 65) system("/usr/sbin/ovpn-ccd-convert"); - system("/usr/sbin/convert-xtaccess"); - system("/usr/sbin/convert-outgoingfw"); - - #clean up system, if an old backup was restored if( -d "/var/ipfire/outgoing"){ + system("/usr/sbin/convert-outgoingfw"); rmtree("/var/ipfire/outgoing"); } if( -d "/var/ipfire/xtaccess"){ + system("/usr/sbin/convert-xtaccess"); rmtree("/var/ipfire/xtaccess"); } } diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index cef4f0c1c..e94692abe 100644 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -182,10 +182,12 @@ sub new_hostgrp $groups{$grpkey}[4] = 0; } } + @hostarray=(); } &General::writehasharray($confighosts,\%hosts); &General::writehasharray($configgroups,\%groups); &General::writehasharray($confignets,\%nets); + } sub check_host { @@ -251,8 +253,10 @@ sub process_rules foreach my $rule (@lines) { chomp($rule); + $port=''; print LOG "processing: $rule\n"; - my @configline = split( /\;/, $rule ); + my @configline=(); + @configline = split( /\;/, $rule ); my @prot=(); if($configline[0] eq $type){ #some variables we can use from old config @@ -262,7 +266,6 @@ sub process_rules push(@prot,"udp"); $useport='ON'; $grp3='TGT_PORT'; - }else{ push(@prot,$configline[3]); $useport='ON'; @@ -270,7 +273,6 @@ sub process_rules } if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';} if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';} - if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ $time=''; 
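Review bot: `system("/usr/sbin/convert-outgoingfw")` is followed unconditionally by `rmtree("/var/ipfire/outgoing")`, so a converter that fails (missing binary, perl error, unwritable target) still has the only copy of the old rules removed from under it; the xtaccess pair has the same shape, and so does the rewritten block in the backup.pl hunk of commit 054 below. Gate the removal on the exit status, `if (system("/usr/sbin/convert-outgoingfw") == 0) { rmtree("/var/ipfire/outgoing"); } else { warn "convert-outgoingfw failed: $?"; }`, so a failed restore leaves the source data in place for a retry.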
@@ -307,7 +309,9 @@ sub process_rules print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; next; }elsif ($configline[2] eq 'ovpn') { - &build_ovpn_grp; + &build_ovpn_grp; + $grp1='cust_grp_src'; + $source='ovpn' }elsif ($configline[2] eq 'ip') { my $z=&check_ip($configline[5]); if($z){ @@ -385,9 +389,11 @@ sub process_rules next; } } + } $port=join("|",@values); @values=(); + @parts=(); } }else{ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 9b4ca0d2a..4391f1228 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1654,7 +1654,6 @@ sub gettgtport my $key=shift; my $service; my $prot; - if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); @@ -1669,8 +1668,9 @@ sub gettgtport $hash{$key}[15]=~ s/\|/,/g; $service=$hash{$key}[15]; } - - print": $service"; + if($service){ + print": $service"; + } }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ print":
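Review bot: `&build_ovpn_grp;` uses the `&name;` call form, which silently passes process_rules' current `@_` through to the callee; `build_ovpn_grp();` makes the empty argument list explicit. The new `$source='ovpn'` relies on being the last statement of its block to get away without a semicolon; add it so the next line inserted there does not become a syntax error. In the `@@ -251` hunk, `my @configline=(); @configline = split(...)` says in two statements what `my @configline = split(...)` already did.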
$hash{$key}[13]"; } diff --git a/lfs/configroot b/lfs/configroot index e0babd235..4c039977b 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -123,6 +123,9 @@ $(TARGET) : # set rules.pl executable chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl + # set converters executable + chmod 755 /usr/sbin/convert-* + # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ From 879462965387442e12cbade08cc20e3498c7672a Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 19 Jan 2013 21:21:18 +0100 Subject: [PATCH 053/306] Forward Firewall: edited convert-outgoingfw. When a Protocol ESP or GRE is used AND a Port is selected (in old system), the rule was not converted successfully. --- config/forwardfw/convert-outgoingfw | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index e94692abe..0f33396c2 100644 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -365,7 +365,7 @@ sub process_rules $grp2='std_net_tgt'; $target='ALL'; } - if($configline[8] ne ''){ + if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){ my @values=(); my @parts=split(",",$configline[8]); foreach (@parts){ @@ -389,7 +389,6 @@ sub process_rules next; } } - } $port=join("|",@values); @values=(); From 9edb1d7a8e5e70c1ebe3d8f4197770e1c1c5d4e3 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Sun, 20 Jan 2013 05:54:04 +0100 Subject: [PATCH 054/306] Forward Firewall: edited Backup.pl. If someone put /var/ipfire/outgoing into /var/ipfire/backup/include, the rules are backed up and need to be restored. Now the backup takes care of this and checks if there are old rules to convert. --- config/backup/backup.pl | 19 +++++++++++++++---- config/forwardfw/convert-outgoingfw | 0 config/forwardfw/convert-xtaccess | 0 3 files changed, 15 insertions(+), 4 deletions(-) mode change 100644 => 100755 config/forwardfw/convert-outgoingfw mode change 100644 => 100755 config/forwardfw/convert-xtaccess diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 28129e46e..b21716185 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -64,13 +64,24 @@ elsif ($ARGV[0] eq 'restore') { system("cd / && tar -xvz -p -f /tmp/restore.ipf"); #Here some converter scripts to correct old Backups (before core 65) system("/usr/sbin/ovpn-ccd-convert"); - if( -d "/var/ipfire/outgoing"){ + if( -d "${General::swroot}/outgoing"){ + if( -f "${General::swroot}/forward/config" ){ + unlink("${General::swroot}/forward/config"); + system("touch ${General::swroot}/forward/config"); + chown 99,99,"${General::swroot}/forward/config"; + } + if( -f "${General::swroot}/forward/input" ){ + unlink("${General::swroot}/forward/input"); + system("touch ${General::swroot}/forward/input"); + chown 99,99,"${General::swroot}/forward/input"; + } system("/usr/sbin/convert-outgoingfw"); - rmtree("/var/ipfire/outgoing"); + rmtree("${General::swroot}/outgoing"); + system("/usr/local/bin/forwrdfwctrl"); } - if( -d "/var/ipfire/xtaccess"){ + if( -d "${General::swroot}/xtaccess"){ system("/usr/sbin/convert-xtaccess"); - rmtree("/var/ipfire/xtaccess"); + rmtree("${General::swroot}/xtaccess"); } } elsif ($ARGV[0] eq 'restoreaddon') { diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw old mode 100644 new mode 100755 
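Review bot: The two new `if( -f ... )` blocks shell out with `system("touch ...")` after `unlink`, which is a fork plus a shell for something a three-arg `open` with `'>'` does directly and with an error you can check; `unlink`, `touch` and `chown` are all unchecked, so a restore onto a read-only or full filesystem proceeds silently into the converter. `chown 99,99` hard-codes the web-server uid/gid twice; a named constant would at least document it. `system("/usr/local/bin/forwrdfwctrl")` is spelled differently from the `/usr/local/bin/forwardfwctrl` that convert-outgoingfw calls in commit 059 below, so one of the two is presumably a typo and should be checked against the installed binary name.
```perl
		if( -d "${General::swroot}/outgoing"){
			# start from empty rule files; open/close replaces unlink + shell touch and reports failure
			foreach my $rulefile ("${General::swroot}/forward/config", "${General::swroot}/forward/input"){
				next unless -f $rulefile;
				open(my $fh, '>', $rulefile) or die "open $rulefile: $!";
				close($fh) or die "close $rulefile: $!";
				chown 99, 99, $rulefile;
			}
			# … unchanged: convert-outgoingfw call, rmtree, forwrdfwctrl call …
		}
```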
diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess old mode 100644 new mode 100755 From 43902ae5a274e33f0e0bd14787bac49aa827bcc8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 20 Jan 2013 13:18:47 +0100 Subject: [PATCH 055/306] Forward Firewall: Bugfix: when editing a rule it was possible to enter invalid chars in remark --- html/cgi-bin/forwardfw.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 4391f1228..e7815a491 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -140,8 +140,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; From 61068ee1a4b6d4c029da662f4d8f3bcfa1734909 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Sun, 20 Jan 2013 20:36:11 +0100 Subject: [PATCH 056/306] Forward Firewall: Some more checks to check remark if rule was edited --- html/cgi-bin/forwardfw.cgi | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e7815a491..dda14b55a 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -142,7 +142,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ $errormessage=''; - + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; 
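Review bot: The new `elsif` branch assigns `$errormessage=$Lang::tr{'fwdfw err remark'}...` with `=`, which discards the 'ruleexists' message appended just above and anything accumulated before it, while the surrounding code uses `.=`; if replacing the duplicate-rule error is intended, a one-line comment saying so would help, otherwise use `.=`. The branch also repeats the first condition with only `&validremark` negated; one test with a ternary says it once: `if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage = &validremark($fwdfwsettings{'ruleremark'}) ? '' : $Lang::tr{'fwdfw err remark'} . $linebreak; }` (keeping the existing line-break suffix). The identical block appears again in the `@@ -201` hunk for the forward rule set.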
@@ -201,8 +202,10 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; @@ -217,7 +220,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=''; } } - #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); From 25c4997947301c3be6407fece18e4ef652e59285 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 21 Jan 2013 05:54:20 +0100 Subject: [PATCH 057/306] Forward Firewall: edited colspan for timeframe from 6 to 7 edited de.pl and changed "Port(s) manuel" to "Port(s) manuell" --- html/cgi-bin/forwardfw.cgi | 2 +- langs/de/cgi-bin/de.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index dda14b55a..bf35b1f97 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1916,7 +1916,7 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - print"
"; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7cae85e16..be1622458 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -919,7 +919,7 @@ 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', 'fwdfw ipsec network' => 'IPsec Netzwerke:', 'fwdfw log rule' => 'Log Regel', -'fwdfw man port' => 'Port(s) manuel:', +'fwdfw man port' => 'Port(s) manuell:', 'fwdfw moveup' => 'Hoch', 'fwdfw movedown' => 'Runter', 'fwdfw reread' => 'Übernehmen', From 5a9fd5dbd1af37c5ecf3608333486716cf43354b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 21 Jan 2013 14:49:21 +0100 Subject: [PATCH 058/306] Forward Firewall: extended converter --- config/forwardfw/convert-outgoingfw | 35 ++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 0f33396c2..89cc35697 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -2,8 +2,11 @@ require '/var/ipfire/general-functions.pl'; + use Socket; use File::Path; +use File::Copy; + my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; my $outgoingrules = "${General::swroot}/outgoing/rules"; @@ -33,6 +36,7 @@ my %fwdsettings=(); &process_groups; &process_rules; +&process_p2p; sub process_groups { @@ -42,14 +46,17 @@ sub process_groups #IP Group processing foreach my $group (@ipgroups){ chomp $group; + print LOG "\nProcessing IP-GROUP: $group...\n"; open (DATEI, "<$ipgrouppath/$group"); my @zeilen = ; foreach my $ip (@zeilen){ chomp($ip); $ip =~ s/\s//gi; + print LOG "Check IP $ip from Group $group "; my $val=&check_ip($ip); if($val){ push(@hostarray,$val.",ip"); + print LOG "-> OK\n"; } else{ print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n"; 
@@ -65,17 +72,20 @@ sub process_groups #MAC Group processing foreach my $group (@macgroups){ chomp $group; + print LOG "\nProcessing MAC-GROUP: $group...\n"; open (DATEI, "<$macgrouppath/$group"); my @zeilen = ; foreach my $mac (@zeilen){ chomp($mac); $mac =~ s/\s//gi; + print LOG "Checking MAC $mac from group $group "; #MAC checking if(&General::validmac($mac)){ $val=$mac; } if($val){ push(@hostarray,$val.",mac"); + print LOG "-> OK\n"; } else{ print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n"; @@ -123,7 +133,8 @@ sub new_hostgrp my ($ip,$type) = split(",",$adr); my ($ippart,$subnet) = split("/",$ip); my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet); - if($byte4 eq '255'){ + if($byte4 eq '255'){ + print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; if(!&check_host($ip)){ my $key = &General::findhasharraykey(\%hosts); $name="host "; @@ -133,10 +144,12 @@ sub new_hostgrp $hosts{$key}[1] = $type; $hosts{$key}[2] = $ip; $hosts{$key}[3] = 1; + print LOG "->Host (IP) $ip added to custom hosts\n" }else{ - print LOG "Host (IP) $ip already exists\n"; + print LOG "->Host (IP) $ip already exists\n"; } }elsif($byte4 < '255'){ + print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; if(!&check_net($ippart,$subnet)){ my $netkey = &General::findhasharraykey(\%nets); $name="net "; @@ -146,6 +159,7 @@ sub new_hostgrp $nets{$netkey}[1] = $ippart; $nets{$netkey}[2] = $subnet; $nets{$netkey}[3] = 1; + print LOG "->Network $ippart/$subnet added to custom networks\n"; }else{ print LOG "Network $ippart already exists\n"; } @@ -157,10 +171,12 @@ sub new_hostgrp $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = $name3; $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; } }elsif($run eq 'mac'){ #MACRUN my ($mac,$type) = split(",",$adr); + print LOG "Processing HOST (MAC) $mac\n"; if(!&check_host($mac)){ my $key = &General::findhasharraykey(\%hosts); $name="host "; 
@@ -170,8 +186,9 @@ sub new_hostgrp $hosts{$key}[1] = $type; $hosts{$key}[2] = $mac; $hosts{$key}[3] = 1; + print LOG "->Host (MAC) $mac added to custom hosts\n"; }else{ - print LOG "Host (MAC) $mac already exists\n"; + print LOG "->Host (MAC) $mac already exists\n"; } if($name2){ my $grpkey = &General::findhasharraykey(\%groups); @@ -180,10 +197,11 @@ sub new_hostgrp $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = $name3; $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; } } - @hostarray=(); } + @hostarray=(); &General::writehasharray($confighosts,\%hosts); &General::writehasharray($configgroups,\%groups); &General::writehasharray($confignets,\%nets); @@ -262,8 +280,7 @@ sub process_rules #some variables we can use from old config if($configline[1] eq 'on'){ $active='ON';}else{$active='';} if($configline[3] eq 'all'){ - push(@prot,"tcp"); - push(@prot,"udp"); + push(@prot,""); $useport='ON'; $grp3='TGT_PORT'; }else{ @@ -356,6 +373,7 @@ sub process_rules if ($getwebsiteip){ $grp2='tgt_addr'; $target=$getwebsiteip; + $remark.=" $configline[7]"; }else{ print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n"; next; @@ -526,3 +544,8 @@ sub build_ovpn_grp &General::writehasharray($configgroups,\%groups); &General::writehasharray($confignets,\%nets); } +sub process_p2p +{ + copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols"); + chmod oct(0777), '/var/ipfire/forward/p2protocols'; +} From 5238a8719d75273e5e52f083c0c10cbe9e3ea312 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 21 Jan 2013 21:26:44 +0100 Subject: [PATCH 059/306] Forward Firewall: minor improvements, if an outgoingrule has a given port and prot "all", there are two new rules generated for UDP and TCP. If an outgoingrule has only "all" as prot, but no port, there's only one new rule created --- config/forwardfw/convert-outgoingfw | 18 ++++++++++-------- config/forwardfw/rules.pl | 4 ++-- 2 files changed, 12 insertions(+), 10 deletions(-) 
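Review bot: `chmod oct(0777), '/var/ipfire/forward/p2protocols';` in the new `process_p2p` does not set mode 0777: `0777` is already an octal literal (511), and `oct(511)` parses the string "511" as octal, giving 0511, i.e. `r-x--x--x`, which the uid-99 CGI could not even read. The intended value is also the wrong one for a firewall policy file, since world-writable would let any local account change which P2P protocols the generated rules act on; `chmod 0644` plus `chown 99,99` matches what backup.pl does for the forward config files. `copy(...)`'s return value is unchecked, and both paths are hard-coded while the rest of this file uses `${General::swroot}`.
```perl
sub process_p2p
{
	my $src = "${General::swroot}/outgoing/p2protocols";
	my $dst = "${General::swroot}/forward/p2protocols";
	unless (copy($src, $dst)) {
		warn "copy $src -> $dst failed: $!";
		return;
	}
	chown 99, 99, $dst;   # same owner the forward config files get in backup.pl
	chmod 0644, $dst;     # owner-writable only; a world-writable policy file could be edited by any local user
}
```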
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 89cc35697..ada4196e3 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -37,7 +37,7 @@ my %fwdsettings=(); &process_groups; &process_rules; &process_p2p; - +system("/usr/local/bin/forwardfwctrl"); sub process_groups { if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} @@ -279,16 +279,19 @@ sub process_rules if($configline[0] eq $type){ #some variables we can use from old config if($configline[1] eq 'on'){ $active='ON';}else{$active='';} - if($configline[3] eq 'all'){ + if($configline[3] eq 'all' && $configline[8] ne ''){ + push(@prot,"TCP"); + push(@prot,"UDP"); + }elsif($configline[3] eq 'all' && $configline[8] eq ''){ push(@prot,""); - $useport='ON'; - $grp3='TGT_PORT'; }else{ push(@prot,$configline[3]); - $useport='ON'; - $grp3='TGT_PORT'; } - if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';} + + if($configline[4] ne ''){ + $configline[4] =~ s/,/;/g; + $remark = $configline[4]; + }else{$remark = '';} if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';} if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ @@ -472,7 +475,6 @@ sub process_rules } } &General::writehasharray($fwdfwconfig,\%fwconfig); - system("/usr/local/bin/forwardfwctrl"); @prot=(); } close(LOG); diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 2cdb36674..672fa1774 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
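Review bot: The `@@ -279` hunk copies `$configline[4]` into the new remark after only `s/,/;/g`, whereas forwardfw.cgi rejects remarks through `&validremark` (commits 055 and 056 above), so a remark the UI would refuse can land in the converted config and then trip the remark error the next time that rule is edited. Applying the same character filter here, or at least a comment stating that converted remarks are not validated, keeps the two paths consistent; what validremark accepts is not visible on this page, so the exact filter needs checking against it.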
@@ -248,12 +248,12 @@ sub p2pblock
 my @p2pline = split( /\;/, $p2pentry );
 if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
 $DO = "DROP";
- if ("$p2pline[2]" eq "off") {
+ if ("$p2pline[2]" eq "on") {
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 } else {
 $DO = "RETURN";
- if ("$p2pline[2]" eq "on") {
+ if ("$p2pline[2]" eq "off") {
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 }
From 3b81fad442d9078bc9131e731ce2034656bcb165 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Mon, 21 Jan 2013 21:47:32 +0100
Subject: [PATCH 060/306] Forward Firewall: converter now creates cdir format from ip-addresses
---
 config/forwardfw/convert-outgoingfw | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
index ada4196e3..03208e62b 100755
--- a/config/forwardfw/convert-outgoingfw
+++ b/config/forwardfw/convert-outgoingfw
@@ -335,8 +335,10 @@ sub process_rules
 }elsif ($configline[2] eq 'ip') {
 my $z=&check_ip($configline[5]);
 if($z){
+ my ($ipa,$subn) = split("/",$z);
+ $subn=&General::iporsubtocidr($subn);
 $grp1='src_addr';
- $source=$z;
+ $source="$ipa/$subn";
 }else{
 print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
 next;
@@ -369,8 +371,10 @@ sub process_rules
 if($configline[7] ne ''){
 my $address=&check_ip($configline[7]);
 if($address){
+ my ($dip,$dsub) = split("/",$address);
+ $dsub=&General::iporsubtocidr($dsub);
 $grp2='tgt_addr';
- $target=$address;
+ $target="$dip/$dsub";
 }elsif(!$address){
 my $getwebsiteip=&get_ip_from_domain($configline[7]);
 if ($getwebsiteip){
From 8d1beadce31786cc87afc01880d731c8a19e120f Mon Sep 17 00:00:00 2001
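Review bot: The `split("/", ...)` / `iporsubtocidr` pair added in the source branch, and again in the target branch of `@@ -369,8 +371,10 @@`, undoes a conversion check_ip just performed: check_ip (visible in PATCH 070's `@@ -101,13 +102,16 @@` hunk) turns a prefix length into a dotted mask with iporsubtodec and appends it, and both callers now immediately turn that mask back into a prefix length. Having check_ip return CIDR form directly would remove the duplicated lines and the round trip; if process_groups still needs the dotted form, a single `sub to_cidr { my ($ip, $mask) = split m{/}, shift; return "$ip/" . &General::iporsubtocidr($mask); }` used in both places keeps the transformation in one spot. process_rules extends beyond both hunks.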
From: Alexander Marx Date: Tue, 22 Jan 2013 05:42:46 +0100 Subject: [PATCH 061/306] Forward Firewall: 1) fixed outgoingfw converter: now checkbox for logging is converted corectly 2) edited p2p_block: now a checked prot is allowed --- config/forwardfw/convert-outgoingfw | 2 +- config/forwardfw/rules.pl | 6 +++--- html/cgi-bin/forwardfw.cgi | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 03208e62b..77f76cb83 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -292,7 +292,7 @@ sub process_rules $configline[4] =~ s/,/;/g; $remark = $configline[4]; }else{$remark = '';} - if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';} + if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ $time=''; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 672fa1774..099f2950d 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -246,12 +246,12 @@ sub p2pblock my $CMD = "-m ipp2p"; foreach my $p2pentry (sort @p2ps) { my @p2pline = split( /\;/, $p2pentry ); - if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) { - $DO = "DROP"; + if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { + $DO = "ACCEPT"; if ("$p2pline[2]" eq "on") { $P2PSTRING = "$P2PSTRING --$p2pline[1]"; } - } else { + }else { $DO = "RETURN"; if ("$p2pline[2]" eq "off") { $P2PSTRING = "$P2PSTRING --$p2pline[1]"; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index bf35b1f97..094c54474 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
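Review bot: The log flag is now detected by comparing `$configline[9]` with the literal `'Active'` in place of `'aktiv'`; both read as display labels rather than a stable on/off token, so the result would depend on which language the old outgoing firewall stored the value in — to be confirmed against the code that writes that file. Accepting both spellings, `if($configline[9] =~ /\A(?:Active|aktiv)\z/i){ $log='ON';}else{$log='';}`, keeps existing configurations converting, and a short comment naming where the value originates would stop the next reader from guessing. process_rules continues outside the hunk.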
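Review bot: The meaning of the third p2protocols field has been inverted twice in this series (PATCH 059's `@@ -248,12 +248,12 @@` and this hunk) without a comment stating it; as now written, MODE1 collects entries flagged `on` into an ACCEPT rule and every other policy collects entries flagged `off` into a RETURN rule, which reads as on = protocol allowed, off = protocol blocked — worth confirming against the CGI that writes the file. A comment above the loop such as `# p2protocols: name;ipp2p option;flag — "on" = allowed. MODE1 (deny policy) ACCEPTs the allowed ones; other modes RETURN the blocked ones so they appear not to reach the later ACCEPT` would fix the intent, and naming the two flag strings once (`my $ALLOWED = 'on';`) keeps the branches from drifting again. p2pblock starts before this hunk.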
@@ -1916,7 +1916,7 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - print""; } @@ -1951,8 +1951,8 @@ END END } - print""; - print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$ruletype"; + print""; if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); }else{ @@ -1807,7 +1827,23 @@ END } &gettgtport(\%$hash,$key); ################################################################################ - print"$$hash{$key}[16]$prot$$hash{$key}[16]
$Lang::tr{'fwdfw time'} "; + print"
$Lang::tr{'fwdfw time'} "; print"$weekdays"; print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]
$Lang::tr{'fwdfw time'} "; + print"
$Lang::tr{'fwdfw time'} "; print"$weekdays"; print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]
$p2pline[0]:
$Lang::tr{'outgoing firewall p2p deny'}
$Lang::tr{'outgoing firewall p2p allow'}
"; + print"$Lang::tr{'outgoing firewall p2p allow'}"; + print"$Lang::tr{'outgoing firewall p2p deny'}"; &Header::closebox(); } sub fillselect From 04f24153fcb06d29411569d19784430e16eee237 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 22 Jan 2013 12:28:14 +0100 Subject: [PATCH 062/306] Forward Firewall: edited language file en.pl and changed 'protocol:' to 'protocol' because in de.pl it is also just 'Protokoll' --- langs/en/cgi-bin/en.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4bfc8ba2e..b4db9628b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1682,7 +1682,7 @@ 'profile saved' => 'Profile saved: ', 'profiles' => 'Profiles:', 'proto' => 'Proto', -'protocol' => 'Protocol:', +'protocol' => 'Protocol', 'proxy' => 'Proxy', 'proxy access graphs' => 'Proxy access graphs', 'proxy admin password' => 'Cache administrator password', From ed62bbfb521de113f824228fed88f2f8f962035a Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 23 Jan 2013 05:51:30 +0100 Subject: [PATCH 063/306] Forward Firewall: changed sortorder in group tables --- html/cgi-bin/fwhosts.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 278d57c0a..1afe0cda2 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1348,7 +1348,7 @@ sub viewtablenet END } my $count=0; - foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) { + foreach my $key (sort {$a <=> $b} keys %customnetwork) { if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) { print" "; }elsif ($count % 2) 
@@ -1395,7 +1395,7 @@ sub viewtablehost END } my $count=0; - foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) { + foreach my $key (sort {$a <=> $b} keys %customhost) { if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { print" "; }elsif ($count % 2){ print" ";} @@ -1442,7 +1442,7 @@ sub viewtablegrp { print "
$Lang::tr{'fwhost empty'}"; }else{ - foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ + foreach my $key (sort {$a <=> $b} keys %customgrp){ $count++; if ($helper ne $customgrp{$key}[0]){ @@ -1502,7 +1502,7 @@ sub viewtableservice END - foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice) + foreach my $key (sort {$a <=> $b} keys %customservice) { $count++; if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { @@ -1542,7 +1542,7 @@ sub viewtableservicegrp &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); my $number= keys %customservicegrp; - foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){ + foreach my $key (sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){ $count++; if ($helper ne $customservicegrp{$key}[0]){ $grpname=$customservicegrp{$key}[0]; From 4b147d950b148500c5ec04a9f13e04f8b2e1ad96 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 23 Jan 2013 15:06:21 +0100 Subject: [PATCH 064/306] Forward Firewall: deleted symlink to outgoingfwctrl from lfs/initscripts --- lfs/initscripts | 2 -- 1 file changed, 2 deletions(-) diff --git a/lfs/initscripts b/lfs/initscripts index f4ad0f7fe..f78d3939e 100644 --- a/lfs/initscripts +++ b/lfs/initscripts 
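Review bot: Sorting `%customgrp` by numeric key instead of by group name removes the adjacency that the `if ($helper ne $customgrp{$key}[0])` test immediately below depends on: that test prints a new group header whenever the name differs from the previous row, so a group whose members do not have consecutive keys is presumably rendered with its header repeated. The `@@ -1542,7 +1542,7 @@` servicegroup hunk has the same shape, now sorting on column 2 while `$helper` still compares column 0. A primary sort on the name with the key as tie-breaker, `sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) or $a <=> $b } keys %customgrp`, gives a stable per-group order without losing the grouping. viewtablegrp continues past the hunk.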
@@ -179,8 +179,6 @@ $(TARGET) : ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall - ln -sf ../../../../../usr/local/bin/outgoingfwctrl \ - /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl ln -sf ../../../../../usr/local/bin/forwardfwctrl \ /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ From a57a5709a40580f68c4b2ecfd13d3a989ad7d4da Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 24 Jan 2013 05:25:58 +0100 Subject: [PATCH 065/306] Forward Firewall: changed Layout of P2P table --- html/cgi-bin/forwardfw.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 094c54474..0e83c8c0b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1934,8 +1934,8 @@ sub p2pblock close FILE; &Header::openbox('100%', 'center', 'P2P-Block'); print < - "; + print"
$Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'}
$Lang::tr{'protocol'}$Lang::tr{'status'} + + END foreach my $p2pentry (sort @p2ps) { @@ -1948,11 +1948,11 @@ END print < - + END } - print""; - print"
$Lang::tr{'protocol'}$Lang::tr{'status'}
$p2pline[0]:
$p2pline[0]:
$Lang::tr{'outgoing firewall p2p allow'}
$Lang::tr{'outgoing firewall p2p deny'}
"; + print"
$Lang::tr{'outgoing firewall p2p allow'}
$Lang::tr{'outgoing firewall p2p deny'}
"; &Header::closebox(); } sub fillselect From 45cfd811310ad839d8cc6b7358cd9074bf43ae80 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 24 Jan 2013 12:50:33 +0100 Subject: [PATCH 066/306] Forward Firewall: deleted 22-outgoingfwctrl --- config/rootfiles/common/i586/initscripts | 1 - 1 file changed, 1 deletion(-) diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index cf606440c..de3ae5f19 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -83,7 +83,6 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall -etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl etc/rc.d/init.d/networking/red.up/23-forwardfwctrl etc/rc.d/init.d/networking/red.up/24-RS-snort etc/rc.d/init.d/networking/red.up/25-RS-qos From 47a40c972633d9e817d58d5f0212ba47006b4973 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 24 Jan 2013 14:20:01 +0100 Subject: [PATCH 067/306] Forward Firewall: set P2Protocols default to "off" --- config/forwardfw/p2protocols | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols index d8998095c..700058126 100644 --- a/config/forwardfw/p2protocols +++ b/config/forwardfw/p2protocols @@ -1,9 +1,9 @@ -Applejuice;apple;on; -Ares;ares;on; -Bittorrent;bit;on; -DirectConnect;dc;on; -Edonkey;edk;on; -Gnutella;gnu;on; -KaZaA;kazaa;on; -SoulSeek;soul;on; -WinMX;winmx;on; +Applejuice;apple;off; +Ares;ares;off; +Bittorrent;bit;off; +DirectConnect;dc;off; +Edonkey;edk;off; +Gnutella;gnu;off; +KaZaA;kazaa;off; +SoulSeek;soul;off; +WinMX;winmx;off; From f3fb9b64ac9a15703827454e7f67bc6754af9c5c Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Thu, 24 Jan 2013 17:37:34 +0100 Subject: [PATCH 068/306] FOrward Firewall: disabled p2p table border --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0e83c8c0b..72d233fbb 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1934,7 +1934,7 @@ sub p2pblock close FILE; &Header::openbox('100%', 'center', 'P2P-Block'); print < + END foreach my $p2pentry (sort @p2ps) From f1ec713da7db766dc3593c99b9b5c5cbc6efdb86 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 25 Jan 2013 12:18:28 +0100 Subject: [PATCH 069/306] Forward Firewall: minor chnages just layout --- html/cgi-bin/forwardfw.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 72d233fbb..840219890 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1951,8 +1951,8 @@ END END } - print""; - print"
$Lang::tr{'protocol'}$Lang::tr{'status'}
$p2pline[0]:
$Lang::tr{'outgoing firewall p2p allow'}
$Lang::tr{'outgoing firewall p2p deny'}
"; + print"$Lang::tr{'outgoing firewall p2p allow'}"; + print"$Lang::tr{'outgoing firewall p2p deny'}"; &Header::closebox(); } sub fillselect From e3afaf8890558beb5e399efe2f8fa6cbd9123b91 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 26 Jan 2013 19:49:24 +0100 Subject: [PATCH 070/306] Forward Firewall: bugfix: network ip was treated like single host --- config/forwardfw/convert-outgoingfw | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 77f76cb83..a23059833 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -54,6 +54,7 @@ sub process_groups $ip =~ s/\s//gi; print LOG "Check IP $ip from Group $group "; my $val=&check_ip($ip); + print "ALARM IP ist nun: $val"; ############################ if($val){ push(@hostarray,$val.",ip"); print LOG "-> OK\n"; @@ -101,13 +102,16 @@ sub check_ip { my $adr=shift; my $a; + + print "habe bekommen: $adr\n";######################################### #ip with subnet in decimal if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){ + print "Bin drin, erkannt: cidr\n";################################ $adr=int($1).".".int($2).".".int($3).".".int($4); my $b = &General::iporsubtodec($5); $a=$adr."/".$b; - } - if($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + print "Hm erkannt ip ohne subnetz, ersetze es\n";################# $adr=int($1).".".int($2).".".int($3).".".int($4); if(&General::validip($adr)){ $a=$adr."/255.255.255.255"; From 70d38e5089fcd9de5a595dc5e08563104eba65ea Mon Sep 17 00:00:00 2001 
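Review bot: The CIDR branch that this hunk makes the head of the if/elsif chain matches with `m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/`, where each unescaped `.` matches any character, and the prefix length `$5` goes to iporsubtodec without being limited to 0–32; `m{\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})\z}` together with a `$5 <= 32` test would bring it in line with the stricter pattern already used in the new elsif. The `print "habe bekommen: ..."`, `print "Bin drin..."` and `print "Hm erkannt..."` lines (plus `print "ALARM IP ist nun: $val"` in `@@ -54,6 +54,7 @@`) write debugging text to STDOUT instead of the LOG handle the rest of the converter uses and should not ship; if a trace is wanted, `print LOG "check_ip($adr)\n";` keeps it in the converter log. check_ip continues past the end of this hunk.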
From: Alexander Marx
Date: Sat, 26 Jan 2013 21:11:21 +0100
Subject: [PATCH 071/306] Forward Firewall: fixed converterbug and added ruleposition to new rules in forwardfw.cgi
---
 config/forwardfw/convert-outgoingfw | 11 +++-------
 html/cgi-bin/forwardfw.cgi | 32 +++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
index a23059833..edb1fd0a8 100755
--- a/config/forwardfw/convert-outgoingfw
+++ b/config/forwardfw/convert-outgoingfw
@@ -54,7 +54,6 @@ sub process_groups
 $ip =~ s/\s//gi;
 print LOG "Check IP $ip from Group $group ";
 my $val=&check_ip($ip);
- print "ALARM IP ist nun: $val"; ############################
 if($val){
 push(@hostarray,$val.",ip");
 print LOG "-> OK\n";
@@ -102,16 +101,12 @@ sub check_ip
 {
 my $adr=shift;
 my $a;
-
- print "habe bekommen: $adr\n";#########################################
 #ip with subnet in decimal
 if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
- print "Bin drin, erkannt: cidr\n";################################
 $adr=int($1).".".int($2).".".int($3).".".int($4);
 my $b = &General::iporsubtodec($5);
 $a=$adr."/".$b;
 }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
- print "Hm erkannt ip ohne subnetz, ersetze es\n";#################
 $adr=int($1).".".int($2).".".int($3).".".int($4);
 if(&General::validip($adr)){
 $a=$adr."/255.255.255.255";
@@ -209,7 +204,7 @@ sub new_hostgrp
 &General::writehasharray($confighosts,\%hosts);
 &General::writehasharray($configgroups,\%groups);
 &General::writehasharray($confignets,\%nets);
-
+
 }
 sub check_host
 {
@@ -291,7 +286,7 @@ sub process_rules
 }else{
 push(@prot,$configline[3]);
 }
-
+
 if($configline[4] ne ''){
 $configline[4] =~ s/,/;/g;
 $remark = $configline[4];
@@ -557,5 +552,5 @@ sub build_ovpn_grp
 sub process_p2p
 {
 copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols");
- chmod oct(0777), '/var/ipfire/forward/p2protocols';
+ chmod oct('0777'), '/var/ipfire/forward/p2protocols';
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 840219890..4fc74aab7 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -134,8 +134,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'chain'} = 'INPUTFW'; + my $maxkey=&General::findhasharraykey(\%configinputfw); #check if we have an identical rule already - if($fwdfwsettings{'oldrulenumer'} eq $fwdfwsettings{'rulepos'}){ + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configinputfw){ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ 
@@ -151,6 +152,16 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configinputfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } #check if we just close a rule if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && 
$fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ @@ -196,6 +207,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') }else{ #FORWARD PART $fwdfwsettings{'chain'} = 'FORWARDFW'; + my $maxkey=&General::findhasharraykey(\%configfwdfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ 
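Review bot: The new rulepos block is a third copy of the 26-field comma-joined comparison that decides whether a rule already exists (this hunk and `@@ -213,6 +225,16 @@` for the FORWARD chain, beside the two existing copies above them), so every field added to the rule layout has to be added in four places and a mismatch silently disables the duplicate check. Extracting the key construction into two small helpers reduces each check to a single line per chain; note that `grep` reports a duplicate once, whereas the loops append the error text once per matching rule, which is presumably not intended. `$fwdfwsettings{'rulepos'} > 0` also compares a form value numerically, so a non-numeric submission warns and is treated as 0 — acceptable, but `looks_like_number` from Scalar::Util would make that explicit. The saverule handler enclosing both hunks starts and ends outside them.

```perl
# Fields that make two rules identical: form values in the order the
# stored columns 0, 2-15 and 17-27 are compared.
sub form_rule_key {
    return join(',',
        $fwdfwsettings{'RULE_ACTION'}, $fwdfwsettings{'ACTIVE'},
        $fwdfwsettings{'grp1'}, $fwdfwsettings{ $fwdfwsettings{'grp1'} },
        $fwdfwsettings{'grp2'}, $fwdfwsettings{ $fwdfwsettings{'grp2'} },
        @fwdfwsettings{qw(USE_SRC_PORT PROT ICMP_TYPES SRC_PORT USESRV TGT_PROT ICMP_TGT)},
        $fwdfwsettings{'grp3'}, $fwdfwsettings{ $fwdfwsettings{'grp3'} },
        @fwdfwsettings{qw(LOG TIME TIME_MON TIME_TUE TIME_WED TIME_THU TIME_FRI TIME_SAT TIME_SUN TIME_FROM TIME_TO)},
    );
}

sub stored_rule_key {
    my ($rule) = @_;    # one array ref from %configinputfw or %configfwdfw
    return join(',', @{$rule}[0, 2 .. 15, 17 .. 27]);
}

# … unchanged: chain selection and $maxkey lookup …
#check Rulepos on new Rule
if ($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}) {
    $fwdfwsettings{'oldrulenumber'} = $maxkey;
    if (grep { stored_rule_key($configinputfw{$_}) eq form_rule_key() } keys %configinputfw) {
        $errormessage .= $Lang::tr{'fwdfw err ruleexists'};
    }
}
```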
@@ -213,6 +225,16 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configfwdfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } #check if we just close a rule if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && 
$fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ @@ -989,7 +1011,7 @@ sub newrule foreach my $key (sort keys %hash){ $sum++; if ($key eq $fwdfwsettings{'key'}){ - $fwdfwsettings{'oldrulenumber'} = $key; + $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'}; $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; $fwdfwsettings{'grp1'} = $hash{$key}[3]; @@ -1080,7 +1102,6 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); - #------SOURCE------------------------------------------------------- print< @@ -1373,6 +1394,8 @@ END print">$count"; } print""; + }else{ + print "$Lang::tr{'fwdfw rulepos'}:"; } print< -
+ +
END }else{ From 85dc70c746cd8fe0b602c0e98f2cc4b2232507ec Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 27 Jan 2013 13:20:33 +0100 Subject: [PATCH 072/306] Forward Firewall: Fixed a bug in servicegroup-Tableview --- html/cgi-bin/fwhosts.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1afe0cda2..89b2a9321 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1542,7 +1542,7 @@ sub viewtableservicegrp &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); my $number= keys %customservicegrp; - foreach my $key (sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){ + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ $count++; if ($helper ne $customservicegrp{$key}[0]){ $grpname=$customservicegrp{$key}[0]; From 0f869e32d4ea1f56e84cb61578964adf6eec7659 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 28 Jan 2013 06:12:51 +0100 Subject: [PATCH 073/306] Forward FIrewall: tried to sort servicegroups the right way...not perfect now --- html/cgi-bin/fwhosts.cgi | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 89b2a9321..970243530 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1313,7 +1313,7 @@ END $Lang::tr{'fwhost cust service'}"; - } - print""; - $helper=$customservicegrp{$key}[0]; + }elsif ($count %2 == 0){ + print""; + }else{ + print""; + } + print "$customservicegrp{$key}[2]"; + print"$customservicegrp{$key}[3]$customservicegrp{$key}[4]
"; + if ($number gt '1'){ + print""; + } + print"
"; + $helper=$customservicegrp{$key}[0]; } print""; &Header::closebox(); From 7bd9d462de4035d508b108ab0bedc3fda87e1326 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 06:22:59 +0100 Subject: [PATCH 074/306] Forward Firewall: Deleted MODE0 from WEB Interface and added a table for DMZ-Rules. --- html/cgi-bin/forwardfw.cgi | 48 ++++++++++++++++++-------------------- lfs/configroot | 2 +- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 4fc74aab7..8f6ca585e 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -303,13 +303,15 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,); &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,); } - $fwdfwsettings{'POLICY'}='MODE0'; + system("rm ${General::swroot}/forward/config"); system("rm ${General::swroot}/forward/input"); &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } %fwdfwsettings = (); + $fwdfwsettings{'POLICY'}='MODE2'; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; } 
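Review bot: In the reset branch the existing `&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings)` still runs with the old settings just before `%fwdfwsettings = ()` empties them and the newly added second writehash overwrites the file with only POLICY=MODE2; the first write is now dead, and the reset silently discards every other key in forward/settings — if that is intended, a comment such as `# reset drops all forward settings; only the default policy survives` should say so, otherwise set POLICY on the existing hash and write once. The neighbouring `system("rm ${General::swroot}/forward/config")` and `system("touch ...")` calls go through a shell for work Perl does natively and never report failure; `unlink "${General::swroot}/forward/config";` and `open my $fh, '>', "${General::swroot}/forward/config" or die $!; close $fh;` need no shell and make errors visible. The handler's opening lines are outside the hunk.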
@@ -517,39 +519,23 @@ sub dec_counter } sub base { - if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - &hint; - if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') { - &addrule; - } - - #print""; - #foreach (0 .. 40){ - #my $i="color".$_; - #print""; - #} - #print"
$_
"; - if ($fwdfwsettings{'POLICY'} eq 'MODE1' || $fwdfwsettings{'POLICY'} eq 'MODE2' ) { - &p2pblock; - } + &addrule; + &p2pblock; &Header::openbox('100%', 'center', 'Policy'); print < - -
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}

+
END - if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) { - print "$Lang::tr{'outgoing firewall reset'}: "; - } + print "$Lang::tr{'outgoing firewall reset'}: "; print "
"; &Header::closebox(); } @@ -1731,7 +1717,9 @@ sub get_serviceports } sub viewtablerule { + &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); + &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); } sub viewtablenew @@ -1740,8 +1728,17 @@ sub viewtablenew my $config=shift; my $title=shift; my $title1=shift; - - if ( ! -z "$config"){ + my $go=''; + &General::readhasharray("$config", $hash); + #check if there are DMZ entries + if ($title1 eq 'DMZ'){ + foreach my $key (keys %$hash){ + if ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE'){$go='on';} + } + }elsif( ! -z "$config" ){ + $go='on'; + } + if($go ne ''){ &Header::openbox('100%', 'left',$title); my $count=0; my ($gif,$log); @@ -1750,11 +1747,13 @@ sub viewtablenew my $tooltip; my @tmpsrc=(); my $coloryellow=''; - &General::readhasharray("$config", $hash); print"$title1
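Review bot: viewtablenew now decides which rules to show by comparing `$title1` — a caption that the input table passes as `$Lang::tr{'external access'}` — against the literals 'DMZ' and 'Forward' (here and in `@@ -1750,11 +1747,13 @@`), and classifies a rule as DMZ when column 4 or 6 equals the literal 'ORANGE'. Dispatching on a display string is fragile: renaming or translating the caption changes which rules appear. Passing an explicit kind argument ('forward', 'dmz', 'input') as a fifth parameter and keeping the ORANGE test in one small helper, e.g. `sub is_dmz_rule { my $r = shift; return $$r[4] eq 'ORANGE' || $$r[6] eq 'ORANGE'; }`, lets the `$go` check and the `next` filter share the same rule instead of two hand-written negations. readhasharray now also runs on every call, so the forward config is read twice for the Forward and DMZ tables; harmless, but worth a comment. viewtablenew's body extends beyond both hunks.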
"; print""; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ + #check if we have a FORWARDFW OR DMZ RULE + if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[6] ne 'ORANGE')){next;} + if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE')){next;} @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ @@ -1843,7 +1842,6 @@ END END - print< END diff --git a/lfs/configroot b/lfs/configroot index 4c039977b..88fa9f2f8 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -118,7 +118,7 @@ $(TARGET) : echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "POLICY=MODE0" >> $(CONFIG_ROOT)/forward/settings + echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings # set rules.pl executable chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl From 210ee67b5354f513a71a74df2633e2d3e0ddad95 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 09:14:01 +0100 Subject: [PATCH 075/306] Forward Firewall: deleted mode0, added default Mode2 and fixed /etc/init.d/firewall to reload the rules correctly on reload. Also made it possible to create broadcastrules (To drop broadcastpackets) --- config/forwardfw/rules.pl | 19 ++++++++++++++----- html/cgi-bin/forwardfw.cgi | 12 +++++------- src/initscripts/init.d/firewall | 5 +++-- 3 files changed, 22 insertions(+), 14 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 099f2950d..3b2cb03f1 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
@@ -53,12 +53,16 @@ my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $netsettings = "${General::swroot}/ethernet/settings"; my $errormessage=''; +my $orange; +my $green; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); my $CHAIN="FORWARDFW"; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); &General::readhasharray($configgrp, \%customgrp); @@ -92,12 +96,17 @@ if($param eq 'flush'){ &p2pblock; system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - &p2pblock; - system ("/usr/sbin/firewall-forward-policy"); - system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); - }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){ - system ("/usr/sbin/firewall-forward-policy"); + if ($defaultNetworks{'ORANGE_DEV'}){ + $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); + $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); + $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; + $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; + #set default rules for DMZ + system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); + &p2pblock; + } system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); + system ("/usr/sbin/firewall-forward-policy"); } } } diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 8f6ca585e..6895a9eed 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
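Review bot: `&p2pblock;` in the MODE2 branch now sits inside `if ($defaultNetworks{'ORANGE_DEV'})`, so a system without an ORANGE interface no longer gets the P2P rules at all under the default policy, while the preceding branch still calls p2pblock unconditionally; moving `&p2pblock;` out of the conditional, ahead of the `--state NEW -j ACCEPT` rule, restores the previous coverage. `system ("iptables -A $CHAIN -s $orange -d $green -j RETURN")` interpolates values read from ethernet/settings into a shell command line; the list form `system('iptables', '-A', $CHAIN, '-s', $orange, '-d', $green, '-j', 'RETURN');` avoids the shell entirely. `%defaultNetworks` is filled by the readhash added in `@@ -53,12 +53,16 @@` but no declaration is visible — if it is not declared elsewhere, `use strict` rejects it, so `my %defaultNetworks;` belongs with the other `my` lines. The enclosing if/elsif block starts before the hunk.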
@@ -731,9 +731,9 @@ sub checktarget
 $ip=&General::ip2dec($ip);
 $ip=&General::dec2ip($ip);
- #check if net or broadcast
+ #check if net
 my @tmp= split (/\./,$ip);
- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+ if ($tmp[3] eq "0")
 {
 $errormessage=$Lang::tr{'fwhost err hostip'}."
"; } @@ -865,7 +865,7 @@ sub checkrule my $networkip1=&General::getnetworkip($sip,$scidr); my $networkip2=&General::getnetworkip($tip,$tcidr); if ($scidr gt $tcidr){ - if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){ + if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } }elsif($scidr eq $tcidr && $scidr eq '32'){ @@ -876,7 +876,7 @@ sub checkrule $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
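Review bot: `$tmp[3] eq "0"` recognises a network address only when the subnet is a /24: 10.0.1.0 is a valid host in 10.0.0.0/16 and is rejected, while the network address of a /25 such as 192.0.2.128 passes. If the rule is meant to reject network and broadcast addresses, it should be derived from the subnet the host belongs to (the file already has `&General::getnetworkip` in `checkrule`) rather than from the last octet; whether a mask is available at this point of `checktarget` is not visible in the hunk. Patch 077's `@@ -731,9 +731,9 @@` restores the `"255"` test with the same limitation. `checktarget` begins before this hunk.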
"; } }else{ - if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ + if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } @@ -884,9 +884,7 @@ sub checkrule #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ - - - if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ $errormessage.=$Lang::tr{'fwdfw err prot'}; } #check source and destination protocol if source manual and dest servicegrp diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index af488b0d7..0dbb25feb 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -351,9 +351,10 @@ case "$1" in ;; restart) $0 stop - $0 stopovpn $0 start - $0 startovpn + /usr/local/bin/forwardfwctrl + /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 + /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; *) echo "Usage: $0 {start|stop|reload|restart}" From e974ced8c5a280554d4034e60647188e109fe9a1 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 10:27:38 +0100 Subject: [PATCH 076/306] Forward Firewall: when resetting firewall, an error was generated in log, because there's no reread file --- html/cgi-bin/forwardfw.cgi | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6895a9eed..18ed594ca 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
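Review bot: The `else` branch changed here is selected by `if ($scidr gt $tcidr)` in the preceding hunk, and `gt` compares the prefix lengths as strings, so a /8 source against a /24 target ("8" gt "24" is true lexically) takes the first branch instead of this one; the test should be numeric, `if ($scidr > $tcidr){`. The added `&& $tcidr ne '32'` is removed again by patch 077, so the case it was meant to handle deserves a sentence in the commit message or a comment. `checkrule` begins before this hunk.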
@@ -1997,7 +1997,9 @@ sub rules
 sub reread_rules {
 system("/usr/local/bin/forwardfwctrl");
- system("rm ${General::swroot}/forward/reread");
+ if ( -f "${General::swroot}/forward/reread"){
+ system("rm ${General::swroot}/forward/reread");
+ }
 }
 &Header::closebigbox();
 &Header::closepage();
From 6adcf1569cf30ca399ae0aacb9e86c06fff4ffc6 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 13:34:54 +0100 Subject: [PATCH 077/306] Forward Firewall: set standard rules for blue in mode 2
---
 config/forwardfw/rules.pl | 13 ++++++++++--- html/cgi-bin/forwardfw.cgi | 6 +++--- src/initscripts/init.d/firewall | 1 + 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 3b2cb03f1..e55602ed6 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -57,6 +57,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
 my $errormessage='';
 my $orange;
 my $green;
+my $blue;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
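Review bot: Removing a file by spawning `rm` through the shell, guarded by a `-f` test, is the long way round: Perl's `unlink "${General::swroot}/forward/reread";` does the job in one call, returns 0 quietly when the file is absent (which is exactly the log noise the commit message describes), and needs no shell. The return value of `system("/usr/local/bin/forwardfwctrl")` is also ignored, so a failed rule reload leaves the page reporting success; checking `$? == 0` and surfacing the error is worth adding while this sub is being touched. `reread_rules` fits entirely in the hunk.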
@@ -96,15 +97,21 @@ if($param eq 'flush'){
 &p2pblock;
 system ("/usr/sbin/firewall-forward-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
 if ($defaultNetworks{'ORANGE_DEV'}){
 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
 #set default rules for DMZ
 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- &p2pblock;
 }
+ if ($defaultNetworks{'BLUE_DEV'}){
+ $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
+ $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
+ #set default rules for BLUE
+ system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
+ }
+ &p2pblock;
 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
 system ("/usr/sbin/firewall-forward-policy");
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 18ed594ca..2b84d1773 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -731,9 +731,9 @@ sub checktarget
 $ip=&General::ip2dec($ip);
 $ip=&General::dec2ip($ip);
- #check if net
+ #check if net or broadcast
 my @tmp= split (/\./,$ip);
- if ($tmp[3] eq "0")
+ if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
 {
 $errormessage=$Lang::tr{'fwhost err hostip'}."
"; } @@ -876,7 +876,7 @@ sub checkrule $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } }else{ - if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){ + if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0dbb25feb..8333c4df7 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -353,6 +353,7 @@ case "$1" in $0 stop $0 start /usr/local/bin/forwardfwctrl + /usr/local/bin/setportfw /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; From 5b7ed8bbae95651ff9098b90466bb815d2361f5f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 15:24:57 +0100 Subject: [PATCH 078/306] Forward Firewall: Tablegroup DMZ and WLAN now only show the own rules --- config/forwardfw/rules.pl | 16 ++++++++++------ html/cgi-bin/forwardfw.cgi | 18 ++++++++++++++---- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index e55602ed6..ddcd560c1 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
@@ -99,18 +99,22 @@ if($param eq 'flush'){ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; - if ($defaultNetworks{'ORANGE_DEV'}){ - $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); - $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; - #set default rules for DMZ - system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); - } if ($defaultNetworks{'BLUE_DEV'}){ $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; #set default rules for BLUE system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); } + if ($defaultNetworks{'ORANGE_DEV'}){ + $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); + $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; + #set default rules for DMZ + system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); + if ($defaultNetworks{'BLUE_DEV'}){ + system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); + } + } + &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); system ("/usr/sbin/firewall-forward-policy"); diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 2b84d1773..82286feec 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1718,6 +1718,7 @@ sub viewtablerule &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); + &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); } sub viewtablenew 
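Review bot: After this reorder MODE2 returns ORANGE→GREEN, ORANGE→BLUE and BLUE→GREEN connections to the parent chain before the blanket `-m state --state NEW -j ACCEPT`, but there is no `-s $blue -d $orange` counterpart, so BLUE hosts may open connections into ORANGE by default while the reverse direction is blocked. If that asymmetry is deliberate, a comment next to `#set default rules for BLUE` saying so would stop the next reader from "fixing" it; if it is not, `system ("iptables -A $CHAIN -s $blue -d $orange -j RETURN");` belongs inside the ORANGE block's `if ($defaultNetworks{'BLUE_DEV'})`, where both `$orange` and `$blue` are defined. The unchecked `system()` return values noted on patch 075 apply here as well.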
@@ -1731,9 +1732,17 @@ sub viewtablenew #check if there are DMZ entries if ($title1 eq 'DMZ'){ foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE'){$go='on';} + if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} } - }elsif( ! -z "$config" ){ + }elsif($title1 eq 'WLAN'){ + foreach my $key (keys %$hash){ + if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} + } + }elsif($title1 eq 'Forward'){ + foreach my $key (keys %$hash){ + if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} + } + }elsif( ! -z $config){ $go='on'; } if($go ne ''){ @@ -1750,8 +1759,9 @@ sub viewtablenew print"
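Review bot: The zone test that assigns a rule to the DMZ, WLAN or Forward table is now written out twice — in the three `$go` loops here and again in the `next` guards of the following hunk (`@@ -1750,8 +1759,9 @@`) — and the two copies have already diverged once (the earlier version also consulted `[6]`). A small helper, `sub rule_group { my ($r) = @_; return 'DMZ' if $$r[4] eq 'ORANGE'; return 'WLAN' if $$r[4] eq 'BLUE'; return 'Forward'; }`, lets both places compare `rule_group($$hash{$key})` with `$title1` and keeps them in step. A comment recording what index 4 of a rule record holds (presumably the source zone, given the ORANGE/BLUE comparisons) would also help, since the hunk gives no other hint. `viewtablenew` begins before this hunk.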
"; foreach my $key (sort {$a <=> $b} keys %$hash){ #check if we have a FORWARDFW OR DMZ RULE - if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[6] ne 'ORANGE')){next;} - if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE')){next;} + if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;} + if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;} + if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;} @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ From 0b14d3d9b14ee36a01a67d83591ede814cc9f92d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 30 Jan 2013 16:28:18 +0100 Subject: [PATCH 079/306] Forward Firewall: fixed portforward rules. Now possible even if firewall in mode1 --- src/initscripts/init.d/firewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 8333c4df7..7453056be 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -211,7 +211,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange From 2b9460abfa947eb91b391e4e97daa95ee7bc87fc Mon Sep 17 00:00:00 2001 
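Review bot: Enabling `/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT` accepts every new forwarded connection entering on GREEN at this point of the FORWARD chain, so any rule appended to FORWARD later in the script — such as a `-j FORWARDFW` jump for GREEN, if one exists as it does for ORANGE further down (visible as context in patch 083's hunk) — never sees GREEN-originated traffic, and the "Blocked" policy implemented by rules.pl would apply only to ORANGE and BLUE. The commit message says the aim is to make port forwards work in mode 1; if so, a narrower match such as `-m conntrack --ctstate DNAT` on the DNATed connections keeps the policy intact for everything else, and the reason belongs in a comment above the line. Where the GREEN jump to FORWARDFW sits relative to this rule is not visible in the hunk, so confirm against the rest of the script before relying on either reading.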
From: Alexander Marx Date: Thu, 31 Jan 2013 05:17:41 +0100 Subject: [PATCH 080/306] Forward Firewall: changed firewall modes from mode1,mode2 to "allowed" and "blocked". Also new descriptiontext. --- html/cgi-bin/forwardfw.cgi | 12 +++++++----- langs/de/cgi-bin/de.pl | 4 ++++ langs/en/cgi-bin/en.pl | 4 ++++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 82286feec..1ecdd6264 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -524,14 +524,16 @@ sub base &hint; &addrule; &p2pblock; - &Header::openbox('100%', 'center', 'Policy'); + &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); print < -
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
- - +
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}
+ + - - "; } print<
$customnetwork{$key}[0]
+ ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); print<$customhost{$key}[0] +
$Lang::tr{'fwdfw pol text'}

+
END diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index be1622458..127db1e92 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -922,6 +922,10 @@ 'fwdfw man port' => 'Port(s) manuell:', 'fwdfw moveup' => 'Hoch', 'fwdfw movedown' => 'Runter', +'fwdfw pol allow' => 'Zugelassen', +'fwdfw pol block' => 'Blockiert', +'fwdfw pol title' => 'Standardverhalten der Firewall', +'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b4db9628b..8df7bf505 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -948,6 +948,10 @@ 'fwdfw man port' => 'Port(s) manual:', 'fwdfw moveup' => 'Move up', 'fwdfw movedown' => 'Move down', +'fwdfw pol allow' => 'Allowed', +'fwdfw pol block' => 'Blocked', +'fwdfw pol title' => 'Firewall default behavior', +'fwdfw pol text' => 'Default behavior for connections from local nwtworks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', From 53f3a4c82dcbcc95118635bf89e67876ccb79206 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 31 Jan 2013 05:48:20 +0100 Subject: [PATCH 081/306] Forward Firewall: Typo in en.pl --- langs/en/cgi-bin/en.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8df7bf505..e8526e726 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -951,7 +951,7 @@ 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', -'fwdfw pol text' => 'Default behavior for connections from local nwtworks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.', +'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', From 8f1634ffbc7b3d039088bf80c85c3bcf2eeaf56c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 31 Jan 2013 07:33:47 +0100 Subject: [PATCH 082/306] Forward Firewall: firewall policy dropdown - resized --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 1ecdd6264..c3acfca28 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -531,7 +531,7 @@ print <$Lang::tr{'fwdfw pol text'}

From d6bdebd47d1c163dae1fbde6b6758d58ec66d67b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 31 Jan 2013 08:45:04 +0100 Subject: [PATCH 083/306] Forward Firewall: fixed icmp-types and deleted dmzholes chain --- config/fwhosts/icmp-types | 6 +++--- src/initscripts/init.d/firewall | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types index d41cdbfba..a9066a89b 100755 --- a/config/fwhosts/icmp-types +++ b/config/fwhosts/icmp-types @@ -1,4 +1,4 @@ -0,echo-reply (pong),0 +0,echo-reply,0 1,destination-unreachable,3 2,network-unreachable,3/0 3,host-unreachable,3/1 @@ -21,10 +21,10 @@ 20,host-redirect,5/1 21,TOS-network-redirect,5/2 22,TOS-host-redirect,5/3 -23,echo-request (ping),8 +23,echo-request,8 24,router-advertisement,9 25,router-solicitation,10 -26,time-exceeded (ttl-exceeded),11 +26,time-exceeded,11 27,ttl-zero-during-transit,11/0 28,ttl-zero-during-reassembly,11/1 29,parameter-problem,12 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 7453056be..c2308d3c0 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -242,9 +242,9 @@ case "$1" in iptables_red - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow + # DMZ pinhole chain. # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES + if [ "$ORANGE_DEV" != "" ]; then /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW fi From 20c00d4bdf1114b983c71d2557dcdb0b067e87e0 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 31 Jan 2013 20:52:56 +0100 Subject: [PATCH 084/306] Forward Firewall: BUGFIX-CustomGroup sort order --- html/cgi-bin/fwhosts.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 970243530..02630526a 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1442,7 +1442,7 @@ sub viewtablegrp { print "
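Review bot: The two comment lines kept above the deleted `-N DMZHOLES` still describe a "DMZ pinhole chain" that lets "ORANGE talk to GREEN / BLUE", but no such chain is created any more and the rule that follows jumps to FORWARDFW; replace them with something like `# ORANGE: new connections are decided by the FORWARDFW chain built by rules.pl`. Any remaining `-F DMZHOLES`, `-X DMZHOLES` or `-j DMZHOLES` elsewhere in this script (the stop branch is the usual place) will now fail at runtime because the chain no longer exists; that part of the file is outside the hunk, so it needs a check.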
$Lang::tr{'fwhost empty'}"; }else{ - foreach my $key (sort {$a <=> $b} keys %customgrp){ + foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ $count++; if ($helper ne $customgrp{$key}[0]){ From 937d4e0892956a054f012f9f6d4ce5b1e03227f0 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 1 Feb 2013 13:18:15 +0100 Subject: [PATCH 085/306] Forward Firewall: redefined layout of customservicegroups and some layout changes --- html/cgi-bin/fwhosts.cgi | 32 +++++++++----- langs/de/cgi-bin/de.pl | 90 ++++++++++++++++++++-------------------- langs/en/cgi-bin/en.pl | 52 +++++++++++------------ 3 files changed, 92 insertions(+), 82 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 02630526a..88c32c4cc 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -800,9 +800,8 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'}; $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'}; $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'}; - $customservicegrp{$key}[3] = $port; - $customservicegrp{$key}[4] = $prot; - $customservicegrp{$key}[5] = $count; + $customservicegrp{$key}[3] = $count; + &General::writehasharray("$configsrvgrp", \%customservicegrp ); $fwhostsettings{'updatesrvgrp'}='on'; } @@ -1359,7 +1358,7 @@ END print"
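Review bot: `sort { … [0] … } sort { … [2] … } keys %customgrp` depends on the outer sort preserving the inner order, which Perl promises only under `use sort 'stable'`; a single comparator expresses the intent directly and also gives a deterministic order for equal names: `sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) || uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) || $a <=> $b } keys %customgrp`. That is the form patch 085 uses for `%customservice` in `viewtableservice`, so it would keep the two listings consistent. `viewtablegrp` begins before this hunk.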
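Review bot: Moving the usage counter from `[5]` to `[3]` and dropping the port/protocol fields changes the record layout of the customservicegroups file, but none of the three files in this commit converts existing data: for an entry written by the previous version `$customservicegrp{$key}[3]` now holds the old port string, so the `== '0'` test in `viewtableservicegrp` (`@@ -1549,8 +1551,8 @@`) compares a port with zero and the "used" column displays a port. Either convert old records when the file is read, or state in the commit message that the file must be recreated. The `if` that encloses this hunk starts before it.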
$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3] x$customnetwork{$key}[0]$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3]x @@ -1402,7 +1401,7 @@ END else{ print"
$customhost{$key}[2]$customhost{$key}[3] x$customhost{$key}[0]$customhost{$key}[2]$customhost{$key}[3]x @@ -1451,7 +1450,7 @@ sub viewtablegrp if($count >=2){print"
";} print "
$grpname    "; print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); - print "$Lang::tr{'used'}: $customgrp{$key}[4] x"; + print "$Lang::tr{'used'}: $customgrp{$key}[4]x"; if($customgrp{$key}[4] == '0') { print""; @@ -1502,7 +1501,7 @@ sub viewtableservice END - foreach my $key (sort {$a <=> $b} keys %customservice) + foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice) { $count++; if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { @@ -1537,9 +1536,12 @@ sub viewtableservicegrp my $grpname; my $remark; my $helper; + my $port; + my $protocol; if (! -z $configsrvgrp){ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); + &General::readhasharray("$configsrv", \%customservice); my $number= keys %customservicegrp; foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){ $count++; @@ -1549,8 +1551,8 @@ sub viewtableservicegrp if($count >=2){print"
$Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'}
";} print "
$grpname     "; print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); - print "  $Lang::tr{'used'}: $customservicegrp{$key}[5] x"; - if($customservicegrp{$key}[5] == '0') + print "  $Lang::tr{'used'}: $customservicegrp{$key}[3]x"; + if($customservicegrp{$key}[3] == '0') { print"
"; } @@ -1559,13 +1561,21 @@ sub viewtableservicegrp } if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { print" "; - }elsif ($count %2 == 0){ + } + if ($count %2 == 0){ print""; }else{ print""; } print "$customservicegrp{$key}[2]"; - print"$customservicegrp{$key}[3]$customservicegrp{$key}[4]
"; + foreach my $srv (sort keys %customservice){ + if ($customservicegrp{$key}[2] eq $customservice{$srv}[0]){ + $protocol=$customservice{$srv}[2]; + $port=$customservice{$srv}[1]; + last; + } + } + print"$port$protocol"; if ($number gt '1'){ print""; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 127db1e92..d2c1f0383 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -746,7 +746,7 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop action' => 'Standardverhalten der Firewall in Modus1', +'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"', 'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop forward' => 'Verworfene Firewall-Pakete loggen', 
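Review bot: `$port` and `$protocol` are declared once per call (`@@ -1537,9 +1536,12 @@`) and only assigned when the inner `foreach` finds a service whose name equals `$customservicegrp{$key}[2]`; for a group member whose service has since been deleted the loop finds nothing and the row prints the previous member's port and protocol. Reset both before the lookup, `$port = ''; $protocol = '';`, or better build `my %service_by_name = map { $customservice{$_}[0] => $customservice{$_} } keys %customservice;` once after the `readhasharray` call and index it, which also removes the per-row scan over every service. `viewtableservicegrp` starts before this hunk.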
@@ -897,25 +897,25 @@ 'fwdfw copy' => 'Kopieren', 'fwdfw delete' => 'Löschen', 'fwdfw edit' => 'Bearbeiten', -'fwdfw err nosrc' => 'Keine Quelle gewählt.', -'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.', -'fwdfw err notgt' => 'Kein Ziel gewählt.', -'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.', -'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.', -'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.', -'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.', -'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.', -'fwdfw err same' => 'Quelle und Ziel sind identisch.', -'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.', -'fwdfw err srcport' => 'Bitte Quellport angeben.', -'fwdfw err tgtport' => 'Bitte Zielport angeben.', -'fwdfw err tgt_addr' => 'Ziel-IP ungültig.', +'fwdfw err nosrc' => 'Keine Quelle gewählt', +'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben', +'fwdfw err notgt' => 'Kein Ziel gewählt', +'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben', +'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein', +'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen', +'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', +'fwdfw err src_addr' => 'Quell-MAC/IP ungültig', +'fwdfw err same' => 'Quelle und Ziel sind identisch', +'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz', +'fwdfw err srcport' => 'Bitte Quellport angeben', +'fwdfw err tgtport' => 'Bitte Zielport angeben', +'fwdfw err tgt_addr' => 'Ziel-IP ungültig', 'fwdfw err tgt_port' => 'Ziel Port ungültig', -'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.', -'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.', -'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.', +'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden', +'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer', +'fwdfw err time' => 'Es muss mindestens 
ein Tag gewählt werden', 'fwdfw from' => 'Von:', -'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.', +'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind', 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', 'fwdfw ipsec network' => 'IPsec Netzwerke:', 'fwdfw log rule' => 'Log Regel', @@ -925,7 +925,7 @@ 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', -'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', +'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', 
@@ -971,34 +971,34 @@ 'fwhost cust srvgrp' => 'Custom Dienstgruppen', 'fwhost deleted' => 'Gelöscht', 'fwhost empty' => 'Keine Einträge vorhanden', -'fwhost err addr' => 'IP oder Subnetzmaske ungültig.', -'fwhost err addrgrp' => 'Bitte gruppenname angeben.', -'fwhost err empty' => 'Bitte alle Felder füllen.', -'fwhost err grpexist' => 'Gruppe existiert bereits.', -'fwhost err groupempty' => 'Gewählte Gruppe ist leer.', -'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', -'fwhost err name1' => 'Name muss gefüllt sein.', -'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!', +'fwhost err addr' => 'IP oder Subnetzmaske ungültig', +'fwhost err addrgrp' => 'Bitte gruppenname angeben', +'fwhost err empty' => 'Bitte alle Felder füllen', +'fwhost err grpexist' => 'Gruppe existiert bereits', +'fwhost err groupempty' => 'Gewählte Gruppe ist leer', +'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich', +'fwhost err name1' => 'Name muss gefüllt sein', +'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits', 'fwhost err net' => 'Netzwerk IP existiert bereits', -'fwhost err mac' => 'MAC Adresse ungültig.', -'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.', -'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.', -'fwhost err hostorip' => 'Name oder IP Adresse ungültig.', -'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.', -'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.', -'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.', -'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.', -'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.', -'fwhost err ip' => 'IP Addresse ungültig.', -'fwhost err ipmac' => 'IP/MAC Addresse ungültig.', -'fwhost err 
ipcheck' => 'Diese IP Adresse wird bereits verwendet.', -'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.', -'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.', -'fwhost err port' => 'Port muss gefüllt sein.', -'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', +'fwhost err mac' => 'MAC Adresse ungültig', +'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits', +'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt', +'fwhost err hostorip' => 'Name oder IP Adresse ungültig', +'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet', +'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet', +'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet', +'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet', +'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe', +'fwhost err ip' => 'IP Addresse ungültig', +'fwhost err ipmac' => 'IP/MAC Addresse ungültig', +'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet', +'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben', +'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks', +'fwhost err port' => 'Port muss gefüllt sein', +'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', -'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.', -'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.', +'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', +'fwhost err sub32' => 'Bitte Host hinzufügen. 
Dieses Subnetz ist kein Netzwerk', 'fwhost green' => 'Grün', 'fwhost hosts' => 'Firewall Hosts', 'fwhost hint' => 'Hinweis', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e8526e726..955d3cfbf 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,7 +771,7 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', -'drop action' => 'Default behaviour of firewall in mode 1', +'drop action' => 'Default behaviour of firewall in mode "Blocked"', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', @@ -951,7 +951,7 @@ 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', -'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.', +'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', @@ -989,7 +989,7 @@ 'fwhost ccdhost' => 'OpenVPN clients:', 'fwhost ccdnet' => 'OpenVPN networks:', 'fwhost change' => 'Modify', -'fwhost changeremark' => 'You just modified the remark!', +'fwhost changeremark' => 'You just modified the remark', 'fwhost cust addr' => 'Custom addresses:', 'fwhost cust grp' => 'Custom groups:', 'fwhost cust net' => 'Custom networks:', 
@@ -997,34 +997,34 @@ 'fwhost cust srvgrp' => 'Custom servicegroups', 'fwhost deleted' => 'Deleted', 'fwhost empty' => 'No entries by now', -'fwhost err addr' => 'Invalid IP or subnet!', -'fwhost err addrgrp' => 'Please provide a groupname!', -'fwhost err empty' => 'Please fill in all fields!', -'fwhost err grpexist' => 'Group already exists!', -'fwhost err groupempty' => 'Selected Group is empty!', +'fwhost err addr' => 'Invalid IP or subnet', +'fwhost err addrgrp' => 'Please provide a groupname', +'fwhost err empty' => 'Please fill in all fields', +'fwhost err grpexist' => 'Group already exists', +'fwhost err groupempty' => 'Selected Group is empty', 'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.', 'fwhost err name1' => 'Name is empty.', -'fwhost err netexist' => 'A network with this name already exists!', +'fwhost err netexist' => 'A network with this name already exists', 'fwhost err net' => 'Network IP already exists', 'fwhost err mac' => 'MAC address invalid', -'fwhost err hostexist' => 'A host with this name already exists!', -'fwhost err hostip' => 'Net or broadcast not allowed!', -'fwhost err hostorip' => 'Name or IP invalid.', -'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!', -'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!', -'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!', -'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!', -'fwhost err isingrp' => 'This entry already exists in the group!', -'fwhost err ip' => 'IP address invalid.', -'fwhost err ipmac' => 'IP/MAC address invalid.', -'fwhost err ipcheck' => 'This IP address is already in use!', +'fwhost err hostexist' => 'A host with this name already exists', +'fwhost err hostip' => 'Network or broadcast addresses not allowed', +'fwhost err hostorip' => 'Name or IP invalid', +'fwhost err isccdhost' => 'This name is already used by an OpenVPN client', +'fwhost err 
isccdipnet' => 'This IP is already used by an OpenVPN network', +'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client', +'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network', +'fwhost err isingrp' => 'This entry already exists in the group', +'fwhost err ip' => 'IP address invalid', +'fwhost err ipmac' => 'IP/MAC address invalid', +'fwhost err ipcheck' => 'This IP address is already in use', 'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask', -'fwhost err partofnet' => 'This network is part of an already existing one!', -'fwhost err port' => 'Port is empty.', -'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.', +'fwhost err partofnet' => 'This network is part of an already existing one', +'fwhost err port' => 'Port is empty', +'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', -'fwhost err srv exists' => 'A Service with this name already exists.', -'fwhost err sub32' => 'Please add single host. This subnet is no network!', +'fwhost err srv exists' => 'A Service with this name already exists', +'fwhost err sub32' => 'Please add single host. This subnet is no network', 'fwhost green' => 'Green', 'fwhost hosts' => 'Firewall Hosts', 'fwhost hint' => 'Note', @@ -1039,7 +1039,7 @@ 'fwhost newgrp' => 'Address grouping', 'fwhost newservice' => 'Service', 'fwhost newservicegrp' => 'Service grouping', -'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!', +'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored.', 'fwhost menu' => 'Firewall Groups', 'fwhost orange' => 'Orange', 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', From fb70d3d54035db1c7427f8d42570980199455190 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Mon, 4 Feb 2013 11:21:33 +0100 Subject: [PATCH 086/306] Forward Firewall: changed sortorder of customhosts and bugfix when remark is changed --- html/cgi-bin/fwhosts.cgi | 32 ++++---------------------------- 1 file changed, 4 insertions(+), 28 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 88c32c4cc..a46777a58 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -519,7 +519,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $grp=$fwhostsettings{'grp_name'}; if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};} - ###check standard networks if ($fwhostsettings{'grp2'} eq 'std_net'){ @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; @@ -570,7 +569,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $fwhostsettings{'grp_name'}=''; $fwhostsettings{'remark'}=''; } - #get address from IPSEC HOST if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ @target=$fwhostsettings{'IPSEC_HOST'}; @@ -589,7 +587,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $fwhostsettings{'grp_name'}=''; $fwhostsettings{'remark'}=''; } - #check if host/net exists in grp my $test="$grp,$fwhostsettings{'oldremark'},@target"; foreach my $key (keys %customgrp) { @@ -599,7 +596,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $fwhostsettings{'update'} = 'on'; } } - if (!$errormessage){ #on first save, we have an empty @target, so fill it with nothing my $targetvalues=@target; @@ -607,7 +603,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') @target=$Lang::tr{'fwhost empty'}; } #on update, we have to delete the dummy entry - foreach my $key (keys %customgrp){ if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ delete $customgrp{$key}; 
@@ -616,21 +611,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') } &General::writehasharray("$configgrp", \%customgrp); &General::readhasharray("$configgrp", \%customgrp); - - - - #check if remark has also changed - if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $fwhostsettings{'update'} eq 'on') - { - foreach my $key (keys %customgrp) - { - if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'}) - { - $customgrp{$key}[1]=''; - $customgrp{$key}[1]=$rem; - } - } - } #get count used foreach my $key (keys %customgrp) { @@ -676,13 +656,11 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') } &General::writehasharray("$confighost", \%customhost); } - $fwhostsettings{'update'}='on'; - } - if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $errormessage) + if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} ) { - foreach my $key (keys %customgrp) + foreach my $key (sort keys %customgrp) { if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'}) { @@ -690,9 +668,8 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $customgrp{$key}[1]=$rem; } } - &General::writehasharray("$configsrvgrp", \%customservicegrp); + &General::writehasharray("$configgrp", \%customgrp); $errormessage=''; - $hint=$Lang::tr{'fwhost changeremark'}; $fwhostsettings{'update'}='on'; } #check if ruleupdate is needed @@ -702,7 +679,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') } &addgrp; &viewtablegrp; - } if ($fwhostsettings{'ACTION'} eq 'saveservice') { @@ -1394,7 +1370,7 @@ sub viewtablehost END } my $count=0; - foreach my $key (sort {$a <=> $b} keys %customhost) { + foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0])|| $a <=> $b } keys %customhost) { if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { print" "; }elsif ($count % 2){ print" ";} 
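Review bot: Dropping `&& $errormessage` from the remark condition in the `@@ -676` hunk means the `$errormessage='';` that survives in the `@@ -690` hunk now runs on every remark change, so a validation error raised earlier in the `savegrp` handler (for example the `fwhost err name` check visible in this patch's first hunk) is discarded and the page continues as if the save had succeeded. Either keep the original guard or stop blanking the message there, e.g. change the line to `$errormessage='' if $fwhostsettings{'update'} ne 'on';` only if that is the intended distinction, otherwise delete it so the earlier message surfaces. The corrected `writehasharray("$configgrp", \%customgrp)` target is right; `$rem` and the start and end of the `savegrp` handler are outside the hunks.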
From 7772ae734e9bc926c19adfbd9333471cdf300f6f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 4 Feb 2013 15:36:37 +0100 Subject: [PATCH 087/306] Forward Firewall: extended the accepted chars for group and servicenames NOw / () and _ are allowed, too --- html/cgi-bin/fwhosts.cgi | 52 ++++------------------------------------ 1 file changed, 5 insertions(+), 47 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index a46777a58..6b6a5ec23 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -120,9 +120,6 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost') } } &General::writehasharray("$confighost", \%customhost); - - - $fwhostsettings{'actualize'} = 'on'; $fwhostsettings{'ACTION'} = 'savehost'; } @@ -131,7 +128,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') my $count=0; my $needrules=0; $errormessage=&checkports(\%customservice); - if (!$errormessage){ &General::readhasharray("$configsrv", \%customservice); foreach my $key (keys %customservice) @@ -166,19 +162,16 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') $fwhostsettings{'SRV_NAME'} = ''; $fwhostsettings{'SRV_PORT'} = ''; $fwhostsettings{'PROT'} = ''; - }else{ $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'}; $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'}; $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'}; $fwhostsettings{'updatesrv'}= 'on'; } - if($needrules eq 'on'){ $errormessage="reread!"; &rules; } - &addservice; } # save @@ -187,7 +180,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) my $count=0; my $needrules=0; if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} - #check if all fields are set if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') { 
@@ -207,7 +199,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32') { $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'}; - } if($fwhostsettings{'error'} ne 'on'){ #check if we use one of ipfire's networks (green,orange,blue) @@ -240,14 +231,12 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) if (!$errormessage){ &plausicheck("editnet"); } - #check if network ip is part of an already used one if(&checksubnet(\%customnetwork)) { $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'}; $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; } - if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage) { $fwhostsettings{'actualize'} = ''; @@ -260,7 +249,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) &General::writehasharray("$confignet", \%customnetwork); undef %customnetwork; } - if (!$errormessage){ &General::readhasharray("$confignet", \%customnetwork); if ($fwhostsettings{'ACTION'} eq 'updatenet'){ @@ -345,23 +333,19 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) &viewtablenet; } } - } if ($fwhostsettings{'ACTION'} eq 'savehost') { my $count=0; my $needrules=0; if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};} - $fwhostsettings{'SUBNET'}='32'; - #check if all fields are set if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '') { $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; $fwhostsettings{'ACTION'} = 'edithost'; }else{ - if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ $fwhostsettings{'type'} = 'mac'; }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ 
@@ -374,13 +358,11 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $fwhostsettings{'type'} = ''; $errormessage=$Lang::tr{'fwhost err ipmac'}; } - if($fwhostsettings{'type'} eq 'mac' ) { if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ ) { $errormessage=$Lang::tr{'fwhost err mac'}; - } } #CHECK IP-PART @@ -392,7 +374,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'}; $fwhostsettings{'error'}='on'; } - }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){ $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'}; $fwhostsettings{'error'}='on'; @@ -403,14 +384,10 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $errormessage=$Lang::tr{'fwhost err hostip'}; } } - - - #only check plausi when no error till now if (!$errormessage){ &plausicheck("edithost"); } - if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){ $fwhostsettings{'actualize'} = ''; my $key = &General::findhasharraykey (\%customhost); @@ -425,9 +402,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $customhost{$key}[3] = $fwhostsettings{'count'}; &General::writehasharray("$confighost", \%customhost); undef %customhost; - } - if (!$errormessage){ #get count if host was edited if($fwhostsettings{'actualize'} eq 'on'){ @@ -484,7 +459,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') if($fwhostsettings{'newhost'} eq 'on'){$count=0;} $customhost{$key}[3] = $count; &General::writehasharray("$confighost", \%customhost); - #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); undef %customhost; $fwhostsettings{'HOSTNAME'}=''; @@ -500,9 +474,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') &addhost; &viewtablehost; } - } - } if ($fwhostsettings{'ACTION'} eq 'savegrp') { 
@@ -517,8 +489,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') &General::readhasharray("$confignet", \%customnetwork); &General::readhasharray("$confighost", \%customhost); $grp=$fwhostsettings{'grp_name'}; - - if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};} + if (!&validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};} ###check standard networks if ($fwhostsettings{'grp2'} eq 'std_net'){ @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; @@ -638,7 +609,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $customgrp{$key}[4] = $count; } &General::writehasharray("$configgrp", \%customgrp); - #update counter in Host/Net if($updcounter eq 'net'){ foreach my $key (keys %customnetwork) { @@ -683,10 +653,8 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') if ($fwhostsettings{'ACTION'} eq 'saveservice') { my $ICMP; - &General::readhasharray("$configsrv", \%customservice ); $errormessage=&checkports(\%customservice); - if ($fwhostsettings{'PROT'} eq 'ICMP'){ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ @@ -697,7 +665,6 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice') } if($ICMP eq ''){$ICMP='BLANK';} if (!$errormessage){ - my $key = &General::findhasharraykey (\%customservice); foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";} $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'}; @@ -711,11 +678,8 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice') $fwhostsettings{'SRV_PORT'}=''; $fwhostsettings{'PROT'}=''; $fwhostsettings{'ICMP_TYPES'}=''; - } - &addservice; - } if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') { 
@@ -724,13 +688,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') my $count=0; &General::readhasharray("$configsrvgrp", \%customservicegrp ); &General::readhasharray("$configsrv", \%customservice ); - $errormessage=&checkservicegroup; - if (!$errormessage){ #on first save, we have to enter a dummy value if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};} - #on update, we have to delete the dummy entry foreach my $key (keys %customservicegrp){ if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ @@ -770,14 +731,12 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') } } &General::writehasharray("$configsrv", \%customservice ); - my $key = &General::findhasharraykey (\%customservicegrp); foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";} $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'}; $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'}; $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'}; $customservicegrp{$key}[3] = $count; - &General::writehasharray("$configsrvgrp", \%customservicegrp ); $fwhostsettings{'updatesrvgrp'}='on'; } @@ -870,7 +829,6 @@ if ($fwhostsettings{'ACTION'} eq 'delhost') } &addhost; &viewtablehost; - } if ($fwhostsettings{'ACTION'} eq 'deletegrphost') { @@ -1605,7 +1563,7 @@ sub checkservicegroup #check name - if ( ! &General::validhostname($fwhostsettings{'SRVGRP_NAME'})) + if ( ! &validhostname($fwhostsettings{'SRVGRP_NAME'})) { $errormessage.=$Lang::tr{'fwhost err name'}."
"; return $errormessage; @@ -1955,7 +1913,7 @@ sub checkports $errormessage=$Lang::tr{'fwhost err port'}; } #check valid name - if (! &General::validhostname($fwhostsettings{'SRV_NAME'})){ + if (! &validhostname($fwhostsettings{'SRV_NAME'})){ $errormessage="
".$Lang::tr{'fwhost err name'};
 }
 #change dashes with :
@@ -1992,13 +1950,13 @@ sub validhostname
 if (length ($hostname) < 1 || length ($hostname) > 63) {
 return 0;}
 # Only valid characters are a-z, A-Z, 0-9 and -
- if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-\s]*$/) {
+ if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_()\/\s]*$/) {
 return 0;}
 # First character can only be a letter or a digit
 if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
 return 0;}
 # Last character can only be a letter or a digit
- if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
+ if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9()]*$/) {
 return 0;}
 return 1;
 }
From 5edf47ffbac2f7a8a668c8b64addd767c3df306b Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 6 Feb 2013 15:14:15 +0100
Subject: [PATCH 088/306] Forward Firewall: Bugfix: now the Protocols are corrected in the tablerule if a servicegroup was used
---
 html/cgi-bin/forwardfw.cgi | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index c3acfca28..7e173f505 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -1703,16 +1703,20 @@ sub get_serviceports
 $protocols=$customservice{$key}[2];
 }
 }
-
 }elsif($type eq 'group'){
 foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
 if ($customservicegrp{$key}[0] eq $name){
- if($customservicegrp{$key}[4] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
+ foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
+ if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
+ }
+ }
 }
 }
 }
- if($tcp){$protocols.="TCP";}
- if($udp){$protocols.=",UDP";}
+ if($tcp && $udp){$protocols="TCP,UDP";
+ }elsif($tcp){$protocols.="TCP";
+ }elsif($udp){$protocols.="UDP";}
 return $protocols;
 }
 sub viewtablerule
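Review bot: The widened class in `sub validhostname` writes `0-9-_`, which only works because Perl treats a hyphen directly after a completed range as a literal; putting the hyphen last and anchoring with `\A`/`\z` (the `$` anchor still admits a trailing newline) states the intent: `if ($hostname !~ /\A[a-zA-ZäöüÖÄÜ0-9_()\/\s-]*\z/) {`. The first-character check still rejects `(` while the last-character check now admits `)`, so `foo)` passes and `(foo)` fails, which looks unintended. Because names may now contain `/`, `(` and `)`, the callers switched from `General::validhostname` to this function in the earlier hunks of this patch should be confirmed to treat the name as data and never splice it into a path or command; that consuming code is outside this page.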
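Review bot: `else{$udp='UDP';}` in the new inner loop of `get_serviceports` classifies every non-TCP protocol as UDP, so a group member whose protocol is ICMP (a value the `saveservice` handler earlier on this page accepts) is reported as UDP; `elsif($customservice{$key1}[2] eq 'UDP'){$udp='UDP';}` avoids that. The tail mixes `=` and `.=` (`$protocols="TCP,UDP"` against `.="TCP"`), which is harmless only if `$protocols` is still empty on the group path, and its initialisation is outside the hunk. The inner `foreach` re-sorts and rescans all of `%customservice` for every group entry; a name-to-protocol hash built once before the outer loop would be simpler and linear. The function starts outside the hunk.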
From bfee206c989a77ae56701aec25a435262dcda1ee Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 7 Feb 2013 12:12:11 +0100
Subject: [PATCH 089/306] Forward Firewall: When changing a service which is used in a rule, the rule was destroyed. Now the configfiles of the firewall are adapted as needed.
---
 html/cgi-bin/fwhosts.cgi | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 6b6a5ec23..06522acc1 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -151,6 +151,30 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
 $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'};
 $customservice{$key1}[4] = $count;
 &General::writehasharray("$configsrv", \%customservice);
+
+ #check if we need to update configfiles for rules
+ if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+ foreach my $key (sort keys %fwfwd){
+ if ($fwfwd{$key}[15] eq $fwhostsettings{'oldsrvname'}){
+ $fwfwd{$key}[15] = $fwhostsettings{'SRV_NAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", \%fwfwd);
+ $needrules='on';
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[15] eq $fwhostsettings{'oldsrvname'}){
+ $fwfwd{$line}[15] = $fwhostsettings{'SRV_NAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", \%fwinp);
+ }
+ $needrules='on';
+ }
 if($fwhostsettings{'updatesrv'} eq 'on'){
 if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
 $needrules='on';
@@ -169,7 +193,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
 $fwhostsettings{'updatesrv'}= 'on';
 }
 if($needrules eq 'on'){
- $errormessage="reread!";
 &rules;
 }
 &addservice;
From 0013abb07c6dda5f4a67ec2a2025e8d1007c4417 Mon Sep 17 00:00:00 2001
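Review bot: The second block of the `@@ -151` hunk iterates `%fwinp` but tests and assigns `$fwfwd{$line}[15]`, so a renamed service is never updated in the input-rule file and `writehasharray` writes `%fwinp` back unchanged; the two lines should read `if ($fwinp{$line}[15] eq $fwhostsettings{'oldsrvname'}){` and `$fwinp{$line}[15] = $fwhostsettings{'SRV_NAME'};`. `! -z $file` is also true when the file does not exist, because `-z` returns undef then, so `readhasharray` is called on a missing file; `-s $file` expresses "exists and is non-empty". The later patches on this page (PATCH 091 and 092) touch neighbouring lines of this loop but not these two, so the fix is still needed after them. The `updateservice` handler starts outside the hunk.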
From: Alexander Marx Date: Thu, 7 Feb 2013 13:17:25 +0100 Subject: [PATCH 090/306] Forward Firewall: changed sortorder of servicedropdown in servicegrouping. catched F5 when editing a host-Now no entry is saved in customhosts table theres only the IP shown (deleted subnet) --- html/cgi-bin/fwhosts.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 06522acc1..900928d82 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -482,7 +482,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') if($fwhostsettings{'newhost'} eq 'on'){$count=0;} $customhost{$key}[3] = $count; &General::writehasharray("$confighost", \%customhost); - #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); undef %customhost; $fwhostsettings{'HOSTNAME'}=''; $fwhostsettings{'IP'}=''; @@ -1269,7 +1268,7 @@ END $Lang::tr{'fwhost cust service'} @@ -1748,9 +1747,10 @@ sub plausicheck &General::readhasharray("$confighost", \%customhost); if (!&checkname(\%customhost)) { - $errormessage=$errormessage."
".$Lang::tr{'fwhost err hostexist'}; + $errormessage.="
".$Lang::tr{'fwhost err hostexist'}; $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + #if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + $fwhostsettings{'ACTION'}=$edit; } #check if host with this ip already exists if (!&checkip(\%customhost,2)) From ed73b87ece9ecefd829dde86cc3a559172d3bbcd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 7 Feb 2013 15:24:19 +0100 Subject: [PATCH 091/306] Forward Firewall: some code optimizations --- html/cgi-bin/fwhosts.cgi | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 900928d82..c23c90937 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -152,7 +152,7 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') $customservice{$key1}[4] = $count; &General::writehasharray("$configsrv", \%customservice); - #check if we need to update configfiles for rules + #check if we need to update firewallrules if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){ if ( ! -z $fwconfigfwd ){ &General::readhasharray("$fwconfigfwd", \%fwfwd); @@ -162,7 +162,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') } } &General::writehasharray("$fwconfigfwd", \%fwfwd); - $needrules='on'; } if ( ! -z $fwconfiginp ){ &General::readhasharray("$fwconfiginp", \%fwinp); 
@@ -175,14 +174,14 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') } $needrules='on'; } - if($fwhostsettings{'updatesrv'} eq 'on'){ - if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ - $needrules='on'; - } - if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ - $needrules='on'; - } + + if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ + $needrules='on'; } + if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ + $needrules='on'; + } + $fwhostsettings{'SRV_NAME'} = ''; $fwhostsettings{'SRV_PORT'} = ''; $fwhostsettings{'PROT'} = ''; @@ -1749,14 +1748,12 @@ sub plausicheck { $errormessage.="
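Review bot: The two re-indented conditions `if($count gt 0 && ...)` compare `$count` as a string; `gt` happens to give the right answer against `0` for plain non-negative integers, but `>` states the intent and matches the `gt`-to-`>` corrections made in later patches on this page. Both blocks set the same flag and could be one statement: `if ($count > 0 && ($fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} || $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'})) { $needrules='on'; }`. Removing the `updatesrv eq 'on'` guard means these checks now run on every path reaching this point, which is presumably intended but deserves a one-line comment. The enclosing handler starts outside the hunk.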
".$Lang::tr{'fwhost err hostexist'}; $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - #if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} - $fwhostsettings{'ACTION'}=$edit; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} } #check if host with this ip already exists if (!&checkip(\%customhost,2)) { $errormessage=$errormessage."
".$Lang::tr{'fwhost err ipcheck'}; - } From bfac6bd4dc79788c16d66b29b84d3ecb6d105653 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 8 Feb 2013 06:00:41 +0100 Subject: [PATCH 092/306] Forward Firewall: when a service is used in a servicegroup, it was not updated when editing the service --- html/cgi-bin/fwhosts.cgi | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index c23c90937..6ce7ac8df 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -151,7 +151,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'}; $customservice{$key1}[4] = $count; &General::writehasharray("$configsrv", \%customservice); - #check if we need to update firewallrules if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){ if ( ! -z $fwconfigfwd ){ @@ -172,9 +171,19 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') } &General::writehasharray("$fwconfiginp", \%fwinp); } + #check if we need to update groups + &General::readhasharray("$configsrvgrp", \%customservicegrp); + foreach my $key (sort keys %customservicegrp){ + if($customservicegrp{$key}[2] eq $fwhostsettings{'oldsrvname'}){ + $customservicegrp{$key}[2] = $fwhostsettings{'SRV_NAME'}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $needrules='on'; } + if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ $needrules='on'; } From 5e9707230693d7f3e180ec6a711f54dd0c224ab7 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 8 Feb 2013 08:07:45 +0100 Subject: [PATCH 093/306] Forward Firewall: Fixes Problem when editing a host and afterwards pressing F5, a emtpy entry was created in customhosts --- html/cgi-bin/fwhosts.cgi | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 6ce7ac8df..fb39ed86c 100755 
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -108,7 +108,6 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
 {
 if($customhost{$key}[0] eq $fwhostsettings{'orgname'})
 {
- $fwhostsettings{'orgname'} = $customhost{$key}[0];
 if ($customhost{$key}[1] eq 'ip'){
 ($ip,$subnet) = split (/\//,$customhost{$key}[2]);
 }else{
@@ -117,11 +116,15 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
 $fwhostsettings{'orgip'} = $ip;
 $fwhostsettings{'count'} = $customhost{$key}[3];
 delete $customhost{$key};
+ &General::writehasharray("$confighost", \%customhost);
 }
 }
- &General::writehasharray("$confighost", \%customhost);
 $fwhostsettings{'actualize'} = 'on';
+ if($fwhostsettings{'orgip'}){
 $fwhostsettings{'ACTION'} = 'savehost';
+ }else{
+ $fwhostsettings{'ACTION'} = $Lang::tr{'fwhost newhost'};
+ }
 }
 if ($fwhostsettings{'ACTION'} eq 'updateservice')
 {
From 13e5dda402cac2e441d029459e152750c2493e7f Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Fri, 8 Feb 2013 10:33:04 +0100
Subject: [PATCH 094/306] Forward Firewall: when editing a group the rules where not read correctly, because of wrong COUNT
---
 html/cgi-bin/fwhosts.cgi | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index fb39ed86c..bb1b34920 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -750,7 +750,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
 {
 if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'})
 {
- $count=$customservicegrp{$key}[5];
+ $count=$customservicegrp{$key}[3];
 last;
 }
 }
@@ -1611,7 +1611,6 @@ sub checkservicegroup
 {
 $errormessage.=$Lang::tr{'fwhost err groupempty'}."
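Review bot: `&General::writehasharray("$confighost", \%customhost);` now sits inside the `foreach` over `keys %customhost`, so the file is rewritten once per matching entry while the loop keeps running; setting a flag in the loop and writing once after it, `&General::writehasharray("$confighost", \%customhost) if $found;`, keeps the new behaviour of leaving the file untouched when nothing matched. Assigning `$Lang::tr{'fwhost newhost'}` to `$fwhostsettings{'ACTION'}` makes control flow depend on a translated UI string; if the handler it targets also compares against `$Lang::tr{'fwhost newhost'}` that is consistent, but a comment such as `# fall back to the "new host" form when the edited host no longer exists` would spare the next reader a search. The `updatehost` handler starts outside the hunk.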
"; } - #check if name already exists if ($fwhostsettings{'updatesrvgrp'} ne 'on'){ foreach my $key (keys %customservicegrp) { @@ -1623,14 +1622,10 @@ sub checkservicegroup } #check if service already exists in group foreach my $key (keys %customservicegrp) { - if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){ - $errormessage.=$Lang::tr{'fwhost err srvexist'}."
"; - - } + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){ + $errormessage.=$Lang::tr{'fwhost err srvexist'}."
"; } - - - + } return $errormessage; } sub error From 5de39dea9c1ebbdf7c2a9407dafd3900677ac9db Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 8 Feb 2013 11:03:06 +0100 Subject: [PATCH 095/306] Forward Firewall: If editing an external access rule and producing an error, the FORWARD Rule with same ID is displayed instead of INPUT rule --- html/cgi-bin/forwardfw.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7e173f505..481648498 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ + $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'chain'} = 'INPUTFW'; my $maxkey=&General::findhasharraykey(\%configinputfw); #check if we have an identical rule already @@ -206,6 +207,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; }else{ #FORWARD PART + $fwdfwsettings{'config'}=$configfwdfw; $fwdfwsettings{'chain'} = 'FORWARDFW'; my $maxkey=&General::findhasharraykey(\%configfwdfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ From 0918e51633a3c1582ce075b6e6dc71d0a07566be Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 9 Feb 2013 13:46:25 +0100 Subject: [PATCH 096/306] Forward Firewall: fixed repositioning function and Networks or broadcasts are now allowed as target --- html/cgi-bin/forwardfw.cgi | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 481648498..3026e00ab 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -735,12 +735,12 @@ sub checktarget $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); - #check if net or broadcast - my @tmp= split (/\./,$ip); - if ($tmp[3] eq "0" || ($tmp[3] eq "255")) - { - $errormessage=$Lang::tr{'fwhost err hostip'}."
"; - } + ##check if net or broadcast + #my @tmp= split (/\./,$ip); + #if ($tmp[3] eq "0" || ($tmp[3] eq "255")) + #{ + #$errormessage=$Lang::tr{'fwhost err hostip'}."
"; + #} $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ @@ -1546,7 +1546,7 @@ sub saverule } } &General::writehasharray("$config", $hash); - if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){ + if($fwdfwsettings{'oldrulenumber'} > $fwdfwsettings{'rulepos'}){ my %tmp=(); my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'}; for (my $z=0;$z<$val;$z++){ @@ -1573,7 +1573,7 @@ sub saverule } &General::writehasharray("$config", $hash); &rules; - }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){ + }elsif($fwdfwsettings{'rulepos'} > $fwdfwsettings{'oldrulenumber'}){ my %tmp=(); my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'}; for (my $z=0;$z<$val;$z++){ From 8f204435d41f19c0e79b3ab0fb364606b8eb1522 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 10 Feb 2013 10:53:16 +0100 Subject: [PATCH 097/306] Forward Firewall: When a group has only one entry and the group is used, it is not possiblle to delete the group --- html/cgi-bin/fwhosts.cgi | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index bb1b34920..1ace2692e 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -182,18 +182,14 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') } } &General::writehasharray("$configsrvgrp", \%customservicegrp); - $needrules='on'; } - - if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){ $needrules='on'; } if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ $needrules='on'; } - $fwhostsettings{'SRV_NAME'} = ''; $fwhostsettings{'SRV_PORT'} = ''; $fwhostsettings{'PROT'} = ''; @@ -1367,6 +1363,7 @@ END }elsif ($count % 2){ print" ";} else{ print" ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); + $customhost{$key}[3]=~s/\s+//g; print<$customhost{$key}[0]$ip$customhost{$key}[3]x 
@@ -1400,18 +1397,18 @@ sub viewtablegrp &General::readhasharray("$confignet", \%customnetwork); my @grp=(); my $helper=''; - my $count=0; + my $count=1; my $grpname; my $remark; - my $number=keys %customgrp; + my $number=1; if (!keys %customgrp) { print "
$Lang::tr{'fwhost empty'}"; }else{ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ - $count++; if ($helper ne $customgrp{$key}[0]){ + $number=1; $grpname=$customgrp{$key}[0]; $remark=$customgrp{$key}[1]; if($count >=2){print"";} @@ -1443,7 +1440,7 @@ sub viewtablegrp }else{ print"$ip$customgrp{$key}[3]"; } - if ($number gt '1' && $ip ne ''){ + if ($number > 1 && $ip ne ''){ print""; } print""; From 12dcfbbdbe38f8b81a3969f70516511ec779d011 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 11 Feb 2013 05:51:42 +0100 Subject: [PATCH 098/306] Forward Firewall: Portfw now working and firewall closed correctly --- html/cgi-bin/fwhosts.cgi | 3 ++- src/initscripts/init.d/firewall | 13 ++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1ace2692e..face57b32 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1400,7 +1400,7 @@ sub viewtablegrp my $count=1; my $grpname; my $remark; - my $number=1; + my $number; if (!keys %customgrp) { print "
$Lang::tr{'fwhost empty'}"; @@ -1446,6 +1446,7 @@ sub viewtablegrp print""; $helper=$customgrp{$key}[0]; + $number++; } print""; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c2308d3c0..ed7509ff2 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -211,7 +211,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange @@ -227,7 +227,11 @@ case "$1" in /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - + + # PORTFWACCESS chain, used for portforwarding + /sbin/iptables -N PORTFWACCESS + /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS + # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL @@ -244,15 +248,10 @@ case "$1" in # DMZ pinhole chain. # ORANGE to talk to GREEN / BLUE. - if [ "$ORANGE_DEV" != "" ]; then /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW fi - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID From cd9d9d8a13405e380ad0422d2b47f48d9ef1f8a4 Mon Sep 17 00:00:00 2001 
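Review bot: The GREEN forward rule in `@@ -211` is commented out rather than removed, and nothing says that forwarding from GREEN is now decided by the later chains instead of being accepted outright; a dead rule in an init script invites someone to re-enable it without knowing why it was switched off. Replace the commented line with a short comment such as `# Forwarding from GREEN is no longer accepted unconditionally; the FORWARDFW chain decides below.`. `@@ -227` and `@@ -244` move the PORTFWACCESS chain ahead of the OPENSSL rules and the ORANGE-to-FORWARDFW jump, which changes the order in which forwarded packets are evaluated; if that ordering is what makes port forwarding work, the new `# PORTFWACCESS chain` comment should say it must be consulted before FORWARDFW so a later tidy-up does not undo it. The case branch these hunks sit in starts and ends outside them.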
From: Alexander Marx Date: Wed, 13 Feb 2013 13:31:55 +0100 Subject: [PATCH 099/306] Forward Firewall: added "apply" button to groupmanagement. Now the user can make all changes and finally click apply button to reread firewallrules. Also added a comment in de.pl and en.pl which should remiond the user to click the button. --- html/cgi-bin/forwardfw.cgi | 2 +- html/cgi-bin/fwhosts.cgi | 27 ++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 2 +- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 3026e00ab..9f89fe7fe 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -552,7 +552,7 @@ sub addrule print ""; print ""; if (-f "${General::swroot}/forward/reread"){ - print ""; + print ""; } print"
$Lang::tr{'fwhost reread'}

"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index face57b32..636cf65e4 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -80,6 +80,11 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } &Header::openbigbox('100%', 'center'); ## ACTION #### +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &showmenu; +} # Update if ($fwhostsettings{'ACTION'} eq 'updatenet' ) { @@ -1003,9 +1008,15 @@ sub showmenu -

+
END + + if (-f "${General::swroot}/fwhosts/reread"){ + print "$Lang::tr{'fwhost reread'}"; + } + print""; + &Header::closebox(); } @@ -1877,9 +1888,19 @@ sub getipforgroup } sub rules { - system ("/usr/local/bin/forwardfwctrl"); - system("rm ${General::swroot}/forward/reread"); + if (!-f "${General::swroot}/fwhosts/reread"){ + system("touch ${General::swroot}/fwhosts/reread"); + } } +sub reread_rules +{ + system ("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/fwhosts/reread"){ + system("rm ${General::swroot}/fwhosts/reread"); + } + +} + sub decrease { my $grp=$_[0]; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d2c1f0383..141145eae 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1018,6 +1018,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protokoll', +'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.', 'fwhost reset' => 'Abbrechen', 'fwhost services' => 'Dienste', 'fwhost srv_name' => 'Dienstname', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 955d3cfbf..1d0c3e7cf 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1045,6 +1045,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', +'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', @@ -2480,7 +2481,6 @@ 'wlan client wpa mode tkip tkip' => 'TKIP-TKIP', 'wlanap access point' => 'Access Point', 'wlanap channel' => 'Channel', -'wlanap country' => 'Country Code', 'wlanap debugging' => 'Debugging', 'wlanap del interface' => 'Remove selected interface?', 'wlanap encryption' => 'Encryption', From 6c8699612cdb1fec557f02b2e4ee22750e7b1ff7 Mon Sep 17 00:00:00 2001 
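Review bot: `reread_rules` in `@@ -1877` runs `/usr/local/bin/forwardfwctrl` without checking the return value of `system`, and both subs create and delete the flag file through a shell (`system("touch …")`, `system("rm …")`) where Perl builtins do the job without a child process and with `$!` on failure: `open my $fh, '>', "${General::swroot}/fwhosts/reread" or warn "reread flag: $!"; close $fh;` in `rules`, and `unlink "${General::swroot}/fwhosts/reread" or warn "reread flag: $!";` in `reread_rules`. The old `rules` removed `${General::swroot}/forward/reread`, which forwardfw.cgi still tests in `@@ -552` of this commit, and nothing in this hunk clears that file any more; unless forwardfw.cgi removes it itself, its apply prompt may persist after a reread. `rules` also no longer applies anything, so a one-line comment `# Only marks the rule set as stale; reread_rules applies it.` would stop its name misleading callers.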
From: Alexander Marx Date: Thu, 14 Feb 2013 17:23:11 +0100 Subject: [PATCH 100/306] Forward Firewall: added extra button for changing remark --- html/cgi-bin/fwhosts.cgi | 350 ++++++++++++++++++++++----------------- 1 file changed, 196 insertions(+), 154 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 636cf65e4..c45b0de58 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -512,7 +512,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') } if ($fwhostsettings{'ACTION'} eq 'savegrp') { - my $grp; + my $grp=$fwhostsettings{'grp_name'};; my $rem=$fwhostsettings{'remark'}; my $count; my $type; @@ -522,94 +522,106 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$confignet", \%customnetwork); &General::readhasharray("$confighost", \%customhost); - $grp=$fwhostsettings{'grp_name'}; - if (!&validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};} - ###check standard networks - if ($fwhostsettings{'grp2'} eq 'std_net'){ - @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; - $type='Standard Network'; + #check name + if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};} + #check remark + if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){ + $errormessage.=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'update'} = 'on'; + $fwhostsettings{'remark'}=$fwhostsettings{'oldremark'}; + &addgrp; + &viewtablegrp; } - ##check custom networks - if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){ - @target=$fwhostsettings{'CUST_SRC_NET'}; - $updcounter='net'; - $type='Custom Network'; - }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; - $fwhostsettings{'grp_name'}=''; - $fwhostsettings{'remark'}=''; - } - #check custom addresses - if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){ - @target=$fwhostsettings{'CUST_SRC_HOST'}; - $updcounter='host'; - $type='Custom Host'; - }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; - $fwhostsettings{'grp_name'}=''; - $fwhostsettings{'remark'}=''; - } - #get address from ovpn ccd static net - if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){ - @target=$fwhostsettings{'OVPN_CCD_NET'}; - $type='OpenVPN static network'; - }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}; - $fwhostsettings{'grp_name'}=''; - $fwhostsettings{'remark'}=''; - } - #get address from ovpn ccd static host - if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){ - @target=$fwhostsettings{'OVPN_CCD_HOST'}; - $type='OpenVPN static host'; - }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}; - } - #get address from ovpn ccd Net-2-Net - if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){ - @target=$fwhostsettings{'OVPN_N2N'}; - $type='OpenVPN N-2-N'; - }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}; - $fwhostsettings{'grp_name'}=''; - $fwhostsettings{'remark'}=''; - } - #get address from IPSEC HOST - if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ - @target=$fwhostsettings{'IPSEC_HOST'}; - $type='IpSec Host'; - }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}; - $fwhostsettings{'grp_name'}=''; - $fwhostsettings{'remark'}=''; - } - #get address from IPSEC NETWORK - if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){ - @target=$fwhostsettings{'IPSEC_NET'}; - $type='IpSec Network'; - }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){ - $errormessage=$Lang::tr{'fwhost err groupempty'}; - $fwhostsettings{'grp_name'}=''; - 
$fwhostsettings{'remark'}=''; - } - #check if host/net exists in grp - my $test="$grp,$fwhostsettings{'oldremark'},@target"; - foreach my $key (keys %customgrp) { - my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; - if ($test1 eq $test){ - $errormessage=$Lang::tr{'fwhost err isingrp'}; - $fwhostsettings{'update'} = 'on'; + if ($fwhostsettings{'update'} eq 'on'){ + #check standard networks + if ($fwhostsettings{'grp2'} eq 'std_net'){ + @target=$fwhostsettings{'DEFAULT_SRC_ADR'}; + $type='Standard Network'; + } + #check custom networks + if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_NET'}; + $updcounter='net'; + $type='Custom Network'; + }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #check custom addresses + if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){ + @target=$fwhostsettings{'CUST_SRC_HOST'}; + $updcounter='host'; + $type='Custom Host'; + }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}."
"; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static net + if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_NET'}; + $type='OpenVPN static network'; + }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from ovpn ccd static host + if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){ + @target=$fwhostsettings{'OVPN_CCD_HOST'}; + $type='OpenVPN static host'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + } + #get address from ovpn ccd Net-2-Net + if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){ + @target=$fwhostsettings{'OVPN_N2N'}; + $type='OpenVPN N-2-N'; + }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC HOST + if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ + @target=$fwhostsettings{'IPSEC_HOST'}; + $type='IpSec Host'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC NETWORK + if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){ + @target=$fwhostsettings{'IPSEC_NET'}; + $type='IpSec Network'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + 
$fwhostsettings{'remark'}=''; + } + #check if host/net exists in grp + + my $test="$grp,$fwhostsettings{'oldremark'},@target"; + foreach my $key (keys %customgrp) { + my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; + if ($test1 eq $test){ + $errormessage=$Lang::tr{'fwhost err isingrp'}; + $fwhostsettings{'update'} = 'on'; + } } } + if (!$errormessage){ #on first save, we have an empty @target, so fill it with nothing my $targetvalues=@target; if ($targetvalues == '0'){ - @target=$Lang::tr{'fwhost empty'}; + @target="none"; } #on update, we have to delete the dummy entry foreach my $key (keys %customgrp){ - if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ + if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq "none"){ delete $customgrp{$key}; last; } @@ -662,20 +674,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') } $fwhostsettings{'update'}='on'; } - if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} ) - { - foreach my $key (sort keys %customgrp) - { - if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'}) - { - $customgrp{$key}[1]=''; - $customgrp{$key}[1]=$rem; - } - } - &General::writehasharray("$configgrp", \%customgrp); - $errormessage=''; - $fwhostsettings{'update'}='on'; - } #check if ruleupdate is needed if($count > 0 ) { @@ -725,10 +723,12 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') $errormessage=&checkservicegroup; if (!$errormessage){ #on first save, we have to enter a dummy value - if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};} + if ($fwhostsettings{'CUST_SRV'} eq ''){ + $fwhostsettings{'CUST_SRV'}='none'; + } #on update, we have to delete the dummy entry foreach my $key (keys %customservicegrp){ - if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){ + if ($customservicegrp{$key}[2] eq 'none'){ delete $customservicegrp{$key}; last; } 
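Review bot: In `@@ -522` the remark-validation branch calls `&addgrp; &viewtablegrp;` and then falls through, and because it also sets `update` to `'on'` the target checks and the dummy-entry handling run on a request that has already been reported as invalid; if the handler ends with the usual `&addgrp; &viewtablegrp;` (outside the hunk, inferred from the other ACTION blocks) the form is printed twice. Wrapping the remainder of the handler in `if (!$errormessage) { … }` right after that branch keeps the error and success paths apart. Two smaller points in the same hunk: `@target="none";` is a scalar assignment to an array and reads as a typo, `@target=('none');` is the idiom; and `if ($targetvalues == '0')` mixes a numeric comparison with a string literal, `if (!@target)` says the same thing. The `"none"` placeholder now appears as a bare literal here, in `@@ -725` and in the two view routines, so a single file-level constant would make the sentinel greppable.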
@@ -774,20 +774,6 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') &General::writehasharray("$configsrvgrp", \%customservicegrp ); $fwhostsettings{'updatesrvgrp'}='on'; } - if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $errormessage){ - foreach my $key (keys %customservicegrp) - { - if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'}) - { - $customservicegrp{$key}[1]=''; - $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'}; - } - } - &General::writehasharray("$configsrvgrp", \%customservicegrp); - $errormessage=''; - $hint=$Lang::tr{'fwhost changeremark'}; - $fwhostsettings{'update'}='on'; - } if ($count gt 0){ &rules; } 
@@ -994,6 +980,62 @@ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'}) &addservicegrp; &viewtableservicegrp; } +if ($fwhostsettings{'ACTION'} eq 'changegrpremark') +{ + &General::readhasharray("$configgrp", \%customgrp); + if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && &validremark($fwhostsettings{'newrem'})){ + foreach my $key (sort keys %customgrp) + { + #$customgrp{$key}[1]=~ s/\|/,/g; + if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'}) + { + #$fwhostsettings{'newrem'}=~ s/,/\|/g; + $customgrp{$key}[1]=''; + $customgrp{$key}[1]=$fwhostsettings{'newrem'}; + } + } + &General::writehasharray("$configgrp", \%customgrp); + $fwhostsettings{'update'}='on'; + #$fwhostsettings{'newrem'}=~ s/\|/,/g; + $fwhostsettings{'remark'}=$fwhostsettings{'newrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'}; + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + $fwhostsettings{'update'} = 'on'; + } + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') +{ + &General::readhasharray("$configsrvgrp", \%customservicegrp ); + if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && &validremark($fwhostsettings{'newsrvrem'})){ + foreach my $key (sort keys %customservicegrp) + { + #$customservicegrp{$key}[1]=~ s/\|/,/g; + if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'}) + { + #$fwhostsettings{'newsrvrem'}=~ s/,/|/g; + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'}; + } + } + &General::writehasharray("$configsrvgrp", \%customservicegrp); + $fwhostsettings{'updatesrvgrp'}='on'; + #$fwhostsettings{'newsrvrem'}=~ s/\|/,/g; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err 
remark'}; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'}; + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + $fwhostsettings{'updatesrvgrp'} = 'on'; + } + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + &addservicegrp; + &viewtableservicegrp; +} ### VIEW ### if($fwhostsettings{'ACTION'} eq '') { @@ -1081,7 +1123,8 @@ sub addgrp $checked{'check1'}{'on'} = ''; $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED'; $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'}; - + my $grp=$fwhostsettings{'grp_name'}; + my $rem=$fwhostsettings{'remark'}; if ($fwhostsettings{'update'} eq ''){ print<
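Review bot: In `@@ -994` the `else` branch of `changegrpremark` reports `'fwhost err remark'` whenever `oldrem` equals `newrem`, so submitting the form with the remark unchanged is shown to the user as an invalid remark; the two conditions need separate handling, e.g. `if ($fwhostsettings{'oldrem'} eq $fwhostsettings{'newrem'}) { … nothing to do … } elsif (!&validremark($fwhostsettings{'newrem'})) { $errormessage=$Lang::tr{'fwhost err remark'}; … }`. The `changesrvgrpremark` block below it is the same code with different hash and key names, which makes it a candidate for one `_change_remark($file, \%hash, $name, $old, $new)` helper, and `$fwhostsettings{'grp_name'}` is assigned both inside the `else` and again unconditionally after it. The commented-out `s/\|/,/g` lines should be dropped rather than shipped.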
@@ -1090,18 +1133,14 @@ sub addgrp END }else{ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -
+ +
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:
+
END - } if ($fwhostsettings{'update'} eq 'on'){ - - print<$Lang::tr{'fwhost stdnet'} # - print<

- $Lang::tr{'fwhost attention'}:
- $Lang::tr{'fwhost macwarn'}

-END + print"

$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}

"; } - print< -
-
$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost cust addr'}
-END - + print""; + print"
"; &Header::closebox(); } sub addservice @@ -1264,7 +1291,6 @@ sub addservicegrp &showmenu; &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'}); $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'}; - if ($fwhostsettings{'updatesrvgrp'} eq ''){ print<
@@ -1274,15 +1300,15 @@ sub addservicegrp END }else{ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -
- + + + +
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:

END } if($fwhostsettings{'updatesrvgrp'} eq 'on'){ print< +
$Lang::tr{'fwhost cust service'}
END - &Header::closebox(); } # View @@ -1420,8 +1445,9 @@ sub viewtablegrp $count++; if ($helper ne $customgrp{$key}[0]){ $number=1; + if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};} $grpname=$customgrp{$key}[0]; - $remark=$customgrp{$key}[1]; + $remark="$customgrp{$key}[1]"; if($count >=2){print"";} print "
$grpname    "; print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); @@ -1435,11 +1461,13 @@ sub viewtablegrp } if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { print" "; - }elsif ($count %2 == 0){print"";}else{print"";} + }elsif ($count %2 == 0){ + print""; + }else{ + print""; + } my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]); if ($ip eq ''){print"";} - - print ""; if($customgrp{$key}[3] eq 'Standard Network'){ print &get_name($customgrp{$key}[2]).""; @@ -1523,7 +1551,10 @@ sub viewtableservicegrp $count++; if ($helper ne $customservicegrp{$key}[0]){ $grpname=$customservicegrp{$key}[0]; - $remark=$customservicegrp{$key}[1]; + if ($customservicegrp{$key}[2] eq "none"){ + $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'}; + } + $remark="$customservicegrp{$key}[1]"; if($count >=2){print"";} print "
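Review bot: `@@ -1420` and `@@ -1523` rewrite `$customgrp{$key}[2]` and `$customservicegrp{$key}[2]` in place, replacing the `"none"` sentinel with the translated `'fwhost empty'` text inside a view routine; these hashes appear to be script-level (they are filled by `readhasharray` without a local declaration) and are written back with `writehasharray` elsewhere, so any later write in the same request would persist a localized string where the rest of the script compares against `"none"`. A display-only value avoids that: `my $shown = $customgrp{$key}[2] eq "none" ? $Lang::tr{'fwhost empty'} : $customgrp{$key}[2];`. `$remark="$customgrp{$key}[1]";` is a no-op stringification and can stay the plain assignment it replaced. The enclosing foreach runs outside the hunk.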
$grpname     "; print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); @@ -1537,8 +1568,7 @@ sub viewtableservicegrp } if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { print" "; - } - if ($count %2 == 0){ + }elsif ($count %2 == 0){ print""; }else{ print""; @@ -1610,11 +1640,6 @@ sub checkservicegroup $errormessage.=$Lang::tr{'fwhost err name'}."
"; return $errormessage; } - #check remark - if ( ($fwhostsettings{'SRVGRP_REMARK'} ne '') && (! &validhostname($fwhostsettings{'SRVGRP_REMARK'}))) - { - $errormessage.=$Lang::tr{'fwhost err remark'}."
"; - } #check empty selectbox if (keys %customservice lt 1) { @@ -1900,7 +1925,6 @@ sub reread_rules } } - sub decrease { my $grp=$_[0]; @@ -2006,6 +2030,24 @@ sub validhostname return 0;} return 1; } - +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 255) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { + return 0;} + return 1; +} &Header::closebigbox(); &Header::closepage(); From 2cee24627a50955ee1ab6b1414ce9d5aa7feeb2c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 15 Feb 2013 06:21:00 +0100 Subject: [PATCH 101/306] Forward Firewall: Changed "apply" button to be more eye-catching (red font) also some minor bugfixes (The last entry in a used group can not be deleted) --- html/cgi-bin/forwardfw.cgi | 2 +- html/cgi-bin/fwhosts.cgi | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 9f89fe7fe..2e783ce46 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -552,7 +552,7 @@ sub addrule print ""; print ""; if (-f "${General::swroot}/forward/reread"){ - print ""; + print ""; } print"
$Lang::tr{'fwhost reread'}$Lang::tr{'fwhost reread'}

"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index c45b0de58..c1229b363 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1055,7 +1055,7 @@ END if (-f "${General::swroot}/fwhosts/reread"){ - print "$Lang::tr{'fwhost reread'}"; + print "$Lang::tr{'fwhost reread'}"; } print""; @@ -1437,6 +1437,7 @@ sub viewtablegrp my $grpname; my $remark; my $number; + my $delflag; if (!keys %customgrp) { print "
$Lang::tr{'fwhost empty'}"; @@ -1444,6 +1445,17 @@ sub viewtablegrp foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ $count++; if ($helper ne $customgrp{$key}[0]){ + $delflag='0'; + foreach my $key1 (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ + if ($customgrp{$key}[0] eq $customgrp{$key1}[0]) + { + $delflag++; + } + #if($delflag > 0){ + #last; + #} + + } $number=1; if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};} $grpname=$customgrp{$key}[0]; @@ -1459,6 +1471,7 @@ sub viewtablegrp print"
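Review bot: The `$delflag` count in `@@ -1444` runs a doubly-sorted pass over all of `%customgrp` for every group header, so the view is O(n²) with two sorts per group for a value whose order does not matter; `my $delflag = grep { $customgrp{$_}[0] eq $customgrp{$key}[0] } keys %customgrp;` yields the same member count in one line and makes the commented-out `last` block unnecessary. The same loop is copied into `viewtableservicegrp` by PATCH 102 (`@@ -1563`), where the `grep` form applies equally. `$delflag='0';` initialises a counter with a string; `0` is what the later `$delflag++` and `> '1'` treat it as anyway.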
"; print""; } + if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { print" "; }elsif ($count %2 == 0){ @@ -1479,7 +1492,7 @@ sub viewtablegrp }else{ print""; From d13a936349b048eb5515699fea46c7242b9c95ac Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 15 Feb 2013 08:15:51 +0100 Subject: [PATCH 102/306] Forward Firewall: Last rule in servicegroup is not deletable if group is used --- html/cgi-bin/fwhosts.cgi | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index c1229b363..6db70463d 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1451,10 +1451,9 @@ sub viewtablegrp { $delflag++; } - #if($delflag > 0){ - #last; - #} - + if($delflag > 1){ + last; + } } $number=1; if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};} @@ -1555,6 +1554,7 @@ sub viewtableservicegrp my $helper; my $port; my $protocol; + my $delflag; if (! -z $configsrvgrp){ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); @@ -1563,6 +1563,16 @@ sub viewtableservicegrp foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){ $count++; if ($helper ne $customservicegrp{$key}[0]){ + $delflag=0; + foreach my $key1 (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0]) + { + $delflag++; + } + if($delflag > 1){ + last; + } + } $grpname=$customservicegrp{$key}[0]; if ($customservicegrp{$key}[2] eq "none"){ $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'}; @@ -1595,7 +1605,7 @@ sub viewtableservicegrp } } print""; 
From 3f8fe51ef093987c5633a9564648b1d3fe2e5087 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 15 Feb 2013 13:24:34 +0100 Subject: [PATCH 103/306] Forward Firewall: When editing a group and deleting an entry, the next mode is also update --- html/cgi-bin/fwhosts.cgi | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 6db70463d..d39fe124b 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -852,6 +852,8 @@ if ($fwhostsettings{'ACTION'} eq 'delhost') } if ($fwhostsettings{'ACTION'} eq 'deletegrphost') { + my $grpremark; + my $grpname; &General::readhasharray("$configgrp", \%customgrp); foreach my $key (keys %customgrp){ if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){ @@ -876,11 +878,17 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost') } &General::writehasharray("$confighost", \%customhost); } + $grpname=$customgrp{$key}[0]; + $grpremark=$customgrp{$key}[1]; delete $customgrp{$key}; } } &General::writehasharray("$configgrp", \%customgrp); &rules; + if ($fwhostsettings{'update'} eq 'on'){ + $fwhostsettings{'remark'}= $grpremark; + $fwhostsettings{'grp_name'}=$grpname; + } &addgrp; &viewtablegrp; } @@ -934,6 +942,8 @@ if ($fwhostsettings{'ACTION'} eq 'delservicegrp') } if ($fwhostsettings{'ACTION'} eq 'delgrpservice') { + my $grpname; + my $grpremark; &General::readhasharray("$configsrvgrp", \%customservicegrp); &General::readhasharray("$configsrv", \%customservice); foreach my $key (keys %customservicegrp){ 
@@ -947,11 +957,18 @@ if ($fwhostsettings{'ACTION'} eq 'delgrpservice') } } &General::writehasharray("$configsrv", \%customservice); - delete $customservicegrp{$key} + $grpname=$customservicegrp{$key}[0]; + $grpremark=$customservicegrp{$key}[1]; + delete $customservicegrp{$key}; } } &General::writehasharray("$configsrvgrp", \%customservicegrp); &rules; + if ($fwhostsettings{'updatesrvgrp'} eq 'on'){ + #$fwhostsettings{'updatesrvgrp'}='on'; + $fwhostsettings{'SRVGRP_NAME'}=$grpname; + $fwhostsettings{'SRVGRP_REMARK'}=$grpremark; + } &addservicegrp; &viewtableservicegrp; @@ -1451,7 +1468,7 @@ sub viewtablegrp { $delflag++; } - if($delflag > 1){ + if($delflag > 0){ last; } } @@ -1494,7 +1511,7 @@ sub viewtablegrp if ($delflag > '1' && $ip ne ''){ print""; } - print""; + print""; $helper=$customgrp{$key}[0]; $number++; @@ -1554,7 +1571,6 @@ sub viewtableservicegrp my $helper; my $port; my $protocol; - my $delflag; if (! -z $configsrvgrp){ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); @@ -1605,10 +1621,10 @@ sub viewtableservicegrp } } print""; + print""; $helper=$customservicegrp{$key}[0]; } print"
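Review bot: `@@ -1451` changes the early exit to `if($delflag > 0){ last; }`, which leaves the inner loop as soon as the first matching entry is counted, and the entry being displayed always matches itself; as far as the visible loop shows `$delflag` can therefore never exceed 1, and the `$delflag > '1'` test that gates the per-entry delete control (`@@ -1494`) would never be true. If the intent is "group has more than one member", the exit has to stay at `> 1`, or the count replaced by `my $delflag = grep { $customgrp{$_}[0] eq $customgrp{$key}[0] } keys %customgrp;`. `@@ -1554` also removes `my $delflag;` from `viewtableservicegrp` while the `$delflag=0; … $delflag++` loop added there by PATCH 102 is not visibly removed; under `use strict` that no longer compiles, so please confirm the loop went too.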
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
$ip$customgrp{$key}[3]
"; } - if ($number > 1 && $ip ne ''){ + if ($delflag > '1' && $ip ne ''){ print""; } print"
$port$protocol
"; - if ($number gt '1'){ + if ($delflag > '1'){ print""; } print"
$port$protocol
"; - if ($delflag > '1'){ + if ($number gt '1'){ print""; } - print"
"; From 6ba1cd4ceba9d4b343e5afb47e206e7a507f226c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 15 Feb 2013 13:28:27 +0100 Subject: [PATCH 104/306] Forward Firewall: ; is now allowed in Ruleremark --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 2e783ce46..ce2aed9eb 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1642,7 +1642,7 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:_\/\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { From c7043621fc4cf73f30749d21310a8569fbf1c78f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 17 Feb 2013 06:34:39 +0100 Subject: [PATCH 105/306] Forward Firewall: savepoint 1. Trying to add OUTGOING to the firewall. actual working: Create OUTGOING Rules, change external access or foward rules to outgoing ones. Missing: rules.pl need to be updated --- config/cfgroot/general-functions.pl | 19 +---- html/cgi-bin/forwardfw.cgi | 113 ++++++++++++++++++++++++---- html/cgi-bin/fwhosts.cgi | 1 + 3 files changed, 102 insertions(+), 31 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 6709c2b85..5cac38d7e 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -66,6 +66,9 @@ sub setup_default_networks $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE"; } + + #IPFire himself + $defaultNetworks->{'IPFire'}{'NAME'} = "IPFire"; # OpenVPN if(-e "${General::swroot}/ovpn/settings") 
@@ -97,22 +100,6 @@ sub setup_default_networks $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW"; } } - #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; - #my @current = ; - #close(FILE); - #my $ctr = 0; - #foreach my $line (@current) - #{ - #if ($line ne ''){ - #chomp($line); - #my @temp = split(/\,/,$line); - #if ($temp[2] eq '') { - #$temp[2] = "Alias $ctr : $temp[0]"; - #} - #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]"; - #$ctr++; - #} - #} } sub get_aliases { diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index ce2aed9eb..fc1d2b55c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -27,7 +27,7 @@ # Now that the ccd extension is ready i am able to develop the main request. # # Any feedback is appreciated. # # # -# # +#Copymaster # ############################################################################### use strict; @@ -45,6 +45,7 @@ unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/f unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); } unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } +unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } my %fwdfwsettings=(); my %selected=() ; @@ -60,6 +61,7 @@ my %customnetwork=(); my %ccdhost=(); my %configfwdfw=(); my %configinputfw=(); +my %configoutgoingfw=(); my %ipsecconf=(); my %color=(); my %mainsettings=(); @@ -69,6 +71,7 @@ my %ovpnsettings=(); my %ipsecsettings=(); my %aliases=(); my @p2ps = (); + my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -81,6 +84,7 @@ my $configipsec = "${General::swroot}/vpn/config";
 my $configipsecrw = "${General::swroot}/vpn/settings";
 my $configfwdfw = "${General::swroot}/forward/config";
 my $configinput = "${General::swroot}/forward/input";
+my $configoutgoing = "${General::swroot}/forward/outgoing";
 my $configovpn = "${General::swroot}/ovpn/settings";
 my $p2pfile = "${General::swroot}/forward/p2protocols";
 my $errormessage='';
@@ -110,27 +114,39 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); + &General::readhasharray("$configinput", \%configoutgoingfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} + #check if we change an forward rule to an external access if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - $fwdfwsettings{'updatefwrule'}=''; - $fwdfwsettings{'config'}=$configfwdfw; - $fwdfwsettings{'nobase'}='on'; - &deleterule; - &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + &changerule($configfwdfw); } - #check if we change an external access rule to an forward + #check if we change an forward rule to an outgoing + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + } + #check if we change an external access rule to a forward if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - $fwdfwsettings{'updatefwrule'}=''; - $fwdfwsettings{'config'}=$configinput; - $fwdfwsettings{'nobase'}='on'; - &deleterule; - &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } + &changerule($configinput); + } + #check if we change an external access rule to a outgoing + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configinput); + } + #check if we change an outgoing rule to a forward + if( 
$fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + } + #check if we change an outgoing rule to a external access + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + } + #check if we try to break rules + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage.=$Lang::tr{'fwdfw err same'}; + } #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'config'}=$configinput; @@ -205,6 +221,59 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
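Review bot: The six "check if we change ..." conditions are not mutually exclusive, so a single edit can run `&changerule` two or three times: an external-access rule edited into an outgoing one satisfies both `grp2 ne 'ipfire' && oldgrp2a eq 'ipfire'` and the longer `... eq 'IPFire' && grp2 ne 'ipfire' && oldgrp2a eq 'ipfire'` (both call `changerule($configinput)`), and when `oldgrp1b ne 'IPFire'` it also meets the forward-to-outgoing test and deletes from `$configfwdfw` as well, each call running `&deleterule` and touching the counters again. Because the save branches below are an if/elsif/else chain, a rule lives in exactly one of the three files, so the old file can be derived once from the old values and compared with the new one. Patch 106 (`@@ -1561,6 +1535,30 @@ sub saverule`) moves these tests verbatim into saverule, so the overlap survives there. Separately, `&General::readhasharray("$configinput", \%configoutgoingfw);` fills the outgoing hash from the input file; `$configoutgoing` is the intended source (a later hunk on this page corrects it). The enclosing `saverule` action block starts and ends outside the hunk.
```perl
	if ($fwdfwsettings{'updatefwrule'} eq 'on'){
		# The file a rule lives in is fixed by its endpoints; derive the old
		# and the new one once instead of testing six overlapping transitions.
		my $oldchain = $fwdfwsettings{'oldgrp2a'} eq 'ipfire' ? $configinput
		             : $fwdfwsettings{'oldgrp1b'} eq 'IPFire' ? $configoutgoing
		             : $configfwdfw;
		my $newchain = $fwdfwsettings{'grp2'} eq 'ipfire' ? $configinput
		             : $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ? $configoutgoing
		             : $configfwdfw;
		&changerule($oldchain) if $oldchain ne $newchain;
	}
	# … unchanged: "check if we try to break rules" and the INPUT part …
```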
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; + }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){ + $fwdfwsettings{'config'}=$configoutgoing; + $fwdfwsettings{'chain'} = 'OUTGOINGFW'; + my $maxkey=&General::findhasharraykey(\%configoutgoingfw); + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configoutgoingfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ + 
$errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configoutgoingfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq 
$fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configoutgoingfw,$configoutgoing); + } }else{ #FORWARD PART $fwdfwsettings{'config'}=$configfwdfw; 
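Review bot: The 26-field comparison string is spelled out twice more in this hunk on top of the INPUT and FORWARD copies, so any field added to the rule format has to be edited in six places and one missed index silently breaks duplicate detection; the stored side skips index 1 (the chain, see `iptables -A $$hash{$key}[1]` in rules.pl) and index 16, and the form side lists the matching settings keys, which is exactly what a pair of small helpers can own. Build both strings in `stored_rule_key($hash, $key)` and `form_rule_key()` and keep the `eq` comparison in the two loops. The outer `saverule` action block starts and ends outside the hunk.
```perl
# Comparison key of one stored rule: every field except index 1 (the chain)
# and index 16 (presumably the remark), in stored order.
sub stored_rule_key {
	my ($hash, $key) = @_;
	return join ',', map { $$hash{$key}[$_] } (0, 2 .. 15, 17 .. 27);
}

# The same key built from the submitted form values, in the same order.
sub form_rule_key {
	return join ',',
		$fwdfwsettings{'RULE_ACTION'}, $fwdfwsettings{'ACTIVE'},
		$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},
		$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},
		(map { $fwdfwsettings{$_} } qw(USE_SRC_PORT PROT ICMP_TYPES SRC_PORT USESRV TGT_PROT ICMP_TGT)),
		$fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},
		(map { $fwdfwsettings{$_} } qw(LOG TIME TIME_MON TIME_TUE TIME_WED TIME_THU TIME_FRI TIME_SAT TIME_SUN TIME_FROM TIME_TO));
}

# … in both loops of the OUTGOING part:
			if (form_rule_key() eq stored_rule_key(\%configoutgoingfw, $key)){
# … unchanged: error handling, 'nosave' logic, counters …
```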
@@ -405,6 +474,18 @@ if ($fwdfwsettings{'ACTION'} eq '') &base; } ### Functions #### +sub changerule +{ + my $oldchain=shift; + $fwdfwsettings{'updatefwrule'}=''; + $fwdfwsettings{'config'}=$oldchain; + $fwdfwsettings{'nobase'}='on'; + &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); +} + + sub pos_up { my %uphash=(); @@ -1233,6 +1314,7 @@ END END foreach my $network (sort keys %defaultNetworks) { + next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); print ""; @@ -1728,6 +1810,7 @@ sub viewtablerule &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); + &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } sub viewtablenew { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index d39fe124b..1f85135d4 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1571,6 +1571,7 @@ sub viewtableservicegrp my $helper; my $port; my $protocol; + my $delflag; if (! -z $configsrvgrp){ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); &General::readhasharray("$configsrvgrp", \%customservicegrp); From d7127db8fb715f13b87cbce980137c2879a1d64e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 17 Feb 2013 07:03:43 +0100 Subject: [PATCH 106/306] Forward Firewall: Savepoint2.MOved checks if rule has changed to function saverule to take care that rules are only deleted if there's no error --- html/cgi-bin/forwardfw.cgi | 52 ++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index fc1d2b55c..386e02d3e 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
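Review bot: `sub changerule` has no comment and works entirely through the global `%fwdfwsettings` - it clears `updatefwrule`, repoints `config` at the old chain's file, sets `nobase`, deletes the rule there and calls checkcounter with zeroed old values - so a reader of `&changerule($configfwdfw)` at the call sites cannot tell that the rule being edited is afterwards stored as a brand-new rule. Add a header such as `# Move the rule being edited out of $oldchain: delete it from that file, re-run the object counters for its new endpoints and clear 'updatefwrule' so the caller saves it as a new rule in the chain it now belongs to.` Also `&deleterule;` with `&` and no parentheses hands the current `@_` to deleterule; `deleterule();` says what is meant.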
@@ -118,31 +118,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} - - #check if we change an forward rule to an external access - if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); - } - #check if we change an forward rule to an outgoing - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); - } - #check if we change an external access rule to a forward - if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); - } - #check if we change an external access rule to a outgoing - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); - } - #check if we change an outgoing rule to a forward - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configoutgoing); - } - #check if we change an outgoing rule to a external access - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configoutgoing); - } #check if we try to break rules if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; 
@@ -222,6 +197,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){ + # OUTGOING PART $fwdfwsettings{'config'}=$configoutgoing; $fwdfwsettings{'chain'} = 'OUTGOINGFW'; my $maxkey=&General::findhasharraykey(\%configoutgoingfw); @@ -484,8 +460,6 @@ sub changerule &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - - sub pos_up { my %uphash=(); 
@@ -1561,6 +1535,30 @@ sub saverule my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ + #check if we change an forward rule to an external access + if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + } + #check if we change an forward rule to an outgoing + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + } + #check if we change an external access rule to a forward + if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configinput); + } + #check if we change an external access rule to a outgoing + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configinput); + } + #check if we change an outgoing rule to a forward + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + } + #check if we change an outgoing rule to a external access + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; From 5d7faa4518d894f90218c216bb2fb86e69f46b2a Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Sun, 17 Feb 2013 13:58:35 +0100 Subject: [PATCH 107/306] Forward Firewall: First part of adding OUTGOING to th efirewall --- config/forwardfw/firewall-forward-policy | 24 -------- config/forwardfw/firewall-lib.pl | 2 + config/forwardfw/firewall-policy | 39 +++++++++++++ config/forwardfw/rules.pl | 16 ++++-- config/rootfiles/common/stage2 | 2 +- html/cgi-bin/forwardfw.cgi | 71 +++++++++++++++--------- html/cgi-bin/optionsfw.cgi | 10 ++++ langs/de/cgi-bin/de.pl | 9 ++- langs/en/cgi-bin/en.pl | 6 +- lfs/configroot | 2 +- src/initscripts/init.d/firewall | 10 +++- 11 files changed, 126 insertions(+), 65 deletions(-) delete mode 100755 config/forwardfw/firewall-forward-policy create mode 100755 config/forwardfw/firewall-policy diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy deleted file mode 100755 index aec71e29b..000000000 --- a/config/forwardfw/firewall-forward-policy +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) -eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) - -iptables -F POLICY - -if [ "$POLICY" == "MODE1" ]; then - - if [ "$FWPOLICY" == "REJECT" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" - fi - /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" - fi - if [ "$FWPOLICY" == "DROP" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT" - fi -fi - - diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index eb84c4af4..9f806850e 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl 
@@ -221,6 +221,8 @@ sub get_std_net_ip return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ return "$ipsecsettings{'RW_NET'}"; + }elsif($val eq 'IPFire'){ + return ; } } sub get_net_ip diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy new file mode 100755 index 000000000..e96278a16 --- /dev/null +++ b/config/forwardfw/firewall-policy @@ -0,0 +1,39 @@ +#!/bin/sh + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICYFWD +iptables -F POLICYOUT + + +if [ "$POLICY" == "MODE1" ]; then + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + fi +fi +if [ "$POLICY1" == "MODE1" ]; then + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT + if [ "$FWPOLICY1" == "REJECT" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY1" == "DROP" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + fi +fi + diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index ddcd560c1..ffdb6c2ce 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
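Review bot: `return ;` yields undef in scalar context, and the consumer in rules.pl (`$sourcehash{$a}[0] ne ''`) only works because undef stringifies to the empty string - under `use warnings` that comparison emits an "uninitialized" warning for every IPFire-sourced rule. Return the sentinel explicitly and say why: `}elsif($val eq 'IPFire'){ return ''; # no address: rules.pl omits -s for an empty source }`. get_std_net_ip starts outside the hunk.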
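Review bot: `if [ "$POLICY" == "MODE1" ]; then` and the three other tests use `==`, a bash extension, under a `#!/bin/sh` shebang; POSIX `test` only guarantees `=`, so on a strict sh every branch is skipped and no policy rule is installed: `if [ "$POLICY" = "MODE1" ]; then`. The `-A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT` line is the one command here that targets a rule chain instead of a POLICY chain, and this script flushes only `POLICYFWD`/`POLICYOUT`; it appears to run inside the `flush` branch of rules.pl, but any other invocation appends the rule again. The file also mixes bare `iptables` with `/sbin/iptables` - pick one.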
@@ -42,6 +42,7 @@ our %sourcehash=(); our %targethash=(); my @timeframe=(); my %configinputfw=(); +my %configoutgoingfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); @@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW"; &General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); +&General::readhasharray($configoutgoing, \%configoutgoingfw); &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); @@ -95,7 +98,7 @@ if($param eq 'flush'){ if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ &p2pblock; - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; @@ -117,7 +120,7 @@ if($param eq 'flush'){ &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); } } } @@ -125,6 +128,7 @@ sub flush { system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); } sub preparerules { @@ -134,6 +138,9 @@ sub preparerules if (! -z "${General::swroot}/forward/input"){ &buildrules(\%configinputfw); } + if (! -z "${General::swroot}/forward/outgoing"){ + &buildrules(\%configoutgoingfw); + } } sub buildrules { 
@@ -160,7 +167,6 @@ sub buildrules } } }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; @@ -217,7 +223,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } @@ -237,7 +243,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index f772be335..a8e4b79d3 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,7 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert -usr/sbin/firewall-forward-policy +usr/sbin/firewall-policy usr/sbin/convert-xtaccess usr/sbin/convert-outgoingfw #usr/share diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 386e02d3e..460a08c4c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
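Review bot: In the two `$STAG` hunks, an empty `$sourcehash{$a}[0]` now leaves `$STAG` at whatever it held before; its initialisation is outside the hunks, and if it is not reset to `''` per iteration a `-s` from the previous source would be followed by an empty value and the generated command would not parse - reset it explicitly before the test, `my $STAG='';`, or better, build the argument list conditionally. The command is assembled as one shell string (`system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] ...")`); the values come from admin-edited config files, so this is not remote input, but the list form `system('iptables', '-A', $$hash{$key}[1], @args)` removes the shell and makes empty arguments behave predictably. The `@@ -160,7 +167,6` hunk removes the opening `if($$hash{$key}[6] eq 'Default IP'){` while its closing brace lies outside the hunk - confirm the matching `}` was removed as well.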
@@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups"; if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'}) { my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; } @@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); - &General::readhasharray("$configinput", \%configoutgoingfw); + &General::readhasharray("$configoutgoing", \%configoutgoingfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} @@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + print"CHECK OUTGOING DOPPELTE REGEL
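Review bot: `$fwdfwsettings{'POLICY1'} = "$MODE1";` persists whatever the request carried into forward/settings without checking it is one of the two expected values, and that file is later sourced by `eval $(/usr/local/bin/readhash ...)` in firewall-policy; whether readhash quotes its output is not visible here, so whitelist before writing, for `POLICY` as well: `my $MODE1 = $fwdfwsettings{'POLICY1'} eq 'MODE1' ? 'MODE1' : 'MODE2';`. The same applies to the `reset`/`resetoutgoing` branches further down, which copy the value through in the same way.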
"; $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" 
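Review bot: `print"CHECK OUTGOING DOPPELTE REGEL\n";` is a debugging line that ends up in the CGI response body of every save of a new rule with a position set; it is the only addition in this hunk and should be removed, or at most turned into a comment. The enclosing `if($fwdfwsettings{'rulepos'} > 0 && ...)` block continues outside the hunk.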
@@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } + my $MODE1=$fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'}='MODE2'; + $fwdfwsettings{'POLICY1'}=$MODE1; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &reread_rules; + +} +if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing') +{ + &General::readhasharray("$configoutgoing", \%configoutgoingfw); + foreach my $key (sort keys %configoutgoingfw){ + &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,); + &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,); + &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,); + } + system("rm ${General::swroot}/forward/outgoing"); + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } + my $MODE=$fwdfwsettings{'POLICY'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'}=$MODE; + $fwdfwsettings{'POLICY1'}='MODE2'; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; 
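Review bot: `system("rm ${General::swroot}/forward/outgoing");` spawns a shell to remove one file; `unlink "${General::swroot}/forward/outgoing";` does it in-process, and the `touch` on the following line is likewise a three-arg `open` for writing. The three `&checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);` calls pass two arguments - empty list elements vanish in Perl - while every other call site on this page passes explicit `0,0`; make them consistent so checkcounter's argument handling is not silently relied on. The branch also writes `%fwdfwsettings` to the settings file before emptying it, i.e. with at least `ACTION` still in it, copying the pattern of the `reset` branch above; presumably unintended.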
@@ -578,6 +602,8 @@ sub base { if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; &p2pblock; @@ -585,8 +611,8 @@ sub base print < + -
FORWARD
$Lang::tr{'fwdfw pol text'}

"; + print"

"; + print < + + + + +
OUTGOING
$Lang::tr{'fwdfw pol text1'}

+ + +END + print "$Lang::tr{'outgoing firewall reset'}:
"; + print "
"; &Header::closebox(); } sub addrule @@ -1805,8 +1846,6 @@ sub viewtablerule { &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } @@ -1818,23 +1857,7 @@ sub viewtablenew my $title1=shift; my $go=''; &General::readhasharray("$config", $hash); - #check if there are DMZ entries - if ($title1 eq 'DMZ'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} - } - }elsif($title1 eq 'WLAN'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} - } - }elsif($title1 eq 'Forward'){ - foreach my $key (keys %$hash){ - if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} - } - }elsif( ! -z $config){ - $go='on'; - } - if($go ne ''){ + if( ! -z $config){ &Header::openbox('100%', 'left',$title); my $count=0; my ($gif,$log); @@ -1844,13 +1867,9 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
"; - print""; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ - #check if we have a FORWARDFW OR DMZ RULE - if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;} - if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;} - if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;} @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index db4794c0c..f85c76214 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO'; $settings{'DROPNEWNOTSYN'} = 'on'; $settings{'DROPINPUT'} = 'on'; $settings{'DROPFORWARD'} = 'on'; +$settings{'DROPOUTGOING'} = 'on'; $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; @@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; $checked{'DROPFORWARD'}{'off'} = ''; $checked{'DROPFORWARD'}{'on'} = ''; $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; +$checked{'DROPOUTGOING'}{'off'} = ''; +$checked{'DROPOUTGOING'}{'on'} = ''; +$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; @@ -102,6 +106,8 @@ print < off + +
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$Lang::tr{'drop forward'}on / off
$Lang::tr{'drop outgoing'}on / + off
$Lang::tr{'drop portscan'}on / off
$Lang::tr{'drop wirelessinput'}on / @@ -124,6 +130,10 @@ print <DROP
$Lang::tr{'drop action1'} +

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 141145eae..fd26cd322 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -746,10 +746,12 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"', +'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', +'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', 'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop forward' => 'Verworfene Firewall-Pakete loggen', +'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', +'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', 
@@ -926,6 +928,7 @@ 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', +'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', @@ -1018,7 +1021,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protokoll', -'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.', +'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.', 'fwhost reset' => 'Abbrechen', 'fwhost services' => 'Dienste', 'fwhost srv_name' => 'Dienstname', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1d0c3e7cf..aea37679b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -771,7 +771,8 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', -'drop action' => 'Default behaviour of firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', @@ -952,6 +953,7 @@ 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', +'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', @@ -1045,7 +1047,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', -'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.', +'fwhost reread' => 'Firewallrules need to be updated.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', diff --git a/lfs/configroot b/lfs/configroot index 88fa9f2f8..aa5d764df 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -105,7 +105,7 @@ $(TARGET) : cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl - cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy + cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index ed7509ff2..7ec327417 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -153,6 +153,7 @@ case "$1" in /sbin/iptables -N OUTGOINGFW /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING @@ -295,10 +296,13 @@ case "$1" in #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" #POLICY CHAIN - /sbin/iptables -N POLICY - /sbin/iptables -A FORWARD -j POLICY + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT - /usr/sbin/firewall-forward-policy + + /usr/sbin/firewall-policy ;; startovpn) # run openvpn From 4e62b47f3371f261d3a295faab9083063b5fbad1 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 17 Feb 2013 21:53:18 +0100 Subject: [PATCH 108/306] FORWARD Firewall: integrating OUTGOING Firewall Part 2 --- langs/de/cgi-bin/de.pl | 4 ++-- langs/en/cgi-bin/en.pl | 2 +- lfs/configroot | 3 +++ 3 files changed, 6 insertions(+), 3 deletions(-) 
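Review bot: The `/usr/sbin/firewall-policy` call at the end of the `@@ -295` hunk is the only thing that populates the new POLICYFWD and POLICYOUT chains, yet its exit status is ignored, so a missing or failing script silently leaves both chains empty and the default handling falls through to whatever builtin chain policy is set outside this hunk. A minimal guard is `/usr/sbin/firewall-policy || echo "firewall-policy failed: default policy not applied" >&2` (or the init script's own message helper). The `@@ -153` hunk also appends the ESTABLISHED,RELATED accept to OUTGOINGFW unconditionally, while firewall-policy later in this series inserts the same rule again in MODE1, so the chain ends up carrying two copies; decide which side owns that rule and comment it. `-m state` still works here, but newer iptables treat it as an alias for `-m conntrack --ctstate`, which is worth aligning with the rest of the script. The `case` body both hunks sit in starts and ends outside them.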
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index fd26cd322..25b25d450 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -927,8 +927,8 @@ 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', -'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', -'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', +'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', +'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index aea37679b..35296bcd6 100644 --- a/langs/en/cgi-bin/en.pl 
+++ b/langs/en/cgi-bin/en.pl @@ -953,7 +953,7 @@ 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', -'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.', +'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', diff --git a/lfs/configroot b/lfs/configroot index aa5d764df..9b4c4d109 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -117,8 +117,11 @@ $(TARGET) : echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings + echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings # set rules.pl executable chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl From 35fb91640a78eb4c58c0ecab50f317d8bd4341da Mon Sep 17 00:00:00 2001 
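Review bot: The new `FWPOLICY1=DROP`, `DROPOUTGOING=on` and `POLICY1=MODE2` lines are only written by this configroot target, i.e. on a fresh build; nothing visible in the series appends them to an existing `optionsfw/settings` or `forward/settings` on upgrade, and the converter later in the series ends up not writing POLICY1 at all. On an upgraded system the shell test `[ "$POLICY1" == "MODE1" ]` in firewall-policy then sees an empty string and appears to fall through to the permissive behaviour, and `FWPOLICY1` is empty when optionsfw.cgi preselects the dropdown. If that fallback is intended, document it next to these defaults, e.g. `# POLICY1 unset (upgraded installs) is treated as MODE2 by firewall-policy`; otherwise the update path needs to append the same three lines. The Makefile recipe continues outside the hunk.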
From: Alexander Marx Date: Mon, 18 Feb 2013 05:36:18 +0100 Subject: [PATCH 109/306] Forward Firewall: Fixed Firewall-options (preselection of new Dropdown) for outgoing firewall default behaviour (DROp/REJECT) --- html/cgi-bin/optionsfw.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index f85c76214..b396e3f4c 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -92,6 +92,8 @@ $checked{'DROPSAMBA'}{'off'} = ''; $checked{'DROPSAMBA'}{'on'} = ''; $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; +$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; + &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); print "
"; From aa8647835d948bf7261fb49ba26054b8789b61d8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 18 Feb 2013 10:41:19 +0100 Subject: [PATCH 110/306] Forward Firewall: Finalize integration of OUTGOING into firewall --- config/forwardfw/firewall-policy | 2 +- html/cgi-bin/forwardfw.cgi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index e96278a16..90d8065aa 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -22,7 +22,7 @@ if [ "$POLICY" == "MODE1" ]; then fi fi if [ "$POLICY1" == "MODE1" ]; then - /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT + /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT if [ "$FWPOLICY1" == "REJECT" ]; then if [ "$DROPOUTGOING" == "on" ]; then /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 460a08c4c..86fed83b9 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -198,7 +198,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){ + }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){ # OUTGOING PART $fwdfwsettings{'config'}=$configoutgoing; $fwdfwsettings{'chain'} = 'OUTGOINGFW'; From 0b54aaede3702dcaf76e3d4b50fd5ca591e8fe13 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 18 Feb 2013 12:28:30 +0100 Subject: [PATCH 111/306] Forward Firewall: when creating a second group of services, the cached port and protocol from first group are shown in table --- html/cgi-bin/fwhosts.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1f85135d4..4b0a1122d 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1593,6 +1593,8 @@ sub viewtableservicegrp $grpname=$customservicegrp{$key}[0]; if ($customservicegrp{$key}[2] eq "none"){ $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'}; + $port=''; + $protocol=''; } $remark="$customservicegrp{$key}[1]"; if($count >=2){print"";} From d0815ce43f84bf53f31f2a51ba4fb768d6c12e4d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 18 Feb 2013 16:10:42 +0100 Subject: [PATCH 112/306] Forward Firewall: Fix 80,81,83 (Forum) Apply Button now on group and rule site remark can be delted - and . are allowed in Hostname --- html/cgi-bin/forwardfw.cgi | 2 ++ html/cgi-bin/fwhosts.cgi | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 86fed83b9..6d662224e 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2110,6 +2110,7 @@ sub rules { if (!-f "${General::swroot}/forward/reread"){ system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); } } sub reread_rules 
@@ -2117,6 +2118,7 @@ sub reread_rules system("/usr/local/bin/forwardfwctrl"); if ( -f "${General::swroot}/forward/reread"){ system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); } } &Header::closebigbox(); diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 4b0a1122d..ae9383d76 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1000,7 +1000,7 @@ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'}) if ($fwhostsettings{'ACTION'} eq 'changegrpremark') { &General::readhasharray("$configgrp", \%customgrp); - if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && &validremark($fwhostsettings{'newrem'})){ + if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){ foreach my $key (sort keys %customgrp) { #$customgrp{$key}[1]=~ s/\|/,/g; @@ -1028,7 +1028,7 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpremark') if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') { &General::readhasharray("$configsrvgrp", \%customservicegrp ); - if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && &validremark($fwhostsettings{'newsrvrem'})){ + if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) || $fwhostsettings{'newsrvrem'} eq '')){ foreach my $key (sort keys %customservicegrp) { #$customservicegrp{$key}[1]=~ s/\|/,/g; @@ -1468,7 +1468,7 @@ sub viewtablegrp { $delflag++; } - if($delflag > 0){ + if($delflag > 1){ last; } } @@ -1753,7 +1753,7 @@ sub plausicheck my $edit=shift; #check hostname - if (!&General::validhostname($fwhostsettings{'HOSTNAME'})) + if (!&validhostname($fwhostsettings{'HOSTNAME'})) { $errormessage=$errormessage.$Lang::tr{'fwhost err name'}; $fwhostsettings{'BLK_IP'}='readonly'; 
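Review bot: The added `system("rm ${General::swroot}/fwhosts/reread")` runs inside a guard that only checks `forward/reread`, so whenever the fwhosts marker is absent `rm` writes an error to the CGI's stderr on every apply. `unlink "${General::swroot}/forward/reread", "${General::swroot}/fwhosts/reread";` removes both without a shell and is silent on a missing file, and can replace both `system("rm ...")` lines. The `system("/usr/local/bin/forwardfwctrl")` result is still unchecked, so a failed reload is followed by clearing the markers that say a reload is pending; consider only unlinking when it returns 0.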
@@ -1957,6 +1957,7 @@ sub rules { if (!-f "${General::swroot}/fwhosts/reread"){ system("touch ${General::swroot}/fwhosts/reread"); + system("touch ${General::swroot}/forward/reread"); } } sub reread_rules @@ -1964,6 +1965,7 @@ sub reread_rules system ("/usr/local/bin/forwardfwctrl"); if ( -f "${General::swroot}/fwhosts/reread"){ system("rm ${General::swroot}/fwhosts/reread"); + system("rm ${General::swroot}/forward/reread"); } } @@ -2062,7 +2064,7 @@ sub validhostname if (length ($hostname) < 1 || length ($hostname) > 63) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_()\/\s]*$/) { + if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_.;()\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) { From e3580608b3cd6695980e2ace6eae4f969d71e070 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 18 Feb 2013 21:13:07 +0100 Subject: [PATCH 113/306] Forward Firewall: added remark field to custom hosts and host table --- html/cgi-bin/forwardfw.cgi | 4 +-- html/cgi-bin/fwhosts.cgi | 51 ++++++++++++++++++-------------------- 2 files changed, 26 insertions(+), 29 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6d662224e..6bcfdc7d9 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1763,13 +1763,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { return 0;} return 1; } 
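Review bot: The widened character class `[a-zA-ZäöüÖÄÜ0-9-_.;()\/\s]` admits `;`, `/`, parentheses and whitespace although the commit message only mentions `-` and `.`; `;` in particular is not something a host name needs, and these names are written to the fwhosts config files while plausicheck (hunk `@@ -1753`) now calls this local validator instead of the stricter `General::validhostname`. Unless the rule generator that consumes these names quotes them for the shell and for iptables comments (not visible here), keep the class to what the message promises: `if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9_.\-()\/\s]*$/) {`. Escaping or trailing the `-` also spares a reader from parsing `9-_` as a range. The comment above the regex still says only `a-z, A-Z, 0-9 and -`, so it should list the characters actually allowed.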
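Review bot: This is the second copy of `validremark` in the series (fwhosts.cgi has its own, patched separately with a different character class), and the two now disagree: this one allows `|`, the other only `()` until a later patch catches up. A remark accepted by one CGI and rejected by the other is confusing, and keeping two regexes in sync by hand is how the drift happened; move the function into `firewall-lib.pl`, which configroot already installs, and call it from both pages. The `# Only valid characters are a-z, A-Z, 0-9 and -` comment above the regex is also stale.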
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index ae9383d76..0fbbad9b9 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -119,7 +119,7 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost') $ip = $customhost{$key}[2]; } $fwhostsettings{'orgip'} = $ip; - $fwhostsettings{'count'} = $customhost{$key}[3]; + $fwhostsettings{'count'} = $customhost{$key}[4]; delete $customhost{$key}; &General::writehasharray("$confighost", \%customhost); } @@ -400,6 +400,10 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $errormessage=$Lang::tr{'fwhost err mac'}; } } + #check remark + if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } #CHECK IP-PART if ($fwhostsettings{'type'} eq 'ip'){ #check for subnet @@ -426,7 +430,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){ $fwhostsettings{'actualize'} = ''; my $key = &General::findhasharraykey (\%customhost); - foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";} + foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";} $customhost{$key}[0] = $fwhostsettings{'orgname'} ; $customhost{$key}[1] = $fwhostsettings{'type'} ; if($customhost{$key}[1] eq 'ip'){ @@ -434,7 +438,8 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') }else{ $customhost{$key}[2] = $fwhostsettings{'orgip'}; } - $customhost{$key}[3] = $fwhostsettings{'count'}; + $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'}; + $customhost{$key}[4] = $fwhostsettings{'count'}; &General::writehasharray("$confighost", \%customhost); undef %customhost; } 
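Review bot: `updatehost` now copies the usage count from `[4]` but never reads the new remark field `[3]` into `%fwhostsettings`, so when the entry is deleted here and rewritten by `savehost` the remark becomes whatever the form posted (unless the edit form is populated from it elsewhere); the parallel `updatenet` hunk later in the series does preserve it with `$fwhostsettings{'netremark'} = $customnetwork{$key}[3];`. Add the equivalent line before `delete $customhost{$key};`, e.g. `$fwhostsettings{'hostremark'} = $customhost{$key}[3];`, and use it wherever the original entry is restored. The enclosing foreach begins outside the hunk.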
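Review bot: The `@@ -434` hunk writes `$fwhostsettings{'HOSTREMARK'}` into the restored entry, but this branch runs only when `$errormessage` is set, and one of the errors that can set it is the new "invalid remark" check a few lines above, so a remark that just failed `validremark` is persisted to `customhosts` anyway. Restore the original remark captured in `updatehost` instead and only accept `HOSTREMARK` on the success path, as the neighbouring lines already do with `orgname` and `orgip` rather than the posted values.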
@@ -480,7 +485,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') } } my $key = &General::findhasharraykey (\%customhost); - foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";} + foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";} $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ; $customhost{$key}[1] = $fwhostsettings{'type'} ; if ($fwhostsettings{'type'} eq 'ip'){ @@ -492,12 +497,14 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $customhost{$key}[2] = $fwhostsettings{'IP'}; } if($fwhostsettings{'newhost'} eq 'on'){$count=0;} - $customhost{$key}[3] = $count; + $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'}; + $customhost{$key}[4] =$count; &General::writehasharray("$confighost", \%customhost); undef %customhost; $fwhostsettings{'HOSTNAME'}=''; $fwhostsettings{'IP'}=''; $fwhostsettings{'type'}=''; + $fwhostsettings{'HOSTREMARK'}=''; #check if we need to update rules while host was edited if($needrules eq 'on'){ &rules; @@ -527,10 +534,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') #check remark if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){ $errormessage.=$Lang::tr{'fwhost err remark'}; - $fwhostsettings{'update'} = 'on'; - $fwhostsettings{'remark'}=$fwhostsettings{'oldremark'}; - &addgrp; - &viewtablegrp; } if ($fwhostsettings{'update'} eq 'on'){ #check standard networks @@ -667,7 +670,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') }elsif($updcounter eq 'host'){ foreach my $key (keys %customhost) { if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){ - $customhost{$key}[3]=$customhost{$key}[3]+1; + $customhost{$key}[4]=$customhost{$key}[3]+1; } } &General::writehasharray("$confighost", \%customhost); 
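Review bot: `$customhost{$key}[4]=$customhost{$key}[3]+1;` reads the remark field, not the count: in this series the count moved to `[4]` and `[3]` is now the remark, so adding a host to a group sets its usage count to the remark evaluated as a number plus one (normally `1`, with an "isn't numeric" warning). It should be `$customhost{$key}[4]=$customhost{$key}[4]+1;`, matching the `deletegrphost` decrement and the network counterpart. A wrong count matters beyond display: the host table appears to switch the row's action on `[4] == '0'`, so an under-counted host can be treated as unused while a group and a rule still reference it.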
@@ -872,7 +875,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost') &General::readhasharray("$confighost", \%customhost); foreach my $key1 (keys %customhost){ if ($customhost{$key1}[0] eq $customgrp{$key}[2]){ - $customhost{$key1}[3] = $customhost{$key1}[3]-1; + $customhost{$key1}[4] = $customhost{$key1}[4]-1; last; } } @@ -884,7 +887,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost') } } &General::writehasharray("$configgrp", \%customgrp); - &rules; + if ($fwhostsettings{'grpcnt'} > 0){&rules;} if ($fwhostsettings{'update'} eq 'on'){ $fwhostsettings{'remark'}= $grpremark; $fwhostsettings{'grp_name'}=$grpname; @@ -1114,6 +1117,7 @@ END if ($fwhostsettings{'type'} eq 'mac'){print "";}else{print "";} print<IP/MAC: + $Lang::tr{'remark'}:
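Review bot: Replacing the unconditional `&rules;` with `if ($fwhostsettings{'grpcnt'} > 0){&rules;}` makes the "rules need to be updated" marker depend on a value taken from the request, so a client can remove a host from a group with `grpcnt=0` and nothing flags that the active ruleset still matches that host. If the intent is to skip the marker when the group became empty, derive that from `%customgrp` after the write rather than from the form, and note that an empty group referenced by a rule is itself a case the rule generator must handle. The hash loop above continues outside the hunk.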

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'}
END @@ -1406,7 +1410,7 @@ sub viewtablehost }else{ print< - $Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'used'} + $Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'remark'}$Lang::tr{'used'} END } my $count=0; @@ -1416,17 +1420,18 @@ END }elsif ($count % 2){ print" ";} else{ print" ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); - $customhost{$key}[3]=~s/\s+//g; + $customhost{$key}[4]=~s/\s+//g; print<$customhost{$key}[0]$ip$customhost{$key}[3]x + $customhost{$key}[0]$ip$customhost{$key}[3]$customhost{$key}[4]x + END - if($customhost{$key}[3] == '0') + if($customhost{$key}[4] == '0') { print"
"; }else{ @@ -1511,7 +1516,7 @@ sub viewtablegrp if ($delflag > '1' && $ip ne ''){ print""; } - print""; + print""; $helper=$customgrp{$key}[0]; $number++; @@ -1750,7 +1755,6 @@ sub deletefromgrp } sub plausicheck { - my $edit=shift; #check hostname if (!&validhostname($fwhostsettings{'HOSTNAME'})) @@ -1761,7 +1765,6 @@ sub plausicheck if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} } #check if name collides with CCD Netname - &General::readhasharray("$configccdnet", \%ccdnet); foreach my $key (keys %ccdnet) { if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ @@ -1771,7 +1774,6 @@ sub plausicheck last; } } - #check if IP collides with CCD NetIP if ($fwhostsettings{'type'} ne 'mac'){ &General::readhasharray("$configccdnet", \%ccdnet); @@ -1786,9 +1788,6 @@ sub plausicheck } } } - - - #check if name collides with CCD Hostname &General::readhasharray("$configccdhost", \%ccdhost); foreach my $key (keys %ccdhost) { @@ -1838,8 +1837,6 @@ sub plausicheck { $errormessage=$errormessage."
".$Lang::tr{'fwhost err ipcheck'}; } - - return; } sub getipforgroup @@ -2083,13 +2080,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;()_\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9).]*$/) { return 0;} return 1; } From 6563800485c11292341c931ccf8aadb281eaa2c8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 18 Feb 2013 21:20:51 +0100 Subject: [PATCH 114/306] Forward Firewall: Fixed typo --- langs/en/cgi-bin/en.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 35296bcd6..c9a3a32c0 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -772,7 +772,7 @@ 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', -'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', +'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', From d928d79566cd802f85cd38bcd8bd76f4bb112547 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 06:29:32 +0100 Subject: [PATCH 115/306] Forward Firewall: some exentions for remarks --- html/cgi-bin/fwhosts.cgi | 4 ++-- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 0fbbad9b9..90e1fb305 100755 
--- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -2080,13 +2080,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;()_\/\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9).]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { return 0;} return 1; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 25b25d450..926676607 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -998,7 +998,7 @@ 'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben', 'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks', 'fwhost err port' => 'Port muss gefüllt sein', -'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich', +'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 und -_();|.', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', 'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', 'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c9a3a32c0..9e3f70c54 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
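Review bot: Adding `\|` to the allowed remark characters is risky given that `changegrpremark` and `changesrvgrpremark` earlier in this series carry a commented-out `s/\|/,/g` on the remark field, which suggests `|` has been used as an internal separator in the stored groups; a user-typed `|` would then be indistinguishable from a separator in `customgroups`. If the stored format does not rely on `|` (not visible here), say so in a comment above the regex; if it does, leave `|` out of both the main class and the last-character class. The `# Only valid characters are a-z, A-Z, 0-9 and -` comment is also stale and should list the actual set, matching the new `fwhost err remark` string.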
@@ -1023,7 +1023,7 @@ 'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask', 'fwhost err partofnet' => 'This network is part of an already existing one', 'fwhost err port' => 'Port is empty', -'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus', +'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 and -_();|.', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', 'fwhost err srv exists' => 'A Service with this name already exists', 'fwhost err sub32' => 'Please add single host. This subnet is no network', From c178bf21c1e6d68be2fca6763e8e4b8493304d32 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 06:34:48 +0100 Subject: [PATCH 116/306] Forward Firewall: added Policymode for OUTGOING to converterscript --- config/forwardfw/convert-outgoingfw | 1 + 1 file changed, 1 insertion(+) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index edb1fd0a8..3c11f92fe 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -249,6 +249,7 @@ sub process_rules &General::readhash($fwdfwsettings,\%fwdsettings); if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){ $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY1'}='MODE2'; &General::writehash($fwdfwsettings,\%fwdsettings); } #open LOG From 046d88c2d0f5718a8efbd5cbee5e2f4e1b5f4dbd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 06:48:00 +0100 Subject: [PATCH 117/306] Forward Firewall: outgoing converter is now ble to set default policy correctly --- config/forwardfw/convert-outgoingfw | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 3c11f92fe..f279a6c5b 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw 
@@ -248,8 +248,8 @@ sub process_rules { &General::readhash($fwdfwsettings,\%fwdsettings); if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){ + if ($outsettings{'POLICY'} eq 'MODE0'){$outsettings{'POLICY'}='MODE2';} $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; - $fwdsettings{'POLICY1'}='MODE2'; &General::writehash($fwdfwsettings,\%fwdsettings); } #open LOG From e5a058c131806586e53c44d5ecca7e1d4a926f84 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 15:24:24 +0100 Subject: [PATCH 118/306] FORWARD FIREWALL: added remark in custom networks --- html/cgi-bin/fwhosts.cgi | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 90e1fb305..5bba69e53 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -96,7 +96,8 @@ if ($fwhostsettings{'ACTION'} eq 'updatenet' ) $fwhostsettings{'orgname'} = $customnetwork{$key}[0]; $fwhostsettings{'orgip'} = $customnetwork{$key}[1]; $fwhostsettings{'orgsub'} = $customnetwork{$key}[2]; - $fwhostsettings{'count'} = $customnetwork{$key}[3]; + $fwhostsettings{'netremark'} = $customnetwork{$key}[3]; + $fwhostsettings{'count'} = $customnetwork{$key}[4]; delete $customnetwork{$key}; } @@ -230,6 +231,11 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $fwhostsettings{'NOCHECK'} ='false'; $fwhostsettings{'error'} ='on'; } + #check remark + if ($fwhostsettings{'NETREMARK'} ne '' && !&validremark($fwhostsettings{'NETREMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'error'} ='on'; + } #check if subnet is sigle host if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32') { 
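Review bot: Mapping a legacy `MODE0` to `MODE2` deserves a comment, because `MODE2` is the mode configroot installs as the default and the conversion silently rewrites an old setting to it: `# MODE0 of the old outgoing firewall has no counterpart; fall back to MODE2`, or whatever the real meaning is. The previous patch's `$fwdsettings{'POLICY1'}='MODE2';` is dropped here, so converted installations end up with no POLICY1 at all and rely on the shell test in firewall-policy treating an empty value as not-MODE1. If that is the intended default, write it explicitly so the settings file is complete. `process_rules` continues outside the hunk.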
@@ -280,17 +286,19 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ; $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ; $customnetwork{$key}[2] = $fwhostsettings{'orgsub'}; - $customnetwork{$key}[3] = $fwhostsettings{'count'}; + $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'}; + $customnetwork{$key}[4] = $fwhostsettings{'count'}; &General::writehasharray("$confignet", \%customnetwork); undef %customnetwork; } if (!$errormessage){ + &General::readhasharray("$confignet", \%customnetwork); if ($fwhostsettings{'ACTION'} eq 'updatenet'){ if ($fwhostsettings{'update'} == '0'){ foreach my $key (keys %customnetwork) { if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){ - $count=$customnetwork{$key}[3]; + $count=$customnetwork{$key}[4]; delete $customnetwork{$key}; last; } 
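Review bot: In the restore branch of `savenet` (its condition lies above the hunk; for hosts the equivalent branch runs on `$errormessage`) the hunk writes `$fwhostsettings{'NETREMARK'}`, the value just posted, instead of the original remark that `updatenet` saved in `$fwhostsettings{'netremark'}`; since one of the possible errors is precisely an invalid NETREMARK, a rejected remark is written to `customnetworks` while the user sees an error. Use `$customnetwork{$key}[3] = $fwhostsettings{'netremark'};` here, consistent with `orgname`/`orgip`/`orgsub` on the neighbouring lines. The validation hunk's `$errormessage=$Lang::tr{'fwhost err remark'};` also overwrites any earlier error rather than appending as `savegrp` does.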
@@ -340,22 +348,24 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } } my $key = &General::findhasharraykey (\%customnetwork); - foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} + foreach my $i (0 .. 4) { $customnetwork{$key}[$i] = "";} $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'}; #convert ip when leading '0' in byte - $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'}); - $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'}); + $fwhostsettings{'IP'} =&General::ip2dec($fwhostsettings{'IP'}); + $fwhostsettings{'IP'} =&General::dec2ip($fwhostsettings{'IP'}); $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ; $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ; if($fwhostsettings{'newnet'} eq 'on'){$count=0;} - $customnetwork{$key}[3] = $count; + $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'}; + $customnetwork{$key}[4] = $count; &General::writehasharray("$confignet", \%customnetwork); $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); undef %customnetwork; $fwhostsettings{'HOSTNAME'}=''; $fwhostsettings{'IP'}=''; $fwhostsettings{'SUBNET'}=''; + $fwhostsettings{'NETREMARK'}=''; #check if an edited net affected groups and need to reload rules if ($needrules eq 'on'){ &rules; @@ -662,7 +672,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') if($updcounter eq 'net'){ foreach my $key (keys %customnetwork) { if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){ - $customnetwork{$key}[3] = $customnetwork{$key}[3]+1; + $customnetwork{$key}[4] = $customnetwork{$key}[4]+1; last; } } @@ -1092,6 +1102,7 @@ sub addnet print<
$Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}: + $Lang::tr{'remark'}:
END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') @@ -1363,7 +1374,7 @@ sub viewtablenet }else{ print< - $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}$Lang::tr{'used'} + $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}$Lang::tr{'remark'}$Lang::tr{'used'} END } my $count=0; @@ -1378,15 +1389,16 @@ END print" "; } print<$customnetwork{$key}[0]$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3]x + $customnetwork{$key}[0]$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3]$customnetwork{$key}[4]x + END - if($customnetwork{$key}[3] == '0') + if($customnetwork{$key}[4] == '0') { print"
"; }else{ From be5698ef6688c770f422011875b2d6451af017d8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 15:41:03 +0100 Subject: [PATCH 119/306] FORWARD FIREWALL: Some Typos in language Files --- html/cgi-bin/fwhosts.cgi | 2 +- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 5bba69e53..afb47fa3d 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1101,7 +1101,7 @@ sub addnet $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; print<
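Review bot: The new remark column prints `$customnetwork{$key}[3]` into the table verbatim, so its safety against injected markup rests entirely on `validremark`'s character whitelist at save time and on every write path actually calling it; the savenet hunk above writes `NETREMARK` straight back to disk on its error/restore path without that check. Escaping at output would make the table robust regardless of how the value got into the file, e.g. `(my $remark = $customnetwork{$key}[3]) =~ s/([<>&"])/sprintf('&#%d;', ord($1))/ge;` before the print. Since the record is stored in a comma-separated hasharray line, it is also worth confirming that `validremark` rejects commas, otherwise a remark could split the record. viewtablenet continues outside this hunk.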
- $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}: + $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: $Lang::tr{'remark'}:
END diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 926676607..09adde417 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1010,6 +1010,7 @@ 'fwhost ip_mac' => 'IP/MAC Adresse', 'fwhost ipsec host' => 'IpSec Clients:', 'fwhost ipsec net' => 'IpSec Netzwerke:', +'fwhost netaddress' => 'Netzwerk Adresse', 'fwhost newnet' => 'Netz Einstellungen', 'fwhost newhost' => 'Adress Einstellungen', 'fwhost newgrp' => 'Adress Gruppierung', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 9e3f70c54..793faa759 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1035,7 +1035,7 @@ 'fwhost ip_mac' => 'IP/MAC address', 'fwhost ipsec host' => 'IPsec clients:', 'fwhost ipsec net' => 'IPsec networks:', -'fwhost netaddress' => 'Network address:', +'fwhost netaddress' => 'Network address', 'fwhost newnet' => 'Network', 'fwhost newhost' => 'Host', 'fwhost newgrp' => 'Address grouping', From f80db6a4ceb985e14a5bc85134bafbd0b3c34416 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Feb 2013 16:30:41 +0100 Subject: [PATCH 120/306] Forward Firewall: Bugfix: on update of network or hostst and changing remark to invalid value, the remark was saved --- html/cgi-bin/fwhosts.cgi | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index afb47fa3d..dc0699672 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -286,7 +286,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ; $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ; $customnetwork{$key}[2] = $fwhostsettings{'orgsub'}; - $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'}; + $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'}; $customnetwork{$key}[4] = $fwhostsettings{'count'}; &General::writehasharray("$confignet", \%customnetwork); undef %customnetwork; 
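Review bot: `orgnetremark` is a request parameter (addnet copies `NETREMARK` into it, presumably as a hidden form field), so the restore-on-error path in this hunk writes a client-controlled value back to customnetworks without passing it through `&validremark`, which is exactly the check the failing `NETREMARK` just tripped. The same holds for `orgname`/`orgip`/`orgsub` from before this change, so the "restore the original" logic as a whole trusts the form rather than the stored record. Either re-read the original entry from `$confignet` by name instead of rebuilding it from the request, or at minimum guard the write with `$fwhostsettings{'orgnetremark'} = '' unless &validremark($fwhostsettings{'orgnetremark'});`. The savenet handler starts and ends outside the hunk.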
@@ -448,7 +448,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') }else{ $customhost{$key}[2] = $fwhostsettings{'orgip'}; } - $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'}; + $customhost{$key}[3] = $fwhostsettings{'orgremark'}; $customhost{$key}[4] = $fwhostsettings{'count'}; &General::writehasharray("$confighost", \%customhost); undef %customhost; @@ -1099,6 +1099,7 @@ sub addnet &showmenu; &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'}); $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; print< $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: @@ -1107,7 +1108,7 @@ sub addnet END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') { - print ""; + print ""; }else{ print ""; } @@ -1120,6 +1121,7 @@ sub addhost &showmenu; &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'}); $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; print< $Lang::tr{'name'}:"; + print " "; }else{ print " "; } From 6128ded855eefc07abc6904490cfed055e35647b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Feb 2013 09:34:07 +0100 Subject: [PATCH 121/306] Forward Firewall: convert-outgoingfw now supports outgoing rules --- config/forwardfw/convert-outgoingfw | 123 ++++++++++++++++++---------- 1 file changed, 81 insertions(+), 42 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index f279a6c5b..5980651a8 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw 
@@ -19,6 +19,7 @@ my $ovpnsettings = "${General::swroot}/ovpn/settings"; my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; my $fwdfwconfig = "${General::swroot}/forward/config"; +my $outfwconfig = "${General::swroot}/forward/outgoing"; my $fwdfwsettings = "${General::swroot}/forward/settings"; my @ipgroups = qx(ls $ipgrouppath); my @macgroups = qx(ls $macgrouppath); @@ -30,7 +31,8 @@ my %groups=(); my %settingsovpn=(); my %configovpn=(); my %ccdconf=(); -my %fwconf=(); +my %fwconfig=(); +my %fwconfigout=(); my %fwdsettings=(); &General::readhash($outfwsettings,\%outsettings); @@ -246,17 +248,15 @@ sub check_grp } sub process_rules { - &General::readhash($fwdfwsettings,\%fwdsettings); - if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){ - if ($outsettings{'POLICY'} eq 'MODE0'){$outsettings{'POLICY'}='MODE2';} - $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; - &General::writehash($fwdfwsettings,\%fwdsettings); - } - #open LOG - if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} - open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; - my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); + print"uzlputz modus ist $outsettings{'POLICY'} \n"; + &General::readhash($fwdfwsettings,\%fwdsettings); + if ($outsettings{'POLICY'} eq 'MODE0'){ + $fwdfwsettings{'POLICY'}='MODE2'; + }else{ + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + } + &General::writehash($fwdfwsettings,\%fwdsettings); if ($outsettings{'POLICY'} eq 'MODE1'){ $type='ALLOW'; $action='ACCEPT'; 
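Review bot: `$fwdfwsettings{'POLICY'}='MODE2';` in the MODE0 branch of process_rules writes into a hash `%fwdfwsettings` that is never declared — `$fwdfwsettings` is the settings file path — so the intended policy is never stored and `writehash` rewrites forward/settings with whatever POLICY it already held (under `use strict` this line would not even compile). The fix is the one-character hash name, `$fwdsettings{'POLICY'}='MODE2';`. The debug line `print"uzlputz modus ist $outsettings{'POLICY'} \n";` should not ship in a converter that runs during upgrade. process_rules continues into the next hunk.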
@@ -266,6 +266,9 @@ sub process_rules }else{ return; } + #open LOG + if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} + open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; open (DATEI, "<$outgoingrules"); my @lines = ; foreach my $rule (@lines) @@ -320,8 +323,11 @@ sub process_rules $grp1='std_net_src'; $source='ORANGE'; }elsif ($configline[2] eq 'red') { - print LOG "-> Rule not converted, is an outgoing rule.Please put it manually in /etc/sysconfig/firewall.local \n"; - next; + $grp1='std_net_src'; + $source='IPFire'; + &General::readhash($fwdfwsettings,\%fwdsettings); + $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; + &General::writehash($fwdfwsettings,\%fwdsettings); }elsif ($configline[2] eq 'blue') { $grp1='std_net_src'; $source='BLUE'; @@ -355,7 +361,6 @@ sub process_rules $grp1='std_net_src'; $source='ALL'; }else{ - #&General::readhasharray($configgroups,\%groups); foreach my $key (sort keys %groups){ if($groups{$key}[0] eq $configline[2]){ $grp1='cust_grp_src'; 
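Review bot: The 'red' branch calls `readhash`/`writehash` on forward/settings inside the per-rule loop, so the settings file is re-read and rewritten once for every legacy outgoing rule that targets red, even though the value written (`POLICY1 = $outsettings{'POLICY'}`) is the same each time. Set a flag in the loop (`$need_policy1 = 1;`) and do the single read/modify/write after the loop, next to the POLICY write earlier in process_rules. Note MODE0 cannot reach this branch because the sub returns early for it, so no MODE0 mapping is needed here. The loop begins and ends outside this hunk.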
@@ -423,16 +428,22 @@ sub process_rules print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; } &General::readhasharray($fwdfwconfig,\%fwconfig); + &General::readhasharray($outfwconfig,\%fwconfigout); my $check; + my $chain; foreach my $protocol (@prot){ + if ($source eq 'IPFire'){ + $chain='OUTGOINGFW'; + }else{ + $chain='FORWARDFW'; + } $protocol=uc($protocol); - print LOG "-> Converted: $action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; #Put rules into system.... ########################### - #check for double rules foreach my $key (sort keys %fwconfig){ - if("$action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ $check='on'; next; 
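Review bot: The duplicate-rule check still iterates only `%fwconfig`, but a rule with `$chain eq 'OUTGOINGFW'` is stored in `%fwconfigout` (next hunk), and the comparison string now includes `$chain`, so an outgoing rule can never match anything in the forward table; running the converter twice, or two identical legacy red rules, will produce duplicate entries in forward/outgoing. Select the table by chain before the loop, `my $cfg = ($chain eq 'FORWARDFW') ? \%fwconfig : \%fwconfigout;`, and compare against `$cfg->{$key}[…]` instead of `$fwconfig{$key}[…]`. The `foreach my $protocol` loop continues into the next hunk.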
@@ -452,33 +463,61 @@ sub process_rules &General::writehasharray($configgroups,\%groups); } } - my $key = &General::findhasharraykey(\%fwconfig); - $fwconfig{$key}[0] = $action; - $fwconfig{$key}[1] = "FORWARDFW"; - $fwconfig{$key}[2] = $active; - $fwconfig{$key}[3] = $grp1; - $fwconfig{$key}[4] = $source; - $fwconfig{$key}[5] = $grp2; - $fwconfig{$key}[6] = $target; - $fwconfig{$key}[11] = $useport; - $fwconfig{$key}[12] = $protocol; - $fwconfig{$key}[14] = $grp3; - $fwconfig{$key}[15] = $port; - $fwconfig{$key}[16] = $remark; - $fwconfig{$key}[17] = $log; - $fwconfig{$key}[18] = $time; - $fwconfig{$key}[19] = $time_mon; - $fwconfig{$key}[20] = $time_tue; - $fwconfig{$key}[21] = $time_wed; - $fwconfig{$key}[22] = $time_thu; - $fwconfig{$key}[23] = $time_fri; - $fwconfig{$key}[24] = $time_sat; - $fwconfig{$key}[25] = $time_sun; - $fwconfig{$key}[26] = $time_from; - $fwconfig{$key}[27] = $time_to; + if ($chain eq 'FORWARDFW'){ + my $key = &General::findhasharraykey(\%fwconfig); + $fwconfig{$key}[0] = $action; + $fwconfig{$key}[1] = $chain; + $fwconfig{$key}[2] = $active; + $fwconfig{$key}[3] = $grp1; + $fwconfig{$key}[4] = $source; + $fwconfig{$key}[5] = $grp2; + $fwconfig{$key}[6] = $target; + $fwconfig{$key}[11] = $useport; + $fwconfig{$key}[12] = $protocol; + $fwconfig{$key}[14] = $grp3; + $fwconfig{$key}[15] = $port; + $fwconfig{$key}[16] = $remark; + $fwconfig{$key}[17] = $log; + $fwconfig{$key}[18] = $time; + $fwconfig{$key}[19] = $time_mon; + $fwconfig{$key}[20] = $time_tue; + $fwconfig{$key}[21] = $time_wed; + $fwconfig{$key}[22] = $time_thu; + $fwconfig{$key}[23] = $time_fri; + $fwconfig{$key}[24] = $time_sat; + $fwconfig{$key}[25] = $time_sun; + $fwconfig{$key}[26] = $time_from; + $fwconfig{$key}[27] = $time_to; + }else{ + my $key = &General::findhasharraykey(\%fwconfigout); + $fwconfigout{$key}[0] = $action; + $fwconfigout{$key}[1] = $chain; + $fwconfigout{$key}[2] = $active; + $fwconfigout{$key}[3] = $grp1; + $fwconfigout{$key}[4] = $source; + 
$fwconfigout{$key}[5] = $grp2; + $fwconfigout{$key}[6] = $target; + $fwconfigout{$key}[11] = $useport; + $fwconfigout{$key}[12] = $protocol; + $fwconfigout{$key}[14] = $grp3; + $fwconfigout{$key}[15] = $port; + $fwconfigout{$key}[16] = $remark; + $fwconfigout{$key}[17] = $log; + $fwconfigout{$key}[18] = $time; + $fwconfigout{$key}[19] = $time_mon; + $fwconfigout{$key}[20] = $time_tue; + $fwconfigout{$key}[21] = $time_wed; + $fwconfigout{$key}[22] = $time_thu; + $fwconfigout{$key}[23] = $time_fri; + $fwconfigout{$key}[24] = $time_sat; + $fwconfigout{$key}[25] = $time_sun; + $fwconfigout{$key}[26] = $time_from; + $fwconfigout{$key}[27] = $time_to; + } + &General::writehasharray($fwdfwconfig,\%fwconfig); + &General::writehasharray($outfwconfig,\%fwconfigout); } } - &General::writehasharray($fwdfwconfig,\%fwconfig); @prot=(); } close(LOG); From 7bf83f9d39d3101ac096b42d0fc43a8caef97c5e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Feb 2013 10:26:55 +0100 Subject: [PATCH 122/306] Forward Firewall: moved p2p-block to a seperate cgi and deleted it from forwardfw.cgi --- config/menu/50-firewall.menu | 8 +- html/cgi-bin/forwardfw.cgi | 66 ++-------------- html/cgi-bin/fwhosts.cgi | 13 +--- html/cgi-bin/p2p-block.cgi | 142 +++++++++++++++++++++++++++++++++++ 4 files changed, 158 insertions(+), 71 deletions(-) create mode 100755 html/cgi-bin/p2p-block.cgi diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index 90baa65b2..029534323 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu 
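Review bot: The two branches added here are byte-for-byte copies that differ only in the hash they fill, and both config files are now written on every iteration of the protocol loop instead of once per rule as before, so a rule with several protocols rewrites forward/config and forward/outgoing several times. Choosing the target table by chain removes the duplicated 25 lines, and the two `writehasharray` calls can move back to after the `foreach my $protocol` loop (inside the per-rule loop, whose braces lie outside this hunk).
```perl
# pick the rule table by chain; the field layout is identical for both
my $cfg = ($chain eq 'FORWARDFW') ? \%fwconfig : \%fwconfigout;
my $key = &General::findhasharraykey($cfg);
$cfg->{$key}[0] = $action;
$cfg->{$key}[1] = $chain;
$cfg->{$key}[2] = $active;
# … unchanged: fields [3]..[27] assigned from $grp1 … $time_to as before …
```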
@@ -28,12 +28,18 @@ 'title' => "Universal Plug and Play", 'enabled' => 0, }; - $subfirewall->{'80.optingsfw'} = { + $subfirewall->{'80.optionsfw'} = { 'caption' => $Lang::tr{'options fw'}, 'uri' => '/cgi-bin/optionsfw.cgi', 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; + $subfirewall->{'81.p2p'} = { + 'caption' => 'P2P-Block', + 'uri' => '/cgi-bin/p2p-block.cgi', + 'title' => "P2P-Block", + 'enabled' => 1, + }; $subfirewall->{'90.iptables'} = { 'caption' => $Lang::tr{'ipts'}, 'uri' => '/cgi-bin/iptables.cgi', diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6bcfdc7d9..738c38786 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -70,7 +70,6 @@ my %icmptypes=(); my %ovpnsettings=(); my %ipsecsettings=(); my %aliases=(); -my @p2ps = (); my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; @@ -86,7 +85,6 @@ my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; my $configovpn = "${General::swroot}/ovpn/settings"; -my $p2pfile = "${General::swroot}/forward/p2protocols"; my $errormessage=''; my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; @@ -446,29 +444,6 @@ if ($fwdfwsettings{'ACTION'} eq 'copyrule') #$fwdfwsettings{'updatefwrule'}='on'; &newrule; } -if ($fwdfwsettings{'ACTION'} eq 'togglep2p') -{ - #$errormessage="Toggle $fwdfwsettings{'P2PROT'}
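Review bot: The new `81.p2p` entry hardcodes the string 'P2P-Block' for both caption and title while every sibling entry goes through `$Lang::tr{...}`, so this menu item will not be localised. Add a key to the language files and use `'caption' => $Lang::tr{'p2p block'}, 'title' => $Lang::tr{'p2p block'},` like the `80.optionsfw` entry above it. The key rename from `80.optingsfw` is fine.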
"; - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach my $p2pentry (sort @p2ps) - { - my @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) { - if($p2pline[2] eq 'on'){ - $p2pline[2]='off'; - }else{ - $p2pline[2]='on'; - } - } - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - close FILE; - &rules; - &base; -} if ($fwdfwsettings{'ACTION'} eq '') { &base; @@ -606,7 +581,7 @@ sub base if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; - &p2pblock; + print "



"; &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); print < @@ -642,16 +617,14 @@ END sub addrule { &error; + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'fwhost reread'}


"; + } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - print "
"; print ""; print ""; - if (-f "${General::swroot}/forward/reread"){ - print ""; - } - print"
$Lang::tr{'fwhost reread'}

"; - + print"
"; &Header::closebox(); &viewtablerule; } @@ -2064,35 +2037,6 @@ END &Header::closebox(); } } -sub p2pblock -{ - my $gif; - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print < - $Lang::tr{'protocol'}$Lang::tr{'status'} -END - foreach my $p2pentry (sort @p2ps) - { - my @p2pline = split( /\;/, $p2pentry ); - if($p2pline[2] eq 'on'){ - $gif="/images/on.gif" - }else{ - $gif="/images/off.gif" - } - print < - - $p2pline[0]: -END - } - print"$Lang::tr{'outgoing firewall p2p allow'}"; - print"$Lang::tr{'outgoing firewall p2p deny'}"; - &Header::closebox(); -} sub fillselect { my %hash=%{(shift)}; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index dc0699672..ae018d697 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1074,21 +1074,16 @@ if($fwhostsettings{'ACTION'} eq '') ### FUNCTIONS ### sub showmenu { - + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'fwhost reread'}


"; + } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print<
-
+
END - - - if (-f "${General::swroot}/fwhosts/reread"){ - print "$Lang::tr{'fwhost reread'}"; - } - print""; - &Header::closebox(); } diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi new file mode 100755 index 000000000..1c69a0ea3 --- /dev/null +++ b/html/cgi-bin/p2p-block.cgi 
@@ -0,0 +1,142 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2012 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# # +# Hi folks! I hope this code is useful for all. I needed something to handle # +# my VPN Connections in a comfortable way. As a prerequisite i needed # +# something that makes sure the vpn roadwarrior are able to have a fixed # +# ip-address. So i developed the ccd extension for the vpn server. # +# # +# Now that the ccd extension is ready i am able to develop the main request. # +# Any feedback is appreciated. 
# +# # +#Copymaster # +############################################################################### + +use strict; +no warnings 'uninitialized'; +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +my $errormessage=''; +my $p2pfile = "${General::swroot}/forward/p2protocols"; + +my @p2ps = (); +my %fwdfwsettings=(); +my %color=(); +my %mainsettings=(); + +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); + + + +&Header::showhttpheaders(); +&Header::getcgihash(\%fwdfwsettings); +&Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); +&Header::openbigbox('100%', 'center',$errormessage); + +if ($fwdfwsettings{'ACTION'} eq ''){ +&p2pblock; +} +if ($fwdfwsettings{'ACTION'} eq 'togglep2p') +{ + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /\;/, $p2pentry ); + if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) { + if($p2pline[2] eq 'on'){ + $p2pline[2]='off'; + }else{ + $p2pline[2]='on'; + } + } + print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; + } + close FILE; + &rules; + &p2pblock; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &p2pblock; +} + + +sub p2pblock +{ + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'fwhost reread'}


"; + } + my $gif; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = ; + close FILE; + &Header::openbox('100%', 'center', 'P2P-Block'); + print < + $Lang::tr{'protocol'}$Lang::tr{'status'} +END + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /\;/, $p2pentry ); + if($p2pline[2] eq 'on'){ + $gif="/images/on.gif" + }else{ + $gif="/images/off.gif" + } + print < + + $p2pline[0]: +END + } + print"$Lang::tr{'outgoing firewall p2p allow'}"; + print"$Lang::tr{'outgoing firewall p2p deny'}"; + &Header::closebox(); +} +sub rules +{ + if (!-f "${General::swroot}/forward/reread"){ + system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); + } +} +sub reread_rules +{ + system("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/forward/reread"){ + system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); + } +} +&Header::closebigbox(); +&Header::closepage(); From 15add1c8afbbc8eed5dd9d9649049109dbce8d58 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Feb 2013 15:00:03 +0100 Subject: [PATCH 123/306] Forward Firewall: changes in rule layout. new Option in firewall-options: it is now possible to select if the colors are shown in ruletable --- html/cgi-bin/forwardfw.cgi | 208 ++++++++++++++++++++++--------------- html/cgi-bin/optionsfw.cgi | 12 ++- langs/de/cgi-bin/de.pl | 2 + langs/en/cgi-bin/en.pl | 2 + 4 files changed, 142 insertions(+), 82 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 738c38786..c55cbf8a7 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -70,6 +70,7 @@ my %icmptypes=(); my %ovpnsettings=(); my %ipsecsettings=(); my %aliases=(); +my %optionsfw=(); my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; 
@@ -85,14 +86,16 @@ my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; my $configovpn = "${General::swroot}/ovpn/settings"; +my $fwoptions = "${General::swroot}/optionsfw/settings"; my $errormessage=''; my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; - +my $tdcolor=''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash($fwoptions, \%optionsfw); &Header::showhttpheaders(); &Header::getcgihash(\%fwdfwsettings); 
@@ -133,9 +136,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + 
}elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ 
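Review bot: After this change an update whose only difference is a valid, non-empty remark no longer clears the 'ruleexists' error: the first branch now fires only for an empty remark and the `elsif` only for an invalid one, so a valid new remark falls through with `$errormessage` still set, whereas before it was accepted. If the intent was to accept an empty remark in addition to a valid one, the first condition should read `... && ($fwdfwsettings{'ruleremark'} eq '' || &validremark($fwdfwsettings{'ruleremark'}))` with the `elsif` left as written. This assumes nothing further down in saverule (which starts and ends outside the hunk) re-clears the message for that case.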
@@ -206,9 +209,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && 
$fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ 
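Review bot: This remark-change logic is now the third verbatim copy in saverule (input, outgoing and forward tables), and each copy has the same gap: a changed remark that is non-empty and valid is neither cleared nor reported, so the 'ruleexists' error above it stands. A small helper such as `sub remark_only_changed { my ($old, $new) = @_; return $fwdfwsettings{'updatefwrule'} eq 'on' && $old ne $new; }` plus one shared `if/elsif` that treats `$new eq '' || &validremark($new)` as acceptable would fix all three places at once and keep them from drifting again. saverule starts and ends outside this hunk.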
@@ -262,9 +265,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){ + }elsif($fwdfwsettings{'oldruleremark'} ne 
$fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ @@ -1817,7 +1820,7 @@ sub get_serviceports } sub viewtablerule { - + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); @@ -1829,6 +1832,7 @@ sub viewtablenew my $title=shift; my $title1=shift; my $go=''; + &General::get_aliases(\%aliases); &General::readhasharray("$config", $hash); if( ! -z $config){ &Header::openbox('100%', 'left',$title); @@ -1840,8 +1844,8 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
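Review bot: The `readhash` call added to `viewtablerule` hard-codes `/var/ipfire/ethernet/settings`, while other config paths in this file are built from `${General::swroot}` (e.g. `"${General::swroot}/fwhosts/icmp-types"`); make it `&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);`. The loaded `%netsettings` is consumed by the `IpInSubnet` checks in `getcolor` (added in the @@ -2027 hunk of this file), so a one-line comment such as `# interface addresses/netmasks, used by getcolor to colour rule cells` would explain why a rule-table function reads the ethernet settings. If `viewtablenew` is ever reached without going through `viewtablerule`, `%netsettings` would be empty and those checks would silently match nothing — worth confirming.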
"; - print""; - print""; + print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
"; + print""; foreach my $key (sort {$a <=> $b} keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted @@ -1887,14 +1891,15 @@ sub viewtablenew $coloryellow=''; }elsif($coloryellow eq ''){ if ($count % 2){ - print""; + $color="$color{'color22'}"; } else{ - print""; + $color="$color{'color20'}"; } } + print""; print<$key + END if ($$hash{$key}[0] eq 'ACCEPT'){ $ruletype='A'; @@ -1909,13 +1914,15 @@ END $tooltip='REJECT'; $rulecolor=$color{'color16'}; } - print""; - print""; + &getcolor($$hash{$key}[4]); + print" END + &getcolor($$hash{$key}[6]); print< + "; #Get Protocol my $prot; @@ -1956,66 +1963,6 @@ END $prot=$Lang::tr{'all'}; } print""; - - print""; - - if($$hash{$key}[2] eq 'ON'){ - $gif="/images/on.gif" - - }else{ - $gif="/images/off.gif" - } - print< - - - - - - - -END - if (exists $$hash{$key-1}){ - print< - -END - }else{ - print""; - } - if (exists $$hash{$key+1}){ - print< - -END - }else{ - print""; - } - #if timeframe set, print new line in table if ($$hash{$key}[18] eq 'ON'){ my @days=(); if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} @@ -2027,16 +1974,115 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - print""; + print""; } + }else{ + print""; + } + if($$hash{$key}[2] eq 'ON'){ + $gif="/images/on.gif" + + }else{ + $gif="/images/off.gif" } + print< + + + + + + + +END + if (exists $$hash{$key-1}){ + print< + +END + }else{ + print""; + } + if (exists $$hash{$key+1}){ + print< + +END + }else{ + print""; + } + #REMARK + print""; } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$key$ruletype"; + print"$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); }else{ print $$hash{$key}[4]; } + $tdcolor=''; &getsrcport(\%$hash,$key); if ($$hash{$key}[17] eq 'ON'){ $log="/images/on.gif"; @@ -1925,14 +1932,15 @@ END print<
-
+ END if ($$hash{$key}[5] eq 'std_net_tgt'){ print &get_name($$hash{$key}[6]); @@ -1940,7 +1948,6 @@ END print $$hash{$key}[6]; } &gettgtport(\%$hash,$key); - ################################################################################ print"$prot$$hash{$key}[16] - - - -
- - - -
- - - -
- - - - - - - - - - - -
$Lang::tr{'fwdfw time'} "; - print"$weekdays"; - print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]
$weekdays   $$hash{$key}[26] - $$hash{$key}[27] + + + +
+ + + +
+ + + +
+ + + + + + + + + + + +
"; + print"$Lang::tr{'remark'}: $$hash{$key}[16]
"; &Header::closebox(); } } +sub getcolor +{ + my $val=shift; + if($optionsfw{'SHOWCOLORS'} eq 'on'){ + foreach my $alias (sort keys %aliases) + { + if ($val eq $alias){ + $tdcolor="style='border: 2px solid red;'"; + return; + } + } + if ($val eq 'GREEN'){ + $tdcolor="style='border: 2px solid green;'"; + }elsif ($val eq 'ORANGE'){ + $tdcolor="style='border: 2px solid orange;'"; + }elsif ($val eq 'BLUE'){ + $tdcolor="style='border: 2px solid blue;'"; + }elsif ($val eq 'IPFire' ){ + $tdcolor="style='border: 2px solid red;'"; + }elsif($val =~ /^(.*?)\/(.*?)$/){ + my ($sip,$scidr) = split ("/",$val); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="style='border: 2px solid orange;'"; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="style='border: 2px solid green;'"; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="style='border: 2px solid blue;'"; + } + if ( &General::IpInSubnet($sip,$netsettings{'RED_ADDRESS'},$netsettings{'RED_NETMASK'})){ + $tdcolor="style='border: 2px solid red;'"; + } + }elsif ($val eq 'Default IP'){ + $tdcolor="style='border: 2px solid red;'"; + }else{ + $tdcolor=''; + } + } +} sub fillselect { my %hash=%{(shift)}; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index b396e3f4c..da246f3db 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -91,6 +91,9 @@ $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; $checked{'DROPSAMBA'}{'off'} = ''; $checked{'DROPSAMBA'}{'on'} = ''; $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; +$checked{'SHOWCOLORS'}{'off'} = ''; +$checked{'SHOWCOLORS'}{'on'} = ''; +$checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'"; $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; 
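Review bot: `getcolor` hands its result back through the file-level `$tdcolor` instead of returning it, and when `SHOWCOLORS` is not `on` it returns without touching `$tdcolor` at all, so every caller has to reset `$tdcolor=''` around each cell (the @@ -1909 hunk does this once, after the source cell) or a cell inherits the previous cell's border. Returning the style string and assigning it at the call sites (`$tdcolor=&getcolor($$hash{$key}[4]);`) removes that coupling; the alias loop collapses to an `exists $aliases{$val}` test, and the four independent `if` subnet checks, where the last matching network currently wins, become one loop with an explicit order. The rewrite below keeps the original results, including last-match-wins by iterating the networks in reverse, with the one intentional difference that colours-off yields `''` rather than leaving the previous value in place. The sub also needs a header comment stating its contract, which the fence carries.
```perl
# Returns an inline border style for a rule cell derived from its network
# value ($val): matching alias, interface name, subnet or 'Default IP'.
# Returns '' when colours are disabled or nothing matches.
sub getcolor
{
    my $val=shift;
    return '' unless $optionsfw{'SHOWCOLORS'} eq 'on';
    return "style='border: 2px solid red;'" if exists $aliases{$val};
    my %colour_of = (GREEN => 'green', ORANGE => 'orange', BLUE => 'blue',
                     IPFire => 'red', 'Default IP' => 'red');
    return "style='border: 2px solid $colour_of{$val};'" if exists $colour_of{$val};
    if ($val =~ m{\A([^/]*)/}) {
        my $sip=$1;
        # reverse order reproduces the original "last matching network wins"
        for my $net (qw(RED BLUE GREEN ORANGE)) {
            return "style='border: 2px solid " . lc($net) . ";'"
                if &General::IpInSubnet($sip,$netsettings{"${net}_ADDRESS"},$netsettings{"${net}_NETMASK"});
        }
    }
    return '';
}
```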
@@ -117,7 +120,8 @@ print <$Lang::tr{'drop wirelessforward'}on / off -
+
+
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}on / @@ -125,6 +129,12 @@ print <$Lang::tr{'drop samba'}on / off
+
+ + + +
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}on / + off

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 09adde417..b119f5898 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1045,6 +1045,8 @@ 'from warn email bad' => 'Von Email Adresse ist nicht gültig', 'fw blue' => 'Firewall Optionen für das Blaue Interface', 'fw default drop' => 'Firewall Policy', +'fw settings' => 'Firewall Einstellungen', +'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 793faa759..9ed01b72d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1070,6 +1070,8 @@ 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', 'fw default drop' => 'Firewall policy', +'fw settings' => 'Firewall settings', +'fw settings color' => 'Show colors in ruletable', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', From b324de14db6c48823e570a285c91bb18593f02ff Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Feb 2013 16:40:47 +0100 Subject: [PATCH 124/306] Forward Firewall: fix wlan clients now working with forwardfw --- html/cgi-bin/forwardfw.cgi | 12 ++++++------ src/initscripts/init.d/firewall | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index c55cbf8a7..814f6ecc4 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -595,10 +595,10 @@ print <"; print "
$Lang::tr{'fw default drop'}
- - + + END - print "$Lang::tr{'outgoing firewall reset'}: "; + print "$Lang::tr{'outgoing firewall reset'}:
"; print"

"; print < - - + + END - print "$Lang::tr{'outgoing firewall reset'}:
"; + print "$Lang::tr{'outgoing firewall reset'}: "; print "
"; &Header::closebox(); } diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 7ec327417..03d7505ec 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -227,7 +227,7 @@ case "$1" in /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD + /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS @@ -300,9 +300,9 @@ case "$1" in /sbin/iptables -A FORWARD -j POLICYFWD /sbin/iptables -N POLICYOUT /sbin/iptables -A OUTPUT -j POLICYOUT - - + /usr/sbin/firewall-policy + ;; startovpn) # run openvpn From 12a43202a6fb6a9b80664ebcf01792928c57c016 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Feb 2013 21:53:52 +0100 Subject: [PATCH 125/306] Forward Firewall: bugfix converter->default forward mode is now set correctly some layout changes --- config/forwardfw/convert-outgoingfw | 6 ++-- html/cgi-bin/forwardfw.cgi | 49 +++++++++++++++++------------ 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 5980651a8..22c9272ba 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw 
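Review bot: Moving the `WIRELESSFORWARD` jump from `FORWARD` to `FORWARDFW` means BLUE-client filtering now applies only to packets that actually traverse `FORWARDFW`; the rules that create `FORWARDFW` and jump to it from `FORWARD` are outside this hunk, so please confirm that every NEW forwarded packet still reaches this jump, and reaches it before any ACCEPT rule appended to `FORWARDFW` later in the script, otherwise the wireless restrictions could be skipped. A comment above the rule stating that ordering assumption, e.g. `# Must precede the user forward rules in FORWARDFW so BLUE client filtering cannot be bypassed`, would make the dependency visible to whoever reorders the chain setup next. The `case` arm this belongs to starts outside the hunk.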
@@ -251,10 +251,10 @@ sub process_rules my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); print"uzlputz modus ist $outsettings{'POLICY'} \n"; &General::readhash($fwdfwsettings,\%fwdsettings); - if ($outsettings{'POLICY'} eq 'MODE0'){ - $fwdfwsettings{'POLICY'}='MODE2'; + if ($outsettings{'POLICY'} eq 'MODE1'){ + $fwdfwsettings{'POLICY'}='MODE1'; }else{ - $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY'}='MODE2'; } &General::writehash($fwdfwsettings,\%fwdsettings); if ($outsettings{'POLICY'} eq 'MODE1'){ diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 814f6ecc4..bb6c42eb7 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -584,7 +584,7 @@ sub base if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; - print "
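Review bot: The two branches write the converted policy into different hashes: the MODE1 branch assigns `$fwdfwsettings{'POLICY'}` while the else branch assigns `$fwdsettings{'POLICY'}`, and only `%fwdsettings` is persisted by the `&General::writehash($fwdfwsettings,\%fwdsettings);` that follows (`$fwdfwsettings` is the file path passed to `readhash` on the line above). So when the old outgoing policy is MODE1, the forward settings file keeps whatever POLICY it already held instead of MODE1; since this appears to be the default forward policy, the line should be `$fwdsettings{'POLICY'}='MODE1';`. The `print"uzlputz modus ist ..."` debug line in the context should also go before this ships. `process_rules` starts outside the hunk.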



"; + print "

"; &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); print < @@ -610,10 +610,10 @@ END - +
END - print "$Lang::tr{'outgoing firewall reset'}: "; + print "$Lang::tr{'outgoing firewall reset'}: "; print "
"; &Header::closebox(); } @@ -1269,7 +1269,7 @@ END $fwdfwsettings{'SRC_PORT'}=~ s/\|/,/g; print< - $Lang::tr{'fwhost icmptype'} END &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); print""; @@ -1397,7 +1397,7 @@ END } print< - $Lang::tr{'fwhost cust srvgrp'}:$Lang::tr{'fwhost cust srvgrp'}: - $Lang::tr{'fwhost icmptype'} END &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); print""; @@ -1847,6 +1847,7 @@ sub viewtablenew print""; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ + $tdcolor=''; @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ @@ -1881,8 +1882,8 @@ sub viewtablenew $$hash{$key}[2]=''; } } - $$hash{$key}[3]=''; - $$hash{$key}[5]=''; + #$$hash{$key}[3]=''; + #$$hash{$key}[5]=''; } $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; @@ -1915,7 +1916,7 @@ END $rulecolor=$color{'color16'}; } print""; - &getcolor($$hash{$key}[4]); + &getcolor($$hash{$key}[3],$$hash{$key}[4]); print" END - &getcolor($$hash{$key}[6]); + &getcolor($$hash{$key}[5],$$hash{$key}[6]); print< END @@ -1947,6 +1948,7 @@ END }else{ print $$hash{$key}[6]; } + $tdcolor=''; &gettgtport(\%$hash,$key); print""; #Get Protocol @@ -2041,12 +2043,22 @@ END } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); @@ -1938,7 +1939,7 @@ END
"; &Header::closebox(); + print "
"; } } sub getcolor { + my $nettype=shift; my $val=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ + $tdcolor="style='border: 2px solid $Header::colourovpn;'"; + return; + } + if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ + $tdcolor="style='border: 2px solid $Header::colourvpn;'"; + return; + } foreach my $alias (sort keys %aliases) { if ($val eq $alias){ 
@@ -2055,26 +2067,23 @@ sub getcolor } } if ($val eq 'GREEN'){ - $tdcolor="style='border: 2px solid green;'"; + $tdcolor="style='border: 2px solid $Header::colourgreen;'"; }elsif ($val eq 'ORANGE'){ - $tdcolor="style='border: 2px solid orange;'"; + $tdcolor="style='border: 2px solid $Header::colourorange;'"; }elsif ($val eq 'BLUE'){ - $tdcolor="style='border: 2px solid blue;'"; + $tdcolor="style='border: 2px solid $Header::colourblue;'"; }elsif ($val eq 'IPFire' ){ - $tdcolor="style='border: 2px solid red;'"; + $tdcolor="style='border: 2px solid $Header::colourred;'"; }elsif($val =~ /^(.*?)\/(.*?)$/){ my ($sip,$scidr) = split ("/",$val); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ - $tdcolor="style='border: 2px solid orange;'"; + $tdcolor="style='border: 2px solid $Header::colourorange;'"; } if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ - $tdcolor="style='border: 2px solid green;'"; + $tdcolor="style='border: 2px solid $Header::colourgreen;'"; } if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ - $tdcolor="style='border: 2px solid blue;'"; - } - if ( &General::IpInSubnet($sip,$netsettings{'RED_ADDRESS'},$netsettings{'RED_NETMASK'})){ - $tdcolor="style='border: 2px solid red;'"; + $tdcolor="style='border: 2px solid $Header::colourblue;'"; } }elsif ($val eq 'Default IP'){ $tdcolor="style='border: 2px solid red;'"; From 5dd84c259d95ee2fc2967326388d5cc73af4eabc Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 06:25:26 +0100 Subject: [PATCH 126/306] FOrward Firewall: Minor Layout changes --- html/cgi-bin/forwardfw.cgi | 11 ++++++----- html/cgi-bin/fwhosts.cgi | 16 ++++++++-------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index bb6c42eb7..195205875 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
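Review bot: The `'Default IP'` branch still hard-codes `red` while every other branch in this hunk now uses the `$Header::colour*` variables; for consistency it should be `$tdcolor="style='border: 2px solid $Header::colourred;'";`. The remaining three `IpInSubnet` checks are independent `if`s, so an address that falls inside more than one of the ORANGE/GREEN/BLUE networks takes the colour of the last match; chaining them with `elsif` would make the precedence explicit. `getcolor` starts outside the hunk.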
@@ -1281,7 +1281,7 @@ END } } print<
+

END &Header::closebox(); @@ -1438,9 +1438,10 @@ END } print< -


+

END + &Header::closebox; #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< -
$Lang::tr{'fwdfw rule activate'}
$Lang::tr{'fwdfw log rule'}


+

END &Header::closebox(); #---ADD TIMEFRAME----------------------------------------------- @@ -1513,9 +1514,9 @@ END } print< -
+

END - &Header::closebox(); + #---ACTION------------------------------------------------------ if($fwdfwsettings{'updatefwrule'} ne 'on'){ print<
$Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: - $Lang::tr{'remark'}: -
+ $Lang::tr{'remark'}: +

END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') { @@ -1125,7 +1125,7 @@ END if ($fwhostsettings{'type'} eq 'mac'){print "";}else{print "";} print<IP/MAC: - $Lang::tr{'remark'}: + $Lang::tr{'remark'}:

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'}
END @@ -1158,7 +1158,7 @@ sub addgrp print< $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -
+

END }else{ print< -
+

END if ($fwhostsettings{'updatesrv'} eq 'on') @@ -1324,14 +1324,14 @@ sub addservicegrp print< $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -
+

END }else{ print< $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -
+

END } @@ -1347,7 +1347,7 @@ END } print< -


+


END From 562d24b8169ac043b2ab4ebf160862b25e88097e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 06:43:11 +0100 Subject: [PATCH 127/306] Forward Firewall: Some minor changes in Language file timeframe:->timeframe --- html/cgi-bin/forwardfw.cgi | 4 ++-- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 195205875..f5a775bb4 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1846,7 +1846,7 @@ sub viewtablenew my $coloryellow=''; print"$title1
"; print""; - print""; + print""; foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); @@ -1980,7 +1980,7 @@ END print""; } }else{ - print""; + print""; } if($$hash{$key}[2] eq 'ON'){ $gif="/images/on.gif" diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index b119f5898..95e62d6aa 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -940,7 +940,7 @@ 'fwdfw target' => 'Ziel', 'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):', 'fwdfw till' => 'Bis:', -'fwdfw time' => 'Zeitrahmen:', +'fwdfw time' => 'Zeitrahmen', 'fwdfw timeframe' => 'Zeitrahmen hinzufügen', 'fwdfw toggle' => 'Aktivieren oder deaktivieren', 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 9ed01b72d..cdf76a7a8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -965,7 +965,7 @@ 'fwdfw target' => 'Target', 'fwdfw targetip' => 'Target address (IP or network):', 'fwdfw till' => 'Till:', -'fwdfw time' => 'Timeframe:', +'fwdfw time' => 'Timeframe', 'fwdfw timeframe' => 'Add timeframe', 'fwdfw toggle' => 'Activate or deactivate', 'fwdfw togglelog' => 'Activate or deactivate logging', From e28356b92834e75f09756de76e3cb139e9b72e9c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 08:28:48 +0100 Subject: [PATCH 128/306] Forward Firewall: added default option SHOWCOLOR to options and refined default behaviour of firewall in forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 64 ++++++++++++++++++-------------------- html/cgi-bin/optionsfw.cgi | 1 + 2 files changed, 32 insertions(+), 33 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index f5a775bb4..fd6831460 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -342,35 +342,33 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) { - &General::readhasharray("$configfwdfw", \%configfwdfw); - foreach my $key (sort keys %configfwdfw){ - &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,); - &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,); - &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,); - } - &General::readhasharray("$configinput", \%configinputfw); - foreach my $key (sort keys %configinputfw){ - &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,); - &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,); - &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,); - } - - system("rm ${General::swroot}/forward/config"); - system("rm ${General::swroot}/forward/input"); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } - unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } - my $MODE1=$fwdfwsettings{'POLICY1'}; - %fwdfwsettings = (); - $fwdfwsettings{'POLICY'}='MODE2'; - $fwdfwsettings{'POLICY1'}=$MODE1; - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - &reread_rules; - -} -if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing') -{ - &General::readhasharray("$configoutgoing", \%configoutgoingfw); + if($fwdfwsettings{'poltype'} eq 'forward'){ + &General::readhasharray("$configfwdfw", \%configfwdfw); + foreach my $key (sort keys %configfwdfw){ + &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,); + &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,); + &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,); + } + &General::readhasharray("$configinput", \%configinputfw); + foreach my $key (sort keys %configinputfw){ + &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,); 
+ &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,); + &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,); + } + + system("rm ${General::swroot}/forward/config"); + system("rm ${General::swroot}/forward/input"); + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } + unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } + my $MODE1=$fwdfwsettings{'POLICY1'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'}='MODE2'; + $fwdfwsettings{'POLICY1'}=$MODE1; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &reread_rules; + }else{ + &General::readhasharray("$configoutgoing", \%configoutgoingfw); foreach my $key (sort keys %configoutgoingfw){ &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,); &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,); @@ -385,7 +383,7 @@ if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing') $fwdfwsettings{'POLICY1'}='MODE2'; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; - + } } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) { @@ -598,7 +596,7 @@ print <"; + print "$Lang::tr{'outgoing firewall reset'}: "; print "
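Review bot: The reset handler now branches on `poltype`, but the `else` catches every value other than `forward`, so a reset request with a missing, mistyped or unexpected `poltype` silently wipes the outgoing rule set (`%configoutgoingfw` is read and reset in the `else` branch, whose remainder is in the @@ -385 hunk). Make the second branch explicit, `}elsif($fwdfwsettings{'poltype'} eq 'outgoing'){` (substitute whatever value the form actually sends), so that anything else does nothing. The moved `system("rm ...")` and `system("touch ...")` lines also spawn a shell for a fixed path where `unlink` and a three-arg `open` would do the same without one. The `if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})` block begins in this hunk and ends in the @@ -385 hunk.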
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'fwdfw time'}$Lang::tr{'fwdfw action'}
$weekdays   $$hash{$key}[26] - $$hash{$key}[27]24/7 END - print "$Lang::tr{'outgoing firewall reset'}:
"; print"

"; print < -
+ END - print "$Lang::tr{'outgoing firewall reset'}: "; + print "$Lang::tr{'outgoing firewall reset'}: "; print "
"; &Header::closebox(); } diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index da246f3db..39bd4195d 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -35,6 +35,7 @@ $settings{'DROPOUTGOING'} = 'on'; $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; +$settings{'SHOWCOLORS'} = 'off'; my $errormessage = ''; my $warnmessage = ''; From 1031c2e4a919e510e09dc975ce1567493841d2c5 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 09:12:25 +0100 Subject: [PATCH 129/306] Forward Firewall: added color for target "internet" (RED) --- html/cgi-bin/forwardfw.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index fd6831460..717006893 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2071,6 +2071,8 @@ sub getcolor $tdcolor="style='border: 2px solid $Header::colourorange;'"; }elsif ($val eq 'BLUE'){ $tdcolor="style='border: 2px solid $Header::colourblue;'"; + }elsif ($val eq 'RED'){ + $tdcolor="style='border: 2px solid $Header::colourred;'"; }elsif ($val eq 'IPFire' ){ $tdcolor="style='border: 2px solid $Header::colourred;'"; }elsif($val =~ /^(.*?)\/(.*?)$/){ From e638799b12ce108b6a13cfb3e8a180c56f4d3b9c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 09:33:05 +0100 Subject: [PATCH 130/306] Forward Firewall: fixed Table in servicegroups and hostgroups --- html/cgi-bin/fwhosts.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index dc82a182a..abb60c917 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1499,7 +1499,7 @@ sub viewtablegrp print"
"; } print"
"; - print""; + print"
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; } if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { @@ -1620,7 +1620,7 @@ sub viewtableservicegrp print""; } print""; - print"
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; + print"
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
"; } if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { print" "; From d9a4000ba84beb88853a43a7301633b590c79abb Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 09:50:22 +0100 Subject: [PATCH 131/306] Forward Firewall: show default policy left aligned --- html/cgi-bin/forwardfw.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 717006893..29a6f7079 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -587,8 +587,8 @@ sub base print <
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
- - + + "; - print""; + print""; } } print"
FORWARD
$Lang::tr{'fwdfw pol text'}
FORWARD
$Lang::tr{'fwdfw pol text'}

- - + + +
OUTGOING
$Lang::tr{'fwdfw pol text1'}
OUTGOING
$Lang::tr{'fwdfw pol text1'}

"; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; From 96502a5a67692ae5fb06b9a83799c64040ced1df Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Feb 2013 11:27:30 +0100 Subject: [PATCH 134/306] Forward Firewall: New Firewall-option "show remark in ruletable" --- html/cgi-bin/forwardfw.cgi | 8 +++++--- html/cgi-bin/optionsfw.cgi | 6 ++++++ langs/de/cgi-bin/de.pl | 3 ++- langs/en/cgi-bin/en.pl | 3 ++- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 2343c41ff..377654252 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1900,7 +1900,7 @@ sub viewtablenew } print""; print<$key + END if ($$hash{$key}[0] eq 'ACCEPT'){ $ruletype='A'; @@ -2038,8 +2038,10 @@ END print""; } #REMARK - print""; + if ($optionsfw{'SHOWREMARK'} eq 'on'){ + print""; + } } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'fwdfw time'}$Lang::tr{'fwdfw action'}
$key
"; - print"$Lang::tr{'remark'}: $$hash{$key}[16]
"; + print"$Lang::tr{'remark'}: $$hash{$key}[16]
"; &Header::closebox(); diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 39bd4195d..ab3423081 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -36,6 +36,7 @@ $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; $settings{'SHOWCOLORS'} = 'off'; +$settings{'SHOWREMARK'} = 'on'; my $errormessage = ''; my $warnmessage = ''; @@ -95,6 +96,9 @@ $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; $checked{'SHOWCOLORS'}{'off'} = ''; $checked{'SHOWCOLORS'}{'on'} = ''; $checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'"; +$checked{'SHOWREMARK'}{'off'} = ''; +$checked{'SHOWREMARK'}{'on'} = ''; +$checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'"; $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; @@ -135,6 +139,8 @@ print <
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}on / off
$Lang::tr{'fw settings remark'}on / + off

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 95e62d6aa..1700cef19 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1047,6 +1047,7 @@ 'fw default drop' => 'Firewall Policy', 'fw settings' => 'Firewall Einstellungen', 'fw settings color' => 'Farben in Regeltabelle anzeigen', +'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', 'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', @@ -1437,7 +1438,7 @@ 'network traffic graphs others' => 'Netzwerk (sonstige)', 'network updated' => 'Benutzerdefiniertes Netzwerk aktualisiert', 'networks settings' => 'Firewall - Netzwerkeinstellungen', -'new optionsfw later' => 'Ihre Modifikation(en) wird (werden) beim nächsten Neustart aktiv werden', +'new optionsfw later' => 'Einige Einstellungen werden erst nach einem Neustart aktiv', 'new optionsfw must boot' => 'Sie müssen Ihren IPFire neu starten', 'newer' => 'Neuer', 'next' => 'Nächster', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index cdf76a7a8..ceb726e80 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1072,6 +1072,7 @@ 'fw default drop' => 'Firewall policy', 'fw settings' => 'Firewall settings', 'fw settings color' => 'Show colors in ruletable', +'fw settings remark' => 'Show remarks in ruletable', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', @@ -1465,7 +1466,7 @@ 'network traffic graphs others' => 'Network (others)', 'network updated' => 'Custom Network updated', 'networks settings' => 'Firewall - Network settings', -'new optionsfw later' => 'Your modification(s) will be active on next restart', +'new optionsfw later' => 'Some options need a reboot to take effect', 'new optionsfw must boot' => 'You must reboot your IPFire', 'newer' => 'Newer', 'next' => 'next', From af768a7e80bb8fb3b25bfd8f13a4a0561927f9e2 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Fri, 22 Feb 2013 13:04:30 +0100 Subject: [PATCH 135/306] Forward Firewall: removed cellspacing and black lines between rules in ruletable --- html/cgi-bin/forwardfw.cgi | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 377654252..694409fae 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1832,6 +1832,7 @@ sub viewtablenew my $title1=shift; my $go=''; &General::get_aliases(\%aliases); + &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$config", $hash); if( ! -z $config){ if ($title1 eq $Lang::tr{'external access'} || $title1 eq 'Outgoing'){print"

";} @@ -1844,7 +1845,7 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
"; - print"
"; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @@ -1916,7 +1917,7 @@ END $rulecolor=$color{'color16'}; } print""; - &getcolor($$hash{$key}[3],$$hash{$key}[4]); + &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print" END - &getcolor($$hash{$key}[5],$$hash{$key}[6]); + &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost); print< END @@ -2039,7 +2040,7 @@ END } #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on'){ - print""; } } @@ -2052,7 +2053,9 @@ sub getcolor { my $nettype=shift; my $val=shift; + my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #VPN networks if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ $tdcolor="style='border: 2px solid $Header::colourovpn;'"; return; @@ -2061,6 +2064,15 @@ sub getcolor $tdcolor="style='border: 2px solid $Header::colourvpn;'"; return; } + #custom Hosts + if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + foreach my $key (sort keys %$hash){ + if ($$hash{$key}[0] eq $val){ + $val=$$hash{$key}[2]; + } + } + } + #ALIASE foreach my $alias (sort keys %aliases) { if ($val eq $alias){ @@ -2068,6 +2080,7 @@ sub getcolor return; } } + #standard networks if ($val eq 'GREEN'){ $tdcolor="style='border: 2px solid $Header::colourgreen;'"; }elsif ($val eq 'ORANGE'){ From 6ca0b0f5fbfdfe4875a38b7ffc47d2af56efd9ec Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 23 Feb 2013 06:21:42 +0100 Subject: [PATCH 136/306] Forward Firewall: made colored borders in ruletable thinner (1px) and changed remarkline --- html/cgi-bin/forwardfw.cgi | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 694409fae..24118abc6 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
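Review bot: The custom-host loop in `getcolor` keeps iterating after it has replaced `$val` with the matching host's address, so the substituted address is then compared against the remaining host names; add `last;` directly after `$val=$$hash{$key}[2];`. `&General::readhasharray("$confighost", \%customhost);` is also executed inside `viewtablenew`, which `viewtablerule` calls three times per page, so the host file is re-parsed for every table; reading it once in `viewtablerule` would avoid that. The `#ALIASE` comment should read `#aliases`. `getcolor` and `viewtablenew` both start outside these hunks.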
@@ -2040,8 +2040,8 @@ END } #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on'){ - print""; + print""; + print""; } } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'fwdfw time'}$Lang::tr{'fwdfw action'}
$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); @@ -1939,7 +1940,7 @@ END
"; + print"
"; print"$Lang::tr{'remark'}: $$hash{$key}[16]
"; - print"$Lang::tr{'remark'}: $$hash{$key}[16]
 $$hash{$key}[16]
"; @@ -2057,11 +2057,11 @@ sub getcolor if($optionsfw{'SHOWCOLORS'} eq 'on'){ #VPN networks if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ - $tdcolor="style='border: 2px solid $Header::colourovpn;'"; + $tdcolor="style='border: 1px solid $Header::colourovpn;'"; return; } if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ - $tdcolor="style='border: 2px solid $Header::colourvpn;'"; + $tdcolor="style='border: 1px solid $Header::colourvpn;'"; return; } #custom Hosts 
@@ -2082,28 +2082,28 @@ sub getcolor } #standard networks if ($val eq 'GREEN'){ - $tdcolor="style='border: 2px solid $Header::colourgreen;'"; + $tdcolor="style='border: 1px solid $Header::colourgreen;'"; }elsif ($val eq 'ORANGE'){ - $tdcolor="style='border: 2px solid $Header::colourorange;'"; + $tdcolor="style='border: 1px solid $Header::colourorange;'"; }elsif ($val eq 'BLUE'){ - $tdcolor="style='border: 2px solid $Header::colourblue;'"; + $tdcolor="style='border: 1px solid $Header::colourblue;'"; }elsif ($val eq 'RED'){ - $tdcolor="style='border: 2px solid $Header::colourred;'"; + $tdcolor="style='border: 1px solid $Header::colourred;'"; }elsif ($val eq 'IPFire' ){ - $tdcolor="style='border: 2px solid $Header::colourred;'"; + $tdcolor="style='border: 1px solid $Header::colourred;'"; }elsif($val =~ /^(.*?)\/(.*?)$/){ my ($sip,$scidr) = split ("/",$val); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ - $tdcolor="style='border: 2px solid $Header::colourorange;'"; + $tdcolor="style='border: 1px solid $Header::colourorange;'"; } if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ - $tdcolor="style='border: 2px solid $Header::colourgreen;'"; + $tdcolor="style='border: 1px solid $Header::colourgreen;'"; } if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ - $tdcolor="style='border: 2px solid $Header::colourblue;'"; + $tdcolor="style='border: 1px solid $Header::colourblue;'"; } }elsif ($val eq 'Default IP'){ - $tdcolor="style='border: 2px solid red;'"; + $tdcolor="style='border: 1px solid red;'"; }else{ $tdcolor=''; } From f83227921516681f642ce29e4f9121d6341e1d99 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 23 Feb 2013 06:33:15 +0100 Subject: [PATCH 137/306] Forward Firewall: minor changes an ruletable --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 24118abc6..2b1d96221 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2041,7 +2041,7 @@ END #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on'){ print"
 $$hash{$key}[16]
 $$hash{$key}[16]
"; From 30d80ed42a716aa35c5827a4ec513e2925638da9 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sat, 23 Feb 2013 20:28:47 +0100 Subject: [PATCH 138/306] Forward Firewall: added p2p-block.cgi to apache2 --- config/rootfiles/common/apache2 | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index d57390443..17d860986 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1414,6 +1414,7 @@ srv/web/ipfire/cgi-bin/netother.cgi #srv/web/ipfire/cgi-bin/outgoinggrp.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/p2p-block.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/portfw.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi From 515863e299fd11273cf06cc3d2a5ecd673553a1f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 13:03:54 +0100 Subject: [PATCH 139/306] Forward Firewall: Some further layout changes. 1) New textfile for DMZ rules 2) Tablegroups are shown on firewall site 3) Option in firewall-options to disable emtpy ruletables 4) Infotext on P2P-Block site --- html/cgi-bin/forwardfw.cgi | 177 +++++++++++++++++++++++++++++++++---- html/cgi-bin/p2p-block.cgi | 1 + langs/de/cgi-bin/de.pl | 3 + langs/en/cgi-bin/en.pl | 3 + 4 files changed, 165 insertions(+), 19 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 2b1d96221..a14c6791b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -46,6 +46,7 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } +unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); } my %fwdfwsettings=(); my %selected=() ; @@ -62,6 +63,7 @@ my %ccdhost=(); my %configfwdfw=(); my %configinputfw=(); my %configoutgoingfw=(); +my %configdmzfw=(); my %ipsecconf=(); my %color=(); my %mainsettings=(); @@ -85,12 +87,14 @@ my $configipsecrw = "${General::swroot}/vpn/settings"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $configdmz = "${General::swroot}/forward/dmz"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; my $errormessage=''; my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; my $tdcolor=''; +my $checkorange=''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); 
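Review bot: The new `unless (-e "${General::swroot}/forward/dmz") { system("touch ..."); }` line copies the three above it, but it forks a shell from a CGI just to create an empty file and ignores `system`'s return value, so a failed creation only surfaces at a later read. The path is built from `$General::swroot` alone, so nothing untrusted reaches the shell, yet Perl can do this without a subprocess: `open(my $fh, '>>', "${General::swroot}/forward/dmz") or die "${General::swroot}/forward/dmz: $!"; close($fh);`. The `@@ -62` and `@@ -85` hunks only add declarations and need nothing beyond that.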
@@ -118,15 +122,83 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); &General::readhasharray("$configoutgoing", \%configoutgoingfw); + $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $checkorange='on'; + } + } + #check useless rules + if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage.=$Lang::tr{'fwdfw useless rule'}."
"; + } + #check if we try to break rules if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } + print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'} neue grp1 ist $fwdfwsettings{$fwdfwsettings{'grp1'}} alte grp1 $fwdfwsettings{'oldgrp1b'} und altgrp2 ist $fwdfwsettings{'oldgrp2a'} und aktuell grp2 $fwdfwsettings{'grp2'} und update ist $fwdfwsettings{'updatefwrule'}
"; + + #DMZ-Part + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ + $fwdfwsettings{'config'}=$configdmz; + $fwdfwsettings{'chain'} = 'FORWARDFW'; + my $maxkey=&General::findhasharraykey(\%configdmzfw); + #check if we have an identical rule already + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configdmzfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne 
$fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configdmzfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} 
&& $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + $fwdfwsettings{'nosave2'} = 'on'; + } + } + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configdmzfw,$configdmz); + } #INPUT part - if($fwdfwsettings{'grp2'} eq 'ipfire'){ + }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'chain'} = 'INPUTFW'; my $maxkey=&General::findhasharraykey(\%configinputfw); @@ -1030,6 +1102,7 @@ sub newrule { &error; &General::setup_default_networks(\%defaultNetworks); + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); #read all configfiles &General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$confignet", \%customnetwork); 
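Review bot: The DMZ duplicate check in the `@@ -118,15 +122,83 @@` hunk loops over `%configdmzfw`, but the three `readhasharray` calls at the top of the hunk load only `$configfwdfw`, `$configinput` and `$configoutgoing`; nothing visible loads `$configdmz` before this point, so unless it happens in the lines between the settings reads and line 122 that are not shown, the 'ruleexists' test never fires for DMZ rules and `$maxkey` is computed over an empty hash — `&General::readhasharray("$configdmz", \%configdmzfw);` beside the other three would fix that. The `print" save1 checkorange ist ..."` diagnostic writes internal form state straight into the CGI response and should not ship. The 26-field rule signature is pasted twice in this hunk (and again for the input case), so a small helper returning the signature for one entry would keep the copies from drifting. The enclosing `if ($fwdfwsettings{'ACTION'} eq 'saverule')` block starts and ends outside the hunk.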
@@ -1125,11 +1198,32 @@ sub newrule $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } }else{ $fwdfwsettings{'ACTIVE'}='ON'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } } - &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); print < +
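Review bot: In the `@@ -1125,11 +1198,32 @@` hunk the `else` branch now repeats, verbatim, the eight `old*` assignments and the ORANGE-source check that the `if` branch above performs (that branch begins outside the hunk), so the two copies will diverge the next time one is edited. Running the block once after the `if`/`else`, or placing it in a small `sub` called from both branches, removes the duplication. `$scidr` from the `split` is unused in both copies; `my ($sip) = split("/", $fwdfwsettings{$fwdfwsettings{'grp1'}});` is enough. `sub newrule` starts and ends outside the hunk.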
END @@ -1550,30 +1645,68 @@ sub saverule my $hash=shift; my $config=shift; &General::readhasharray("$config", $hash); + print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'}
"; + if (!$errormessage){ - #check if we change an forward rule to an external access - if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); + #check if we change a DMZ to an outgoing + if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configdmz); + print"1"; } - #check if we change an forward rule to an outgoing - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); - } - #check if we change an external access rule to a forward - if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); + #check if we change a DMZ to an external access + elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configdmz); + print"2"; } #check if we change an external access rule to a outgoing - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ &changerule($configinput); + print"3"; } - #check if we change an outgoing rule to a forward - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configoutgoing); 
+ #check if we change an external access rule to a DMZ + elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configinput); + print"4"; } #check if we change an outgoing rule to a external access - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ &changerule($configoutgoing); + print"5"; + } + #check if we change an outgoing rule to a DMZ + if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + print"6"; + } + #check if we change an forward rule to an external access + elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + print"7"; + } + #check if we change an forward rule to an DMZ + if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + print"8"; + } + #check if we change an forward rule to an outgoing + elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configfwdfw); + print"9"; + } + #check if we change a DMZ to a forward + elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && 
($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configdmz); + print"10"; + } + #check if we change an external access rule to a forward + elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configinput); + print"11"; + } + #check if we change an outgoing rule to a forward + elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &changerule($configoutgoing); + print"12"; } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); @@ -1820,7 +1953,8 @@ sub get_serviceports sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); - &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); + &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" ); + &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } @@ -1835,7 +1969,6 @@ sub viewtablenew &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$config", $hash); if( ! -z $config){ - if ($title1 eq $Lang::tr{'external access'} || $title1 eq 'Outgoing'){print"
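Review bot: In the `@@ -1550,30 +1645,68 @@` hunk the twelve transition tests are not one `if`/`elsif` chain: branches 5, 6 and 8 (the 'outgoing rule to a external access', 'outgoing rule to a DMZ' and 'forward rule to an DMZ' cases) each open with a plain `if(`, so a single save can call `&changerule` more than once — an outgoing rule moved to ORANGE matches branch 6 (`changerule($configoutgoing)`) and then branch 8 (`changerule($configfwdfw)`), and a DMZ rule moved to IPFire matches branch 1 and then branch 9. If `changerule` removes the old entry from the file it is given, the second call targets a file that never held the rule; turning those three `if(` into `elsif(` makes the chain exclusive, though the ordering then needs checking against each transition. The `print"1"` … `print"12"` markers are written into the HTTP response. `sub saverule` starts and ends outside the hunk.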

";} &Header::openbox('100%', 'left',$title); my $count=0; my ($gif,$log); @@ -2047,6 +2180,12 @@ END print""; &Header::closebox(); print "
"; + print "

"; + }else{ + if ($optionsfw{'SHOWTABLES'} eq 'on'){ + print "$title1
"; + print"
$Lang::tr{'fwhost empty'}


"; + } } } sub getcolor diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi index 1c69a0ea3..9d248a133 100755 --- a/html/cgi-bin/p2p-block.cgi +++ b/html/cgi-bin/p2p-block.cgi @@ -121,6 +121,7 @@ END } print"$Lang::tr{'outgoing firewall p2p allow'}"; print"$Lang::tr{'outgoing firewall p2p deny'}"; + print"


$Lang::tr{'fwdfw p2p txt'}
"; &Header::closebox(); } sub rules diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 1700cef19..4b03b2878 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -924,6 +924,7 @@ 'fwdfw man port' => 'Port(s) manuell:', 'fwdfw moveup' => 'Hoch', 'fwdfw movedown' => 'Runter', +'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist. Eventuell sollten die QOS Einstellungen entsprechend gesetzt werden.', 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', @@ -944,6 +945,7 @@ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen', 'fwdfw toggle' => 'Aktivieren oder deaktivieren', 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.', 'fwdfw use srcport' => 'Quellport benutzen', 'fwdfw use srv' => 'Ziel-Dienstport benutzen', 'fwdfw newrule' => 'Neue Regel', @@ -1048,6 +1050,7 @@ 'fw settings' => 'Firewall Einstellungen', 'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', +'fw settings ruletable' => 'Leere Regeltabellen anzeigen', 'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ceb726e80..dfdd61f27 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -949,6 +949,7 @@ 'fwdfw man port' => 'Port(s) manual:', 'fwdfw moveup' => 'Move up', 'fwdfw movedown' => 'Move down', +'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly. Maybe you should have a look at the QOS settings.', 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', @@ -969,6 +970,7 @@ 'fwdfw timeframe' => 'Add timeframe', 'fwdfw toggle' => 'Activate or deactivate', 'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw useless rule' => 'This rule is rejected (useless).', 'fwdfw use srcport' => 'Use sourceport', 'fwdfw use srv' => 'Use targetport', 'fwdfw newrule' => 'New rule', @@ -1073,6 +1075,7 @@ 'fw settings' => 'Firewall settings', 'fw settings color' => 'Show colors in ruletable', 'fw settings remark' => 'Show remarks in ruletable', +'fw settings ruletable' => 'Show empty ruletables', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', From 5aa8edf6f794691843e13f0febfb29ee0ccf18d7 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 13:11:13 +0100 Subject: [PATCH 140/306] Forward Firewall: some changes for ISO --- config/rootfiles/common/configroot | 2 ++ lfs/configroot | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index f15df7699..c930ad078 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -51,6 +51,8 @@ var/ipfire/forward/bin/firewall-lib.pl var/ipfire/forward/settings var/ipfire/forward/config var/ipfire/forward/input +var/ipfire/forward/outgoing +var/ipfire/forward/dmz var/ipfire/forward/p2protocols var/ipfire/fwhosts var/ipfire/fwhosts/icmp-types 
diff --git a/lfs/configroot b/lfs/configroot index 9b4c4d109..1a4edb026 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -65,7 +65,7 @@ $(TARGET) : for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \ + extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ @@ -120,6 +120,9 @@ $(TARGET) : echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings From d603d1dee0376f6816e9643c8a332780cd112d93 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 13:22:43 +0100 Subject: [PATCH 141/306] Forward Firewall: disabled some dev-comments --- html/cgi-bin/forwardfw.cgi | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) 
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index a14c6791b..5650717d9 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -142,8 +142,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
 $errormessage.=$Lang::tr{'fwdfw err same'};
 }
- print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'} neue grp1 ist $fwdfwsettings{$fwdfwsettings{'grp1'}} alte grp1 $fwdfwsettings{'oldgrp1b'} und altgrp2 ist $fwdfwsettings{'oldgrp2a'} und aktuell grp2 $fwdfwsettings{'grp2'} und update ist $fwdfwsettings{'updatefwrule'}
";
-
 #DMZ-Part
 if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
 $fwdfwsettings{'config'}=$configdmz;
@@ -1645,68 +1643,66 @@ sub saverule
 my $hash=shift;
 my $config=shift;
 &General::readhasharray("$config", $hash);
- print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'}
";
-
 if (!$errormessage){
 #check if we change a DMZ to an outgoing
 if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configdmz);
- print"1";
+ #print"1";
 }
 #check if we change a DMZ to an external access
 elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configdmz);
- print"2";
+ #print"2";
 }
 #check if we change an external access rule to a outgoing
 elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configinput);
- print"3";
+ #print"3";
 }
 #check if we change an external access rule to a DMZ
 elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configinput);
- print"4";
+ #print"4";
 }
 #check if we change an outgoing rule to a external access
 if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configoutgoing);
- print"5";
+ #print"5";
 }
 #check if we change an outgoing rule to a DMZ
 if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configoutgoing);
- print"6";
+ #print"6";
 }
 #check if we change an forward rule to an external access
 elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configfwdfw);
- print"7";
+ #print"7";
 }
 #check if we change an forward rule to an DMZ
 if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configfwdfw);
- print"8";
+ #print"8";
 }
 #check if we change an forward rule to an outgoing
 elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configfwdfw);
- print"9";
+ #print"9";
 }
 #check if we change a DMZ to a forward
 elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && ($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configdmz);
- print"10";
+ #print"10";
 }
 #check if we change an external access rule to a forward
 elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configinput);
- print"11";
+ #print"11";
 }
 #check if we change an outgoing rule to a forward
 elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 &changerule($configoutgoing);
- print"12";
+ #print"12";
 }
 if ($fwdfwsettings{'updatefwrule'} ne 'on'){
 my $key = &General::findhasharraykey ($hash);
From 31fef6cc2d8c19fb7b5a86529b4b98bc2d4fd85f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 13:56:48 +0100 Subject: [PATCH 142/306] Forward Firewall: rules.pl supports now DMZ rules. These rules are applied first --- config/forwardfw/rules.pl | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index ffdb6c2ce..0ff153d61 100755
--- a/config/forwardfw/rules.pl
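Review bot: The twelve `#print"N";` lines left behind in the `@@ -1645,68 +1643,66 @@` hunk are dead code that will only ever be uncommented ad hoc and, when they are, write into the HTTP response; deleting them (history keeps them) or replacing them with a single `warn` behind a debug flag, so that output lands in the web server's error log, would be cleaner. The same reasoning applies to the debug `print` the `@@ -142` hunk removes, which is the right call. `sub saverule` starts and ends outside the hunk.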
+++ b/config/forwardfw/rules.pl
@@ -43,6 +43,7 @@ our %targethash=();
 my @timeframe=();
 my %configinputfw=();
 my %configoutgoingfw=();
+my %configdmzfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -50,6 +51,7 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/forward/bin/firewall-lib.pl";
+my $configdmz = "${General::swroot}/forward/dmz";
 my $configfwdfw = "${General::swroot}/forward/config";
 my $configinput = "${General::swroot}/forward/input";
 my $configoutgoing = "${General::swroot}/forward/outgoing";
@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
 &General::readhash("$netsettings", \%defaultNetworks);
+&General::readhasharray($configdmz, \%configdmzfw);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configoutgoing, \%configoutgoingfw);
@@ -132,6 +135,9 @@ sub flush
 }
 sub preparerules
 {
+ if (! -z "${General::swroot}/forward/dmz"){
+ &buildrules(\%configdmzfw);
+ }
 if (! -z "${General::swroot}/forward/config"){
 &buildrules(\%configfwdfw);
 }
From 25dd450cbae6159727dfeff231da9573a075b4f9 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 21:25:53 +0100 Subject: [PATCH 143/306] Forward Firewall: Bugfix: Error appending or writing comments in rule --- html/cgi-bin/forwardfw.cgi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 5650717d9..7d09e4cb5 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
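Review bot: In the `@@ -132,6 +135,9 @@` hunk `preparerules` tests the literal path `"${General::swroot}/forward/dmz"` although the `@@ -50` hunk of the same change introduces `$configdmz` with exactly that value; `if (! -z $configdmz){` keeps the two from drifting. Note that `-z` is undefined for a missing file, so `! -z` is true and `buildrules` runs on an empty `%configdmzfw` in that case — the same behaviour as the existing config/input tests, so presumably harmless, but `if (-s $configdmz){` is the form that skips the call when the file is absent or empty.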
@@ -153,7 +153,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; 
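Review bot: Dropping `$fwdfwsettings{'ruleremark'} eq ''` from the `if` makes the following `elsif`, the one that calls `&validremark`, unreachable, since its condition now implies the `if` condition; on an update whose remark changed, an invalid remark no longer produces `fwdfw err remark` in this path, and the same pattern is repeated in the hunks at -206, -279 and -335. Swapping the two branches, so that the `!&validremark($fwdfwsettings{'ruleremark'})` test is the `if` and the plain `updatefwrule eq 'on'` test the `elsif`, restores the check. `$errormessage=''` also discards anything appended before the `fwdfw err ruleexists` message, which the `.=` on the previous line suggests can exist; clearing only what this block appended would be safer. Whether `validremark` runs again later in the saverule handler is outside the hunk, so a second gate may exist that I cannot see.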
@@ -206,7 +206,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ 
$errormessage=$Lang::tr{'fwdfw err remark'}."
"; 
@@ -279,7 +279,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' 
&& !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; @@ -335,7 +335,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){ + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; @@ -2170,7 +2170,7 @@ END #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on'){ print""; - print" $$hash{$key}[16]"; + print"   $$hash{$key}[16]"; } } print""; From 3f6bba6dbb92a41ccbe5f63753c98cb6658e06bf Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 25 Feb 2013 21:40:09 +0100 Subject: [PATCH 144/306] Forward Firewall: Forgot to delete a dev-comment --- config/forwardfw/convert-outgoingfw | 1 - 1 file changed, 1 deletion(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 22c9272ba..e7d8e80af 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -249,7 +249,6 @@ sub check_grp sub process_rules { my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); - print"uzlputz modus ist $outsettings{'POLICY'} \n"; &General::readhash($fwdfwsettings,\%fwdsettings); if ($outsettings{'POLICY'} eq 'MODE1'){ $fwdfwsettings{'POLICY'}='MODE1'; From 5b375ca7e640361701497ae451a4892e7ec5334e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 26 Feb 2013 06:16:14 +0100 Subject: [PATCH 145/306] Forward Firewall: added a 1px heigh line after each rule. so the coloured borders are looking better --- html/cgi-bin/forwardfw.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7d09e4cb5..f7d2bb1dd 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1974,7 +1974,7 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
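Review bot: The rewritten `print"   $$hash{$key}[16]";` interpolates the rule remark (field 16, the one the duplicate check skips) straight into the page without escaping, and the only gate visible for that value is `&validremark`, which the -153 hunk of this same commit makes unreachable in the duplicate-rule path. What characters `validremark` rejects is not visible here, so the safe change is to escape `&`, `<`, `>` and `"` to entities at this print rather than rely on input validation alone. The enclosing sub starts outside the hunk.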
"; - print""; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @@ -2172,6 +2172,7 @@ END print""; print""; } + print""; } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'fwdfw time'}$Lang::tr{'fwdfw action'}
   $$hash{$key}[16]
"; &Header::closebox(); From 3f8d9da3000a6f2268fc2c3c9b724d593a079f8e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 26 Feb 2013 13:41:23 +0100 Subject: [PATCH 146/306] Forward Firewall: reordered 50-firewall.menu --- config/menu/50-firewall.menu | 48 ++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index 029534323..0bf908223 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu 
@@ -1,45 +1,45 @@
- $subfirewall->{'10.dnat'} = {
- 'caption' => $Lang::tr{'ssport forwarding'},
- 'uri' => '/cgi-bin/portfw.cgi',
- 'title' => "$Lang::tr{'ssport forwarding'}",
- 'enabled' => 1,
- };
- $subfirewall->{'30.wireless'} = {
- 'caption' => $Lang::tr{'blue access'},
- 'uri' => '/cgi-bin/wireless.cgi',
- 'title' => "$Lang::tr{'blue access'}",
- 'enabled' => 1,
- };
- $subfirewall->{'51.forward'} = {
+ $subfirewall->{'10.forward'} = {
 'caption' => $Lang::tr{'fwdfw menu'},
 'uri' => '/cgi-bin/forwardfw.cgi',
 'title' => "$Lang::tr{'fwdfw menu'}",
 'enabled' => 1,
- };
- $subfirewall->{'65.fwhost'} = {
+ };
+ $subfirewall->{'20.fwhost'} = {
 'caption' => $Lang::tr{'fwhost menu'},
 'uri' => '/cgi-bin/fwhosts.cgi',
 'title' => "$Lang::tr{'fwhost menu'}",
 'enabled' => 1,
 };
- $subfirewall->{'70.upnp'} = {
- 'caption' => 'UPnP',
- 'uri' => '/cgi-bin/upnp.cgi',
- 'title' => "Universal Plug and Play",
- 'enabled' => 0,
- };
- $subfirewall->{'80.optionsfw'} = {
+ $subfirewall->{'30.optionsfw'} = {
 'caption' => $Lang::tr{'options fw'},
 'uri' => '/cgi-bin/optionsfw.cgi',
 'title' => "$Lang::tr{'options fw'}",
 'enabled' => 1,
 };
- $subfirewall->{'81.p2p'} = {
+ $subfirewall->{'40.p2p'} = {
 'caption' => 'P2P-Block',
 'uri' => '/cgi-bin/p2p-block.cgi',
 'title' => "P2P-Block",
 'enabled' => 1,
- };
+ };
+ $subfirewall->{'50.dnat'} = {
+ 'caption' => $Lang::tr{'ssport forwarding'},
+ 'uri' => '/cgi-bin/portfw.cgi',
+ 'title' => "$Lang::tr{'ssport forwarding'}",
+ 'enabled' => 1,
+ };
+ $subfirewall->{'60.wireless'} = {
+ 'caption' => $Lang::tr{'blue access'},
+ 'uri' => '/cgi-bin/wireless.cgi',
+ 'title' => "$Lang::tr{'blue access'}",
+ 'enabled' => 1,
+ };
+ $subfirewall->{'70.upnp'} = {
+ 'caption' => 'UPnP',
+ 'uri' => '/cgi-bin/upnp.cgi',
+ 'title' => "Universal Plug and Play",
+ 'enabled' => 0,
+ };
 $subfirewall->{'90.iptables'} = {
 'caption' => $Lang::tr{'ipts'},
 'uri' => '/cgi-bin/iptables.cgi',
From 770140a7bfb302261d1e79d3b9add20be6b2b7ed Mon Sep 17 00:00:00 2001
From: Alexander Marx Date: Tue, 26 Feb 2013 14:34:30 +0100 Subject: [PATCH 147/306] Forward Firewall: removed some text in p2p-block and changed dropdown to radiobutton in optionsfw --- html/cgi-bin/optionsfw.cgi | 31 +++++++++++++++++++------------ langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index ab3423081..fc9b3d0ca 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -37,6 +37,7 @@ $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; $settings{'SHOWCOLORS'} = 'off'; $settings{'SHOWREMARK'} = 'on'; +$settings{'SHOWTABLES'} = 'on'; my $errormessage = ''; my $warnmessage = ''; @@ -99,8 +100,15 @@ $checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'"; $checked{'SHOWREMARK'}{'off'} = ''; $checked{'SHOWREMARK'}{'on'} = ''; $checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'"; -$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; -$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; +$checked{'SHOWTABLES'}{'off'} = ''; +$checked{'SHOWTABLES'}{'on'} = ''; +$checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'"; +$checked{'FWPOLICY'}{'DROP'} = ''; +$checked{'FWPOLICY'}{'REJECT'} = ''; +$checked{'FWPOLICY'}{$settings{'FWPOLICY'}} = "checked='checked'"; +$checked{'FWPOLICY1'}{'DROP'} = ''; +$checked{'FWPOLICY1'}{'REJECT'} = ''; +$checked{'FWPOLICY1'}{$settings{'FWPOLICY1'}} = "checked='checked'"; &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); @@ -140,19 +148,18 @@ print <$Lang::tr{'fw settings color'}on / off $Lang::tr{'fw settings remark'}on / - off - + off +$Lang::tr{'fw settings ruletable'}on/ + off +
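Review bot: `$checked{'FWPOLICY'}{$settings{'FWPOLICY'}} = "checked='checked'"` preselects nothing when the stored value is empty or anything other than `DROP`/`REJECT`, and the same holds for `FWPOLICY1`, so a form saved from that state posts no policy at all. This is the firewall's default-policy target and should fail closed: unless a default is already set above the -37 hunk, seed `$settings{'FWPOLICY'} = 'DROP';` and `$settings{'FWPOLICY1'} = 'DROP';` next to the new `$settings{'SHOWTABLES'} = 'on';`. Whether the save path rejects values outside DROP/REJECT is outside these hunks.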
- - + + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'} -
$Lang::tr{'drop action1'} -
$Lang::tr{'drop action'}DROP / + REJECT
$Lang::tr{'drop action1'}DROP / + REJECT

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4b03b2878..4ba95c7e5 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -924,7 +924,7 @@
 'fwdfw man port' => 'Port(s) manuell:',
 'fwdfw moveup' => 'Hoch',
 'fwdfw movedown' => 'Runter',
-'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist. Eventuell sollten die QOS Einstellungen entsprechend gesetzt werden.',
+'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist.',
 'fwdfw pol allow' => 'Zugelassen',
 'fwdfw pol block' => 'Blockiert',
 'fwdfw pol title' => 'Standardverhalten der Firewall',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dfdd61f27..6b9f6d4a5 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -949,7 +949,7 @@ 'fwdfw man port' => 'Port(s) manual:', 'fwdfw moveup' => 'Move up', 'fwdfw movedown' => 'Move down', -'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly. Maybe you should have a look at the QOS settings.', +'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly.', 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', From e2619c15215a9f86773e3bb84056b1f651261ec6 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 26 Feb 2013 14:40:16 +0100 Subject: [PATCH 148/306] FOrward Firewall: Typo --- html/cgi-bin/optionsfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index fc9b3d0ca..90c3a32a0 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -149,7 +149,7 @@ print < off $Lang::tr{'fw settings remark'}on / off -$Lang::tr{'fw settings ruletable'}on/ +$Lang::tr{'fw settings ruletable'}on / off
From 88f18201c74a911303b8ba023830c5e068794a21 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 26 Feb 2013 15:33:27 +0100
Subject: [PATCH 149/306] Forward Firewall: changed menu to show access to blue correctly

---
 config/menu/50-firewall.menu | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index 0bf908223..f8f809833 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu
@@ -10,12 +10,18 @@
 'title' => "$Lang::tr{'fwhost menu'}",
 'enabled' => 1,
 };
- $subfirewall->{'30.optionsfw'} = {
+ $subfirewall->{'29.optionsfw'} = {
 'caption' => $Lang::tr{'options fw'},
 'uri' => '/cgi-bin/optionsfw.cgi',
 'title' => "$Lang::tr{'options fw'}",
 'enabled' => 1,
 };
+ $subfirewall->{'30.wireless'} = {
+ 'caption' => $Lang::tr{'blue access'},
+ 'uri' => '/cgi-bin/wireless.cgi',
+ 'title' => "$Lang::tr{'blue access'}",
+ 'enabled' => 1,
+ };
 $subfirewall->{'40.p2p'} = {
 'caption' => 'P2P-Block',
 'uri' => '/cgi-bin/p2p-block.cgi',
@@ -28,12 +34,6 @@
 'title' => "$Lang::tr{'ssport forwarding'}",
 'enabled' => 1,
 };
- $subfirewall->{'60.wireless'} = {
- 'caption' => $Lang::tr{'blue access'},
- 'uri' => '/cgi-bin/wireless.cgi',
- 'title' => "$Lang::tr{'blue access'}",
- 'enabled' => 1,
- };
 $subfirewall->{'70.upnp'} = {
 'caption' => 'UPnP',
 'uri' => '/cgi-bin/upnp.cgi',
From 8013bd0ac28ac8daee7bae5ebcfe4c9fd8154310 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 27 Feb 2013 05:35:41 +0100
Subject: [PATCH 150/306] Forward Firewall: Some changes in langagefiles and layout in fwhosts.cgi

---
 html/cgi-bin/fwhosts.cgi | 47 +++++++++++++++++-----------------------
 langs/de/cgi-bin/de.pl | 26 +++++++++++-----------
 langs/en/cgi-bin/en.pl | 2 +-
 3 files changed, 34 insertions(+), 41 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index abb60c917..e608b0f3f 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -391,25 +391,14 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $errormessage=$errormessage.$Lang::tr{'fwhost err empty'}; $fwhostsettings{'ACTION'} = 'edithost'; }else{ - if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ + if($fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ $fwhostsettings{'type'} = 'mac'; - }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ - $fwhostsettings{'type'} = 'ip'; - }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){ - $fwhostsettings{'type'} = 'mac'; - }elsif($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + }elsif($fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ $fwhostsettings{'type'} = 'ip'; }else{ $fwhostsettings{'type'} = ''; $errormessage=$Lang::tr{'fwhost err ipmac'}; } - if($fwhostsettings{'type'} eq 'mac' ) - { - if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ ) - { - $errormessage=$Lang::tr{'fwhost err mac'}; - } - } #check remark if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){ $errormessage=$Lang::tr{'fwhost err remark'}; @@ -1097,8 +1086,8 @@ sub addnet $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; print<
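Review bot: The new IP branch `/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/` accepts octets above 255 (for example `999.1.1.1`) and, because of `$`, a trailing newline, so an invalid address can be stored as type `ip` and reach the rule generator; the MAC branch likewise accepts single-digit groups such as `a:b:c:d:e:f`, which the rule generator may not accept. Anchor with `\A`/`\z` and reject out-of-range octets, e.g. `}elsif($fwhostsettings{'IP'}=~/\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/ && !grep { $_ > 255 } ($1,$2,$3,$4)){`, or use the address validator from general-functions.pl if one is available. The savehost handler starts before this hunk, so earlier validation may exist that I cannot see.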
- $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: - $Lang::tr{'remark'}: + $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: + $Lang::tr{'remark'}:

END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') @@ -1119,15 +1108,19 @@ sub addhost $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; print< - $Lang::tr{'name'}: + END - if ($fwhostsettings{'type'} eq 'ip'){print "";}else{print "";} - if ($fwhostsettings{'type'} eq 'mac'){print "";}else{print "";} + # print<IP/MAC: - $Lang::tr{'remark'}: -

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'} -
+ + IP/MAC: + $Lang::tr{'remark'}: +

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'} +
END if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') @@ -1157,7 +1150,7 @@ sub addgrp if ($fwhostsettings{'update'} eq ''){ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:

END }else{ @@ -1265,7 +1258,7 @@ sub addservice } print< - $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}:$Lang::tr{'fwhost prot'}: - $Lang::tr{'fwhost icmptype'}$Lang::tr{'fwhost port'}: + $Lang::tr{'fwhost icmptype'}$Lang::tr{'remark'}: + $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}:

 END
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4ba95c7e5..d97739e8a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -924,7 +924,7 @@
 'fwdfw man port' => 'Port(s) manuell:',
 'fwdfw moveup' => 'Hoch',
 'fwdfw movedown' => 'Runter',
-'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist.',
+'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Unter Umständen können einzelne aktivierte P2P Netzewerke einen erheblichen Teil der Bandbreite beanspruchen.',
 'fwdfw pol allow' => 'Zugelassen',
 'fwdfw pol block' => 'Blockiert',
 'fwdfw pol title' => 'Standardverhalten der Firewall',
@@ -1010,16 +1010,16 @@
 'fwhost icmptype' => 'ICMP-Typ:',
 'fwhost ipadr' => 'IP Adresse:',
 'fwhost ip_mac' => 'IP/MAC Adresse',
-'fwhost ipsec host' => 'IpSec Clients:',
-'fwhost ipsec net' => 'IpSec Netzwerke:',
+'fwhost ipsec host' => 'IPsec Clients:',
+'fwhost ipsec net' => 'IPsec Netzwerke:',
 'fwhost netaddress' => 'Netzwerk Adresse',
-'fwhost newnet' => 'Netz Einstellungen',
-'fwhost newhost' => 'Adress Einstellungen',
-'fwhost newgrp' => 'Adress Gruppierung',
-'fwhost newservice' => 'Dienst Einstellungen',
-'fwhost newservicegrp' => 'Dienst Gruppierung',
+'fwhost newnet' => 'Netz-Einstellungen',
+'fwhost newhost' => 'Adress-Einstellungen',
+'fwhost newgrp' => 'Adress-Gruppierung',
+'fwhost newservice' => 'Dienst-Einstellungen',
+'fwhost newservicegrp' => 'Dienst-Gruppierung',
 'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
-'fwhost menu' => 'Firewall Gruppen',
+'fwhost menu' => 'Firewall-Gruppen',
 'fwhost orange' => 'Orange',
 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
 'fwhost port' => 'Port(s)',
@@ -1045,13 +1045,13 @@
 'from email server' => 'Von Email Server',
 'from email user' => 'Von Email Benutzer',
 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
-'fw blue' => 'Firewall Optionen für das Blaue Interface',
+'fw blue' => 'Firewall-Optionen für das Blaue Interface',
 'fw default drop' => 'Firewall Policy',
-'fw settings' => 'Firewall Einstellungen',
+'fw settings' => 'Firewall-Einstellungen',
 'fw settings color' => 'Farben in Regeltabelle anzeigen',
 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
-'fw logging' => 'Firewall Logging',
+'fw logging' => 'Firewall-Logging',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway-IP',
 'gen static key' => 'Statischen Schlüssel erzeugen',
@@ -1505,7 +1505,7 @@
 'optional at cmd' => 'zusätzlicher Modembefehl',
 'optional data' => '3. Optionale Einstellungen',
 'options' => 'Optionen',
-'options fw' => 'Firewall Optionen',
+'options fw' => 'Firewall-Optionen',
 'optionsfw portlist hint' => 'Die Liste der Ports muss durch ein Komma getrennt werden (z.B. 137,138). Sie können maximal bis zu 15 Ports pro Protokoll angeben.',
 'optionsfw warning' => 'Verändern dieser Optionen bedingt einen Neustart der Firewall',
 'or' => 'oder',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 6b9f6d4a5..99976d12a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -949,7 +949,7 @@
 'fwdfw man port' => 'Port(s) manual:',
 'fwdfw moveup' => 'Move up',
 'fwdfw movedown' => 'Move down',
-'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly.',
+'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith.',
 'fwdfw pol allow' => 'Allowed',
 'fwdfw pol block' => 'Blocked',
 'fwdfw pol title' => 'Firewall default behavior',
From 8013bd0ac28ac8daee7bae5ebcfe4c9fd8154310 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 27 Feb 2013 14:23:20 +0100
Subject: [PATCH 151/306] Forward Firewall: Changed layout of rulecreation. Now only the dropdowns for configured networks are shown on the site Also changed fwhosts.cgi (custom groups) to the same feature

---
 html/cgi-bin/forwardfw.cgi | 1013 +++++++++++++++++-------------------
 html/cgi-bin/fwhosts.cgi | 161 +++---
 2 files changed, 562 insertions(+), 612 deletions(-)
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index f7d2bb1dd..b93557d83 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -520,129 +520,19 @@ if ($fwdfwsettings{'ACTION'} eq '') &base; } ### Functions #### -sub changerule +sub addrule { - my $oldchain=shift; - $fwdfwsettings{'updatefwrule'}=''; - $fwdfwsettings{'config'}=$oldchain; - $fwdfwsettings{'nobase'}='on'; - &deleterule; - &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); -} -sub pos_up -{ - my %uphash=(); - my %tmp=(); - &General::readhasharray($fwdfwsettings{'config'}, \%uphash); - foreach my $key (sort keys %uphash){ - if ($key eq $fwdfwsettings{'key'}) { - my $last = $key -1; - if (exists $uphash{$last}){ - #save rule last - foreach my $y (0 .. $#{$uphash{$last}}) { - $tmp{0}[$y] = $uphash{$last}[$y]; - } - #copy active rule to last - foreach my $i (0 .. $#{$uphash{$last}}) { - $uphash{$last}[$i] = $uphash{$key}[$i]; - } - #copy saved rule to actual position - foreach my $x (0 .. $#{$tmp{0}}) { - $uphash{$key}[$x] = $tmp{0}[$x]; - } - } - } + &error; + if (-f "${General::swroot}/forward/reread"){ + print "
$Lang::tr{'fwhost reread'}


"; } - &General::writehasharray($fwdfwsettings{'config'}, \%uphash); - &rules; -} -sub pos_down -{ - my %downhash=(); - my %tmp=(); - &General::readhasharray($fwdfwsettings{'config'}, \%downhash); - foreach my $key (sort keys %downhash){ - if ($key eq $fwdfwsettings{'key'}) { - my $next = $key + 1; - if (exists $downhash{$next}){ - #save rule next - foreach my $y (0 .. $#{$downhash{$next}}) { - $tmp{0}[$y] = $downhash{$next}[$y]; - } - #copy active rule to next - foreach my $i (0 .. $#{$downhash{$next}}) { - $downhash{$next}[$i] = $downhash{$key}[$i]; - } - #copy saved rule to actual position - foreach my $x (0 .. $#{$tmp{0}}) { - $downhash{$key}[$x] = $tmp{0}[$x]; - } - } - } - } - &General::writehasharray($fwdfwsettings{'config'}, \%downhash); - &rules; -} -sub checkcounter -{ - my ($base1,$val1,$base2,$val2) = @_; - - if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){ - &dec_counter($confignet,\%customnetwork,$val1); - }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){ - &dec_counter($confighost,\%customhost,$val1); - }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){ - &dec_counter($configgrp,\%customgrp,$val1); - }elsif($base1 eq 'cust_srv'){ - &dec_counter($configsrv,\%customservice,$val1); - }elsif($base1 eq 'cust_srvgrp'){ - &dec_counter($configsrvgrp,\%customservicegrp,$val1); - } - - if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ - &inc_counter($confignet,\%customnetwork,$val2); - }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ - &inc_counter($confighost,\%customhost,$val2); - }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){ - &inc_counter($configgrp,\%customgrp,$val2); - }elsif($base2 eq 'cust_srv'){ - &inc_counter($configsrv,\%customservice,$val2); - }elsif($base2 eq 'cust_srvgrp'){ - &inc_counter($configsrvgrp,\%customservicegrp,$val2); - } -} -sub inc_counter -{ - my $config=shift; - my %hash=%{(shift)}; - my $val=shift; - my $pos; - - &General::readhasharray($config, \%hash); - 
foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - $pos=$#{$hash{$key}}; - $hash{$key}[$pos] = $hash{$key}[$pos]+1; - } - } - &General::writehasharray($config, \%hash); -} -sub dec_counter -{ - my $config=shift; - my %hash=%{(shift)}; - my $val=shift; - my $pos; - #$errormessage.="ALT:config: $config , verringert wird $val
"; - &General::readhasharray($config, \%hash); - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - $pos=$#{$hash{$key}}; - $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } - } - &General::writehasharray($config, \%hash); + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + print "
"; + print ""; + print ""; + print"

"; + &Header::closebox(); + &viewtablerule; } sub base { @@ -685,65 +575,15 @@ END print ""; &Header::closebox(); } -sub addrule +sub changerule { - &error; - if (-f "${General::swroot}/forward/reread"){ - print "
$Lang::tr{'fwhost reread'}


"; - } - &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - print "
"; - print ""; - print ""; - print"

"; - &Header::closebox(); - &viewtablerule; -} -sub deleterule -{ - my %delhash=(); - &General::readhasharray($fwdfwsettings{'config'}, \%delhash); - foreach my $key (sort {$a <=> $b} keys %delhash){ - if ($key == $fwdfwsettings{'key'}){ - #check hosts/net and groups - &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); - &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); - #check services and groups - if ($delhash{$key}[11] eq 'ON'){ - &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); - } - } - if ($key >= $fwdfwsettings{'key'}) { - my $next = $key + 1; - if (exists $delhash{$next}) { - foreach my $i (0 .. $#{$delhash{$next}}) { - $delhash{$key}[$i] = $delhash{$next}[$i]; - } - } - } - } - # Remove the very last entry. - my $last_key = (sort {$a <=> $b} keys %delhash)[-1]; - delete $delhash{$last_key}; - - &General::writehasharray($fwdfwsettings{'config'}, \%delhash); - &rules; - - if($fwdfwsettings{'nobase'} ne 'on'){ - &base; - } -} -sub disable_rule -{ - my $key1=shift; - &General::readhasharray("$configfwdfw", \%configfwdfw); - foreach my $key (sort keys %configfwdfw){ - if ($key eq $key1 ){ - if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';} - } - } - &General::writehasharray("$configfwdfw", \%configfwdfw); - &rules; + my $oldchain=shift; + $fwdfwsettings{'updatefwrule'}=''; + $fwdfwsettings{'config'}=$oldchain; + $fwdfwsettings{'nobase'}='on'; + &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } sub checksource { 
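Review bot: The -520 and -685 hunks, together with the one at -1045, swap the positions of `addrule`, `changerule`, `pos_up`, `pos_down`, `checkcounter`, `inc_counter`, `dec_counter`, `deleterule` and `disable_rule` with no visible change to their bodies, which is why a layout change shows up as 562 insertions and 612 deletions; a pure move in its own commit would let the actual change be reviewed line by line. None of the moved subs carries a header comment; for `changerule` a line such as `# Re-file the rule being edited: drop it from its old chain file ($oldchain) without re-rendering, then bump the usage counters of the newly selected source and service objects` would explain why `updatefwrule` is cleared and `nobase` is set before `&deleterule`, which I infer from `deleterule` skipping `&base` when `nobase` is on.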
@@ -1045,6 +885,228 @@ sub checkrule } } } +sub checkcounter +{ + my ($base1,$val1,$base2,$val2) = @_; + + if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){ + &dec_counter($confignet,\%customnetwork,$val1); + }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){ + &dec_counter($confighost,\%customhost,$val1); + }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){ + &dec_counter($configgrp,\%customgrp,$val1); + }elsif($base1 eq 'cust_srv'){ + &dec_counter($configsrv,\%customservice,$val1); + }elsif($base1 eq 'cust_srvgrp'){ + &dec_counter($configsrvgrp,\%customservicegrp,$val1); + } + + if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ + &inc_counter($confignet,\%customnetwork,$val2); + }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ + &inc_counter($confighost,\%customhost,$val2); + }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){ + &inc_counter($configgrp,\%customgrp,$val2); + }elsif($base2 eq 'cust_srv'){ + &inc_counter($configsrv,\%customservice,$val2); + }elsif($base2 eq 'cust_srvgrp'){ + &inc_counter($configsrvgrp,\%customservicegrp,$val2); + } +} +sub deleterule +{ + my %delhash=(); + &General::readhasharray($fwdfwsettings{'config'}, \%delhash); + foreach my $key (sort {$a <=> $b} keys %delhash){ + if ($key == $fwdfwsettings{'key'}){ + #check hosts/net and groups + &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); + &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); + #check services and groups + if ($delhash{$key}[11] eq 'ON'){ + &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); + } + } + if ($key >= $fwdfwsettings{'key'}) { + my $next = $key + 1; + if (exists $delhash{$next}) { + foreach my $i (0 .. $#{$delhash{$next}}) { + $delhash{$key}[$i] = $delhash{$next}[$i]; + } + } + } + } + # Remove the very last entry. 
+ my $last_key = (sort {$a <=> $b} keys %delhash)[-1]; + delete $delhash{$last_key}; + + &General::writehasharray($fwdfwsettings{'config'}, \%delhash); + &rules; + + if($fwdfwsettings{'nobase'} ne 'on'){ + &base; + } +} +sub disable_rule +{ + my $key1=shift; + &General::readhasharray("$configfwdfw", \%configfwdfw); + foreach my $key (sort keys %configfwdfw){ + if ($key eq $key1 ){ + if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';} + } + } + &General::writehasharray("$configfwdfw", \%configfwdfw); + &rules; +} +sub dec_counter +{ + my $config=shift; + my %hash=%{(shift)}; + my $val=shift; + my $pos; + #$errormessage.="ALT:config: $config , verringert wird $val
"; + &General::readhasharray($config, \%hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]-1; + } + } + &General::writehasharray($config, \%hash); +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); + print"
"; + } +} +sub fillselect +{ + my %hash=%{(shift)}; + my $val=shift; + my $key; + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + print""; + }else{ + print""; + } + } +} +sub gen_dd_block +{ + my $srctgt = shift; + my $grp=shift; + my $helper=''; + my $show=''; + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; +print< + + + "; + #custom networks + if (! -z $confignet){ + print""; + } + #custom hosts + if (! -z $confighost){ + print""; + } + #custom groups + if (! -z $configgrp){ + print""; + } + #End left table. start right table (vpn) + print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
"; + # CCD networks + if( ! -z $configccdnet){ + print""; + } + #OVPN CCD Hosts + foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ + if ($ccdhost{$key}[33] ne ''){ + print"";} + #OVPN N2N + foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + print"";} + #IPsec netze + foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) { + if ($ipsecconf{$key}[3] eq 'net'){ + print"";} + + print"
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ipsec net'}
"; + print"
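Review bot: `deleterule` removes the last rule of the chain even when `$fwdfwsettings{'key'}` matches no entry: the shift-down loop then does nothing, but `delete $delhash{$last_key}` still runs unconditionally after it. Guard it before the loop, e.g. `return unless exists $delhash{$fwdfwsettings{'key'}};`, and decide whether `&rules`/`&base` should still run in that case. The file handed to `readhasharray`/`writehasharray` is `$fwdfwsettings{'config'}`; if that hash is populated from request parameters, as is usual for these CGIs, the value should be checked against the fixed set of chain files before any file is opened or rewritten. `&rules`, called here and in `disable_rule`, is deleted further down in this commit (the `-2185` hunk) and I cannot see it re-added in the visible hunks — confirm it still exists after the move.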
"; +} sub get_ip { my $val=shift; @@ -1096,6 +1158,170 @@ sub get_ip } return $a,$b; } +sub get_name +{ + my $val=shift; + &General::setup_default_networks(\%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} +sub getsrcport +{ + my %hash=%{(shift)}; + my $key=shift; + if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){ + $hash{$key}[10]=~ s/\|/,/g; + print": $hash{$key}[10]"; + }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ + print":
$hash{$key}[9] "; + } +} +sub gettgtport +{ + my %hash=%{(shift)}; + my $key=shift; + my $service; + my $prot; + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ + if($hash{$key}[14] eq 'cust_srv'){ + &General::readhasharray("$configsrv", \%customservice); + foreach my $i (sort keys %customservice){ + if($customservice{$i}[0] eq $hash{$key}[15]){ + $service = $customservice{$i}[0]; + } + } + }elsif($hash{$key}[14] eq 'cust_srvgrp'){ + $service=$hash{$key}[15]; + }elsif($hash{$key}[14] eq 'TGT_PORT'){ + $hash{$key}[15]=~ s/\|/,/g; + $service=$hash{$key}[15]; + } + if($service){ + print": $service"; + } + }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ + print":
$hash{$key}[13]"; + } +} +sub get_serviceports +{ + my $type=shift; + my $name=shift; + &General::readhasharray("$configsrv", \%customservice); + &General::readhasharray("$configsrvgrp", \%customservicegrp); + my $protocols; + my $tcp; + my $udp; + if($type eq 'service'){ + foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key}[0] eq $name){ + $protocols=$customservice{$key}[2]; + } + } + }elsif($type eq 'group'){ + foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $name){ + foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';} + } + } + } + } + } + if($tcp && $udp){$protocols="TCP,UDP"; + }elsif($tcp){$protocols.="TCP"; + }elsif($udp){$protocols.="UDP";} + return $protocols; +} +sub getcolor +{ + my $nettype=shift; + my $val=shift; + my $hash=shift; + if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #VPN networks + if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ + $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + return; + } + if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ + $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + return; + } + #custom Hosts + if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + foreach my $key (sort keys %$hash){ + if ($$hash{$key}[0] eq $val){ + $val=$$hash{$key}[2]; + } + } + } + #ALIASE + foreach my $alias (sort keys %aliases) + { + if ($val eq $alias){ + $tdcolor="style='border: 2px solid red;'"; + return; + } + } + #standard networks + if ($val eq 'GREEN'){ + $tdcolor="style='border: 1px solid 
$Header::colourgreen;'"; + }elsif ($val eq 'ORANGE'){ + $tdcolor="style='border: 1px solid $Header::colourorange;'"; + }elsif ($val eq 'BLUE'){ + $tdcolor="style='border: 1px solid $Header::colourblue;'"; + }elsif ($val eq 'RED'){ + $tdcolor="style='border: 1px solid $Header::colourred;'"; + }elsif ($val eq 'IPFire' ){ + $tdcolor="style='border: 1px solid $Header::colourred;'"; + }elsif($val =~ /^(.*?)\/(.*?)$/){ + my ($sip,$scidr) = split ("/",$val); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourorange;'"; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourgreen;'"; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourblue;'"; + } + }elsif ($val eq 'Default IP'){ + $tdcolor="style='border: 1px solid red;'"; + }else{ + $tdcolor=''; + } + } +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "$hint\n"; + print " \n"; + &Header::closebox(); + print"
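Review bot: In `get_serviceports`, the group branch classifies every member whose protocol is not `TCP` as UDP (`if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}`), so a group containing an ICMP service — a protocol the service editor supports, see the `ICMP` handling in `gettgtport` — is reported as `UDP`. Change the else to `}elsif($customservice{$key1}[2] eq 'UDP'){$udp='UDP';}` and decide what the return value should be for a group that contains neither. `getsrcport`/`gettgtport` copy only the top level of the passed hash (`my %hash=%{(shift)}`), so `$hash{$key}[10]=~ s/\|/,/g` still rewrites the caller's array element; if that hash is later written back with `writehasharray`, the stored separator changes — substitute into a local scalar instead: `my $ports = $hash{$key}[10]; $ports =~ s/\|/,/g; print": $ports";`.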
"; + } +} +sub inc_counter +{ + my $config=shift; + my %hash=%{(shift)}; + my $val=shift; + my $pos; + + &General::readhasharray($config, \%hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]+1; + } + } + &General::writehasharray($config, \%hash); +} sub newrule { &error; @@ -1257,90 +1483,10 @@ END -
$Lang::tr{'fwdfw sourceip'}

$Lang::tr{'fwhost stdnet'}
END - foreach my $network (sort keys %defaultNetworks) - { - next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP"); - next if($defaultNetworks{$network}{'NAME'} eq "RED"); - print ""; - } - print<$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost cust grp'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec host'}$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost cust net'}$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost cust grp'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec host'}$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}

END - #---ACTION------------------------------------------------------ if($fwdfwsettings{'updatefwrule'} ne 'on'){ print<$errormessage\n"; - print " \n"; - &Header::closebox(); - print"
"; - } -} -sub hint -{ - if ($hint) { - &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); - print "$hint\n"; - print " \n"; - &Header::closebox(); - print"
"; - } -} -sub get_name -{ - my $val=shift; - &General::setup_default_networks(\%defaultNetworks); - foreach my $network (sort keys %defaultNetworks) - { - return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); - } -} sub validremark { # Checks a hostname against RFC1035 @@ -1877,75 +1981,6 @@ sub validremark return 0;} return 1; } -sub getsrcport -{ - my %hash=%{(shift)}; - my $key=shift; - if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){ - $hash{$key}[10]=~ s/\|/,/g; - print": $hash{$key}[10]"; - }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ - print":
$hash{$key}[9] "; - } -} -sub gettgtport -{ - my %hash=%{(shift)}; - my $key=shift; - my $service; - my $prot; - if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ - if($hash{$key}[14] eq 'cust_srv'){ - &General::readhasharray("$configsrv", \%customservice); - foreach my $i (sort keys %customservice){ - if($customservice{$i}[0] eq $hash{$key}[15]){ - $service = $customservice{$i}[0]; - } - } - }elsif($hash{$key}[14] eq 'cust_srvgrp'){ - $service=$hash{$key}[15]; - }elsif($hash{$key}[14] eq 'TGT_PORT'){ - $hash{$key}[15]=~ s/\|/,/g; - $service=$hash{$key}[15]; - } - if($service){ - print": $service"; - } - }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ - print":
$hash{$key}[13]"; - } -} -sub get_serviceports -{ - my $type=shift; - my $name=shift; - &General::readhasharray("$configsrv", \%customservice); - &General::readhasharray("$configsrvgrp", \%customservicegrp); - my $protocols; - my $tcp; - my $udp; - if($type eq 'service'){ - foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ - if ($customservice{$key}[0] eq $name){ - $protocols=$customservice{$key}[2]; - } - } - }elsif($type eq 'group'){ - foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){ - if ($customservicegrp{$key}[0] eq $name){ - foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ - if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ - if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';} - } - } - } - } - } - if($tcp && $udp){$protocols="TCP,UDP"; - }elsif($tcp){$protocols.="TCP"; - }elsif($udp){$protocols.="UDP";} - return $protocols; -} sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); 
@@ -2185,93 +2220,7 @@ END } } } -sub getcolor -{ - my $nettype=shift; - my $val=shift; - my $hash=shift; - if($optionsfw{'SHOWCOLORS'} eq 'on'){ - #VPN networks - if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ - $tdcolor="style='border: 1px solid $Header::colourovpn;'"; - return; - } - if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ - $tdcolor="style='border: 1px solid $Header::colourvpn;'"; - return; - } - #custom Hosts - if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ - foreach my $key (sort keys %$hash){ - if ($$hash{$key}[0] eq $val){ - $val=$$hash{$key}[2]; - } - } - } - #ALIASE - foreach my $alias (sort keys %aliases) - { - if ($val eq $alias){ - $tdcolor="style='border: 2px solid red;'"; - return; - } - } - #standard networks - if ($val eq 'GREEN'){ - $tdcolor="style='border: 1px solid $Header::colourgreen;'"; - }elsif ($val eq 'ORANGE'){ - $tdcolor="style='border: 1px solid $Header::colourorange;'"; - }elsif ($val eq 'BLUE'){ - $tdcolor="style='border: 1px solid $Header::colourblue;'"; - }elsif ($val eq 'RED'){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; - }elsif ($val eq 'IPFire' ){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; - }elsif($val =~ /^(.*?)\/(.*?)$/){ - my ($sip,$scidr) = split ("/",$val); - if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourorange;'"; - } - if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourgreen;'"; - } - if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourblue;'"; - } - }elsif ($val eq 'Default IP'){ - $tdcolor="style='border: 1px solid red;'"; - 
}else{ - $tdcolor=''; - } - } -} -sub fillselect -{ - my %hash=%{(shift)}; - my $val=shift; - my $key; - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - print""; - }else{ - print""; - } - } -} -sub rules -{ - if (!-f "${General::swroot}/forward/reread"){ - system("touch ${General::swroot}/forward/reread"); - system("touch ${General::swroot}/fwhosts/reread"); - } -} -sub reread_rules -{ - system("/usr/local/bin/forwardfwctrl"); - if ( -f "${General::swroot}/forward/reread"){ - system("rm ${General::swroot}/forward/reread"); - system("rm ${General::swroot}/fwhosts/reread"); - } -} + + &Header::closebigbox(); &Header::closepage(); diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index e608b0f3f..073565abf 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1086,8 +1086,10 @@ sub addnet $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; print<
- $Lang::tr{'name'}:$Lang::tr{'fwhost netaddress'}:$Lang::tr{'netmask'}: - $Lang::tr{'remark'}: + $Lang::tr{'name'}: + $Lang::tr{'fwhost netaddress'}: + $Lang::tr{'netmask'}: + $Lang::tr{'remark'}:

END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') @@ -1108,17 +1110,9 @@ sub addhost $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; print< - $Lang::tr{'name'}: - -END - # - print<IP/MAC: - $Lang::tr{'remark'}: + $Lang::tr{'name'}: + IP/MAC: + $Lang::tr{'remark'}:

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'}
END @@ -1126,9 +1120,9 @@ END if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') { - print " "; + print " "; }else{ - print " "; + print " "; } print "
"; &Header::closebox(); @@ -1140,7 +1134,14 @@ sub addgrp &showmenu; &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'}); &General::setup_default_networks(\%defaultNetworks); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$confignet", \%customnetwork); + &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configipsec", \%ipsecconf); + my %checked=(); + my $show=''; $checked{'check1'}{'off'} = ''; $checked{'check1'}{'on'} = ''; $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED'; @@ -1150,19 +1151,25 @@ sub addgrp if ($fwhostsettings{'update'} eq ''){ print<
- $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -

+ $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +

END }else{ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: + $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}:
END } if ($fwhostsettings{'update'} eq 'on'){ print<
$Lang::tr{'fwhost stdnet'} + + -# + if ($show eq '1'){$show='';print"";} + print"
+ + "; + if (! -z $confignet){ + print""; } - print< - "; } - print<
$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost ccdhost'}
"; + #Inner table right + print"
"; + #OVPN networks + if (! -z $configccdnet){ + print""; + } + #OVPN clients foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) { if ($ccdhost{$key}[33] ne ''){ + print" - ";} + #OVPN n2n networks foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) { if($ccdhost{$key}[3] eq 'net'){ + print" - ";} + #IPsec networks foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net'){ + print"
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost cust addr'}$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
-END -#
$Lang::tr{'fwhost ipsec host'}
"; + print"
"; print"

$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}

"; } - print""; - print"
"; + print""; + print"
"; &Header::closebox(); } sub addservice @@ -1258,7 +1255,8 @@ sub addservice } print<
- $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}: + $Lang::tr{'fwhost prot'}: - $Lang::tr{'fwhost icmptype'} + $Lang::tr{'fwhost icmptype'} + $Lang::tr{'fwhost port'}:

END @@ -1316,15 +1315,17 @@ sub addservicegrp if ($fwhostsettings{'updatesrvgrp'} eq ''){ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -

+ $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +

END }else{ print< - $Lang::tr{'fwhost addgrpname'}$Lang::tr{'remark'}: -

+ $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'remark'}: +

END } @@ -1977,7 +1978,7 @@ sub decrease if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){ foreach my $key1 (sort keys %customnetwork){ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ - $customnetwork{$key1}[3]=$customnetwork{$key1}[3]-1; + $customnetwork{$key1}[4]=$customnetwork{$key1}[4]-1; last; } } @@ -1986,7 +1987,7 @@ sub decrease if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){ foreach my $key2 (sort keys %customhost){ if ($customhost{$key2}[0] eq $customgrp{$key}[2]){ - $customhost{$key2}[3]=$customhost{$key2}[3]-1; + $customhost{$key2}[4]=$customhost{$key2}[4]-1; last; } } From d998784149c62299aa7c417b7a7919c3d9abdcf7 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 28 Feb 2013 06:05:32 +0100 Subject: [PATCH 152/306] Forward Firewall: added an option to firewall-options to show all dropdowns on rulecreation site. --- html/cgi-bin/forwardfw.cgi | 39 +++++++++++++++++++++++--------------- html/cgi-bin/optionsfw.cgi | 31 +++++++++++++++++------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + lfs/configroot | 1 + 5 files changed, 45 insertions(+), 28 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index b93557d83..f48c2401b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1026,7 +1026,7 @@ print< - "; #custom networks - if (! -z $confignet){ - print""; } #custom hosts - if (! -z $confighost){ - print""; } #custom groups - if (! -z $configgrp){ - print"
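Review bot: The `-1977` and `-1986` hunks move the reference counter of a network/host record from index 3 to index 4, while `dec_counter`/`inc_counter` in forwardfw.cgi (the first commit of this series) address the same counter in `%customnetwork`/`%customhost` as the record's last element, `$#{$hash{$key}}`. Two conventions for one field will drift apart the next time a column is added; pick one and name it, with a shared constant or at least a comment `# [4] = number of rules/groups referencing this entry` at both sites. `decrease`'s body starts and ends outside these hunks.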
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost cust grp'}
"; # CCD networks - if( ! -z $configccdnet){ - print""; } #OVPN CCD Hosts foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ - if ($ccdhost{$key}[33] ne ''){ - print"" ; + } if ($show eq '1'){$show='';print"";} #OVPN N2N foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ - print"" ; + } if ($show eq '1'){$show='';print"";} #IPsec netze foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) { - if ($ipsecconf{$key}[3] eq 'net'){ - print""; + } if ($show eq '1'){$show='';print"";} print"
$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}:
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
"; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 90c3a32a0..898ee286f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -38,6 +38,7 @@ $settings{'DROPWIRELESSFORWARD'} = 'on'; $settings{'SHOWCOLORS'} = 'off'; $settings{'SHOWREMARK'} = 'on'; $settings{'SHOWTABLES'} = 'on'; +$settings{'SHOWDROPDOWN'} = 'off'; my $errormessage = ''; my $warnmessage = ''; @@ -103,12 +104,11 @@ $checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'"; $checked{'SHOWTABLES'}{'off'} = ''; $checked{'SHOWTABLES'}{'on'} = ''; $checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'"; -$checked{'FWPOLICY'}{'DROP'} = ''; -$checked{'FWPOLICY'}{'REJECT'} = ''; -$checked{'FWPOLICY'}{$settings{'FWPOLICY'}} = "checked='checked'"; -$checked{'FWPOLICY1'}{'DROP'} = ''; -$checked{'FWPOLICY1'}{'REJECT'} = ''; -$checked{'FWPOLICY1'}{$settings{'FWPOLICY1'}} = "checked='checked'"; +$checked{'SHOWDROPDOWN'}{'off'} = ''; +$checked{'SHOWDROPDOWN'}{'on'} = ''; +$checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'"; +$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; +$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); @@ -148,18 +148,23 @@ print <$Lang::tr{'fw settings color'}on / off $Lang::tr{'fw settings remark'}on / - off + off $Lang::tr{'fw settings ruletable'}on / off - +$Lang::tr{'fw settings dropdown'}on / + off +
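Review bot: The `-103` hunk drops the `$checked{'FWPOLICY'}{'DROP'} = ''` / `{'REJECT'} = ''` initialisations and replaces them with `$selected{'FWPOLICY'}{$settings{'FWPOLICY'}} = 'selected'`, which only sets the key for the active value; when the template presumably interpolates `$selected{'FWPOLICY'}{'DROP'}` for the inactive option, the value is undef and under `use warnings` that logs an 'uninitialized value' warning per request. Pre-initialise both entries as the removed code did: `$selected{'FWPOLICY'}{'DROP'} = ''; $selected{'FWPOLICY'}{'REJECT'} = '';` (and the same for `FWPOLICY1`), and check that `%selected` is declared at file scope, which this hunk does not show.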
- - - + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'}DROP / - REJECT
$Lang::tr{'drop action1'}DROP / - REJECT
$Lang::tr{'drop action'} +
$Lang::tr{'drop action1'} +

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d97739e8a..c28c2b2ed 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1051,6 +1051,7 @@ 'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', 'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', 'fw logging' => 'Firewall-Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 99976d12a..e15167ba8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1076,6 +1076,7 @@ 'fw settings color' => 'Show colors in ruletable', 'fw settings remark' => 'Show remarks in ruletable', 'fw settings ruletable' => 'Show empty ruletables', +'fw settings dropdown' => 'Show all networks on rulecreation site', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', diff --git a/lfs/configroot b/lfs/configroot index 1a4edb026..77cb67659 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -123,6 +123,7 @@ $(TARGET) : echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWDROPDOWN=off >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings From a615cab30e57f39cc891d75a195e1df4bf4e21f3 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 28 Feb 2013 07:30:24 +0100 Subject: [PATCH 153/306] Forward Firewall: reordered Firewall Menu and changed header.pl to reflect the new menuposition for Blue Access --- config/cfgroot/header.pl | 5 +---- config/menu/50-firewall.menu | 14 +++++++------- 2 files changed, 8 insertions(+), 11 deletions(-) 
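Review bot: The added recipe line `echo "SHOWDROPDOWN=off >> $(CONFIG_ROOT)/optionsfw/settings` is missing the closing quote, so the shell sees an unterminated string and the `$(TARGET)` rule fails instead of writing the setting. It should read `echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings`, matching the surrounding lines.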
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index a7f209d9c..e0f18df15 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -148,11 +148,8 @@ sub genmenu { eval `/bin/cat /var/ipfire/menu.d/*.menu`; eval `/bin/cat /var/ipfire/menu.d/*.main`; - if (! blue_used() && ! orange_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'40.dmz'}{'enabled'} = 0; - } if (! blue_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'30.wireless'}{'enabled'} = 0; + $menu->{'05.firewall'}{'subMenu'}->{'60.wireless'}{'enabled'} = 0; } if ( $ethsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $ethsettings{'RED_TYPE'} eq 'STATIC' ) { $menu->{'03.network'}{'subMenu'}->{'70.aliases'}{'enabled'} = 1; diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index f8f809833..cc50bf655 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu @@ -10,18 +10,12 @@ 'title' => "$Lang::tr{'fwhost menu'}", 'enabled' => 1, }; - $subfirewall->{'29.optionsfw'} = { + $subfirewall->{'30.optionsfw'} = { 'caption' => $Lang::tr{'options fw'}, 'uri' => '/cgi-bin/optionsfw.cgi', 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; - $subfirewall->{'30.wireless'} = { - 'caption' => $Lang::tr{'blue access'}, - 'uri' => '/cgi-bin/wireless.cgi', - 'title' => "$Lang::tr{'blue access'}", - 'enabled' => 1, - }; $subfirewall->{'40.p2p'} = { 'caption' => 'P2P-Block', 'uri' => '/cgi-bin/p2p-block.cgi', @@ -34,6 +28,12 @@ 'title' => "$Lang::tr{'ssport forwarding'}", 'enabled' => 1, }; + $subfirewall->{'60.wireless'} = { + 'caption' => $Lang::tr{'blue access'}, + 'uri' => '/cgi-bin/wireless.cgi', + 'title' => "$Lang::tr{'blue access'}", + 'enabled' => 1, + }; $subfirewall->{'70.upnp'} = { 'caption' => 'UPnP', 'uri' => '/cgi-bin/upnp.cgi', From 223d3b1dca93f96ed104990bd256a664150360e5 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Thu, 28 Feb 2013 08:13:13 +0100 Subject: [PATCH 154/306] Forward Firewall: chnaged "Internet" to "INTERNET" in dropdown (Target) --- config/cfgroot/general-functions.pl | 4 ++-- html/cgi-bin/forwardfw.cgi | 4 ++-- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 5cac38d7e..07bbab67a 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -54,8 +54,8 @@ sub setup_default_networks $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN"; if ($netsettings{'RED_DEV'} ne ''){ - $defaultNetworks->{$Lang::tr{'red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}"; - $defaultNetworks->{$Lang::tr{'red'}}{'NAME'} = "RED"; + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'NAME'} = "RED"; } if ($netsettings{'ORANGE_DEV'} ne ''){ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index f48c2401b..5703af7f8 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1030,8 +1030,8 @@ print<$network"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c28c2b2ed..8c026a0a2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
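Review bot: `%defaultNetworks` is keyed by the translated caption, so re-keying the RED entry from `$Lang::tr{'red'}` to `$Lang::tr{'fwdfw red'}` silently changes the hash key every consumer of `setup_default_networks` sees; callers that look the entry up by `NAME` (as `get_name` in forwardfw.cgi does) are unaffected, but any that index `$defaultNetworks{$Lang::tr{'red'}}` directly will now get undef. Worth a grep of the other CGIs before merging, plus a comment at the assignment: `# keyed by display label; 'fwdfw red' renders as INTERNET in the rule editor`. `setup_default_networks` continues outside the hunk.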
@@ -930,6 +930,7 @@ 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', 'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', +'fwdfw red' => 'INTERNET', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e15167ba8..aa07fd07e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -955,6 +955,7 @@ 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', 'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.', +'fwdfw red' => 'INTERNET', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', From 97e2e7b4b72dc635f3b8cb79d16198ad4a966f50 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Thu, 28 Feb 2013 08:27:16 +0100 Subject: [PATCH 155/306] Forward Firewall: LAyout change: All dropdowns now have same size --- html/cgi-bin/forwardfw.cgi | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 5703af7f8..42a3f1ccd 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1026,7 +1026,7 @@ print< - "; #custom networks if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #custom hosts if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #custom groups if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost cust grp'}
"; # CCD networks if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #OVPN CCD Hosts foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ if ($ccdhost{$key}[33] ne '' ){ - print"" ; + print"" ; } if ($show eq '1'){$show='';print"";} #OVPN N2N foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ - print"" ; + print"" ; } if ($show eq '1'){$show='';print"";} #IPsec netze foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; + print""; } if ($show eq '1'){$show='';print"";} @@ -1534,7 +1534,7 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< - +
$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}:
$Lang::tr{'fwhost ovpn_n2n'}:$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})
$Lang::tr{'drop action2'} +

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 8c026a0a2..4c430770e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -186,7 +186,6 @@ 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', 'advproxy cache management' => 'Cacheverwaltung', 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie', -'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren', 'advproxy chgwebpwd ERROR' => 'F E H L E R :', 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :', 'advproxy chgwebpwd change password' => 'Passwort ändern', @@ -748,6 +747,7 @@ 'driver' => 'Treiber', 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', +'drop action2' => 'Standardverhalten der (INPUT) Firewall', 'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', @@ -2459,7 +2459,7 @@ 'wlanap encryption' => 'Verschlüsselung', 'wlanap informations' => 'Informationen', 'wlanap interface' => 'Interface übernehmen', -'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 ASCII-Zeichen lang sein.', +'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 Zeichen lang sein.', 'wlanap link dhcp' => 'Wireless Lan DHCP-Einstellungen', 'wlanap link wireless' => 'Wireless Lan Clients freischalten', 'wlanap no interface' => 'Ausgewähltes Interface ist keine WLAN-Karte!', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index aa07fd07e..48fa3ae83 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -187,7 +187,6 @@ 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', 'advproxy cache management' => 'Cache management', 'advproxy cache replacement policy' => 'Cache replacement policy', -'advproxy cache-digest' => 'Enable Cache-Digest Generation', 'advproxy chgwebpwd ERROR' => 'E R R O R :', 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :', 'advproxy chgwebpwd change password' => 'Change password', @@ -773,6 +772,7 @@ 'driver' => 'Driver', 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', +'drop action2' => 'Default behaviour of (input) firewall', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', @@ -2496,7 +2496,7 @@ 'wlanap encryption' => 'Encryption', 'wlanap informations' => 'Informations', 'wlanap interface' => 'Select interface', -'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 ascii characters.', +'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.', 'wlanap link dhcp' => 'Wireless lan DHCP configuration', 'wlanap link wireless' => 'Activate wireless lan clients', 'wlanap no interface' => 'Selected interface is not a wirless lan card!', From a9b3ae26a3e158c3c94cdb169ae55b6af4eb40d4 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 3 Mar 2013 05:59:42 +0100 Subject: [PATCH 161/306] Forward Firewall: /etc/init.d/firewall now creates POLICYIN --- src/initscripts/init.d/firewall | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 763258878..c51ba3585 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -288,6 +288,8 @@ case "$1" in #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" #POLICY CHAIN + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN /sbin/iptables -N POLICYFWD /sbin/iptables -A FORWARD -j POLICYFWD /sbin/iptables -N POLICYOUT From 36e9534f244f05b93119f4b6ddae47717acdc062 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 3 Mar 2013 06:12:01 +0100 Subject: [PATCH 162/306] Forward Firewall: Added configoption in Buildsystem -< POLICY2='DROP' (for POLICYIN) --- lfs/configroot | 1 + 1 file changed, 1 insertion(+) diff --git a/lfs/configroot b/lfs/configroot index e24a9eee9..7e47881d3 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -118,6 +118,7 @@ $(TARGET) : echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings From dc33c23b1fa602ab80e7b0b4422ca2019caa24fc Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 3 Mar 2013 20:12:34 +0100 Subject: [PATCH 163/306] Forward Firewall: Updated strongswan patch provided my Michael. (Changes _updown script from FORWARD ACCEPT to RETURN) --- lfs/strongswan | 2 +- ...re.patch => strongswan-5.0.2_ipfire.patch} | 50 +++++++++++-------- 2 files changed, 29 insertions(+), 23 deletions(-) rename src/patches/{strongswan-4.5.3_ipfire.patch => strongswan-5.0.2_ipfire.patch} (91%) diff --git a/lfs/strongswan b/lfs/strongswan index dd53e69fc..9ac2e68c7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan 
@@ -76,7 +76,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ diff --git a/src/patches/strongswan-4.5.3_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch similarity index 91% rename from src/patches/strongswan-4.5.3_ipfire.patch rename to src/patches/strongswan-5.0.2_ipfire.patch index 2ba975b1d..6606095b1 100644 --- a/src/patches/strongswan-4.5.3_ipfire.patch +++ b/src/patches/strongswan-5.0.2_ipfire.patch @@ -1,7 +1,8 @@ -diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in ---- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 -+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 -@@ -183,6 +183,29 @@ +diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in +index 3a40e21..d9f3ea0 100644 +--- a/src/_updown/_updown.in ++++ b/src/_updown/_updown.in +@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac @@ -31,7 +32,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { -@@ -387,12 +410,12 @@ +@@ -397,12 +420,12 @@ up-host:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
@@ -47,7 +48,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # # log IPsec host connection setup if [ $VPN_LOGGING ] -@@ -400,10 +423,10 @@ +@@ -410,10 +433,10 @@ up-host:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -60,7 +61,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi fi ;; -@@ -411,12 +434,12 @@ +@@ -421,12 +444,12 @@ down-host:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -76,7 +77,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd # # log IPsec host connection teardown if [ $VPN_LOGGING ] -@@ -424,10 +447,10 @@ +@@ -434,10 +457,10 @@ down-host:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -89,7 +90,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi fi ;; -@@ -437,10 +460,10 @@ +@@ -447,24 +470,24 @@ up-client:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -101,9 +102,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT ++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN fi -@@ -449,12 +472,12 @@ + # + # a virtual IP requires an INPUT and OUTPUT rule on the host # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then 
@@ -119,7 +122,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi # # log IPsec client connection setup -@@ -463,12 +486,51 @@ +@@ -473,12 +496,51 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -173,7 +176,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd ;; down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down -@@ -476,11 +538,11 @@ +@@ -486,28 +548,28 @@ down-client:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -187,8 +190,11 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -490,14 +552,14 @@ +- $IPSEC_POLICY_IN -j ACCEPT ++ $IPSEC_POLICY_IN -j RETURN + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -206,7 +212,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd fi # # log IPsec client connection teardown -@@ -506,12 +568,51 @@ +@@ -516,12 +578,51 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -260,7 +266,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd ;; # # IPv6 -@@ -546,10 +647,10 @@ +@@ -556,10 +657,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
@@ -273,7 +279,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -570,10 +671,10 @@ +@@ -580,10 +681,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -286,7 +292,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -596,10 +697,10 @@ +@@ -606,10 +707,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -299,7 +305,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -608,10 +709,10 @@ +@@ -618,10 +719,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -312,7 +318,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -635,11 +736,11 @@ +@@ -645,11 +746,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then 
@@ -326,7 +332,7 @@ diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -649,11 +750,11 @@ +@@ -659,11 +760,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then From a7d7f5a3da6ed8905c01c7987acaeadbdca9aa5c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 3 Mar 2013 20:29:29 +0100 Subject: [PATCH 164/306] Forward Firewall: Added versionnumber on bottom right of firewall. --- html/cgi-bin/forwardfw.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 42a3f1ccd..55f61eb2d 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -74,6 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); +my $VERSION='0.9.7.9'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -574,7 +575,9 @@ END print "$Lang::tr{'outgoing firewall reset'}: "; print ""; &Header::closebox(); + print "

Version: $VERSION
"; } + sub changerule { my $oldchain=shift; From 8cb1afc817acdf6228a13ed097b514c4ed4cfb6c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 4 Mar 2013 20:56:20 +0100 Subject: [PATCH 165/306] Forward Firewall: Bugfix: When having more than 1 ICMP rule in a group, the rule is not created. Also changed (INPUT) to (Input) in firewall-options --- config/forwardfw/rules.pl | 33 ++++++++++++++++++++++++++------- langs/de/cgi-bin/de.pl | 2 +- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 0ff153d61..d4006846d 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -120,7 +120,6 @@ if($param eq 'flush'){ system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); } } - &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); system ("/usr/sbin/firewall-policy"); 
@@ -230,10 +229,20 @@ sub buildrules
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ if(substr($DPORT, 2, 4) eq 'icmp'){
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ if ($$hash{$key}[17] eq 'ON'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ }
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ }
+ }else{
+ if ($$hash{$key}[17] eq 'ON'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
 }
@@ -250,10 +259,20 @@ sub buildrules
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ if(substr($DPORT, 2, 4) eq 'icmp'){
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ if ($$hash{$key}[17] eq 'ON'){
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ }
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ }
+ }else{
+ if ($$hash{$key}[17] eq 'ON'){
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ }
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
 }
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
 }
 }
 }
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4c430770e..1c66d49ac 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -747,7 +747,7 @@
 'driver' => 'Treiber',
 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
-'drop action2' => 'Standardverhalten der (INPUT) Firewall',
+'drop action2' => 'Standardverhalten der (Input) Firewall',
 'drop input' => 'Verworfene Input Pakete loggen',
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
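Review bot: The ICMP LOG rule in the `system` branch is built with `-- icmp-type $_` (a space after `--`), so iptables will reject that command whenever logging is enabled for an ICMP rule; it should read `--icmp-type $_` exactly like the non-logging line below it and like the `print` variant in the previous hunk. The protocol detection depends on fixed offsets into a string assembled outside this hunk (`substr($DPORT, 2, 4) eq 'icmp'` and `substr($DPORT, 12,)`), which only works as long as $DPORT is literally `--icmp-type <list>`; matching it with a pattern such as `$DPORT =~ /\A--icmp-type\s+(\S+)/` would make the assumption explicit and fail loudly if the format changes. Because every interpolated field comes from the rule configuration, the list form `system('iptables', '-A', $$hash{$key}[1], ...)` would keep those values out of the shell entirely, which is the usual hardening for this pattern. buildrules starts and ends outside this hunk.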
From b3f4a4efcf1c8dae2804a879b7f59559935f4b26 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 5 Mar 2013 06:00:07 +0100 Subject: [PATCH 166/306] Forward Firewall: Fixed ruletable (view of protocols) --- html/cgi-bin/forwardfw.cgi | 50 +++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 55f61eb2d..a12f1a82e 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -74,7 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); -my $VERSION='0.9.7.9'; +my $VERSION='0.9.8.0'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -96,7 +96,7 @@ my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; my $tdcolor=''; my $checkorange=''; - +my @protocols; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); @@ -1223,13 +1223,14 @@ sub get_serviceports my $name=shift; &General::readhasharray("$configsrv", \%customservice); &General::readhasharray("$configsrvgrp", \%customservicegrp); - my $protocols; my $tcp; my $udp; + my $icmp; + @protocols=(); if($type eq 'service'){ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ if ($customservice{$key}[0] eq $name){ - $protocols=$customservice{$key}[2]; + push (@protocols,$customservice{$key}[2]); } } }elsif($type eq 'group'){ 
@@ -1237,16 +1238,32 @@ sub get_serviceports if ($customservicegrp{$key}[0] eq $name){ foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ - if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';} + if($customservice{$key1}[2] eq 'TCP'){ + $tcp='TCP'; + }elsif($customservice{$key1}[2] eq 'ICMP'){ + $icmp='ICMP'; + }elsif($customservice{$key1}[2] eq 'UDP'){ + $udp='UDP'; + } } } } } } - if($tcp && $udp){$protocols="TCP,UDP"; - }elsif($tcp){$protocols.="TCP"; - }elsif($udp){$protocols.="UDP";} - return $protocols; + if($tcp && $udp && $icmp){ + push (@protocols,"All"); + return @protocols; + } + if($tcp){ + push (@protocols,"TCP"); + } + if($udp){ + push (@protocols,"UDP"); + } + if($icmp){ + push (@protocols,"ICMP"); + } + return @protocols; } sub getcolor { @@ -2059,8 +2076,6 @@ sub viewtablenew $$hash{$key}[2]=''; } } - #$$hash{$key}[3]=''; - #$$hash{$key}[5]=''; } $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; @@ -2131,17 +2146,18 @@ END #Get Protocol my $prot; if ($$hash{$key}[12]){ #target prot if manual - $prot=$$hash{$key}[12]; + push (@protocols,$$hash{$key}[12]); }elsif($$hash{$key}[8]){ #source prot if manual - $prot=$$hash{$key}[8]; + push (@protocols,$$hash{$key}[8]); }elsif($$hash{$key}[14] eq 'cust_srv'){ - $prot=&get_serviceports("service",$$hash{$key}[15]); + &get_serviceports("service",$$hash{$key}[15]); }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ - $prot=&get_serviceports("group",$$hash{$key}[15]); + &get_serviceports("group",$$hash{$key}[15]); }else{ - $prot=$Lang::tr{'all'}; + push (@protocols,$Lang::tr{'all'}); } - print"$prot"; + my $protz=join(",",@protocols); + print"$protz"; if ($$hash{$key}[18] eq 'ON'){ my @days=(); if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} From f38e0c4de02235f31fbff715af6dde0fcd62a78f Mon Sep 17 00:00:00 2001 
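Review bot: In the `@@ -2131` hunk the two `&get_serviceports(...)` calls discard the list the function now returns and instead rely on it filling the file-scope `@protocols`, while the manual-protocol and `all` branches push onto that same array without clearing it first; unless it is reset elsewhere before each row, protocols from the previous row carry over into the next `$protz`. Either consume the return value with a row-local array (`my @protocols = &get_serviceports("service",$$hash{$key}[15]);`) or put `@protocols=();` at the top of the per-row block so the reset does not depend on which branch runs. A one-line comment on get_serviceports noting that it returns `('All')` only when TCP, UDP and ICMP are all present in the group, and a plain list otherwise, would also help the caller.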
From: Alexander Marx Date: Tue, 5 Mar 2013 09:47:21 +0100 Subject: [PATCH 167/306] Forward Firewall: added --kerneltz option to timeframe --- config/forwardfw/rules.pl | 2 +- html/cgi-bin/forwardfw.cgi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index d4006846d..6532a201f 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -210,7 +210,7 @@ sub buildrules $TIME=join(",",@timeframe); $TIMEFROM="--timestart $$hash{$key}[26] "; $TIMETILL="--timestop $$hash{$key}[27] "; - $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; + $TIME="-m time --kerneltz --weekdays $TIME $TIMEFROM $TIMETILL"; } if ($MODE eq '1'){ print "NR:$key "; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index a12f1a82e..24dbe293d 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -74,7 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); -my $VERSION='0.9.8.0'; +my $VERSION='0.9.8.1'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; From 7874d8200d10669bc7ab8c69c119fa62cbc8c69c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 5 Mar 2013 11:21:13 +0100 Subject: [PATCH 168/306] Forward Firewall: wrong Tag leads to a sidemenu with small font --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 24dbe293d..8ffc200c9 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -575,7 +575,7 @@ END print "$Lang::tr{'outgoing firewall reset'}: "; print ""; &Header::closebox(); - print "

Version: $VERSION
"; + print "

Version: $VERSION
"; } sub changerule From f69ea1c7c59cdeb664cbc93eae60a538191ed44b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 5 Mar 2013 11:33:21 +0100 Subject: [PATCH 169/306] Forward Firewall: New Version 0.9.8.2 --- html/cgi-bin/forwardfw.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 8ffc200c9..fb0ef5900 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -74,7 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); -my $VERSION='0.9.8.1'; +my $VERSION='0.9.8.2'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -2158,6 +2158,7 @@ END } my $protz=join(",",@protocols); print"$protz"; + @protocols=(); if ($$hash{$key}[18] eq 'ON'){ my @days=(); if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} From c773075074acff71cb574f67fd450f86bf7f6dc1 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 7 Mar 2013 06:35:03 +0100 Subject: [PATCH 170/306] Forward Firewall: Try to implement a timeconverter for Rules. New function timeconvert should convert localtime agains gmtime. --- html/cgi-bin/forwardfw.cgi | 62 +++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index fb0ef5900..1caa34869 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -74,7 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); -my $VERSION='0.9.8.2'; +my $VERSION='0.9.8.3'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -143,6 +143,12 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } + #Konvert timeframe if defined + if ($fwdfwsettings{'TIME'} eq 'ON'){ + $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'2utc'); + $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'2utc'); + print "NACHHER: $fwdfwsettings{'TIME_FROM'} - $fwdfwsettings{'TIME_TO'}
"; + } #DMZ-Part if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ $fwdfwsettings{'config'}=$configdmz; @@ -577,7 +583,6 @@ END &Header::closebox(); print "
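Review bot: The added block leaves a debug `print "NACHHER: $fwdfwsettings{'TIME_FROM'} - $fwdfwsettings{'TIME_TO'}"` in the save path, so every rule save emits raw text into the CGI response before the normal page is rendered; drop it before merge. The same applies to the `print"umrechnen nach UTC"` inside the new timeconvert sub later in this commit. The comment `#Konvert timeframe if defined` would be clearer as `# Convert the entered time window from local time to UTC before saving`.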

Version: $VERSION
"; } - sub changerule { my $oldchain=shift; @@ -1386,6 +1391,8 @@ sub newrule $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); + $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; @@ -1478,7 +1485,8 @@ sub newrule } } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); + $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); print < @@ -1990,6 +1998,49 @@ sub saverule } } } +sub timeconvert +{ + my $orgtime=shift; + my $type=shift; + my $newtime; + my ($hour,$min) = split (":", $orgtime); + my @locar = localtime(time); + my @gmtar = gmtime(); + my $oldtime = $hour*60 + $min; + my $gmt = $gmtar[2]*60 + $gmtar[1]; + my $loc = $locar[2]*60 + $locar[1]; + my $diff; + my $newtime; + if ($gmt > $loc) + { + $diff = $gmt - $loc; + if ($type eq '2utc') + { + print"umrechnen nach UTC
"; + $newtime = $oldtime + $diff; + }else{ + $newtime = $oldtime - $diff; + } + }else{ + $diff = $loc - $gmt; + if ($type eq '2utc') + { + $newtime = $oldtime - $diff; + }else{ + $newtime = $oldtime + $diff; + } + } + if ($newtime < 0 ){ + $newtime += 1440; + } + if ($newtime >= 1440){ + $newtime -= 1440; + } + my $newhour =sprintf"%02d", $newtime/60; + my $newmin = sprintf"%02d",$newtime % 60; + $newtime = "$newhour:$newmin"; + return $newtime; +} sub validremark { # Checks a hostname against RFC1035 @@ -2170,7 +2221,10 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - print""; + my $from = &timeconvert($$hash{$key}[26],'2loc'); + my $to = &timeconvert($$hash{$key}[27],'2loc');; + + print""; } }else{ print""; From a0f267b92c63d8f1ac374073847766873e5fc445 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 7 Mar 2013 07:43:28 +0100 Subject: [PATCH 171/306] Forward Firewall: removed --kerneltz from rules.pl. New function timeconvert in forwardfw.cgiu takes care of timeconversion now --- config/forwardfw/rules.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 6532a201f..d4006846d 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -210,7 +210,7 @@ sub buildrules $TIME=join(",",@timeframe); $TIMEFROM="--timestart $$hash{$key}[26] "; $TIMETILL="--timestop $$hash{$key}[27] "; - $TIME="-m time --kerneltz --weekdays $TIME $TIMEFROM $TIMETILL"; + $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } if ($MODE eq '1'){ print "NR:$key "; From ef6f983b1724f9b3ac4d5d4f5ba45288985c44fc Mon Sep 17 00:00:00 2001 
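Review bot: `my $newtime;` is declared twice in timeconvert (once after `my $type=shift;` and again after `my $diff;`), which triggers a "masks earlier declaration" warning under `use warnings`; remove the second `my $newtime;`. The `$type` argument is only compared against `'2utc'`, so the `'2loc'` passed in the `@@ -2170` hunk and the `''` passed from newrule both silently take the to-local branch; checking for `'2loc'` explicitly, or documenting in a header comment that anything other than `'2utc'` means "to local", would make the three call sites consistent. newrule converts TIME_FROM/TIME_TO to local both in the `@@ -1386` hunk and in the `@@ -1478` hunk; if both run in one request the value is shifted twice, which is worth confirming. The conversion uses the offset between localtime and gmtime at the moment of the call, so a window saved in winter is re-interpreted after a DST change; a comment stating that limitation would help whoever maintains this.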
From: Alexander Marx Date: Thu, 7 Mar 2013 10:01:24 +0100 Subject: [PATCH 172/306] Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d/firewall deleted ACCEPT OUTGOINGFW related,established from POLICYOUT --- config/forwardfw/firewall-policy | 23 ++++++++++++----------- src/initscripts/init.d/firewall | 6 +++++- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index bbdec37bc..3b7fa18ad 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -7,6 +7,7 @@ iptables -F POLICYFWD iptables -F POLICYOUT iptables -F POLICYIN +#FORWARDFW if [ "$POLICY" == "MODE1" ]; then if [ "$FWPOLICY" == "REJECT" ]; then if [ "$DROPFORWARD" == "on" ]; then 
@@ -21,20 +22,20 @@ if [ "$POLICY" == "MODE1" ]; then /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi fi +#OUTGOINGFW if [ "$POLICY1" == "MODE1" ]; then - /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT - if [ "$FWPOLICY1" == "REJECT" ]; then - if [ "$DROPOUTGOING" == "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" - fi - /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT" + if [ "$FWPOLICY1" == "REJECT" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" fi - if [ "$FWPOLICY1" == "DROP" ]; then - if [ "$DROPOUTGOING" == "on" ]; then - /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" - fi - /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT" + fi + if [ "$FWPOLICY1" == "DROP" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + fi fi #INPUT if [ "$FWPOLICY2" == "REJECT" ]; then diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c51ba3585..9024a88fd 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -149,10 +149,10 @@ case "$1" in /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW /sbin/iptables -A OUTPUT -j OUTGOINGFW - /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING @@ -173,6 +173,10 @@ case "$1" in /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Accept everything on lo + iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything /sbin/iptables -N IPSECINPUT /sbin/iptables -N IPSECFORWARD From 472136c9271f162ab65b224225fe3e478a77ccb4 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 8 Mar 2013 08:38:41 +0100 Subject: [PATCH 173/306] Forward Firewall: Fix ruletimes. Now the timevalues which are entered in the gui are saved to the rulefile. Wenn rule.pl is called, the script calculates the difference to UTC time and sets the iptables times accordingly. With this approach there's no need to save if the times are created in summertime or wintertime. --- config/forwardfw/rules.pl | 40 +++++++++++++++++++++-- html/cgi-bin/forwardfw.cgi | 65 ++++---------------------------------- 2 files changed, 45 insertions(+), 60 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index d4006846d..9332c9bec 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
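Review bot: The new `/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` is appended before `/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT`, so rules an administrator places in CUSTOMOUTPUT no longer see established or related packets; the accept it replaces lived in OUTGOINGFW, which OUTPUT reaches only after CUSTOMOUTPUT. If that ordering is intended, say so in a comment next to the line; otherwise move it after the CUSTOMOUTPUT jump. The two new loopback rules call bare `iptables` while every surrounding line uses `/sbin/iptables`; keep the absolute path for consistency. The `case` block starts and ends outside the hunks.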
@@ -25,6 +25,7 @@ ############################################################################### use strict; +use Time::Local; no warnings 'uninitialized'; # enable only the following on debugging purpose @@ -200,6 +201,10 @@ sub buildrules #get time if defined if($$hash{$key}[18] eq 'ON'){ + my ($time1,$time2,$daylight); + my $daylight=$$hash{$key}[28]; + $time1=&get_time($$hash{$key}[26],$daylight); + $time2=&get_time($$hash{$key}[27],$daylight); if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} @@ -208,8 +213,9 @@ sub buildrules if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} $TIME=join(",",@timeframe); - $TIMEFROM="--timestart $$hash{$key}[26] "; - $TIMETILL="--timestop $$hash{$key}[27] "; + + $TIMEFROM="--timestart $time1 "; + $TIMETILL="--timestop $time2 "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } if ($MODE eq '1'){ @@ -287,6 +293,36 @@ sub buildrules undef $TIMETILL; } } +sub get_time +{ + my $val=shift; + my $val1=shift; + my $time; + my $minutes; + my $ruletime; + $minutes = &utcmin($val); + $ruletime = $minutes + &time_get_utc($val); + if ($ruletime < 0){$ruletime +=1440;} + if ($ruletime > 1440){$ruletime -=1440;} + $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; + return $time; +} +sub time_get_utc +{ + # Calculates the UTCtime from a given time + my $val=shift; + my @localtime=localtime(time); + my @gmtime=gmtime(time); + my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); + return $diff; +} +sub utcmin +{ + my $ruletime=shift; + my ($hrs,$min) = split(":",$ruletime); + my $newtime = $hrs*60+$min; + return $newtime; +} sub p2pblock { my $P2PSTRING; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 1caa34869..1f3d6a9a6 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
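Review bot: In `get_time` the wrap check `if ($ruletime > 1440){$ruletime -=1440;}` lets a value of exactly 1440 through, and the following sprintf then emits `24:00`, which xt_time rejects; it should be `if ($ruletime >= 1440){$ruletime -=1440;}`. The conversion shifts only hours and minutes: a window that crosses midnight when moved to UTC falls on a different weekday, yet `@timeframe` still carries the local weekdays, so such rules appear to match the wrong day. The offset is taken from `localtime`/`gmtime` at the moment rules.pl runs, so after a DST change the generated times are stale until the rules are regenerated — worth a comment on `time_get_utc`. Smaller points: `$daylight` is declared twice in one scope (`my ($time1,$time2,$daylight);` then `my $daylight=...`), `time_get_utc` ignores its `$val` argument, `get_time` ignores `$val1`, and `use Time::Local;` is not used by anything in these hunks. `buildrules` starts outside the hunk.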
@@ -74,7 +74,7 @@ my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); -my $VERSION='0.9.8.3'; +my $VERSION='0.9.8.4'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -143,12 +143,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } - #Konvert timeframe if defined - if ($fwdfwsettings{'TIME'} eq 'ON'){ - $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'2utc'); - $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'2utc'); - print "NACHHER: $fwdfwsettings{'TIME_FROM'} - $fwdfwsettings{'TIME_TO'}
"; - } #DMZ-Part if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ $fwdfwsettings{'config'}=$configdmz; @@ -1391,11 +1385,10 @@ sub newrule $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; - $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); - $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -1485,8 +1478,10 @@ sub newrule } } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); - $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); + if ($fwdfwsettings{'TIME'} eq 'ON'){ + $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); + $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); + } print <
$weekdays   $$hash{$key}[26] - $$hash{$key}[27]$weekdays   $from - $to24/7
@@ -1998,49 +1993,6 @@ sub saverule } } } -sub timeconvert -{ - my $orgtime=shift; - my $type=shift; - my $newtime; - my ($hour,$min) = split (":", $orgtime); - my @locar = localtime(time); - my @gmtar = gmtime(); - my $oldtime = $hour*60 + $min; - my $gmt = $gmtar[2]*60 + $gmtar[1]; - my $loc = $locar[2]*60 + $locar[1]; - my $diff; - my $newtime; - if ($gmt > $loc) - { - $diff = $gmt - $loc; - if ($type eq '2utc') - { - print"umrechnen nach UTC
"; - $newtime = $oldtime + $diff; - }else{ - $newtime = $oldtime - $diff; - } - }else{ - $diff = $loc - $gmt; - if ($type eq '2utc') - { - $newtime = $oldtime - $diff; - }else{ - $newtime = $oldtime + $diff; - } - } - if ($newtime < 0 ){ - $newtime += 1440; - } - if ($newtime >= 1440){ - $newtime -= 1440; - } - my $newhour =sprintf"%02d", $newtime/60; - my $newmin = sprintf"%02d",$newtime % 60; - $newtime = "$newhour:$newmin"; - return $newtime; -} sub validremark { # Checks a hostname against RFC1035 @@ -2221,10 +2173,7 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - my $from = &timeconvert($$hash{$key}[26],'2loc'); - my $to = &timeconvert($$hash{$key}[27],'2loc');; - - print""; + print""; } }else{ print""; From 21b9a50c68d9c42e56a525c9745f638266469a39 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 8 Mar 2013 08:58:22 +0100 Subject: [PATCH 174/306] Forward Firewall: changes in de languagefile --- langs/de/cgi-bin/de.pl | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 1c66d49ac..267737a8a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -892,7 +892,7 @@ 'fwdfw action' => 'Aktion', 'fwdfw menu' => 'Firewall', 'fwdfw addrule' => 'Neue Regel hinzufügen:', -'fwdfw addr grp' => 'Adress Gruppen:', +'fwdfw addr grp' => 'Adressgruppen:', 'fwdfw change' => 'Aktualisieren', 'fwdfw cust addr' => 'Custom Adressen:', 'fwdfw cust net' => 'Custom Netzwerke:', @@ -920,7 +920,7 @@ 'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind', 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', 'fwdfw ipsec network' => 'IPsec Netzwerke:', -'fwdfw log rule' => 'Log Regel', +'fwdfw log rule' => 'Logging aktivieren', 'fwdfw man port' => 'Port(s) manuell:', 'fwdfw moveup' => 'Hoch', 'fwdfw movedown' => 'Runter', 
@@ -933,7 +933,7 @@ 'fwdfw red' => 'INTERNET', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', -'fwdfw rule action' => 'Regel Aktion:', +'fwdfw rule action' => 'Regelaktion:', 'fwdfw rule activate' => 'Regel aktivieren', 'fwdfw rulepos' => 'Regelposition', 'fwdfw source' => 'Quelle', @@ -948,7 +948,7 @@ 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.', 'fwdfw use srcport' => 'Quellport benutzen', -'fwdfw use srv' => 'Ziel-Dienstport benutzen', +'fwdfw use srv' => 'Zielport benutzen', 'fwdfw newrule' => 'Neue Regel', 'fwdfw wd_mon' => 'Mo', 'fwdfw wd_tue' => 'Di', @@ -1014,13 +1014,13 @@ 'fwhost ipsec host' => 'IPsec Clients:', 'fwhost ipsec net' => 'IPsec Netzwerke:', 'fwhost netaddress' => 'Netzwerk Adresse', -'fwhost newnet' => 'Netz-Einstellungen', -'fwhost newhost' => 'Adress-Einstellungen', -'fwhost newgrp' => 'Adress-Gruppierung', -'fwhost newservice' => 'Dienst-Einstellungen', -'fwhost newservicegrp' => 'Dienst-Gruppierung', +'fwhost newnet' => 'Netzeinstellungen', +'fwhost newhost' => 'Adresseinstellungen', +'fwhost newgrp' => 'Adressgruppierung', +'fwhost newservice' => 'Diensteinstellungen', +'fwhost newservicegrp' => 'Dienstgruppierung', 'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.', -'fwhost menu' => 'Firewall-Gruppen', +'fwhost menu' => 'Firewallgruppen', 'fwhost orange' => 'Orange', 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', From fccf52cf7eb362d88dca279b4fd4464dba92d6ce Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 12 Mar 2013 14:46:16 +0100 Subject: [PATCH 175/306] Forward Firewall: fixed a bug in convert-outgoingfw. THe hosts are created with wrong amount of fields in hasharray. Also fixed a bug which sets wrong firewall mode for FORWARD when outgoing rules are used. --- config/forwardfw/convert-outgoingfw | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index e7d8e80af..f3374749b 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -186,7 +186,8 @@ sub new_hostgrp $hosts{$key}[0] = $name2; $hosts{$key}[1] = $type; $hosts{$key}[2] = $mac; - $hosts{$key}[3] = 1; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; print LOG "->Host (MAC) $mac added to custom hosts\n"; }else{ print LOG "->Host (MAC) $mac already exists\n"; @@ -250,21 +251,20 @@ sub process_rules { my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); &General::readhash($fwdfwsettings,\%fwdsettings); + print "altefirewall hat modus: $outsettings{'POLICY'}\n"; if ($outsettings{'POLICY'} eq 'MODE1'){ $fwdfwsettings{'POLICY'}='MODE1'; - }else{ - $fwdsettings{'POLICY'}='MODE2'; - } - &General::writehash($fwdfwsettings,\%fwdsettings); - if ($outsettings{'POLICY'} eq 'MODE1'){ $type='ALLOW'; $action='ACCEPT'; }elsif($outsettings{'POLICY'} eq 'MODE2'){ + $fwdsettings{'POLICY'}='MODE2'; $type='DENY'; $action='DROP'; }else{ return; } + &General::writehash($fwdfwsettings,\%fwdsettings); + #open LOG if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; @@ -289,7 +289,6 @@ sub process_rules }else{ push(@prot,$configline[3]); } - if($configline[4] ne ''){ $configline[4] =~ s/,/;/g; $remark = $configline[4]; @@ -326,6 +325,7 @@ sub process_rules $source='IPFire'; &General::readhash($fwdfwsettings,\%fwdsettings); $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; &General::writehash($fwdfwsettings,\%fwdsettings); }elsif ($configline[2] eq 'blue') { $grp1='std_net_src'; 
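Review bot: In the `@@ -250,21 +251,20 @@` hunk the MODE1 branch still assigns `$fwdfwsettings{'POLICY'}='MODE1';`, which is the `%fwdfwsettings` hash, whereas `&General::writehash($fwdfwsettings,\%fwdsettings)` persists `%fwdsettings` (the scalar `$fwdfwsettings` is the file path); the new MODE2 branch writes `$fwdsettings{'POLICY'}='MODE2';`. Unless `%fwdfwsettings` is used somewhere outside the hunk, MODE1 never reaches the settings file and the line should read `$fwdsettings{'POLICY'}='MODE1';`. The `@@ -326,6 +325,7 @@` hunk additionally writes `$fwdsettings{'POLICY'}=$outsettings{'POLICY'};` inside the per-line branch that sets `$source='IPFire'`, which overrides the value chosen at the top of `process_rules` — confirm that is intended and note it in a comment. `process_rules` starts and ends outside the hunks.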
@@ -398,6 +398,7 @@ sub process_rules my @values=(); my @parts=split(",",$configline[8]); foreach (@parts){ + $_=~ tr/-/:/; if (!($_ =~ /^(\d+)\:(\d+)$/)) { if(&General::validport($_)){ $useport='ON'; From d58677779f0a678a5495a4b198fc4dfd2fcc6893 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 12 Mar 2013 14:51:34 +0100 Subject: [PATCH 176/306] Forward Firewall: forgot to delete devel-comment --- config/forwardfw/convert-outgoingfw | 1 - 1 file changed, 1 deletion(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index f3374749b..e118c08f9 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -251,7 +251,6 @@ sub process_rules { my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); &General::readhash($fwdfwsettings,\%fwdsettings); - print "altefirewall hat modus: $outsettings{'POLICY'}\n"; if ($outsettings{'POLICY'} eq 'MODE1'){ $fwdfwsettings{'POLICY'}='MODE1'; $type='ALLOW'; From 05612a544bf60d233704be5995241d2354dbde91 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 13 Mar 2013 06:02:35 +0100 Subject: [PATCH 177/306] Forward Firewall: fix converter for outgoingfw. remarkfield (new) was not implemented here fwhosts: Some layout changes in tables (cellspacing='0') --- config/forwardfw/convert-outgoingfw | 22 +++++++++++++++++----- html/cgi-bin/fwhosts.cgi | 20 ++++++++++---------- 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index e118c08f9..ccb3ea423 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -96,6 +96,7 @@ sub process_groups } &new_hostgrp($group,'mac'); @hostarray=(); + @zeilen=(); } close (LOG); } 
@@ -144,10 +145,14 @@ sub new_hostgrp $hosts{$key}[0] = $name2; $hosts{$key}[1] = $type; $hosts{$key}[2] = $ip; - $hosts{$key}[3] = 1; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; print LOG "->Host (IP) $ip added to custom hosts\n" }else{ - print LOG "->Host (IP) $ip already exists\n"; + print LOG "->Host (IP) $ip already exists in custom hosts\n"; + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; } }elsif($byte4 < '255'){ print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; @@ -159,10 +164,14 @@ sub new_hostgrp $nets{$netkey}[0] = $name2; $nets{$netkey}[1] = $ippart; $nets{$netkey}[2] = $subnet; - $nets{$netkey}[3] = 1; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; print LOG "->Network $ippart/$subnet added to custom networks\n"; }else{ - print LOG "Network $ippart already exists\n"; + print LOG "Network $ippart already exists in custom networks\n"; + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; } } if($name2){ @@ -190,7 +199,10 @@ sub new_hostgrp $hosts{$key}[4] = 1; print LOG "->Host (MAC) $mac added to custom hosts\n"; }else{ - print LOG "->Host (MAC) $mac already exists\n"; + print LOG "->Host (MAC) $mac already exists in custom hosts \n"; + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; } if($name2){ my $grpkey = &General::findhasharraykey(\%groups); diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 073565abf..fd1da8a7a 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1364,7 +1364,7 @@ sub viewtablenet print "
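Review bot: The three new `else` branches synthesise `$name2` for a host or network that already exists so that the group-membership code under `if($name2){` runs for it; that only links the correct entry if the existing record was stored under exactly `"host ".$ippart`, `"net ".$ippart` or `"host ".$mac`, which the hunks do not show — looking the stored name up by IP/MAC would be safer than rebuilding it. The triplet `$name="host "; $name2=$name.$ippart; $name3="Custom Host";` is now repeated in each branch; a small helper would keep them aligned. The new log text `already exists in custom hosts \n` has a stray space before the newline. `new_hostgrp` starts and ends outside the hunks.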
$Lang::tr{'fwhost empty'}"; }else{ print< +
$weekdays   $from - $to$weekdays   $$hash{$key}[26] - $$hash{$key}[27] 24/7
END } @@ -1380,7 +1380,7 @@ END print" "; } print<
$customnetwork{$key}[0]
+ + END if (! -z "${General::swroot}/ethernet/aliases"){ print" @@ -1626,9 +1619,9 @@ END } if ($_ eq $fwdfwsettings{'RULE_ACTION'}) { - print""; + print""; }else{ - print""; + print""; } } } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index fd1da8a7a..54080a97e 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -455,7 +455,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') foreach my $key (sort keys %customgrp){ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'}; - last; } } &General::writehasharray("$configgrp", \%customgrp); @@ -1111,7 +1110,7 @@ sub addhost print< - + From ddcec9d339162ee49d7973f815e03d8da5e973cd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 14 Mar 2013 16:24:52 +0100 Subject: [PATCH 180/306] Forward Firewall: Firewall sets Internetdevice correctly now (was always red0) --- config/forwardfw/firewall-lib.pl | 3 ++- config/forwardfw/rules.pl | 13 +++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index 9f806850e..a1f96ba40 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -207,6 +207,7 @@ sub get_grp_ip sub get_std_net_ip { my $val=shift; + my $con=shift; if ($val eq 'ALL'){ return "0.0.0.0/0.0.0.0"; }elsif($val eq 'GREEN'){ @@ -216,7 +217,7 @@ sub get_std_net_ip }elsif($val eq 'BLUE'){ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; }elsif($val eq 'RED'){ - return "0.0.0.0/0 -o red0"; + return "0.0.0.0/0 -o $con"; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 9332c9bec..2547e474f 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
@@ -65,7 +65,7 @@ my $green; my $blue; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); my $CHAIN="FORWARDFW"; - +my $conexists='off'; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("$netsettings", \%defaultNetworks); @@ -76,6 +76,14 @@ my $CHAIN="FORWARDFW"; &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); +#check if we have an internetconnection +open (CONN,"/var/ipfire/red/iface"); +my $con = ; +close(CONN); +if (-f "/var/ipfire/red/active"){ + $conexists='on'; +} + ################################ # DEBUG/TEST # ################################ @@ -153,6 +161,7 @@ sub buildrules my $hash=shift; my $STAG; foreach my $key (sort {$a <=> $b} keys %$hash){ + next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); $STAG=''; if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -375,7 +384,7 @@ sub get_address $$hash{$key}[0] = $base2; } }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ - $$hash{$key}[0]=&fwlib::get_std_net_ip($base2); + $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ $$hash{$key}[0]=&fwlib::get_net_ip($base2); }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ From 2669161dab909e57a6642c2dea8d5a70900f4f12 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 17 Mar 2013 13:49:57 +0100 Subject: [PATCH 181/306] Forward Firewall: Added support for DNAT/SNAT to forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 304 +++++++++++++++++++++++++++++++------ 1 file changed, 255 insertions(+), 49 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 6ee2bbc63..0bf3a31c3 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
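Review bot: `open (CONN,"/var/ipfire/red/iface");` is an unchecked two-argument open on a bareword handle, and the value read into `$con` is never chomped, so the interface name carries its trailing newline into the `"0.0.0.0/0 -o $con"` string that `get_std_net_ip` now returns (the readline operand appears lost in this rendering); when the file is absent `$con` is undef and rules are emitted with an empty `-o`. Suggest `my $con = ''; if (open(my $conn, '<', '/var/ipfire/red/iface')) { $con = <$conn> || ''; close($conn); } chomp $con;`. `next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );` silently drops every rule whose target is RED while `/var/ipfire/red/active` is missing, so those rules presumably only appear once rules.pl is run again after the connection comes up — a comment stating that dependency on the `next` line would help operators reading the generated chain. `buildrules` and `get_address` start and end outside the hunks.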
@@ -47,6 +47,7 @@ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swr unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); } +unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); } my %fwdfwsettings=(); my %selected=() ; @@ -64,6 +65,7 @@ my %configfwdfw=(); my %configinputfw=(); my %configoutgoingfw=(); my %configdmzfw=(); +my %confignatfw=(); my %ipsecconf=(); my %color=(); my %mainsettings=(); @@ -73,8 +75,9 @@ my %ovpnsettings=(); my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); +my %ifaces=(); -my $VERSION='0.9.8.6'; +my $VERSION='0.9.8.7'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -89,8 +92,10 @@ my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; my $configdmz = "${General::swroot}/forward/dmz"; +my $confignat = "${General::swroot}/forward/nat"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; my $errormessage=''; my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; @@ -101,6 +106,7 @@ my @protocols; &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); &General::readhash($fwoptions, \%optionsfw); +&General::readhash($ifacesettings, \%ifaces); &Header::showhttpheaders(); &Header::getcgihash(\%fwdfwsettings); 
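Review bot: The new `unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); }` copies the surrounding style of spawning a shell to create an empty file; the path is a constant so there is no injection risk here, but `open(my $fh, '>>', "${General::swroot}/forward/nat") or die $!; close($fh);` avoids the fork and the unchecked exit status. Since the same pattern appears on the four lines above, consider converting them together rather than adding a fifth. The top-level statement run continues outside the hunk.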
@@ -123,6 +129,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); &General::readhasharray("$configoutgoing", \%configoutgoingfw); + &General::readhasharray("$confignat", \%confignatfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} @@ -137,13 +144,71 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw useless rule'}."
"; } - #check if we try to break rules if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } + #NAT-Part + if ($fwdfwsettings{'USE_NAT'} eq 'ON'){ + $fwdfwsettings{'config'}=$confignat; + if ($fwdfwsettings{'nat'} eq 'dnat'){ + $fwdfwsettings{'chain'} = 'NAT_DESTINATION'; + }else{ + $fwdfwsettings{'chain'} = 'NAT_SOURCE'; + } + my $maxkey=&General::findhasharraykey(\%confignatfw); + #check if we have an identical rule already + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %confignatfw){ + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq 
"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %confignatfw){ + print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}
"; + print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]
"; + if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq 
$fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + $fwdfwsettings{'nosave2'} = 'on'; + } + } + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%confignatfw,$confignat); + } #DMZ-Part - if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ + }elsif ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ $fwdfwsettings{'config'}=$configdmz; $fwdfwsettings{'chain'} = 'FORWARDFW'; my $maxkey=&General::findhasharraykey(\%configdmzfw); 
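Review bot: The two `print"$fwdfwsettings{'RULE_ACTION'},..."` / `print"$confignatfw{$key}[0],..."` lines inside the `#check Rulepos on new Rule` loop are debugging output that dumps every stored NAT rule into the HTML response; remove them before this lands. The 30-field signature string is built identically three times in this hunk; a pair of helpers, one joining the form values and one doing `join(',', @{$r}[0,2..15,17,19..32])` over a stored row, would make the duplicate check readable and keep the index lists aligned. On that point, the stored-side list skips [1], [16] and [18] while the rules.pl hunk earlier in this series reads the time flag from `$$hash{$key}[18]` and weekdays from [19..25], so `$fwdfwsettings{'TIME'}` here appears to be compared against [17] rather than [18] — confirm the two lists line up field for field. The `saverule` action block starts before the hunk and the DMZ branch continues after it.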
@@ -175,7 +240,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 }
 }
 #check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
 if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 $errormessage='';
 $fwdfwsettings{'nosave2'} = 'on';
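Review bot: The new `$fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}` term can never be true for a rule loaded from the DMZ config, because L1270 stores `oldruletype` as the synthetic value `'DMZ'` while L1261 forces `chain` to `'FORWARDFW'` for that branch; if this hunk is the DMZ branch's "just close" shortcut (I cannot confirm which branch it sits in), an unchanged DMZ rule is re-saved and, per the new `changerule` chain in `saverule`, moved instead of simply closed. Either derive the old type from the stored chain (`$hash{$key}[1]`, which the `newrule` hunk below already reads) or accept the synthetic value here: `&& ($fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} || $fwdfwsettings{'oldruletype'} eq 'DMZ')`. The enclosing `saverule` action block starts before and ends after this hunk.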
@@ -228,7 +293,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 }
 }
 #check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
 if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 $errormessage='';
 $fwdfwsettings{'nosave2'} = 'on';
@@ -302,7 +367,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 }
 }
 #check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
 if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
 $fwdfwsettings{'nosave2'} = 'on';
 $errormessage='';
@@ -332,8 +397,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ $errormessage=''; 
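Review bot: Removing the log flag from the duplicate-rule comparison shifted the pairing on the stored side by one: the settings string now continues with `$fwdfwsettings{'TIME'}` after the grp3 value, but the config string still continues with `$configfwdfw{$key}[17]`, which is the LOG column (it is what `[17] eq 'ON'` tests in the rules.pl and display hunks further down), while `[18]` — the column TIME was paired with before this change — is no longer compared at all. A rule with logging on and no time constraint therefore never matches its stored twin, and one with a time constraint and logging off compares TIME against LOG. Change `$configfwdfw{$key}[17]` to `$configfwdfw{$key}[18]` in the comparison string; the same slip is in the `@@ -350` hunk below and in the NAT comparison at the top of this chunk. The enclosing `saverule` action block starts before and ends after the hunk.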
@@ -350,14 +415,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configfwdfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq 
$fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; @@ -1380,7 +1445,6 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -1389,6 +1453,7 @@ sub newrule if ($key eq $fwdfwsettings{'key'}){ $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'}; $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; + $fwdfwsettings{'chain'} = $hash{$key}[1]; $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; $fwdfwsettings{'grp1'} = $hash{$key}[3]; $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; @@ -1415,6 +1480,11 @@ sub newrule $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; + $fwdfwsettings{'USE_NAT'} = $hash{$key}[28]; + $fwdfwsettings{'nat'} = $hash{$key}[32]; #changed order + $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; + $fwdfwsettings{'snatport'} = $hash{$key}[30]; + $fwdfwsettings{'dnatport'} = $hash{$key}[31]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; 
@@ -1430,9 +1500,13 @@ sub newrule $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; + $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; + $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; } } $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; @@ -1443,6 +1517,12 @@ sub newrule $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + if ($fwdfwsettings{'config'} eq "${General::swroot}/forward/dmz"){ + $fwdfwsettings{'oldruletype'}='DMZ'; + }else{ + $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; + } #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); @@ -1461,6 +1541,7 @@ sub newrule $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); @@ -1601,6 +1682,59 @@ END END &Header::closebox; + #---SNAT / DNAT ------------------------------------------------ + &Header::openbox('100%', 'left', 'NAT'); + print< +
+ +END + if (! -z "${General::swroot}/ethernet/aliases"){ + print""; + print""; + print""; + #SNAT + print""; + print""; + print"
$Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}$Lang::tr{'remark'}$Lang::tr{'used'}
$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3]$customnetwork{$key}[4]x$customnetwork{$key}[0]$customnetwork{$key}[1]$customnetwork{$key}[2]$customnetwork{$key}[3]$customnetwork{$key}[4]x @@ -1412,7 +1412,7 @@ sub viewtablehost print "
$Lang::tr{'fwhost empty'}"; }else{ print< + END } @@ -1425,7 +1425,7 @@ END my ($ip,$sub)=split(/\//,$customhost{$key}[2]); $customhost{$key}[4]=~s/\s+//g; print<$customhost{$key}[0] +
$Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'remark'}$Lang::tr{'used'}
$ip$customhost{$key}[3]$customhost{$key}[4]x$customhost{$key}[0]$ip$customhost{$key}[3]$customhost{$key}[4]x @@ -1493,7 +1493,7 @@ sub viewtablegrp print""; } print"
"; - print""; + print"
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; } if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { @@ -1505,16 +1505,16 @@ sub viewtablegrp } my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]); if ($ip eq ''){print"";} - print ""; }else{ print "$customgrp{$key}[2]"; } if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ - print "
Name$Lang::tr{'ip address'}$Lang::tr{'fwhost type'}
"; + print ""; if($customgrp{$key}[3] eq 'Standard Network'){ print &get_name($customgrp{$key}[2])."$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]
"; + print "
$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]"; }else{ - print"$ip$customgrp{$key}[3]"; + print"$ip$customgrp{$key}[3]"; } if ($delflag > '1' && $ip ne ''){ print""; @@ -1539,7 +1539,7 @@ sub viewtableservice &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'}); &General::readhasharray("$configsrv", \%customservice); print< + END foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice) @@ -1614,7 +1614,7 @@ sub viewtableservicegrp print""; } print""; - print"
$Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'}
"; + print"
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
"; } if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { print" "; From bedb72f3d42cf71be128cf7c803baa53495af6e3 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 13 Mar 2013 08:50:32 +0100 Subject: [PATCH 178/306] Forward Firewall: moved ruleaction-dropdown from top to target area. some layout changes in forwardfw.cgi (when no alias exists, the dropdown after ipfire is not shown) --- html/cgi-bin/forwardfw.cgi | 67 +++++++++++++++++++------------------- langs/de/cgi-bin/de.pl | 3 ++ langs/en/cgi-bin/en.pl | 3 ++ 3 files changed, 39 insertions(+), 34 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 1f3d6a9a6..5339f9e67 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1388,7 +1388,7 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - + #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -1482,32 +1482,7 @@ sub newrule $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); } -print < -
Name$Lang::tr{'port'}$Lang::tr{'fwhost prot'}
-
$Lang::tr{'fwdfw rule action'}

"; - +print "
"; &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); #------SOURCE------------------------------------------------------- @@ -1518,7 +1493,6 @@ END
END &gen_dd_block('src','grp1'); - print<

@@ -1557,13 +1531,18 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< - END - print ""; + if (! -z "${General::swroot}/ethernet/aliases"){ + print" @@ -1633,8 +1612,28 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< - + "; + print""; if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ print " +
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})
$Lang::tr{'fwdfw targetip'}IPFire"; } print<
$Lang::tr{'remark'}:
$Lang::tr{'fwdfw rule action'}
$Lang::tr{'remark'}:
$Lang::tr{'fwdfw rulepos'}:
$Lang::tr{'fwdfw sourceip'}
$Lang::tr{'fwdfw sourceip'}

END @@ -1531,7 +1523,7 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< -
$Lang::tr{'fwdfw targetip'}IPFire
$Lang::tr{'fwdfw targetip'}IPFire"; + print""; } print<
$Lang::tr{'name'}:
IP/MAC:
IP/MAC:
$Lang::tr{'remark'}:


$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'}

USE NAT
DNATIPFire: "; + } + print"
Port:

SNATIPFire:
Port:
"; + print"
"; + &Header::closebox(); #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< + +
END 
@@ -1801,66 +1937,101 @@ sub saverule my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ - #check if we change a DMZ to an outgoing - if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configdmz); + #check if we change a NAT to a FORWARD/DMZ + if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){ + &changerule($confignat); #print"1"; } - #check if we change a DMZ to an external access - elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configdmz); + #check if we change a NAT to a INPUT (external access) + elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'INPUTFW'){ + &changerule($confignat); #print"2"; } - #check if we change an external access rule to a outgoing - elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); + #check if we change a NAT to a OUTGOING + elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ + &changerule($confignat); #print"3"; } - #check if we change an external access rule to a DMZ - elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); + 
################################################################ + #check if we change a DMZ to a NAT + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ + &changerule($configdmz); #print"4"; } - #check if we change an outgoing rule to a external access - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configoutgoing); + #check if we change a DMZ to an OUTGOING + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ + &changerule($configdmz); #print"5"; } - #check if we change an outgoing rule to a DMZ - if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configoutgoing); + #check if we change a DMZ to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ + &changerule($configdmz); #print"6"; } - #check if we change an forward rule to an external access - elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); + #check if we change a DMZ to a FORWARD/DMZ + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configdmz); #print"7"; } - #check if we change an forward rule to an DMZ - if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); + ################################################################ + #check if we change an INPUT rule to a NAT + 
elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ + &changerule($configinput); #print"8"; } - #check if we change an forward rule to an outgoing - elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configfwdfw); + #check if we change an INPUT rule to a OUTGOING + elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ + &changerule($configinput); #print"9"; } - #check if we change a DMZ to a forward - elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && ($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configdmz); + #check if we change an INPUT rule to a FORWARD/DMZ + elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configinput); #print"10"; } - #check if we change an external access rule to a forward - elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &changerule($configinput); + ################################################################ + #check if we change an OUTGOING rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ + &changerule($configoutgoing); #print"11"; } - #check if we change an outgoing rule to a forward - elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + #check if we change an OUTGOING rule to a FORWARD/DMZ + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configoutgoing); #print"12"; } + #check 
if we change an OUTGOING rule to a NAT + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ + &changerule($configoutgoing); + #print"13"; + } + ################################################################ + #check if we change a FORWARD rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ + &changerule($configfwdfw); + #print"14"; + } + #check if we change a FORWARD rule to an DMZ + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ + &changerule($configfwdfw); + #print"15"; + } + #check if we change a FORWARD rule to an OUTGOING + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ + &changerule($configfwdfw); + #print"16"; + } + #check if we change a FORWARD rule to an NAT + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ + &changerule($configfwdfw); + #print"17"; + } + #Cleanup some values for NAT if they are not used + if($fwdfwsettings{'nat'} eq 'dnat'){ + $fwdfwsettings{'snatport'}=''; + }else{ + $fwdfwsettings{'dnatport'}=''; + } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; 
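Review bot: The FORWARD→DMZ test `elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')` parses as `(A && B) || C`, so whenever `$checkorange` is `'on'` the branch fires regardless of the old rule type, and any rule that fell through the earlier branches (for instance a NAT-to-NAT edit) is removed from the wrong config by `changerule($configfwdfw)`. Parenthesize the alternative: `elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){`. The seventeen commented-out `#print"N";` markers should either go or become a single debug flag. `saverule` starts before and continues past the end of this hunk.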
@@ -1891,6 +2062,13 @@ sub saverule $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'snatport'}; + $$hash{$key}[31] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[32] = $fwdfwsettings{'nat'}; + } &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ @@ -1923,6 +2101,13 @@ sub saverule $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'snatport'}; + $$hash{$key}[31] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[32] = $fwdfwsettings{'nat'}; + } last; } } @@ -2012,6 +2197,7 @@ sub viewtablerule &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); + &viewtablenew(\%confignatfw,$confignat,"","NAT" ); } sub viewtablenew { @@ -2102,7 +2288,12 @@ END $tooltip='REJECT'; $rulecolor=$color{'color16'}; } - print"$ruletype"; + if($$hash{$key}[28] eq 'ON'){ + print""; + $rulecolor=$color; + }else{ + print"$ruletype"; + } &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print""; if ($$hash{$key}[3] eq 'std_net_src'){ @@ -2112,6 +2303,13 @@ END } $tdcolor=''; &getsrcport(\%$hash,$key); + #Is this a SNAT rule? + if ($$hash{$key}[32] eq 'snat'){ + print"
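Review bot: In the update branch (`@@ -1923`) the NAT columns `[28]`–`[32]` are written only when `USE_NAT` is `'ON'`, so editing an existing NAT rule and switching NAT off leaves the old `'ON'`, address and ports in the entry; rules.pl keys everything on `$$hash{$key}[28] eq 'ON'` (hunk at `@@ -155` below), so the rule silently stays a NAT rule. Assign `$$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};` unconditionally and clear `[29]`–`[32]` in an `else`, so a disabled NAT rule is actually disabled. The create branch above is not affected because it always writes a fresh key. `saverule` continues outside the hunk.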
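Review bot: In the `viewtablenew` hunk (`@@ -2102`) the NAT branch sets `$rulecolor=$color;`, which reads the scalar `$color` — a different variable from the `%color` hash the line above uses as `$color{'color16'}`; unless a scalar `$color` is declared elsewhere (not visible here) this is a strict-mode compile error or an undefined colour for every NAT row. It presumably wants a `%color` entry such as `$rulecolor=$color{'color16'};` or a dedicated NAT colour. The HTML emitted by the new `print""` lines is lost in this rendering, so I cannot check the markup itself; `viewtablenew` starts before and ends after the hunk.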
SNAT -> $$hash{$key}[29]"; + if ($$hash{$key}[30] ne ''){ + print": $$hash{$key}[30]"; + } + } if ($$hash{$key}[17] eq 'ON'){ $log="/images/on.gif"; }else{ @@ -2130,6 +2328,14 @@ END print< END + #Is this a DNAT rule? + if ($$hash{$key}[32] eq 'dnat'){ + print "IPFire ($$hash{$key}[29])"; + if($$hash{$key}[31] ne ''){ + print": $$hash{$key}[31]"; + } + print"
DNAT->"; + } if ($$hash{$key}[5] eq 'std_net_tgt'){ print &get_name($$hash{$key}[6]); }else{ @@ -2144,7 +2350,7 @@ END push (@protocols,$$hash{$key}[12]); }elsif($$hash{$key}[8]){ #source prot if manual push (@protocols,$$hash{$key}[8]); - }elsif($$hash{$key}[14] eq 'cust_srv'){ + }elsif($$hash{$key}[14] eq 'cust_srv'){ &get_serviceports("service",$$hash{$key}[15]); }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ &get_serviceports("group",$$hash{$key}[15]); From a6edca5a899eca09c3ccd8cd22c2b7a3223fcdd3 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 04:48:23 +0100 Subject: [PATCH 182/306] Forward Firewall: support for SNAT/DNAT in GUI and rules.pl --- config/forwardfw/rules.pl | 100 ++++++++++++++++++++++++++++----- html/cgi-bin/forwardfw.cgi | 111 ++++++++++++++++++++++++------------- langs/de/cgi-bin/de.pl | 5 ++ langs/en/cgi-bin/en.pl | 5 ++ 4 files changed, 169 insertions(+), 52 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 2547e474f..4461893ae 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -45,6 +45,7 @@ my @timeframe=(); my %configinputfw=(); my %configoutgoingfw=(); my %configdmzfw=(); +my %confignatfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); @@ -56,6 +57,7 @@ my $configdmz = "${General::swroot}/forward/dmz"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $confignat = "${General::swroot}/forward/nat"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; 
@@ -66,13 +68,16 @@ my $blue; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); my $CHAIN="FORWARDFW"; my $conexists='off'; - +my $command = 'iptables -A'; +my $dnat=''; +my $snat=''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray($configdmz, \%configdmzfw); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); &General::readhasharray($configoutgoing, \%configoutgoingfw); +&General::readhasharray($confignat, \%confignatfw); &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); @@ -83,7 +88,9 @@ close(CONN); if (-f "/var/ipfire/red/active"){ $conexists='on'; } - +open (CONN1,"/var/ipfire/red/local-ipaddress"); +my $redip = ; +close(CONN1); ################################ # DEBUG/TEST # ################################ @@ -155,13 +162,29 @@ sub preparerules if (! -z "${General::swroot}/forward/outgoing"){ &buildrules(\%configoutgoingfw); } + if (! -z "${General::swroot}/forward/nat"){ + &buildrules(\%confignatfw); + } } sub buildrules { my $hash=shift; my $STAG; + my $natip; + my $snatport; + my $fireport; foreach my $key (sort {$a <=> $b} keys %$hash){ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); + if ($$hash{$key}[28] eq 'ON'){ + $command='iptables -t nat -A'; + $natip=&get_nat_ip($$hash{$key}[29]); + if($$hash{$key}[31] eq 'dnat'){ + $$hash{$key}[0]='DNAT'; + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + }else{ + $$hash{$key}[0]='SNAT'; + } + } $STAG=''; if($$hash{$key}[2] eq 'ON'){ #get source ip's 
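Review bot: `open (CONN1,"/var/ipfire/red/local-ipaddress");` in the `@@ -83` hunk is a two-argument `open` on a bareword handle with no return check, so when RED is down and the file is absent `$redip` is silently undefined (the read itself is lost in this rendering as `my $redip = ;`, which I take to be `<CONN1>`). Prefer `open(my $conn1, '<', '/var/ipfire/red/local-ipaddress') or warn "...: $!"; my $redip = <$conn1>; close($conn1);` and `chomp $redip;` before the value can be interpolated into an iptables command line, consistent with the `-f "/var/ipfire/red/active"` check just above. Where `$redip` is consumed is outside this chunk.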
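Review bot: In `buildrules` (`@@ -155` hunk) `if($$hash{$key}[31] eq 'dnat')` tests the wrong column: the CGI `saverule` hunks store the NAT kind in `[32]` and the DNAT port in `[31]`, and the print branch of this same patch (`@@ -248` below) uses `[32]`, so every NAT rule here takes the `else` path and is given target `SNAT`. Additionally `$command` (file-level, set to `'iptables -t nat -A'`) and `$fireport` (declared before the loop, assigned only when `[30]>0`) are never reset per iteration, so a later non-NAT rule in the same hash is emitted into the nat table and a DNAT rule without a port inherits the previous rule's `--dport`. Initialise both at the top of the loop body — `$command='iptables -A'; my $fireport='';` — and test `[32]`. `buildrules` continues past the end of the hunk.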
@@ -248,15 +271,22 @@ sub buildrules
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
 if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
 }
- }else{
+ }elsif($$hash{$key}[28] ne 'ON'){
 if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'dnat'){
+ #if ($$hash{$key}[17] eq 'ON'){
+ #print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ #}
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $targethash{$b}[0]$DPORT\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
 }
 }
 }
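Review bot: The two new DNAT/SNAT branches of the print (debug) path test `$$hash{$key}[32] eq 'dnat'` and `$$hash{$key}[32] eq 'snat'`, while the same commit stores the NAT mode in index 31 (`$$hash{$key}[31]` in the buildrules header hunk, in the system path below and in forwardfw.cgi's saverule), so these branches can never match and a NAT rule printed in debug mode silently produces no output. Change both conditions to `$$hash{$key}[31] eq 'dnat'` and `$$hash{$key}[31] eq 'snat'`. The commented-out LOG block in the dnat branch should either be restored with the `--log-prefix` the system path uses or removed rather than left as dead text. The enclosing buildrules loop starts before this hunk.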
@@ -278,15 +308,28 @@ sub buildrules my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ if ($$hash{$key}[17] eq 'ON'){ - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); } - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); } - }else{ + }elsif($$hash{$key}[28] ne 'ON'){ if ($$hash{$key}[17] eq 'ON'){ - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + if ($$hash{$key}[17] eq 'ON'){ + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + my ($ip,$sub) =split("/",$targethash{$b}[0]); + system "iptables -A PORTFWACCESS $PROT $STAG $sourcehash{$a}[0] -d $targethash{$b}[0] $fwaccessdport $TIME \n"; + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + if ($$hash{$key}[17] eq 'ON'){ + system "$command $$hash{$key}[1] $PROT $STAG 
$sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; + } + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; } } } @@ -300,8 +343,28 @@ sub buildrules undef $TIME; undef $TIMEFROM; undef $TIMETILL; + undef $fireport; } } +sub get_nat_ip +{ + my $val=shift; + my $result; + if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ + $result=$defaultNetworks{$val.'_ADDRESS'}; + }elsif($val eq 'ALL'){ + $result='-i '.$con; + }elsif($val eq 'Default IP'){ + $result='-d '.$redip; + }else{ + foreach my $al (sort keys %aliases){ + if($val eq $al){ + $result='-d '.$aliases{$al}{'IPT'}; + } + } + } + return $result; +} sub get_time { my $val=shift; @@ -364,7 +427,6 @@ sub p2pblock } } } - sub get_address { my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey @@ -439,7 +501,11 @@ sub get_port if(index($$hash{$key}[10],",") > 0){ return "-m multiport --sport $$hash{$key}[10] "; }else{ - return "--sport $$hash{$key}[10] "; + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ + return "--sport $$hash{$key}[10] "; + }else{ + return ":$$hash{$key}[10]"; + } } }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; @@ -454,7 +520,11 @@ sub get_port if(index($$hash{$key}[15],",") > 0){ return "-m multiport --dport $$hash{$key}[15] "; }else{ - return "--dport $$hash{$key}[15] "; + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ + return "--dport $$hash{$key}[15] "; + }else{ + return ":$$hash{$key}[15]"; + } } }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[13] "; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0bf3a31c3..84e01704d 100755 
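Review bot: The `iptables -A PORTFWACCESS ...` line added in the dnat branch has no `-j` target, so the rule only counts matching packets and never accepts the forwarded traffic; presumably it should end in `-j ACCEPT`. In the same branch `my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);` is the `my ... if` construct whose behaviour is documented as undefined in Perl — write `my $fwaccessdport = $DPORT ? "--dport ".substr($DPORT,1) : '';`. All of the new `system` calls pass a single shell string built from rule-file fields that the CGI writes, so any value that slips past the CGI validation reaches the shell unquoted; the list form `system('iptables', @args)` would remove that exposure. The enclosing buildrules loop starts before this hunk.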
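Review bot: get_nat_ip returns an undefined `$result` when `$val` is none of the four networks, 'ALL', 'Default IP' or a configured alias, and buildrules then emits the DNAT rule with `$natip` empty, i.e. with no `-d` match at all, which would redirect every packet reaching that chain to the target. Make the miss explicit and have the caller skip the rule, e.g. `return unless defined $result;` here and `next unless defined $natip;` after the call in buildrules. The 'ALL' case returns an `-i $con` match: `$con` is not declared in any hunk shown, and an input-interface match is invalid in POSTROUTING, so if SNAT rules end up there (the chain comes from `$$hash{$key}[1]`, not visible here) that value cannot work. The alias loop also keeps overwriting `$result` instead of stopping with `last;` at the first match.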
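Review bot: The new source-port condition `[28] ne 'ON' || ([28] eq 'ON' && [31] eq 'snat') || ([28] eq 'ON' && [31] eq 'dnat')` is true for every NAT mode this commit defines, so the `":$$hash{$key}[10]"` else branch is only reachable when USE_NAT is ON with an unknown mode, and the intent is unreadable. If the source port is always meant as a `--sport` match, keep the single `return "--sport $$hash{$key}[10] ";` and drop the branch; if a `:port` form is needed for some mode, name that mode explicitly instead of enumerating the others. The enclosing get_port sub starts before this hunk.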
--- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -765,7 +765,35 @@ sub checksource sub checktarget { my ($ip,$subnet); - + &General::readhasharray("$configsrv", \%customservice); + #check DNAT settings (has to be single Host and single Port) + if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ + if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ + if ($fwdfwsettings{'USESRV'} eq ''){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + #check if manual ip is a single Host (if set) + if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){ + my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}}); + my @tmp1= split ("/",$tmp[3]); + if (($tmp1[0] eq "0") || ($tmp1[0] eq "255")) + { + $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + } + } + #check if Port is a single Port + if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + } + }else{ + $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + } + } if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { @@ -785,15 +813,12 @@ sub checktarget if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
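Review bot: In the new DNAT port check `($fwdfwsettings{'TGT_PROT'} ne 'TCP' || $fwdfwsettings{'TGT_PROT'} ne 'UDP')` is always true, so the condition collapses to `TGT_PORT eq ''` and a non-TCP/UDP protocol with a port set is never rejected; if the intent matches the 'dnat porterr' text it should read `(($fwdfwsettings{'TGT_PROT'} ne 'TCP' && $fwdfwsettings{'TGT_PROT'} ne 'UDP') || $fwdfwsettings{'TGT_PORT'} eq '')`. The single-host check only rejects a last octet of 0 or 255 and ignores the mask in `$tmp1[1]`, so `10.0.0.5/24` passes as a DNAT target; test for a /32 (or no mask) instead. Every new error in this block is assigned with `$errormessage=` rather than `.=`, overwriting earlier messages. checktarget continues past the end of this hunk.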
"; } - }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } - #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} - #check tgt services if ($fwdfwsettings{'USESRV'} eq 'ON'){ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ @@ -886,8 +911,36 @@ sub checktarget } return $errormessage; } +sub check_natport +{ + my $val=shift; + if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){ + return 0; + } + return 1; +} sub checkrule { + #check valid port for NAT + if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} + if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ + my $custsrvport; + #get servcie Protocol and Port + foreach my $key (sort keys %customservice){ + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){ + if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + } + $custsrvport= $customservice{$key}[1]; + } + } + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + } + } #check valid remark if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage.=$Lang::tr{'fwdfw err remark'}."
"; @@ -897,12 +950,10 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err same'}; return $errormessage; } - #get source and targetip address if possible my ($sip,$scidr,$tip,$tcidr); ($sip,$scidr)=&get_ip("src","grp1"); ($tip,$tcidr)=&get_ip("tgt","grp2"); - #check same iprange in source and target if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ my $networkip1=&General::getnetworkip($sip,$scidr); @@ -924,7 +975,6 @@ sub checkrule } } } - #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ @@ -932,7 +982,6 @@ sub checkrule } #check source and destination protocol if source manual and dest servicegrp if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ - &General::readhasharray("$configsrv", \%customservice); foreach my $key (sort keys %customservice){ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){ @@ -1442,6 +1491,7 @@ sub newrule $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; 
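Review bot: check_natport accepts 65536 (`$val>65536` is off by one) and accepts any non-numeric string, because under numeric comparison `"80x" > 65536` and `"80x" < 0` are both false, so such a value is stored as the DNAT port and later interpolated into the iptables command strings in rules.pl, guarded there only by a numeric `> 0` test. Replace the numeric tests with an anchored pattern: `return ($val =~ /\A\d+\z/ && $val >= 1 && $val <= 65535) ? 1 : 0;`. The new NAT block in checkrule likewise overwrites `$errormessage` with `=` instead of appending with `.=`. checkrule continues past the end of this hunk.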
@@ -1481,10 +1531,9 @@ sub newrule $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; $fwdfwsettings{'USE_NAT'} = $hash{$key}[28]; - $fwdfwsettings{'nat'} = $hash{$key}[32]; #changed order + $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; - $fwdfwsettings{'snatport'} = $hash{$key}[30]; - $fwdfwsettings{'dnatport'} = $hash{$key}[31]; + $fwdfwsettings{'dnatport'} = $hash{$key}[30]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -1686,11 +1735,11 @@ END &Header::openbox('100%', 'left', 'NAT'); print< - USE NAT - DNAT + $Lang::tr{'fwdfw use nat'} + $Lang::tr{'fwdfw dnat'} END if (! -z "${General::swroot}/ethernet/aliases"){ - print"IPFire: "; print ""; print ""; @@ -1698,15 +1747,6 @@ END { print ""; } - #foreach my $network (sort keys %defaultNetworks) - #{ - #next if($defaultNetworks{$network}{'NAME'} eq "RED"); - #next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); - #next if($defaultNetworks{$network}{'NAME'} eq "ALL"); - #print ""; - #} }else{ print""; } @@ -1714,9 +1754,8 @@ END print"Port: "; print"
"; #SNAT - print" SNAT"; - print"IPFire: $Lang::tr{'fwdfw snat'}"; + print"IPFire: "; print""; print"
"; &Header::closebox(); @@ -2065,9 +2104,8 @@ sub saverule if($fwdfwsettings{'USE_NAT'} eq 'ON'){ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; - $$hash{$key}[30] = $fwdfwsettings{'snatport'}; - $$hash{$key}[31] = $fwdfwsettings{'dnatport'}; - $$hash{$key}[32] = $fwdfwsettings{'nat'}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; } &General::writehasharray("$config", $hash); }else{ @@ -2104,9 +2142,8 @@ sub saverule if($fwdfwsettings{'USE_NAT'} eq 'ON'){ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; - $$hash{$key}[30] = $fwdfwsettings{'snatport'}; - $$hash{$key}[31] = $fwdfwsettings{'dnatport'}; - $$hash{$key}[32] = $fwdfwsettings{'nat'}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; } last; } @@ -2304,7 +2341,7 @@ END $tdcolor=''; &getsrcport(\%$hash,$key); #Is this a SNAT rule? - if ($$hash{$key}[32] eq 'snat'){ + if ($$hash{$key}[31] eq 'snat'){ print"
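Review bot: The NAT fields [28]–[31] are only written inside `if($fwdfwsettings{'USE_NAT'} eq 'ON')` and nothing in this hunk clears them otherwise; unless the lines above the hunk rebuild the entry from scratch, a rule that previously had NAT enabled keeps `[28]='ON'` after the checkbox is unticked and rules.pl still emits it as a NAT rule. Write the fields unconditionally, e.g. `$$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};` outside the condition, or set all four to `''` in an else branch. The index shift from 32 to 31 done here has to be applied everywhere the mode is read; the print path in rules.pl still tests index 32. saverule starts before this hunk.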
SNAT -> $$hash{$key}[29]"; if ($$hash{$key}[30] ne ''){ print": $$hash{$key}[30]"; @@ -2329,10 +2366,10 @@ END END #Is this a DNAT rule? - if ($$hash{$key}[32] eq 'dnat'){ + if ($$hash{$key}[31] eq 'dnat'){ print "IPFire ($$hash{$key}[29])"; - if($$hash{$key}[31] ne ''){ - print": $$hash{$key}[31]"; + if($$hash{$key}[30] ne ''){ + print": $$hash{$key}[30]"; } print"
DNAT->"; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6aec69d90..0537389f7 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -899,6 +899,9 @@ 'fwdfw cust net' => 'Custom Netzwerke:', 'fwdfw copy' => 'Kopieren', 'fwdfw delete' => 'Löschen', +'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)', +'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt', +'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw edit' => 'Bearbeiten', 'fwdfw err nosrc' => 'Keine Quelle gewählt', @@ -939,6 +942,7 @@ 'fwdfw rule action' => 'Regelaktion:', 'fwdfw rule activate' => 'Regel aktivieren', 'fwdfw rulepos' => 'Regelposition', +'fwdfw snat' => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)', 'fwdfw source' => 'Quelle', 'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):', 'fwdfw std network' => 'Standard Netzwerke:', @@ -949,6 +953,7 @@ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen', 'fwdfw toggle' => 'Aktivieren oder deaktivieren', 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw use nat' => 'NAT benutzen', 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.', 'fwdfw use srcport' => 'Quellport benutzen', 'fwdfw use srv' => 'Zielport benutzen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0e875bc88..c64edcb5b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -924,6 +924,9 @@ 'fwdfw cust net' => 'Custom networks:', 'fwdfw copy' => 'Copy', 'fwdfw delete' => 'Delete', +'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)', +'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.', +'fwdfw dnat porterr' => 'You have to select a single port (tcp/udp) for NAT', 'fwdfw DROP' => 'DROP', 'fwdfw edit' => 'Edit', 'fwdfw err nosrc' => 'No source selected.', @@ -964,6 +967,7 @@ 'fwdfw rule action' => 'Rule action:', 'fwdfw rule activate' => 'Activate rule', 'fwdfw rulepos' => 'Ruleposition', +'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)', 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC, IP or Network):', 'fwdfw std network' => 'Standard networks:', @@ -974,6 +978,7 @@ 'fwdfw timeframe' => 'Add timeframe', 'fwdfw toggle' => 'Activate or deactivate', 'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw use nat' => 'Use NAT', 'fwdfw useless rule' => 'This rule is rejected (useless).', 'fwdfw use srcport' => 'Use sourceport', 'fwdfw use srv' => 'Use targetport', From 9efd8d1c7eb134c71465396a1bdcc5ae52497d80 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 05:15:20 +0100 Subject: [PATCH 183/306] Forward Firewall: delete old portforwarding from system and fix for wlan-firewall part 1 (loop) --- config/rootfiles/common/misc-progs | 1 - html/cgi-bin/portfw.cgi | 1177 ---------------------------- lfs/initscripts | 2 - src/initscripts/init.d/firewall | 16 +- src/misc-progs/Makefile | 6 +- src/misc-progs/setportfw.c | 369 --------- src/misc-progs/wirelessctrl.c | 6 +- 7 files changed, 11 insertions(+), 1566 deletions(-) delete mode 100644 html/cgi-bin/portfw.cgi delete mode 100644 src/misc-progs/setportfw.c diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 5102d8931..2463ba2aa 100644 --- a/config/rootfiles/common/misc-progs 
+++ b/config/rootfiles/common/misc-progs @@ -24,7 +24,6 @@ usr/local/bin/rebuildroutes usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases -usr/local/bin/setportfw usr/local/bin/smartctrl usr/local/bin/snortctrl usr/local/bin/squidctrl diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi deleted file mode 100644 index 199682f44..000000000 --- a/html/cgi-bin/portfw.cgi +++ /dev/null 
@@ -1,1177 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colouryellow} ); -undef (@dummy); - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -my %cgiparams=(); -my %selected=(); -my %checked=(); -my $prtrange1=0; -my $prtrange2=0; -my $errormessage = ''; -my $filename = "${General::swroot}/portfw/config"; -my $aliasfile = "${General::swroot}/ethernet/aliases"; - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'KEY1'} = '0'; -$cgiparams{'KEY2'} = '0'; -$cgiparams{'PROTOCOL'} = ''; -$cgiparams{'SRC_PORT'} = ''; -$cgiparams{'DEST_IP'} = ''; 
-$cgiparams{'DEST_PORT'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'ORIG_IP'} = ''; -$cgiparams{'REMARK'} = ''; -$cgiparams{'OVERRIDE'} = 'off'; -$cgiparams{'ACTION'} = ''; - -&Header::getcgihash(\%cgiparams); - -my $disable_all = "0"; -my $enable_all = "0"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - &valaddupdate(); - - # Darren Critchley - if there is an error, don't waste any more time processing - if ($errormessage) { goto ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key1 = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - - chomp ($temp[8]); - if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $temp[1] eq "0") { - $key1=$temp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } - } else { - if ( $cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'ORIG_IP'} eq $temp[8]) - { - $errormessage = - "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - } - } - } - -ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add - $key1++; # Add one to last sequence number - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - if ($cgiparams{'ORIG_IP'} eq '0.0.0.0/0') { - # if the default/all is 
taken, then write it to the rule - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { # else create an extra record so it shows up - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n"; - print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule added'}); - system('/usr/local/bin/setportfw'); - } else { # else key1 eq 0 - my $insertpoint = ($cgiparams{'KEY2'} - 1); - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) { - if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule - $temp[8] = '0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - print FILE "$line\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'external access rule added'}); - system('/usr/local/bin/setportfw'); - } # end if if KEY1 eq 0 - } # end unless($errormessage) -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'update'}) -{ - &valaddupdate(); - - # Darren Critchley - If there is an error don't waste any more processing time - if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto UPD_ERROR; } - - open(FILE, $filename) or die 
'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - chomp ($temp[8]); - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0") - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - } - if ($cgiparams{'ORIG_IP'} eq $temp[8]) - { - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1]) - # If we have the same source ip within a portfw group, then we have a problem! - { - $errormessage = "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an 
xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - } - - # Darren Critchley - rule to stop someone from entering ALL into a external access rule, - # the portfw is the only place that ALL can be specified - if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") { - $errormessage = "$Lang::tr{'xtaccess all error'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'KEY1'} ne $temp[0] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } # end port testing - - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - -UPD_ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - # Darren Critchley - If it is a port 
forward record, then chances are good that a change was made to - # Destination Ip or Port, and we need to update all the associated external access records - if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) { - $temp[4] = $cgiparams{'DEST_IP'}; - $temp[5] = $cgiparams{'DEST_PORT'}; - $temp[2] = $cgiparams{'PROTOCOL'}; - } - - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - # Darren Critchley - Deal with the override to allow ALL - if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); - } - if ($errormessage) { - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } -} - -# Darren Critchley - Allows rules to be enabled and disabled -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw 
enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - goto TOGGLEEXIT; - } - } - } - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n"; - } else { - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - print FILE 
"$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); -TOGGLEEXIT: - undef %cgiparams; -} - - -# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - unless ($errormessage) - { - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = $temp[8]; - $cgiparams{'REMARK'} = $temp[9]; - } - - } - } -} - -# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - # If the record being deleted is an xtaccess record, and it is the only one for a portfw record - # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur - # in setportfw.c - my $fixportfw = '0'; - if ($cgiparams{'KEY2'} ne "0") { - my $counter = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $counter++; - } - } - if ($counter eq 2) { - $fixportfw = '1'; - } - } - - unless ($errormessage) - { - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $linedeleted = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - - if 
($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] || - $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" ) - { - $linedeleted = 1; - } else { - if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") { - $temp[8] = '0.0.0.0/0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; -# print FILE "$line\n"; - } - } - close(FILE); - if ($linedeleted == 1) { - &General::log($Lang::tr{'forwarding rule removed'}); - undef %cgiparams; - } - system('/usr/local/bin/setportfw'); - } -} - -# Darren Critchley - Added routine to allow external access rules to be added -if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $key = $temp[1] - } - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = ''; - $cgiparams{'REMARK'} = $temp[9]; - } - } - $key++; - $cgiparams{'KEY2'} = $key; - # Until the ADD button is hit, there needs to be no change to portfw rules -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) -{ - undef %cgiparams; -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_IP'} = '0.0.0.0'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{'gre'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = 
''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){ -# if it is not a port forward record, don't validate as the fields are disabled - my $PROT = "\U$cgiparams{'PROTOCOL'}\E"; - # Darren Critchley - Format the source and destination ports - my $dstprt = $cgiparams{'DEST_PORT'}; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - -print < - - $Lang::tr{'protocol'}: $PROT -   - $Lang::tr{'destination ip'}:  - $cgiparams{'DEST_IP'} -   - $Lang::tr{'destination port'}:  - $dstprt - - - - - - - - -END -; -} else { -print < - - $Lang::tr{'protocol'}:  - - - - $Lang::tr{'alias ip'}: - - - - -   -   - $Lang::tr{'destination ip'}: - - $Lang::tr{'destination port'}: - - - -END -; -} - -print < - - $Lang::tr{'remark title'} *  - -END -; -unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") { - print " "; - print "$Lang::tr{'enabled'} \n"; -} -print < - -END -; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){ -# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we -# don't want to allow a person to change the orig_ip field as it will mess other logic up - print "\n"; -} else { -print < - - $Lang::tr{'source network'} *  - - - -END -; -} - -print < -
- - * $Lang::tr{'this field may be blank'} -END -; - - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - if($cgiparams{'KEY2'} eq "0"){ - print "$Lang::tr{'open to all'}: \n"; - } else { - print " \n"; - } - print ""; - print ""; - print ""; - print ""; - # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button -} else { - print " \n"; - print ""; - if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) { - print ""; - print ""; - print ""; - } elsif ($errormessage ne '') { - print ""; - } else { - print ""; - } -} -print <  - - -END -; -&Header::closebox(); - -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'source'} -  -$Lang::tr{'destination'} -$Lang::tr{'remark'} -$Lang::tr{'action'} - -END -; - -my $id = 0; -my $xtaccesscolor = '#F6F4F4'; -open(RULES, "$filename") or die 'Unable to open config file.'; -while () -{ - my $protocol = ''; - my $gif = ''; - my $gdesc = ''; - my $toggle = ''; - chomp($_); - my @temp = split(/\,/,$_); - $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init - if ($temp[2] eq 'udp') { - $protocol = 'UDP'; } - elsif ($temp[2] eq 'gre') { - $protocol = 'GRE' } - else { - $protocol = 'TCP' } - # Change bgcolor when a new portfw rule is added - if ($temp[1] eq "0"){ - $id++; - } - # Darren Critchley highlight the row we are editing - if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - print "\n"; - } else { - if ($id % 2) { - print "\n"; - } - else { - print "\n"; - } - } - - if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - this code no longer works - should we remove? 
- # catch for 'old-style' rules file - assume default ip if - # none exists - if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') { - $temp[7] = 'DEFAULT IP'; } - if ($temp[1] eq '0') { # Port forwarding entry - - # Darren Critchley - Format the source and destintation ports - my $srcprt = $temp[3]; - $srcprt =~ s/-/ - /; - $srcprt =~ s/:/ - /; - my $dstprt = $temp[5]; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[2]))); - if ($servi ne '' && $temp[3] < 1024) { - $srcprt = "$srcprt($servi)"; } - } - $_=$temp[5]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[5], lc($temp[2]))); - if ($servi ne '' && $temp[5] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - - # Darren Critchley - If the line is too long, wrap the port numbers - my $srcaddr = "$temp[7] : $srcprt"; - if (length($srcaddr) > 22) { - $srcaddr = "$temp[7] :
$srcprt"; - } - my $dstaddr = "$temp[4] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[4] :
$dstprt"; - } -print <$protocol -$srcaddr -=> -$dstaddr - $temp[9] - -
- - - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } else { # external access entry -print <  - - $Lang::tr{'access allowed'} $temp[8]     ($temp[9]) - - -
- - - - - -
- - -  - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } -} - -close(RULES); - -print ""; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -  $Lang::tr{'legend'}:  - $Lang::tr{ - $Lang::tr{'click to disable'} -    - $Lang::tr{ - $Lang::tr{'click to enable'} -    - $Lang::tr{ - $Lang::tr{'add xtaccess'} -    - $Lang::tr{ - $Lang::tr{'edit'} -    - $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -# Validate Field Entries -sub validateparams -{ - # Darren Critchley - Get rid of dashes in port ranges - $cgiparams{'DEST_PORT'}=~ tr/-/:/; - $cgiparams{'SRC_PORT'}=~ tr/-/:/; - - # Darren Critchley - code to substitue wildcards - if ($cgiparams{'SRC_PORT'} eq "*") { - $cgiparams{'SRC_PORT'} = "1:65535"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'SRC_PORT'} = "1:$2"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'SRC_PORT'} = "$1:65535"; - } - if ($cgiparams{'DEST_PORT'} eq "*") { - $cgiparams{'DEST_PORT'} = "1:65535"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'DEST_PORT'} = "1:$2"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'DEST_PORT'} = "$1:65535"; - } - - # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder - if ($cgiparams{'PROTOCOL'} eq 'gre') { - $cgiparams{'SRC_PORT'} = "GRE"; - $cgiparams{'DEST_PORT'} = "GRE"; - } - - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; } - # Darren Critchley - Changed how the error routine works a bit - for the validportrange check, we need to - # pass in src or dest to determine which side we are working with. 
- # the routine returns the complete error or '' - if ($cgiparams{'PROTOCOL'} ne 'gre') { - $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src'); - } - if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) { - # if it is a port forward record with 0 in orig_ip then ignore checking this field - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { - $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; } - } - } - # Darren Critchey - New rule that sets destination same as source if dest_port is blank. - if ($cgiparams{'DEST_PORT'} eq ''){ - $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'}; - } - # Darren Critchey - Just in case error message is already set, this routine would wipe it out if - # we don't do a test here - if ($cgiparams{'PROTOCOL'} ne 'gre') { - unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');} - } - unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - return; -} - -# Darren Critchley - we want to make sure that a port range does not overlap another port range -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! 
-} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for Ipcop -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - -# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same -sub valaddupdate -{ - if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly - &validateparams(); - } else { # it is an xtaccess rule, 
just check for a valid ip - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { # this rule stops someone from adding an ALL xtaccess record - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess - if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") { - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - # Darren Critchley - Check to see if we are working with port ranges - our ($prtrange1, $prtrange2); - $_ = $cgiparams{'SRC_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange1 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange1 == 1){ # check for source ports reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } else { # check for source port reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } - } - - $_ = $cgiparams{'DEST_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange2 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange2 == 1){ # check for destination ports reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } else { # check for destination port reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } - } - - -EXITSUB: - return; -} - -# Darren Critchley - 
Duplicate or overlapping Port range check -sub portchecks -{ - $_ = $_[0]; - our ($prtrange1, $prtrange2); - if (m/:/ && $prtrange1 == 1) { # comparing two port ranges - unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) { - $errormessage = "$Lang::tr{'source port overlaps'} $_[0]"; - } - } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) { - $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]"; - } - } - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]"; - } - } - - if ($errormessage eq ''){ - $_ = $_[1]; - if (m/:/ && $prtrange2 == 1) { # if true then there is a port range - unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) { - $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]"; - } - } - if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) { - $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]"; - } - } - if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) { - $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]"; - } - } - } - return; -} diff --git a/lfs/initscripts b/lfs/initscripts index f78d3939e..091b61a42 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -185,8 +185,6 @@ $(TARGET) : /etc/rc.d/init.d/networking/red.up/24-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/25-RS-qos - ln -sf ../../../../../usr/local/bin/setportfw \ - /etc/rc.d/init.d/networking/red.up/26-portfw ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid 
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 9024a88fd..39e1dfd7b 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -223,7 +223,7 @@ case "$1" in /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD + /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS @@ -252,19 +252,18 @@ case "$1" in # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + + # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW /sbin/iptables -N UPNPFW /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE - # Postrouting rules (for port forwarding) /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ --to-source $GREEN_ADDRESS @@ -354,7 +353,6 @@ case "$1" in $0 stop $0 start /usr/local/bin/forwardfwctrl - /usr/local/bin/setportfw /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index c3f3b6c2f..c748a66b4 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile 
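Review bot: The POSTROUTING rule `-m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS` that survives in the context of the second hunk looks orphaned once PORTFWMANGLE is removed, because nothing left in this file sets mark 1; if the mark is still set elsewhere (presumably by forwardfwctrl, which this commit keeps) the rule should say so, otherwise it should be removed with the rest of the old port-forwarding setup rather than remain as a silent SNAT keyed on a mark nobody documents. A comment such as `# mark 1 is set by <setter> ; rewrites those packets to the GREEN address` above it, or its deletion, would make the intent reviewable. In the first hunk the WIRELESSFORWARD jump moves from FORWARDFW to FORWARD; its position relative to the FORWARDFW jump in FORWARD is not visible here, and if FORWARDFW is appended first, traffic from the wireless network could be accepted by forward rules before the wireless access check runs, so the append order is worth confirming. All three hunks are inside the `case "$1" in` block, which starts and ends outside the hunk.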
@@ -24,8 +24,7 @@ CFLAGS=-O2 -Wall COMPILE=$(CC) $(CFLAGS) PROGS = iowrap -SUID_PROGS = setportfw \ - squidctrl sshctrl ipfirereboot \ +SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ logwatch openvpnctrl forwardfwctrl \ @@ -96,9 +95,6 @@ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c deleted file mode 100644 index a65aebd2a..000000000 --- a/src/misc-progs/setportfw.c +++ /dev/null 
@@ -1,369 +0,0 @@ -/* SmoothWall helper program - setportfw - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * 02/11/03 Darren Critchley modifications to allow it to open multiple - * source ip addresses - * 02/25/03 Darren Critchley modifications to allow port ranges - * 04/01/03 Darren Critchley modifications to allow gre protocol - * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly, - * tidied up the iptables logic, killed duplicated code, - * removed srciptmp (unecessary) - * - * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $ - * - */ - -#include -#include -#include -#include "libsmooth.h" -#include "setuid.h" - -struct keyvalue *kv = NULL; -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if(kv) - freekeyvalues(kv); - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - FILE *ipfile = NULL, *ifacefile = NULL; - int count; - char iface[STRING_SIZE] =""; - char locip[STRING_SIZE] =""; - char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] =""; - char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] =""; - char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] =""; - char *protocol; - char *srcip; - char *locport; - char *remip; - char *remport; - char *origip; - char *enabled; - char s[STRING_SIZE]; - char *result; - char *key1; - char *key2; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - /* Read in and verify config */ - kv=initkeyvalues(); - - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - 
{ - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_ADDRESS", greenip)) - { - fprintf(stderr, "Cannot read GREEN_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(greenip)) - { - fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip); - exit(1); - } - - if (!findkey(kv, "GREEN_NETMASK", greenmask)) - { - fprintf(stderr, "Cannot read GREEN_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(greenmask)) - { - fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask); - exit(1); - } - - /* Get the BLUE interface details */ - findkey(kv, "BLUE_DEV", bluedev); - - if (strlen(bluedev)) - { - - if (!VALID_DEVICE(bluedev)) - { - fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev); - exit(1); - } - - if (!findkey(kv, "BLUE_ADDRESS", blueip)) - { - fprintf(stderr, "Cannot read BLUE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(blueip)) - { - fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip); - exit(1); - } - - if (!findkey(kv, "BLUE_NETMASK", bluemask)) - { - fprintf(stderr, "Cannot read BLUE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(bluemask)) - { - fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask); - exit(1); - } - - } - - /* Get the ORANGE interface details */ - findkey(kv, "ORANGE_DEV", orangedev); - - if (strlen(orangedev)) - { - - if (!VALID_DEVICE(orangedev)) - { - fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev); - exit(1); - } - - if (!findkey(kv, "ORANGE_ADDRESS", orangeip)) - { - fprintf(stderr, "Cannot read ORANGE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(orangeip)) - { - fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip); - exit(1); - } - - if (!findkey(kv, "ORANGE_NETMASK", orangemask)) - { - fprintf(stderr, "Cannot read ORANGE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(orangemask)) - { - fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask); - exit(1); - } - - } - - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - fgets(locip, 
STRING_SIZE, ipfile); - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - fgets(iface, STRING_SIZE, ifacefile); - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r"))) - { - fprintf(stderr, "Couldn't open portfw settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -t nat -F PORTFW"); - safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE"); - safe_system("/sbin/iptables -F PORTFWACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - key1 = NULL; - key2 = NULL; - protocol = NULL; - srcip = NULL; - locport = NULL; - remip = NULL; - origip = NULL; - remport = NULL; - enabled = NULL; - while (result) - { - if (count == 0) - key1 = result; - else if (count == 1) - key2 = result; - else if (count == 2) - protocol = result; - else if (count == 3) - locport = result; - else if (count == 4) - remip = result; - else if (count == 5) - remport = result; - else if (count == 6) - enabled = result; - else if (count == 7) - srcip = result; - else if (count == 8) - origip = result; - count++; - result = strtok(NULL, ","); - } - - if (!(key1 && key2 && protocol && locport && remip && remport && enabled - && srcip && origip)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (strcmp(protocol, "gre") == 0) - { - locport = "0"; - remport = "0"; - } - if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip)) - { - fprintf(stderr, "Bad IP: %s\n", 
origip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - if (!VALID_IP(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - /* check for source ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the - * local ip address. (This makes sure we can use old-style - * config files without the source ip) */ - if (!srcip || !strcmp(srcip, "0.0.0.0")) - srcip = locip; - if (strcmp(srcip,"0") && !VALID_IP(srcip)) - { - fprintf(stderr, "Bad source IP: %s\n", srcip); - exit(1); - } - - /* This may seem complicated... refer to portfw.pl for an explanation of - * the keys and their meaning in certain circumstances */ - - if (strcmp(enabled, "on") == 0) - { - - /* If key2 is a zero, then it is a portfw command, otherwise it is an - * external access command */ - if (strcmp(key2, "0") == 0) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip); - else - { - char *ctr; - /* If locport contains a - we need to change it to a : */ - if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';} - /* If remport contains a : we need to change it to a - */ - if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport); - safe_system(command); - /* Now if remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport); - if (strlen(bluedev)) - { - 
safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport); - } - if (strlen(orangedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport); - } - } - safe_system(command); - } - - /* if key2 is not "0" then it's an external access rule, if key2 is "0" - * then the portfw rule may contain external access information if origip - * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open - * to all; again, check portfw.pl for more details) */ - if(strcmp(key2, "0") || strcmp(origip,"0") ) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip); - else - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport); - } - safe_system(command); - } - } - } - - return 0; -} diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 90f602d5f..2a6ed0cae 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c 
@@ -154,7 +154,7 @@ int main(void) (VALID_IP_AND_MASK(ipaddress))) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev); safe_system(command); @@ -164,7 +164,7 @@ int main(void) if (strlen(macaddress) == 17) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev); safe_system(command); 
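Review bot: With the first WIRELESSFORWARD rule changed to `! -o green -j RETURN`, the following `-j FORWARDFW` rule (kept as context) now only sees BLUE traffic bound for GREEN and sends it into FORWARDFW from inside WIRELESSFORWARD, although FORWARDFW is already entered directly from FORWARD (the @@ -223 hunk of this patch hangs WIRELESSFORWARD off FORWARD, where FORWARDFW is created earlier per the @@ -192 context later in the series); GREEN-bound packets therefore traverse the forward rule set twice and a RETURN from FORWARDFW lands back here instead of in FORWARD. If the intent is "authorised BLUE client, let the forward policy decide", a single `-j RETURN` without the FORWARDFW jump is sufficient; otherwise the reason for the second pass should be stated in a comment above the snprintf, e.g. `/* GREEN-bound traffic is deliberately re-evaluated by FORWARDFW here because ... */`. The same pattern repeats in the @@ -164 and @@ -173 hunks, and the enclosing main() starts and ends outside the hunk.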
@@ -173,7 +173,7 @@ int main(void) if (VALID_IP_AND_MASK(ipaddress)) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev); safe_system(command); From e800ca53b20429a09054c8113517061279258ab8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 05:23:54 +0100 Subject: [PATCH 184/306] Forward Firewall: delete old Portforwarding from Firewall-menu --- config/menu/50-firewall.menu | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index cc50bf655..2de9e7b08 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu @@ -22,13 +22,7 @@ 'title' => "P2P-Block", 'enabled' => 1, }; - $subfirewall->{'50.dnat'} = { - 'caption' => $Lang::tr{'ssport forwarding'}, - 'uri' => '/cgi-bin/portfw.cgi', - 'title' => "$Lang::tr{'ssport forwarding'}", - 'enabled' => 1, - }; - $subfirewall->{'60.wireless'} = { + $subfirewall->{'60.wireless'} = { 'caption' => $Lang::tr{'blue access'}, 'uri' => '/cgi-bin/wireless.cgi', 'title' => "$Lang::tr{'blue access'}", From 6397b6e78974f316d9358841120f8e8bb34007f3 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 05:39:53 +0100 Subject: [PATCH 185/306] Forward Firewall: deleted portfw from buildsystem --- config/rootfiles/common/apache2 | 1 - config/rootfiles/common/armv5tel/initscripts | 1 - config/rootfiles/common/i586/initscripts | 1 - 3 files changed, 3 deletions(-) 
diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 17d860986..8889b67a7 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1416,7 +1416,6 @@ srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/p2p-block.cgi srv/web/ipfire/cgi-bin/pakfire.cgi -srv/web/ipfire/cgi-bin/portfw.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/qos.cgi diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 25fca8db4..1f2d9fc0f 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -84,7 +84,6 @@ etc/rc.d/init.d/networking/red.up/20-RL-firewall etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos -etc/rc.d/init.d/networking/red.up/25-portfw etc/rc.d/init.d/networking/red.up/26-xtaccess etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index de3ae5f19..7deeef132 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -86,7 +86,6 @@ etc/rc.d/init.d/networking/red.up/20-RL-firewall etc/rc.d/init.d/networking/red.up/23-forwardfwctrl etc/rc.d/init.d/networking/red.up/24-RS-snort etc/rc.d/init.d/networking/red.up/25-RS-qos -etc/rc.d/init.d/networking/red.up/26-portfw etc/rc.d/init.d/networking/red.up/28-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac From 93b75f31ad920a2aa96206c2053b70affa135a42 Mon Sep 17 00:00:00 2001 
From: Alexander Marx
Date: Tue, 19 Mar 2013 12:56:38 +0100
Subject: [PATCH 186/306] Forward Firewall: clean up some files Fix iptables loop wirelessctrl Fix firewall chain order Fix policies (added comment for statistic)
---
config/forwardfw/firewall-policy | 15 ++++++++++-----
html/cgi-bin/forwardfw.cgi | 17 ++++++-----------
src/initscripts/init.d/firewall | 15 +++++----------
src/misc-progs/wirelessctrl.c | 12 +++---------
4 files changed, 24 insertions(+), 35 deletions(-)
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 3b7fa18ad..2d4b9ec86 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -13,7 +13,7 @@ if [ "$POLICY" == "MODE1" ]; then
if [ "$DROPFORWARD" == "on" ]; then
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
fi
if [ "$FWPOLICY" == "DROP" ]; then
if [ "$DROPFORWARD" == "on" ]; then
@@ -21,14 +21,17 @@ if [ "$POLICY" == "MODE1" ]; then
fi
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
fi
+else
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
fi
+
#OUTGOINGFW
if [ "$POLICY1" == "MODE1" ]; then
if [ "$FWPOLICY1" == "REJECT" ]; then
if [ "$DROPOUTGOING" == "on" ]; then
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
fi
if [ "$FWPOLICY1" == "DROP" ]; then
if [ "$DROPOUTGOING" == "on" ]; then
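Review bot: The new `else` branch in the @@ -21 hunk drops everything when `$POLICY` is not MODE1 but, unlike the MODE1 branches right above it, never honours `$DROPFORWARD`, so packets dropped by this default are never logged even when logging is switched on; the POLICYOUT `else` in the following hunk has the same gap. Mirror the MODE1 shape before the DROP: `if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"; fi`. Separately, the REJECT rule now carries the comment `DROP_FORWARD` while its LOG rule keeps the prefix `REJECT_FORWARD`; if the comment is the key a statistics page matches on, as the commit message suggests, a one-line comment in the script saying so (`# comment text is the key used by the firewall statistics, keep it DROP_*`) will stop the next reader "fixing" it back.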
@@ -36,17 +39,19 @@ if [ "$POLICY1" == "MODE1" ]; then fi /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" fi +else + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" fi #INPUT if [ "$FWPOLICY2" == "REJECT" ]; then if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" fi - /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD" + /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" fi if [ "$FWPOLICY2" == "DROP" ]; then if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi - /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD" + /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" fi diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 84e01704d..a37fb29d1 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1738,17 +1738,12 @@ END $Lang::tr{'fwdfw use nat'} $Lang::tr{'fwdfw dnat'} END - if (! -z "${General::swroot}/ethernet/aliases"){ - print"IPFire: "; + print"IPFire: "; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 39e1dfd7b..18dea0ab8 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -192,10 +192,6 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - # Forward Firewall - /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW - # Input Firewall /sbin/iptables -N INPUTFW /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW 
@@ -225,6 +221,10 @@ case "$1" in
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
@@ -284,12 +284,7 @@ case "$1" in
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- #if [ "$DROPFORWARD" == "on" ]; then
- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
- #fi
- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-
+
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index 2a6ed0cae..450aa368f 100644
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -154,9 +154,7 @@ int main(void)
(VALID_IP_AND_MASK(ipaddress))) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command);
} else {
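Review bot: The @@ -284 hunk removes the unconditional `-A INPUT -j DROP` and makes the tail of INPUT depend on POLICYIN, which is created empty here and only populated by the external firewall-policy script; if that script fails, is missing, or runs after a flush, unmatched INPUT traffic falls through to the chain's built-in policy, which this hunk does not set. Add `/sbin/iptables -P INPUT DROP` and `/sbin/iptables -P FORWARD DROP` next to the chain creation so the box fails closed, or state in a comment where the built-in policy is guaranteed to be set. The retained LOG rule still uses the prefix `DROP_INPUT ` although POLICYIN may REJECT rather than DROP, so logs will misreport the action in REJECT mode; moving the LOG rule into firewall-policy alongside the verdict would keep the two consistent.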
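Review bot: The remaining `-j RETURN` rule for an authorised BLUE client is only meaningful if WIRELESSFORWARD ends with a catch-all DROP for `blue_dev` further down (outside this hunk); without such a tail the rule is a no-op and unauthorised clients are forwarded just the same, so the dependency should be stated where the rule is built, e.g. `/* authorised client: RETURN so the FORWARD policy decides; everything else hits the final DROP for blue_dev below */`. The same applies to the two sibling hunks in this file, and main() starts and ends outside the hunk.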
@@ -164,18 +162,14 @@ int main(void) if (strlen(macaddress) == 17) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); safe_system(command); } if (VALID_IP_AND_MASK(ipaddress)) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev); safe_system(command); } } From 6b681c40d2d1cf9f0a1d6b8cedcce90809680e1d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 20 Mar 2013 11:03:29 +0100 Subject: [PATCH 187/306] Forward Firewall: 0.9.8.7 Implemented SNAT/DNAT reorganized firewall chains --- config/forwardfw/convert-portfw | 144 +++++++++++++++++++++++++++++++ config/forwardfw/firewall-policy | 4 +- html/cgi-bin/forwardfw.cgi | 12 +++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 5 files changed, 160 insertions(+), 2 deletions(-) create mode 100755 config/forwardfw/convert-portfw diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw new file mode 100755 index 000000000..682199f00 --- /dev/null 
+++ b/config/forwardfw/convert-portfw 
@@ -0,0 +1,144 @@ +#!/usr/bin/perl + +######################################################################## +# Script: convert-portfw +# Date: 19.03.2013 +# Author: Alexander Marx (amarx@ipfire.org) +######################################################################## +# +# This script converts old portforwarding rules from old Firewall +# to the new one. This is a 3-step process. +# STEP1: read old config and normalize settings +# STEP2: create new rules from old ones +# STEP3: check if rule already exists, when not, put it into +# /var/ipfire/forward/nat +######################################################################## +require '/var/ipfire/general-functions.pl'; +my @values=(); +my @built_rules=(); +my %nat=(); +my $portfwconfig = "${General::swroot}/portfw/config"; +my $confignat = "${General::swroot}/forward/nat"; +my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); +my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); +my $count=0; +my $jump; +if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} +open(FILE, $portfwconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +open (LOG, ">/var/log/converters/portfw-convert.log") or die $!; +open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; +my @alias = ; +close(ALIAS); +&get_config; +&build_rules; +&write_rules; +sub get_config +{ + print LOG "STEP 1: Get config from old portforward\n#########################################\n"; + foreach my $line (@current){ + if($jump eq '1'){ + $jump=''; + $count++; + next; + } + my $u=$count+1; + ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); + ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); + if ($flag1 eq '1'){ + $source=$source1; + $jump='1'; + } + my $now=localtime; + chomp($remark); + print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; + push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); + $count++; + } +} +sub build_rules +{ + print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n"; + my $src; + my $src1; + my $ipfireip; + my $count=0; + my $stop; + #build rules for new firewall + foreach my $line (@values){ + chomp ($line); + ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line); + $count++; + #get sourcepart + if($source eq '0.0.0.0/0'){ + $src = 'std_net_src'; + $src1 = 'ALL'; + }else{ + $src = 'src_addr'; + my ($a,$b) = split("/",$source); + $src1 = $a."/32"; + } + #get ipfire ip + if($alias eq '0.0.0.0'){ + $alias='ALL'; + }else{ + foreach my $ali (@alias){ + my ($alias_ip,$alias_active,$alias_name) = split 
(",",$ali); + if($alias eq $alias_name){ + $alias=$alias_name; + } + } + } + $active = uc $active; + $prot = uc $prot; + $remark = chomp($remark); + push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); + my $now=localtime; + print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; + } +} +sub write_rules +{ + my $skip=''; + my $id; + print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n"; + &General::readhasharray($confignat,\%nat); + foreach my $line (@built_rules){ + $skip=''; + my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line); + foreach my $key (sort keys %nat){ + if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){ + my $now=localtime; + print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n"; + $skip='1'; + } + } + if ($skip ne '1'){ + $id = &General::findhasharraykey(\%nat); + $nat{$id}[0] = $action; + $nat{$id}[1] = $chain; + $nat{$id}[2] = $active; + $nat{$id}[3] = $src; + $nat{$id}[4] = $src1; + $nat{$id}[5] = $tgt; + $nat{$id}[6] = $tgt1; + $nat{$id}[11] = $use_prot; + $nat{$id}[12] = $prot; + $nat{$id}[13] = $dummy; + $nat{$id}[14] = $tgt_port; + $nat{$id}[15] = 
$tgt_port1;
+ $nat{$id}[16] = $remark;
+ $nat{$id}[26] = $from;
+ $nat{$id}[27] = $to;
+ $nat{$id}[28] = $use_port;
+ $nat{$id}[29] = $alias;
+ $nat{$id}[30] = $ipfireport;
+ $nat{$id}[31] = $dnat;
+ my $now=localtime;
+ print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
+ }
+ }
+ &General::writehasharray($confignat,\%nat);
+}
+close (LOG);
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 2d4b9ec86..303a7561b 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -22,7 +22,7 @@ if [ "$POLICY" == "MODE1" ]; then
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
fi
else
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
fi
#OUTGOINGFW
@@ -40,7 +40,7 @@ if [ "$POLICY1" == "MODE1" ]; then
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
fi
else
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
fi
#INPUT
if [ "$FWPOLICY2" == "REJECT" ]; then
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index a37fb29d1..e3b8c4a9d 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
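Review bot: In build_rules the old source address is reduced to a single host with `$src1 = $a."/32";` after `split("/",$source)`, discarding whatever prefix or mask the old rule carried (the deleted setportfw.c accepted `VALID_IP_AND_MASK` for origip), so a forward that was open to a whole network is silently converted into one for a single host and stops working; keep the mask when present, e.g. `$src1 = defined $b ? "$a/$b" : "$a/32";` (converting a dotted mask to a prefix length if the old file used that form). The alias lookup has no fallback: when `$alias` matches no line in ethernet/aliases it is written into the new rule's alias field as a bare IP where the new firewall expects a name, and nothing is logged, so a `print LOG` warning (and probably skipping the rule) is needed after the loop. The script also lacks `use strict; use warnings;`, uses bareword handles with two-arg `open`, and never checks the result of `writehasharray`; `open my $fh, '<', $portfwconfig or die` is the safer form. The `<FILE>` / `<ALIAS>` reads appear to have been lost in this rendering of the hunk and may be an extraction artefact rather than a defect.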
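Review bot: The `else` branch in the @@ -22 hunk now appends `-j ACCEPT` but keeps `-m comment --comment "DROP_FORWARD"`, and the previous commit in this series introduced that comment as the key a statistic is built from, so traffic accepted under the non-MODE1 policy will be counted as dropped; the POLICYOUT `else` in the @@ -40 hunk has the same problem. Use a distinct comment such as `--comment "ACCEPT_FORWARD"` or drop the comment match on the ACCEPT rule. It is also worth stating in the script which mode reaches this branch, because an unconditional ACCEPT as the fallback for any unexpected `$POLICY` value is the less safe default; if only one other mode exists, `elif [ "$POLICY" == "MODE2" ]` with DROP as the final `else` keeps the fail-closed behaviour.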
@@ -923,7 +923,19 @@ sub checkrule { #check valid port for NAT if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + #if no port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} + + #check if given nat port is already used by another dnatrule + if($fwdfwsettings{'nat'} eq 'dnat'){ + foreach my $id (sort keys %confignatfw){ + if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){ + $errormessage=$Lang::tr{'fwdfw natport used'}."
"; + } + } + } + + #check if port given in nat area is a single valid port if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0537389f7..4e07d7479 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -957,6 +957,7 @@ 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.', 'fwdfw use srcport' => 'Quellport benutzen', 'fwdfw use srv' => 'Zielport benutzen', +'fwdfw natport used' => 'Der Natport wird bereits von einer anderen DNAT Regel benutzt', 'fwdfw newrule' => 'Neue Regel', 'fwdfw wd_mon' => 'Mo', 'fwdfw wd_tue' => 'Di', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c64edcb5b..4bea473f1 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -982,6 +982,7 @@ 'fwdfw useless rule' => 'This rule is rejected (useless).', 'fwdfw use srcport' => 'Use sourceport', 'fwdfw use srv' => 'Use targetport', +'fwdfw natport used' => 'The NAT port is already used by another DNAT rule', 'fwdfw newrule' => 'New rule', 'fwdfw wd_mon' => 'Mon', 'fwdfw wd_tue' => 'Tue', From 54d6863787ca89d11e59efc1e9d345fd5b9a5eb9 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Mar 2013 07:34:05 +0100 Subject: [PATCH 188/306] Forward Firewall: fixed converter bug: Remark is "0" and Alias ip is taken as ip instead of name --- config/forwardfw/convert-portfw | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw index 682199f00..8ec3c3438 100755 --- a/config/forwardfw/convert-portfw +++ b/config/forwardfw/convert-portfw 
@@ -85,14 +85,15 @@ sub build_rules }else{ foreach my $ali (@alias){ my ($alias_ip,$alias_active,$alias_name) = split (",",$ali); - if($alias eq $alias_name){ + if($alias eq $alias_ip){ + chomp($alias_name); $alias=$alias_name; } } } $active = uc $active; $prot = uc $prot; - $remark = chomp($remark); + chomp($remark); push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); my $now=localtime; print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; From f833ef4660862fce522799582957a64b2159ea72 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Mar 2013 07:47:28 +0100 Subject: [PATCH 189/306] Forward Firewall: fixed layout of deleted host in custom group changed version nr in forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 2 +- html/cgi-bin/fwhosts.cgi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e3b8c4a9d..1f2af8cd9 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.8.7'; +my $VERSION='0.9.8.8'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 54080a97e..a0bb21fb8 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1511,7 +1511,7 @@ sub viewtablegrp print "$customgrp{$key}[2]"; } if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ - print "$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]
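Review bot: `chomp($remark)` only strips a trailing newline, while the record pushed on the next line is a comma-separated string, so a remark (or an alias name) containing a comma shifts every following column of the converted rule and the rules generator will read the wrong fields. Since the old config is already being parsed with `split(",",...)`, normalise the free-text fields before building the record, e.g. `$remark =~ s/,/ /g;` and the same for `$alias_name` right after the added `chomp`. build_rules starts and ends outside the hunk.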
"; + print "$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]"; }else{ print"$ip$customgrp{$key}[3]"; } From 8343fd125091b3530a76609e8ec17dbf9f63ed69 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Mar 2013 10:35:07 +0100 Subject: [PATCH 190/306] Forward Firewall: Fix converter-outgoingfw. Produced wrong counters while converting --- config/forwardfw/convert-outgoingfw | 45 +++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index f220738a6..d065b5acd 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -1,5 +1,17 @@ #!/usr/bin/perl - +######################################################################## +# Script: convert-outgoingfw +# Date: 21.03.2013 +# Author: Alexander Marx (amarx@ipfire.org) +######################################################################## +# +# This script converts old groups and firewallrules +# to the new one. This is a 3-step process. +# STEP1: convert groups ->LOG /var/log/converters +# STEP2: convert rules ->LOG /var/log/converters +# STEP3: convert P2P rules +# +######################################################################## require '/var/ipfire/general-functions.pl'; @@ -35,10 +47,12 @@ my %fwconfig=(); my %fwconfigout=(); my %fwdsettings=(); &General::readhash($outfwsettings,\%outsettings); - -&process_groups; -&process_rules; -&process_p2p; +#ONLY RUN if /var/ipfire/outgoing exists +if ( -d "/var/ipfire/outgoing"){ + &process_groups; + &process_rules; + &process_p2p; +} system("/usr/local/bin/forwardfwctrl"); sub process_groups { @@ -152,6 +166,13 @@ sub new_hostgrp print LOG "->Host (IP) $ip already exists in custom hosts\n"; $name="host "; $name2=$name.$ippart; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$ippart; $name3="Custom Host"; } }elsif($byte4 < '255'){ 
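Review bot: Both `print` statements in this branch of viewtablegrp interpolate `$ip` and `$customgrp{$key}[3]` into the HTML response as-is; these are operator-entered host and group names, so any markup or entity in them is rendered rather than displayed. Escape them at output, e.g. `CGI::escapeHTML($customgrp{$key}[3])`, in both the deleted-host branch and the normal branch so the two stay consistent. The surrounding tags have been stripped from this page, so the exact markup is not visible here; viewtablegrp starts and ends outside the hunk.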
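Review bot: The new guard tests the literal path `-d "/var/ipfire/outgoing"` while the rest of this converter set addresses the config root through `${General::swroot}` (backup.pl in this series tests `-d "${General::swroot}/outgoing"`); write it as `if ( -d "${General::swroot}/outgoing" ){` so the two cannot drift. `system("/usr/local/bin/forwardfwctrl")` still runs, unchecked, even when nothing was converted; moving it inside the guard and testing its return value would make a failed reload visible in the log. The `&process_groups;` call form passes the caller's current `@_` through — `process_groups();` is the safer spelling for all three calls.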
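Review bot: The counter loop added after `print LOG "->Host (IP) $ip already exists in custom hosts\n"` is followed by a second copy of `$name="host "; $name2=$name.$ippart;`, which merely repeats the two lines immediately above the loop; drop the duplicate. The same loop is pasted three times in this file (here and in the `@@ -171` and `@@ -202` hunks for networks and MAC hosts), so a small helper would keep the increment in one place, e.g. `sub _count_use { my ($h, $n) = @_; $$h{$_}[4]++ for grep { $$h{$_}[0] eq $n } keys %$h; }`. What column [4] holds is not visible here — presumably the use count the commit message refers to — and a comment naming it at the first increment would help. new_hostgrp starts and ends outside the hunk.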
@@ -171,6 +192,13 @@ sub new_hostgrp print LOG "Network $ippart already exists in custom networks\n"; $name="net "; $name2=$name.$ippart; + foreach my $key (sort keys %nets){ + if($nets{$key}[0] eq $name2){ + $nets{$key}[4]++; + } + } + $name="net "; + $name2=$name.$ippart; $name3="Custom Network"; } } @@ -202,6 +230,13 @@ sub new_hostgrp print LOG "->Host (MAC) $mac already exists in custom hosts \n"; $name="host "; $name2=$name.$mac; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$mac; $name3="Custom Host"; } if($name2 && !&check_grp($grp,$name2)){ From fb61ec6715f8bcf9005477563a6449f51725f286 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 21 Mar 2013 14:36:29 +0100 Subject: [PATCH 191/306] Forward Firewall: Bugfix: blue was allowed to connect to everywhere if forward firewall was open --- config/forwardfw/firewall-policy | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index 303a7561b..55287dd07 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -6,6 +6,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) iptables -F POLICYFWD iptables -F POLICYOUT iptables -F POLICYIN +IFACE=`cat /var/ipfire/red/iface` #FORWARDFW if [ "$POLICY" == "MODE1" ]; then @@ -22,6 +23,7 @@ if [ "$POLICY" == "MODE1" ]; then /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi else + /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE" /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD" fi From 218b3341b6fd9da564ee876c08d8bf2c1b0ec78d Mon Sep 17 00:00:00 2001 
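Review bot: The `IFACE=` value read from `/var/ipfire/red/iface` is used unquoted in `! -o $IFACE`; when the file is missing or empty (RED down, or a setup that does not write it) the command becomes `! -o -j DROP`, iptables rejects it, and the script falls through to the unconditional `-j ACCEPT` that follows, so the BLUE restriction this commit adds silently disappears exactly when RED is unavailable. Check the value before use and quote it, e.g. `IFACE=$(cat /var/ipfire/red/iface 2>/dev/null)` and `[ -n "$IFACE" ] && /sbin/iptables -A POLICYFWD -i blue0 ! -o "$IFACE" -j DROP -m comment --comment "DROP_FORWARD_BLUE"`, and decide explicitly what the fallback is when no RED interface is known rather than letting the rule vanish. `blue0` is also hard-coded where the init script in this series uses `$GREEN_DEV`/`$ORANGE_DEV` from the ethernet settings; reading the BLUE device the same way (and skipping the rule when BLUE is not configured) would avoid a rule that never matches on systems with a different device name. The same `$IFACE` handling applies to both hunks of this file.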
From: Alexander Marx Date: Thu, 21 Mar 2013 17:34:30 +0100 Subject: [PATCH 192/306] Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set to REJECT --- html/cgi-bin/forwardfw.cgi | 2 +- src/initscripts/init.d/firewall | 22 ++-------------------- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 1f2af8cd9..3f4ad306b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.8.8'; +my $VERSION='0.9.8.9'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 18dea0ab8..7e3248147 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -204,13 +204,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT - - # If a host on orange tries to initiate a connection to IPFire's red IP and - # the connection gets DNATed back through a port forward to a server on orange - # we end up with orange -> orange traffic passing through IPFire - [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - + # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT 
@@ -242,13 +236,7 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j REDNAT iptables_red - - # DMZ pinhole chain. - # ORANGE to talk to GREEN / BLUE. - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW - fi - + # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID @@ -279,12 +267,6 @@ case "$1" in /etc/sysconfig/firewall.local start fi - # last rule in input and forward chain is for logging. - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " - fi - #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN From f0da8d53d02633030dafe6ad301488e8946ffccd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 22 Mar 2013 07:55:17 +0100 Subject: [PATCH 193/306] Forward Firewall: Version update forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 3f4ad306b..3e64259e8 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.8.9'; +my $VERSION='0.9.9.0'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; From 82e136591e5dbe3366f2a8d3f9129b98603ad620 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 26 Mar 2013 08:35:45 +0100 Subject: [PATCH 194/306] Forward Firewall: bugfix 1) When editing a NAT rule, error message "port already used" fixed --- html/cgi-bin/forwardfw.cgi | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 3e64259e8..7db9cf123 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -174,12 +174,13 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } } + #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %confignatfw){ - print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}
"; - print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]
"; + #print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}
"; + #print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]
"; if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; 
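Review bot: The two debug `print` lines are commented out rather than removed, leaving roughly two kilobytes of dead code inside the rule-comparison loop; delete them (history keeps them) so the loop reads as the single `if` it is. They wrote the complete NAT rule set into the CGI response, which is the kind of trace that should not be one uncomment away — if one is needed, write it to a log file as the converters in this series do. The comparison itself builds two 30-field strings by hand; a `join(',', @fields)` over one shared list of column numbers would make the skipped columns (16 and 18) explicit instead of implicit. The enclosing `saverule` action block starts outside the hunk.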
@@ -927,7 +928,7 @@ sub checkrule if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} #check if given nat port is already used by another dnatrule - if($fwdfwsettings{'nat'} eq 'dnat'){ + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){ foreach my $id (sort keys %confignatfw){ if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){ $errormessage=$Lang::tr{'fwdfw natport used'}."
"; @@ -2072,12 +2073,6 @@ sub saverule &changerule($configfwdfw); #print"17"; } - #Cleanup some values for NAT if they are not used - if($fwdfwsettings{'nat'} eq 'dnat'){ - $fwdfwsettings{'snatport'}=''; - }else{ - $fwdfwsettings{'dnatport'}=''; - } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; From 28640b7365b6bcd73fd760300c1f994a331fc993 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 27 Mar 2013 12:36:19 +0100 Subject: [PATCH 195/306] Forward Firewall: fix NAT-rules: iptables rule was not applied correctly in PORTFWACCESS --- config/forwardfw/rules.pl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 4461893ae..2ce3efabb 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -147,6 +147,9 @@ sub flush system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); system ("iptables -F OUTGOINGFW"); + system ("iptables -F PORTFWACCESS"); + system ("iptables -t nat -F NAT_DESTINATION"); + system ("iptables -t nat -F NAT_SOURCE"); } sub preparerules { 
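Review bot: Adding `&& $fwdfwsettings{'updatefwrule'} ne 'on'` disables the port-in-use check for every edit, so changing an existing rule's NAT port to one that another DNAT rule already uses is no longer caught; the intended fix is to skip only the rule being edited, e.g. `next if $fwdfwsettings{'updatefwrule'} eq 'on' && $id eq $fwdfwsettings{'<key-of-edited-rule>'};` inside the `foreach`, keeping the outer condition as it was. The name of the field that carries the edited rule's key is not visible in this hunk. checkrule's body continues outside the hunk.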
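Review bot: The three added `system ("iptables -F ...")` calls resolve `iptables` through `PATH` and discard the return value, in a script that rewrites the firewall as root; the init script and firewall-policy in this series call `/sbin/iptables` by absolute path. Use the absolute path, the list form, and report failures, e.g. `system('/sbin/iptables', '-t', 'nat', '-F', 'NAT_DESTINATION') == 0 or warn "flush NAT_DESTINATION failed: $?";`, for all six calls in flush. flush's opening line is outside the hunk.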
@@ -280,11 +283,14 @@ sub buildrules print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'dnat'){ - #if ($$hash{$key}[17] eq 'ON'){ - #print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - #} - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $targethash{$b}[0]$DPORT\n"; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + if ($$hash{$key}[17] eq 'ON'){ + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + my ($ip,$sub) =split("/",$targethash{$b}[0]); + print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; } @@ -323,7 +329,7 @@ sub buildrules } my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "iptables -A PORTFWACCESS $PROT $STAG $sourcehash{$a}[0] -d $targethash{$b}[0] $fwaccessdport $TIME \n"; + system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ if ($$hash{$key}[17] eq 'ON'){ 
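Review bot: `my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);` declares a lexical under a statement modifier, which perldoc -f my documents as undefined behaviour; write it as `my $fwaccessdport = $DPORT ? '--dport ' . substr($DPORT, 1) : '';` in both hunks. The rewritten dnat branch now tests `$$hash{$key}[31] eq 'dnat'` but the snat branch directly below it in the print variant still tests `[32] eq 'snat'`, while the system() variant in the second hunk uses `[31]` for both — one of these column numbers is wrong, and the print (dry-run) output will diverge from what is actually installed. The replacement PORTFWACCESS rule also drops the `$STAG $sourcehash{$a}[0]` source match the old line carried and matches on `-i $con -d $ip` only; if that is intentional because the NAT rule already restricts the source, a comment saying so would stop the next reader from putting it back, otherwise the forward ACCEPT is wider than the rule's source. The print and system variants are near-identical copies that have already drifted, so building each command string once and choosing between `print` and `system` would remove the duplication. buildrules starts and ends outside the hunk.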
From 6be32fe50454ded7ecbec877db3a05bd87bdcc05 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 31 Mar 2013 16:18:12 +0200 Subject: [PATCH 196/306] Forward Firewall: bugfix: DNAT now correctly creates rules, when customservice defined as target --- config/forwardfw/rules.pl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 2ce3efabb..9af2c7060 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -539,7 +539,11 @@ sub get_port } }elsif($$hash{$key}[14] eq 'cust_srv'){ if ($prot ne 'ICMP'){ - return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + if($$hash{$key}[31] eq 'dnat'){ + return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }else{ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + } }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ From 829697d076d1b74a2499bd3bda6b70cfa56d6b49 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 1 Apr 2013 06:26:58 +0200 Subject: [PATCH 197/306] Forward Firewall: enabled Portranges for DNAT --- config/forwardfw/rules.pl | 13 ++++++++----- html/cgi-bin/forwardfw.cgi | 32 +++++++++++++++++++++++++------- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 4 files changed, 35 insertions(+), 14 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 9af2c7060..49a45b1a5 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
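Review bot: The dnat branch returns `":" . &fwlib::get_srv_port(...)` without normalising the separator, while the TGT_PORT path of get_port (the `@@ -529` hunk of the next commit in this series) rewrites `:` to `-` because `--to ip:port` wants a dash for ranges; if a custom service can hold a range the two branches disagree. Either normalise here too, `(my $p = &fwlib::get_srv_port($$hash{$key}[15],1,$prot)) =~ s/:/-/g; return ":$p";`, or document at the branch that custom services are single ports. Whether get_srv_port can return a range is not visible here. get_port starts and ends outside the hunk.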
@@ -287,10 +287,11 @@ sub buildrules if ($$hash{$key}[17] eq 'ON'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); my ($ip,$sub) =split("/",$targethash{$b}[0]); - print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; } @@ -327,10 +328,12 @@ sub buildrules if ($$hash{$key}[17] eq 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ if ($$hash{$key}[17] eq 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; 
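Review bot: `$DPORT =~ s/\-/:/g;` rewrites the variable in place after it has been used for `--to $ip$DPORT`; if `$DPORT` is computed once per rule outside the source/target loops (its assignment is not in the hunk), the next target or source iteration builds `--to ip:80:90`, which iptables rejects. Derive the PORTFWACCESS form into a copy instead, `(my $range = $DPORT) =~ s/-/:/g; my $fwaccessdport = $range ? '--dport ' . substr($range, 1) : '';` in both hunks, which also removes the `my ... if` statement-modifier form. The same edit is applied by hand to the print and system variants; keeping those two in step manually is what produced the `[31]`/`[32]` mismatch in the previous commit, so factoring the command construction would be worthwhile. buildrules starts and ends outside the hunk.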
@@ -519,7 +522,6 @@ sub get_port return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ $$hash{$key}[15] =~ s/\|/,/g; @@ -529,6 +531,7 @@ sub get_port if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ return "--dport $$hash{$key}[15] "; }else{ + $$hash{$key}[15] =~ s/\:/-/g; return ":$$hash{$key}[15]"; } } diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7db9cf123..83917015e 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -731,7 +731,7 @@ sub checksource my @values=(); foreach (@parts){ chomp($_); - if ($_ =~ /^(\d+)\:(\d+)$/) { + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { my $check; #change dashes with : $_=~ tr/-/:/; @@ -739,11 +739,11 @@ sub checksource push(@values,"1:65535"); $check='on'; } - if ($_ =~ /^(\D)\:(\d+)$/) { + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { push(@values,"1:$2"); $check='on'; } - if ($_ =~ /^(\d+)\:(\D)$/) { + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) { push(@values,"$1:65535"); $check='on' } @@ -837,11 +837,14 @@ sub checktarget if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ + if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) { + $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
"; + } my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); my @values=(); foreach (@parts){ chomp($_); - if ($_ =~ /^(\d+)\:(\d+)$/) { + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { my $check; #change dashes with : $_=~ tr/-/:/; @@ -849,11 +852,11 @@ sub checktarget push(@values,"1:65535"); $check='on'; } - if ($_ =~ /^(\D)\:(\d+)$/) { + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { push(@values,"1:$2"); $check='on'; } - if ($_ =~ /^(\d+)\:(\D)$/) { + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { push(@values,"$1:65535"); $check='on' } @@ -915,7 +918,22 @@ sub checktarget sub check_natport { my $val=shift; - if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){ + if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) { + $fwdfwsettings{'dnatport'} =~ tr/-/:/; + if ($fwdfwsettings{'dnatport'} eq "*") { + $fwdfwsettings{'dnatport'}="1:65535"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) { + $fwdfwsettings{'dnatport'} = "1:$2"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) { + $fwdfwsettings{'dnatport'} ="$1:65535"; + } + } + return 1; + } + if ($val =~ "," || $val>65536 || $val<0){ return 0; } return 1; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 4e07d7479..3df1954a7 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -901,7 +901,7 @@ 'fwdfw delete' => 'Löschen', 'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)', 'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt', -'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden', +'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw edit' => 'Bearbeiten', 'fwdfw err nosrc' => 'Keine Quelle gewählt', 
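Review bot: The added guard tests `$fwdfwsettings{'USE_NAT'}` for truth while every other place in this file tests it with `eq 'ON'`; if the unchecked state is stored as a non-empty string, the comma check fires for rules that do not use NAT at all. Use `$fwdfwsettings{'USE_NAT'} eq 'ON'` here too, and `index($fwdfwsettings{'TGT_PORT'}, ',') >= 0` rather than `=~ ","` (a string used as a pattern) for the comma test. What value USE_NAT holds when unset is not visible here. checktarget starts and ends outside the hunk.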
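Review bot: The new early `return 1` makes check_natport accept any `dnatport` whenever NAT mode is dnat: only a `\d+-\d+` range is normalised, and everything else — a comma list, a non-numeric string, a number above 65535 — passes without reaching the old range check. That value is later interpolated into `system "iptables ... "` strings in rules.pl (one-argument `system` goes through the shell, and `$fireport` there presumably derives from this column), so validation here is the only barrier; validate first and normalise second, e.g. `return 0 unless $val =~ /^\d+(?:[-:]\d+)?$/;` followed by a `0 < $_ && $_ <= 65535` check on each captured number, and only then rewrite the separator. The remaining fallback check also has an off-by-one (`$val>65536` should be `>65535`), and the `eq "*"` and `\D` branches nested inside the `^\d+-\d+$` match can never be true. The caller passes `$fwdfwsettings{'dnatport'}` as `$val`, so the function should work on one of the two consistently instead of reading the parameter in one branch and the global in the other.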
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4bea473f1..ac0d1de8e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -926,7 +926,7 @@ 'fwdfw delete' => 'Delete', 'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)', 'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.', -'fwdfw dnat porterr' => 'You have to select a single port (tcp/udp) for NAT', +'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', 'fwdfw DROP' => 'DROP', 'fwdfw edit' => 'Edit', 'fwdfw err nosrc' => 'No source selected.', From a60dbb4b6aef3c4753f3206812ff80d34235e066 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Apr 2013 05:40:50 +0200 Subject: [PATCH 198/306] Forward Firewall: added dmz-converter. Also extended backup.pl script to support old backups. Now it is possible to restore old backups into new firewall. On restore, all config files of new firewall will be destroyed and the 4 converters will recreate them. --- config/backup/backup.pl | 50 ++++++++- config/forwardfw/convert-dmz | 172 +++++++++++++++++++++++++++++ config/rootfiles/common/configroot | 1 + config/rootfiles/common/stage2 | 2 + html/cgi-bin/forwardfw.cgi | 5 +- lfs/configroot | 4 +- 6 files changed, 225 insertions(+), 9 deletions(-) create mode 100755 config/forwardfw/convert-dmz diff --git a/config/backup/backup.pl b/config/backup/backup.pl index b21716185..4ad7363fb 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
@@ -64,25 +64,63 @@ elsif ($ARGV[0] eq 'restore') { system("cd / && tar -xvz -p -f /tmp/restore.ipf"); #Here some converter scripts to correct old Backups (before core 65) system("/usr/sbin/ovpn-ccd-convert"); + #OUTGOINGFW CONVERTER if( -d "${General::swroot}/outgoing"){ if( -f "${General::swroot}/forward/config" ){ unlink("${General::swroot}/forward/config"); system("touch ${General::swroot}/forward/config"); chown 99,99,"${General::swroot}/forward/config"; } - if( -f "${General::swroot}/forward/input" ){ - unlink("${General::swroot}/forward/input"); - system("touch ${General::swroot}/forward/input"); - chown 99,99,"${General::swroot}/forward/input"; - } + if( -f "${General::swroot}/forward/outgoing" ){ + unlink("${General::swroot}/forward/outgoing"); + system("touch ${General::swroot}/forward/outgoing"); + chown 99,99,"${General::swroot}/forward/outgoing"; + } + unlink("${General::swroot}/fwhosts/*"); + system("touch ${General::swroot}/fwhosts/customgroups"); + system("touch ${General::swroot}/fwhosts/customhosts"); + system("touch ${General::swroot}/fwhosts/customnetworks"); + system("touch ${General::swroot}/fwhosts/customservicegrp"); + system("touch ${General::swroot}/fwhosts/customservices"); + chown 99,99,"${General::swroot}/fwhosts/*"; + #START CONVERTER "OUTGOINGFW" system("/usr/sbin/convert-outgoingfw"); rmtree("${General::swroot}/outgoing"); - system("/usr/local/bin/forwrdfwctrl"); } + #XTACCESS CONVERTER if( -d "${General::swroot}/xtaccess"){ + if( -f "${General::swroot}/forward/input" ){ + unlink("${General::swroot}/forward/input"); + system("touch ${General::swroot}/forward/input"); + chown 99,99,"${General::swroot}/forward/input"; + } + #START CONVERTER "XTACCESS" system("/usr/sbin/convert-xtaccess"); rmtree("${General::swroot}/xtaccess"); } + #DMZ-HOLES CONVERTER + if( -d "${General::swroot}/dmz-holes"){ + if( -f "${General::swroot}/forward/dmz" ){ + unlink("${General::swroot}/forward/dmz"); + system("touch ${General::swroot}/forward/dmz"); + 
chown 99,99,"${General::swroot}/forward/dmz"; + } + #START CONVERTER "DMZ-HOLES" + system("/usr/sbin/convert-dmz"); + rmtree("${General::swroot}/xtaccess"); + } + #PORTFORWARD CONVERTER + if( -d "${General::swroot}/portfw"){ + if( -f "${General::swroot}/forward/nat" ){ + unlink("${General::swroot}/forward/nat"); + system("touch ${General::swroot}/forward/nat"); + chown 99,99,"${General::swroot}/forward/nat"; + } + #START CONVERTER "PORTFW" + system("/usr/sbin/convert-portfw"); + rmtree("${General::swroot}/portfw"); + } + system("/usr/local/bin/forwardfwctrl"); } elsif ($ARGV[0] eq 'restoreaddon') { if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");} diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz new file mode 100755 index 000000000..639cef374 --- /dev/null +++ b/config/forwardfw/convert-dmz 
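Review bot: `unlink("${General::swroot}/fwhosts/*")` and `chown 99,99,"${General::swroot}/fwhosts/*"` treat the `*` literally — neither builtin globs — so the old fwhosts files survive the restore and the freshly touched ones keep root ownership; use `unlink glob("${General::swroot}/fwhosts/*")` and, after the touches, `chown 99, 99, glob("${General::swroot}/fwhosts/*")`. In the DMZ-HOLES block, `rmtree("${General::swroot}/xtaccess")` is a copy-paste leftover; it should remove the dmz-holes directory, otherwise the old config is never cleaned up and the converter re-runs on the next restore. The directory name itself is inconsistent: this block tests `-d "${General::swroot}/dmz-holes"` while the new convert-dmz script reads `${General::swroot}/dmzholes/config`, so with the current names one of the two cannot find the data. The return values of the four converter `system()` calls are ignored, so a converter that dies still has its source directory removed by the `rmtree` that follows. The restore branch starts outside the hunk.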
@@ -0,0 +1,172 @@ +#!/usr/bin/perl + +######################################################################## +# Script: convert-dmz +# Date: 03.04.2013 +# Author: Alexander Marx (amarx@ipfire.org) +######################################################################## +# +# This script converts old dmz holes rules from old Firewall +# to the new one. This is a 2-step process. +# STEP1: read old config and normalize settings +# STEP2: check valid ip and save valid rules to new firewall +# +######################################################################## +my @current=(); +my @alias=(); +my %configdmz=(); +my %ifaces=(); +my %configfwdfw=(); +require '/var/ipfire/general-functions.pl'; +my $dmzconfig = "${General::swroot}/dmzholes/config"; +my $fwdfwconfig = "${General::swroot}/forward/dmz"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $field0 = 'ACCEPT'; +my $field1 = 'FORWARDFW'; +my $field2 = ''; #ON or emtpy +my $field3 = ''; #std_net_src or src_addr +my $field4 = ''; #ALL or IP-Address with /32 +my $field5 = ''; #std_net_tgt or tgt_addr +my $field6 = ''; #IP or network name +my $field11 = 'ON'; #use target port +my $field12 = ''; #TCP or UDP +my $field13 = 'All ICMP-Types'; +my $field14 = 'TGT_PORT'; +my $field15 = ''; #Port Number +my $field16 = ''; #remark +my $field26 = '00:00'; +my $field27 = '00:00'; +open(FILE, $dmzconfig) or die 'Unable to open config file.'; +my @current = ; +close(FILE); +#open LOGFILE +open (LOG, ">/var/log/converters/dmz-convert.log") or die $!; +&General::readhash($ifacesettings, \%ifaces); +&General::readhasharray($fwdfwconfig,\%configfwdfw); +&process_rules; +sub process_rules{ + foreach my $line (@current){ + my $now=localtime; + #get values from old configfile + my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); + $h =~ s/\s//gi; + print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + #Now convert values and check ip addresses + $a=uc($a); + $e=uc($e); + $field2=$e if($e eq 
'ON'); + #SOURCE IP-check + $b=&check_ip($b); + if (&General::validipandmask($b)){ + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$b); + if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='ORANGE'; + }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='BLUE'; + }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }else{ + print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n"; + next; + } + }else{ + print LOG "$now -> SOURCE IP INVALID. \n\n"; + next; + } + #TARGET IP-check + $c=&check_ip($c); + if (&General::validipandmask($c)){ + my $now=localtime; + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$c); + if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='GREEN'; + }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='BLUE'; + }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }else{ + print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n"; + next; + } + }else{ + print LOG "$now -> SOURCE IP INVALID. 
\n\n"; + next; + } + $field12=$a; + #convert portrange + $d =~ tr/-/:/; + $field15=$d; + $field16=$h; + ##Ausgabe + #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n"; + my $key = &General::findhasharraykey (\%configfwdfw); + foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";} + $configfwdfw{$key}[0] = $field0; + $configfwdfw{$key}[1] = $field1; + $configfwdfw{$key}[2] = $field2; + $configfwdfw{$key}[3] = $field3; + $configfwdfw{$key}[4] = $field4; + $configfwdfw{$key}[5] = $field5; + $configfwdfw{$key}[6] = $field6; + $configfwdfw{$key}[7] = ''; + $configfwdfw{$key}[8] = ''; + $configfwdfw{$key}[9] = ''; + $configfwdfw{$key}[10] = ''; + $configfwdfw{$key}[11] = $field11; + $configfwdfw{$key}[12] = $field12; + $configfwdfw{$key}[13] = $field13; + $configfwdfw{$key}[14] = $field14; + $configfwdfw{$key}[15] = $field15; + $configfwdfw{$key}[16] = $field16; + $configfwdfw{$key}[17] = ''; + $configfwdfw{$key}[18] = ''; + $configfwdfw{$key}[19] = ''; + $configfwdfw{$key}[20] = ''; + $configfwdfw{$key}[21] = ''; + $configfwdfw{$key}[22] = ''; + $configfwdfw{$key}[23] = ''; + $configfwdfw{$key}[24] = ''; + $configfwdfw{$key}[25] = ''; + $configfwdfw{$key}[26] = $field26; + $configfwdfw{$key}[27] = $field27; + print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; + } + &General::writehasharray($fwdfwconfig,\%configfwdfw); +close (LOG); +} + +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ + 
$adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/32"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index c930ad078..b835931c4 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -53,6 +53,7 @@ var/ipfire/forward/config var/ipfire/forward/input var/ipfire/forward/outgoing var/ipfire/forward/dmz +var/ipfire/forward/net var/ipfire/forward/p2protocols var/ipfire/fwhosts var/ipfire/fwhosts/icmp-types diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index a8e4b79d3..fe6d23a8f 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -112,6 +112,8 @@ usr/sbin/ovpn-ccd-convert usr/sbin/firewall-policy usr/sbin/convert-xtaccess usr/sbin/convert-outgoingfw +usr/sbin/convert-dmz +usr/sbin/convert-portfw #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 83917015e..e69e6ce9f 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.0'; +my $VERSION='0.9.9.1'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} + #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); 
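Review bot: `$field2` is a file-scope variable that process_rules only ever sets (`$field2=$e if($e eq 'ON');`) and never clears, so once one DMZ hole is active every later rule in the file is written as active regardless of its own flag — disabled holes come back enabled after a restore; replace the line with `$field2 = ($e eq 'ON') ? 'ON' : '';`. The other `$field*` globals carry the same risk in principle, though each is reassigned on every path that reaches the write. In check_ip the octet separators in `m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/` are unescaped `.` and should be `\.` as in the second pattern, because the normalised address is rebuilt from the captures and so sanitises whatever separator was in the old file. The script has no `use strict; use warnings;`, declares `my @current` twice, and opens `$dmzconfig` with the two-argument `open(FILE, $dmzconfig)`; a three-argument `open(my $fh, '<', $dmzconfig) or die …` with a lexical handle is the safer idiom.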
@@ -2034,7 +2035,7 @@ sub saverule #print"6"; } #check if we change a DMZ to a FORWARD/DMZ - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ &changerule($configdmz); #print"7"; } diff --git a/lfs/configroot b/lfs/configroot index 7e47881d3..58eb9d753 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -65,7 +65,7 @@ $(TARGET) : for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \ + extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ 
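Review bot: The new `&& $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'` guard on the DMZ-to-FORWARDFW branch is not explained, and a DMZ rule whose source is ORANGE now falls through to whichever later branches of this if/elsif chain exist outside the hunk, so its intent should be stated next to the condition — presumably that an ORANGE-sourced rule must not be moved out of the DMZ file by changerule; a comment such as `#ORANGE-sourced DMZ rules stay in the DMZ file even if the chain is FORWARDFW (see branch below)` would do, once the author confirms that reading. The enclosing sub saverule starts and ends outside the hunk.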
@@ -103,6 +103,8 @@ $(TARGET) : cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw + cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz + cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy From f7e649ddfbd915136ae5acdad388d0b517e5ea85 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Apr 2013 08:43:18 +0200 Subject: [PATCH 199/306] Forward Firewall: some typos in dmz-converter --- config/backup/backup.pl | 8 ++++---- config/forwardfw/convert-dmz | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 4ad7363fb..4662a8a1d 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -66,9 +66,9 @@ elsif ($ARGV[0] eq 'restore') { system("/usr/sbin/ovpn-ccd-convert"); #OUTGOINGFW CONVERTER if( -d "${General::swroot}/outgoing"){ - if( -f "${General::swroot}/forward/config" ){ + if( -f "${General::swroot}/forward/config" ){ unlink("${General::swroot}/forward/config"); - system("touch ${General::swroot}/forward/config"); + system("touch ${General::swroot}/forward/config"); chown 99,99,"${General::swroot}/forward/config"; } if( -f "${General::swroot}/forward/outgoing" ){ @@ -99,7 +99,7 @@ elsif ($ARGV[0] eq 'restore') { rmtree("${General::swroot}/xtaccess"); } #DMZ-HOLES CONVERTER - if( -d "${General::swroot}/dmz-holes"){ + if( -d "${General::swroot}/dmzholes"){ if( -f "${General::swroot}/forward/dmz" ){ unlink("${General::swroot}/forward/dmz"); system("touch ${General::swroot}/forward/dmz"); 
@@ -107,7 +107,7 @@ elsif ($ARGV[0] eq 'restore') { } #START CONVERTER "DMZ-HOLES" system("/usr/sbin/convert-dmz"); - rmtree("${General::swroot}/xtaccess"); + rmtree("${General::swroot}/dmzholes"); } #PORTFORWARD CONVERTER if( -d "${General::swroot}/portfw"){ diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz index 639cef374..81d77bab7 100755 --- a/config/forwardfw/convert-dmz +++ b/config/forwardfw/convert-dmz @@ -49,8 +49,8 @@ sub process_rules{ my $now=localtime; #get values from old configfile my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); - $h =~ s/\s//gi; - print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + $h =~ s/\s*\n//gi; + print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; #Now convert values and check ip addresses $a=uc($a); $e=uc($e); @@ -99,11 +99,11 @@ sub process_rules{ $field5='tgt_addr'; $field6=$c; }else{ - print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n"; + print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n"; next; } }else{ - print LOG "$now -> SOURCE IP INVALID. \n\n"; + print LOG "$now -> TARGET IP INVALID. \n\n"; next; } $field12=$a; From e09884e04f0aab0c9b4f2f3d22f9f653e93d0cb9 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Apr 2013 11:24:22 +0200 Subject: [PATCH 200/306] Forward Firewall: some fixes: 1) Counter was not correctly decreased when deleting a network from a customgroup 2) Convert-outgoingfw improved 3) Backup didn't set filepermissions correctly --- config/backup/backup.pl | 20 +++++--- config/forwardfw/convert-outgoingfw | 75 +++++++++++++++++------------ html/cgi-bin/fwhosts.cgi | 2 +- 3 files changed, 59 insertions(+), 38 deletions(-) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 4662a8a1d..28e2dd89e 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
@@ -76,15 +76,23 @@ elsif ($ARGV[0] eq 'restore') { system("touch ${General::swroot}/forward/outgoing"); chown 99,99,"${General::swroot}/forward/outgoing"; } - unlink("${General::swroot}/fwhosts/*"); + unlink("${General::swroot}/fwhosts/customgroups"); + unlink("${General::swroot}/fwhosts/customhosts"); + unlink("${General::swroot}/fwhosts/customgroups"); + unlink("${General::swroot}/fwhosts/customnetworks"); + unlink("${General::swroot}/fwhosts/customservicegrp"); + unlink("${General::swroot}/fwhosts/customnetworks"); system("touch ${General::swroot}/fwhosts/customgroups"); system("touch ${General::swroot}/fwhosts/customhosts"); system("touch ${General::swroot}/fwhosts/customnetworks"); system("touch ${General::swroot}/fwhosts/customservicegrp"); - system("touch ${General::swroot}/fwhosts/customservices"); - chown 99,99,"${General::swroot}/fwhosts/*"; #START CONVERTER "OUTGOINGFW" system("/usr/sbin/convert-outgoingfw"); + chown 99,99,"${General::swroot}/fwhosts/customgroups"; + chown 99,99,"${General::swroot}/fwhosts/customhosts"; + chown 99,99,"${General::swroot}/fwhosts/customnetworks"; + chown 99,99,"${General::swroot}/fwhosts/customservicegrp"; + #START CONVERTER "OUTGOINGFW" rmtree("${General::swroot}/outgoing"); } #XTACCESS CONVERTER @@ -92,10 +100,10 @@ elsif ($ARGV[0] eq 'restore') { if( -f "${General::swroot}/forward/input" ){ unlink("${General::swroot}/forward/input"); system("touch ${General::swroot}/forward/input"); - chown 99,99,"${General::swroot}/forward/input"; } #START CONVERTER "XTACCESS" system("/usr/sbin/convert-xtaccess"); + chown 99,99,"${General::swroot}/forward/input"; rmtree("${General::swroot}/xtaccess"); } #DMZ-HOLES CONVERTER 
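Review bot: The explicit `unlink` list that replaces the glob removes `customgroups` and `customnetworks` twice each, which is harmless but reads like a copy-paste slip, and `customservices` — which the old code at least touched — is now neither removed nor recreated, so whether it survives the restore depends on convert-outgoingfw (not visible here). The second `#START CONVERTER "OUTGOINGFW"` comment now sits after the converter has already run, directly above `rmtree("${General::swroot}/outgoing")`, and should be dropped or reworded to `#remove old outgoing config`. Moving the `chown` calls after the converter is the right order if the converter recreates the files; confirm it writes them in place rather than to a temporary path. The enclosing `elsif ($ARGV[0] eq 'restore')` block starts and ends outside the hunk.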
@@ -103,10 +111,10 @@ elsif ($ARGV[0] eq 'restore') { if( -f "${General::swroot}/forward/dmz" ){ unlink("${General::swroot}/forward/dmz"); system("touch ${General::swroot}/forward/dmz"); - chown 99,99,"${General::swroot}/forward/dmz"; } #START CONVERTER "DMZ-HOLES" system("/usr/sbin/convert-dmz"); + chown 99,99,"${General::swroot}/forward/dmz"; rmtree("${General::swroot}/dmzholes"); } #PORTFORWARD CONVERTER @@ -114,10 +122,10 @@ elsif ($ARGV[0] eq 'restore') { if( -f "${General::swroot}/forward/nat" ){ unlink("${General::swroot}/forward/nat"); system("touch ${General::swroot}/forward/nat"); - chown 99,99,"${General::swroot}/forward/nat"; } #START CONVERTER "PORTFW" system("/usr/sbin/convert-portfw"); + chown 99,99,"${General::swroot}/forward/nat"; rmtree("${General::swroot}/portfw"); } system("/usr/local/bin/forwardfwctrl"); diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index d065b5acd..54ba70987 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -61,21 +61,22 @@ sub process_groups open (LOG, ">/var/log/converters/groups-convert.log") or die $!; #IP Group processing foreach my $group (@ipgroups){ + my $now=localtime; chomp $group; - print LOG "\nProcessing IP-GROUP: $group...\n"; + print LOG "\n$now Processing IP-GROUP: $group...\n"; open (DATEI, "<$ipgrouppath/$group"); my @zeilen = ; foreach my $ip (@zeilen){ chomp($ip); $ip =~ s/\s//gi; - print LOG "Check IP $ip from Group $group "; + print LOG "$now Check IP $ip from Group $group "; my $val=&check_ip($ip); if($val){ push(@hostarray,$val.",ip"); - print LOG "-> OK\n"; + print LOG "$now -> OK\n"; } else{ - print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n"; + print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n"; } $val=''; } 
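Review bot: In the convert-outgoingfw `@@ -61` hunk `open (DATEI, "<$ipgrouppath/$group");` is unchecked, so an unreadable group file silently converts to an empty group and the log records only "Processing IP-GROUP"; write it as `open(my $fh, '<', "$ipgrouppath/$group") or do { print LOG "$now -> cannot open $group: $!\n"; next; };` and read from `$fh` (the readline operand is missing in this rendering, `my @zeilen = ;`, so the exact line may differ). `$group` comes from a directory listing built outside the hunk, so the three-argument form also keeps a group name from being interpreted as an open mode. The enclosing sub process_groups starts and ends outside the hunk.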
@@ -94,17 +95,17 @@ sub process_groups foreach my $mac (@zeilen){ chomp($mac); $mac =~ s/\s//gi; - print LOG "Checking MAC $mac from group $group "; + print LOG "$now Checking MAC $mac from group $group "; #MAC checking if(&General::validmac($mac)){ $val=$mac; } if($val){ push(@hostarray,$val.",mac"); - print LOG "-> OK\n"; + print LOG "$now -> OK\n"; } else{ - print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n"; + print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n"; } $val=''; } @@ -297,30 +298,31 @@ sub check_grp sub process_rules { my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); - &General::readhash($fwdfwsettings,\%fwdsettings); - if ($outsettings{'POLICY'} eq 'MODE1'){ - $fwdfwsettings{'POLICY'}='MODE1'; - $type='ALLOW'; - $action='ACCEPT'; - }elsif($outsettings{'POLICY'} eq 'MODE2'){ - $fwdsettings{'POLICY'}='MODE2'; - $type='DENY'; - $action='DROP'; - }else{ - return; - } - &General::writehash($fwdfwsettings,\%fwdsettings); - #open LOG if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; + + &General::readhash($fwdfwsettings,\%fwdsettings); + if ($outsettings{'POLICY'} eq 'MODE1'){ + $fwdsettings{'POLICY'}='MODE1'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='ALLOW'; + $action='ACCEPT'; + }else{ + $fwdsettings{'POLICY'}='MODE2'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='DENY'; + $action='DROP'; + } + &General::writehash($fwdfwsettings,\%fwdsettings); open (DATEI, "<$outgoingrules"); my @lines = ; foreach my $rule (@lines) { + my $now=localtime; chomp($rule); $port=''; - print LOG "processing: $rule\n"; + print LOG "$now processing: $rule\n"; my @configline=(); @configline = split( /\;/, $rule ); my @prot=(); 
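Review bot: In the `@@ -297` hunk the old `}else{ return; }` becomes an unconditional MODE2/DENY/DROP fallback, so an absent or unrecognised `$outsettings{'POLICY'}` now converts every outgoing rule as DROP and rewrites the forward settings file; fail-closed is a defensible default, but it should be visible in the log, e.g. `print LOG "$now -> POLICY '$outsettings{'POLICY'}' is not MODE1, converting as MODE2/DROP\n";` in the else branch. `$fwdsettings{'POLICY1'}='MODE2';` is assigned identically in both branches and can be hoisted above the `if`. `open (DATEI, "<$outgoingrules");` remains unchecked in the same way as the group files. The enclosing sub process_rules continues outside the hunk.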
@@ -377,9 +379,10 @@ sub process_rules $grp1='std_net_src'; $source='BLUE'; }elsif ($configline[2] eq 'ipsec') { - print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; + print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; next; }elsif ($configline[2] eq 'ovpn') { + print LOG "$now ->Creating networks/groups for OpenVPN...\n"; &build_ovpn_grp; $grp1='cust_grp_src'; $source='ovpn' @@ -391,7 +394,7 @@ sub process_rules $grp1='src_addr'; $source="$ipa/$subn"; }else{ - print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n"; + print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n"; next; } }elsif ($configline[2] eq 'mac') { @@ -399,7 +402,7 @@ sub process_rules $grp1='src_addr'; $source=$configline[6]; }else{ - print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n"; + print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n"; next; } }elsif ($configline[2] eq 'all') { @@ -413,7 +416,7 @@ sub process_rules } } if ($grp1 eq '' || $source eq ''){ - print LOG "-> Rule not converted, no valid source recognised\n"; + print LOG "$now -> Rule not converted, no valid source recognised\n"; } } ############################################################ @@ -432,7 +435,7 @@ sub process_rules $target=$getwebsiteip; $remark.=" $configline[7]"; }else{ - print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n"; + print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n"; next; } } @@ -451,7 +454,7 @@ sub process_rules push (@values,$_); $grp3='TGT_PORT'; }else{ - print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; next; } }else{ 
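Review bot: In the `@@ -413` hunk the branch `if ($grp1 eq '' || $source eq '')` logs "Rule not converted, no valid source recognised" but does not leave the loop, so unless a later check outside the hunk rejects it the rule is still written with an empty source; add `next;` after the print, as every other not-converted branch in this sub does. The remaining hunks on this line only add the `$now` prefix to existing log lines. The enclosing sub process_rules starts and ends outside these hunks.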
@@ -461,7 +464,7 @@ sub process_rules push (@values,"$a1:$a2"); $grp3='TGT_PORT'; }else{ - print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; + print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; next; } } @@ -478,13 +481,14 @@ sub process_rules my $check; my $chain; foreach my $protocol (@prot){ + my $now=localtime; if ($source eq 'IPFire'){ $chain='OUTGOINGFW'; }else{ $chain='FORWARDFW'; } $protocol=uc($protocol); - print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; #Put rules into system.... ########################### #check for double rules @@ -583,6 +587,7 @@ sub get_ip_from_domain } sub build_ovpn_grp { + my $now=localtime; &General::readhasharray($confighosts,\%hosts); &General::readhasharray($confignets,\%nets); &General::readhasharray($configgroups,\%groups); 
@@ -594,20 +599,24 @@ sub build_ovpn_grp if($settingsovpn{'DOVPN_SUBNET'}){ my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'}); push (@ovpnnets,"$net,$subnet,dynamic"); + print LOG "$now ->found dynamic OpenVPN net\n"; } foreach my $key (sort keys %ccdconf){ my ($net,$subnet)=split("/",$ccdconf{$key}[1]); $subnet=&General::iporsubtodec($subnet); push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]"); + print LOG "$now ->found OpenVPN static net $net/$subnet\n"; } foreach my $key (sort keys %configovpn){ if ($configovpn{$key}[3] eq 'net'){ my ($net,$subnet)=split("/",$configovpn{$key}[27]); push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]"); + print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n"; } } #add ovpn nets to customnetworks/groups foreach my $line (@ovpnnets){ + my $now=localtime; my ($net,$subnet,$name) = split(",",$line); if (!&check_net($net,$subnet)){ my $netkey = &General::findhasharraykey(\%nets); @@ -616,7 +625,9 @@ sub build_ovpn_grp $nets{$netkey}[0] = $name2; $nets{$netkey}[1] = $net; $nets{$netkey}[2] = $subnet; - $nets{$netkey}[3] = 1; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "$now ->added $name2 $net/$subnet to customnetworks\n"; }else{ print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; } @@ -627,6 +638,7 @@ sub build_ovpn_grp $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = "Custom Network"; $groups{$grpkey}[4] = 0; + print LOG "$now ->added $name2 to customgroup ovpn\n"; } $name2=''; } @@ -634,6 +646,7 @@ sub build_ovpn_grp &General::writehasharray($confighosts,\%hosts); &General::writehasharray($configgroups,\%groups); &General::writehasharray($confignets,\%nets); + print LOG "$now ->finished OVPN\n"; } sub process_p2p { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index a0bb21fb8..8581141e9 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
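Review bot: The `@@ -616` hunk moves the customnetworks usage counter from column 3 to column 4 and now writes `''` into column 3, matching the `[4]` decrement in fwhosts.cgi further down, but nothing here records what column 3 now holds; a comment next to these assignments, such as `#nets columns: [0] name, [1] net, [2] mask, [3] ??? (confirm against fwhosts.cgi), [4] usage count`, would keep the two files from drifting apart again. In the same hunk the `else` branch's `print LOG "-> Custom Network with same IP already exist …"` is the only log line in build_ovpn_grp left without the `$now` prefix this commit adds everywhere else. The enclosing sub build_ovpn_grp starts outside the hunk.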
@@ -863,7 +863,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost') &General::readhasharray("$confignet", \%customnetwork); foreach my $key1 (keys %customnetwork){ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ - $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1; + $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1; last; } } From bc912c6e0c34bfd81a915b3f2774fc6b848990ff Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 4 Apr 2013 13:02:50 +0200 Subject: [PATCH 201/306] Forward Firewall: Version 0.9.9.2 1) Some changes in en.pl 2) DNAT now supports REJECT/DROP rules 3) Bugfix: comma in remark customservicegroup 4) improved installer --- config/forwardfw/rules.pl | 17 +++++----- config/rootfiles/common/configroot | 2 +- html/cgi-bin/forwardfw.cgi | 51 +++++++++++------------------- html/cgi-bin/fwhosts.cgi | 4 +++ langs/en/cgi-bin/en.pl | 4 +-- 5 files changed, 34 insertions(+), 44 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 49a45b1a5..c7acd122b 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -176,16 +176,17 @@ sub buildrules my $natip; my $snatport; my $fireport; + my $nat; foreach my $key (sort {$a <=> $b} keys %$hash){ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29]); if($$hash{$key}[31] eq 'dnat'){ - $$hash{$key}[0]='DNAT'; + $nat='DNAT'; $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); }else{ - $$hash{$key}[0]='SNAT'; + $nat='SNAT'; } } $STAG=''; 
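Review bot: In the rules.pl `@@ -176` hunk `my $nat;` is declared once before the `foreach`, so its value persists from one rule to the next; today it is only read in the NAT branches, which all assign it first under the same `[28] eq 'ON'` test, but declaring it inside the loop body (`my $nat = '';` right after `foreach my $key (sort {$a <=> $b} keys %$hash){`) makes that invariant explicit instead of incidental. Not mutating `$$hash{$key}[0]` any more is the right fix, since that column is the user's ACCEPT/DROP/REJECT and the later hunks reuse it as the PORTFWACCESS target. The enclosing sub buildrules continues outside the hunk.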
@@ -288,12 +289,12 @@ sub buildrules print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); - print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; + print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; } } } 
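Review bot: The preview branch here tests `$$hash{$key}[32] eq 'snat'` while the executing branch in the `@@ -329` hunk on the next line and the `@@ -176` hunk above both use column 31 for the NAT type, so the dry-run output and the applied rules can disagree for SNAT rules; the commit edits the line right next to it and should align it: `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){`. More broadly the `print` and `system` paths are near-verbatim copies that must be edited in lockstep, as this commit does twice; building each command string once and then either printing or executing it would remove that hazard, and list-form `system` would stop the rule fields from passing through the shell. The enclosing sub buildrules continues outside both hunks.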
@@ -329,16 +330,16 @@ sub buildrules system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); - system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; + system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ if ($$hash{$key}[17] eq 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; } } } diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index b835931c4..a562d6551 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -53,7 +53,7 @@ var/ipfire/forward/config var/ipfire/forward/input var/ipfire/forward/outgoing var/ipfire/forward/dmz -var/ipfire/forward/net +var/ipfire/forward/nat var/ipfire/forward/p2protocols var/ipfire/fwhosts var/ipfire/fwhosts/icmp-types diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e69e6ce9f..68a18b428 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.1'; +my $VERSION='0.9.9.2'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -161,17 +161,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %confignatfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ - $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne 
$fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ - $errormessage=$Lang::tr{'fwdfw err remark'}."
"; - } - if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ - $fwdfwsettings{'nosave'} = 'on'; - } + if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]" + eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } } } } @@ -591,9 +591,9 @@ sub addrule { &error; if (-f "${General::swroot}/forward/reread"){ - print "
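Review bot: The rewritten duplicate check compares only columns 0–6, 11, 12, 14, 15 and 28–31 of each NAT rule, dropping the source-port, protocol, ICMP-type and time columns (7–10, 13, 17, 19–27) that the old comparison included; that narrowing looks deliberate, but nothing says so, and a comment above the `if` such as `#duplicate = same action, source, target, service and NAT settings; port/protocol/time columns intentionally ignored` would keep the next editor from "fixing" it back. Both sides are comma-joined strings, so any field that itself contains a comma shifts every later column of the comparison — the commit title mentions a comma-in-remark bug in the same area, which suggests comparing the columns individually instead. The enclosing `if ($fwdfwsettings{'ACTION'} eq 'saverule')` block starts and ends outside the hunk.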
$Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}


"; } - &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + &Header::openbox('100%', 'left', $Lang::tr{'firewall'}); print "
"; print ""; print ""; @@ -768,7 +768,7 @@ sub checktarget { my ($ip,$subnet); &General::readhasharray("$configsrv", \%customservice); - #check DNAT settings (has to be single Host and single Port) + #check DNAT settings (has to be single Host and single Port or portrange) if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ if ($fwdfwsettings{'USESRV'} eq ''){ @@ -783,7 +783,7 @@ sub checktarget $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; } } - #check if Port is a single Port + #check if Port is a single Port or portrange if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; @@ -945,17 +945,7 @@ sub checkrule if($fwdfwsettings{'USE_NAT'} eq 'ON'){ #if no port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} - - #check if given nat port is already used by another dnatrule - if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){ - foreach my $id (sort keys %confignatfw){ - if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){ - $errormessage=$Lang::tr{'fwdfw natport used'}."
"; - } - } - } - - #check if port given in nat area is a single valid port + #check if port given in nat area is a single valid port or portrange if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; } @@ -2346,12 +2336,7 @@ END $tooltip='REJECT'; $rulecolor=$color{'color16'}; } - if($$hash{$key}[28] eq 'ON'){ - print""; - $rulecolor=$color; - }else{ - print""; - } + print""; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print""; + $fwdfwsettings{'dnatport'}=~ tr/|/,/; print""; print""; #SNAT @@ -2371,6 +2406,7 @@ END if ($$hash{$key}[31] eq 'dnat'){ print "IPFire ($$hash{$key}[29])"; if($$hash{$key}[30] ne ''){ + $$hash{$key}[30]=~ tr/|/,/; print": $$hash{$key}[30]"; } print"
DNAT->"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 91ed3228b..0283f5c91 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1067,7 +1067,7 @@ if($fwhostsettings{'ACTION'} eq '') sub showmenu { if (-f "${General::swroot}/forward/reread"){ - print "
$ruletype$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 8581141e9..3b5f98218 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -722,6 +722,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') &General::readhasharray("$configsrvgrp", \%customservicegrp ); &General::readhasharray("$configsrv", \%customservice ); $errormessage=&checkservicegroup; + #check remark + if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } if (!$errormessage){ #on first save, we have to enter a dummy value if ($fwhostsettings{'CUST_SRV'} eq ''){ diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ac0d1de8e..33d31fc67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -966,7 +966,7 @@ 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', 'fwdfw rule activate' => 'Activate rule', -'fwdfw rulepos' => 'Ruleposition', +'fwdfw rulepos' => 'Rule position', 'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)', 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC, IP or Network):', @@ -1059,7 +1059,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', -'fwhost reread' => 'Firewallrules need to be updated.', +'fwhost reread' => 'Firewall rules need to be updated.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', From d526a95bf105e787d8432af4bf9d4ba1f165d781 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 4 Apr 2013 14:18:04 +0200 Subject: [PATCH 202/306] Forward Firewall: some changes in en.pl and de.pl. Also adapted "apply" button in fwhosts.cgi --- html/cgi-bin/fwhosts.cgi | 2 +- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 3b5f98218..91ed3228b 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1067,7 +1067,7 @@ if($fwhostsettings{'ACTION'} eq '') sub showmenu { if (-f "${General::swroot}/forward/reread"){ - print "
$Lang::tr{'fwhost reread'}


"; + print "
$Lang::tr{'fwhost reread'}


"; } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print< 'Custom Dienste:', 'fwhost cust srvgrp' => 'Custom Dienstgruppen', 'fwhost deleted' => 'Gelöscht', -'fwhost empty' => 'Keine Einträge vorhanden', +'fwhost empty' => 'Keine Regeln definiert', 'fwhost err addr' => 'IP oder Subnetzmaske ungültig', 'fwhost err addrgrp' => 'Bitte gruppenname angeben', 'fwhost err empty' => 'Bitte alle Felder füllen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 33d31fc67..f3ce76bf7 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1010,7 +1010,7 @@ 'fwhost cust service' => 'Custom services:', 'fwhost cust srvgrp' => 'Custom servicegroups', 'fwhost deleted' => 'Deleted', -'fwhost empty' => 'No entries by now', +'fwhost empty' => 'No rules defined', 'fwhost err addr' => 'Invalid IP or subnet', 'fwhost err addrgrp' => 'Please provide a groupname', 'fwhost err empty' => 'Please fill in all fields', From ed618226bb7f03b3a12155d8f2d1bcdb58adb566 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 8 Apr 2013 15:32:49 +0200 Subject: [PATCH 203/306] Forward Firewall: little changes in ruletable layout. (Headline) --- html/cgi-bin/forwardfw.cgi | 16 ++++++---------- langs/de/cgi-bin/de.pl | 5 +++-- langs/en/cgi-bin/en.pl | 9 +++++---- 3 files changed, 14 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 68a18b428..584f7f093 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.2'; +my $VERSION='0.9.9.3'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -593,7 +593,7 @@ sub addrule if (-f "${General::swroot}/forward/reread"){ print "
    $Lang::tr{'fwhost reread'}


"; } - &Header::openbox('100%', 'left', $Lang::tr{'firewall'}); + &Header::openbox('100%', 'left', ""); print "
"; print ""; print ""; @@ -1622,11 +1622,7 @@ sub newrule } } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - if ($fwdfwsettings{'TIME'} eq 'ON'){ - $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},''); - $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},''); - } -print ""; + print ""; &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); #------SOURCE------------------------------------------------------- @@ -2241,11 +2237,11 @@ sub validremark sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); - &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" ); + &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" ); &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); - &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); - &viewtablenew(\%confignatfw,$confignat,"","NAT" ); + &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); + &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" ); } sub viewtablenew { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 865a9348f..485c9ff4e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -892,7 +892,7 @@ 'fwdfw additional' => 'Zusätzlich', 'fwdfw action' => 'Aktion', 'fwdfw menu' => 'Firewall', -'fwdfw addrule' => 'Neue Regel hinzufügen:', +'fwdfw addrule' => 'Regel hinzufügen/ändern:', 'fwdfw addr grp' => 'Adressgruppen:', 'fwdfw change' => 'Aktualisieren', 'fwdfw cust addr' => 'Custom Adressen:', 
@@ -966,11 +966,12 @@ 'fwdfw wd_fri' => 'Fr', 'fwdfw wd_sat' => 'Sa', 'fwdfw wd_sun' => 'So', +'fwdfw xt access' => 'Zugriff auf Firewall', 'fwhost addgrp' => 'Gruppe:', 'fwhost addgrpname' => 'Gruppenname:', 'fwhost addhost' => 'Adresse:', 'fwhost addnet' => 'Netzwerk:', -'fwhost addrule' => 'Neue Regel hinzufügen:', +'fwhost addrule' => 'Regel hinzufügen/ändern:', 'fwhost any' => 'Alle', 'fwhost attention' => 'ACHTUNG', 'fwhost back' => 'Zurück', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index f3ce76bf7..bf730ff68 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -917,7 +917,7 @@ 'fwdfw additional' => 'Additional', 'fwdfw action' => 'Action', 'fwdfw menu' => 'Firewall', -'fwdfw addrule' => 'Add new rule:', +'fwdfw addrule' => 'Add/Edit rule:', 'fwdfw addr grp' => 'Adress groups:', 'fwdfw change' => 'Update', 'fwdfw cust addr' => 'Custom addresses:', @@ -980,8 +980,8 @@ 'fwdfw togglelog' => 'Activate or deactivate logging', 'fwdfw use nat' => 'Use NAT', 'fwdfw useless rule' => 'This rule is rejected (useless).', -'fwdfw use srcport' => 'Use sourceport', -'fwdfw use srv' => 'Use targetport', +'fwdfw use srcport' => 'Use source port', +'fwdfw use srv' => 'Use target port', 'fwdfw natport used' => 'The NAT port is already used by another DNAT rule', 'fwdfw newrule' => 'New rule', 'fwdfw wd_mon' => 'Mon', @@ -991,11 +991,12 @@ 'fwdfw wd_fri' => 'Fri', 'fwdfw wd_sat' => 'Sat', 'fwdfw wd_sun' => 'Sun', +'fwdfw xt access' => 'Access to firewall', 'fwhost addgrp' => 'Group:', 'fwhost addgrpname' => 'Groupname:', 'fwhost addhost' => 'Address:', 'fwhost addnet' => 'Network:', -'fwhost addrule' => 'Add new rule:', +'fwhost addrule' => 'Add/Edit rule:', 'fwhost any' => 'Any', 'fwhost attention' => 'ATTENTION', 'fwhost back' => 'back', From 98cee89f94b5a7eedbfeaef1a4f1dcbc2c0c73d5 Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Thu, 11 Apr 2013 10:50:29 +0200 Subject: [PATCH 204/306] Forward Firewall: Added multiport support to DNAT/Portforwarding Now it is possible to use multiple ports under DNAT when TARGET has no Port, one Port or one Portrange defined --- config/forwardfw/rules.pl | 35 +++++++++++++++++++++++---- html/cgi-bin/forwardfw.cgi | 48 +++++++++++++++++++++++++++++++++----- html/cgi-bin/fwhosts.cgi | 2 +- 3 files changed, 74 insertions(+), 11 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index c7acd122b..917e061eb 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -177,6 +177,7 @@ sub buildrules my $snatport; my $fireport; my $nat; + my $fwaccessdport; foreach my $key (sort {$a <=> $b} keys %$hash){ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ @@ -184,7 +185,12 @@ sub buildrules $natip=&get_nat_ip($$hash{$key}[29]); if($$hash{$key}[31] eq 'dnat'){ $nat='DNAT'; - $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + if ($$hash{$key}[30] =~ /\|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } }else{ $nat='SNAT'; } 
@@ -291,7 +297,16 @@ sub buildrules my ($ip,$sub) =split("/",$targethash{$b}[0]); print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; @@ -332,9 +347,17 @@ sub buildrules my ($ip,$sub) =split("/",$targethash{$b}[0]); system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ if ($$hash{$key}[17] eq 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; 
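Review bot: `if ($$hash{$key}[30]=~m/|/i)` is an empty alternation and matches every string, so the `-m multiport` form is emitted for every DNAT rule and the single-port `else` branch is dead; the test should be `m/\|/` (and, since the earlier hunk already rewrote `[30]` with `tr/|/,/`, it will then never see a pipe here, so the test probably wants to look for `,` instead). `$fwaccessdport` is now declared once per rule loop but only assigned when `$DPORT` or `[30]` is non-empty, so a rule with neither inherits the previous rule's value and its `PORTFWACCESS` line permits the wrong port; reset it at the top of each iteration with `$fwaccessdport='';`. The same block is duplicated verbatim in the `print` and `system` hunks (@@ -291 and @@ -332), so a small helper that returns the `--dport` fragment would keep the two in step. `buildrules` starts before and ends after these hunks.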
@@ -499,6 +522,10 @@ sub get_prot return &fwlib::get_srvgrp_prot($$hash{$key}[15]); } } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[12]"; + } } sub get_port { diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 584f7f093..72771e8cf 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -591,7 +591,7 @@ sub addrule { &error; if (-f "${General::swroot}/forward/reread"){ - print "
    $Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}


"; } &Header::openbox('100%', 'left', ""); print "
"; @@ -771,7 +771,7 @@ sub checktarget #check DNAT settings (has to be single Host and single Port or portrange) if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ - if ($fwdfwsettings{'USESRV'} eq ''){ + if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; } #check if manual ip is a single Host (if set) @@ -905,7 +905,6 @@ sub checktarget if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; - $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; } #check timeframe @@ -946,10 +945,9 @@ sub checkrule #if no port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} #check if port given in nat area is a single valid port or portrange - if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){ + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; - } - elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ + }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ my $custsrvport; #get servcie Protocol and Port foreach my $key (sort keys %customservice){ @@ -962,6 +960,42 @@ sub checkrule } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} } + #check if DNAT port is multiple + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + my @parts=split(",",$fwdfwsettings{'dnatport'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'dnatport'}=join("|",@values); + } } #check valid remark if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ @@ -1764,6 +1798,7 @@ END print ""; } print"
Port:

$Lang::tr{'fwhost reread'}


"; + print "
$Lang::tr{'fwhost reread'}


"; } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print< Date: Thu, 11 Apr 2013 17:33:22 +0200 Subject: [PATCH 205/306] Forward Firewall: added SNAT multiport support --- config/forwardfw/rules.pl | 15 ++++++++++----- html/cgi-bin/forwardfw.cgi | 4 ++-- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 917e061eb..1cbbee7a5 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -182,7 +182,7 @@ sub buildrules next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; - $natip=&get_nat_ip($$hash{$key}[29]); + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); if($$hash{$key}[31] eq 'dnat'){ $nat='DNAT'; if ($$hash{$key}[30] =~ /\|/){ @@ -308,8 +308,8 @@ sub buildrules } } print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } } } 
@@ -382,17 +382,22 @@ sub buildrules sub get_nat_ip { my $val=shift; + my $type=shift; my $result; if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ $result=$defaultNetworks{$val.'_ADDRESS'}; }elsif($val eq 'ALL'){ $result='-i '.$con; - }elsif($val eq 'Default IP'){ + }elsif($val eq 'Default IP' && $type eq 'dnat'){ $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; }else{ foreach my $al (sort keys %aliases){ - if($val eq $al){ + if($val eq $al && $type eq 'dnat'){ $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; } } } diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 72771e8cf..7bd3fa52f 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.3'; +my $VERSION='0.9.9.4'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -838,7 +838,7 @@ sub checktarget if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ - if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) { + if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') { $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
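Review bot: `$result` is left undefined when `$val` is `Default IP` or a known alias but `$type` is neither `dnat` nor `snat`, and as before when `$val` matches nothing at all; the caller then interpolates an empty `$natip` into the iptables command, which for DNAT drops the `-d` match so the rule applies to every destination. Before the return (which lies outside the hunk) it would be safer to treat that as an error than to emit a partial rule, e.g. `warn "get_nat_ip: no address for '$val' ($type)" unless defined $result;` and have `buildrules` skip the rule when `$natip` is empty. The `if`/`elsif` chain could also be shortened by computing the address once and prefixing `-d ` only when `$type eq 'dnat'`.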
"; } my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); From 6f348fcb9d96d8372fbfca50675736e81eec6661 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 12 Apr 2013 12:39:57 +0200 Subject: [PATCH 206/306] Forward Firewall: edited include file of backup. --- config/backup/include | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/backup/include b/config/backup/include index baff1cd92..551b52df2 100644 --- a/config/backup/include +++ b/config/backup/include @@ -15,8 +15,8 @@ /var/ipfire/auth/users /var/ipfire/dhcp/* /var/ipfire/dnsforward/* -/var/ipfire/forward/* -/var/ipfire/fwhosts/* +/var/ipfire/forward +/var/ipfire/fwhosts /var/ipfire/main/* /var/ipfire/ovpn /var/ipfire/ppp From 94ea1f03464ab9434189ec270baa83fc2f2dcadd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Sun, 14 Apr 2013 15:10:13 +0200 Subject: [PATCH 207/306] Forward Firewall: fixed firewall hits statistik and extended it to show input,output,forward,newnotsyn and portscan seperately. --- config/cfgroot/graphs.pl | 48 ++++++++++++++++++++++++-------- config/collectd/collectd.conf | 7 +++-- config/forwardfw/firewall-policy | 6 ++-- src/initscripts/init.d/firewall | 3 ++ 4 files changed, 46 insertions(+), 18 deletions(-) diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index c51e882e2..83cc60f26 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -216,7 +216,7 @@ sub updatecpugraph { ,"GPRINT:userpct:AVERAGE:%3.2lf%%" ,"GPRINT:userpct:MIN:%3.2lf%%" ,"GPRINT:userpct:LAST:%3.2lf%%\\j" - ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'}) + ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'}) ,"GPRINT:systempct:MAX:%3.2lf%%" ,"GPRINT:systempct:AVERAGE:%3.2lf%%" ,"GPRINT:systempct:MIN:%3.2lf%%" 
@@ -602,26 +602,50 @@ sub updatefwhitsgraph { "--color=SHADEA".$color{"color19"}, "--color=SHADEB".$color{"color19"}, "--color=BACK".$color{"color21"}, - "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", - "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", - "CDEF:amount=output,input,newnotsyn,+,+", - "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}), + #"CDEF:amount=input", + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), - "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j", - "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}), - "GPRINT:amount:MAX:%8.1lf %sBps", - "GPRINT:amount:AVERAGE:%8.1lf %sBps", - "GPRINT:amount:MIN:%8.1lf %sBps", - "GPRINT:amount:LAST:%8.1lf %sBps\\j", - "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}), + "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"), + "GPRINT:input:MAX:%8.1lf %sBps", + "GPRINT:input:AVERAGE:%8.1lf %sBps", + "GPRINT:input:MIN:%8.1lf %sBps", + 
"GPRINT:input:LAST:%8.1lf %sBps\\j", + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"), + "GPRINT:output:MAX:%8.1lf %sBps", + "GPRINT:output:AVERAGE:%8.1lf %sBps", + "GPRINT:output:MIN:%8.1lf %sBps", + "GPRINT:output:LAST:%8.1lf %sBps\\j", + "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"), + "GPRINT:forward:MAX:%8.1lf %sBps", + "GPRINT:forward:AVERAGE:%8.1lf %sBps", + "GPRINT:forward:MIN:%8.1lf %sBps", + "GPRINT:forward:LAST:%8.1lf %sBps\\j", + "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"), + "GPRINT:newnotsyn:MAX:%8.1lf %sBps", + "GPRINT:newnotsyn:MIN:%8.1lf %sBps", + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps", + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j", + "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}), "GPRINT:portscan:MAX:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:AVERAGE:%8.1lf %sBps", "GPRINT:portscan:LAST:%8.1lf %sBps\\j", + + "LINE1:input".$color{"color24"}, + "LINE1:output".$color{"color25"}, + "LINE1:forward".$color{"color23"}, + "LINE1:newnotsyn".$color{"color14"}, + "LINE1:portscan".$color{"color16"}, + + ); $ERROR = RRDs::error; print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR; diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 67d9e1905..e222d5cb7 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -23,7 +23,7 @@ LoadPlugin memory LoadPlugin ping LoadPlugin processes LoadPlugin rrdtool -LoadPlugin sensors +#LoadPlugin sensors LoadPlugin swap LoadPlugin syslog #LoadPlugin wireless @@ -45,10 +45,11 @@ include "/etc/collectd.precache" - Chain filter INPUT DROP_INPUT - Chain filter FORWARD DROP_OUTPUT Chain filter PSCAN DROP_PScan Chain filter NEWNOTSYN DROP_NEWNOTSYN + Chain filter POLICYFWD DROP_FORWARD + Chain filter POLICYOUT DROP_OUTPUT + Chain filter POLICYIN DROP_INPUT # 
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index 55287dd07..6e648e268 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -23,8 +23,8 @@ if [ "$POLICY" == "MODE1" ]; then /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi else - /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE" - /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD" + /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP + /sbin/iptables -A POLICYFWD -j ACCEPT fi #OUTGOINGFW @@ -42,7 +42,7 @@ if [ "$POLICY1" == "MODE1" ]; then /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" fi else - /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT" + /sbin/iptables -A POLICYOUT -j ACCEPT fi #INPUT if [ "$FWPOLICY2" == "REJECT" ]; then diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 7e3248147..57bdef901 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -277,6 +277,9 @@ case "$1" in /usr/sbin/firewall-policy + #Only for firewall Hits statistik + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" ;; startovpn) # run openvpn From be9be7cb5bf598e7d0781559ecd88ad702b58db2 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 15 Apr 2013 05:50:20 +0200 Subject: [PATCH 208/306] Forward Firewall: enabled /var/ipfire/optionsfw/settings in configroot --- config/rootfiles/common/configroot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index a562d6551..32f7d4d56 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot 
@@ -120,7 +120,7 @@ var/ipfire/net-traffic #var/ipfire/nfs #var/ipfire/nfs/nfs-server var/ipfire/optionsfw -#var/ipfire/optionsfw/settings +var/ipfire/optionsfw/settings #var/ipfire/outgoing #var/ipfire/outgoing/bin #var/ipfire/outgoing/bin/outgoingfw.pl From ed31c098f5306caf1bf0abefaf7814ccb6636362 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 15 Apr 2013 09:50:39 +0200 Subject: [PATCH 209/306] Forward Firewall: added drop rules to firewall's stop script so that collectd is working --- src/initscripts/init.d/firewall | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 57bdef901..24dee132a 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -316,6 +316,13 @@ case "$1" in /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + + #Only for firewall Hits statistik + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + + + ;; stopovpn) # stop openvpn From 9468a6f71372b680f642cc2c71466db8ce30a186 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 15 Apr 2013 12:00:35 +0200 Subject: [PATCH 210/306] Forward Firewall: Firewall Hits graph now with stacked values --- config/cfgroot/graphs.pl | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 83cc60f26..f8b182b5e 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl 
@@ -607,45 +607,36 @@ sub updatefwhitsgraph { "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", - #"CDEF:amount=input", "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j", - "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"), - "GPRINT:input:MAX:%8.1lf %sBps", - "GPRINT:input:AVERAGE:%8.1lf %sBps", - "GPRINT:input:MIN:%8.1lf %sBps", - "GPRINT:input:LAST:%8.1lf %sBps\\j", "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"), "GPRINT:output:MAX:%8.1lf %sBps", "GPRINT:output:AVERAGE:%8.1lf %sBps", "GPRINT:output:MIN:%8.1lf %sBps", "GPRINT:output:LAST:%8.1lf %sBps\\j", - "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"), + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"), "GPRINT:forward:MAX:%8.1lf %sBps", "GPRINT:forward:AVERAGE:%8.1lf %sBps", "GPRINT:forward:MIN:%8.1lf %sBps", "GPRINT:forward:LAST:%8.1lf %sBps\\j", - "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"), + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"), + "GPRINT:input:MAX:%8.1lf %sBps", + "GPRINT:input:AVERAGE:%8.1lf %sBps", + "GPRINT:input:MIN:%8.1lf %sBps", + "GPRINT:input:LAST:%8.1lf %sBps\\j", + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"), "GPRINT:newnotsyn:MAX:%8.1lf %sBps", "GPRINT:newnotsyn:MIN:%8.1lf %sBps", 
"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps", "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j", - "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}), + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}), "GPRINT:portscan:MAX:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:AVERAGE:%8.1lf %sBps", "GPRINT:portscan:LAST:%8.1lf %sBps\\j", - - "LINE1:input".$color{"color24"}, - "LINE1:output".$color{"color25"}, - "LINE1:forward".$color{"color23"}, - "LINE1:newnotsyn".$color{"color14"}, - "LINE1:portscan".$color{"color16"}, - - ); $ERROR = RRDs::error; print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR; From 53f4c74d9bd0eebf70b4540b688be6d6c3e556ab Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 15 Apr 2013 15:02:50 +0200 Subject: [PATCH 211/306] Forward Firewall: some changes in firewall script to make collectd work --- config/collectd/collectd.conf | 2 +- config/forwardfw/firewall-policy | 10 ++++++++-- src/initscripts/init.d/firewall | 8 ++++---- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index e222d5cb7..14dd568c2 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -23,7 +23,7 @@ LoadPlugin memory LoadPlugin ping LoadPlugin processes LoadPlugin rrdtool -#LoadPlugin sensors +LoadPlugin sensors LoadPlugin swap LoadPlugin syslog #LoadPlugin wireless diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index 6e648e268..9af835cc9 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy 
@@ -2,11 +2,15 @@ eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) iptables -F POLICYFWD iptables -F POLICYOUT iptables -F POLICYIN -IFACE=`cat /var/ipfire/red/iface` + +if [ -f "/var/ipfire/red/iface" ]; then + IFACE=`cat /var/ipfire/red/iface` +fi #FORWARDFW if [ "$POLICY" == "MODE1" ]; then @@ -23,7 +27,9 @@ if [ "$POLICY" == "MODE1" ]; then /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi else - /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP + if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then + /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP + fi /sbin/iptables -A POLICYFWD -j ACCEPT fi diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 24dee132a..3d14143b4 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -120,8 +120,8 @@ iptables_red() { fi # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE fi } @@ -318,8 +318,8 @@ case "$1" in /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" #Only for firewall Hits statistik - /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" - /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + #/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + #/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" From aff15defbc1ade178a1fbbf1fa1b592033d4fb77 Mon Sep 17 00:00:00 2001 
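Review bot: The new guard in the `else` branch of the POLICY block tests `$BLUE_DEV`, but the rule it protects still hard-codes `-i blue0`; if the guard is meant to key on the configured blue interface, the rule should use the same variable: `/sbin/iptables -A POLICYFWD -i $BLUE_DEV ! -o $IFACE -j DROP`. The `if [ -f "/var/ipfire/red/iface" ]` block leaves `$IFACE` empty when RED is down, which the `[ "$IFACE" ]` test handles, so that part is fine. The added `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` executes whatever `readhash` prints for that file as shell code, so a comment noting that the settings file must stay writable by root only would document the trust boundary the script relies on.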
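Review bot: Commenting out the two REDNAT rules in `iptables_red()` disables outbound masquerading on the RED interface entirely, which the subject line ('make collectd work') does not explain; with them gone, traffic from the internal networks leaves RED with its private source addresses. If the intent was only to stop those rules from being counted, they should stay active and the collectd side be adjusted instead (a later patch in this series restores them). In the second hunk the POLICYFWD/POLICYOUT DROP rules are likewise commented out rather than removed or moved; commented-out rules in an init script tend to be forgotten, so either delete them or leave a comment saying where the replacement lives. The enclosing `case` block continues outside both hunks.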
From: Alexander Marx Date: Mon, 15 Apr 2013 20:29:15 +0200 Subject: [PATCH 212/306] Forward Firewall: rules for collectd now in firewall-policy instead of /etc/init.d/firewall --- config/forwardfw/firewall-policy | 4 ++++ src/initscripts/init.d/firewall | 10 ---------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index 9af835cc9..0a5cd14b0 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -31,6 +31,7 @@ else /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP fi /sbin/iptables -A POLICYFWD -j ACCEPT + /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP fi #OUTGOINGFW @@ -49,6 +50,7 @@ if [ "$POLICY1" == "MODE1" ]; then fi else /sbin/iptables -A POLICYOUT -j ACCEPT + /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP fi #INPUT if [ "$FWPOLICY2" == "REJECT" ]; then @@ -63,3 +65,5 @@ if [ "$FWPOLICY2" == "DROP" ]; then fi /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" fi + +exit 0 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 3d14143b4..0888145e2 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -276,10 +276,6 @@ case "$1" in /sbin/iptables -A OUTPUT -j POLICYOUT /usr/sbin/firewall-policy - - #Only for firewall Hits statistik - /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" - /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" ;; startovpn) # run openvpn @@ -317,12 +313,6 @@ case "$1" in fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - #Only for firewall Hits statistik - #/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" - #/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" - - - ;; stopovpn) # stop openvpn From dc82656bf97fef330f5f34ee237426fb53d86708 Mon Sep 17 00:00:00 2001 
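Review bot: The added `-j DROP` carrying the `DROP_FORWARD` comment sits directly after an unconditional `-A POLICYFWD -j ACCEPT`, so it can never match; the same holds for the `DROP_OUTPUT` rule after `-A POLICYOUT -j ACCEPT`. If these exist only so the collectd iptables plugin finds a rule with that comment, as the subject suggests, say so at the rule: `# never reached; present only so collectd finds the DROP_FORWARD counter`. The trailing `exit 0` forces a success status regardless of whether any `iptables` call above failed, so the init script cannot detect a broken policy; consider dropping it or exiting with the last failure instead.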
From: Alexander Marx Date: Wed, 17 Apr 2013 12:02:13 +0200 Subject: [PATCH 213/306] Forward Firewall: 0.9.9.4a - Bugfix typo in firewallscript, DMZ Link on startpage now leads to firewall instead of dmzpinholes --- html/cgi-bin/forwardfw.cgi | 2 +- html/cgi-bin/index.cgi | 2 +- src/initscripts/init.d/firewall | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7bd3fa52f..ef9264cb1 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.4'; +my $VERSION='0.9.9.4a'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index ea19e26f5..03ef36746 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -341,7 +341,7 @@ END } else { print $Lang::tr{'advproxy off'}; } } if ( $netsettings{'ORANGE_DEV'} ) { print <$Lang::tr{'dmz'}
+ $Lang::tr{'dmz'}
$netsettings{'ORANGE_ADDRESS'} Online END diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0888145e2..df8405b52 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -120,8 +120,8 @@ iptables_red() { fi # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE fi } From 931e1fed53d8b5b74dbf2c2bedafc0399cccc7fe Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 19 Apr 2013 13:12:56 +0200 Subject: [PATCH 214/306] Forward Firewall: added some plausi checks. Now it is checked if someone enters an manual ip address that is a openvpn client. The colors are set correctly in ruletable when someone enters a manual ip which belongs to an IPsec Network, IPsec Roadwarrior (if iprange set) or openvpn n2n --- html/cgi-bin/forwardfw.cgi | 114 ++++++++++++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 2 + langs/en/cgi-bin/en.pl | 2 + 3 files changed, 109 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index ef9264cb1..e074047b3 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.4a'; +my $VERSION='0.9.9.5'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -107,7 +107,9 @@ my @protocols; &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); &General::readhash($fwoptions, \%optionsfw); &General::readhash($ifacesettings, \%ifaces); - +&General::readhash("$configovpn", \%ovpnsettings); +&General::readhash("$configipsecrw", \%ipsecsettings); +&General::readhasharray("$configipsec", \%ipsecconf); &Header::showhttpheaders(); &Header::getcgihash(\%fwdfwsettings); &Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); @@ -656,7 +658,6 @@ sub changerule sub checksource { my ($ip,$subnet); - #check ip-address if manual if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){ #check if ip with subnet @@ -676,6 +677,11 @@ sub checksource if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';} } if ($fwdfwsettings{'isip'} eq 'on'){ + ##check if ip is valid + if (! &General::validip($ip)){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; + } #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); @@ -684,15 +690,24 @@ sub checksource if (($tmp[3] eq "0") || ($tmp[3] eq "255")) { $errormessage=$Lang::tr{'fwhost err hostip'}."
"; + return $errormessage; + } + #check if the ip is part of an existing openvpn client/net or ipsec network + #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's + if (! &checkvpn($ip)){ + $errormessage=$Lang::tr{'fwdfw err srcovpn'}; + return $errormessage; + }else{ + $fwdfwsettings{'src_addr'}="$ip/$subnet"; } - $fwdfwsettings{'src_addr'}="$ip/$subnet"; - if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; } } if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + return $errormessage; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; @@ -761,8 +776,8 @@ sub checksource } } $fwdfwsettings{'SRC_PORT'}=join("|",@values); - return $errormessage; } + return $errormessage; } sub checktarget { @@ -773,6 +788,7 @@ sub checktarget if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; } #check if manual ip is a single Host (if set) if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){ @@ -781,19 +797,23 @@ sub checktarget if (($tmp1[0] eq "0") || ($tmp1[0] eq "255")) { $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + return $errormessage; } } #check if Port is a single Port or portrange if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; } if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; } } }else{ $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; + return $errormessage; } } if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ @@ -807,13 +827,25 @@ sub checktarget $ip=$fwdfwsettings{'tgt_addr'}; $subnet='32'; } + #check if ip is valid + if (! &General::validip($ip)){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
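Review bot: The new `return $errormessage;` under `if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq '')` now aborts the check for every protocol with an empty target port, because no value can equal both 'TCP' and 'UDP' and the `||` condition is therefore always true. If the intent is 'neither TCP nor UDP', the test should be `&&`; if the intent is to require a port whenever DNAT is used, the protocol test is redundant and should go. The early returns themselves are an improvement over the previous fall-through, which let later checks overwrite `$errormessage`. `checktarget` starts and ends outside this hunk.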
"; + return $errormessage; + } #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); - - $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; + #check if the ip is part of an existing openvpn client/net or ipsec network + #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's + if (! &checkvpn($ip)){ + $errormessage=$Lang::tr{'fwdfw err tgtovpn'}; + return $errormessage; + }else{ + $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; + } if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; + return $errormessage; } }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; @@ -840,6 +872,7 @@ sub checktarget if ($fwdfwsettings{'TGT_PORT'} ne ''){ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') { $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
"; + return $errormessage; } my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); my @values=(); @@ -900,7 +933,6 @@ sub checktarget } } } - #check targetport if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; @@ -911,6 +943,7 @@ sub checktarget if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ $errormessage=$Lang::tr{'fwdfw err time'}; + return $errormessage; } } return $errormessage; @@ -1076,6 +1109,32 @@ sub checkcounter }elsif($base2 eq 'cust_srvgrp'){ &inc_counter($configsrvgrp,\%customservicegrp,$val2); } +} +sub checkvpn +{ + my $ip=shift; + #Test if manual IP is part of static OpenVPN networks + &General::readhasharray("$configccdnet", \%ccdnet); + foreach my $key (sort keys %ccdnet){ + my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]); + my $sub=&General::iporsubtodec($vpnsubnet); + if (&General::IpInSubnet($ip,$vpnip,$sub)){ + return 0; + } + } + # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor + # because if one creates a custom host with the ip, we need to check the color there! + # It does not make sense to check this here + + # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here + # Is also checked in getcolor + + # Test if manual ip is part of an IPsec Network is also checked in getcolor + return 1; +} +sub checkvpncolor +{ + } sub deleterule { 
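Review bot: `checkvpn` returns 0 when the address lies inside one of the static OpenVPN networks read from `$configccdnet` and 1 otherwise, so every caller has to write `if (! &checkvpn($ip))` to detect the VPN case; the name reads as a predicate with the opposite sense. Returning true for 'is a VPN address' (or naming it `ip_in_ovpn_net`) would remove the double negative, and the new texts `fwdfw err srcovpn`/`fwdfw err tgtovpn` say 'OpenVPN client' although only the networks in `$configccdnet` are checked here. The empty `sub checkvpncolor {}` stub added below it should be removed or carry a `# TODO:` so it is not mistaken for a working check. The block comments explaining what is deliberately *not* checked here are useful; a one-line comment on why `$configccdnet` is re-read on every call would complete them.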
@@ -1432,6 +1491,33 @@ sub getcolor my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #Check if a manual IP is part of a VPN + if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){ + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + my ($c,$d) = split("/",$val); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + return; + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + return; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + return; + } + } + } #VPN networks if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ $tdcolor="style='border: 1px solid $Header::colourovpn;'"; 
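Review bot: In the new manual-IP branch `my ($a,$b) = split(...)` declares lexical `$a` and `$b`, which shadow the package variables `sort` relies on; any `sort { $a <=> $b }` in the same scope would then see the lexicals, and perlcritic flags it, so rename them (`my ($net_ip, $net_mask)`). The three `IpInSubnet` calls are also fed differently: the RW_NET mask is run through `iporsubtodec`, while `DOVPN_SUBNET` and `$ipsecconf{$key}[11]` are passed straight from `split`, so if those settings are stored in CIDR form the first and third checks compare against a prefix length rather than a dotted mask — worth confirming and normalising all three the same way. Nothing guards the `DOVPN_SUBNET` split when OpenVPN is unconfigured, unlike the `RW_NET ne ''` check below it. `getcolor`'s body continues outside the hunk.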
@@ -1460,29 +1546,39 @@ sub getcolor #standard networks if ($val eq 'GREEN'){ $tdcolor="style='border: 1px solid $Header::colourgreen;'"; + return; }elsif ($val eq 'ORANGE'){ $tdcolor="style='border: 1px solid $Header::colourorange;'"; + return; }elsif ($val eq 'BLUE'){ $tdcolor="style='border: 1px solid $Header::colourblue;'"; + return; }elsif ($val eq 'RED'){ $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; }elsif ($val eq 'IPFire' ){ $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; }elsif($val =~ /^(.*?)\/(.*?)$/){ my ($sip,$scidr) = split ("/",$val); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ $tdcolor="style='border: 1px solid $Header::colourorange;'"; + return; } if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ $tdcolor="style='border: 1px solid $Header::colourgreen;'"; + return; } if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ $tdcolor="style='border: 1px solid $Header::colourblue;'"; + return; } }elsif ($val eq 'Default IP'){ $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; }else{ $tdcolor=''; + return; } } } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 485c9ff4e..40f6c4599 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -912,11 +912,13 @@ 'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen', 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', 'fwdfw err src_addr' => 'Quell-MAC/IP ungültig', +'fwdfw err srcovpn' => 'Quell-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen', 'fwdfw err same' => 'Quelle und Ziel sind identisch', 'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz', 'fwdfw err srcport' => 'Bitte Quellport angeben', 'fwdfw err tgtport' => 'Bitte Zielport angeben', 'fwdfw err tgt_addr' => 'Ziel-IP ungültig', +'fwdfw err tgtovpn' => 'Ziel-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen', 'fwdfw err tgt_port' => 'Ziel Port ungültig', 'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden', 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf730ff68..2f3ec67e5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -937,11 +937,13 @@ 'fwdfw err remark' => 'Invalid chars in remark.', 'fwdfw err ruleexists' => 'This rule already exists.', 'fwdfw err src_addr' => 'Invalid source MAC/IP.', +'fwdfw err srcovpn' => 'Source-IP is an OpenVPN client. Please use dropdown for selection', 'fwdfw err same' => 'Identical source and target', 'fwdfw err samesub' => 'Source and target IP adress are in same subnet.', 'fwdfw err srcport' => 'Please provide source port.', 'fwdfw err tgtport' => 'Please provide target port.', 'fwdfw err tgt_addr' => 'Invalid target IP-address.', +'fwdfw err tgtovpn' => 'Target-IP is an OpenVPN client. Please use dropdown for selection', 'fwdfw err tgt_port' => 'Invalid target port', 'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.', 'fwdfw err tgt_grp' => 'Target servicegroup is empty', From 6945e46310ca87cd42ca537293db33a77dc35dbe Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Tue, 23 Apr 2013 14:14:58 +0200 Subject: [PATCH 215/306] Forward Firewall: rewrote portcheck routine in ovpnmain so that checks for portforwardingports are made against /var/ipfire/forward/nat instead of /var/ipfire/portfw/config --- html/cgi-bin/ovpnmain.cgi | 90 ++++++++++----------------------------- 1 file changed, 23 insertions(+), 67 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5e18d3cb5..fb3cb622f 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -165,49 +165,31 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } - sub checkportfw { - my $KEY2 = $_[0]; # key2 - my $SRC_PORT = $_[1]; # src_port - my $PROTOCOL = $_[2]; # protocol - my $SRC_IP = $_[3]; # sourceip - - my $pfwfilename = "${General::swroot}/portfw/config"; - open(FILE, $pfwfilename) or die 'Unable to open config file.'; - my @pfwcurrent = ; - close(FILE); - my $pfwkey1 = 0; # used for finding last sequence number used - foreach my $pfwline (@pfwcurrent) - { - my @pfwtemp = split(/\,/,$pfwline); - - chomp ($pfwtemp[8]); - if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $SRC_PORT eq $pfwtemp[3] && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7]) - { - $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $pfwtemp[1] eq "0") { - $pfwkey1=$pfwtemp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($pfwtemp[1] eq "0" && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7] && - $errormessage eq '') - { - &portchecks($SRC_PORT, $pfwtemp[5]); -# &portchecks($pfwtemp[3], $pfwtemp[5]); -# &portchecks($pfwtemp[3], $SRC_IP); + my $DPORT = shift; + my $DPROT = shift; + my %natconfig =(); + my $confignat = "${General::swroot}/forward/nat"; + $DPROT= uc ($DPROT); + &General::readhasharray($confignat, \%natconfig); + foreach my $key (sort keys %natconfig){ + $errormessage .= "uzlputz: $natconfig{$key}[30] und $natconfig{$key}[12]
"; + my @portarray = split (/\|/,$natconfig{$key}[30]); + foreach my $value (@portarray){ + $errormessage .= "uzlputz -split portaray: $value
"; + if ($value =~ /:/i){ + my ($a,$b) = split (":",$value); + if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + }else{ + if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + } } } - } -# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; - - return; + return; } sub checkportoverlap @@ -239,32 +221,6 @@ sub checkportinc return 0; } } -# Darren Critchley - Duplicate or overlapping Port range check -sub portchecks -{ - my $p1 = $_[0]; # New port range - my $p2 = $_[1]; # existing port range -# $_ = $_[0]; - our ($prtrange1, $prtrange2); - $prtrange1 = 0; -# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges -# unless (&checkportoverlap($p1,$p2)) { -# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; -# } -# } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p2,$p1)) { - $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; - } - } - $prtrange1 = 1; - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p1,$p2)) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; - } - } - return; -} # Darren Critchley - certain ports are reserved for IPFire # TCP 67,68,81,222,445 @@ -1144,7 +1100,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); } if ($errormessage) { goto SETTINGS_ERROR; } From 139a1ab9475c73f4c773d83de17346aca2e4eb8c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 23 Apr 2013 14:21:52 +0200 Subject: [PATCH 216/306] Forward Firewall: removed devel-tags --- html/cgi-bin/ovpnmain.cgi | 2 -- 1 file changed, 2 deletions(-) 
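Review bot: The range test `$DPORT gt $a && $DPORT lt $b` compares port numbers as strings, so `80` sorts above `1000` and a port equal to either range end never matches; as a result a port the NAT table already forwards can be accepted as the OpenVPN port, and a free one can be rejected. Use numeric, inclusive comparison: `if ($DPROT eq $natconfig{$key}[12] && $DPORT >= $a && $DPORT <= $b){`, and compare the single-port case with `==` for the same reason. The `uzlputz:` debug lines append to `$errormessage` on every iteration and would surface in the UI; they must not ship (the next patch in the series removes them). `my ($a,$b)` also shadows the `sort` globals, and the `/i` on `/:/` has no effect.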
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index fb3cb622f..9be8d3a08 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -173,10 +173,8 @@ sub checkportfw { $DPROT= uc ($DPROT); &General::readhasharray($confignat, \%natconfig); foreach my $key (sort keys %natconfig){ - $errormessage .= "uzlputz: $natconfig{$key}[30] und $natconfig{$key}[12]
"; my @portarray = split (/\|/,$natconfig{$key}[30]); foreach my $value (@portarray){ - $errormessage .= "uzlputz -split portaray: $value
"; if ($value =~ /:/i){ my ($a,$b) = split (":",$value); if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ From e3c589276a90cfd67070e5e3f8007fc7ead6058f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 24 Apr 2013 11:49:11 +0200 Subject: [PATCH 217/306] Forward Firewall: if ipsec rw net is set to green subnet, the rules are colored green instead of purple --- html/cgi-bin/forwardfw.cgi | 75 +++++++++++++++++++------------------- 1 file changed, 37 insertions(+), 38 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e074047b3..922297d05 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.5'; +my $VERSION='0.9.9.6'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -1491,6 +1491,40 @@ sub getcolor my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #standard networks + if ($val eq 'GREEN'){ + $tdcolor="style='border: 1px solid $Header::colourgreen;'"; + return; + }elsif ($val eq 'ORANGE'){ + $tdcolor="style='border: 1px solid $Header::colourorange;'"; + return; + }elsif ($val eq 'BLUE'){ + $tdcolor="style='border: 1px solid $Header::colourblue;'"; + return; + }elsif ($val eq 'RED'){ + $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; + }elsif ($val eq 'IPFire' ){ + $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; + }elsif($val =~ /^(.*?)\/(.*?)$/){ + my ($sip,$scidr) = split ("/",$val); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourorange;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourgreen;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="style='border: 1px solid $Header::colourblue;'"; + return; + } + }elsif ($val eq 'Default IP'){ + $tdcolor="style='border: 1px solid $Header::colourred;'"; + return; + } #Check if a manual IP is part of a VPN if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){ #Check if IP is part of OpenVPN dynamic subnet 
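Review bot: The seven `$tdcolor="style='border: 1px solid $Header::colourX;'"; return;` branches moved into this position repeat one template with only the colour changing; a lookup such as `my %colour_for = (GREEN => $Header::colourgreen, ORANGE => $Header::colourorange, BLUE => $Header::colourblue, RED => $Header::colourred, 'IPFire' => $Header::colourred, 'Default IP' => $Header::colourred);` followed by a single assignment would shrink the hunk and make the later manual-IP checks read as the exception they are. The reordering (named networks before the VPN checks) is what makes an IPsec RW net equal to GREEN colour green, as the subject says, so a one-line comment stating that the order is deliberate would stop the next reader from 'fixing' it. `getcolor` continues outside the hunk.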
@@ -1543,44 +1577,9 @@ sub getcolor return; } } - #standard networks - if ($val eq 'GREEN'){ - $tdcolor="style='border: 1px solid $Header::colourgreen;'"; - return; - }elsif ($val eq 'ORANGE'){ - $tdcolor="style='border: 1px solid $Header::colourorange;'"; - return; - }elsif ($val eq 'BLUE'){ - $tdcolor="style='border: 1px solid $Header::colourblue;'"; - return; - }elsif ($val eq 'RED'){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; - return; - }elsif ($val eq 'IPFire' ){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; - return; - }elsif($val =~ /^(.*?)\/(.*?)$/){ - my ($sip,$scidr) = split ("/",$val); - if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourorange;'"; - return; - } - if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourgreen;'"; - return; - } - if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ - $tdcolor="style='border: 1px solid $Header::colourblue;'"; - return; - } - }elsif ($val eq 'Default IP'){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; - return; - }else{ - $tdcolor=''; - return; - } } + $tdcolor=''; + return; } sub hint { From eff2dbf8336c3935535a5f5565bfc27c4fccd4bb Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 26 Apr 2013 10:24:34 +0200 Subject: [PATCH 218/306] Forward Firewall: changed sort-order to Sort::Naturally. This Perl Module will be available since core 68. --- html/cgi-bin/forwardfw.cgi | 26 +++++++++++++------------- html/cgi-bin/fwhosts.cgi | 31 ++++++++++++++++--------------- html/cgi-bin/ovpnmain.cgi | 10 +++++----- html/cgi-bin/vpnmain.cgi | 4 ++-- 4 files changed, 36 insertions(+), 35 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 922297d05..e9c051b15 100755 --- a/html/cgi-bin/forwardfw.cgi 
+++ b/html/cgi-bin/forwardfw.cgi @@ -31,6 +31,7 @@ ############################################################################### use strict; +use Sort::Naturally; no warnings 'uninitialized'; # enable only the following on debugging purpose #use warnings; @@ -1188,7 +1189,6 @@ sub dec_counter my %hash=%{(shift)}; my $val=shift; my $pos; - #$errormessage.="ALT:config: $config , verringert wird $val
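Review bot: `use Sort::Naturally;` makes the CGI fail at compile time on any system without the module, and the subject says it only ships from core 68, so forwardfw.cgi (and the same line added to fwhosts.cgi, ovpnmain.cgi and vpnmain.cgi in this commit) will produce a blank page instead of a clear error on older cores. If the rollout order cannot guarantee the module, either guard it with `eval { require Sort::Naturally; Sort::Naturally->import; 1 }` and fall back to the previous `uc() cmp uc()` sort, or make the package dependency explicit where the core update is assembled. The `dec_counter` loop in the next hunk still sorts with `uc($hash{$a}[0]) cmp uc($hash{$b}[0])`, so the conversion is incomplete there.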
"; &General::readhasharray($config, \%hash); foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ @@ -1213,7 +1213,7 @@ sub fillselect my %hash=%{(shift)}; my $val=shift; my $key; - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + foreach my $key (sort { ncmp($hash{$a}[0],$hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ print""; }else{ @@ -1275,7 +1275,7 @@ END #custom groups if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print"$Lang::tr{'fwhost cust grp'}$Lang::tr{'fwhost ccdhost'}";} #OVPN N2N - foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){ + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ print"$Lang::tr{'fwhost ovpn_n2n'}:";} #IPsec netze - foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) { + foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print"$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}"; if (! -z $confignet){ print"$Lang::tr{'fwhost cust net'}"; } if (! -z $confighost){ print"$Lang::tr{'fwhost cust addr'}"; 
@@ -1203,14 +1204,14 @@ END #OVPN networks if (! -z $configccdnet){ print"$Lang::tr{'fwhost ccdnet'}"; } #OVPN clients - foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) + foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost) { if ($ccdhost{$key}[33] ne ''){ print"$Lang::tr{'fwhost ccdhost'}";} #OVPN n2n networks - foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) { + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost) { if($ccdhost{$key}[3] eq 'net'){ print"$Lang::tr{'fwhost ovpn_n2n'}";} #IPsec networks - foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) { + foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net'){ print"$Lang::tr{'fwhost ipsec net'} END &General::readhasharray("$configsrv", \%customservice); - foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice) + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice) { print ""; } @@ -1372,7 +1373,7 @@ sub viewtablenet END } my $count=0; - foreach my $key (sort {$a <=> $b} keys %customnetwork) { + foreach my $key (sort {ncmp($a,$b)} keys %customnetwork) { if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) { print" "; }elsif ($count % 2) @@ -1420,7 +1421,7 @@ sub viewtablehost END } my $count=0; - foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0])|| $a <=> $b } keys %customhost) { + foreach my $key (sort { ncmp ($customhost{$a}[0],$customhost{$b}[0])} keys %customhost) { if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { print" "; }elsif ($count % 2){ print" ";} @@ -1470,11 +1471,11 @@ sub viewtablegrp { print "
$Lang::tr{'fwhost empty'}"; }else{ - foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ + foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp ($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ $count++; if ($helper ne $customgrp{$key}[0]){ $delflag='0'; - foreach my $key1 (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){ + foreach my $key1 (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ if ($customgrp{$key}[0] eq $customgrp{$key1}[0]) { $delflag++; @@ -1545,7 +1546,7 @@ sub viewtableservice END - foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice) + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice) { $count++; if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { 
@@ -1588,11 +1589,11 @@ sub viewtableservicegrp &General::readhasharray("$configsrvgrp", \%customservicegrp); &General::readhasharray("$configsrv", \%customservice); my $number= keys %customservicegrp; - foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){ + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ $count++; if ($helper ne $customservicegrp{$key}[0]){ $delflag=0; - foreach my $key1 (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){ + foreach my $key1 (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } sort { ncmp($customservicegrp{$a}[2],$customservicegrp{$b}[2]) } keys %customservicegrp){ if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0]) { $delflag++; diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9be8d3a08..05398bb25 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -30,6 +30,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); +use Sort::Naturally; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; @@ -4850,11 +4851,10 @@ END END ; - my $id = 0; - my $gif; - foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) { - if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { print "\n"; } else { diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 58645c39c..2fbe48035 100644 --- a/html/cgi-bin/vpnmain.cgi 
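Review bot: `use Sort::Naturally;` in ovpnmain.cgi (and in vpnmain.cgi on the next line) introduces a non-core CPAN module as a hard dependency of the web interface, and nothing in the visible patch adds it to the build or the root-file lists; if it is not packaged, every CGI that loads it fails at compile time rather than degrading to the old `uc()`-based sort. The `@@ -4850` hunk only re-indents the `my $id`/`my $gif` lines and drops a blank line, so it could be left out of a patch whose purpose is the sort change.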
+++ b/html/cgi-bin/vpnmain.cgi @@ -23,7 +23,7 @@ use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; - +use Sort::Naturally; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -2491,7 +2491,7 @@ END ; my $id = 0; my $gif; - foreach my $key (keys %confighash) { + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { From 04abd8d95822b660e65cc1a85dac55f2791ae27f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 29 Apr 2013 16:12:14 +0200 Subject: [PATCH 219/306] Forward Firewall: bugfix: counter failure when adding one host to more than 1 Group --- html/cgi-bin/fwhosts.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index c984ee07f..aa4006869 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -669,7 +669,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') }elsif($updcounter eq 'host'){ foreach my $key (keys %customhost) { if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){ - $customhost{$key}[4]=$customhost{$key}[3]+1; + $customhost{$key}[4]=$customhost{$key}[4]+1; } } &General::writehasharray("$confighost", \%customhost); From 3e79f33fc28e1f33a1b7599205ab86ae455d44c8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 30 Apr 2013 08:13:54 +0200 Subject: [PATCH 220/306] Forward Firewall: reordered some rules to get rid of INPUT_DROP messages in log when connected to webinterface --- src/initscripts/init.d/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index df8405b52..ca1834051 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -303,11 +303,10 @@ case "$1" in if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local stop fi - + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi From 6fab5bca2a3fc22aa08e7b6691e9f81a259d35ca Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 30 Apr 2013 09:58:01 +0200 Subject: [PATCH 221/306] Forward Firewall: edited rules.pl so that in the rules the ip addresses from the remote ovpn N2N subnet are used instead of the openvpn subnet(because its only used as transfer net) --- config/forwardfw/rules.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 1cbbee7a5..529943f81 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -494,7 +494,7 @@ sub get_address }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ - $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27); + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); } From cb6148989124a4df35fe4ab256b03106a5121357 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 2 May 2013 15:55:14 +0200 Subject: [PATCH 222/306] Forward Firewall: restored old settings in graphs.pl. With new Monofont the columnsize is ok now --- config/cfgroot/graphs.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
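Review bot: Moving `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"` ahead of the `if [ "$DROPINPUT" == "on" ]` block makes the LOG rule unreachable: both are appended to INPUT, so a packet that reaches the DROP rule is consumed before the LOG rule below it is evaluated, and the DROP_INPUT entries an operator enabled stop appearing entirely. Swapping these two lines cannot remove the log noise the commit message describes without also silencing the log; the original LOG-then-DROP order is the only one in which the log rule fires. The same DROP-before-LOG sequence reappears later in this series at `@@ -303,12 +313,14` and `@@ -286,6 +292,16`.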
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index f8b182b5e..19c0546da 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -216,7 +216,7 @@ sub updatecpugraph { ,"GPRINT:userpct:AVERAGE:%3.2lf%%" ,"GPRINT:userpct:MIN:%3.2lf%%" ,"GPRINT:userpct:LAST:%3.2lf%%\\j" - ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'}) + ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'}) ,"GPRINT:systempct:MAX:%3.2lf%%" ,"GPRINT:systempct:AVERAGE:%3.2lf%%" ,"GPRINT:systempct:MIN:%3.2lf%%" @@ -627,12 +627,12 @@ sub updatefwhitsgraph { "GPRINT:input:AVERAGE:%8.1lf %sBps", "GPRINT:input:MIN:%8.1lf %sBps", "GPRINT:input:LAST:%8.1lf %sBps\\j", - "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"), + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSyn"), "GPRINT:newnotsyn:MAX:%8.1lf %sBps", "GPRINT:newnotsyn:MIN:%8.1lf %sBps", "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps", "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j", - "STACK:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}), + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}), "GPRINT:portscan:MAX:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:AVERAGE:%8.1lf %sBps", From c400fe4c84dbb3c32e38d961f24275b29bc73d8f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 7 May 2013 12:02:17 +0200 Subject: [PATCH 223/306] Forward Firewall: fixed wrong log Entries INPUT_DROP when connected via Web or ssh --- src/initscripts/init.d/firewall | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index ca1834051..183ff5ba2 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -267,6 +267,16 @@ case "$1" in /etc/sysconfig/firewall.local start fi + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a" + + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b" + fi + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN @@ -303,12 +313,14 @@ case "$1" in if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local stop fi + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" + if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" From bac7013b21485ce8a6263bd19a7ba65440ec3336 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 8 May 2013 08:19:03 +0200 Subject: [PATCH 224/306] Forward Firewall: BUGFIX - when using source Protocol and NO target protocol only the target protocol is shown in ruletable.(But rule is applied correctly) --- html/cgi-bin/forwardfw.cgi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e9c051b15..0fbc030b6 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
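Review bot: In the `@@ -267,6 +267,16` hunk the unconditional `-A INPUT -j DROP` and `-A FORWARD -j DROP` are appended before the `#POLICY CHAIN` block creates POLICYIN and appends `-A INPUT -j POLICYIN`, so the policy chains are never reached: everything not accepted by the earlier chains is dropped at this point and the rules installed by the policy step become dead. The DROP rules belong at the very end of the `start` case, after the policy chains are attached. The `DROP_INPUT_a` comment and `DROP_INPUT_b` log prefix differ from the `DROP_INPUT` used in the second hunk and look like debugging markers; they end up in the kernel log and in `iptables -L` output, so either use the same name everywhere or state in a comment why the two placements must be distinguishable.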
@@ -2516,10 +2516,10 @@ END print""; #Get Protocol my $prot; - if ($$hash{$key}[12]){ #target prot if manual - push (@protocols,$$hash{$key}[12]); - }elsif($$hash{$key}[8]){ #source prot if manual + if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual push (@protocols,$$hash{$key}[8]); + }elsif ($$hash{$key}[12]){ #target prot if manual + push (@protocols,$$hash{$key}[12]); }elsif($$hash{$key}[14] eq 'cust_srv'){ &get_serviceports("service",$$hash{$key}[15]); }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ From 4682d02723a3650847c74e1fbfe8d38b75474cec Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 22 May 2013 07:43:46 +0200 Subject: [PATCH 225/306] Forward Firewall: extended the customservices list --- config/fwhosts/customservices | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices index d115f9756..0e3d6de47 100644 --- a/config/fwhosts/customservices +++ b/config/fwhosts/customservices 
@@ -1,22 +1,32 @@ -11,NTP,123,UDP,BLANK,0 +32,Rsync,873,TCP,BLANK,0 21,IMAPS,993,TCP,BLANK,0 7,WINS,42,TCP,BLANK,0 -2,FTP-control,21,TCP,BLANK,0 +26,Lpd,515,TCP,BLANK,0 17,IRC,194,TCP,BLANK,0 -22,POP3S,995,TCP,BLANK,0 +2,FTP-control,21,TCP,BLANK,0 1,FTP-data,20,TCP,BLANK,0 18,HTTPS,443,TCP,BLANK,0 +30,Nfs,2049,TCP,BLANK,0 16,SNMP,161,UDP,BLANK,0 +25,Ipp (udp),631,UDP,BLANK,0 +27,JetDirect,9100,TCP,BLANK,0 +28,Ldap,389,TCP,BLANK,0 +14,NetBIOS Sessionservice,139,TCP,BLANK,0 +20,FTPS control,990,TCP,BLANK,0 +24,Ipp (tcp),631,TCP,BLANK,0 +10,SFTP,115,TCP,BLANK,0 +31,Radius,1812,TCP,BLANK,0 +11,NTP,123,UDP,BLANK,0 +22,POP3S,995,TCP,BLANK,0 13,NetBIOS Datagramservice,138,TCP,BLANK,0 +23,RDP,3389,TCP,BLANK,0 +29,Ldaps,636,TCP,BLANK,0 6,TIME,37,TCP,BLANK,0 3,SSH,22,TCP,BLANK,0 9,POP3,110,TCP,BLANK,0 12,NetBIOS nameservice,137,TCP,BLANK,0 -20,FTPS control,990,TCP,BLANK,0 15,IMAP,143,TCP,BLANK,0 -14,NetBIOS Sessionservice,139,TCP,BLANK,0 8,HTTP,80,TCP,BLANK,0 4,TELNET,23,UDP,BLANK,0 -10,SFTP,115,TCP,BLANK,0 19,FTPS data,989,TCP,BLANK,0 5,SMTP,25,TCP,BLANK,0 From e1eef9d53e80503c97f86587d1f8e0fb99195a96 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 27 May 2013 10:33:50 +0200 Subject: [PATCH 226/306] Forward Firewall: BUGFIX: When creating DMZ Rules with MANUAL IP as source and afterwards editing the rule, the rule was copied and not just edited. BUGFIX: When using SNAT (outbound) the rule does not seem to work. The NAT_SOURCE chain was on wron position in POSTROUTING --- html/cgi-bin/forwardfw.cgi | 8 ++++---- src/initscripts/init.d/firewall | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0fbc030b6..35d0bc563 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
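Review bot: Two of the service definitions this hunk adds or reorders map a name to a port/protocol that does not match what the name suggests, so a rule created from the dropdown opens the wrong thing: `+31,Radius,1812,TCP,BLANK,0` (RADIUS authentication is UDP/1812; TCP/1812 is only the RFC 6613 variant) and `+10,SFTP,115,TCP,BLANK,0` (port 115 is the obsolete Simple File Transfer Protocol, whereas the SFTP users expect runs over SSH on 22). `31,Radius,1812,UDP,BLANK,0` and either dropping the SFTP/115 entry or renaming it so it cannot be confused with SSH file transfer would avoid silently mis-scoped rules. The pre-existing context line `4,TELNET,23,UDP,BLANK,0` has the same problem (Telnet is TCP) and could be corrected in the same file.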
@@ -78,7 +78,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.6'; +my $VERSION='0.9.9.6a'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -596,7 +596,7 @@ sub addrule if (-f "${General::swroot}/forward/reread"){ print "
$Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'}
    $Lang::tr{'fwhost reread'}


"; } - &Header::openbox('100%', 'left', ""); + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'}); print "
"; print ""; print ""; @@ -2151,7 +2151,7 @@ sub saverule #print"6"; } #check if we change a DMZ to a FORWARD/DMZ - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ + elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on'){ &changerule($configdmz); #print"7"; } @@ -2194,7 +2194,7 @@ sub saverule #print"14"; } #check if we change a FORWARD rule to an DMZ - elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){ &changerule($configfwdfw); #print"15"; } diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 183ff5ba2..200c1550e 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -243,7 +243,7 @@ case "$1" in /sbin/iptables -t nat -N NAT_DESTINATION /sbin/iptables -t nat -N NAT_SOURCE /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION - /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE # upnp chain for our upnp daemon From 7c50b0483420028e1dc5f9b75ea0510b6c775567 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 30 May 2013 21:55:26 +0200 Subject: [PATCH 227/306] openvpnctrl: Remove unneeded code. --- src/misc-progs/openvpnctrl.c | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 977e47bae..0875cec69 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c 
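Review bot: `/sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE` hard-codes a rule position, which only produces the intended order while exactly one rule precedes it in POSTROUTING (presumably the CUSTOMPOSTROUTING jump added earlier in the script); any chain inserted above this point later shifts the index silently, and this series already has to bump it to `3` in a following commit. Appending the jump with `-A` at the place in the script where it must sit relative to its neighbours keeps the ordering explicit and self-documenting. The forwardfw.cgi `@@ -2194` hunk correctly groups the `||` with parentheses; a short comment above it such as `# a DMZ rule is any FORWARD rule whose source group is ORANGE or that was flagged by the ORANGE check` would make the intent of the mirrored `@@ -2151` condition clear.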
@@ -253,10 +253,6 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port) sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port); executeCommand(str); - sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain); - executeCommand(str); - //sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain); - //executeCommand(str); } void flushChain(char *chain) { @@ -264,9 +260,6 @@ void flushChain(char *chain) { sprintf(str, "/sbin/iptables -F %sINPUT", chain); executeCommand(str); - //sprintf(str, "/sbin/iptables -F %sFORWARD", chain); - //executeCommand(str); - safe_system(str); } void flushChainNAT(char *chain) { @@ -281,10 +274,6 @@ void deleteChainReference(char *chain) { sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain); executeCommand(str); - safe_system(str); - //sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain); - //executeCommand(str); - safe_system(str); } void deleteChain(char *chain) { @@ -292,8 +281,6 @@ void deleteChain(char *chain) { sprintf(str, "/sbin/iptables -X %sINPUT", chain); executeCommand(str); - //sprintf(str, "/sbin/iptables -X %sFORWARD", chain); - //executeCommand(str); } void deleteAllChains(void) { @@ -313,16 +300,12 @@ void createChainReference(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain); executeCommand(str); - //sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain); - //executeCommand(str); } void createChain(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -N %sINPUT", chain); executeCommand(str); - //sprintf(str, "/sbin/iptables -N %sFORWARD", chain); - //executeCommand(str); } void createAllChains(void) { From c31f18b6a901bf02dc9e5e1c8474487a23e4c71e Mon Sep 17 00:00:00 2001 
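Review bot: The `@@ -253` hunk is a firewall-policy change, not dead-code removal: `/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT` accepted all traffic arriving on any tun interface into the per-colour OVPN INPUT chains, and after this commit such traffic is only accepted if some other rule covers it. The commit message ("Remove unneeded code") should say where tun+ INPUT traffic is handled now, or that tightening it is the intent, so an operator diagnosing lost connectivity after the update can find the cause. The remaining hunks remove commented-out FORWARD variants and the stray `safe_system(str);` calls that appear to re-run the command `executeCommand` had just executed; that part is a pure cleanup.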
From: Michael Tremer Date: Fri, 31 May 2013 13:31:48 +0200 Subject: [PATCH 228/306] openvpnctrl: Block all transfer subnets. --- src/misc-progs/openvpnctrl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 0875cec69..3a4c6db80 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off"; char OVPNRED[STRING_SIZE] = "OVPN"; char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_"; char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_"; +char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK"; char OVPNNAT[STRING_SIZE] = "OVPNNAT"; char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3"; @@ -480,6 +481,11 @@ void setFirewallRules(void) { OVPNRED, redif, conn->proto, conn->port); executeCommand(command); + /* Block all communication from the transfer nets. */ + snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP", + OVPNBLOCK, conn->transfer_subnet); + executeCommand(command); + local_subnet_address = getLocalSubnetAddress(conn); transfer_subnet_address = calcTransferNetAddress(conn); From 05d4f131e9f96a27249f1e833923ba2790dbd49a Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 11 Jun 2013 15:53:31 +0200 Subject: [PATCH 229/306] Forward Firewall: Implemented INPUT Firewall (extended external access) Now you are able to define INPUT Rules on every interface ip --- config/forwardfw/rules.pl | 11 ++++++++++- html/cgi-bin/forwardfw.cgi | 26 ++++++++++++++++---------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 28 insertions(+), 11 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 529943f81..12397037e 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
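Review bot: `conn->transfer_subnet` is formatted into an iptables command line with `snprintf` and handed to `executeCommand`, and nothing in the hunk validates it as an address/prefix first; a malformed value in the connection configuration at best makes the iptables call fail and, if `executeCommand` runs the string through a shell (not visible here), reaches the shell unquoted. A format check on the subnet before the `snprintf`, or running iptables with an argument vector instead of a single string, would close that gap. The rule is appended to `OVPNBLOCK`, but nothing in this commit creates that chain; unless the init script already has `-N OVPNBLOCK`, every `-A OVPNBLOCK` fails and the transfer nets are not blocked at all, which deserves a comment next to the new `OVPNBLOCK[]` declaration naming who owns the chain.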
@@ -215,7 +215,16 @@ sub buildrules } } }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'RED'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; close(FILE); diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 35d0bc563..22b0d407c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -78,7 +78,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.6a'; +my $VERSION='0.9.9.7'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -1501,7 +1501,7 @@ sub getcolor }elsif ($val eq 'BLUE'){ $tdcolor="style='border: 1px solid $Header::colourblue;'"; return; - }elsif ($val eq 'RED'){ + }elsif ($val eq 'RED' ||$val eq 'RED1' ){ $tdcolor="style='border: 1px solid $Header::colourred;'"; return; }elsif ($val eq 'IPFire' ){ @@ -1802,17 +1802,18 @@ END
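Review bot: The `Default IP` branch is replaced by `GREEN`/`BLUE`/`ORANGE`/`RED` without a migration, so any stored rule whose field 6 still holds `Default IP` now matches none of the `if` blocks and `$targethash{$key}[0]` is left unset; unless a converter rewrites existing rules, those INPUT rules are presumably built without a target address. The four blocks are independent `if`s on the same field; an `elsif` chain (or a lookup hash keyed by interface name) would make the exclusive intent explicit and stop evaluating after a match. The read from `/var/ipfire/red/local-ipaddress` uses a bareword handle with 2-arg `open` and no visible `chomp`, so a trailing newline in that file would be carried into the rule's address unless it is stripped later; the sub continues outside the hunk.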
END - if (! -z "${General::swroot}/ethernet/aliases"){ - print" @@ -2506,8 +2507,13 @@ END } print"
DNAT->"; } - if ($$hash{$key}[5] eq 'std_net_tgt'){ - print &get_name($$hash{$key}[6]); + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[6] eq 'RED1') + { + print $Lang::tr{'red1'}; + }else{ + print &get_name($$hash{$key}[6]); + } }else{ print $$hash{$key}[6]; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 40f6c4599..311b096be 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1719,6 +1719,7 @@ 'reconnect' => 'Neu Verbinden', 'reconnection' => 'Wiederverbindung', 'red' => 'Internet', +'red1' => 'ROT', 'references' => 'Referenzen', 'refresh' => 'Aktualisieren', 'refresh index page while connected' => 'Aktualisere index.cgi Seite während der Verbindung', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f3ec67e5..5713d66d5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1750,6 +1750,7 @@ 'reconnect' => 'Reconnect', 'reconnection' => 'Reconnection', 'red' => 'Internet', +'red1' => 'RED', 'references' => 'References', 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', From 2181b55552b061ad76dd4126a0c6a0f15de0b288 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 12 Jun 2013 12:50:33 +0200 Subject: [PATCH 230/306] openvpnctl: Flush BLOCK and SNAT chain when needed. --- src/misc-progs/openvpnctrl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 3a4c6db80..95027577e 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c 
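Review bot: The new condition `$$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || …` binds `&&` tighter than `||`, so only the `RED` comparison is guarded by `[5] eq 'ipfire'`; a rule of any type whose field 6 equals `GREEN`, `BLUE`, `ORANGE` or `RED1` takes the `get_name` branch. If the intent is "ipfire target on one of the named interfaces", write `$$hash{$key}[5] eq 'std_net_tgt' || ($$hash{$key}[5] eq 'ipfire' && ($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'))`. This is the same precedence slip the series fixed in `saverule` a few commits earlier; the enclosing sub starts outside the hunk.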
@@ -295,6 +295,10 @@ void deleteAllChains(void) { deleteChain(OVPNRED); deleteChain(OVPNBLUE); deleteChain(OVPNORANGE); + + // Only flush chains that are created by the firewall + flushChain(OVPNBLOCK); + flushChainNAT(OVPNNAT); } void createChainReference(char *chain) { @@ -458,6 +462,7 @@ void setFirewallRules(void) { flushChain(OVPNRED); flushChain(OVPNBLUE); flushChain(OVPNORANGE); + flushChain(OVPNBLOCK); flushChainNAT(OVPNNAT); // set firewall rules From d2c4a3cab92b07ebf0a01dc745d642429efd8159 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 12 Jun 2013 14:14:53 +0200 Subject: [PATCH 231/306] openvpnctrl: Cleanup flushChain functions. --- src/misc-progs/openvpnctrl.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 95027577e..97491e40c 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -259,7 +259,7 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port) void flushChain(char *chain) { char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -F %sINPUT", chain); + sprintf(str, "/sbin/iptables -F %s", chain); executeCommand(str); } @@ -270,6 +270,13 @@ void flushChainNAT(char *chain) { executeCommand(str); } +void flushChainINPUT(char *chain) { + char str[STRING_SIZE]; + + snprintf(str, STRING_SIZE, "%sINPUT", chain); + flushChain(str); +} + void deleteChainReference(char *chain) { char str[STRING_SIZE]; @@ -289,9 +296,9 @@ void deleteAllChains(void) { deleteChainReference(OVPNRED); deleteChainReference(OVPNBLUE); deleteChainReference(OVPNORANGE); - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); deleteChain(OVPNRED); deleteChain(OVPNBLUE); deleteChain(OVPNORANGE); 
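Review bot: `flushChain(OVPNBLOCK)` does not flush the chain it names: at this commit `flushChain` formats `"/sbin/iptables -F %sINPUT"` (visible in the earlier openvpnctrl hunk of this series), so the call runs `iptables -F OVPNBLOCKINPUT`, a chain that does not exist, and the OVPNBLOCK rules survive both `deleteAllChains` and `setFirewallRules`. Either pass the full chain name through a flush helper that does not append `INPUT`, or make `flushChain` take the complete name — the following commit's `flushChainINPUT` split does the latter. The comment `// Only flush chains that are created by the firewall` would be clearer as `// OVPNBLOCK and OVPNNAT are created by the firewall init script: flush them here, never delete them`.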
@@ -459,9 +466,9 @@ void setFirewallRules(void) { freekeyvalues(kv); // Flush all chains. - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); flushChain(OVPNBLOCK); flushChainNAT(OVPNNAT); From 690b0bd7618c2b0e7284beaebcf771c02daced1d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 12 Jun 2013 13:00:20 +0200 Subject: [PATCH 232/306] Forward Firewall: added OVPNBLOCK and fixed rules.pl to correctly get ip address of red iface --- config/forwardfw/rules.pl | 2 +- src/initscripts/init.d/firewall | 32 ++++++++++++++++++++++++-------- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 12397037e..f9e7922b2 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -224,7 +224,7 @@ sub buildrules if($$hash{$key}[6] eq 'ORANGE'){ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; } - if($$hash{$key}[6] eq 'RED'){ + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; close(FILE); diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 200c1550e..94b869dd6 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -145,18 +145,23 @@ case "$1" in /sbin/iptables -A INPUT -j CUSTOMINPUT /sbin/iptables -N GUARDIAN /sbin/iptables -A INPUT -j GUARDIAN + /sbin/iptables -N OVPNBLOCK + /sbin/iptables -A FORWARD -j OVPNBLOCK /sbin/iptables -A FORWARD -j GUARDIAN /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -j OVPNBLOCK /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING + /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT # IPTV chains for IGMPPROXY /sbin/iptables -N IPTVINPUT @@ -164,6 +169,9 @@ case "$1" in /sbin/iptables -N IPTVFORWARD /sbin/iptables -A FORWARD -j IPTVFORWARD + # Filtering ovpn networks INPUT + /sbin/iptables -A INPUT -j OVPNBLOCK + # filtering from GUI /sbin/iptables -N GUIINPUT /sbin/iptables -A INPUT -j GUIINPUT @@ -187,9 +195,7 @@ case "$1" in /sbin/iptables -A FORWARD -j IPSECFORWARD /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" /sbin/iptables -A OUTPUT -j IPSECOUTPUT - /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -N IPSECNAT - /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT # Input Firewall @@ -243,7 +249,8 @@ case "$1" in /sbin/iptables -t nat -N NAT_DESTINATION /sbin/iptables -t nat -N NAT_SOURCE /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION - /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE + /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE + # upnp chain for our upnp daemon 
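Review bot: `/sbin/iptables -A OUTPUT -j OVPNBLOCK` is appended before the `-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` line, so packets the firewall itself sends from an address inside a transfer subnet hit the OVPNBLOCK DROP (which matches on `-s`) before any state check; whether the firewall's own tun-side address is meant to be caught by this should be confirmed and noted in the `# Filtering ovpn networks INPUT`-style comment that the OUTPUT attachment currently lacks. `-t nat -I POSTROUTING 3 -j NAT_SOURCE` hard-codes a position again, bumped from `2` only because `-A POSTROUTING -j OVPNNAT` moved up; an `-A` at the right spot in the script would not need renumbering each time a chain is added.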
@@ -253,8 +260,7 @@ case "$1" in /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW # Postrouting rules (for port forwarding) - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ - --to-source $GREEN_ADDRESS + /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS if [ "$BLUE_DEV" != "" ]; then /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS fi @@ -266,11 +272,11 @@ case "$1" in if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local start fi - - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a" + + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b" + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" @@ -286,6 +292,16 @@ case "$1" in /sbin/iptables -A OUTPUT -j POLICYOUT /usr/sbin/firewall-policy + + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" + + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" + fi + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" ;; startovpn) # run openvpn From ed9ab82c61464a3a719f9662416b58cc83dbf4fd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 12 Jun 2013 15:05:31 +0200 Subject: [PATCH 233/306] Forward Firewall 0.9.9.7: reordered INPUT POLICY. --- src/initscripts/init.d/firewall | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 94b869dd6..a7d258a56 100644 
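Review bot: After this commit the `start` case appends `-A INPUT -j DROP -m comment --comment "DROP_INPUT"` twice: once in the `@@ -266` hunk before the POLICYIN chain is attached, and again in the `@@ -286` hunk after `/usr/sbin/firewall-policy`; the first one consumes every remaining packet, so POLICYIN and the whole second block are never reached. Only the second placement should remain. In both places the DROP precedes the `DROPINPUT` LOG rule, so the log entry is unreachable; the LOG rule inside `if [ "$DROPINPUT" == "on" ]` has to come first and `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"` last.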
--- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -273,16 +273,6 @@ case "$1" in /etc/sysconfig/firewall.local start fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" - fi - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN From 8762442c4ece6aaf6b863a7c86aaefb9e47c8be3 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 12 Jun 2013 15:17:12 +0200 Subject: [PATCH 234/306] Forward Firewall: INPUT Firewall added "ALL" with ip 0.0.0.0 --- config/forwardfw/rules.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index f9e7922b2..12723e749 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -224,6 +224,9 @@ sub buildrules if($$hash{$key}[6] eq 'ORANGE'){ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; From d9b691e18e59323e14dd37428fe9857ab95246b4 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 13 Jun 2013 10:17:18 +0200 Subject: [PATCH 235/306] Forward Firewall: added checks if manual ip (src/tgt) is part of a OpenVPN to colour the rules accordingly --- html/cgi-bin/forwardfw.cgi | 57 ++++++++++++++++++++++++++------------ 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 22b0d407c..7ea7d62ea 100755 --- a/html/cgi-bin/forwardfw.cgi 
+++ b/html/cgi-bin/forwardfw.cgi @@ -78,7 +78,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.7'; +my $VERSION='0.9.9.8'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -693,14 +693,15 @@ sub checksource $errormessage=$Lang::tr{'fwhost err hostip'}."
"; return $errormessage; } - #check if the ip is part of an existing openvpn client/net or ipsec network - #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's - if (! &checkvpn($ip)){ - $errormessage=$Lang::tr{'fwdfw err srcovpn'}; - return $errormessage; - }else{ - $fwdfwsettings{'src_addr'}="$ip/$subnet"; - } + ##check if the ip is part of an existing openvpn client/net or ipsec network + ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's + #if (! &checkvpn($ip)){ + #$errormessage=$Lang::tr{'fwdfw err srcovpn'}; + #return $errormessage; + #}else{ + #$fwdfwsettings{'src_addr'}="$ip/$subnet"; + #} + $fwdfwsettings{'src_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; return $errormessage; @@ -836,14 +837,15 @@ sub checktarget #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); - #check if the ip is part of an existing openvpn client/net or ipsec network - #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's - if (! &checkvpn($ip)){ - $errormessage=$Lang::tr{'fwdfw err tgtovpn'}; - return $errormessage; - }else{ - $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; - } + ##check if the ip is part of an existing openvpn client/net or ipsec network + ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's + #if (! &checkvpn($ip)){ + #$errormessage=$Lang::tr{'fwdfw err tgtovpn'}; + #return $errormessage; + #}else{ + #$fwdfwsettings{'tgt_addr'}="$ip/$subnet"; + #} + $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
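Review bot: The VPN-membership check in `checksource` is commented out rather than removed, leaving eight `#`-prefixed lines of dead code above the unconditional `$fwdfwsettings{'src_addr'}="$ip/$subnet";`; the same is done in `checktarget` at `@@ -836` on the next line. Delete the block (history keeps it) and state the new behaviour in one comment, e.g. `# manual addresses inside an OpenVPN/IPsec network are accepted here; getcolor() marks them in the rule table`, since the commit message mentions only the colouring. With the check gone, `&checkvpn` and the `fwdfw err srcovpn`/`fwdfw err tgtovpn` strings may now be unused and worth removing if nothing else references them. Both subs start outside the hunks.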
"; return $errormessage; @@ -1534,6 +1536,25 @@ sub getcolor $tdcolor="style='border: 1px solid $Header::colourovpn;'"; return; } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + return; + } + } + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + return; + } + } + } #Check if IP is part of IPsec RW network if ($ipsecsettings{'RW_NET'} ne ''){ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); @@ -2384,6 +2405,8 @@ sub viewtablenew &General::get_aliases(\%aliases); &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$config", $hash); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$configccdhost", \%ccdhost); if( ! -z $config){ &Header::openbox('100%', 'left',$title); my $count=0; From e41b651b4a3b79bb072ac94835e96432ac1968dd Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 17 Jun 2013 10:21:24 +0200 Subject: [PATCH 236/306] Forward Firewall: changed order of LOG and DROP rules for INPUT Chain --- src/initscripts/init.d/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index a7d258a56..5a8cfb171 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
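Review bot: `my ($a,$b) = split("/", …)` in the two new `getcolor` loops declares lexical `$a`/`$b`; Perl warns about this because it masks the package `$a`/`$b` that `sort { … }` blocks use, and any comparator written later in the same scope would silently compare the lexicals. `my ($net, $mask) = split("/", $ccdnet{$key}[1]);` avoids that (the pre-existing IPsec block below uses the same names and should change with it). The N2N loop passes `$b` from `$ccdhost{$key}[11]` to `IpInSubnet` directly while the static-subnet loop converts it with `&General::iporsubtodec($b)` first; unless field 11 is already stored in the form `IpInSubnet` expects, the two branches disagree. `%ccdnet`/`%ccdhost` are only read in `viewtablenew` (`@@ -2384`), so `getcolor` reached from another path would see them empty; the sub starts outside the hunk.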
@@ -283,11 +283,10 @@ case "$1" in /usr/sbin/firewall-policy - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi From fb0ce57589a8ba724d3c446b612181f6d7f3b8c5 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 17 Jun 2013 12:45:57 +0200 Subject: [PATCH 237/306] Forward Firewall: cleanup unused code --- config/forwardfw/convert-dmz | 3 -- config/forwardfw/convert-xtaccess | 4 +- html/cgi-bin/forwardfw.cgi | 70 ------------------------------- html/cgi-bin/fwhosts.cgi | 7 ---- 4 files changed, 1 insertion(+), 83 deletions(-) diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz index 81d77bab7..9c1ad049c 100755 --- a/config/forwardfw/convert-dmz +++ b/config/forwardfw/convert-dmz @@ -111,9 +111,6 @@ sub process_rules{ $d =~ tr/-/:/; $field15=$d; $field16=$h; - ##Ausgabe - #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; - #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n"; my $key = &General::findhasharraykey (\%configfwdfw); foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";} $configfwdfw{$key}[0] = $field0; diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess index 3db7da65e..85ad1c8d0 100755 --- a/config/forwardfw/convert-xtaccess +++ b/config/forwardfw/convert-xtaccess @@ -55,7 +55,7 @@ foreach my $line (@current){ } #check ipfire address if ($e eq '0.0.0.0'){ - $field6 = 'Default IP'; + $field6 = 'RED1'; }else{ foreach my $line (@alias){ my ($ip,$state,$aliasname) = split (",",$line); 
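Review bot: The moved `DROP_INPUT` rule now depends on being appended after the conditional LOG rule, but nothing in the script says so; the previous order made the LOG rule unreachable, and a later edit could reintroduce that silently. I would add `# keep this final DROP after the LOG rule: anything appended after an unconditional DROP is never evaluated` above `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"`. The enclosing `start)` branch continues outside the hunk.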
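Review bot: `$field6 = 'RED1';` replaces a human-readable label with a token that other code matches literally (rules.pl in this series tests `$$hash{$key}[6] eq 'RED1'` before reading the red local address), and nothing here says where that token comes from or that both sides must stay in sync. A comment on the assignment, `# 'RED1' = the red interface's own address; must match the literal tested in rules.pl`, would make the coupling visible. The enclosing foreach loop begins and ends outside the hunk.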
@@ -75,8 +75,6 @@ foreach my $line (@current){ $c = "$1:65535"; } $field15=$c; - #Ausgabe - #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n"; my $key = &General::findhasharraykey (\%configinputfw); foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";} $configinputfw{$key}[0] = $field0; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7ea7d62ea..399875533 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -183,8 +183,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %confignatfw){ - #print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}
"; - #print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]
"; if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; @@ -318,27 +316,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configinputfw,$configinput); } - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; - #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; - #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; - #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}
"; - #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}
"; - #print " Regel LOG: $fwdfwsettings{'LOG'}
"; - #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}
"; - #print " MO: $fwdfwsettings{'TIME_MON'}
"; - #print " DI: $fwdfwsettings{'TIME_TUE'}
"; - #print " MI: $fwdfwsettings{'TIME_WED'}
"; - #print " DO: $fwdfwsettings{'TIME_THU'}
"; - #print " FR: $fwdfwsettings{'TIME_FRI'}
"; - #print " SA: $fwdfwsettings{'TIME_SAT'}
"; - #print " SO: $fwdfwsettings{'TIME_SUN'}
"; - #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}
"; - #print "
"; - #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; - #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; - #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){ # OUTGOING PART $fwdfwsettings{'config'}=$configoutgoing; @@ -449,27 +426,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configfwdfw,$configfwdfw); } - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; - #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; - #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; - #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}
"; - #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}
"; - #print " Regel LOG: $fwdfwsettings{'LOG'}
"; - #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}
"; - #print " MO: $fwdfwsettings{'TIME_MON'}
"; - #print " DI: $fwdfwsettings{'TIME_TUE'}
"; - #print " MI: $fwdfwsettings{'TIME_WED'}
"; - #print " DO: $fwdfwsettings{'TIME_THU'}
"; - #print " FR: $fwdfwsettings{'TIME_FRI'}
"; - #print " SA: $fwdfwsettings{'TIME_SAT'}
"; - #print " SO: $fwdfwsettings{'TIME_SUN'}
"; - #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}
"; - #print "
"; - #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; - #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; - #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; } if ($errormessage){ &newrule; @@ -489,18 +445,9 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,); &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,); } - #&General::readhasharray("$configinput", \%configinputfw); - #foreach my $key (sort keys %configinputfw){ - # &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,); - # &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,); - # &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,); - #} - system("rm ${General::swroot}/forward/config"); - #system("rm ${General::swroot}/forward/input"); &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } - #unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } my $MODE1=$fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'}='MODE2'; @@ -582,7 +529,6 @@ if ($fwdfwsettings{'ACTION'} eq 'movedown') if ($fwdfwsettings{'ACTION'} eq 'copyrule') { $fwdfwsettings{'copyfwrule'}='on'; - #$fwdfwsettings{'updatefwrule'}='on'; &newrule; } if ($fwdfwsettings{'ACTION'} eq '') @@ -693,14 +639,6 @@ sub checksource $errormessage=$Lang::tr{'fwhost err hostip'}."
"; return $errormessage; } - ##check if the ip is part of an existing openvpn client/net or ipsec network - ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's - #if (! &checkvpn($ip)){ - #$errormessage=$Lang::tr{'fwdfw err srcovpn'}; - #return $errormessage; - #}else{ - #$fwdfwsettings{'src_addr'}="$ip/$subnet"; - #} $fwdfwsettings{'src_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; @@ -837,14 +775,6 @@ sub checktarget #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); - ##check if the ip is part of an existing openvpn client/net or ipsec network - ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's - #if (! &checkvpn($ip)){ - #$errormessage=$Lang::tr{'fwdfw err tgtovpn'}; - #return $errormessage; - #}else{ - #$fwdfwsettings{'tgt_addr'}="$ip/$subnet"; - #} $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index aa4006869..444b3660e 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -971,7 +971,6 @@ if ($fwhostsettings{'ACTION'} eq 'delgrpservice') &General::writehasharray("$configsrvgrp", \%customservicegrp); &rules; if ($fwhostsettings{'updatesrvgrp'} eq 'on'){ - #$fwhostsettings{'updatesrvgrp'}='on'; $fwhostsettings{'SRVGRP_NAME'}=$grpname; $fwhostsettings{'SRVGRP_REMARK'}=$grpremark; } @@ -1009,17 +1008,14 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpremark') if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){ foreach my $key (sort keys %customgrp) { - #$customgrp{$key}[1]=~ s/\|/,/g; if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'}) { - #$fwhostsettings{'newrem'}=~ s/,/\|/g; $customgrp{$key}[1]=''; $customgrp{$key}[1]=$fwhostsettings{'newrem'}; } } &General::writehasharray("$configgrp", \%customgrp); $fwhostsettings{'update'}='on'; - #$fwhostsettings{'newrem'}=~ s/\|/,/g; $fwhostsettings{'remark'}=$fwhostsettings{'newrem'}; }else{ $errormessage=$Lang::tr{'fwhost err remark'}; 
@@ -1037,17 +1033,14 @@ if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) || $fwhostsettings{'newsrvrem'} eq '')){ foreach my $key (sort keys %customservicegrp) { - #$customservicegrp{$key}[1]=~ s/\|/,/g; if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'}) { - #$fwhostsettings{'newsrvrem'}=~ s/,/|/g; $customservicegrp{$key}[1]=''; $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'}; } } &General::writehasharray("$configsrvgrp", \%customservicegrp); $fwhostsettings{'updatesrvgrp'}='on'; - #$fwhostsettings{'newsrvrem'}=~ s/\|/,/g; $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'}; }else{ $errormessage=$Lang::tr{'fwhost err remark'}; From ff4770c79ba800a03fea65ffd5153f75e63cf2b8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 19 Jun 2013 13:31:40 +0200 Subject: [PATCH 238/306] Forward Firewall: changed /etc/init.d/firewall. deleted stop routine and rearranged iptables_init and restart routine Now it should be possible to use /etc/init.d/firewall restart without errors --- config/forwardfw/rules.pl | 4 +- src/initscripts/init.d/firewall | 183 +++++++++++++------------------- 2 files changed, 73 insertions(+), 114 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 12723e749..9f9f7e991 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -179,7 +179,7 @@ sub buildrules my $nat; my $fwaccessdport; foreach my $key (sort {$a <=> $b} keys %$hash){ - next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); 
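Review bot: The new condition `(($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off')` is the second place in buildrules that spells out the RED/RED1 pair (the hunk at line 228 of the same file has `if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1')`), so the list of red aliases now lives in two literals. A one-line predicate, `sub is_red_iface { my ($if) = @_; return $if eq 'RED' || $if eq 'RED1'; }`, used as `next if (&is_red_iface($$hash{$key}[6]) && $conexists eq 'off');`, keeps the alias list in one place. buildrules continues outside the hunk.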
@@ -228,7 +228,7 @@ sub buildrules $targethash{$key}[0]='0.0.0.0/0'; } if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ - open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; $targethash{$key}[0]= ; close(FILE); }else{ diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 5a8cfb171..844cbf6d5 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
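Review bot: The rewritten line `open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";` keeps a bareword filehandle and a two-argument open and drops `$!` from the message, so a failure reports nothing about the cause. I would write `open(my $fh, '<', '/var/ipfire/red/local-ipaddress') or die "Couldn't open local-ipaddress: $!";` and change the read and `close(FILE)` on the following lines to use `$fh`. The read on the next line (its angle-bracket operator is lost in this rendering) is not chomped within the hunk; if it is not chomped elsewhere, the trailing newline ends up in `$targethash{$key}[0]`. buildrules continues outside the hunk.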
@@ -73,70 +73,6 @@ iptables_init() { /sbin/iptables -A INPUT -j BADTCP /sbin/iptables -A FORWARD -j BADTCP -} - -iptables_red() { - /sbin/iptables -F REDINPUT - /sbin/iptables -F REDFORWARD - /sbin/iptables -t nat -F REDNAT - - # PPPoE / PPTP Device - if [ "$IFACE" != "" ]; then - # PPPoE / PPTP - if [ "$DEVICE" != "" ]; then - /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT - fi - if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then - if [ "$RED_DEV" != "" ]; then - /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT - fi - fi - fi - - # PPTP over DHCP - if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - fi - - # Orange pinholes - if [ "$ORANGE_DEV" != "" ]; then - # This rule enables a host on ORANGE network to connect to the outside - # (only if we have a red connection) - if [ "$IFACE" != "" ]; then - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT - fi - fi - - if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then - # DHCP - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - - # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE - - fi -} - -# See how we were called. 
-case "$1" in - start) - iptables_init - - # Limit Packets- helps reduce dos/syn attacks - # original do nothing line - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec - # the correct one, but the negative '!' do nothing... - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP - # Fix for braindead ISP's /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu @@ -273,6 +209,12 @@ case "$1" in /etc/sysconfig/firewall.local start fi + # run openvpn + /usr/local/bin/openvpnctrl --create-chains-and-rules + + # run wirelessctrl + /usr/local/bin/wirelessctrl + #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN @@ -283,6 +225,9 @@ case "$1" in /usr/sbin/firewall-policy + # read new firewall + /usr/local/bin/forwardfwctrl + if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi 
@@ -291,66 +236,80 @@ case "$1" in /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - ;; - startovpn) - # run openvpn - /usr/local/bin/openvpnctrl --create-chains-and-rules - ;; - stop) +} + +iptables_red() { + /sbin/iptables -F REDINPUT + /sbin/iptables -F REDFORWARD + /sbin/iptables -t nat -F REDNAT + + # PPPoE / PPTP Device + if [ "$IFACE" != "" ]; then + # PPPoE / PPTP + if [ "$DEVICE" != "" ]; then + /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT + fi + if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then + if [ "$RED_DEV" != "" ]; then + /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT + fi + fi + fi + + # PPTP over DHCP + if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + fi + + # Orange pinholes + if [ "$ORANGE_DEV" != "" ]; then + # This rule enables a host on ORANGE network to connect to the outside + # (only if we have a red connection) + if [ "$IFACE" != "" ]; then + /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT + fi + fi + + if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then + # DHCP + if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + + # Outgoing masquerading (don't masqerade IPSEC (mark 50)) + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o 
$IFACE -j RETURN + /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + + fi +} + +# See how we were called. +case "$1" in + start) iptables_init - # Accept everyting connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - - # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -j ACCEPT - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT - - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop - fi - - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" - fi - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - ;; - stopovpn) - # stop openvpn - /usr/local/bin/openvpnctrl --delete-chains-and-rules - ;; reload) iptables_red - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then + if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local reload fi ;; restart) - $0 stop + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local stop + fi $0 start - /usr/local/bin/forwardfwctrl - /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 - 
/usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; *) - echo "Usage: $0 {start|stop|reload|restart}" + echo "Usage: $0 {start|reload|restart}" exit 1 ;; esac From 674f4e9d515233f5356fc502c862b28829736fde Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 20 Jun 2013 11:23:43 +0200 Subject: [PATCH 239/306] Forward Firewall: on every reload of the new firewall-rules the firewall.local is also reloaded --- config/forwardfw/rules.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 9f9f7e991..e077b92d9 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -139,6 +139,7 @@ if($param eq 'flush'){ &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); } } } From 533a2da388be0f83732a07b5a40ec2792fd2fad5 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 25 Jun 2013 12:35:01 +0200 Subject: [PATCH 240/306] Forward Firewall: reorganised ruletable layout --- html/cgi-bin/forwardfw.cgi | 62 ++++++++++++++++++++------------------ langs/de/cgi-bin/de.pl | 4 +-- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 35 insertions(+), 33 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 399875533..b45c06a8b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
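Review bot: Removing the `stop)`, `startovpn)` and `stopovpn)` targets means any caller that still runs `firewall stop` now gets the usage text and exit status 1; the old `restart)` did exactly that via `$0 stop`, and other init or shutdown scripts may too, which cannot be verified from this hunk. If stop is intentionally unsupported, a comment in the script header saying so would save the next reader a search; otherwise keep a `stop)` entry. The new `restart)` path also re-runs `iptables_init`, which in the hunk at line 283 creates chains with `/sbin/iptables -N POLICYIN`; presumably the flush at the top of `iptables_init` (outside this hunk) removes them first, but a comment such as `# iptables_init flushes and recreates all chains, so start is safe to re-run` at the `$0 start` line would make that dependency explicit.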
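Review bot: The added `system ("/etc/sysconfig/firewall.local reload");` runs unconditionally, whereas the init script in this series only invokes firewall.local after `if [ -x /etc/sysconfig/firewall.local ]`, so on systems without that optional file every rule reload now emits a shell error. I would write `system("/etc/sysconfig/firewall.local", "reload") if -x "/etc/sysconfig/firewall.local";`, which also uses the list form and avoids the shell. The enclosing block begins and ends outside the hunk.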
@@ -404,7 +404,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; @@ -552,14 +552,14 @@ sub addrule } sub base { - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } - if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } - if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; print "

"; &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } print <
$Lang::tr{'fwdfw targetip'}IPFire"; } print<
@@ -2347,8 +2347,8 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
"; - print"
"; - print""; + print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'fwdfw time'}$Lang::tr{'fwdfw action'}
"; + print"";#$Lang::tr{'protocol'} foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); @@ -2401,7 +2401,7 @@ sub viewtablenew } print""; print<$key + END if ($$hash{$key}[0] eq 'ACCEPT'){ $ruletype='A'; @@ -2416,7 +2416,7 @@ END $tooltip='REJECT'; $rulecolor=$color{'color16'}; } - print""; + print""; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print""; @protocols=(); - if ($$hash{$key}[18] eq 'ON'){ - my @days=(); - if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} - if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} - if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} - if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} - if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} - if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} - if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} - my $weekdays=join(",",@days); - if (@days){ - print""; - } - }else{ - print""; - } + if($$hash{$key}[2] eq 'ON'){ $gif="/images/on.gif" @@ -2562,11 +2547,28 @@ END print""; } #REMARK - if ($optionsfw{'SHOWREMARK'} eq 'on'){ + if (($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne '') || $$hash{$key}[18] eq 'ON'){ print""; - print""; + print""; + #TIMEFRAME + if ($$hash{$key}[18] eq 'ON'){ + my @days=(); + if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} + if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} + if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} + if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} + if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} + if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} + if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} + my $weekdays=join(",",@days); + if (@days){ + print""; + } + }else{ + print""; + } } - print""; + print""; } print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'fwdfw action'}
$Lang::tr{'fwdfw time'}
$key  $ruletype$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ @@ -2428,7 +2428,7 @@ END &getsrcport(\%$hash,$key); #Is this a SNAT rule? if ($$hash{$key}[31] eq 'snat'){ - print"
SNAT -> $$hash{$key}[29]"; + print"
-> $$hash{$key}[29]"; if ($$hash{$key}[30] ne ''){ print": $$hash{$key}[30]"; } @@ -2458,7 +2458,7 @@ END $$hash{$key}[30]=~ tr/|/,/; print": $$hash{$key}[30]"; } - print"
DNAT->"; + print"
->"; } if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ if ($$hash{$key}[6] eq 'RED1') @@ -2489,22 +2489,7 @@ END my $protz=join(",",@protocols); print"
$protz$weekdays   $$hash{$key}[26] - $$hash{$key}[27] 24/7
   $$hash{$key}[16]
   $$hash{$key}[16]$weekdays   $$hash{$key}[26] - $$hash{$key}[27]
24/7
"; &Header::closebox(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 311b096be..744d1b39a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -891,7 +891,7 @@ 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', 'fwdfw additional' => 'Zusätzlich', 'fwdfw action' => 'Aktion', -'fwdfw menu' => 'Firewall', +'fwdfw menu' => 'Firewall Regeln', 'fwdfw addrule' => 'Regel hinzufügen/ändern:', 'fwdfw addr grp' => 'Adressgruppen:', 'fwdfw change' => 'Aktualisieren', @@ -968,7 +968,7 @@ 'fwdfw wd_fri' => 'Fr', 'fwdfw wd_sat' => 'Sa', 'fwdfw wd_sun' => 'So', -'fwdfw xt access' => 'Zugriff auf Firewall', +'fwdfw xt access' => 'Input', 'fwhost addgrp' => 'Gruppe:', 'fwhost addgrpname' => 'Gruppenname:', 'fwhost addhost' => 'Adresse:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5713d66d5..d4bdfcd98 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -916,7 +916,7 @@ 'fwdfw ACCEPT' => 'ACCEPT', 'fwdfw additional' => 'Additional', 'fwdfw action' => 'Action', -'fwdfw menu' => 'Firewall', +'fwdfw menu' => 'Firewall rules', 'fwdfw addrule' => 'Add/Edit rule:', 'fwdfw addr grp' => 'Adress groups:', 'fwdfw change' => 'Update', From 3b2ad4a1bddd2185da6bd500be39ee19694399a7 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 07:38:15 +0200 Subject: [PATCH 241/306] Forward Firewall: moved "firewall default behaviour" from firewall page to firewall-options page. Some changes in languagefiles de and en. --- html/cgi-bin/forwardfw.cgi | 113 ++++++------------------------------- html/cgi-bin/optionsfw.cgi | 78 ++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 30 +++++----- langs/en/cgi-bin/en.pl | 22 ++++---- 4 files changed, 112 insertions(+), 131 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index b45c06a8b..7e1f4f427 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -117,16 +117,6 @@ my @protocols; &Header::openbigbox('100%', 'center',$errormessage); #### ACTION ##### -if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $fwdfwsettings{'POLICY'}; - my $MODE1 = $fwdfwsettings{'POLICY1'}; - %fwdfwsettings = (); - $fwdfwsettings{'POLICY'} = "$MODE"; - $fwdfwsettings{'POLICY1'} = "$MODE1"; - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - &reread_rules; -} if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); 
@@ -436,42 +426,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &base; } } -if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - if($fwdfwsettings{'poltype'} eq 'forward'){ - &General::readhasharray("$configfwdfw", \%configfwdfw); - foreach my $key (sort keys %configfwdfw){ - &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,); - &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,); - &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,); - } - system("rm ${General::swroot}/forward/config"); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } - my $MODE1=$fwdfwsettings{'POLICY1'}; - %fwdfwsettings = (); - $fwdfwsettings{'POLICY'}='MODE2'; - $fwdfwsettings{'POLICY1'}=$MODE1; - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - &reread_rules; - }else{ - &General::readhasharray("$configoutgoing", \%configoutgoingfw); - foreach my $key (sort keys %configoutgoingfw){ - &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,); - &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,); - &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,); - } - system("rm ${General::swroot}/forward/outgoing"); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } - my $MODE=$fwdfwsettings{'POLICY'}; - %fwdfwsettings = (); - $fwdfwsettings{'POLICY'}=$MODE; - $fwdfwsettings{'POLICY1'}='MODE2'; - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); - &reread_rules; - } -} if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) { &newrule; @@ -555,41 +509,6 @@ sub base &hint; &addrule; print "

"; - &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } - if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } - if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } -print < - - - - - "; - print "
FORWARD
$Lang::tr{'fwdfw pol text'}

- - -END - print "$Lang::tr{'outgoing firewall reset'}:
"; - print"

"; - print < - - - - - "; - print "
OUTGOING
$Lang::tr{'fwdfw pol text1'}

- - -END - print "$Lang::tr{'outgoing firewall reset'}:
"; - &Header::closebox(); print "

Version: $VERSION
"; } sub changerule @@ -1189,7 +1108,10 @@ END next if($defaultNetworks{$network}{'NAME'} eq "IPFire" && $srctgt eq 'tgt'); print ""; + my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS"; + $ifaces{$defnet} = '0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'ALL'); + $defnet = "RED_ADDRESS" if ($defaultNetworks{$network}{'NAME'} eq 'IPFire'); + print ">$network $ifaces{$defnet} "; } print""; #custom networks @@ -1751,14 +1673,14 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< - $Lang::tr{'fwdfw targetip'}IPFire + $Lang::tr{'fwdfw targetip'}Firewall END print""; } #REMARK - if (($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne '') || $$hash{$key}[18] eq 'ON'){ + if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){ print""; - print"   $$hash{$key}[16]"; + print"   $$hash{$key}[16]"; + } + if ($$hash{$key}[18] eq 'ON'){ #TIMEFRAME if ($$hash{$key}[18] eq 'ON'){ my @days=(); @@ -2562,11 +2486,10 @@ END if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ - print"$weekdays   $$hash{$key}[26] - $$hash{$key}[27] "; - } - }else{ - print"24/7"; + print""; + print" $weekdays   $$hash{$key}[26] - $$hash{$key}[27] "; } + } } print""; } @@ -2581,7 +2504,5 @@ END } } } - - &Header::closebigbox(); &Header::closepage(); diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 9e39fbfd3..616f52964 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -27,6 +27,13 @@ my %checked =(); # Checkbox manipulations my $filename = "${General::swroot}/optionsfw/settings"; our %settings=(); +my %fwdfwsettings=(); +my %configfwdfw=(); +my %configoutgoingfw=(); + +my $configfwdfw = "${General::swroot}/forward/config"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; + $settings{'DISABLEPING'} = 'NO'; $settings{'DROPNEWNOTSYN'} = 'on'; $settings{'DROPINPUT'} = 'on'; 
@@ -43,22 +50,43 @@ $settings{'SHOWDROPDOWN'} = 'off'; my $errormessage = ''; my $warnmessage = ''; +&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); + &Header::showhttpheaders(); #Get GUI values &Header::getcgihash(\%settings); + + if ($settings{'ACTION'} eq $Lang::tr{'save'}) { - - $errormessage = $Lang::tr{'new optionsfw later'}; - delete $settings{'__CGI__'}; - delete $settings{'x'}; - delete $settings{'y'}; - &General::writehash($filename, \%settings); # Save good settings + if ($settings{'defpol'} ne '1'){ + $errormessage = $Lang::tr{'new optionsfw later'}; + delete $settings{'__CGI__'}; + delete $settings{'x'}; + delete $settings{'y'}; + &General::writehash($filename, \%settings); # Save good settings + system("/usr/local/bin/forwardfwctrl"); + }else{ + if ($settings{'POLICY'} ne ''){ + $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; + } + if ($settings{'POLICY1'} ne ''){ + $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'}; + } + my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); + system("/usr/local/bin/forwardfwctrl"); + } }else { &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed - } - system("/usr/local/bin/forwardfwctrl"); +} + &Header::openpage($Lang::tr{'options fw'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -111,7 +139,6 @@ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; $selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected'; - &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); print "
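Review bot: In the `defpol` branch, `$settings{'POLICY'}` and `$settings{'POLICY1'}` come straight from the CGI request and are copied into `%fwdfwsettings` and written to `forward/settings` after only a non-empty test, although the rest of the series treats these keys as exactly `MODE1` or `MODE2`. Replace the two `ne ''` tests with an allow-list, `if ($settings{'POLICY'} =~ m/\A(MODE[12])\z/){ $fwdfwsettings{'POLICY'} = $1; }` and the same for `POLICY1`, so nothing else can reach the settings file that `rules.pl` later reads back. The `writehash` is immediately followed by a `readhash` of the same file; a one-line comment on why the re-read is needed would help the next reader.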
"; @@ -182,5 +209,38 @@ print < + + + + + +END + print "
FORWARD
$Lang::tr{'fwdfw pol text'}

+
"; + print"

"; + print < + + + + + +END + print "
OUTGOING
$Lang::tr{'fwdfw pol text1'}

+
"; + &Header::closebox(); + &Header::closebigbox(); &Header::closepage(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 744d1b39a..9587258f9 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -899,26 +899,26 @@ 'fwdfw cust net' => 'Custom Netzwerke:', 'fwdfw copy' => 'Kopieren', 'fwdfw delete' => 'Löschen', -'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)', +'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP Adresse mit der aus ZIEL)', 'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt', 'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw edit' => 'Bearbeiten', 'fwdfw err nosrc' => 'Keine Quelle gewählt', -'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben', +'fwdfw err nosrcip' => 'Bitte Quell IP Adresse angeben', 'fwdfw err notgt' => 'Kein Ziel gewählt', -'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben', +'fwdfw err notgtip' => 'Bitte Ziel IP Adresse angeben', 'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein', 'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen', 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', -'fwdfw err src_addr' => 'Quell-MAC/IP ungültig', -'fwdfw err srcovpn' => 'Quell-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen', +'fwdfw err src_addr' => 'Quell-MAC/IP Adresse ungültig', +'fwdfw err srcovpn' => 'Quell-IP Adresse ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen', 'fwdfw err same' => 'Quelle und Ziel sind identisch', 'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz', 'fwdfw err srcport' => 'Bitte Quellport angeben', 'fwdfw err tgtport' => 'Bitte Zielport angeben', -'fwdfw err tgt_addr' => 'Ziel-IP ungültig', -'fwdfw err tgtovpn' => 'Ziel-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen', +'fwdfw err tgt_addr' => 'Ziel-IP Adresse ungültig', +'fwdfw err tgtovpn' => 'Ziel-IP Adresse ist ein OpenVPN Client. 
Bitte Dropdown zum Auswählen nutzen', 'fwdfw err tgt_port' => 'Ziel Port ungültig', 'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden', 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer', @@ -935,8 +935,8 @@ 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', -'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', -'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', +'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln.', +'fwdfw pol text1' => 'Standardverhalten für Verbindungen von Firewall. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', 'fwdfw red' => 'INTERNET', 'fwdfw REJECT' => 'Verweigern (REJECT)', 'fwdfw reread' => 'Übernehmen', 
@@ -946,10 +946,10 @@ 'fwdfw rulepos' => 'Regelposition', 'fwdfw snat' => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)', 'fwdfw source' => 'Quelle', -'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):', +'fwdfw sourceip' => 'Quelladresse (MAC, IP Adresse oder Netzwerk):', 'fwdfw std network' => 'Standard Netzwerke:', 'fwdfw target' => 'Ziel', -'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):', +'fwdfw targetip' => 'Zieladresse (IP Adresse oder Netzwerk):', 'fwdfw till' => 'Bis:', 'fwdfw time' => 'Zeitrahmen', 'fwdfw timeframe' => 'Zeitrahmen hinzufügen', @@ -989,7 +989,7 @@ 'fwhost cust srvgrp' => 'Custom Dienstgruppen', 'fwhost deleted' => 'Gelöscht', 'fwhost empty' => 'Keine Regeln definiert', -'fwhost err addr' => 'IP oder Subnetzmaske ungültig', +'fwhost err addr' => 'IP Adresse oder Subnetzmaske ungültig', 'fwhost err addrgrp' => 'Bitte gruppenname angeben', 'fwhost err empty' => 'Bitte alle Felder füllen', 'fwhost err grpexist' => 'Gruppe existiert bereits', 
@@ -997,14 +997,14 @@ 'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich', 'fwhost err name1' => 'Name muss gefüllt sein', 'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits', -'fwhost err net' => 'Netzwerk IP existiert bereits', +'fwhost err net' => 'Netzwerk IP Adresse existiert bereits', 'fwhost err mac' => 'MAC Adresse ungültig', 'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits', 'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt', 'fwhost err hostorip' => 'Name oder IP Adresse ungültig', 'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet', -'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet', -'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet', +'fwhost err isccdipnet' => 'Diese IP Adresse wird bereits für einen Openvpn Netzwerk verwendet', +'fwhost err isccdiphost'=> 'Diese IP Adresse wird bereits für einen Openvpn Host verwendet', 'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet', 'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe', 'fwhost err ip' => 'IP Addresse ungültig', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index d4bdfcd98..d66c202c5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -924,7 +924,7 @@ 'fwdfw cust net' => 'Custom networks:', 'fwdfw copy' => 'Copy', 'fwdfw delete' => 'Delete', -'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)', +'fwdfw dnat' => 'DNAT/Portforward (replace this IP address with the one from TARGET)', 'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.', 'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', 'fwdfw DROP' => 'DROP', 
@@ -937,13 +937,13 @@ 'fwdfw err remark' => 'Invalid chars in remark.', 'fwdfw err ruleexists' => 'This rule already exists.', 'fwdfw err src_addr' => 'Invalid source MAC/IP.', -'fwdfw err srcovpn' => 'Source-IP is an OpenVPN client. Please use dropdown for selection', +'fwdfw err srcovpn' => 'Source-IP address is an OpenVPN client. Please use dropdown for selection', 'fwdfw err same' => 'Identical source and target', 'fwdfw err samesub' => 'Source and target IP adress are in same subnet.', 'fwdfw err srcport' => 'Please provide source port.', 'fwdfw err tgtport' => 'Please provide target port.', 'fwdfw err tgt_addr' => 'Invalid target IP-address.', -'fwdfw err tgtovpn' => 'Target-IP is an OpenVPN client. Please use dropdown for selection', +'fwdfw err tgtovpn' => 'Target-IP address is an OpenVPN client. Please use dropdown for selection', 'fwdfw err tgt_port' => 'Invalid target port', 'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.', 'fwdfw err tgt_grp' => 'Target servicegroup is empty', @@ -971,10 +971,10 @@ 'fwdfw rulepos' => 'Rule position', 'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)', 'fwdfw source' => 'Source', -'fwdfw sourceip' => 'Source address (MAC, IP or Network):', +'fwdfw sourceip' => 'Source address (MAC, IP address or Network):', 'fwdfw std network' => 'Standard networks:', 'fwdfw target' => 'Target', -'fwdfw targetip' => 'Target address (IP or network):', +'fwdfw targetip' => 'Target address (IP address or network):', 'fwdfw till' => 'Till:', 'fwdfw time' => 'Timeframe', 'fwdfw timeframe' => 'Add timeframe', @@ -1014,7 +1014,7 @@ 'fwhost cust srvgrp' => 'Custom servicegroups', 'fwhost deleted' => 'Deleted', 'fwhost empty' => 'No rules defined', -'fwhost err addr' => 'Invalid IP or subnet', +'fwhost err addr' => 'Invalid IP address or subnet', 'fwhost err addrgrp' => 'Please provide a groupname', 'fwhost err empty' => 'Please fill in all fields', 'fwhost err grpexist' => 'Group already exists', 
@@ -1022,14 +1022,14 @@ 'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.', 'fwhost err name1' => 'Name is empty.', 'fwhost err netexist' => 'A network with this name already exists', -'fwhost err net' => 'Network IP already exists', +'fwhost err net' => 'Network IP address already exists', 'fwhost err mac' => 'MAC address invalid', 'fwhost err hostexist' => 'A host with this name already exists', 'fwhost err hostip' => 'Network or broadcast addresses not allowed', -'fwhost err hostorip' => 'Name or IP invalid', +'fwhost err hostorip' => 'Name or IP address invalid', 'fwhost err isccdhost' => 'This name is already used by an OpenVPN client', -'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network', -'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client', +'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network', +'fwhost err isccdiphost'=> 'This IP address is already used by an OpenVPN client', 'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network', 'fwhost err isingrp' => 'This entry already exists in the group', 'fwhost err ip' => 'IP address invalid', @@ -1039,7 +1039,7 @@ 'fwhost err partofnet' => 'This network is part of an already existing one', 'fwhost err port' => 'Port is empty', 'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 and -_();|.', -'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err srvexist' => 'This service already exists in the group', 'fwhost err srv exists' => 'A Service with this name already exists', 'fwhost err sub32' => 'Please add single host. This subnet is no network', 'fwhost green' => 'Green', From 3f09f5309c82ebf8b8518a16aedea8e0aad5e66e Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Wed, 26 Jun 2013 07:56:35 +0200 Subject: [PATCH 242/306] Forward Firewall: convert-dmz now puts converted files into /var/ipfire/forward/config instead of /var/ipfire/forward/dmz --- config/forwardfw/convert-dmz | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz index 9c1ad049c..0722f5bef 100755 --- a/config/forwardfw/convert-dmz +++ b/config/forwardfw/convert-dmz @@ -19,7 +19,7 @@ my %ifaces=(); my %configfwdfw=(); require '/var/ipfire/general-functions.pl'; my $dmzconfig = "${General::swroot}/dmzholes/config"; -my $fwdfwconfig = "${General::swroot}/forward/dmz"; +my $fwdfwconfig = "${General::swroot}/forward/config"; my $ifacesettings = "${General::swroot}/ethernet/settings"; my $field0 = 'ACCEPT'; my $field1 = 'FORWARDFW'; From 60607a6c75730e94b115cd2351c910bf022648dc Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 09:07:05 +0200 Subject: [PATCH 243/306] Forward Firewall: removed DMZ from rules.pl (does no longer exist, is forward now --- config/forwardfw/rules.pl | 6 ------ 1 file changed, 6 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index e077b92d9..b22a67b3c 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -44,7 +44,6 @@ our %targethash=(); my @timeframe=(); my %configinputfw=(); my %configoutgoingfw=(); -my %configdmzfw=(); my %confignatfw=(); my %aliases=(); my @DPROT=(); @@ -53,7 +52,6 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/forward/bin/firewall-lib.pl"; -my $configdmz = "${General::swroot}/forward/dmz"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; 
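Review bot: `$fwdfwconfig` now points at `forward/config`, the same file the forward firewall UI keeps its own rules in (`$configfwdfw = "${General::swroot}/forward/config"` in forwardfw.cgi and rules.pl), so the converter's write mode matters: if it opens the file with `>` it discards rules already saved there, whereas `>>` appends. The open call is outside this hunk, so this needs confirming; a comment next to it such as `# appends to the live forward rule set; must never truncate it` would document the contract.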
@@ -73,7 +71,6 @@ my $dnat=''; my $snat=''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("$netsettings", \%defaultNetworks); -&General::readhasharray($configdmz, \%configdmzfw); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); &General::readhasharray($configoutgoing, \%configoutgoingfw); @@ -154,9 +151,6 @@ sub flush } sub preparerules { - if (! -z "${General::swroot}/forward/dmz"){ - &buildrules(\%configdmzfw); - } if (! -z "${General::swroot}/forward/config"){ &buildrules(\%configfwdfw); } From 8442c93764a38c903fe683ae9533a4d906a2b038 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 09:42:38 +0200 Subject: [PATCH 244/306] Forward Firewall: removed dmz from forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 113 +++++-------------------------------- 1 file changed, 13 insertions(+), 100 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7e1f4f427..ee46e37dd 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -47,7 +47,6 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } -unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); } unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); } my %fwdfwsettings=(); @@ -65,7 +64,6 @@ my %ccdhost=(); my %configfwdfw=(); my %configinputfw=(); my %configoutgoingfw=(); -my %configdmzfw=(); my %confignatfw=(); my %ipsecconf=(); my %color=(); 
@@ -92,7 +90,6 @@ my $configipsecrw = "${General::swroot}/vpn/settings"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; -my $configdmz = "${General::swroot}/forward/dmz"; my $confignat = "${General::swroot}/forward/nat"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; 
@@ -200,59 +197,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%confignatfw,$confignat); } - #DMZ-Part - }elsif ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){ - $fwdfwsettings{'config'}=$configdmz; - $fwdfwsettings{'chain'} = 'FORWARDFW'; - my $maxkey=&General::findhasharraykey(\%configdmzfw); - #check if we have an identical rule already - if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ - foreach my $key (sort keys %configdmzfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && 
$fwdfwsettings{'updatefwrule'} eq 'on' ){ - $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ - $errormessage=$Lang::tr{'fwdfw err remark'}."
"; - } - if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ - $fwdfwsettings{'nosave'} = 'on'; - } - } - } - } - #check Rulepos on new Rule - if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ - $fwdfwsettings{'oldrulenumber'}=$maxkey; - foreach my $key (sort keys %configdmzfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } - } - } - #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} 
&& $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { - if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - $errormessage=''; - $fwdfwsettings{'nosave2'} = 'on'; - } - } - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if($fwdfwsettings{'nosave2'} ne 'on'){ - &saverule(\%configdmzfw,$configdmz); - } #INPUT part }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ $fwdfwsettings{'config'}=$configinput; 
@@ -1591,11 +1535,7 @@ sub newrule $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; - if ($fwdfwsettings{'config'} eq "${General::swroot}/forward/dmz"){ - $fwdfwsettings{'oldruletype'}='DMZ'; - }else{ - $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; - } + $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); @@ -1993,7 +1933,7 @@ sub saverule my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ - #check if we change a NAT to a FORWARD/DMZ + #check if we change a NAT to a FORWARD if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){ &changerule($confignat); #print"1"; 
@@ -2009,78 +1949,52 @@ sub saverule #print"3"; } ################################################################ - #check if we change a DMZ to a NAT - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ - &changerule($configdmz); - #print"4"; - } - #check if we change a DMZ to an OUTGOING - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ - &changerule($configdmz); - #print"5"; - } - #check if we change a DMZ to an INPUT - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ - &changerule($configdmz); - #print"6"; - } - #check if we change a DMZ to a FORWARD/DMZ - elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on'){ - &changerule($configdmz); - #print"7"; - } - ################################################################ #check if we change an INPUT rule to a NAT elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ &changerule($configinput); - #print"8"; + #print"4"; } #check if we change an INPUT rule to a OUTGOING elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ &changerule($configinput); - #print"9"; + #print"5"; } - #check if we change an INPUT rule to a FORWARD/DMZ + #check if we change an INPUT rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configinput); - #print"10"; + #print"6"; } ################################################################ #check if we change an OUTGOING rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ &changerule($configoutgoing); - #print"11"; + #print"7"; } - #check if we change 
an OUTGOING rule to a FORWARD/DMZ + #check if we change an OUTGOING rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configoutgoing); - #print"12"; + #print"8"; } #check if we change an OUTGOING rule to a NAT elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ &changerule($configoutgoing); - #print"13"; + #print"9"; } ################################################################ #check if we change a FORWARD rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ &changerule($configfwdfw); - #print"14"; - } - #check if we change a FORWARD rule to an DMZ - elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){ - &changerule($configfwdfw); - #print"15"; + #print"10"; } #check if we change a FORWARD rule to an OUTGOING elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ &changerule($configfwdfw); - #print"16"; + #print"11"; } #check if we change a FORWARD rule to an NAT elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ &changerule($configfwdfw); - #print"17"; + #print"12"; } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); @@ -2245,7 +2159,6 @@ sub viewtablerule &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); - &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" ); } sub viewtablenew { From 4f3bd0ca20de32b0020f9be926254d2a201d226a Mon Sep 17 00:00:00 2001 
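Review bot: The commented-out `#print"4";` … `#print"12";` debug markers in this hunk are renumbered rather than removed, so every future branch change forces another re-sequencing of dead code; dropping them is the smaller change. Every surviving `elsif` here does the same thing — call `&changerule` with the config file that matches `$fwdfwsettings{'oldruletype'}` — so a lookup such as `my %config_of = (INPUTFW => $configinput, OUTGOINGFW => $configoutgoing, FORWARDFW => $configfwdfw);` followed by one guarded `&changerule($config_of{$fwdfwsettings{'oldruletype'}})` would replace the ladder, provided the NAT_SOURCE/NAT_DESTINATION entries above this hunk (which share `$confignat` and have no NAT-to-NAT branch) are mapped with the same care. saverule starts and ends outside this hunk.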
From: Alexander Marx Date: Wed, 26 Jun 2013 10:29:02 +0200 Subject: [PATCH 245/306] Forward Firewall: changed layout of "apply-button" (after rules where changed. When using single hosts in rules, the prefix is no longer shown in the ruletable. Default settings for firewall-options changed --- html/cgi-bin/forwardfw.cgi | 18 ++++++++++++++++-- html/cgi-bin/fwhosts.cgi | 2 +- lfs/configroot | 4 ++-- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index ee46e37dd..899f226a5 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -438,7 +438,7 @@ sub addrule { &error; if (-f "${General::swroot}/forward/reread"){ - print "
    $Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}


"; } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'}); print "
"; @@ -2157,8 +2157,8 @@ sub viewtablerule &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" ); &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); - &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); + &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } sub viewtablenew { @@ -2256,6 +2256,13 @@ END print""; if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); + }elsif ($$hash{$key}[3] eq 'src_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[4]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[4]; + } }else{ print $$hash{$key}[4]; } @@ -2302,6 +2309,13 @@ END }else{ print &get_name($$hash{$key}[6]); } + }elsif ($$hash{$key}[5] eq 'tgt_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[6]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[6]; + } }else{ print $$hash{$key}[6]; } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 444b3660e..4aee444b9 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1061,7 +1061,7 @@ if($fwhostsettings{'ACTION'} eq '') sub showmenu { if (-f "${General::swroot}/forward/reread"){ - print "
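Review bot: The four-line `/32` stripping block added in `@@ -2256` for `[4]` is pasted again in `@@ -2302` for `[6]`, and `split("/", …)` leaves `$split2` undef when the stored value carries no `/`, so `$split2 eq '32'` raises an uninitialized-value warning for such entries on every table render. A small helper used at both sites removes the duplication and the warning: each site becomes `print &display_addr($$hash{$key}[4]);` and `print &display_addr($$hash{$key}[6]);`. viewtablenew starts and ends outside these hunks, and the value is still printed unescaped as before, which this note does not change.
```perl
# Render a single-host address without its /32 prefix; any other value is returned as stored.
sub display_addr {
    my ($addr) = @_;
    my ($ip, $prefix) = split("/", $addr);
    return (defined $prefix && $prefix eq '32') ? $ip : $addr;
}
```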
$Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}


"; } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print<> $(CONFIG_ROOT)/optionsfw/settings echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings - echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings From c12392c0ef3aa71cda43fe38cfd22e4afab5cc5e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 13:30:30 +0200 Subject: [PATCH 246/306] Forward Firewall: removed NAT table and txt file. --- config/forwardfw/convert-portfw | 8 +- config/forwardfw/rules.pl | 44 +++++------ html/cgi-bin/forwardfw.cgi | 128 ++++---------------------------- src/initscripts/init.d/firewall | 4 - 4 files changed, 43 insertions(+), 141 deletions(-) diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw index 8ec3c3438..691cfb429 100755 --- a/config/forwardfw/convert-portfw +++ b/config/forwardfw/convert-portfw @@ -2,7 +2,7 @@ ######################################################################## # Script: convert-portfw -# Date: 19.03.2013 +# Date: 21.03.2013 # Author: Alexander Marx (amarx@ipfire.org) ######################################################################## # @@ -18,7 +18,7 @@ my @values=(); my @built_rules=(); my %nat=(); my $portfwconfig = "${General::swroot}/portfw/config"; -my $confignat = "${General::swroot}/forward/nat"; +my $confignat = "${General::swroot}/forward/config"; my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); my $count=0; 
@@ -94,9 +94,9 @@ sub build_rules
 $active = uc $active;
 $prot = uc $prot;
 chomp($remark);
- push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
+ push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
 my $now=localtime;
- print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
+ print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
 }
 }
 sub write_rules
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index b22a67b3c..4c220c04f 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -173,6 +173,7 @@ sub buildrules
 my $fireport;
 my $nat;
 my $fwaccessdport;
+ my $natchain;
 foreach my $key (sort {$a <=> $b} keys %$hash){
 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
 if ($$hash{$key}[28] eq 'ON'){
@@ -292,17 +293,13 @@ sub buildrules } print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; } - }elsif($$hash{$key}[28] ne 'ON'){ - if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; if ($DPORT){ $fwaccessdport="--dport ".substr($DPORT,1,); 
@@ -314,10 +311,16 @@ sub buildrules $fwaccessdport="--dport $$hash{$key}[30]"; } } - print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } 
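Review bot: The LOG rule added after the NAT branches uses `$natchain` for every rule that reaches it, but `$natchain` is assigned only inside the `dnat` and `snat` branches and is declared outside the `foreach` (hunk `@@ -173`), so for a rule with `[28] ne 'ON'` it is undef on the first iteration or the stale chain of an earlier NAT rule; the LOG entry then either fails or lands in a NAT chain instead of next to the accept rule in `$$hash{$key}[1]`, and logging for plain rules is silently lost. Since the accept line just below already targets `$$hash{$key}[1]`, the LOG line should use the same chain: `print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";`, with the matching `system` form in hunk `@@ -364`; if SNAT rules are meant to keep logging in the nat chain, that needs its own line inside the `snat` branch as the removed code had. How `$command` is set is not visible here, so whether the undef case errors out or produces a rule in the wrong table is an inference. The enclosing buildrules loop starts and ends outside this hunk.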
@@ -342,17 +345,13 @@ sub buildrules } system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); } - }elsif($$hash{$key}[28] ne 'ON'){ - if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; if ($DPORT){ $fwaccessdport="--dport ".substr($DPORT,1,); 
@@ -364,13 +363,16 @@ sub buildrules $fwaccessdport="--dport $$hash{$key}[30]"; } } - system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; - } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 899f226a5..8068ad3a8 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -64,7 +64,6 @@ my %ccdhost=(); my %configfwdfw=(); my %configinputfw=(); my %configoutgoingfw=(); -my %confignatfw=(); my %ipsecconf=(); my %color=(); my %mainsettings=(); @@ -90,7 +89,6 @@ my $configipsecrw = "${General::swroot}/vpn/settings"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; -my $confignat = "${General::swroot}/forward/nat"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; my $ifacesettings = "${General::swroot}/ethernet/settings"; 
@@ -119,7 +117,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); &General::readhasharray("$configoutgoing", \%configoutgoingfw); - &General::readhasharray("$confignat", \%confignatfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} 
@@ -139,66 +136,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } - #NAT-Part - if ($fwdfwsettings{'USE_NAT'} eq 'ON'){ - $fwdfwsettings{'config'}=$confignat; - if ($fwdfwsettings{'nat'} eq 'dnat'){ - $fwdfwsettings{'chain'} = 'NAT_DESTINATION'; - }else{ - $fwdfwsettings{'chain'} = 'NAT_SOURCE'; - } - my $maxkey=&General::findhasharraykey(\%confignatfw); - #check if we have an identical rule already - if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ - foreach my $key (sort keys %confignatfw){ - if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]" - eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ - $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ - $errormessage=$Lang::tr{'fwdfw err remark'}."
"; - } - if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ - $fwdfwsettings{'nosave'} = 'on'; - } - } - } - } - - #check Rulepos on new Rule - if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ - $fwdfwsettings{'oldrulenumber'}=$maxkey; - foreach my $key (sort keys %confignatfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } - } - } - #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq 
$fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { - if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ - $errormessage=''; - $fwdfwsettings{'nosave2'} = 'on'; - } - } - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if($fwdfwsettings{'nosave2'} ne 'on'){ - &saverule(\%confignatfw,$confignat); - } #INPUT part - }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ + if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'chain'} = 
'INPUTFW'; my $maxkey=&General::findhasharraykey(\%configinputfw); 
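Review bot: With the `USE_NAT` branch removed, nothing left in this path rejects a rule that has `USE_NAT` set to `ON` together with a destination of `ipfire`; such a rule now enters the INPUT branch here and is stored in `$configinput` with `chain` set to `INPUTFW`, whereas before it was diverted to the NAT table before this check ran. If NAT flags are meaningless for input rules, an explicit guard ahead of this branch, e.g. appending to `$errormessage` when `$fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'grp2'} eq 'ipfire'`, would keep the stored data consistent with what rules.pl reads from fields 28 and 31; whether rules.pl tolerates a dnat-flagged entry in the input file cannot be told from this diff. The enclosing ACTION handler starts and ends outside this hunk.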
@@ -1933,69 +1872,39 @@ sub saverule my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ - #check if we change a NAT to a FORWARD - if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){ - &changerule($confignat); - #print"1"; - } - #check if we change a NAT to a INPUT (external access) - elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'INPUTFW'){ - &changerule($confignat); - #print"2"; - } - #check if we change a NAT to a OUTGOING - elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ - &changerule($confignat); - #print"3"; - } ################################################################ - #check if we change an INPUT rule to a NAT - elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ - &changerule($configinput); - #print"4"; - } #check if we change an INPUT rule to a OUTGOING - elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ + if($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ &changerule($configinput); - #print"5"; + #print"1"; } #check if we change an INPUT rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configinput); - #print"6"; + #print"2"; } ################################################################ #check if we change an OUTGOING rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ &changerule($configoutgoing); - #print"7"; + #print"3"; } #check if we change an OUTGOING rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 
'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configoutgoing); - #print"8"; - } - #check if we change an OUTGOING rule to a NAT - elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ - &changerule($configoutgoing); - #print"9"; + #print"4"; } ################################################################ #check if we change a FORWARD rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ &changerule($configfwdfw); - #print"10"; + #print"5"; } #check if we change a FORWARD rule to an OUTGOING elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ &changerule($configfwdfw); - #print"11"; + #print"6"; } - #check if we change a FORWARD rule to an NAT - elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){ - &changerule($configfwdfw); - #print"12"; - } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; @@ -2026,12 +1935,10 @@ sub saverule $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; - if($fwdfwsettings{'USE_NAT'} eq 'ON'){ - $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; - $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; - $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; - $$hash{$key}[31] = $fwdfwsettings{'nat'}; - } + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ 
@@ -2064,12 +1971,10 @@ sub saverule $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; - if($fwdfwsettings{'USE_NAT'} eq 'ON'){ - $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; - $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; - $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; - $$hash{$key}[31] = $fwdfwsettings{'nat'}; - } + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; last; } } @@ -2155,7 +2060,6 @@ sub validremark sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); - &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" ); &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 844cbf6d5..2f7577f51 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -161,10 +161,6 @@ iptables_init() { /sbin/iptables -N FORWARDFW /sbin/iptables -A FORWARD -j FORWARDFW - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL From f557ea1e596033a79ab1f6df4d57fd90c15a2271 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 13:43:53 +0200 Subject: [PATCH 247/306] Forward Firewall: removed PORTFWACCESS flushing from rules.pl --- config/forwardfw/rules.pl | 1 - 1 file changed, 1 deletion(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 4c220c04f..7184c0460 100755 --- a/config/forwardfw/rules.pl 
+++ b/config/forwardfw/rules.pl
@@ -145,7 +145,6 @@ sub flush
 system ("iptables -F FORWARDFW");
 system ("iptables -F INPUTFW");
 system ("iptables -F OUTGOINGFW");
- system ("iptables -F PORTFWACCESS");
 system ("iptables -t nat -F NAT_DESTINATION");
 system ("iptables -t nat -F NAT_SOURCE");
 }
From 0ac6c61d3770cbc1fd19e3c5332ab76124cd643f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 13:54:18 +0200 Subject: [PATCH 248/306] UPNP: changed firewall chain from PORTFW to UPNPFW
--- html/cgi-bin/upnp.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/upnp.cgi b/html/cgi-bin/upnp.cgi
index 8d2666ec7..2b03eff8a 100644
--- a/html/cgi-bin/upnp.cgi
+++ b/html/cgi-bin/upnp.cgi
@@ -82,7 +82,7 @@ if ($upnpsettings{'ACTION'} eq $Lang::tr{'save'})
 debug_mode = $upnpsettings{'DEBUGMODE'}
 insert_forward_rules = $upnpsettings{'FORWARDRULES'}
 forward_chain_name = FORWARD
-prerouting_chain_name = PORTFW
+prerouting_chain_name = UPNPFW
 upstream_bitrate = $upnpsettings{'DOWNSTREAM'}
 downstream_bitrate = $upnpsettings{'UPSTREAM'}
 description_document_name = $upnpsettings{'DESCRIPTION'}
From ac9e77e3ba748c96c670f1215abb4c5bdebe66b4 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 26 Jun 2013 15:25:50 +0200 Subject: [PATCH 249/306] Forward Firewall: added missing fields to the converters (for dnat)
--- config/forwardfw/convert-dmz | 10 ++++++++++ config/forwardfw/convert-outgoingfw | 8 ++++++++ config/forwardfw/convert-xtaccess | 10 +++++++++- html/cgi-bin/forwardfw.cgi | 29 +++++++++++++++-------------- 4 files changed, 42 insertions(+), 15 deletions(-)
diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
index 0722f5bef..6ba054e63 100755
--- a/config/forwardfw/convert-dmz
+++ b/config/forwardfw/convert-dmz
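Review bot: `prerouting_chain_name = UPNPFW` points the UPnP daemon at a nat chain that nothing in this series is shown creating; the firewall initscript hunk in the previous patch only removes PORTFWACCESS, and no `iptables -t nat -N UPNPFW` appears in these diffs. If the chain is not created and hooked from PREROUTING at boot, the daemon's mapping insertions fail and requested port mappings are silently absent; this is an inference from what is visible, so confirm the chain exists before this default ships. A comment above the line naming where the chain is created, e.g. `# UPNPFW must exist in the nat table (created by the firewall initscript)`, would make the dependency visible to the next reader.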
@@ -36,6 +36,12 @@ my $field15 = ''; #Port Number my $field16 = ''; #remark my $field26 = '00:00'; my $field27 = '00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; + + open(FILE, $dmzconfig) or die 'Unable to open config file.'; my @current = ; close(FILE); @@ -141,6 +147,10 @@ sub process_rules{ $configfwdfw{$key}[25] = ''; $configfwdfw{$key}[26] = $field26; $configfwdfw{$key}[27] = $field27; + $configfwdfw{$key}[28] = $field28; + $configfwdfw{$key}[29] = $field29; + $configfwdfw{$key}[30] = $field30; + $configfwdfw{$key}[31] = $field31; print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; } &General::writehasharray($fwdfwconfig,\%configfwdfw); diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 54ba70987..ef2f7e1b9 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -538,6 +538,10 @@ sub process_rules $fwconfig{$key}[25] = $time_sun; $fwconfig{$key}[26] = $time_from; $fwconfig{$key}[27] = $time_to; + $fwconfig{$key}[28] = ''; + $fwconfig{$key}[29] = 'ALL'; + $fwconfig{$key}[30] = ''; + $fwconfig{$key}[31] = 'dnat'; }else{ my $key = &General::findhasharraykey(\%fwconfigout); $fwconfigout{$key}[0] = $action; @@ -563,6 +567,10 @@ sub process_rules $fwconfigout{$key}[25] = $time_sun; $fwconfigout{$key}[26] = $time_from; $fwconfigout{$key}[27] = $time_to; + $fwconfigout{$key}[28] = ''; + $fwconfigout{$key}[29] = 'ALL'; + $fwconfigout{$key}[30] = ''; + $fwconfigout{$key}[31] = 'dnat'; } &General::writehasharray($fwdfwconfig,\%fwconfig); &General::writehasharray($outfwconfig,\%fwconfigout); diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess index 85ad1c8d0..8c3bb56a0 100755 --- a/config/forwardfw/convert-xtaccess +++ b/config/forwardfw/convert-xtaccess 
@@ -21,6 +21,10 @@ my $field15=''; #Port Number
 my $field16=''; #remark
 my $field26='00:00';
 my $field27='00:00';
+my $field28 = '';
+my $field29 = 'ALL';
+my $field30 = '';
+my $field31 = 'dnat';
 open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
 my @current = ;
 close(FILE);
@@ -76,7 +80,7 @@ foreach my $line (@current){
 }
 $field15=$c;
 my $key = &General::findhasharraykey (\%configinputfw);
- foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";}
+ foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";}
 $configinputfw{$key}[0] = $field0;
 $configinputfw{$key}[1] = $field1;
 $configinputfw{$key}[2] = $field2;
@@ -105,5 +109,9 @@ foreach my $line (@current){
 $configinputfw{$key}[25] = '';
 $configinputfw{$key}[26] = $field26;
 $configinputfw{$key}[27] = $field27;
+ $configinputfw{$key}[28] = $field28;
+ $configinputfw{$key}[29] = $field29;
+ $configinputfw{$key}[30] = $field30;
+ $configinputfw{$key}[31] = $field31;
 &General::writehasharray($inputfwconfig,\%configinputfw);
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 8068ad3a8..e3ea5bdb1 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -144,8 +144,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configinputfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, 
$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; 
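Review bot: The rewritten duplicate-rule comparison in the `@@ -144` hunk can no longer match anything, because the two interpolated strings put spaces after different commas: the left side reads `...,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{...` while the right side reads `$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],...`, so the byte-wise `eq` fails on whitespace before any field is compared and `fwdfw err ruleexists` is never raised. Either strip every space inside both quoted strings, or build both sides as lists and compare `join(',', @wanted) eq join(',', @stored)` so formatting cannot diverge again. The same whitespace mismatch is present in the `@@ -162`, `@@ -196`, `@@ -215`, `@@ -252` and `@@ -270` hunks of this file; in the last two the left side has no spaces at all while the right side does. The enclosing `saverule` branch starts outside the hunk.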
@@ -162,8 +162,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configinputfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, 
$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } 
@@ -196,8 +196,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') my $maxkey=&General::findhasharraykey(\%configoutgoingfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configoutgoingfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, 
$fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}" + eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; @@ -215,8 +215,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') print"CHECK OUTGOING DOPPELTE REGEL
"; $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, $fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, 
$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}" + eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } 
@@ -252,8 +252,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ $errormessage=''; @@ -262,6 +262,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; + print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]"; } } } 
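Review bot: The line `print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]";` added in the `@@ -262` hunk is leftover debugging output that is written straight into the CGI response, interpolating a stored rule field without HTML escaping; it should be removed before merge. If a trace is genuinely needed, send it to the server error log with `warn` rather than to stdout so it can neither corrupt the page nor expose configuration values to the browser. The surrounding `if ($fwdfwsettings{'oldruleremark'} eq ...)` block belongs to a loop that starts outside the hunk.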
@@ -270,8 +271,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configfwdfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } @@ -2173,7 +2174,7 @@ END $tdcolor=''; &getsrcport(\%$hash,$key); #Is this a SNAT rule? - if ($$hash{$key}[31] eq 'snat'){ + if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){ print"
-> $$hash{$key}[29]"; if ($$hash{$key}[30] ne ''){ print": $$hash{$key}[30]"; @@ -2198,7 +2199,7 @@ END END #Is this a DNAT rule? - if ($$hash{$key}[31] eq 'dnat'){ + if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ print "IPFire ($$hash{$key}[29])"; if($$hash{$key}[30] ne ''){ $$hash{$key}[30]=~ tr/|/,/; From 2af92cf5acf6d3b0ef52528a0e83a29353ff3c83 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 27 Jun 2013 07:28:06 +0200 Subject: [PATCH 250/306] Forward Firewall: added new line at bottom of all ruletables with the "final rule" --- html/cgi-bin/forwardfw.cgi | 49 ++++++++++++++++++++++++++++++++++---- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 51 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e3ea5bdb1..0725e2542 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -75,7 +75,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.8'; +my $VERSION='0.9.9.9'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -2319,20 +2319,61 @@ END my $weekdays=join(",",@days); if (@days){ print""; - print" $weekdays   $$hash{$key}[26] - $$hash{$key}[27] "; + print"   $weekdays   $$hash{$key}[26] - $$hash{$key}[27] "; } } } print""; } + my $col; + if ($config eq '/var/ipfire/forward/config'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + print"$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}"; + }elsif ($config eq '/var/ipfire/forward/outgoing'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + print"$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}"; + }else{ + print"$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}"; + } print""; - &Header::closebox(); print "
"; print "

"; + &Header::closebox(); }else{ if ($optionsfw{'SHOWTABLES'} eq 'on'){ print "$title1
"; - print"
$Lang::tr{'fwhost empty'}


"; + print""; + my $col; + if ($config eq '/var/ipfire/forward/config'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + print""; + }elsif ($config eq '/var/ipfire/forward/outgoing'){ + my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ + $col="bgcolor='darkred'"; + }else{ + $col="bgcolor='green'"; + } + print""; + }else{ + print""; + } + print"
$Lang::tr{'fwhost empty'}
$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}
$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}
$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}


"; } } } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 9587258f9..0445dda97 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -924,6 +924,7 @@ 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer', 'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden', 'fwdfw from' => 'Von:', +'fwdfw final_rule' => 'Letzte Regel: ', 'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind', 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', 'fwdfw ipsec network' => 'IPsec Netzwerke:', @@ -931,6 +932,8 @@ 'fwdfw man port' => 'Port(s) manuell:', 'fwdfw moveup' => 'Hoch', 'fwdfw movedown' => 'Runter', +'fwdfw MODE1' => 'Alle Pakete verwerfen', +'fwdfw MODE2' => 'Alle Pakete annehmen', 'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Unter Umständen können einzelne aktivierte P2P Netzewerke einen erheblichen Teil der Bandbreite beanspruchen.', 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index d66c202c5..37c3b1257 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -949,6 +949,7 @@ 'fwdfw err tgt_grp' => 'Target servicegroup is empty', 'fwdfw err time' => 'You have to define at least one day.', 'fwdfw from' => 'From:', +'fwdfw final_rule' => 'Last rule: ', 'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.', 'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ', 'fwdfw ipsec network' => 'IpSec networks:', 
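Review bot: The new "final rule" rows compare `$config` against the hard-coded literals `'/var/ipfire/forward/config'` and `'/var/ipfire/forward/outgoing'`, while the rest of this file builds its paths from `${General::swroot}` (see `$confignet` in the version-bump hunk above); if `$config` is derived from `$General::swroot` the match silently falls through to the `else` branch and every table is labelled as MODE1. The policy/colour selection is also duplicated verbatim between the populated-table branch and the empty-table branch of this hunk, and `$Lang::tr{$pol}` is looked up with a key built from the setting, so a POLICY value other than MODE1/MODE2 yields an undef label. Factoring the selection into one helper removes the duplication and keeps the path comparison consistent with the rest of the file; the `print` of the row itself is left as in the hunk. The enclosing sub starts outside the hunk.
```perl
# Print the implicit "last rule" row for the rule table backed by $config.
sub print_final_rule {
    my ($config) = @_;
    my $policy = 'MODE1';                       # input tables always drop
    if ($config eq "${General::swroot}/forward/config") {
        $policy = $fwdfwsettings{'POLICY'};
    } elsif ($config eq "${General::swroot}/forward/outgoing") {
        $policy = $fwdfwsettings{'POLICY1'};
    }
    $policy = 'MODE1' unless $policy eq 'MODE1' || $policy eq 'MODE2';
    my $col = $policy eq 'MODE1' ? "bgcolor='darkred'" : "bgcolor='green'";
    my $pol = "fwdfw $policy";
    # … unchanged: print of the row using $col, $Lang::tr{'fwdfw final_rule'} and $Lang::tr{$pol} …
}
```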
@@ -956,6 +957,8 @@ 'fwdfw man port' => 'Port(s) manual:', 'fwdfw moveup' => 'Move up', 'fwdfw movedown' => 'Move down', +'fwdfw MODE1' => 'Drop all packets', +'fwdfw MODE2' => 'Accept all packets', 'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith.', 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', From a0fb1099efded1fe13a7e7fb51a97097776a06a8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 28 Jun 2013 09:36:31 +0200 Subject: [PATCH 251/306] Forward Firewall: Design changes 1) source has a new option "firewall" with dropdown for interfaces 2) source default networks->deleted IPFire, all ip's now in brackets 3) deleted warning message in Target that a mac is not usable 4) changes for "apply" button 5) in ruletable the protocol is now right beneath the ruletype column 6) changed target dropdown "INTERNET" to "RED" 7) renamed OpenVPN N-2N to OpenVPN Net-to-Net 8) set missing default firewall options 9) little changes on the en and de lang files --- config/forwardfw/rules.pl | 26 ++++++++- html/cgi-bin/forwardfw.cgi | 106 +++++++++++++++++++++++-------------- html/cgi-bin/fwhosts.cgi | 3 +- langs/de/cgi-bin/de.pl | 15 +++--- langs/en/cgi-bin/en.pl | 15 +++--- lfs/configroot | 2 + 6 files changed, 109 insertions(+), 58 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 7184c0460..f3e1217c1 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -209,7 +209,7 @@ sub buildrules &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); } } - }elsif($$hash{$key}[5] eq 'ipfire'){ + }elsif($$hash{$key}[5] eq 'ipfire' ){ if($$hash{$key}[6] eq 'GREEN'){ $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; } 
@@ -505,6 +505,30 @@ sub get_address $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } } } sub get_prot diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0725e2542..716f58810 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -189,8 +189,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configinputfw,$configinput); } - }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){ - # OUTGOING PART + }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){ + # OUTGOING PART $fwdfwsettings{'config'}=$configoutgoing; $fwdfwsettings{'chain'} = 'OUTGOINGFW'; my $maxkey=&General::findhasharraykey(\%configoutgoingfw); @@ -378,7 +378,7 @@ sub addrule { &error; if (-f "${General::swroot}/forward/reread"){ - print "
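Review bot: The RED/RED1 branch stores the line read from /var/ipfire/red/local-ipaddress without `chomp`, so the trailing newline stays in `$$hash{$key}[0]` and is carried into whatever rule argument this address later feeds, presumably the iptables command built in buildrules (the rendered hunk shows `$$hash{$key}[0]= ;`, so the readline operator itself seems lost in extraction; confirm the branch really reads the handle). The `or die` also aborts the whole rule build when the file is absent, which is likely the case while RED is down, so the ruleset could be left half-applied; a lexical three-arg open with a fallback is safer: `if (open(my $fh, '<', "/var/ipfire/red/local-ipaddress")) { my $ip = <$fh>; close($fh); chomp($ip) if defined $ip; $$hash{$key}[0] = $ip; }`. Note too that the `else` of the RED test runs the alias loop for every non-RED value, GREEN/BLUE/ORANGE/ALL included; harmless unless an alias shares one of those names, but an explicit `elsif` chain would state the intent, and nothing sets `$$hash{$key}[0]` when no alias matches. get_address continues outside the hunk.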
    $Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}

"; } &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'}); print "
"; @@ -979,6 +979,7 @@ sub gen_dd_block $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; print< @@ -989,13 +990,16 @@ END foreach my $network (sort keys %defaultNetworks) { next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src'); - next if($defaultNetworks{$network}{'NAME'} eq "IPFire" && $srctgt eq 'tgt'); + next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); print ""; + $ifaces{$defnet}='0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'RED'); + if ($ifaces{$defnet}){ + print ">$network ($ifaces{$defnet})"; + }else{ + print ">$network"; + } } print""; #custom networks @@ -1403,6 +1407,7 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -1462,6 +1467,7 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; } @@ -1510,9 +1516,24 @@ sub newrule #------SOURCE------------------------------------------------------- print< - $Lang::tr{'fwdfw sourceip'} -
- + $Lang::tr{'fwdfw sourceip'}Firewall +END + print"$Lang::tr{'fwdfw targetip'}Firewall + $Lang::tr{'fwdfw targetip'}Firewall END print"$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}"; - print"$Lang::tr{'remark'}:"; + print"$Lang::tr{'remark'}:"; + #print"$Lang::tr{'remark'}:"; if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ print "$Lang::tr{'fwdfw rulepos'}: END + #TARGET &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost); print< END #Is this a DNAT rule? if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ - print "IPFire ($$hash{$key}[29])"; + print "Firewall ($$hash{$key}[29])"; if($$hash{$key}[30] ne ''){ $$hash{$key}[30]=~ tr/|/,/; print": $$hash{$key}[30]"; @@ -2225,25 +2268,10 @@ END print $$hash{$key}[6]; } $tdcolor=''; + #TARGETPORT &gettgtport(\%$hash,$key); print""; - #Get Protocol - my $prot; - if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual - push (@protocols,$$hash{$key}[8]); - }elsif ($$hash{$key}[12]){ #target prot if manual - push (@protocols,$$hash{$key}[12]); - }elsif($$hash{$key}[14] eq 'cust_srv'){ - &get_serviceports("service",$$hash{$key}[15]); - }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ - &get_serviceports("group",$$hash{$key}[15]); - }else{ - push (@protocols,$Lang::tr{'all'}); - } - my $protz=join(",",@protocols); - print"$protz"; - @protocols=(); - + #RULE ACTIVE if($$hash{$key}[2] eq 'ON'){ $gif="/images/on.gif" diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 4aee444b9..ac0c04489 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1061,7 +1061,7 @@ if($fwhostsettings{'ACTION'} eq '') sub showmenu { if (-f "${General::swroot}/forward/reread"){ - print "
    $Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}

"; } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print<$Lang::tr{'name'}: IP/MAC: $Lang::tr{'remark'}: -

$Lang::tr{'fwhost attention'}
$Lang::tr{'fwhost macwarn'}
END diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0445dda97..b205c85bc 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -940,7 +940,7 @@ 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln.', 'fwdfw pol text1' => 'Standardverhalten für Verbindungen von Firewall. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', -'fwdfw red' => 'INTERNET', +'fwdfw red' => 'ROT', 'fwdfw REJECT' => 'Verweigern (REJECT)', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', @@ -985,11 +985,11 @@ 'fwhost ccdnet' => 'OpenVPN Netzwerke:', 'fwhost change' => 'Ändern', 'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.', -'fwhost cust addr' => 'Custom Adressen:', -'fwhost cust grp' => 'Custom Gruppen:', -'fwhost cust net' => 'Custom Netzwerke:', -'fwhost cust service' => 'Custom Dienste:', -'fwhost cust srvgrp' => 'Custom Dienstgruppen', +'fwhost cust addr' => 'Adressen:', +'fwhost cust grp' => 'Gruppen:', +'fwhost cust net' => 'Netzwerke:', +'fwhost cust service' => 'Dienste:', +'fwhost cust srvgrp' => 'Dienstgruppen', 'fwhost deleted' => 'Gelöscht', 'fwhost empty' => 'Keine Regeln definiert', 'fwhost err addr' => 'IP Adresse oder Subnetzmaske ungültig', 
@@ -1034,10 +1034,9 @@ 'fwhost newgrp' => 'Adressgruppierung', 'fwhost newservice' => 'Diensteinstellungen', 'fwhost newservicegrp' => 'Dienstgruppierung', -'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.', 'fwhost menu' => 'Firewallgruppen', 'fwhost orange' => 'Orange', -'fwhost ovpn_n2n' => 'OpenVPN N-2-N', +'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protokoll', 'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 37c3b1257..49a3c1ef8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -965,7 +965,7 @@ 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', 'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.', -'fwdfw red' => 'INTERNET', +'fwdfw red' => 'RED', 'fwdfw REJECT' => 'REJECT', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 
@@ -1010,11 +1010,11 @@
 'fwhost ccdnet' => 'OpenVPN networks:',
 'fwhost change' => 'Modify',
 'fwhost changeremark' => 'You just modified the remark',
-'fwhost cust addr' => 'Custom addresses:',
-'fwhost cust grp' => 'Custom groups:',
-'fwhost cust net' => 'Custom networks:',
-'fwhost cust service' => 'Custom services:',
-'fwhost cust srvgrp' => 'Custom servicegroups',
+'fwhost cust addr' => 'Addresses:',
+'fwhost cust grp' => 'Groups:',
+'fwhost cust net' => 'Networks:',
+'fwhost cust service' => 'Services:',
+'fwhost cust srvgrp' => 'Servicegroups',
 'fwhost deleted' => 'Deleted',
 'fwhost empty' => 'No rules defined',
 'fwhost err addr' => 'Invalid IP address or subnet',
@@ -1059,10 +1059,9 @@
 'fwhost newgrp' => 'Address grouping',
 'fwhost newservice' => 'Service',
 'fwhost newservicegrp' => 'Service grouping',
-'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored.',
 'fwhost menu' => 'Firewall Groups',
 'fwhost orange' => 'Orange',
-'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
 'fwhost port' => 'Port(s)',
 'fwhost prot' => 'Protocol',
 'fwhost reread' => 'Firewall rules need to be updated.',
diff --git a/lfs/configroot b/lfs/configroot
index fcaa13f1d..4268f1502 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -123,6 +123,8 @@ $(TARGET) :
 echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPSAMBA=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPROXY=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
From 1a8fde0e845eab654aeee6dc5b780c3e4596cb4d Mon Sep 17 00:00:00 2001
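Review bot: The new `DROPSAMBA=on` and `DROPPROXY=on` lines only seed a freshly built CONFIG_ROOT, so installations that upgrade in place will have neither key in optionsfw/settings. Whatever reads these keys (presumably the firewall init script, which is not visible here) should treat a missing key as `on` so the restrictive default is not silently lost on upgrade, or the corresponding update script should append the two lines; in Perl that is a one-liner per key such as `$optionsfw{'DROPSAMBA'} = 'on' unless defined $optionsfw{'DROPSAMBA'};`. Worth a comment next to the defaults stating that absent means drop.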
From: Alexander Marx Date: Mon, 1 Jul 2013 16:38:14 +0200 Subject: [PATCH 252/306] Forward Firewall: changed some names and added subnets to dropdowns --- config/cfgroot/general-functions.pl | 4 ++-- html/cgi-bin/forwardfw.cgi | 9 ++++++--- html/cgi-bin/fwhosts.cgi | 22 +++++++++++----------- langs/de/cgi-bin/de.pl | 18 ++++++++++-------- langs/en/cgi-bin/en.pl | 28 +++++++++++++++------------- 5 files changed, 44 insertions(+), 37 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 07bbab67a..c57de1996 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -82,8 +82,8 @@ sub setup_default_networks my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'}); $sub=&General::iporsubtocidr($sub); my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'}); - $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0]; - $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn"; + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'ADR'} = $tempovpnsubnet[0]; + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'NAME'} = "OpenVPN-Dyn"; } } # end OpenVPN # IPsec RW NET diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 716f58810..57eff4dff 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -994,9 +994,12 @@ END print ""; + print ">$network ($ifaces{$defnet}/$defsub1)"; }else{ print ">$network"; } @@ -1694,7 +1697,7 @@ END #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< + "; - print""; + print""; #print""; if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ print " - - + + + END @@ -1107,8 +1107,8 @@ sub addhost $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; print<
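Review bot: The new key `'OpenVPN ' ."($ip/$sub)"` is spelled out twice; a single `my $ovpn_key = "OpenVPN ($ip/$sub)";` used for both the `ADR` and `NAME` assignments keeps the two literals from drifting apart. Renaming the key also changes the label that gen_dd_block in forwardfw.cgi iterates with `sort keys %defaultNetworks`; if rules saved by an earlier build persist that label rather than the `NAME` value, they will stop resolving after this change, which is worth checking against the rule storage format since it is not visible here. setup_default_networks continues outside the hunk.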
-
- + + END @@ -1147,7 +1147,7 @@ sub addgrp if ($fwhostsettings{'update'} eq ''){ print< - +
$Lang::tr{'fwdfw rule action'}
$Lang::tr{'remark'}:
$Lang::tr{'remark'}:
$Lang::tr{'remark'}:
$Lang::tr{'fwdfw rulepos'}:
$Lang::tr{'name'}:
$Lang::tr{'fwhost netaddress'}:
$Lang::tr{'netmask'}:
$Lang::tr{'name'}:
$Lang::tr{'fwhost netaddress'}:
$Lang::tr{'netmask'}:
$Lang::tr{'remark'}:


$Lang::tr{'name'}:
IP/MAC:
$Lang::tr{'name'}:
IP/MAC:
$Lang::tr{'remark'}:

$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'remark'}:


END @@ -1242,7 +1242,7 @@ sub addservice { &error; &showmenu; - &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservice'}); + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservice'}); if ($fwhostsettings{'updatesrv'} eq 'on') { $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; @@ -1251,7 +1251,7 @@ sub addservice } print< - $Lang::tr{'fwhost srv_name'}: + $Lang::tr{'fwhost srv_name'}: $Lang::tr{'fwhost prot'}: + $Lang::tr{'fwhost port'}:

END @@ -1306,12 +1306,12 @@ sub addservicegrp &hint; &error; &showmenu; - &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'}); + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservicegrp'}); $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'}; if ($fwhostsettings{'updatesrvgrp'} eq ''){ print< - $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'fwhost addgrpname'} $Lang::tr{'remark'}:

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index b205c85bc..5ff88f43d 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -972,11 +972,13 @@ 'fwdfw wd_sat' => 'Sa', 'fwdfw wd_sun' => 'So', 'fwdfw xt access' => 'Input', -'fwhost addgrp' => 'Gruppe:', +'fwhost addgrp' => 'Gruppe hinzufügen:', 'fwhost addgrpname' => 'Gruppenname:', -'fwhost addhost' => 'Adresse:', -'fwhost addnet' => 'Netzwerk:', +'fwhost addhost' => 'Host hinzufügen:', +'fwhost addnet' => 'Netzwerk hinzufügen:', 'fwhost addrule' => 'Regel hinzufügen/ändern:', +'fwhost addservice' => 'Dienst hinzufügen:', +'fwhost addservicegrp' => 'Dienstgruppe hinzufügen:', 'fwhost any' => 'Alle', 'fwhost attention' => 'ACHTUNG', 'fwhost back' => 'Zurück', @@ -985,7 +987,7 @@ 'fwhost ccdnet' => 'OpenVPN Netzwerke:', 'fwhost change' => 'Ändern', 'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.', -'fwhost cust addr' => 'Adressen:', +'fwhost cust addr' => 'Hosts:', 'fwhost cust grp' => 'Gruppen:', 'fwhost cust net' => 'Netzwerke:', 'fwhost cust service' => 'Dienste:', @@ -1029,10 +1031,10 @@ 'fwhost ipsec host' => 'IPsec Clients:', 'fwhost ipsec net' => 'IPsec Netzwerke:', 'fwhost netaddress' => 'Netzwerk Adresse', -'fwhost newnet' => 'Netzeinstellungen', -'fwhost newhost' => 'Adresseinstellungen', -'fwhost newgrp' => 'Adressgruppierung', -'fwhost newservice' => 'Diensteinstellungen', +'fwhost newnet' => 'Netzwerke', +'fwhost newhost' => 'Hosts', +'fwhost newgrp' => 'Netzwerk-/ Hostgruppierung', +'fwhost newservice' => 'Dienst', 'fwhost newservicegrp' => 'Dienstgruppierung', 'fwhost menu' => 'Firewallgruppen', 'fwhost orange' => 'Orange', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 49a3c1ef8..c50732765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -997,24 +997,26 @@ 'fwdfw wd_sat' => 'Sat', 'fwdfw wd_sun' => 'Sun', 'fwdfw xt access' => 'Access to firewall', -'fwhost addgrp' => 'Group:', +'fwhost addgrp' => 'Add Network / Host Group:', 'fwhost addgrpname' => 'Groupname:', -'fwhost addhost' => 'Address:', -'fwhost addnet' => 'Network:', +'fwhost addhost' => 'Add Host:', +'fwhost addnet' => 'Add Network:', 'fwhost addrule' => 'Add/Edit rule:', +'fwhost addservice' => 'Add Service:', +'fwhost addservicegrp' => 'Add Service Group:', 'fwhost any' => 'Any', 'fwhost attention' => 'ATTENTION', -'fwhost back' => 'back', +'fwhost back' => 'Back', 'fwhost blue' => 'Blue', 'fwhost ccdhost' => 'OpenVPN clients:', 'fwhost ccdnet' => 'OpenVPN networks:', 'fwhost change' => 'Modify', 'fwhost changeremark' => 'You just modified the remark', -'fwhost cust addr' => 'Addresses:', -'fwhost cust grp' => 'Groups:', +'fwhost cust addr' => 'Hosts:', +'fwhost cust grp' => 'Network / Host Groups:', 'fwhost cust net' => 'Networks:', 'fwhost cust service' => 'Services:', -'fwhost cust srvgrp' => 'Servicegroups', +'fwhost cust srvgrp' => 'Service groups:', 'fwhost deleted' => 'Deleted', 'fwhost empty' => 'No rules defined', 'fwhost err addr' => 'Invalid IP address or subnet', @@ -1054,11 +1056,11 @@ 'fwhost ipsec host' => 'IPsec clients:', 'fwhost ipsec net' => 'IPsec networks:', 'fwhost netaddress' => 'Network address', -'fwhost newnet' => 'Network', -'fwhost newhost' => 'Host', -'fwhost newgrp' => 'Address grouping', -'fwhost newservice' => 'Service', -'fwhost newservicegrp' => 'Service grouping', +'fwhost newnet' => 'Networks', +'fwhost newhost' => 'Hosts', +'fwhost newgrp' => 'Network / Host Groups', +'fwhost newservice' => 'Services', +'fwhost newservicegrp' => 'Service Groups', 'fwhost menu' => 'Firewall Groups', 'fwhost orange' => 'Orange', 'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', 
@@ -1066,7 +1068,7 @@ 'fwhost prot' => 'Protocol', 'fwhost reread' => 'Firewall rules need to be updated.', 'fwhost reset' => 'Cancel', -'fwhost services' => 'Services', +'fwhost services' => 'Services:', 'fwhost srv_name' => 'Servicename', 'fwhost stdnet' => 'Standard networks:', 'fwhost type' => 'Type', From 43d8be093c2dcad28164745d451f8d2351b9b95f Mon Sep 17 00:00:00 2001 From: root Date: Tue, 2 Jul 2013 04:16:52 +0200 Subject: [PATCH 253/306] Forward Firewall: some language changes de.pl and en.pl as well as forwardfw.cgi and fwhost.cgi --- html/cgi-bin/forwardfw.cgi | 14 ++++++++++---- html/cgi-bin/fwhosts.cgi | 3 ++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 57eff4dff..5ddeaf129 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1391,6 +1391,10 @@ sub newrule if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); + #Get Red IP-ADDRESS + open (CONN1,"/var/ipfire/red/local-ipaddress"); + my $redip = ; + close(CONN1); $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -1410,7 +1414,7 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); 
@@ -1519,14 +1523,14 @@ sub newrule #------SOURCE------------------------------------------------------- print< - $Lang::tr{'fwdfw sourceip'}Firewall + $Lang::tr{'fwdfw sourceip'}Firewall END print" END foreach ("ACCEPT","DROP","REJECT") @@ -2211,6 +2215,8 @@ END }else{ print $$hash{$key}[4]; } + }elsif ($$hash{$key}[4] eq 'RED1'){ + print "$Lang::tr{'fwdfw red'}"; }else{ print $$hash{$key}[4]; } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 9afc7c879..9ae490fd5 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1064,8 +1064,9 @@ sub showmenu print "
    $Lang::tr{'fwhost reread'}

"; } &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); + print "$Lang::tr{'fwhost welcome'}"; print<
+


diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 5ff88f43d..ef22ba366 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1048,6 +1048,7 @@ 'fwhost stdnet' => 'Standard Netzwerke:', 'fwhost type' => 'Typ', 'fwhost used' => 'Benutzt', +'fwhost welcome' => 'Hier können einzelne Netzwerke, Hosts oder Dienste definiert werden. Diese lassen sich zu Gruppen zusammenfassen und in der Firewall verwenden. Durch die Gruppen kann man Einzelne Firewallregeln auf mehrere Netzwerke und Hosts anwenden und so die Regeln übersichtlich halten.', 'fwhost wo subnet' => '(Ohne Subnetz)', 'free' => 'Frei', 'free memory' => 'Freier Speicher ', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c50732765..561ba7e85 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1073,6 +1073,7 @@ 'fwhost stdnet' => 'Standard networks:', 'fwhost type' => 'Type', 'fwhost used' => 'Used', +'fwhost welcome' => 'Here you can define single Networks, Hosts or Services which can be grouped together. These Networks, Hosts and Groups can then be used in the firewall. You are able to use only a few rules for a big amount of Networks, Hosts or Groups.', 'fwhost wo subnet' => '(without subnet)', 'free' => 'Free', 'free memory' => 'Free Memory ', From d4cb89d2d111e219520f4e1294e2e0985f918dac Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Jul 2013 08:03:25 +0200 Subject: [PATCH 254/306] Forward Firewall: When using "Firewall" as source or target, the ruletable looks confusing. Theres "RED" in source and target. Now theres "INTERFACE RED". --- html/cgi-bin/forwardfw.cgi | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 5ddeaf129..fb577439c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -75,7 +75,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.9'; +my $VERSION='0.9.9.9a'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -133,7 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage.=$Lang::tr{'fwdfw useless rule'}."
"; } #check if we try to break rules - if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){ + if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw err same'}; } #INPUT part @@ -2204,8 +2204,12 @@ END print"$protz"; @protocols=(); #SOURCE + my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print""; + if ($$hash{$key}[3] eq 'ipfire_src'){ + $ipfireiface='Interface '; + } if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); }elsif ($$hash{$key}[3] eq 'src_addr'){ @@ -2216,9 +2220,9 @@ END print $$hash{$key}[4]; } }elsif ($$hash{$key}[4] eq 'RED1'){ - print "$Lang::tr{'fwdfw red'}"; + print "$ipfireiface $Lang::tr{'fwdfw red'}"; }else{ - print $$hash{$key}[4]; + print "ipfireiface $$hash{$key}[4]"; } $tdcolor=''; #SOURCEPORT @@ -2259,10 +2263,13 @@ END } print"
->"; } + if ($$hash{$key}[5] eq 'ipfire'){ + $ipfireiface='Interface'; + } if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ if ($$hash{$key}[6] eq 'RED1') { - print $Lang::tr{'red1'}; + print "$ipfireiface $Lang::tr{'red1'}"; }else{ print &get_name($$hash{$key}[6]); } @@ -2274,7 +2281,7 @@ END print $$hash{$key}[6]; } }else{ - print $$hash{$key}[6]; + print "$ipfireiface $$hash{$key}[6]"; } $tdcolor=''; #TARGETPORT From cb4439f3943662742f8010d41aff47ac06bb1804 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Jul 2013 08:21:38 +0200 Subject: [PATCH 255/306] Forward Firewall: Bugfix of last commit. Added "Interface" to source or target that uses "Firewall" interfaces --- html/cgi-bin/forwardfw.cgi | 14 ++++++++------ langs/en/cgi-bin/en.pl | 2 +- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index fb577439c..9bd4606f9 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -134,7 +134,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #check if we try to break rules if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){ - $errormessage.=$Lang::tr{'fwdfw err same'}; + $errormessage=$Lang::tr{'fwdfw err same'}; } #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ @@ -772,7 +772,7 @@ sub checkrule } #check if source and target identical if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){ - $errormessage.=$Lang::tr{'fwdfw err same'}; + $errormessage=$Lang::tr{'fwdfw err same'}; return $errormessage; } #get source and targetip address if possible 
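Review bot: Changing `$errormessage.=` to `$errormessage=` in the saverule handler discards any message already accumulated above it; the `fwdfw useless rule` text is appended with `.=` only a few lines earlier in the same block, so a rule that is both useless and firewall-to-firewall now reports only the second problem. If the goal was to avoid a duplicated message, keep appending with `$errormessage .= $Lang::tr{'fwdfw err same'};` and guard on the specific text instead of overwriting. The identical replacement in checkrule (`@@ -772`) has the same effect, although there it is followed by an immediate `return`. The enclosing `if ($fwdfwsettings{'ACTION'} eq 'saverule')` block starts and ends outside the hunk.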
@@ -2267,11 +2267,13 @@ END $ipfireiface='Interface'; } if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ - if ($$hash{$key}[6] eq 'RED1') - { + if ($$hash{$key}[6] eq 'RED1'){ print "$ipfireiface $Lang::tr{'red1'}"; + }elsif ($$hash{$key}[6] ne 'RED') + { + print "$ipfireiface $$hash{$key}[6]"; }else{ - print &get_name($$hash{$key}[6]); + print "$$hash{$key}[6]"; } }elsif ($$hash{$key}[5] eq 'tgt_addr'){ my ($split1,$split2) = split("/",$$hash{$key}[6]); @@ -2281,7 +2283,7 @@ END print $$hash{$key}[6]; } }else{ - print "$ipfireiface $$hash{$key}[6]"; + print "$$hash{$key}[6]"; } $tdcolor=''; #TARGETPORT diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 561ba7e85..da3ec2bed 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -996,7 +996,7 @@ 'fwdfw wd_fri' => 'Fri', 'fwdfw wd_sat' => 'Sat', 'fwdfw wd_sun' => 'Sun', -'fwdfw xt access' => 'Access to firewall', +'fwdfw xt access' => 'Input', 'fwhost addgrp' => 'Add Network / Host Group:', 'fwhost addgrpname' => 'Groupname:', 'fwhost addhost' => 'Add Host:', From f1934a05ad64ae5dd78568eece018cdb452b2326 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Jul 2013 14:55:46 +0200 Subject: [PATCH 256/306] Forward Firewall: delted subnets from hosts in firewallgroups, colorized all ip-addresses from the firewall-groups if possible. Some minor changes in forwardfw.cgi --- html/cgi-bin/forwardfw.cgi | 14 +++++++------- html/cgi-bin/fwhosts.cgi | 9 +++++---- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 9bd4606f9..07109f2c5 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
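Review bot: `$ipfireiface` is never cleared between the source and target columns: the preceding commit declares it once per row and sets it to `'Interface '` when the source is `ipfire_src`, and this hunk only assigns it again when the target is `ipfire`, so a rule from a firewall interface to, say, a GREEN standard network renders its target as "Interface  GREEN". Replace the existing `if` with an unconditional reset, `$ipfireiface = ($$hash{$key}[5] eq 'ipfire') ? 'Interface ' : '';`, which also settles the trailing space the two assignments currently disagree on (`'Interface '` versus `'Interface'`). The new `elsif ($$hash{$key}[6] ne 'RED')` branch additionally drops the `&get_name(...)` translation the old code applied to standard-network targets; whether that is intended is not visible here. The enclosing loop starts and ends outside the hunk.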
@@ -1614,7 +1614,7 @@ END } print< - $Lang::tr{'fwhost cust srvgrp'}:$Lang::tr{'fwhost cust srvgrp'}$Lang::tr{'fwdfw snat'}"; print"IPFire: @@ -1421,8 +1421,8 @@ END else{ print" ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); $customhost{$key}[4]=~s/\s+//g; + print"
$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x"; print<$customhost{$key}[0]$ip$customhost{$key}[3]$customhost{$key}[4]x @@ -1511,7 +1511,7 @@ sub viewtablegrp if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ print "$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]"; }else{ - print"$ip$customgrp{$key}[3]"; + print"".&Header::colorize($ip)."$customgrp{$key}[3]"; } if ($delflag > '1' && $ip ne ''){ print""; @@ -1904,7 +1904,8 @@ sub getipforgroup if ($type eq 'Custom Host'){ foreach my $key (keys %customhost) { if ($customhost{$key}[0] eq $name){ - return $customhost{$key}[2]; + my ($ip,$sub) = split("/",$customhost{$key}[2]); + return $ip; } } } diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index da3ec2bed..e3ad37c9d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1073,7 +1073,7 @@ 'fwhost stdnet' => 'Standard networks:', 'fwhost type' => 'Type', 'fwhost used' => 'Used', -'fwhost welcome' => 'Here you can define single Networks, Hosts or Services which can be grouped together. These Networks, Hosts and Groups can then be used in the firewall. You are able to use only a few rules for a big amount of Networks, Hosts or Groups.', +'fwhost welcome' => 'Here you can define single networks, hosts or services which can be grouped together. These networks, hosts and groups can then be used in the firewall. You are able to use only a few rules for a big amount of networks, hosts or groups.', 'fwhost wo subnet' => '(without subnet)', 'free' => 'Free', 'free memory' => 'Free Memory ', From 72586f0ff0bad5d1e9f75ab02dfc3e7595b47ded Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 2 Jul 2013 15:43:44 +0200 Subject: [PATCH 257/306] Forward Firewall: colorize ip addresses when possible in firewall groups. subnetmask now in cidr format --- html/cgi-bin/forwardfw.cgi | 4 ++++ html/cgi-bin/fwhosts.cgi | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) 
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 07109f2c5..58eed95b4 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -817,6 +817,10 @@ sub checkrule } } } + if( $fwdfwsettings{'USE_SRC_PORT'} ne 'ON' && $fwdfwsettings{'USESRV'} ne 'ON'){ + $fwdfwsettings{'PROT'}=''; + $fwdfwsettings{'TGT_PROT'}=''; + } } sub checkcounter { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 753ffbece..c854e9f5c 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1362,7 +1362,7 @@ sub viewtablenet }else{ print< - $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'netmask'}$Lang::tr{'remark'}$Lang::tr{'used'} + $Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'remark'}$Lang::tr{'used'} END } my $count=0; @@ -1376,7 +1376,8 @@ END { print" "; } - print"$customnetwork{$key}[0]".&Header::colorize($customnetwork{$key}[1])."$customnetwork{$key}[2]$customnetwork{$key}[3]$customnetwork{$key}[4]x"; + my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]); + print"$customnetwork{$key}[0]".&Header::colorize($colnet)."$customnetwork{$key}[3]$customnetwork{$key}[4]x"; print< @@ -1511,6 +1512,8 @@ sub viewtablegrp if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ print "$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]"; }else{ + my ($colip,$colsub) = split("/",$ip); + $ip="$colip/".&General::subtocidr($colsub) if ($colsub); print"".&Header::colorize($ip)."$customgrp{$key}[3]"; } if ($delflag > '1' && $ip ne ''){ From fc83b09d437a0137b2c2db6ec07b4bdb8f98b051 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 3 Jul 2013 09:26:39 +0200 Subject: [PATCH 258/306] Forward Firewall: some bugfixes --- html/cgi-bin/forwardfw.cgi | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 58eed95b4..23ab4161c 100755 --- a/html/cgi-bin/forwardfw.cgi 
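Review bot: The block added at the end of checkrule in hunk @@ -817 silently clears `PROT` and `TGT_PROT` whenever neither `USE_SRC_PORT` nor `USESRV` is 'ON', so a rule submitted with a protocol but no port or service loses the protocol without any message. If that is deliberate, a comment should say so, e.g. `# a protocol is only meaningful together with a source port or a service; drop it otherwise`; if it is not, the condition should also test whether `PROT` was actually set. checkrule's body starts outside the hunk.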
+++ b/html/cgi-bin/forwardfw.cgi @@ -47,7 +47,6 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } -unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); } my %fwdfwsettings=(); my %selected=() ; @@ -75,7 +74,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.9a'; +my $VERSION='0.9.9.9'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -262,7 +261,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; - print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]"; } } } @@ -1592,8 +1590,7 @@ END print "" if $ifaces{'GREEN_ADDRESS'}; print "" if $ifaces{'ORANGE_ADDRESS'}; print "" if $ifaces{'BLUE_ADDRESS'}; - print "" if $ifaces{'RED_ADDRESS'}; - + print "
"; @@ -977,7 +998,7 @@ print< - "; #custom networks if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #custom hosts if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #custom groups if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost cust grp'}
"; # CCD networks if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ - print""; } #OVPN CCD Hosts foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){ if ($ccdhost{$key}[33] ne '' ){ - print"" ; + print"" ; } if ($show eq '1'){$show='';print"";} #OVPN N2N foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ - print"" ; + print"" ; } if ($show eq '1'){$show='';print"";} #IPsec netze @@ -1068,11 +1089,11 @@ END } } if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ - print""; + print""; } if ($show eq '1'){$show='';print"";} - print"
$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}:
$Lang::tr{'fwhost ovpn_n2n'}:$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
"; + print""; print"
"; } sub get_ip @@ -1514,7 +1535,7 @@ sub newrule #------SOURCE------------------------------------------------------- print< - $Lang::tr{'fwdfw sourceip'}Firewall + $Lang::tr{'fwdfw sourceip'}Firewall END print"
END &gen_dd_block('src','grp1'); print<
+

+ END print" +
$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw man port'}
$Lang::tr{'fwdfw targetip'}Firewall
$Lang::tr{'fwdfw targetip'}Firewall

END &gen_dd_block('tgt','grp2'); print<
+

- - - + - + + END print""; + print""; $fwdfwsettings{'dnatport'}=~ tr/|/,/; - print""; + print""; print""; #SNAT - print""; + print""; print"
$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwhost cust srvgrp'}
$Lang::tr{'fwhost cust srvgrp'}
$Lang::tr{'fwdfw man port'}
$Lang::tr{'fwdfw man port'}
$Lang::tr{'fwhost icmptype'}
$Lang::tr{'fwdfw use nat'}
$Lang::tr{'fwdfw dnat'}
$Lang::tr{'fwdfw use nat'}
$Lang::tr{'fwdfw dnat'}IPFire:
Port:
Port:

$Lang::tr{'fwdfw snat'}
$Lang::tr{'fwdfw snat'}IPFire:
"; + print""; print"
"; &Header::closebox(); #---Activate/logging/remark------------------------------------- @@ -1711,8 +1732,7 @@ END } } print""; - print"$Lang::tr{'remark'}:"; - #print"$Lang::tr{'remark'}:"; + print"$Lang::tr{'remark'}:"; if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ print "$Lang::tr{'fwdfw rulepos'}:$Lang::tr{'fwdfw timeframe'} -   + $Lang::tr{'fwdfw timeframe'} +   $Lang::tr{'time'}: $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} @@ -1746,15 +1766,13 @@ END - - - - - - - - - + + + + + + +

END #---ACTION------------------------------------------------------ if($fwdfwsettings{'updatefwrule'} ne 'on'){ @@ -1787,9 +1804,10 @@ END -
- -
+ +
+ +
END }else{ print<$title1

"; print""; - print""; + print""; foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); @@ -2158,7 +2176,7 @@ sub viewtablenew print""; #KEY print<$key   + END #RULETYPE (A,R,D) if ($$hash{$key}[0] eq 'ACCEPT'){ @@ -2232,12 +2250,11 @@ END #LOGGING print< -
-
+ END #TARGET &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost); @@ -2287,51 +2304,45 @@ END $gif="/images/off.gif" } print< - - - + - - + - - + + END if (exists $$hash{$key-1}){ print< - + END }else{ print""; } if (exists $$hash{$key+1}){ print< - + END }else{ print""; @@ -2339,7 +2350,7 @@ END #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){ print""; - print""; + print""; } if ($$hash{$key}[18] eq 'ON'){ #TIMEFRAME @@ -2355,7 +2366,7 @@ END my $weekdays=join(",",@days); if (@days){ print""; - print""; + print""; } } } From 2e99ab8bf8a1dc79d1c411281bd82a19acf1c9dc Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 12 Jul 2013 08:01:01 +0200 Subject: [PATCH 281/306] Forward Firewall: added some javascript to automatically select radiobuttons when dropdowns are changed --- html/cgi-bin/fwhosts.cgi | 94 +++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 39 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 73dabaadb..d7a519a37 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -80,6 +80,24 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } &Header::openpage($Lang::tr{'fwhost hosts'}, 1, ''); &Header::openbigbox('100%', 'center'); +#### JAVA SCRIPT #### +print< + \$(document).ready(function() { + // Automatically select radio buttons when corresponding + // dropdown menu changes. + \$("select").change(function() { + var id = \$(this).attr("name"); + //When using SNAT or DNAT, check "USE NAT" Checkbox + if ( id === 'snat' || id === 'dnat') { + \$('#USE_NAT').prop('checked', true); + } + \$('#' + id).prop("checked", true); + }); + }); + +END + ## ACTION #### if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) { @@ -373,8 +391,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } &addnet; &viewtablenet; - }else - { + }else { &addnet; &viewtablenet; } 
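Review bot: The jQuery block added to fwhosts.cgi in hunk @@ -80 carries a branch for selects named `snat`/`dnat` that ticks `#USE_NAT`; that looks copied from the rule editor, and unless fwhosts.cgi renders selects with those names it is dead code that will confuse the next reader. Either drop those two lines together with their comment, or state why they are needed here, e.g. `// no NAT controls on this page; kept identical to forwardfw.cgi on purpose`. Since `\$('#' + id)` is built from each select's name attribute, a one-line comment that every select on the page is expected to have a radio button with a matching id would also help.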
@@ -1066,10 +1083,10 @@ sub showmenu &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); print "$Lang::tr{'fwhost welcome'}"; print<
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'fwdfw action'}
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'fwdfw action'}
$key   + - +
-
+
-
+
-
+
-
+
-
+
-
   $$hash{$key}[16]
   $$hash{$key}[16]
   $weekdays   $$hash{$key}[26] - $$hash{$key}[27]
   $weekdays   $$hash{$key}[26] - $$hash{$key}[27]
- - -

+

+ + +

END &Header::closebox(); @@ -1083,20 +1100,20 @@ sub addnet $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; print<
- $Lang::tr{'name'}: + + - + END if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') { - print ""; }else{ print "
$Lang::tr{'name'}:
$Lang::tr{'fwhost netaddress'}:
$Lang::tr{'netmask'}:
$Lang::tr{'remark'}:




"; + print ""; } - print "
"; + print "
"; &Header::closebox(); } sub addhost @@ -1107,11 +1124,11 @@ sub addhost $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; print<
- $Lang::tr{'name'}: + + - + END if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') @@ -1119,9 +1136,9 @@ END print "
$Lang::tr{'name'}:
IP/MAC:
$Lang::tr{'remark'}:


"; }else{ - print " "; + print " "; } - print "
"; + print "
"; &Header::closebox(); } sub addgrp @@ -1147,8 +1164,8 @@ sub addgrp my $rem=$fwhostsettings{'remark'}; if ($fwhostsettings{'update'} eq ''){ print<
- $Lang::tr{'fwhost addgrpname'} + +
$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'remark'}:


END @@ -1166,7 +1183,7 @@ END
- "; if (! -z $confignet){ - print""; } if (! -z $confighost){ - print" + END } my $count=0; @@ -1385,7 +1402,7 @@ END print" "; } my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]); - print""; + print""; print< @@ -1399,7 +1416,7 @@ END { print""; }else{ - print""; + print""; } $count++; } @@ -1419,7 +1436,7 @@ sub viewtablehost }else{ print< - + END } my $count=0; @@ -1430,15 +1447,15 @@ END else{ print" ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); $customhost{$key}[4]=~s/\s+//g; - print""; + print""; print< + + END if($customhost{$key}[4] == '0') { @@ -1490,8 +1507,8 @@ sub viewtablegrp if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};} $grpname=$customgrp{$key}[0]; $remark="$customgrp{$key}[1]"; - if($count >=2){print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust addr'}"; #OVPN networks if (! -z $configccdnet){ - print"
$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost ccdnet'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost ovpn_n2n'}$Lang::tr{'fwhost ipsec net'}$Lang::tr{'fwhost ipsec net'}"; - print"
"; + print"
"; &Header::closebox(); } sub addservice @@ -1370,7 +1387,7 @@ sub viewtablenet }else{ print< -
$Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'remark'}$Lang::tr{'used'}
$Lang::tr{'name'}$Lang::tr{'fwhost netaddress'}$Lang::tr{'remark'}$Lang::tr{'used'}
$customnetwork{$key}[0]
".&Header::colorize($colnet)."$customnetwork{$key}[3]$customnetwork{$key}[4]x$customnetwork{$key}[0]".&Header::colorize($colnet)."$customnetwork{$key}[3]$customnetwork{$key}[4]x
$Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'remark'}$Lang::tr{'used'}
$Lang::tr{'name'}$Lang::tr{'fwhost ip_mac'}$Lang::tr{'remark'}$Lang::tr{'used'}
$customhost{$key}[0]
".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x -
";} - print "
$grpname    "; + if($count gt 2){ print"
";} + print "
$grpname   "; print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); print "$Lang::tr{'used'}: $customgrp{$key}[4]x"; if($customgrp{$key}[4] == '0') @@ -1548,7 +1565,7 @@ sub viewtableservice &General::readhasharray("$configsrv", \%customservice); print< - $Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'} + $Lang::tr{'fwhost srv_name'}$Lang::tr{'fwhost prot'}$Lang::tr{'fwhost port'}ICMP$Lang::tr{'fwhost used'} END foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice) { @@ -1614,9 +1631,9 @@ sub viewtableservicegrp } $remark="$customservicegrp{$key}[1]"; if($count >=2){print"";} - print "
$grpname     "; - print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); - print "  $Lang::tr{'used'}: $customservicegrp{$key}[3]x"; + print "
$grpname    "; + print "$Lang::tr{'remark'}:  $remark " if ($remark ne ''); + print "  $Lang::tr{'used'}: $customservicegrp{$key}[3]x"; if($customservicegrp{$key}[3] == '0') { print"
"; @@ -1676,7 +1693,6 @@ sub checkip } sub checksubnet { - my %hash=%{(shift)}; &General::readhasharray("$confignet", \%hash); foreach my $key (keys %hash) { From 34f30c5f926e1ca90451cc42d72af230f66406ea Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 12 Jul 2013 11:05:57 +0200 Subject: [PATCH 282/306] Forward Firewall: set default options for optionsfw and minor change on optionsfw.cgi --- html/cgi-bin/optionsfw.cgi | 32 ++++---------------------------- lfs/configroot | 2 ++ 2 files changed, 6 insertions(+), 28 deletions(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 61441e470..73a2f59a6 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -22,10 +22,6 @@ require "${General::swroot}/header.pl"; my %checked =(); # Checkbox manipulations - -# File used -my $filename = "${General::swroot}/optionsfw/settings"; - our %settings=(); my %fwdfwsettings=(); my %configfwdfw=(); 
@@ -33,37 +29,18 @@ my %configoutgoingfw=(); my $configfwdfw = "${General::swroot}/forward/config"; my $configoutgoing = "${General::swroot}/forward/outgoing"; - -$settings{'DISABLEPING'} = 'NO'; -$settings{'DROPNEWNOTSYN'} = 'on'; -$settings{'DROPINPUT'} = 'on'; -$settings{'DROPFORWARD'} = 'on'; -$settings{'DROPOUTGOING'} = 'on'; -$settings{'DROPPORTSCAN'} = 'on'; -$settings{'DROPWIRELESSINPUT'} = 'on'; -$settings{'DROPWIRELESSFORWARD'} = 'on'; -$settings{'SHOWCOLORS'} = 'off'; -$settings{'SHOWREMARK'} = 'on'; -$settings{'SHOWTABLES'} = 'on'; -$settings{'SHOWDROPDOWN'} = 'off'; - my $errormessage = ''; my $warnmessage = ''; +my $filename = "${General::swroot}/optionsfw/settings"; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &Header::showhttpheaders(); #Get GUI values &Header::getcgihash(\%settings); -&General::readhash("${General::swroot}/optionsfw/settings", \%settings); - - if ($settings{'ACTION'} eq $Lang::tr{'save'}) { if ($settings{'defpol'} ne '1'){ - $errormessage = $Lang::tr{'new optionsfw later'}; - delete $settings{'__CGI__'}; - delete $settings{'x'}; - delete $settings{'y'}; + $errormessage .= $Lang::tr{'new optionsfw later'}; &General::writehash($filename, \%settings); # Save good settings system("/usr/local/bin/forwardfwctrl"); }else{ @@ -82,13 +59,12 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); system("/usr/local/bin/forwardfwctrl"); } - }else { - &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed + &General::readhash($filename, \%settings); # Load good settings } &Header::openpage($Lang::tr{'options fw'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); - +&General::readhash($filename, \%settings); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); print "$errormessage "; diff --git a/lfs/configroot b/lfs/configroot index 4268f1502..341b14632 100644 
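Review bot: In hunk @@ -33 the visible save path now passes `%settings` straight from `&Header::getcgihash` to `&General::writehash($filename, \%settings)`; the three `delete` lines that used to strip `__CGI__`, `x` and `y` are gone, so those request-only keys presumably end up in the settings file unless writehash filters them (not visible here). Restoring `delete @settings{qw(__CGI__ x y)};` before the write keeps the file to real options. Because the `readhash` that merged the saved settings into `%settings` before the `if` was also removed, a save now writes only the keys present in the submitted form, so any option the page does not render is dropped from the file; if that is intended it deserves a comment on the writehash line.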
--- a/lfs/configroot +++ b/lfs/configroot @@ -129,6 +129,8 @@ $(TARGET) : echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSINPUT=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSFORWARD=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings From cb051c577c4da9f42c0235383f2455c020bcab51 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 12 Jul 2013 11:40:04 +0200 Subject: [PATCH 283/306] Forward Firewall: language fixes on last rule in ruletable --- html/cgi-bin/forwardfw.cgi | 63 ++++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0ab744392..3b0527292 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2387,12 +2387,13 @@ END my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $col="bgcolor='darkred'"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}"; }else{ $col="bgcolor='green'"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; } - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{$pol}"; }else{ - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw MODE1'}"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; } print""; print "
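Review bot: The defaults written here set `DROPWIRELESSINPUT=off` and `DROPWIRELESSFORWARD=off`, while the in-code defaults removed from optionsfw.cgi in the same commit had both at 'on', so the shipped default flips from dropping to not dropping for these two options. If the relaxation is intended the commit message should state it; otherwise these two echo lines should write `on`. Whether anything else depends on these defaults cannot be told from the hunk.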
"; @@ -2416,12 +2417,13 @@ END my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $col="bgcolor='darkred'"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; }else{ $col="bgcolor='green'"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}"; } - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{$pol}"; }else{ - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw MODE1'}"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; } print"

"; } @@ -2435,30 +2437,31 @@ sub show_defaultrules my $col=shift; my $pol=shift; #STANDARD RULES (From WIKI) - print"
"; - print ""; - if ($col eq "bgcolor='green'"){ - my $blue = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used()); - my $orange = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used()); - my $blue1 = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used()); - my $orange1 = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used()); - print""; - print"" if (&Header::orange_used()); - print"" if (&Header::blue_used()); - print""; - if (&Header::orange_used()){ - print""; - print"" if (&Header::blue_used()); - print""; - } - if (&Header::blue_used()){ - print""; - print"" if (&Header::orange_used()); - print""; - print""; - } - print""; - }elsif($col eq "bgcolor='darkred'"){ - print""; - } + print"
$Lang::tr{'green'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange1$blue1
$Lang::tr{'orange'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})$blue
$Lang::tr{'blue'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})
$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw pol allow'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{$pol}
"; + if ($col eq "bgcolor='green'"){ + print "
"; + my $blue = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used()); + my $orange = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used()); + my $blue1 = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used()); + my $orange1 = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used()); + print""; + print"" if (&Header::orange_used()); + print"" if (&Header::blue_used()); + print""; + if (&Header::orange_used()){ + print""; + print"" if (&Header::blue_used()); + print""; + } + if (&Header::blue_used()){ + print""; + print"" if (&Header::orange_used()); + print""; + print""; + } + print""; + }elsif($col eq "bgcolor='darkred'"){ + print "
$Lang::tr{'green'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange1$blue1
$Lang::tr{'orange'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})$blue
$Lang::tr{'blue'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})
$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw pol allow'}
"; + print""; + } } From 4affc3e88997fd395f7b9be00b2cc51539d19122 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 12 Jul 2013 13:30:14 +0200 Subject: [PATCH 284/306] Forward Firewall: show default rule when input is empty --- html/cgi-bin/forwardfw.cgi | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 3b0527292..ccc05d750 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -64,7 +64,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.11'; +my $VERSION='0.9.9.12'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; @@ -2373,6 +2373,7 @@ END print""; } print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
"; + #SHOW FINAL RULE print ""; my $col; if ($config eq '/var/ipfire/forward/config'){ @@ -2423,7 +2424,8 @@ END print""; } }else{ - print""; + print "
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
"; + print""; } print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}


"; } From 357b3fe80df5e54fd327ebb543fd56de859f0c4b Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 18 Jul 2013 13:15:10 +0200 Subject: [PATCH 285/306] Forward Firewall: renamed IPFire to Firewall in SNAT area --- html/cgi-bin/forwardfw.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index ccc05d750..09d600e4b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1677,7 +1677,7 @@ END $Lang::tr{'fwdfw use nat'} $Lang::tr{'fwdfw dnat'} END - print"IPFire: "; print ""; print ""; foreach my $alias (sort keys %aliases) @@ -1690,7 +1690,7 @@ END print"
"; #SNAT print"$Lang::tr{'fwdfw snat'}"; - print"IPFire: "; foreach my $alias (sort keys %aliases) { print ""; From 6143bc300e2d83a7ed9b7c6a1d8bf019d62a8ae1 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 24 Jul 2013 08:06:24 +0200 Subject: [PATCH 286/306] Forward FIrewall: BUGFIX: when setting outgoing to blocked and creating a rule, the last rule changes to "accept" --- html/cgi-bin/forwardfw.cgi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 09d600e4b..fd00c156d 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2385,15 +2385,15 @@ END } &show_defaultrules($col,$pol); }elsif ($config eq '/var/ipfire/forward/outgoing'){ - my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $col="bgcolor='darkred'"; - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; }else{ $col="bgcolor='green'"; - print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; + print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}"; } }else{ + print"uzlputz daneben"; print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}"; } print""; From 653a71b9514dc8a88e7d2247d1d709245afe748c Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 25 Jul 2013 07:33:20 +0200 Subject: [PATCH 287/306] Forward FIrewall: Bugfix: When using predefined services in rulecreation, the rule was not applied. Bugfix: when in rulecreationpage and pressing "back" the site gets white. --- config/forwardfw/rules.pl | 4 ++-- html/cgi-bin/forwardfw.cgi | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 6a91ddf57..9f23c54e0 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
@@ -575,7 +575,7 @@ sub get_port
 return "--dport $$hash{$key}[15] ";
 }else{
 $$hash{$key}[15] =~ s/\:/-/g;
- return ":$$hash{$key}[15]";
+ return ":$$hash{$key}[15]";
 }
 }
 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
@@ -585,7 +585,7 @@ sub get_port
 }
 }elsif($$hash{$key}[14] eq 'cust_srv'){
 if ($prot ne 'ICMP'){
- if($$hash{$key}[31] eq 'dnat'){
+ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
 }else{
 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index fd00c156d..cda2b8c51 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -378,7 +378,7 @@ if ($fwdfwsettings{'ACTION'} eq 'copyrule')
 $fwdfwsettings{'copyfwrule'}='on';
 &newrule;
 }
-if ($fwdfwsettings{'ACTION'} eq '')
+if ($fwdfwsettings{'ACTION'} eq '' or $fwdfwsettings{'ACTION'} eq 'reset')
 {
 &base;
 }
@@ -2393,7 +2393,6 @@ END
 print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}";
 }
 }else{
- print"uzlputz daneben";
 print"$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}";
 }
 print"";
From 93c2de1c663566438a15cfeae0c03028201b8690 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 25 Jul 2013 10:36:36 +0200 Subject: [PATCH 288/306] Forward Firewall: Bugfix: ICMP rules where applied double --- config/forwardfw/rules.pl | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 9f23c54e0..07f3abd1e 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
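Review bot: The tightened test in get_port at @@ -585, `if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON')`, relies on bare rule-record indexes that the reader has to decode, and the same two fields are tested again in buildrules; a comment on the line would help, e.g. `# [28] presumably the NAT on/off flag, [31] the NAT kind ('dnat'/'snat') -- confirm against the rule-file layout`. The @@ -575 hunk changes indentation only and could be left out of a bugfix commit. get_port's body starts and ends outside these hunks.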
@@ -297,7 +297,9 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ if ($PROT ne '-p ICMP'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
 }
 }
 }
@@ -314,6 +316,7 @@ sub buildrules
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ #Process ICMP RULE
 if(substr($DPORT, 2, 4) eq 'icmp'){
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
@@ -322,6 +325,7 @@ sub buildrules
 }
 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
 }
+ #PROCESS DNAT RULE (Portforward)
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
@@ -342,6 +346,7 @@ sub buildrules
 }
 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
+ #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
@@ -349,7 +354,10 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+ if ($PROT ne '-p ICMP'){
+ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
 }
 }
 }
From 43215686ce938ebacf037d14edba46817cf470c2 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 30 Jul 2013 12:32:25 +0200 Subject: [PATCH 289/306] Forward Firewall: changed rule coloring. Now whole field is colored instead of just borders. Back Button in firewall groups /hostgroups showed a white site --- html/cgi-bin/forwardfw.cgi | 36 ++++++++++++++++++------------------ html/cgi-bin/fwhosts.cgi | 8 +++++++- 2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index cda2b8c51..427d4a131 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -64,7 +64,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.12'; +my $VERSION='0.9.9.13'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts";
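Review bot: The guard `if ($PROT ne '-p ICMP')` added at @@ -349 (and at @@ -297 for the print path) decides "this is an ICMP rule" by the protocol string, whereas the ICMP branch at @@ -314 is entered by `substr($DPORT, 2, 4) eq 'icmp'`; a rule whose `$PROT` is '-p ICMP' but whose `$DPORT` does not start with `--icmp` (the 'All ICMP-Types' case handled in get_port looks like such a rule) would now match neither branch and be emitted nowhere. Deriving one predicate, e.g. `my $is_icmp = ($PROT eq '-p ICMP');`, and using it both to enter the ICMP branch and to skip the generic fallback keeps the two tests from drifting apart. Separately, the new line keeps the one-string form `system "iptables -A ... $DPORT ..."`, which goes through a shell whenever a rule field read from the config file contains shell metacharacters; the list form `system('iptables', '-A', $$hash{$key}[1], ...)` avoids that, at the cost of building the option fragments as lists. buildrules starts and ends outside the hunk.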
@@ -1250,36 +1250,36 @@ sub getcolor
 if($optionsfw{'SHOWCOLORS'} eq 'on'){
 #standard networks
 if ($val eq 'GREEN'){
- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ $tdcolor="style='background-color: $Header::colourgreen;color:white;'";
 return;
 }elsif ($val eq 'ORANGE'){
- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+ $tdcolor="style='background-color: $Header::colourorange;color:white;'";
 return;
 }elsif ($val eq 'BLUE'){
- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ $tdcolor="style='background-color: $Header::colourblue;color:white;'";
 return;
 }elsif ($val eq 'RED' ||$val eq 'RED1' ){
- $tdcolor="style='border: 1px solid $Header::colourred;'";
+ $tdcolor="style='background-color: $Header::colourred;color:white;'";
 return;
 }elsif ($val eq 'IPFire' ){
- $tdcolor="style='border: 1px solid $Header::colourred;'";
+ $tdcolor="style='background-color: $Header::colourred;color:white;'";
 return;
 }elsif($val =~ /^(.*?)\/(.*?)$/){
 my ($sip,$scidr) = split ("/",$val);
 if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+ $tdcolor="style='background-color: $Header::colourorange;color:white;'";
 return;
 }
 if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ $tdcolor="style='background-color: $Header::colourgreen;color:white;'";
 return;
 }
 if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ $tdcolor="style='background-color: $Header::colourblue;color:white;'";
 return;
 }
 }elsif ($val eq 'Default IP'){
- $tdcolor="style='border: 1px solid $Header::colourred;'";
+ $tdcolor="style='background-color: $Header::colourred;color:white;'";
 return;
 }
 #Check if a manual IP is part of a VPN
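Review bot: Every branch of getcolor in hunk @@ -1250 (and in the follow-on hunks @@ -1288 through @@ -1349) now repeats the same literal `"style='background-color: $Header::colourX;color:white;'"`, and the @@ -1349 copy already diverges (`background-color:$Header::colourred`, no space after the colon). A small helper, `sub _bgstyle { my ($colour) = @_; return "style='background-color: $colour;color:white;'"; }`, with each branch reduced to `$tdcolor = _bgstyle($Header::colourgreen);`, keeps the twenty assignments from drifting again. getcolor's body continues beyond the hunk.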
@@ -1288,7 +1288,7 @@ sub getcolor my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); my ($c,$d) = split("/",$val); if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } #Check if IP is part of OpenVPN static subnet @@ -1296,7 +1296,7 @@ sub getcolor my ($a,$b) = split("/",$ccdnet{$key}[1]); $b =&General::iporsubtodec($b); if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } } @@ -1305,7 +1305,7 @@ sub getcolor if ($ccdhost{$key}[3] eq 'net'){ my ($a,$b) = split("/",$ccdhost{$key}[11]); if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } } @@ -1315,7 +1315,7 @@ sub getcolor my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); $b=&General::iporsubtodec($b); if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } } 
@@ -1323,18 +1323,18 @@ sub getcolor foreach my $key (sort keys %ipsecconf){ my ($a,$b) = split("/",$ipsecconf{$key}[11]); if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } } } #VPN networks if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ - $tdcolor="style='border: 1px solid $Header::colourovpn;'"; + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ - $tdcolor="style='border: 1px solid $Header::colourvpn;'"; + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } #custom Hosts @@ -1349,7 +1349,7 @@ sub getcolor foreach my $alias (sort keys %aliases) { if ($val eq $alias){ - $tdcolor="style='border: 1px solid $Header::colourred;'"; + $tdcolor="style='background-color:$Header::colourred;color:white;'"; return; } } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index d7a519a37..065d19541 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -846,6 +846,12 @@ if ($fwhostsettings{'ACTION'} eq 'resethost') $fwhostsettings{'type'} =""; &showmenu; } +if ($fwhostsettings{'ACTION'} eq 'resetgrp') +{ + $fwhostsettings{'grp_name'} =""; + $fwhostsettings{'remark'} =""; + &showmenu; +} # delete if ($fwhostsettings{'ACTION'} eq 'delnet') { @@ -1261,7 +1267,7 @@ END print"
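Review bot: The aliases branch `$tdcolor="style='background-color:$Header::colourred;color:white;'";` drops the space after `background-color:` that every other branch in getcolor keeps, which is harmless to the browser but shows that the same style string is now hand-copied into roughly twenty branches. A small helper, e.g. `sub colorstyle { my ($c) = @_; return "style='background-color: $c;color:white;'"; }` used as `$tdcolor = colorstyle($Header::colourred);`, would reduce each branch to the subnet logic that actually differs and make the next styling change a one-line edit. The interpolated values appear to be the `$Header::colour*` constants only, so nothing user-controlled reaches the attribute here. getcolor starts before this hunk.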

$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}

"; } print""; - print"
"; + print"
"; &Header::closebox(); } sub addservice From ab4fe66fc95d7e048e44accf5d7750d8bbf03555 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 31 Jul 2013 08:28:29 +0200 Subject: [PATCH 290/306] Forward Firewall: Network addresses are now allowed as source and the ip addressfield has now size 18. --- html/cgi-bin/forwardfw.cgi | 14 +++++--------- langs/de/cgi-bin/de.pl | 1 - langs/en/cgi-bin/en.pl | 1 - 3 files changed, 5 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 427d4a131..bd8cea8ed 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -433,7 +433,9 @@ sub checksource } if ($fwdfwsettings{'isip'} ne 'on'){ - if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';} + if (&General::validmac($fwdfwsettings{'src_addr'})){ + $fwdfwsettings{'ismac'}='on'; + } } if ($fwdfwsettings{'isip'} eq 'on'){ ##check if ip is valid @@ -445,12 +447,6 @@ sub checksource $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); #check if net or broadcast - my @tmp= split (/\./,$ip); - if (($tmp[3] eq "0") || ($tmp[3] eq "255")) - { - $errormessage=$Lang::tr{'fwhost err hostip'}."
"; - return $errormessage; - } $fwdfwsettings{'src_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; @@ -1535,7 +1531,7 @@ sub newrule #------SOURCE------------------------------------------------------- print< - $Lang::tr{'fwdfw sourceip'}Firewall + $Lang::tr{'fwdfw sourceip'}Firewall END print"$Lang::tr{'fwdfw targetip'}Firewall + $Lang::tr{'fwdfw targetip'}Firewall END print"";} print""; print""; - print"

$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}

"; + print"


"; } print""; print"
"; From 776a1761d0ec5cb1d28e8a546bc6af818892183a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 5 Aug 2013 09:32:46 +0200 Subject: [PATCH 294/306] general-functions.pl: Fix overwritten substitutions. --- config/cfgroot/general-functions.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index c57de1996..c592d5d0c 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -21,8 +21,8 @@ use Net::SSLeay; use Net::IPv4Addr qw(:all); $|=1; # line buffering -$General::version = '2.11'; -$General::swroot = '/var/ipfire'; +$General::version = 'VERSION'; +$General::swroot = 'CONFIG_ROOT'; $General::noipprefix = 'noipg-'; $General::adminmanualurl = 'http://wiki.ipfire.org'; From 34aa915f08448c558311a630150c17283d7fe2ad Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 9 Aug 2013 14:50:50 +0200 Subject: [PATCH 295/306] Update translations. --- doc/language_issues.de | 2 +- doc/language_issues.en | 40 +--------------------------------------- doc/language_issues.es | 2 -- doc/language_issues.fr | 2 -- doc/language_issues.nl | 2 -- doc/language_issues.pl | 2 -- doc/language_issues.ru | 2 -- doc/language_issues.tr | 2 -- doc/language_missings | 37 ------------------------------------- 9 files changed, 2 insertions(+), 89 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 8f23c51be..9f48b8b91 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -207,6 +207,7 @@ WARNING: translation string unused: fwdfw std network WARNING: translation string unused: fwdfw till WARNING: translation string unused: fwdfw time WARNING: translation string unused: fwhost addrule +WARNING: translation string unused: fwhost attention WARNING: translation string unused: fwhost blue WARNING: translation string unused: fwhost changeremark WARNING: translation string unused: fwhost err addrgrp 
@@ -563,7 +564,6 @@ WARNING: untranslated string: bytes WARNING: untranslated string: community rules WARNING: untranslated string: emerging rules WARNING: untranslated string: fwhost err hostip -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: qos add subclass diff --git a/doc/language_issues.en b/doc/language_issues.en index 935020816..328376f35 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -230,6 +230,7 @@ WARNING: translation string unused: fwdfw std network WARNING: translation string unused: fwdfw till WARNING: translation string unused: fwdfw time WARNING: translation string unused: fwhost addrule +WARNING: translation string unused: fwhost attention WARNING: translation string unused: fwhost blue WARNING: translation string unused: fwhost changeremark WARNING: translation string unused: fwhost err addrgrp 
@@ -595,50 +596,11 @@ WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes -WARNING: untranslated string: dnsforward -WARNING: untranslated string: dnsforward add a new entry -WARNING: untranslated string: dnsforward configuration -WARNING: untranslated string: dnsforward edit an entry -WARNING: untranslated string: dnsforward entries -WARNING: untranslated string: dnsforward forward_server -WARNING: untranslated string: dnsforward zone -WARNING: untranslated string: emerging rules WARNING: untranslated string: fwhost err hostip -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: wlan client -WARNING: untranslated string: wlan client advanced settings -WARNING: untranslated string: wlan client and -WARNING: untranslated string: wlan client bssid -WARNING: untranslated string: wlan client ccmp -WARNING: untranslated string: wlan client configuration -WARNING: untranslated string: wlan client disconnected -WARNING: untranslated string: wlan client duplicate ssid -WARNING: untranslated string: wlan client edit entry -WARNING: untranslated string: wlan client encryption -WARNING: untranslated string: wlan client encryption none -WARNING: untranslated string: wlan client encryption wep -WARNING: untranslated string: wlan client encryption wpa -WARNING: untranslated string: wlan client encryption wpa2 -WARNING: untranslated string: wlan client group cipher -WARNING: untranslated string: wlan client group key algorithm -WARNING: untranslated string: wlan client invalid key length -WARNING: untranslated string: wlan 
client new entry -WARNING: untranslated string: wlan client new network -WARNING: untranslated string: wlan client pairwise cipher -WARNING: untranslated string: wlan client pairwise key algorithm -WARNING: untranslated string: wlan client pairwise key group key -WARNING: untranslated string: wlan client psk -WARNING: untranslated string: wlan client ssid -WARNING: untranslated string: wlan client tkip -WARNING: untranslated string: wlan client wpa mode -WARNING: untranslated string: wlan client wpa mode all -WARNING: untranslated string: wlan client wpa mode ccmp ccmp -WARNING: untranslated string: wlan client wpa mode ccmp tkip -WARNING: untranslated string: wlan client wpa mode tkip tkip WARNING: untranslated string: wlanap country diff --git a/doc/language_issues.es b/doc/language_issues.es index 7669f8bfc..22aa89623 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -699,7 +699,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -741,7 +740,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_issues.fr b/doc/language_issues.fr index bab4e21fb..d7de30720 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -702,7 +702,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -744,7 +743,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 4848c2a5b..b94c15034 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -648,7 +648,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -690,7 +689,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 7669f8bfc..22aa89623 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -699,7 +699,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -741,7 +740,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 42514e7d2..f9d8d8ed2 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -685,7 +685,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -727,7 +726,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_issues.tr b/doc/language_issues.tr index ab20a3c80..fe2c61759 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -645,7 +645,6 @@ WARNING: untranslated string: fwhost addnet WARNING: untranslated string: fwhost addservice WARNING: untranslated string: fwhost addservicegrp WARNING: untranslated string: fwhost any -WARNING: untranslated string: fwhost attention WARNING: untranslated string: fwhost back WARNING: untranslated string: fwhost ccdhost WARNING: untranslated string: fwhost ccdnet @@ -687,7 +686,6 @@ WARNING: untranslated string: fwhost hosts WARNING: untranslated string: fwhost icmptype WARNING: untranslated string: fwhost ip_mac WARNING: untranslated string: fwhost ipsec net -WARNING: untranslated string: fwhost macwarn WARNING: untranslated string: fwhost menu WARNING: untranslated string: fwhost netaddress WARNING: untranslated string: fwhost newgrp diff --git a/doc/language_missings b/doc/language_missings index 3fcfcf4ec..512b2ca70 100644 --- a/doc/language_missings +++ b/doc/language_missings 
@@ -5,44 +5,7 @@ # Checking cgi-bin translations for language: en # ############################################################################ < ccd maxclients -< dnsforward -< dnsforward add a new entry -< dnsforward configuration -< dnsforward edit an entry -< dnsforward entries -< dnsforward forward_server -< dnsforward zone < wlanap country -< wlan client -< wlan client advanced settings -< wlan client and -< wlan client bssid -< wlan client ccmp -< wlan client configuration -< wlan client disconnected -< wlan client duplicate ssid -< wlan client edit entry -< wlan client encryption -< wlan client encryption none -< wlan client encryption wep -< wlan client encryption wpa -< wlan client encryption wpa2 -< wlan client group cipher -< wlan client group key algorithm -< wlan client invalid key length -< wlan client new entry -< wlan client new network -< wlan client pairwise cipher -< wlan client pairwise key algorithm -< wlan client pairwise key group key -< wlan client psk -< wlan client ssid -< wlan client tkip -< wlan client wpa mode -< wlan client wpa mode all -< wlan client wpa mode ccmp ccmp -< wlan client wpa mode ccmp tkip -< wlan client wpa mode tkip tkip ############################################################################ # Checking install/setup translations for language: fr # ############################################################################ From f78d627af390360e60e9878c274bf7ef1855ef71 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 12 Aug 2013 14:39:34 +0200 Subject: [PATCH 296/306] Firewall: Fix spelling of service names in custom services. --- config/fwhosts/customservices | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices index 0e3d6de47..07dd3d2b7 100644 --- a/config/fwhosts/customservices +++ b/config/fwhosts/customservices 
@@ -1,32 +1,32 @@ -32,Rsync,873,TCP,BLANK,0 +32,rsync,873,TCP,BLANK,0 21,IMAPS,993,TCP,BLANK,0 7,WINS,42,TCP,BLANK,0 -26,Lpd,515,TCP,BLANK,0 +26,LPD,515,TCP,BLANK,0 17,IRC,194,TCP,BLANK,0 2,FTP-control,21,TCP,BLANK,0 1,FTP-data,20,TCP,BLANK,0 18,HTTPS,443,TCP,BLANK,0 -30,Nfs,2049,TCP,BLANK,0 +30,NFS,2049,TCP,BLANK,0 16,SNMP,161,UDP,BLANK,0 -25,Ipp (udp),631,UDP,BLANK,0 +25,IPP (UDP),631,UDP,BLANK,0 27,JetDirect,9100,TCP,BLANK,0 -28,Ldap,389,TCP,BLANK,0 -14,NetBIOS Sessionservice,139,TCP,BLANK,0 +28,LDAP,389,TCP,BLANK,0 +14,NetBIOS Session Service,139,TCP,BLANK,0 20,FTPS control,990,TCP,BLANK,0 -24,Ipp (tcp),631,TCP,BLANK,0 +24,IPP (TCP),631,TCP,BLANK,0 10,SFTP,115,TCP,BLANK,0 31,Radius,1812,TCP,BLANK,0 11,NTP,123,UDP,BLANK,0 22,POP3S,995,TCP,BLANK,0 -13,NetBIOS Datagramservice,138,TCP,BLANK,0 +13,NetBIOS Datagram Service,138,TCP,BLANK,0 23,RDP,3389,TCP,BLANK,0 -29,Ldaps,636,TCP,BLANK,0 -6,TIME,37,TCP,BLANK,0 +29,LDAPS,636,TCP,BLANK,0 +6,Time,37,TCP,BLANK,0 3,SSH,22,TCP,BLANK,0 9,POP3,110,TCP,BLANK,0 -12,NetBIOS nameservice,137,TCP,BLANK,0 +12,NetBIOS Name Service,137,TCP,BLANK,0 15,IMAP,143,TCP,BLANK,0 8,HTTP,80,TCP,BLANK,0 -4,TELNET,23,UDP,BLANK,0 +4,Telnet,23,UDP,BLANK,0 19,FTPS data,989,TCP,BLANK,0 5,SMTP,25,TCP,BLANK,0 From 8c60701a4f856689e5bfae2ff2b6c5b7c0f0fdad Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 12 Aug 2013 14:42:16 +0200 Subject: [PATCH 297/306] forwardctrl: Remove unused and possibly dangerous flush option. Also remove unused header files. --- src/misc-progs/forwardfwctrl.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/src/misc-progs/forwardfwctrl.c b/src/misc-progs/forwardfwctrl.c index a02b462ba..797d27ac5 100644 --- a/src/misc-progs/forwardfwctrl.c +++ b/src/misc-progs/forwardfwctrl.c 
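Review bot: `4,Telnet,23,UDP,BLANK,0` fixes only the capitalisation and keeps the protocol as UDP, but Telnet is a TCP service on port 23, so a rule built from this predefined service will neither match nor block real Telnet sessions; the entry should read `4,Telnet,23,TCP,BLANK,0`. `31,Radius,1812,TCP,BLANK,0` looks like the opposite case, since RADIUS authentication is normally carried over UDP/1812, and `10,SFTP,115,TCP,BLANK,0` is the historical Simple File Transfer Protocol rather than SSH file transfer, which users will almost certainly expect from that name. Because this file seeds the firewall's service list, a wrong protocol is a silent policy gap rather than a cosmetic issue, so a pass over the remaining entries against /etc/services would be worthwhile while the names are being touched.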
@@ -5,23 +5,12 @@ * */ -#include -#include -#include -#include -#include -#include #include "setuid.h" int main(int argc, char *argv[]) { - if (!(initsetuid())) exit(1); - if(argc > 1) - safe_system("/var/ipfire/forward/bin/rules.pl flush"); - else - safe_system("/var/ipfire/forward/bin/rules.pl"); - + safe_system("/var/ipfire/forward/bin/rules.pl"); return 0; } From 3027c6bb963cc8f736aca51bc99391bbd00c677f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 12 Aug 2013 14:45:07 +0200 Subject: [PATCH 298/306] initscripts: Reset links that reload the firewall after RED connected. --- config/rootfiles/common/armv5tel/initscripts | 3 +-- config/rootfiles/common/i586/initscripts | 8 ++++---- lfs/initscripts | 8 ++++---- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 1f2d9fc0f..1b8fbda00 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -81,10 +81,9 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall -etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl +etc/rc.d/init.d/networking/red.up/22-forwardfwctrl etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos -etc/rc.d/init.d/networking/red.up/26-xtaccess etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 7deeef132..ca47f807c 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
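Review bot: The result of `safe_system("/var/ipfire/forward/bin/rules.pl");` is discarded and main always returns 0, so the red.up hook and the CGI that invoke this setuid wrapper cannot tell that a rule reload failed; if safe_system returns the child's status like system() does, `return safe_system("/var/ipfire/forward/bin/rules.pl") ? 1 : 0;` would surface that. `argc` and `argv` are now unused after the flush path was dropped, so `int main(void)` keeps the build warning-free and documents that arguments are deliberately ignored. Removing the flush option from a setuid helper is the right call; a one-line comment above the call, `/* setuid helper: rebuild the forward firewall from the saved config; takes no arguments on purpose */`, would record why no argument handling remains.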
@@ -83,10 +83,10 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/20-RL-firewall -etc/rc.d/init.d/networking/red.up/23-forwardfwctrl -etc/rc.d/init.d/networking/red.up/24-RS-snort -etc/rc.d/init.d/networking/red.up/25-RS-qos -etc/rc.d/init.d/networking/red.up/28-RS-squid +etc/rc.d/init.d/networking/red.up/22-forwardfwctrl +etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/24-RS-qos +etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns etc/rc.d/init.d/networking/red.up/40-ipac etc/rc.d/init.d/networking/red.up/50-ipsec diff --git a/lfs/initscripts b/lfs/initscripts index 091b61a42..0b2dbee77 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -180,14 +180,14 @@ $(TARGET) : ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall ln -sf ../../../../../usr/local/bin/forwardfwctrl \ - /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl + /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ - /etc/rc.d/init.d/networking/red.up/24-RS-snort + /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ - /etc/rc.d/init.d/networking/red.up/25-RS-qos + /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl - ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid + ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall ln -sf ../../../../../usr/local/bin/dialctrl.pl \ From caca013c1165230eea388ed4a770f6663ad5608e Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Mon, 12 Aug 2013 15:53:16 +0200 Subject: [PATCH 299/306] Forward Firewall: added /var/ipfire/forward/bin to backup-exclude script --- config/backup/exclude | 1 + 1 file changed, 1 insertion(+) diff --git a/config/backup/exclude b/config/backup/exclude index bd15ceb21..41ae8b576 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -4,3 +4,4 @@ /var/ipfire/proxy/calamaris/bin/* /var/ipfire/qos/bin/qos.pl /var/ipfire/urlfilter/blacklists/*/*.db +/var/ipfire/forward/bin/* From dc21519f683d5bb0f7e5a9dfcfb4806afb895217 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 13 Aug 2013 12:44:01 +0200 Subject: [PATCH 300/306] Forward Firewall: added GPL header to all files --- config/forwardfw/convert-dmz | 40 +++++++++++++++++++-------- config/forwardfw/convert-outgoingfw | 42 +++++++++++++++++++--------- config/forwardfw/convert-portfw | 43 +++++++++++++++++++---------- config/forwardfw/convert-xtaccess | 26 +++++++++++++++++ config/forwardfw/firewall-lib.pl | 5 ++-- config/forwardfw/firewall-policy | 23 +++++++++++++++ config/forwardfw/rules.pl | 9 ++---- html/cgi-bin/forwardfw.cgi | 5 ++-- html/cgi-bin/fwhosts.cgi | 6 ++-- html/cgi-bin/optionsfw.cgi | 3 ++ html/cgi-bin/p2p-block.cgi | 13 ++------- 11 files changed, 151 insertions(+), 64 deletions(-) diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz index 6ba054e63..3d9136425 100755 --- a/config/forwardfw/convert-dmz +++ b/config/forwardfw/convert-dmz 
@@ -1,17 +1,33 @@ #!/usr/bin/perl -######################################################################## -# Script: convert-dmz -# Date: 03.04.2013 -# Author: Alexander Marx (amarx@ipfire.org) -######################################################################## -# -# This script converts old dmz holes rules from old Firewall -# to the new one. This is a 2-step process. -# STEP1: read old config and normalize settings -# STEP2: check valid ip and save valid rules to new firewall -# -######################################################################## +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### +# # +# This script converts old dmz holes rules from old firewall # +# to the new one. This is a 2-step process. # +# STEP1: read old config and normalize settings # +# STEP2: check valid ip and save valid rules to new firewall # +# # +############################################################################### my @current=(); my @alias=(); my %configdmz=(); 
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index 05bf13dad..c9077a871 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw 
@@ -1,17 +1,33 @@ #!/usr/bin/perl -######################################################################## -# Script: convert-outgoingfw -# Date: 21.03.2013 -# Author: Alexander Marx (amarx@ipfire.org) -######################################################################## -# -# This script converts old groups and firewallrules -# to the new one. This is a 3-step process. -# STEP1: convert groups ->LOG /var/log/converters -# STEP2: convert rules ->LOG /var/log/converters -# STEP3: convert P2P rules -# -######################################################################## +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### +# # +# This script converts old groups and firewallrules # +# to the new one. This is a 3-step process. # +# STEP1: convert groups ->LOG /var/log/converters # +# STEP2: convert rules ->LOG /var/log/converters # +# STEP3: convert P2P rules # +# # +############################################################################### require '/var/ipfire/general-functions.pl'; 
diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw index 691cfb429..e741c3d8d 100755 --- a/config/forwardfw/convert-portfw +++ b/config/forwardfw/convert-portfw 
@@ -1,18 +1,33 @@ #!/usr/bin/perl - -######################################################################## -# Script: convert-portfw -# Date: 21.03.2013 -# Author: Alexander Marx (amarx@ipfire.org) -######################################################################## -# -# This script converts old portforwarding rules from old Firewall -# to the new one. This is a 3-step process. -# STEP1: read old config and normalize settings -# STEP2: create new rules from old ones -# STEP3: check if rule already exists, when not, put it into -# /var/ipfire/forward/nat -######################################################################## +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### +# # +# This script converts old portforwarding rules from old Firewall # +# to the new one. This is a 3-step process. 
# +# STEP1: read old config and normalize settings # +# STEP2: create new rules from old ones # +# STEP3: check if rule already exists, when not, put it into # +# /var/ipfire/forward/nat # +############################################################################### require '/var/ipfire/general-functions.pl'; my @values=(); my @built_rules=(); diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess index 8c3bb56a0..23fb226c6 100755 --- a/config/forwardfw/convert-xtaccess +++ b/config/forwardfw/convert-xtaccess @@ -1,4 +1,30 @@ #!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### +# # +#This script converts old xtaccess rules to new firewall # +#Logfiles are created under /var/log/converters # +# # +############################################################################### my @current=(); my @alias=(); my %configinputfw=(); diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index a1f96ba40..e616d7efa 100755 --- a/config/forwardfw/firewall-lib.pl 
+++ b/config/forwardfw/firewall-lib.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2012 # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,7 +18,8 @@ # along with this program. If not, see . # # # ############################################################################### - +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### use strict; no warnings 'uninitialized'; diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index e142f2d3f..f6c88e4af 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy 
@@ -1,5 +1,28 @@ #!/bin/sh +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### + + eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 07f3abd1e..e3592701c 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2012 # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,10 +18,7 @@ # along with this program. If not, see . # # # ############################################################################### -# # -# Hi folks! I hope this code is useful for all. I needed something to handle # -# my VPN Connections in a comfortable way. # -# This script builds firewallrules from the webinterface # +# Author: Alexander Marx (amarx@ipfire.org) # ############################################################################### use strict; @@ -89,7 +86,7 @@ close(CONN1); ################################ # DEBUG/TEST # ################################ -my $MODE=1; # 0 - normal operation +my $MODE=0; # 0 - normal operation # 1 - print configline and rules to console # ################################ diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index bd8cea8ed..88e16086f 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2012 # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,7 +18,8 @@ # along with this program. If not, see . # # # ############################################################################### - +# Author: Alexander Marx (amarx@ipfire.org) # +############################################################################### use strict; use Sort::Naturally; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 879e6b83c..fffa9353e 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2011 IPFire Team # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,9 +18,7 @@ # along with this program. If not, see . # # # ############################################################################### -# New function for forwarding firewall. To make it comfortable to create # -# rules, we need "spelling names" for single Hosts. If you have any questions # -# # +# Author: Alexander Marx (amarx@ipfire.org) # ############################################################################### use strict; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 73a2f59a6..7d34feab0 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -11,6 +11,9 @@ # $Id: optionsfw.cgi,v 1.1.2.10 2005/10/03 00:34:10 gespinasse Exp $ # # +######################################################################## +# Modifications for new Firewall (C) 2013 by amarx@ipfire.org +######################################################################## # enable only the following on debugging purpose #use warnings; diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi index 9d248a133..79417502b 100755 --- a/html/cgi-bin/p2p-block.cgi +++ b/html/cgi-bin/p2p-block.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2012 # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,16 +18,7 @@ # along with this program. If not, see . # # # ############################################################################### -# # -# Hi folks! I hope this code is useful for all. I needed something to handle # -# my VPN Connections in a comfortable way. As a prerequisite i needed # -# something that makes sure the vpn roadwarrior are able to have a fixed # -# ip-address. So i developed the ccd extension for the vpn server. # -# # -# Now that the ccd extension is ready i am able to develop the main request. # -# Any feedback is appreciated. # -# # -#Copymaster # +# Author: Alexander Marx (Amarx@ipfire.org) # ############################################################################### use strict; From 5bee9a9df5739810da488bf5bf71da4fe82be484 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 13 Aug 2013 13:47:27 +0200 Subject: [PATCH 301/306] Forward Firewall: edited GPL-header --- config/forwardfw/convert-dmz | 4 +--- config/forwardfw/convert-outgoingfw | 4 +--- config/forwardfw/convert-portfw | 4 +--- config/forwardfw/convert-xtaccess | 4 +--- config/forwardfw/firewall-lib.pl | 4 +--- config/forwardfw/firewall-policy | 4 +--- config/forwardfw/rules.pl | 4 +--- html/cgi-bin/forwardfw.cgi | 6 ++---- html/cgi-bin/fwhosts.cgi | 4 +--- html/cgi-bin/optionsfw.cgi | 4 ---- html/cgi-bin/p2p-block.cgi | 4 +--- 11 files changed, 11 insertions(+), 35 deletions(-) diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz index 3d9136425..efc4386b4 100755 --- a/config/forwardfw/convert-dmz +++ b/config/forwardfw/convert-dmz @@ -3,7 +3,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -19,8 +19,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### # # # This script converts old dmz holes rules from old firewall # # to the new one. This is a 2-step process. # diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw index c9077a871..bd3305930 100755 --- a/config/forwardfw/convert-outgoingfw +++ b/config/forwardfw/convert-outgoingfw @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### # # # This script converts old groups and firewallrules # # to the new one. This is a 3-step process. # diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw index e741c3d8d..a37383e31 100755 --- a/config/forwardfw/convert-portfw +++ b/config/forwardfw/convert-portfw @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### # # # This script converts old portforwarding rules from old Firewall # # to the new one. This is a 3-step process. # diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess index 23fb226c6..d86c445af 100755 --- a/config/forwardfw/convert-xtaccess +++ b/config/forwardfw/convert-xtaccess @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### # # #This script converts old xtaccess rules to new firewall # #Logfiles are created under /var/log/converters # diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index e616d7efa..f1e8403da 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### use strict; no warnings 'uninitialized'; diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index f6c88e4af..0fcfaa471 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -3,7 +3,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,8 +19,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index e3592701c..370b7ecfb 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### use strict; use Time::Local; diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 88e16086f..0907fba9b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### use strict; use Sort::Naturally; @@ -65,7 +63,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.13'; +my $VERSION='0.9.9.14'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index fffa9353e..dec649bdd 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (amarx@ipfire.org) # -############################################################################### use strict; # enable only the following on debugging purpose diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 7d34feab0..713f37f9f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -11,10 +11,6 @@ # $Id: optionsfw.cgi,v 1.1.2.10 2005/10/03 00:34:10 gespinasse Exp $ # # -######################################################################## -# Modifications for new Firewall (C) 2013 by amarx@ipfire.org -######################################################################## - # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi index 79417502b..7c6f7b3a4 100755 --- a/html/cgi-bin/p2p-block.cgi +++ b/html/cgi-bin/p2p-block.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,8 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# Author: Alexander Marx (Amarx@ipfire.org) # -############################################################################### use strict; no warnings 'uninitialized'; From 4f585d559f2bea5002cdb57f171732cfd8675bec Mon Sep 17 00:00:00 2001 
From: Alexander Marx Date: Tue, 13 Aug 2013 13:58:48 +0200 Subject: [PATCH 302/306] Forward Firewall: Modified the Message to reread firewallrules in p2p-block.cgi. This is now the same as in forwardfw.cgi and fwhost.cgi --- html/cgi-bin/p2p-block.cgi | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi index 7c6f7b3a4..cfca54284 100755 --- a/html/cgi-bin/p2p-block.cgi +++ b/html/cgi-bin/p2p-block.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2013 # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,6 +18,8 @@ # along with this program. If not, see . # # # ############################################################################### +# Author: Alexander Marx (Amarx@ipfire.org) # +############################################################################### use strict; no warnings 'uninitialized'; @@ -83,7 +85,7 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) sub p2pblock { if (-f "${General::swroot}/forward/reread"){ - print "
$Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}

"; } my $gif; open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; From f195a8d763c82635bc1458bd9cd8d13cf45c95a2 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 13 Aug 2013 16:00:32 +0200 Subject: [PATCH 303/306] Forward Firewall: BUG: when creating a new group in firewall-groups with the same name as an existing group, the line "no rule defined" was added. BUG: THe line "no rules defined" is now "no entries in this group". --- html/cgi-bin/fwhosts.cgi | 19 ++++++++++++++++--- langs/de/cgi-bin/de.pl | 3 ++- langs/en/cgi-bin/en.pl | 3 ++- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index dec649bdd..92c2d38b9 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -543,6 +543,8 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') &General::readhasharray("$confighost", \%customhost); #check name if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};} + #check existing name + if (!checkgroup(\%customgrp,$grp) && $fwhostsettings{'update'} ne 'on'){$errormessage.=$Lang::tr{'fwhost err grpexist'};} #check remark if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){ $errormessage.=$Lang::tr{'fwhost err remark'}; @@ -1490,7 +1492,7 @@ sub viewtablegrp my $delflag; if (!keys %customgrp) { - print "
$Lang::tr{'fwhost empty'}"; + print "
$Lang::tr{'fwhost err emptytable'}"; }else{ foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp ($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ $count++; @@ -1506,7 +1508,7 @@ sub viewtablegrp } } $number=1; - if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};} + if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost err emptytable'};} $grpname=$customgrp{$key}[0]; $remark="$customgrp{$key}[1]"; if($count gt 2){ print"";} @@ -1536,7 +1538,7 @@ sub viewtablegrp }else{ print "$customgrp{$key}[2]"; } - if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){ + if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){ print "$Lang::tr{'fwhost deleted'}$customgrp{$key}[3]
"; }else{ my ($colip,$colsub) = split("/",$ip); @@ -1681,6 +1683,17 @@ sub checkname return 1; } +sub checkgroup +{ + my %hash=%{(shift)}; + my $name=shift; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $name){ + return 0; + } + } + return 1; +} sub checkip { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d26287139..279bfaab2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, 'Act as' => 'Konfiguriert als', @@ -1019,6 +1019,7 @@ 'fwhost err addr' => 'IP-Adresse oder Subnetzmaske ungültig', 'fwhost err addrgrp' => 'Bitte Gruppennamen angeben', 'fwhost err empty' => 'Bitte alle Felder ausfüllen', +'fwhost err emptytable' => 'Keine Einträge in Gruppe', 'fwhost err groupempty' => 'Die gewählte Gruppe ist leer', 'fwhost err grpexist' => 'Die Gruppe existiert bereits', 'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 63d1e9358..4ca450c52 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, 'Act as' => 'Act as:', @@ -1044,6 +1044,7 @@ 'fwhost err addr' => 'Invalid IP address or subnet', 'fwhost err addrgrp' => 'Please provide a group name', 'fwhost err empty' => 'Please fill in all input fields', +'fwhost err emptytable' => 'No entries in this group', 'fwhost err groupempty' => 'The selected group is empty', 'fwhost err grpexist' => 'Group already exists', 'fwhost err hostexist' => 'A host with the same name already exists', From 0c2cf9e2145737cc6af6f6147f322d9ce60465f6 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 14 Aug 2013 09:06:38 +0200 Subject: [PATCH 304/306] Forward Firewall: BUGFIX: when having more than 10 hosts/networks in a firewall-groups group, the table was not shown correctly --- html/cgi-bin/fwhosts.cgi | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 92c2d38b9..482ccabf5 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1494,7 +1494,7 @@ sub viewtablegrp { print "
$Lang::tr{'fwhost err emptytable'}"; }else{ - foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp ($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ + foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ $count++; if ($helper ne $customgrp{$key}[0]){ $delflag='0'; @@ -1511,7 +1511,7 @@ sub viewtablegrp if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost err emptytable'};} $grpname=$customgrp{$key}[0]; $remark="$customgrp{$key}[1]"; - if($count gt 2){ print"";} + if($count gt 1){ print"";} print "
$grpname   "; print " $Lang::tr{'remark'}:  $remark   " if ($remark ne ''); print "$Lang::tr{'used'}: $customgrp{$key}[4]x"; @@ -1554,7 +1554,6 @@ sub viewtablegrp $number++; } print""; - } &Header::closebox(); } From b119578f023df75a015505239751246c23f9a523 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 14 Aug 2013 12:51:21 +0200 Subject: [PATCH 305/306] Forward Firewall: Now all customhosts are colored correctly in ruletable. Also the ip addresses in firewall-groups (hosts) are colored correctly if they are part of green,orange,blue,openvpn or ipsec --- html/cgi-bin/forwardfw.cgi | 20 ++++++------ html/cgi-bin/fwhosts.cgi | 64 +++++++++++++++++++++++++++++++++++++- 2 files changed, 73 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 0907fba9b..c18f4f41c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1243,6 +1243,14 @@ sub getcolor my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #custom Hosts + if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + foreach my $key (sort keys %$hash){ + if ($$hash{$key}[0] eq $val){ + $val=$$hash{$key}[2]; + } + } + } #standard networks if ($val eq 'GREEN'){ $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; @@ -1277,8 +1285,8 @@ sub getcolor $tdcolor="style='background-color: $Header::colourred;color:white;'"; return; } - #Check if a manual IP is part of a VPN - if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){ + #Check if a manual IP or custom host is part of a VPN + if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr' || $nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ #Check if IP is part of OpenVPN dynamic subnet my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); my ($c,$d) = split("/",$val); 
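Review bot: The row-separator guard in the `@@ -1511` hunk still compares the numeric `$count` with the string operator `gt`, so the threshold is evaluated lexically: under the old `gt 2`, counts 10 through 19 were false because `"1"` sorts before `"2"`, which is exactly the breakage at more than ten entries the commit describes. Lowering the literal to 1 happens to hold for every positive count, but the operator is the root cause and the line should use numeric comparison, `if($count > 1){ print"…";}` (the print argument is separator markup that this rendering has stripped). The same `gt`/`lt`-on-a-counter pattern may exist elsewhere in this file and is worth a search. `viewtablegrp` starts before the hunk and ends after it.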
@@ -1332,14 +1340,6 @@ sub getcolor $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } - #custom Hosts - if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ - foreach my $key (sort keys %$hash){ - if ($$hash{$key}[0] eq $val){ - $val=$$hash{$key}[2]; - } - } - } #ALIASE foreach my $alias (sort keys %aliases) { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 482ccabf5..b72cb1064 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -46,6 +46,9 @@ my %ownnet=(); my %ipsecsettings=(); my %fwfwd=(); my %fwinp=(); +my %ovpnsettings=(); +my %ipsecconf=(); +my %ipsecsettings=(); my $errormessage; my $hint; @@ -60,6 +63,10 @@ my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; my $fwconfigfwd = "${General::swroot}/forward/config"; my $fwconfiginp = "${General::swroot}/forward/input"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $tdcolor=''; +my $configipsec = "${General::swroot}/vpn/config"; +my $configipsecrw = "${General::swroot}/vpn/settings"; unless (-e $confignet) { system("touch $confignet"); } unless (-e $confighost) { system("touch $confighost"); } @@ -70,6 +77,10 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); &General::readhash("${General::swroot}/ethernet/settings", \%ownnet); +&General::readhash("$configovpn", \%ovpnsettings); +&General::readhasharray("$configipsec", \%ipsecconf); +&General::readhash("$configipsecrw", \%ipsecsettings); + &Header::getcgihash(\%fwhostsettings); &Header::showhttpheaders(); 
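Review bot: The `@@ -46,6 +46,9 @@` hunk of fwhosts.cgi declares `my %ipsecsettings=();` a second time; the context line directly above the added block already declares it in the same scope, so the new line should be dropped. The diagnostic that would have caught this ("my" variable masks earlier declaration) only fires under `use warnings`, and the `# enable only the following on debugging purpose` comment after `use strict;` in this file (visible in patch 301) suggests warnings are switched off here, so enabling them while developing this file is worthwhile. In the `@@ -60,6 +63,10 @@` hunk, `my $tdcolor='';` is wedged between two config-path declarations; grouping it with the other scalars keeps that declaration block readable.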
@@ -1429,11 +1440,61 @@ END } } +sub getcolor +{ + my $c=shift; + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color:$Header::colourovpn ;'"; + return $tdcolor; + } + } + } + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + $tdcolor=''; + return $tdcolor; +} sub viewtablehost { if (! -z $confighost){ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust addr'}); &General::readhasharray("$confighost", \%customhost); + &General::readhasharray("$configccdnet", \%ccdnet); + &General::readhasharray("$configccdhost", \%ccdhost); if (!keys %customhost) { print "
$Lang::tr{'fwhost empty'}"; @@ -1451,7 +1512,7 @@ END else{ print" ";} my ($ip,$sub)=split(/\//,$customhost{$key}[2]); $customhost{$key}[4]=~s/\s+//g; - print"$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x"; + print"$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$customhost{$key}[4]x"; print< @@ -1777,6 +1838,7 @@ sub get_name return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); } } + sub deletefromgrp { my $target=shift; From eb95ce89a8effefa0c6aa27bf6f048926d21fed0 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 14 Aug 2013 14:19:36 +0200 Subject: [PATCH 306/306] Forward Firewall: ip addresses in firewall-groups (groups) are now colorized --- html/cgi-bin/fwhosts.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index b72cb1064..7ed27c4f6 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1604,7 +1604,7 @@ sub viewtablegrp }else{ my ($colip,$colsub) = split("/",$ip); $ip="$colip/".&General::subtocidr($colsub) if ($colsub); - print"".&Header::colorize($ip)."$customgrp{$key}[3]"; + print"".&Header::colorize($ip)."$customgrp{$key}[3]"; } if ($delflag > '1' && $ip ne ''){ print"";
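Review bot: In the new `getcolor` of fwhosts.cgi, the OpenVPN dynamic-subnet check splits `$ovpnsettings{'DOVPN_SUBNET'}` and calls `IpInSubnet` unconditionally, whereas the IPsec RW check just below is guarded by `$ipsecsettings{'RW_NET'} ne ''`; when OpenVPN is not configured the first check runs with undefined operands, so it deserves the same guard, `if ($ovpnsettings{'DOVPN_SUBNET'} ne '') { … }`. The IPsec N2N branch passes the mask from `$ipsecconf{$key}[11]` straight to `IpInSubnet` without the `&General::iporsubtodec` conversion the ccdnet and RW_NET branches apply; if that field can hold a CIDR prefix the branch will never match, which is worth confirming against the vpn config format. The lexicals `my ($a,$b)` mask Perl's `sort` package variables, so any `sort { $a <=> $b }` placed inside this sub would break; names such as `$net`/`$mask` avoid that. The sub also reads `%ccdhost` and `%ccdnet`, which this hunk loads only inside `viewtablehost`, so any other caller sees them empty unless it loads them first.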
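Review bot: The changed `print` in `viewtablegrp` (its tag attributes are stripped in this rendering, so the exact call is inferred from the commit message) apparently colours the address via the `getcolor` added in patch 305, which consults `%ccdhost` and `%ccdnet`; that patch loads those two hashes only inside `viewtablehost`, so when `viewtablegrp` renders they may still be empty and OpenVPN N2N/static addresses would not be coloured. Loading them once alongside the other `readhasharray` calls near the top of the file, or also at the start of `viewtablegrp`, would close that gap. `viewtablegrp` starts and ends outside this hunk.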