diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy new file mode 100755 index 000000000..aec71e29b --- /dev/null +++ b/config/forwardfw/firewall-forward-policy @@ -0,0 +1,24 @@ +#!/bin/sh + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICY + +if [ "$POLICY" == "MODE1" ]; then + + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT" + fi +fi + + diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index 24b990c77..44c0079b7 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -215,6 +215,8 @@ sub get_std_net_ip return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; }elsif($val eq 'BLUE'){ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + }elsif($val eq 'RED'){ + return "0.0.0.0/0 -o red0"; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 960951fc0..953aad0bc 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -88,10 +88,11 @@ if($param eq 'flush'){ &preparerules; if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - #system ("iptables -A $CHAIN -j DROP"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - #system ("iptables -A $CHAIN -j ACCEPT"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){ + system ("/usr/sbin/firewall-forward-policy"); system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); } } @@ -113,9 +114,7 @@ sub preparerules } sub buildrules { - my $hash=shift; - foreach my $key (sort keys %$hash){ if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -163,7 +162,7 @@ sub buildrules if ($DPROT eq ''){$DPROT=' ';} @DPROT=split(",",$DPROT); - + #get time if defined if($$hash{$key}[18] eq 'ON'){ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} @@ -178,7 +177,7 @@ sub buildrules $TIMETILL="--timestop $$hash{$key}[27] "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } - + if ($MODE eq '1'){ print "NR:$key "; foreach my $i (0 .. $#{$$hash{$key}}){ @@ -187,7 +186,7 @@ sub buildrules print "\n"; print"##################################\n"; #print rules to console - + foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} @@ -206,7 +205,7 @@ sub buildrules } print"\n"; } - + }elsif($MODE eq '0'){ foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); @@ -302,11 +301,12 @@ sub get_port if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ return "--sport $$hash{$key}[10] "; - }elsif($$hash{$key}[9] ne ''){ + }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ return "--dport $$hash{$key}[15] "; @@ -330,8 +330,6 @@ sub get_port elsif($prot eq 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); } - - } } } diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 5d5195fba..d57390443 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1390,7 +1390,7 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dmzholes.cgi +#srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi srv/web/ipfire/cgi-bin/forwardfw.cgi diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 1e91b3743..4755f07f0 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,6 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert +usr/sbin/firewall-forward-policy #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi deleted file mode 100644 index 5c16f004c..000000000 --- a/html/cgi-bin/dmzholes.cgi +++ /dev/null @@ -1,446 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} ); -undef (@dummy); - -my %cgiparams=(); -my %checked=(); -my %selected=(); -my %netsettings=(); -my $errormessage = ''; -my $filename = "${General::swroot}/dmzholes/config"; - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'REMARK'} = ''; -$cgiparams{'ACTION'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'DEST_IP'} =''; -$cgiparams{'DEST_PORT'} = ''; -&Header::getcgihash(\%cgiparams); - -open(FILE, $filename) or die 'Unable to open config file.'; -my @current = ; -close(FILE); - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; } - unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; } - unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');} - unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - unless ($errormessage) { - $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - unless ($errormessage) - { - if($cgiparams{'EDITING'} eq 'no') { - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { - open(FILE,">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { print FILE "$line"; } - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'dmz pinhole rule added'}); - system('/usr/local/bin/setdmzholes'); - } -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); - &General::log($Lang::tr{'dmz pinhole rule removed'}); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - else - { - chomp($line); - my @temp = split(/\,/,$line); - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n"; - } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'ID'} eq $id) - { - chomp($line); - my @temp = split(/\,/,$line); - $cgiparams{'PROTOCOL'} = $temp[0]; - $cgiparams{'SRC_IP'} = $temp[1]; - $cgiparams{'DEST_IP'} = $temp[2]; - $cgiparams{'DEST_PORT'} = $temp[3]; - $cgiparams{'ENABLED'} = $temp[4]; - $cgiparams{'SRC_NET'} = $temp[5]; - $cgiparams{'DEST_NET'} = $temp[6]; - $cgiparams{'REMARK'} = $temp[7]; - } - } -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_NET'} = 'orange'; - $cgiparams{'DEST_NET'} = 'blue'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_NET'}{'orange'} = ''; -$selected{'SRC_NET'}{'blue'} = ''; -$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'"; - -$selected{'DEST_NET'}{'blue'} = ''; -$selected{'DEST_NET'}{'green'} = ''; -$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -my $buttonText = $Lang::tr{'add'}; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); - $buttonText = $Lang::tr{'update'}; -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} -print < - - - - - - $Lang::tr{'source net'}: - - - - - -   - - $Lang::tr{'destination net'}: - - - - - $Lang::tr{'destination ip or net'}: - - - - - $Lang::tr{'destination port'}:  - - - - - - - - - - - - - -
- $Lang::tr{'remark title'} * - -
- *  - $Lang::tr{'this field may be blank'} - $Lang::tr{'enabled'} - - -
-END -; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - print "\n"; -} else { - print "\n"; -} -&Header::closebox(); -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'net'} -$Lang::tr{'source'} -  -$Lang::tr{'net'} -$Lang::tr{'destination'} -$Lang::tr{'remark'} -  -$Lang::tr{'action'} -END -; - -# Achim Weber: if i add a new rule, this rule is not displayed?!? -# we re-read always config. -# If something has happeened re-read config -#if($cgiparams{'ACTION'} ne '') -#{ - open(FILE, $filename) or die 'Unable to open config file.'; - @current = ; - close(FILE); -#} -my $id = 0; -foreach my $line (@current) -{ - my $protocol=''; - my $gif=''; - my $toggle=''; - my $gdesc=''; - $id++; - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' } - - my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange}; - my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen}; - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { - print "\n"; } - elsif ($id % 2) { - print "\n"; } - else { - print "\n"; } - if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - my $dstprt =$temp[3]; - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[0]))); - if ($servi ne '' && $temp[3] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - # Darren Critchley - If the line is too long, wrap the port numbers - my $dstaddr = "$temp[2] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[2] :
$dstprt"; - } -print <$protocol - -$temp[1] - - -$dstaddr -$temp[7] - - -
- - - - -
- - - -
- - - -
- - - -
- - - -
- - - -END - ; -} -print "\n"; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'click to enable'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -sub validNet -{ - my $srcNet = $_[0]; - my $destNet = $_[1]; - - if ($srcNet eq $destNet) { - return $Lang::tr{'dmzpinholes for same net not necessary'}; } - unless ($srcNet =~ /^(blue|orange)$/) { - return $Lang::tr{'select source net'}; } - unless ($destNet =~ /^(blue|green)$/) { - return $Lang::tr{'select dest net'}; } - - return ''; -} - -sub haveOrangeNet -{ - if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} - -sub haveBlueNet -{ - if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index caaba2168..6aadb996b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -112,54 +112,50 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} - + #check if we change an forward rule to an external access - if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){ + if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configfwdfw; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - + #check if we change an external access rule to an forward - if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){ + if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'chain'} = 'INPUTFW'; #check if we have an identical rule already foreach my $key (sort keys %configinputfw){ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } } - - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - if ($fwdfwsettings{'nobase'} eq 'on'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - + + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + &saverule(\%configinputfw,$configinput); - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -181,9 +177,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - }else{ $fwdfwsettings{'chain'} = 'FORWARDFW'; #check if we have an identical rule already @@ -196,9 +189,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { @@ -206,14 +199,11 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - if ($fwdfwsettings{'nobase'} eq 'on'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - - &saverule(\%configfwdfw,$configfwdfw); - + #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -235,9 +225,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - } if ($errormessage){ &newrule; @@ -245,7 +232,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &rules; &base; } - } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) { @@ -264,12 +250,10 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) $fwdfwsettings{'POLICY'}='MODE0'; system("rm ${General::swroot}/forward/config"); system("rm ${General::swroot}/forward/input"); - %fwdfwsettings = (); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } - + %fwdfwsettings = (); &reread_rules; } @@ -407,7 +391,7 @@ sub checkcounter }elsif($base1 eq 'cust_srvgrp'){ &dec_counter($configsrvgrp,\%customservicegrp,$val1); } - + if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ &inc_counter($confignet,\%customnetwork,$val2); }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ @@ -426,13 +410,12 @@ sub inc_counter my %hash=%{(shift)}; my $val=shift; my $pos; - + &General::readhasharray($config, \%hash); foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]+1; - } } &General::writehasharray($config, \%hash); @@ -449,23 +432,21 @@ sub dec_counter if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } } &General::writehasharray($config, \%hash); } sub base { - if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - + &hint; if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') { &addrule; } - + #print""; #foreach (0 .. 40){ #my $i="color".$_; @@ -494,7 +475,7 @@ sub addrule { &error; &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print ""; print "
"; print ""; @@ -505,7 +486,6 @@ sub addrule &Header::closebox(); &viewtablerule; - } sub deleterule { @@ -537,7 +517,7 @@ sub deleterule &General::writehasharray($fwdfwsettings{'config'}, \%delhash); &rules; - + if($fwdfwsettings{'nobase'} ne 'on'){ &base; } @@ -553,7 +533,6 @@ sub disable_rule } &General::writehasharray("$configfwdfw", \%configfwdfw); &rules; - } sub checksource { @@ -589,7 +568,7 @@ sub checksource $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} #check icmp source @@ -601,6 +580,12 @@ sub checksource $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; } } + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; }else{ @@ -608,7 +593,7 @@ sub checksource $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'PROT'}=''; } - + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; @@ -622,7 +607,7 @@ sub checksource if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { $fwdfwsettings{'SRC_PORT'} = "$1:65535"; } - + $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src'); } return $errormessage; @@ -630,8 +615,7 @@ sub checksource sub checktarget { my ($ip,$subnet); - - + if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { @@ -658,15 +642,15 @@ sub checktarget if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; } - + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} - + #check tgt services if ($fwdfwsettings{'USESRV'} eq 'ON'){ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ @@ -682,7 +666,7 @@ sub checktarget } } if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ - if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){ + if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; @@ -697,19 +681,25 @@ sub checktarget } $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination'); } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'} = ''; + }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){ + $fwdfwsettings{'TGT_PORT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + $fwdfwsettings{'TGT_PORT'} = ''; &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ - $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; } } } } } - + #check targetport if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; @@ -717,17 +707,12 @@ sub checktarget $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; } - - #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ $errormessage=$Lang::tr{'fwdfw err time'}; } } - - - return $errormessage; } sub checkrule @@ -741,17 +726,14 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err same'}; return $errormessage; } - + #get source and targetip address if possible my ($sip,$scidr,$tip,$tcidr); ($sip,$scidr)=&get_ip("src","grp1"); ($tip,$tcidr)=&get_ip("tgt","grp2"); - - - + #check same iprange in source and target if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ - my $networkip1=&General::getnetworkip($sip,$scidr); my $networkip2=&General::getnetworkip($tip,$tcidr); if ($scidr gt $tcidr){ @@ -759,20 +741,19 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err samesub'}; } }elsif($scidr eq $tcidr && $scidr eq '32'){ - my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1); - my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2); + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2); if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ $hint=$Lang::tr{'fwdfw hint ip1'}."
"; $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } - }else{ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } } - + #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ @@ -791,7 +772,6 @@ sub checkrule } } } - } sub get_ip { @@ -842,7 +822,6 @@ sub get_ip } } } - return $a,$b; } sub newrule @@ -858,14 +837,11 @@ sub newrule &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configipsec", \%ipsecconf); &General::get_aliases(\%aliases); - - my %checked=(); my $helper; if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -884,7 +860,6 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -917,7 +892,6 @@ sub newrule $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -949,9 +923,9 @@ sub newrule $fwdfwsettings{'ACTIVE'}='ON'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; } - + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print <
@@ -962,7 +936,7 @@ END if($fwdfwsettings{'POLICY'} eq 'MODE2'){ $fwdfwsettings{'RULE_ACTION'} = 'DROP'; } - + if ($_ eq $fwdfwsettings{'RULE_ACTION'}) { print""; @@ -975,19 +949,19 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); - - + + #------SOURCE------------------------------------------------------- print< - + END - + #
$Lang::tr{'fwdfw sourceip'}
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
- - - END - #
$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw man port'}
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})
$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}

- +
$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwdfw man port'}


- + END #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); @@ -1282,7 +1246,6 @@ END $Lang::tr{'time'}: $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'} $Lang::tr{'advproxy to'} @@ -1297,7 +1260,6 @@ END - -
-
END } @@ -1355,7 +1315,6 @@ END } sub saverule { - my $hash=shift; my $config=shift; &General::readhasharray("$config", $hash); @@ -1456,7 +1415,7 @@ sub get_name foreach my $network (sort keys %defaultNetworks) { return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); - } + } } sub validremark { @@ -1468,13 +1427,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { return 0;} return 1; } @@ -1494,7 +1453,7 @@ sub gettgtport my $key=shift; my $service; my $prot; - + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); @@ -1506,7 +1465,7 @@ sub gettgtport } } }elsif($hash{$key}[14] eq 'cust_srvgrp'){ - + $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ $service=$hash{$key}[15]; @@ -1515,7 +1474,7 @@ sub gettgtport }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ print" : ($hash{$key}[12])
$hash{$key}[13]"; } - + if ($prot ne '' || $service ne ''){ print" :"; if ($prot ne ''){ @@ -1535,7 +1494,7 @@ sub viewtablenew my $config=shift; my $title=shift; my $title1=shift; - + if ( ! -z "$config"){ &Header::openbox('100%', 'left',$title); my $count=0; @@ -1549,7 +1508,7 @@ sub viewtablenew print"$title1
"; print""; print""; - foreach my $key (sort keys %$hash){ + foreach my $key (sort {$a <=> $b} keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ @@ -1558,14 +1517,12 @@ sub viewtablenew if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[6]); } - foreach my $host (@tmpsrc){ if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ - if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; - } }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ @@ -1589,10 +1546,8 @@ sub viewtablenew $$hash{$key}[3]=''; $$hash{$key}[5]=''; } - $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; - if($coloryellow eq 'on'){ print""; $coloryellow=''; @@ -1604,7 +1559,6 @@ sub viewtablenew print""; } } - print<$key END @@ -1636,7 +1590,6 @@ END } print< -
- - - - "; } - if (exists $$hash{$key+1}){ print< @@ -1729,9 +1676,7 @@ END if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} - my $weekdays=join(",",@days); - if (@days){ print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
@@ -1662,7 +1615,6 @@ END }else{ $gif="/images/off.gif" - } print< @@ -1671,22 +1623,18 @@ END
@@ -1706,7 +1654,6 @@ END }else{ print"
$Lang::tr{'fwdfw time'} "; print"$weekdays"; @@ -1742,21 +1687,19 @@ END print"
"; &Header::closebox(); } - } sub fillselect { my %hash=%{(shift)}; my $val=shift; my $key; - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash) - { - if($hash{$key}[0] eq $val){ - print""; - }else{ - print""; - } + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + print""; + }else{ + print""; } + } } sub rules { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 236e0b47c..5a8383692 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -47,6 +47,8 @@ my %defaultNetworks=(); my %mainsettings=(); my %ownnet=(); my %ipsecsettings=(); +my %fwfwd=(); +my %fwinp=(); my $errormessage; my $hint; @@ -59,6 +61,8 @@ my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $fwconfigfwd = "${General::swroot}/forward/config"; +my $fwconfiginp = "${General::swroot}/forward/input"; unless (-e $confignet) { system("touch $confignet"); } unless (-e $confighost) { system("touch $confighost"); } @@ -116,6 +120,9 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost') } } &General::writehasharray("$confighost", \%customhost); + + + $fwhostsettings{'actualize'} = 'on'; $fwhostsettings{'ACTION'} = 'savehost'; } @@ -285,6 +292,28 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } } &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } } } my $key = &General::findhasharraykey (\%customnetwork); @@ -416,9 +445,29 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') } } &General::writehasharray("$configgrp", \%customgrp); + #check if we need to update firewallrules + if ( ! -z $fwconfigfwd ){ + &General::readhasharray("$fwconfigfwd", \%fwfwd); + foreach my $line (sort keys %fwfwd){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfigfwd", \%fwfwd); + } + if ( ! -z $fwconfiginp ){ + &General::readhasharray("$fwconfiginp", \%fwinp); + foreach my $line (sort keys %fwinp){ + if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){ + $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'}; + } + } + &General::writehasharray("$fwconfiginp", \%fwinp); + } } - - } my $key = &General::findhasharraykey (\%customhost); foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";} @@ -1084,6 +1133,7 @@ END foreach my $network (sort keys %defaultNetworks) { next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP"); + next if($defaultNetworks{$network}{'NAME'} eq "RED"); print ""; @@ -1186,7 +1236,7 @@ sub addservice } print< - $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}:$Lang::tr{'fwhost prot'}:/ off +
+ + + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'} +
+
+ +
- -
END diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi deleted file mode 100644 index b417817a2..000000000 --- a/html/cgi-bin/outgoingfw.cgi +++ /dev/null @@ -1,849 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); - -my $configfile = "/var/ipfire/outgoing/rules"; -my $configpath = "/var/ipfire/outgoing/groups/"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; -my $servicefile = "/var/ipfire/outgoing/defaultservices"; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; -$outfwsettings{'MODE1LOG'} = 'off'; - -$outfwsettings{'TIME_FROM'} = '00:00'; -$outfwsettings{'TIME_TO'} = '00:00'; - -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&Header::getcgihash(\%outfwsettings); - -############### -# DEBUG DEBUG -#&Header::openbox('100%', 'left', 'DEBUG'); -#my $debugCount = 0; -#foreach my $line (sort keys %outfwsettings) { -#print "$line = $outfwsettings{$line}
\n"; -# $debugCount++; -#} -#print " Count: $debugCount\n"; -#&Header::closebox(); -# DEBUG DEBUG -############### - -$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; -$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - -$checked{'MODE1LOG'}{'off'} = ''; -$checked{'MODE1LOG'}{'on'} = ''; -$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'"; -$checked{'TIME_MON'}{'off'} = ''; -$checked{'TIME_MON'}{'on'} = ''; -$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'"; -$checked{'TIME_TUE'}{'off'} = ''; -$checked{'TIME_TUE'}{'on'} = ''; -$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'"; -$checked{'TIME_WED'}{'off'} = ''; -$checked{'TIME_WED'}{'on'} = ''; -$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'"; -$checked{'TIME_THU'}{'off'} = ''; -$checked{'TIME_THU'}{'on'} = ''; -$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'"; -$checked{'TIME_FRI'}{'off'} = ''; -$checked{'TIME_FRI'}{'on'} = ''; -$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'"; -$checked{'TIME_SAT'}{'off'} = ''; -$checked{'TIME_SAT'}{'on'} = ''; -$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'"; -$checked{'TIME_SUN'}{'off'} = ''; -$checked{'TIME_SUN'}{'on'} = ''; -$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'"; - -if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - -# This is a little hack if poeple don´t mark any date then all will be selected, because they might have forgotten to select -# a valid day. A Rule without any matching day will never work, because the timeranges are new feature people might not notice -# that they have to select a day for the rule. - -if ( $outfwsettings{'TIME_MON'} eq "" && - $outfwsettings{'TIME_TUE'} eq "" && - $outfwsettings{'TIME_WED'} eq "" && - $outfwsettings{'TIME_THU'} eq "" && - $outfwsettings{'TIME_FRI'} eq "" && - $outfwsettings{'TIME_SAT'} eq "" && - $outfwsettings{'TIME_SUN'} eq "" ) - { - $outfwsettings{'TIME_MON'} = "on"; - $outfwsettings{'TIME_TUE'} = "on"; - $outfwsettings{'TIME_WED'} = "on"; - $outfwsettings{'TIME_THU'} = "on"; - $outfwsettings{'TIME_FRI'} = "on"; - $outfwsettings{'TIME_SAT'} = "on"; - $outfwsettings{'TIME_SUN'} = "on"; - } - -&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - $outfwsettings{'POLICY'}='MODE0'; - unlink $configfile; - system("/usr/bin/touch $configfile"); - my $MODE = $outfwsettings{'POLICY'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $outfwsettings{'POLICY'}; - my $MODE1LOG = $outfwsettings{'MODE1LOG'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - $outfwsettings{'MODE1LOG'} = "$MODE1LOG"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'enable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];on;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'disable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];off;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected'; - $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected'; - $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected'; - &addrule(); - &Header::closebigbox(); - &Header::closepage(); - exit - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) -{ - if ( $outfwsettings{'VALID'} eq 'yes' ) { - - if ( $outfwsettings{'SNET'} eq "all" ) { - $outfwsettings{'SIP'} =""; - $outfwsettings{'SMAC'}=""; - } - open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; - print FILE <$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - &Header::openbox('100%', 'center', 'Rules'); - print < - - -END -; - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - if (@configs) { - print < - - - - - - - - - -END -; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - $outfwsettings{'STATE'} = $configline[0]; - $outfwsettings{'ENABLED'} = $configline[1]; - $outfwsettings{'SNET'} = $configline[2]; - $outfwsettings{'PROT'} = $configline[3]; - $outfwsettings{'NAME'} = $configline[4]; - $outfwsettings{'SIP'} = $configline[5]; - $outfwsettings{'SMAC'} = $configline[6]; - $outfwsettings{'DIP'} = $configline[7]; - $outfwsettings{'DPORT'} = $configline[8]; - $outfwsettings{'LOG'} = $configline[9]; - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - $outfwsettings{'TIME_MON'} = $configline[10]; - $outfwsettings{'TIME_TUE'} = $configline[11]; - $outfwsettings{'TIME_WED'} = $configline[12]; - $outfwsettings{'TIME_THU'} = $configline[13]; - $outfwsettings{'TIME_FRI'} = $configline[14]; - $outfwsettings{'TIME_SAT'} = $configline[15]; - $outfwsettings{'TIME_SUN'} = $configline[16]; - $outfwsettings{'TIME_FROM'} = $configline[17]; - $outfwsettings{'TIME_TO'} = $configline[18]; - - if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; } - if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; } - if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "DENY"; } - if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "ALLOW"; } - if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){ - if ( $outfwsettings{'ENABLED'} eq "on" ){ - print ""; - } else { - print ""; - } - print <$outfwsettings{'PROT'} - "; - print ""; - } else { - $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'}; - print ""; - print ""; - } - } - print < - - - -END -; - } - } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ -print <
- -
$Lang::tr{'protocol'}$Lang::tr{'network'}$Lang::tr{'destination'}$Lang::tr{'description'}$Lang::tr{'policy'}$Lang::tr{'logging'}$Lang::tr{'action'}
$outfwsettings{'SNET'} - $outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'} - $outfwsettings{'NAME'} - $outfwsettings{'DISPLAY_STATE'} - $outfwsettings{'LOG'} - - -
- - - - - - - - - - - - - - - - - - - - - -
-
- - - - - - - - - - - - - - - - - - - - - -
-END -; - if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - - unless ($outfwsettings{'SIP'}) { - $outfwsettings{'DISPLAY_SIP'} = 'ALL'; - } else { - $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; - } - - unless ($outfwsettings{'SMAC'}) { - $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; - print "
$Lang::tr{'source ip or net'}: $outfwsettings{'DISPLAY_SIP'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: $outfwsettings{'DISPLAY_SMAC'}$Lang::tr{'time'} - -END -; - if ($outfwsettings{'TIME_MON'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy monday'},"; - if ($outfwsettings{'TIME_TUE'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy tuesday'},"; - if ($outfwsettings{'TIME_WED'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy wednesday'},"; - if ($outfwsettings{'TIME_THU'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy thursday'},"; - if ($outfwsettings{'TIME_FRI'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy friday'},"; - if ($outfwsettings{'TIME_SAT'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy saturday'},"; - if ($outfwsettings{'TIME_SUN'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy sunday'}"; - print < - $Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}all - all - ALL - drop - DENY - on off -
-
-
-END -; -} - print < -END -; - - } - &Header::closebox(); -} - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print < - $Lang::tr{'protocol'} - $Lang::tr{'status'} -END -; - my $id = 1; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - print < -END -; - print "\t\t\t\n"; - print <$p2pline[0]: - -END -; - if ($p2pline[2] eq 'on') { - print < - -END -; - } else { - print < - -END -; - } - print < -END -; - } - print < -
$Lang::tr{'outgoing firewall p2p description 1'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 2'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 3'} -END -; - &Header::closebox(); -} - -&Header::openbox('100%', 'center', 'Policy'); -print < - - - - - -
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}
- - -END -; - if ($outfwsettings{'POLICY'} ne 'MODE0') { - print < -END -; - } -print < - -END -; -&Header::closebox(); - -############################################################################################################################ -############################################################################################################################ - -sub addrule -{ - &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); - if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; } - $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; - $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; -print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'description'}: $Lang::tr{'active'}:
$Lang::tr{'protocol'} - - $Lang::tr{'policy'}: -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\t\tALLOW\n"; - } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\t\tDENY\n"; - } - print < -
$Lang::tr{'source'}: - - $Lang::tr{'outgoing firewall warning'}
$Lang::tr{'source ip or net'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: - -
$Lang::tr{'logging'}: - - - -
$Lang::tr{'destination ip or net'}: $Lang::tr{'destination port'}(s)
$Lang::tr{'time'}:$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'}$Lang::tr{'advproxy to'}
- - - - - - - - - -
-
$Lang::tr{'this field may be blank'}
-END -; - &Header::closebox(); - -if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2') -{ -&Header::openbox('100%', 'center', 'Quick Add'); - - open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services"; - my @defservices = ; - close FILE; - -print ""; -foreach my $serviceline(@defservices) - { - my @service = split(/,/,$serviceline); - print <
- - - - - - ";} - elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "";} - } - print "
$Lang::tr{'service'}$Lang::tr{'description'}$Lang::tr{'port'}$Lang::tr{'protocol'}$Lang::tr{'source net'}$Lang::tr{'logging'}$Lang::tr{'action'}
$service[0]$service[3]$service[1]$service[2] - - - -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "
"; - &Header::closebox(); - } -} - -&Header::closebigbox(); -&Header::closepage(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7fe166465..11e418756 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -747,7 +747,8 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop input' => 'Verworfene Input-Pakete loggen', +'drop action' => 'Standardverhalten der Firewall in Modus1', +'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop forward' => 'Verworfene Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', @@ -1033,8 +1034,9 @@ 'from email server' => 'Von Email Server', 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gültig', -'fw blue' => 'Firewall-Optionen für das Blaue Interface', -'fw logging' => 'Firewall-Logging', +'fw blue' => 'Firewall Optionen für das Blaue Interface', +'fw default drop' => 'Firewall Policy', +'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', 'gen static key' => 'Statischen Schlüssel erzeugen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c33f97247..c4c882bf8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,9 +771,10 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', +'drop action' => 'Default behaviour of firewall in mode 1', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', -'drop forward' => 'Log dropped firewall pakets', +'drop forward' => 'Log dropped forward pakets', 'drop portscan' => 'Log dropped portscan pakets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', @@ -1060,6 +1061,7 @@ 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', +'fw default drop' => 'Firewall policy', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', diff --git a/lfs/configroot b/lfs/configroot index 704c69007..56ee98df9 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -103,6 +103,7 @@ $(TARGET) : cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl + cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c1daa59b5..0af3d4b2a 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -226,12 +226,6 @@ case "$1" in /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - # WIRELESS chains - /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT - /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - # RED chain, used for the red interface /sbin/iptables -N REDINPUT /sbin/iptables -A INPUT -j REDINPUT @@ -283,11 +277,16 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #if [ "$DROPFORWARD" == "on" ]; then + # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + #fi + #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #POLICY CHAIN + /sbin/iptables -N POLICY + /sbin/iptables -A FORWARD -j POLICY + + /usr/sbin/firewall-forward-policy ;; startovpn) # run openvpn @@ -320,14 +319,10 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - #if [ "$DROPOUTPUT" == "on" ]; then - # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - #fi - #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW " + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi - /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper" + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" ;; stopovpn) # stop openvpn