Forward Firewall: fixed 12 Bugs from forum.

1) Added more possible chars in remark: : / . 2) Added "Internet" to std networks to be able to define internetaccess 3) When renaming a custom address, the firewallrules get updated 4) Ports are now ignored when using GRE as Protocol 5) When saving a customservice, the cursor is now in first textfield 6) Added a customservices file to installation with predefined services 7) Added ESP as protocol 8) Fixed counterproblem 9) Dropdownboxes for customservices and groups now sorted 10) Firewallrules now sorted in right order 11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed 12) When defining an external access rule, the last forwardrule was deleted
2026-04-28 03:33:25 +02:00 · 2013-01-09 10:22:32 +01:00
parent af8bc0d0a8
commit 62fc851166
14 changed files with 224 additions and 1488 deletions
--- a/config/forwardfw/firewall-forward-policy
+++ b/config/forwardfw/firewall-forward-policy
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICY
+
+if [ "$POLICY" == "MODE1" ]; then
+	
+		if [ "$FWPOLICY" == "REJECT" ]; then
+			if [ "$DROPFORWARD" == "on" ]; then
+				/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+			fi
+			/sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+		fi
+		if [ "$FWPOLICY" == "DROP" ]; then
+			if [ "$DROPFORWARD" == "on" ]; then
+				/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+			fi
+			/sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
+		fi
+fi
+
+
--- a/config/forwardfw/firewall-lib.pl
+++ b/config/forwardfw/firewall-lib.pl
@@ -215,6 +215,8 @@ sub get_std_net_ip
 		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
 	}elsif($val eq 'BLUE'){
 		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+	}elsif($val eq 'RED'){
+		return "0.0.0.0/0 -o red0";
 	}elsif($val =~ /OpenVPN/i){
 		return "$ovpnsettings{'DOVPN_SUBNET'}";
 	}elsif($val =~ /IPsec/i){
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -88,10 +88,11 @@ if($param eq 'flush'){
 	&preparerules;
 	if($MODE eq '0'){
 		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
-			#system ("iptables -A $CHAIN -j DROP"); 
+			system ("/usr/sbin/firewall-forward-policy"); 
 		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
-			#system ("iptables -A $CHAIN -j ACCEPT");
+			system ("/usr/sbin/firewall-forward-policy"); 
 		}elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
+			system ("/usr/sbin/firewall-forward-policy"); 
 			system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
 		}
 	}
@@ -113,9 +114,7 @@ sub preparerules
 }
 sub buildrules
 {
-	
 	my $hash=shift;
-	
 	foreach my $key (sort keys %$hash){
 		if($$hash{$key}[2] eq 'ON'){
 			#get source ip's
@@ -163,7 +162,7 @@ sub buildrules
 			if ($DPROT eq ''){$DPROT=' ';}				
 			@DPROT=split(",",$DPROT);

-	
+
 			#get time if defined
 			if($$hash{$key}[18] eq 'ON'){
 				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
@@ -178,7 +177,7 @@ sub buildrules
 				$TIMETILL="--timestop $$hash{$key}[27] ";
 				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
 			}
-					
+
 			if ($MODE eq '1'){	
 				print "NR:$key ";
 				foreach my $i (0 .. $#{$$hash{$key}}){
@@ -187,7 +186,7 @@ sub buildrules
 				print "\n";
 				print"##################################\n";
 				#print rules to console
-				
+
 				foreach my $DPROT (@DPROT){
 					$DPORT = &get_port($hash,$key,$DPROT);
 					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
@@ -206,7 +205,7 @@ sub buildrules
 					}
 					print"\n";
 				}
-			
+
 			}elsif($MODE eq '0'){
 				foreach my $DPROT (@DPROT){
 					$DPORT = &get_port($hash,$key,$DPROT);
@@ -302,11 +301,12 @@ sub get_port
 	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
 		if ($$hash{$key}[10] ne ''){
 			return "--sport $$hash{$key}[10] ";
-		}elsif($$hash{$key}[9] ne ''){
+		}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
 			return "--icmp-type $$hash{$key}[9] ";
+		}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
+			return;
 		}
 	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
-		
 		if($$hash{$key}[14] eq 'TGT_PORT'){
 			if ($$hash{$key}[15] ne ''){
 				return "--dport $$hash{$key}[15] ";
@@ -330,8 +330,6 @@ sub get_port
 			elsif($prot eq 'ICMP'){
 				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
 			}
-			
-			
 		}
 	}
 }
--- a/config/rootfiles/common/apache2
+++ b/config/rootfiles/common/apache2
@@ -1390,7 +1390,7 @@ srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/dns.cgi
 srv/web/ipfire/cgi-bin/ddns.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
-srv/web/ipfire/cgi-bin/dmzholes.cgi
+#srv/web/ipfire/cgi-bin/dmzholes.cgi
 srv/web/ipfire/cgi-bin/extrahd.cgi
 srv/web/ipfire/cgi-bin/fireinfo.cgi
 srv/web/ipfire/cgi-bin/forwardfw.cgi
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -109,6 +109,7 @@ usr/local/bin/update-lang-cache
 #usr/local/src
 #usr/sbin
 usr/sbin/ovpn-ccd-convert
+usr/sbin/firewall-forward-policy
 #usr/share
 #usr/share/doc
 #usr/share/doc/licenses