From b1109b8af5f0a5e3ab7f0b68211d63ab0594c0ac Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 22 Apr 2015 18:10:59 +0200 Subject: [PATCH 01/13] Enhance the security of the netfilter conntrack helpers This is suggested here https://home.regit.org/netfilter-en/secure-use-of-helpers/ and deprecated in the kernel (#10665). --- config/etc/modprobe.d/nf_conntrack.conf | 2 ++ config/rootfiles/common/stage2 | 1 + src/initscripts/init.d/firewall | 32 +++++++++++++++++++++++-- 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 config/etc/modprobe.d/nf_conntrack.conf diff --git a/config/etc/modprobe.d/nf_conntrack.conf b/config/etc/modprobe.d/nf_conntrack.conf new file mode 100644 index 000000000..d5a181306 --- /dev/null +++ b/config/etc/modprobe.d/nf_conntrack.conf @@ -0,0 +1,2 @@ +# Disable automatic conntrack helper assignment +options nf_conntrack nf_conntrack_helper=0 diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 90e28d9c4..b5a996bc4 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -22,6 +22,7 @@ etc/mime.types etc/modprobe.d etc/modprobe.d/btmrvl_sdio.conf etc/modprobe.d/cfg80211.conf +etc/modprobe.d/nf_conntrack.conf etc/modprobe.d/pcspeaker.conf etc/modules.conf etc/mtab diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 8ca02bc9d..8040ed403 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -21,9 +21,11 @@ iptables_init() { iptables -F iptables -t nat -F iptables -t mangle -F + iptables -t raw -F iptables -X iptables -t nat -X iptables -t mangle -X + iptables -t raw -X # Set up policies iptables -P INPUT DROP 
@@ -84,10 +86,36 @@ iptables_init() { iptables -A INPUT -p tcp -j BADTCP iptables -A FORWARD -p tcp -j BADTCP - # Connection tracking chain + # Connection tracking chains iptables -N CONNTRACK - iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -t raw -N CONNTRACK + iptables -t raw -A PREROUTING -j CONNTRACK + + # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/) + + # SIP + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper sip -j ACCEPT + for proto in udp tcp; do + iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip + done + + # FTP + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT + iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp + + # PPTP + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper pptp -j ACCEPT + iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp + + # TFTP + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper tftp -j ACCEPT + iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp # Fix for braindead ISP's iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu From a235f229527896f76ffa9404f6b8fb75f19d522b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 22 Apr 2015 18:13:56 +0200 Subject: [PATCH 02/13] firewall: Remove option to disable the SIP ALG --- src/initscripts/init.d/firewall | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 8040ed403..c21cba73c 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
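Review bot: The PPTP rule added to the raw CONNTRACK chain matches `-p udp --dport 1723`, but the PPTP control channel that the helper parses runs over TCP, so this rule is unlikely to attach the helper to any real session; it should read `iptables -t raw -A CONNTRACK -p tcp --dport 1723 -j CT --helper pptp`. The raw chain is also hooked only from PREROUTING, so connections opened by the firewall host itself never get a helper assigned. If that is intended, say so in a comment next to `iptables -t raw -A PREROUTING -j CONNTRACK`; otherwise add `iptables -t raw -A OUTPUT -j CONNTRACK`. The enclosing iptables_init() starts and ends outside this hunk.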
@@ -431,13 +431,6 @@ case "$1" in (exit ${failed}) evaluate_retval - if [ -e /var/ipfire/main/disable_nf_sip ]; then - rmmod nf_nat_sip - rmmod nf_conntrack_sip - rmmod nf_nat_h323 - rmmod nf_conntrack_h323 - fi - boot_mesg "Setting up firewall" iptables_init evaluate_retval From 0f5350608ed5790101caf94c19bf08a0a0c2118f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 11 May 2015 13:00:34 +0200 Subject: [PATCH 03/13] firewall: Accept related ICMP packets again This rule is required to forward ICMP error messages for aborted TCP connections and the like. --- src/initscripts/init.d/firewall | 1 + 1 file changed, 1 insertion(+) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c21cba73c..7614b51bb 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -90,6 +90,7 @@ iptables_init() { iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT iptables -t raw -N CONNTRACK iptables -t raw -A PREROUTING -j CONNTRACK From 4071b2d61bdf3e284395d80a06189d5ae7752c5b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 11 May 2015 13:04:14 +0200 Subject: [PATCH 04/13] firewall: iptables will load the conntrack modules automatically --- src/initscripts/init.d/firewall | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 7614b51bb..5d6ac3a29 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -421,17 +421,6 @@ iptables_red_down() { # See how we were called. case "$1" in start) - boot_mesg "Loading firewall modules into the kernel" - modprobe iptable_nat || failed=1 - for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do - modprobe $(basename $i | cut -d. -f1) || failed=1 - done - for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do - modprobe $(basename $i | cut -d. -f1) || failed=1 - done - (exit ${failed}) - evaluate_retval - boot_mesg "Setting up firewall" iptables_init evaluate_retval From d57c6162cb2d00fd4a4989fa3fe6924db528bce1 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 12 May 2015 13:16:40 +0200 Subject: [PATCH 05/13] firewall: Make conntrack helpers configurable --- lfs/configroot | 5 +++++ src/initscripts/init.d/firewall | 36 ++++++++++++++++++++------------- 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/lfs/configroot b/lfs/configroot index 601cdf6d3..26583a4ea 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -135,6 +135,11 @@ $(TARGET) : echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings + # Add conntrack helper default settings + for proto in FTP PPTP SIP TFTP; do \ + echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ + done + # set converters executable chmod 755 /usr/sbin/convert-* diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 5d6ac3a29..4e6fd94f1 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -97,26 +97,34 @@ iptables_init() { # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/) # SIP - iptables -A CONNTRACK -m conntrack --ctstate RELATED \ - -m helper --helper sip -j ACCEPT - for proto in udp tcp; do - iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip - done + if [ "${CONNTRACK_SIP}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper sip -j ACCEPT + for proto in udp tcp; do + iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip + done + fi # FTP - iptables -A CONNTRACK -m conntrack --ctstate RELATED \ - -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT - iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp + if [ "${CONNTRACK_FTP}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT + iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp + fi # PPTP - iptables -A CONNTRACK -m conntrack --ctstate RELATED \ - -m helper --helper pptp -j ACCEPT - iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp + if [ "${CONNTRACK_PPTP}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper pptp -j ACCEPT + iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp + fi # TFTP - iptables -A CONNTRACK -m conntrack --ctstate RELATED \ - -m helper --helper tftp -j ACCEPT - iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp + if [ "${CONNTRACK_TFTP}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper tftp -j ACCEPT + iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp + fi # Fix for braindead ISP's iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu From a93bf696170d32a45ccc76b29f68ca9b4df9ddb3 Mon Sep 17 00:00:00 2001 
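Review bot: Each `[ "${CONNTRACK_SIP}" = "on" ]` style test treats an unset or misspelled value as off, so a system whose optionsfw settings file lacks the new keys silently loses every helper once automatic assignment is disabled. This commit only appends the defaults in lfs/configroot; whether an update writes them to existing installations is not visible here. Failing closed is the safer direction, but it should be stated above the first test, e.g. `# A helper is enabled only when its setting is exactly "on"; unset means disabled`, and the update path should add the keys explicitly. Where the CONNTRACK_* variables are loaded is outside this hunk.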
From: Michael Tremer Date: Tue, 12 May 2015 13:25:04 +0200 Subject: [PATCH 06/13] firewall: Add amanda to the conntrack helpers --- lfs/configroot | 2 +- src/initscripts/init.d/firewall | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/lfs/configroot b/lfs/configroot index 26583a4ea..ae9ceec4b 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -136,7 +136,7 @@ $(TARGET) : echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings # Add conntrack helper default settings - for proto in FTP PPTP SIP TFTP; do \ + for proto in AMANDA FTP PPTP SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ done diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 4e6fd94f1..0c74e0245 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -126,6 +126,13 @@ iptables_init() { iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp fi + # Amanda + if [ "${CONNTRACK_AMANDA}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper amanda -j ACCEPT + iptables -t raw -A CONNTRACK -j CT --helper amanda + fi + # Fix for braindead ISP's iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu From 50354ffe3a946f314b5bf4f8648fa14d14c14667 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 12 May 2015 13:27:24 +0200 Subject: [PATCH 07/13] firewall: Add IRC to the conntrack helpers --- lfs/configroot | 2 +- src/initscripts/init.d/firewall | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/lfs/configroot b/lfs/configroot index ae9ceec4b..b8976c1f4 100644 --- a/lfs/configroot +++ b/lfs/configroot 
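Review bot: The raw-table rule `iptables -t raw -A CONNTRACK -j CT --helper amanda` in the Amanda block has no protocol and no port match, so it applies to every packet entering the chain rather than to Amanda control traffic, which is the broad helper assignment the guide linked in this script advises against. PATCH 10/13 later adds `-p tcp` but still no port, which would attach the helper to all TCP flows. As far as I know the kernel's amanda helper is registered for UDP port 10080, so the rule would be `iptables -t raw -A CONNTRACK -p udp --dport 10080 -j CT --helper amanda`; please confirm against the kernel in use. iptables_init() continues outside this hunk.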
@@ -136,7 +136,7 @@ $(TARGET) : echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings # Add conntrack helper default settings - for proto in AMANDA FTP PPTP SIP TFTP; do \ + for proto in AMANDA FTP IRC PPTP SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ done diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0c74e0245..d19329b9a 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -126,6 +126,13 @@ iptables_init() { iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp fi + # IRC + if [ "${CONNTRACK_IRC}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper irc -j ACCEPT + iptables -t raw -A CONNTRACK -p tcp --dport 6667 -j CT --helper irc + fi + # Amanda if [ "${CONNTRACK_AMANDA}" = "on" ]; then iptables -A CONNTRACK -m conntrack --ctstate RELATED \ From c8f8bf328f4dd6567513f942c9c1db1dcf73ef93 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 12 May 2015 13:33:08 +0200 Subject: [PATCH 08/13] firewall: Add H.323 to the conntrack helpers --- lfs/configroot | 2 +- src/initscripts/init.d/firewall | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/lfs/configroot b/lfs/configroot index b8976c1f4..8de5e6b51 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -136,7 +136,7 @@ $(TARGET) : echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings # Add conntrack helper default settings - for proto in AMANDA FTP IRC PPTP SIP TFTP; do \ + for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ done diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index d19329b9a..d5c53b81c 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
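Review bot: The filter rule added for IRC accepts every RELATED connection created by the irc helper with no protocol, port or interface restriction, unlike the FTP rule in the same function, which limits expectations to `-p tcp --dport 1024:`. DCC expectations are normally TCP connections to unprivileged ports, so the same limit fits here: `-m helper --helper irc -p tcp --dport 1024: -j ACCEPT`. The SIP, PPTP, TFTP, H.323 and Amanda RELATED rules added elsewhere in this series are equally unrestricted and could at least pin the protocol. Since lfs/configroot writes CONNTRACK_IRC=on by default, consider making this helper opt-in.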
@@ -105,6 +105,18 @@ iptables_init() { done fi + # H.323 + if [ "${CONNTRACK_H323}" = "on" ]; then + iptables -A CONNTRACK -m conntrack --ctstate RELATED \ + -m helper --helper h323 -j ACCEPT + + # Gatekeeper RAS + iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper h323 + + # Q.931 + iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper h323 + fi + # FTP if [ "${CONNTRACK_FTP}" = "on" ]; then iptables -A CONNTRACK -m conntrack --ctstate RELATED \ From e2c723627c587275e274948d026ac41a80a1705a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 12 Aug 2015 12:18:18 +0100 Subject: [PATCH 09/13] firewall: Fix H.323 helpers Signed-off-by: Michael Tremer --- src/initscripts/init.d/firewall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index d5c53b81c..978ac499f 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -111,10 +111,10 @@ iptables_init() { -m helper --helper h323 -j ACCEPT # Gatekeeper RAS - iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper h323 + iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper RAS # Q.931 - iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper h323 + iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper Q.931 fi # FTP From 2c4b9c5004f0db606612eba3965846d4a2623296 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 12 Aug 2015 12:44:26 +0100 Subject: [PATCH 10/13] firewall: Fix amanda helper This helper requires setting a layer 4 protocol. Signed-off-by: Michael Tremer --- src/initscripts/init.d/firewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 978ac499f..5b193c2c3 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
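Review bot: After PATCH 09/13 the CT target assigns the helpers named `RAS` and `Q.931`, but the filter rule above them still matches `-m helper --helper h323`. As far as I know the helper match compares against the registered helper name, so this rule would not match connections expected by either helper and their RELATED traffic would fall through to the later rules. One accept rule per helper name keeps both sides consistent, e.g. `-m helper --helper RAS -j ACCEPT` and `-m helper --helper Q.931 -j ACCEPT`, possibly with one for H.245 as well; verify the names against the loaded nf_conntrack_h323 module.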
@@ -149,7 +149,7 @@ iptables_init() { if [ "${CONNTRACK_AMANDA}" = "on" ]; then iptables -A CONNTRACK -m conntrack --ctstate RELATED \ -m helper --helper amanda -j ACCEPT - iptables -t raw -A CONNTRACK -j CT --helper amanda + iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda fi # Fix for braindead ISP's From 53a6b00c4fc7e863b8a1b22cc01f90b016184363 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 12 Aug 2015 12:46:07 +0100 Subject: [PATCH 11/13] firewall: Disable the PPTP and AMANDA conntrack helpers by default These do not seem to work at the moment. Signed-off-by: Michael Tremer --- lfs/configroot | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lfs/configroot b/lfs/configroot index 8de5e6b51..5ed1476fb 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -136,10 +136,15 @@ $(TARGET) : echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings # Add conntrack helper default settings - for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \ + for proto in FTP H323 IRC SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ done + # Do not enable these by default because these are broken + for proto in AMANDA PPTP; do \ + echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \ + done + # set converters executable chmod 755 /usr/sbin/convert-* From 63fd135400da8e15a1a0519f377c20bad67a6d0e Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 20 Aug 2015 10:56:54 +0200 Subject: [PATCH 12/13] BUG10844 add new options to firewalloptions for conntrack simple changes, so far no languagefile changes because of simple protocol names. should be clear in all languages. Signed-off-by: Michael Tremer --- html/cgi-bin/optionsfw.cgi | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 34e0cdcab..e63898599 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi 
@@ -120,6 +120,21 @@ $checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'"; $checked{'SHOWDROPDOWN'}{'off'} = ''; $checked{'SHOWDROPDOWN'}{'on'} = ''; $checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'"; +$checked{'CONNTRACK_FTP'}{'off'} = ''; +$checked{'CONNTRACK_FTP'}{'on'} = ''; +$checked{'CONNTRACK_FTP'}{$settings{'CONNTRACK_FTP'}} = "checked='checked'"; +$checked{'CONNTRACK_H323'}{'off'} = ''; +$checked{'CONNTRACK_H323'}{'on'} = ''; +$checked{'CONNTRACK_H323'}{$settings{'CONNTRACK_H323'}} = "checked='checked'"; +$checked{'CONNTRACK_IRC'}{'off'} = ''; +$checked{'CONNTRACK_IRC'}{'on'} = ''; +$checked{'CONNTRACK_IRC'}{$settings{'CONNTRACK_IRC'}} = "checked='checked'"; +$checked{'CONNTRACK_SIP'}{'off'} = ''; +$checked{'CONNTRACK_SIP'}{'on'} = ''; +$checked{'CONNTRACK_SIP'}{$settings{'CONNTRACK_SIP'}} = "checked='checked'"; +$checked{'CONNTRACK_TFTP'}{'off'} = ''; +$checked{'CONNTRACK_TFTP'}{'on'} = ''; +$checked{'CONNTRACK_TFTP'}{$settings{'CONNTRACK_TFTP'}} = "checked='checked'"; $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; $selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected'; @@ -223,7 +238,22 @@ END off $Lang::tr{'fw settings dropdown'}on / off - + +
+ + + + + + + + +
Application Layer Gateways
ftpon / + off
h323on / + off
ircon / + off
sipon / + off
tftpon / + off
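Review bot: In the `%checked` hunk of this commit, `$checked{'CONNTRACK_FTP'}{$settings{'CONNTRACK_FTP'}}` and its four siblings index the hash with whatever the settings file holds, so when a key is missing neither radio button is preselected and the page gives no hint that the init script treats the helper as off. Neither hunk shows a default or validation for the new keys; the save handler is outside the diff, so this may already be covered there. Suggest normalising before use, e.g. `$settings{$_} = 'off' unless ($settings{$_} // '') eq 'on' for qw(CONNTRACK_FTP CONNTRACK_H323 CONNTRACK_IRC CONNTRACK_SIP CONNTRACK_TFTP);`, and building the fifteen repeated assignments in a loop over the same list. These values end up in a file read by the firewall init script, so anything other than `on` or `off` should be rejected when the form is saved.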

From 6b86307cac1ed49a3d88836fc5fa90eef98a33ca Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 20 Aug 2015 23:05:40 +0100 Subject: [PATCH 13/13] firewall options: Fix translation and spelling of new ALG section Signed-off-by: Michael Tremer --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 ++ doc/language_issues.it | 2 ++ doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 ++ doc/language_missings | 4 ++++ html/cgi-bin/optionsfw.cgi | 12 ++++++------ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 13 files changed, 28 insertions(+), 6 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 1ccc65412..90accb3c0 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -423,6 +423,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log diff --git a/doc/language_issues.en b/doc/language_issues.en index b7be8627b..1f1c78d61 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -450,6 +450,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log diff --git a/doc/language_issues.es b/doc/language_issues.es index 086dfbdc9..270f1b6ee 100644 --- a/doc/language_issues.es 
+++ b/doc/language_issues.es @@ -382,6 +382,7 @@ WARNING: translation string unused: outgoing firewall reset WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn_fastio @@ -611,6 +612,7 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: age second +WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 47ee3fb3f..fa190de0d 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -390,6 +390,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn_fastio @@ -618,6 +619,7 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: age second +WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit diff --git a/doc/language_issues.it b/doc/language_issues.it index 098f4401e..c369e6c97 100644 --- a/doc/language_issues.it 
+++ b/doc/language_issues.it @@ -445,6 +445,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log @@ -671,6 +672,7 @@ WARNING: untranslated string: advproxy AUTH method ntlm auth WARNING: untranslated string: advproxy basic authentication WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required +WARNING: untranslated string: application layer gateways WARNING: untranslated string: bytes WARNING: untranslated string: check all WARNING: untranslated string: fwdfw err concon diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 602441d0b..d818973db 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -443,6 +443,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn_fastio @@ -668,6 +669,7 @@ WARNING: untranslated string: advproxy AUTH method ntlm auth WARNING: untranslated string: advproxy basic authentication WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required +WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: bytes WARNING: untranslated string: capabilities 
diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 086dfbdc9..270f1b6ee 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -382,6 +382,7 @@ WARNING: translation string unused: outgoing firewall reset WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn_fastio @@ -611,6 +612,7 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: age second +WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 94724d4c2..b4d702b33 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -384,6 +384,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn_fastio @@ -611,6 +612,7 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: age second +WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit 
diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 6f846c738..c692a46e5 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -445,6 +445,7 @@ WARNING: translation string unused: outgoing firewall view group WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config +WARNING: translation string unused: ovpn device WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log @@ -663,6 +664,7 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs +WARNING: untranslated string: application layer gateways WARNING: untranslated string: bytes WARNING: untranslated string: check all WARNING: untranslated string: fwhost addgeoipgrp diff --git a/doc/language_missings b/doc/language_missings index 9fdc0d276..21aa756c6 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -26,6 +26,7 @@ < age shour < age sminute < age ssecond +< application layer gateways < atm device < attention < bit @@ -605,6 +606,7 @@ < age shour < age sminute < age ssecond +< application layer gateways < Async logging enabled < atm device < attention @@ -1167,6 +1169,7 @@ < age shour < age sminute < age ssecond +< application layer gateways < atm device < attention < bit @@ -1715,6 +1718,7 @@ < age shour < age sminute < age ssecond +< application layer gateways < atm device < attention < bit diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index e63898599..7a0e8e0c4 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -241,16 +241,16 @@ END
$Lang::tr{'fw default drop'}

- - + - - - -
Application Layer Gateways
ftpon / +
$Lang::tr{'application layer gateways'}
FTPon / off
h323on / +
H.323on / off
ircon / +
IRCon / off
sipon / +
SIPon / off
tftpon / +
TFTPon / off
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e29541256..33f959cb7 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -367,6 +367,7 @@ 'alt vpn' => 'VPNs', 'and' => 'Und', 'apcupsd' => 'APC-UPS Status', +'application layer gateways' => 'Application-Layer-Gateways', 'apply' => 'Jetzt anwenden', 'april' => 'April', 'archive not exist' => 'Konfigurationsarchiv existiert nicht', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 80c05520b..cdb6e5b7f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -369,6 +369,7 @@ 'and' => 'And', 'ansi t1.483' => 'TO BE REMOVED', 'apcupsd' => 'APC-UPS status', +'application layer gateways' => 'Application Layer Gateways', 'apply' => 'Apply now', 'april' => 'April', 'archive not exist' => 'Configuration archive does not exist',