From 61e1585f054ee47cf78d21abed09769c9482efc4 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 3 Jul 2011 17:49:21 +0200 Subject: [PATCH 1/4] Drop reserved ports from the web GUI. Recently, TCP/UDP ports 222 and 444 among others could not be forwarded (DNAT) to another machine on the network. This restriction is unnecessary and has now been removed. --- config/rootfiles/core/50/filelists/files | 1 + html/cgi-bin/portfw.cgi | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/50/filelists/files b/config/rootfiles/core/50/filelists/files index 9d3970772..034310c96 100644 --- a/config/rootfiles/core/50/filelists/files +++ b/config/rootfiles/core/50/filelists/files @@ -3,6 +3,7 @@ var/ipfire/langs/ etc/rc.d/init.d/console usr/local/sbin/setup var/ipfire/graphs.pl +srv/web/ipfire/cgi-bin/portfw.cgi srv/web/ipfire/cgi-bin/logs.cgi/log.dat usr/local/share/GeoIP/GeoIP.dat usr/share/hwdata/pci.ids diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi index 5583fb88a..199682f44 100644 --- a/html/cgi-bin/portfw.cgi +++ b/html/cgi-bin/portfw.cgi @@ -1038,7 +1038,7 @@ sub disallowreserved { # port 67 and 68 same for tcp and udp, don't bother putting in an array my $msg = ""; - my @tcp_reserved = (81,222,444); + my @tcp_reserved = (); my $prt = $_[0]; # the port or range my $ryn = $_[1]; # tells us whether or not it is a port range my $prot = $_[2]; # protocol From b651a44dba1874126f43da03b33e46cea55b2895 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 4 Jul 2011 12:52:43 +0200 Subject: [PATCH 2/4] squid: update to 3.1.13. --- config/rootfiles/core/50/filelists/squid | 1 + lfs/squid | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 120000 config/rootfiles/core/50/filelists/squid diff --git a/config/rootfiles/core/50/filelists/squid b/config/rootfiles/core/50/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/50/filelists/squid 
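Review bot: Emptying `@tcp_reserved` in `disallowreserved` leaves a dead list that the rest of the sub presumably still iterates, so the sub's name, the comment about ports 67/68 above it and the empty array now tell three different stories; the body of `disallowreserved` continues outside the hunk, so the loop itself is not visible here. Either remove the variable together with its loop, or mark the new line as deliberate so it does not read as a half-finished edit, e.g. `my @tcp_reserved = (); # intentionally empty: 81/222/444 may now be forwarded (core 50)`. Since a DNAT on a port that a service on the firewall itself listens on is now accepted silently, a warning in the GUI when such a port is chosen would keep an admin from unintentionally shadowing that local service with the forward.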
@@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/lfs/squid b/lfs/squid index bdc164620..ef676a2a5 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 3.1.11 +VER = 3.1.13 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4b071d2bf4959f2d081344f2f69dd2f1 +$(DL_FILE)_MD5 = 78e756135c2bd6bbaf52eb5520f8b934 install : $(TARGET) From 264c0195fbd8a897d37c81d5d74e6502ab7212a8 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 4 Jul 2011 21:41:31 +0200 Subject: [PATCH 3/4] ipsec: change grep for ikev2 status display. --- html/cgi-bin/index.cgi | 2 +- html/cgi-bin/vpnmain.cgi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index eec3f9bf3..b325250a5 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -370,7 +370,7 @@ END } else { foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || - ($line =~/ $confighash{$key}[1]\{.*INSTALLED/ )) + ($line =~/$confighash{$key}[1]\{.*INSTALLED/ )) { $active = "
$Lang::tr{'capsopen'}
"; } diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 1fa40a827..177cdf4c2 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2540,7 +2540,7 @@ END my $active = "
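Review bot: Dropping the leading space in `/$confighash{$key}[1]\{.*INSTALLED/` removes the only left-hand anchor, so a connection whose name is a suffix of another connection's name (constructed example: `vpn` and `myvpn`) now matches the other connection's status line and is shown as open; the identical pattern is in the vpnmain.cgi hunk below. The name is also interpolated into the regex unescaped, so any metacharacter in a connection name alters or breaks the match. If the IKEv2 status line places the name at line start or after whitespace, which appears to be the case the commit is fixing, `($line =~ /(?:^|\s)\Q$confighash{$key}[1]\E\{.*INSTALLED/ )` keeps the fix while restoring the anchor and quoting the name. The `foreach` begins inside the hunk, but the enclosing sub starts and ends outside it.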
$Lang::tr{'capsclosed'}
"; foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || - ($line =~ / $confighash{$key}[1]\{.*INSTALLED/)) + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { $active = "
$Lang::tr{'capsopen'}
"; } From 85cbc0a08f8f0125602244b91beb1b8e45a36e3f Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 4 Jul 2011 23:09:05 +0200 Subject: [PATCH 4/4] ipsec: fix ike firewall rule to support nat traversal. --- src/misc-progs/ipsecctrl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index c500e582e..a018289f6 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -59,9 +59,9 @@ void open_physical (char *interface, int nat_traversal_port) { // safe_system(str); // IKE - sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface); + sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface); safe_system(str); - sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface); + sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface); safe_system(str); if (! nat_traversal_port)