Michael Tremer
47cd046aed
iptables: Remove OPENSSL{PHYSICAL,VIRTUAL} chains which are unused.
2013-08-09 14:15:33 +02:00
Michael Tremer
d5f1422d81
iptables: Jump into the firewall rulesets after everything else has been done.
2013-08-09 14:15:33 +02:00
Michael Tremer
51ab1de143
iptables: Create OVPNNAT chain after CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
815eaff433
iptables: Create guardian's chains after the CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
1e55533052
iptables: Cleanup creating the OVPNBLOCK chain.
This should happen after the CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
3b9a23ce07
iptables: Block all loopback packets on non-loopback interfaces.
2013-08-09 14:15:32 +02:00
Michael Tremer
afc611d448
iptables: Create LOOPBACK chain.
This chain accepts all communication on the loopback
interface without running it through the entire connection
tracking first.
Packets on lo can never be blocked and must always be
accepted. The firewall has to trust itself anyway.
2013-08-09 14:15:32 +02:00
Michael Tremer
c0359d6dfb
iptables: Only jump into BADTCP for TCP packets.
This saves us from evaluating lots of rules for non-TCP
packets.
2013-08-09 14:15:32 +02:00
Michael Tremer
b85d2a9819
iptables: Replace state module by conntrack module.
The state module is deprecated in recent releases of iptables
and should not be used any more.
Additionally, this patch adds an extra chain for all
connection tracking rules, so we can keep the entire ruleset
smaller and cleaner.
2013-08-09 14:15:32 +02:00
Alexander Marx
7326051edb
Forward Firewall: Updated outgoingfw-converter. Redesign of the ruletable's default rules
2013-08-09 14:15:32 +02:00
Alexander Marx
4d2e7a35d9
Forward Firewall: some text alignment in last rule row
2013-08-09 14:15:32 +02:00
Alexander Marx
a648546338
Forward Firewall: added "default-rules-table" at the end of forward ruletable
2013-08-09 14:15:31 +02:00
Alexander Marx
7f25a65fc1
Forward Firewall: moved default rules from FORWARDFW to POLICYFWD
2013-08-09 14:15:31 +02:00
Alexander Marx
e17121fee7
Forward Firewall: removed nat part from rules.pl (file nat not existent anymore)
2013-08-09 14:15:31 +02:00
Alexander Marx
b044bb0569
Forward Firewall: Bugfixes wrong interface in ruletable, when selecting alias firewall interface
2013-08-09 14:15:31 +02:00
Alexander Marx
fc83b09d43
Forward Firewall: some bugfixes
2013-08-09 14:15:31 +02:00
Alexander Marx
72586f0ff0
Forward Firewall: colorize ip addresses when possible in firewall groups. subnetmask now in cidr format
2013-08-09 14:15:31 +02:00
Alexander Marx
f1934a05ad
Forward Firewall: deleted subnets from hosts in firewallgroups, colorized all ip-addresses from the firewall-groups if possible. Some minor changes in forwardfw.cgi
2013-08-09 14:15:31 +02:00
Alexander Marx
cb4439f394
Forward Firewall: Bugfix of last commit. Added "Interface" to source or target that uses "Firewall" interfaces
2013-08-09 14:15:31 +02:00
Alexander Marx
d4cb89d2d1
Forward Firewall: When using "Firewall" as source or target, the ruletable looks confusing. There's "RED" in source and target. Now there's "INTERFACE RED".
2013-08-09 14:15:31 +02:00
root
43d8be093c
Forward Firewall: some language changes de.pl and en.pl as well as forwardfw.cgi and fwhost.cgi
2013-08-09 14:15:30 +02:00
Alexander Marx
1a8fde0e84
Forward Firewall: changed some names and added subnets to dropdowns
2013-08-09 14:15:30 +02:00
Alexander Marx
a0fb1099ef
Forward Firewall: Design changes
1) source has a new option "firewall" with dropdown for interfaces
2) source default networks->deleted IPFire, all IPs now in brackets
3) deleted warning message in Target that a mac is not usable
4) changes for "apply" button
5) in ruletable the protocol is now right beneath the ruletype column
6) changed target dropdown "INTERNET" to "RED"
7) renamed OpenVPN N-2N to OpenVPN Net-to-Net
8) set missing default firewall options
9) little changes on the en and de lang files
2013-08-09 14:15:30 +02:00
Alexander Marx
2af92cf5ac
Forward Firewall: added new line at bottom of all ruletables with the "final rule"
2013-08-09 14:15:30 +02:00
Alexander Marx
ac9e77e3ba
Forward Firewall: added missing fields to the converters (for dnat)
2013-08-09 14:15:30 +02:00
Alexander Marx
0ac6c61d37
UPNP: changed firewall chain from PORTFW to UPNPFW
2013-08-09 14:15:30 +02:00
Alexander Marx
f557ea1e59
Forward Firewall: removed PORTFWACCESS flushing from rules.pl
2013-08-09 14:15:30 +02:00
Alexander Marx
c12392c0ef
Forward Firewall: removed NAT table and txt file.
2013-08-09 14:15:29 +02:00
Alexander Marx
4f3bd0ca20
Forward Firewall: changed layout of "apply-button" (after rules were changed). When using single hosts in rules, the prefix is no longer shown in the ruletable. Default settings for firewall-options changed
2013-08-09 14:15:29 +02:00
Alexander Marx
8442c93764
Forward Firewall: removed dmz from forwardfw.cgi
2013-08-09 14:15:29 +02:00
Alexander Marx
60607a6c75
Forward Firewall: removed DMZ from rules.pl (does no longer exist, is forward now)
2013-08-09 14:15:29 +02:00
Alexander Marx
3f09f5309c
Forward Firewall: convert-dmz now puts converted files into /var/ipfire/forward/config instead of /var/ipfire/forward/dmz
2013-08-09 14:15:29 +02:00
Alexander Marx
3b2ad4a1bd
Forward Firewall: moved "firewall default behaviour" from firewall page to firewall-options page. Some changes in languagefiles de and en.
2013-08-09 14:15:29 +02:00
Alexander Marx
533a2da388
Forward Firewall: reorganised ruletable layout
2013-08-09 14:15:29 +02:00
Alexander Marx
674f4e9d51
Forward Firewall: on every reload of the new firewall-rules the firewall.local is also reloaded
2013-08-09 14:15:29 +02:00
Alexander Marx
ff4770c79b
Forward Firewall: changed /etc/init.d/firewall. deleted stop routine and rearranged iptables_init and restart routine
Now it should be possible to use /etc/init.d/firewall restart without errors
2013-08-09 14:15:29 +02:00
Alexander Marx
fb0ce57589
Forward Firewall: cleanup unused code
2013-08-09 14:15:28 +02:00
Alexander Marx
e41b651b4a
Forward Firewall: changed order of LOG and DROP rules for INPUT Chain
2013-08-09 14:15:28 +02:00
Alexander Marx
d9b691e18e
Forward Firewall: added checks if manual ip (src/tgt) is part of an OpenVPN to colour the rules accordingly
2013-08-09 14:15:28 +02:00
Alexander Marx
8762442c4e
Forward Firewall: INPUT Firewall added "ALL" with ip 0.0.0.0
2013-08-09 14:15:28 +02:00
Alexander Marx
ed9ab82c61
Forward Firewall 0.9.9.7: reordered INPUT POLICY.
2013-08-09 14:15:28 +02:00
Alexander Marx
690b0bd761
Forward Firewall: added OVPNBLOCK and fixed rules.pl to correctly get ip address of red iface
2013-08-09 14:15:28 +02:00
Michael Tremer
d2c4a3cab9
openvpnctrl: Cleanup flushChain functions.
2013-08-09 14:15:28 +02:00
Michael Tremer
2181b55552
openvpnctl: Flush BLOCK and SNAT chain when needed.
2013-08-09 14:15:28 +02:00
Alexander Marx
05d4f131e9
Forward Firewall: Implemented INPUT Firewall (extended external access)
Now you are able to define INPUT Rules on every interface ip
2013-08-09 14:15:27 +02:00
Michael Tremer
c31f18b6a9
openvpnctrl: Block all transfer subnets.
2013-08-09 14:15:27 +02:00
Michael Tremer
7c50b04834
openvpnctrl: Remove unneeded code.
2013-08-09 14:15:27 +02:00
Alexander Marx
e1eef9d53e
Forward Firewall: BUGFIX: When creating DMZ Rules with MANUAL IP as source and afterwards editing the rule, the rule was copied and not just edited.
BUGFIX: When using SNAT (outbound) the rule does not seem to work. The NAT_SOURCE chain was on wrong position in POSTROUTING
2013-08-09 14:13:12 +02:00
Alexander Marx
4682d02723
Forward Firewall: extended the customservices list
2013-08-09 14:13:12 +02:00
Alexander Marx
bac7013b21
Forward Firewall: BUGFIX - when using source Protocol and NO target protocol only the target protocol is shown in ruletable. (But rule is applied correctly)
2013-08-09 14:13:12 +02:00