Michael Tremer
d840d02aee
firewall: Fix off-by-one error in configuration parser
The configuration parser determines how many comma-separated
values there are in a line. If new values are added we need
to check first if those are set in every line to avoid any
undefined behaviour. A wrong comparison parameter was used,
which caused the limit feature to never be enabled in
the rule generation.
2015-01-02 12:27:16 +01:00
Arne Fitzenreiter
52dae2ba3f
Merge branch 'next'
2014-10-10 18:13:13 +02:00
Michael Tremer
a21f2f6a76
firewall: Use correct interface for RED
2014-10-07 14:54:12 +02:00
Arne Fitzenreiter
24d36c80a6
p2pblock: fix flush rules if all p2p's are allowed.
2014-10-05 15:12:44 +02:00
Arne Fitzenreiter
2a5b19c56f
p2pblock: ipp2p must run before CONNTRACK.
And can only be used for blocking, not for accepting connections, because connections must already be established for detecting protocol types.
2014-10-04 17:39:51 +02:00
Michael Tremer
791c2b45d8
firewall: fix rules.pl for old rules without ratelimiting.
2014-10-04 13:52:15 +02:00
Michael Tremer
7e09a94a81
Merge remote-tracking branch 'amarx/BUG10620' into next
2014-09-26 13:03:22 +02:00
Michael Tremer
60bce6ba6a
Merge remote-tracking branch 'amarx/BUG10615' into next
2014-09-26 13:02:28 +02:00
Michael Tremer
df6649b0fe
Merge remote-tracking branch 'amarx/firewall-dnat' into next
Conflicts:
config/firewall/rules.pl
2014-09-26 12:55:55 +02:00
Alexander Marx
ca4259a758
BUG10620: reload firewall.local in rules.pl, no longer in initscript
2014-09-11 17:13:07 +02:00
Alexander Marx
d2793ea805
BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
2014-09-11 15:06:26 +02:00
Michael Tremer
4e9a2b5732
general-functions.pl: Replace lots of broken network code.
The state of some code, especially in general-functions.pl,
is in such a bad shape and faulty.
This is a first step that replaces some of the network
functions with those which have been tested and work for
undefined inputs.
The old functions have been left in place as stubs
and must be removed at some time.
2014-07-27 22:46:20 +02:00
Alexander Marx
48f07c1957
Firewall: make DNAT only accessible from selected source network
We added RED to the standard networks and now portforwardings are only
usable from the selected source. If "all" is selected, the portforwarding
can be used from any internal network. Else the access is only granted
from the selected source network.
2014-07-18 08:44:45 +02:00
Michael Tremer
c0e0848f99
firewall: Allow blocking access to GREEN from GREEN.
2014-05-20 11:41:23 +02:00
Alexander Marx
a43c9b6a64
Firewall: outgoingconverter fix for ipfire-src
2014-04-28 14:27:54 +02:00
Michael Tremer
ff7cb6d60f
firewall: Fix accessing port forwardings from internal networks.
When a different "external port" was used, false rules have
been created in the mangle table.
2014-04-20 18:13:35 +02:00
Michael Tremer
766c2f601d
rules.pl: Rewrite P2P protocol filter.
2014-04-12 15:40:14 +02:00
Michael Tremer
aa5f4b6568
firewall: Fix creation of automatic rules for the firewall.
If the firewall is part of a local network (e.g. GREEN),
we automatically add rules that grant/forbid access for the firewall,
too.
This has been broken for various default policies other than ALLOWED.
2014-04-12 15:16:08 +02:00
Michael Tremer
b8ec7b86ac
firewall-policy: Remove empty line.
2014-04-09 15:14:25 +02:00
Michael Tremer
fcc68a4277
firewall: Fix rule generation for protocols without ports.
2014-04-09 14:06:32 +02:00
Michael Tremer
085a20ec8b
firewall: Fix using aliases.
Fix coding errors, actually read aliases configuration
and fall back to default RED IP address if no suitable
alias was found.
2014-04-05 17:09:56 +02:00
Michael Tremer
1d9c1c3079
convert-portfw: Fix converting aliases.
ALL is not suitable as it is not a valid configuration value.
2014-04-05 17:08:17 +02:00
Arne Fitzenreiter
c926c6375d
firewall: fix green only mode.
Disable masquerade and the green IP/NET check if the internet is
connected via green.
2014-04-05 11:04:25 +02:00
Michael Tremer
025741919a
firewall: Fix perl coding error.
Example:
my @as = (1, 2, 3);
foreach my $a (@as) {
    $a += 1;
    print "$a\n";
}
$a will be a reference to the number in the array and not
copied. Therefore $a += 1 will change the numbers in the
array as well, so that after the loop the content of @as
would be (2, 3, 4).
To avoid that, the number needs to be copied into a new
variable like: my $b = $a; and we are fine.
This caused the content of the @sources and @destinations
arrays to be altered for the second run of the loop, so
incorrect (i.e. no) rules were created.
2014-03-31 13:16:26 +02:00
Michael Tremer
c26a9ed25c
firewall-policy: Clarify policy rules.
There are no functional changes here. Everything that
is not explicitly allowed is now forbidden when the
forward policy is "ALLOWED".
2014-03-30 22:33:58 +02:00
Arne Fitzenreiter
8089b78d9d
firewall-policy: fix drop and logging on red0
2014-03-29 15:06:35 +01:00
Alexander Marx
a3f2459f8f
Firewall: fix Update from core 75 to 76
2014-03-27 15:07:41 +01:00
Michael Tremer
51cf3f8be5
firewall: rules.pl: Honour time constraints for NAT rules as well.
2014-03-21 13:39:03 +01:00
Michael Tremer
f98bb538e5
firewall: rules.pl: Catch invalid configurations.
2014-03-21 13:33:08 +01:00
Michael Tremer
c0ce920610
firewall: rules.pl: Allow REDIRECT rules.
2014-03-21 13:28:00 +01:00
Alexander Marx
c71499d8d9
Firewall: Rename defaultNetworks to netsettings
2014-03-21 12:51:18 +01:00
Alexander Marx
fd169d0adc
Firewall: DNAT - Show right DNAT interface in ruletable
Now:
When using a hostgroup as source, all corresponding DNAT
interfaces are shown in the ruletable depending on the entries in the group.
When "-automatic" is selected in the DNAT area, the DNAT interfaces are
shown as IP addresses, else they are shown as "ORANGE", "GREEN", "BLUE"...
BUGFIX: When a MAC address is used in a sourcegroup, the rules could not be set. Now MAC addresses always get the public interface as DNAT.
2014-03-21 12:51:09 +01:00
Alexander Marx
4e54e3c6f5
Firewall: Move some functions from rules.pl to firewall-lib.pl
2014-03-21 12:51:04 +01:00
Michael Tremer
d7a14d01e1
firewall: rules.pl: Fix rules with other NAT port.
2014-03-21 12:40:55 +01:00
Michael Tremer
b0d9fad3f9
firewall: rules.pl: Add support for auto selection of NAT addresses.
2014-03-18 23:49:23 +01:00
Michael Tremer
da7a2208d3
firewall: rules.pl: Code cleanup.
2014-03-17 18:03:00 +01:00
Michael Tremer
5cf8c8c123
firewall: Fix DNAT rules between internal zones.
2014-03-17 17:39:47 +01:00
Michael Tremer
c2a1af7545
firewall: rules.pl: Sanitise source and destination IP addresses.
Those variables are now empty if source or destination are
unspecified.
2014-03-17 16:24:23 +01:00
Michael Tremer
e9b5ba4179
firewall: Add auxiliary rules for firewall access.
Rules for accessing the firewall are added when access
to networks (GREEN, BLUE, ...) the firewall resides in is allowed.
2014-03-10 21:31:20 +01:00
Michael Tremer
d7050fc04a
ipsec: Allow to create firewall rules for IPsec input as well.
2014-03-08 20:55:32 +01:00
Michael Tremer
0bda23f5a1
firewall: Add chain name to logged rules.
This helps us to debug faster where a packet has been dropped.
2014-03-04 12:38:13 +01:00
Michael Tremer
3bb4bb3fa1
firewall: Add rate limiting for LOG messages.
Fixes #10488.
2014-03-04 12:36:52 +01:00
Michael Tremer
824dc93601
firewall: Add a trailing space to all log prefixes for better readability.
2014-03-02 22:50:29 +01:00
Michael Tremer
9f80e81072
firewall: rules.pl: Remove unused variable $time_constraints.
2014-03-02 22:46:17 +01:00
Michael Tremer
d98aa95a55
firewall: rules.pl: Replace some hardcoded chain names.
2014-03-02 22:44:26 +01:00
Michael Tremer
1c3044d72c
firewall: Resurrect port forwardings with different external ports.
2014-03-02 22:35:27 +01:00
Michael Tremer
0e53d8a991
firewall: Make OpenVPN access also possible when INPUT policy is REJECT.
2014-03-02 20:40:00 +01:00
Michael Tremer
6e87f0aa53
firewall: Allow accessing port forwardings from internal networks.
2014-03-02 20:37:44 +01:00
Michael Tremer
8f4f4634df
firewall: rules.pl: Refactored entire script.
2014-03-02 18:23:28 +01:00
Michael Tremer
b05ec50ac9
firewall: rules.pl: Cleanup time constraints generation.
2014-03-01 20:20:56 +01:00