The script now will use the previously introduced seperate firewall chains called
IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the choosen network zones in the UI and
the final firwall rules.
Fixes#12062.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The checkboxes were swapped which lead to client isolation
being enabled when the UI said disabled and vice-versa.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This enables that we scan servers in ORANGE for clients in
GREEN which absolutely makes sense.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a notice with a link to the Wiki-page https://wiki.ipfire.org/configuration/network/proxy/extend/wpad to the new WebGUI-Setion to make the user aware of the fact, that WPAD will only work correctly if he makes further adjustments:
- Add DHCP-Options for WPAD via DHCP
- Add HOST-Entries to DNS and Apache-vhost or haproxy-frontend/backend or firewall-redirect for WPAD via DNS
These additional options depend on the users environment and can not be shipped by default as they might break the users setups.
Note: The translations are only done for "en" and "de" yet!
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds the missing Web-GUI for the WPAD-Exceptions to proxy.cgi
Note: The translations are only done for "en" and "de" yet!
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URL's and IP's/Subnets from two new files:
- /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
- /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl
as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri
These can be used to define additional URL's, IP's and Subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD-Feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki-page, after the patch is merged and the core update is released.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
