webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-23 01:12:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
7,561 Commits 2 Branches 1 Tag
fee04791f40ce7e4d7396fff53e5f2ed4fc5e99d
Commit Graph

59 Commits

Author SHA1 Message Date
Michael Tremer
025741919a firewall: Fix perl coding error. 
Example:
	my @as = (1, 2, 3);
	foreach my $a (@as) {
		$a += 1;
		print "$a\n";
	}

$a will be a reference to the number in the array and not
copied. Therefore $a += 1 will change the numbers in the
array as well, so that after the loop the content of @as
would be (2, 3, 4).
To avoid that, the number needs to be copied into a new
variable like: my $b = $a; and we are fine.

This caused that the content of the @sources and @destinations
array has been altered for the second run of the loop and
incorrect (i.e. no) rules were created.
 2014-03-31 13:16:26 +02:00
Michael Tremer
c26a9ed25c firewall-policy: Clarify policy rules. 
There are no functional changes here. Everything that
is not explicitely allowed is now forbidden when the
forward policy is "ALLOWED".
 2014-03-30 22:33:58 +02:00
Arne Fitzenreiter
8089b78d9d firewall-policy: fix drop and logging on red0; 2014-03-29 15:06:35 +01:00
Alexander Marx
a3f2459f8f Firewall: fix Update from core 75 to 76 2014-03-27 15:07:41 +01:00
Michael Tremer
51cf3f8be5 firewall: rules.pl: Honour time constraints for NAT rules as well. 2014-03-21 13:39:03 +01:00
Michael Tremer
f98bb538e5 firewall: rules.pl: Catch invalid configurations. 2014-03-21 13:33:08 +01:00
Michael Tremer
c0ce920610 firewall: rules.pl: Allow REDIRECT rules. 2014-03-21 13:28:00 +01:00
Alexander Marx
c71499d8d9 Firewall: Rename defaultNetworks to netsettings 2014-03-21 12:51:18 +01:00
Alexander Marx
fd169d0adc Firewall: DNAT - Show right DNAT interface in ruletable 
Now:
When using a hostgroup as source there are all corresponding DNAT
interfaces shown in ruletable depending on the entries in the group.

When in DNAT area "-automatic" is selected, the DNAT interfaces are
shown as IP-Addresses, else they are shown as "ORANGE","GREEN","BLUE"...

BUGFIX: When there is a MAC address used in a sourcegroup, the rules could not be set. Now MAC addresses get allways the public interface as DNAT
 2014-03-21 12:51:09 +01:00
Alexander Marx
4e54e3c6f5 Firewall: Move some functions from rules.pl to firewall-lib.pl 2014-03-21 12:51:04 +01:00
Michael Tremer
d7a14d01e1 firewall: rules.pl: Fix rules with other NAT port. 2014-03-21 12:40:55 +01:00
Michael Tremer
b0d9fad3f9 firewall: rules.pl: Add support for auto selection of NAT addresses. 2014-03-18 23:49:23 +01:00
Michael Tremer
da7a2208d3 firewall: rules.pl: Code cleanup. 2014-03-17 18:03:00 +01:00
Michael Tremer
5cf8c8c123 firewall: Fix DNAT rules between internal zones. 2014-03-17 17:39:47 +01:00
Michael Tremer
c2a1af7545 firewall: rules.pl: Sanitise source and destination IP addresses. 
Those variables are now empty if source or destination are
unspecified.
 2014-03-17 16:24:23 +01:00
Michael Tremer
e9b5ba4179 firewall: Add auxiliary rules for firewall access. 
Rules for accessing the firewall are added when access
to networks (GREEN, BLUE, ...) the firewall resides in is allowed.
 2014-03-10 21:31:20 +01:00
Michael Tremer
d7050fc04a ipsec: Allow to create firewall rules for IPsec input as well. 2014-03-08 20:55:32 +01:00
Michael Tremer
0bda23f5a1 firewall: Add chain name to logged rules. 
This helps us to debug faster where a packet has been dropped.
 2014-03-04 12:38:13 +01:00
Michael Tremer
3bb4bb3fa1 firewall: Add rate limiting for LOG messages. 
Fixes #10488.
 2014-03-04 12:36:52 +01:00
Michael Tremer
824dc93601 firewall: Add a trailing space to all log prefixes for better readability. 2014-03-02 22:50:29 +01:00
Michael Tremer
9f80e81072 firewall: rules.pl: Remove unused variable $time_constraints. 2014-03-02 22:46:17 +01:00
Michael Tremer
d98aa95a55 firewall: rules.pl: Replace some hardcoded chain names. 2014-03-02 22:44:26 +01:00
Michael Tremer
1c3044d72c firewall: Resurrect port forwardings with different external ports. 2014-03-02 22:35:27 +01:00
Michael Tremer
0e53d8a991 firewall: Make OpenVPN access also possible when INPUT policy is REJECT. 2014-03-02 20:40:00 +01:00
Michael Tremer
6e87f0aa53 firewall: Allow accessing port forwardings from internal networks. 2014-03-02 20:37:44 +01:00
Michael Tremer
8f4f4634df firewall: rules.pl: Refactored entire script. 2014-03-02 18:23:28 +01:00
Michael Tremer
b05ec50ac9 firewall: rules.pl: Cleanup time constraints generation. 2014-03-01 20:20:56 +01:00
Michael Tremer
6178953be5 firewall: rules.pl: Cleanup rule generation. 
Various perl coding errors that have been suppressed by "no warnings uninitialized"
have been fixed and lots of helper variables have been introduced to make
it much more clearer what the code is actually doing.
 2014-03-01 19:54:14 +01:00
Michael Tremer
1f9e7b53b7 firewall: rules.pl: Remove $command and introduce $IPTABLES. 2014-03-01 18:19:09 +01:00
Michael Tremer
8531b94ae0 firewall: rules.pl: Remove command line args parsing and rest from old debugging mode. 2014-03-01 18:07:39 +01:00
Michael Tremer
68d1eb1017 firewall: rules.pl: Introduce a more slink debugging mode. 2014-03-01 18:04:40 +01:00
Michael Tremer
97ab0569bd firewall: rules.pl: Fix some coding style. 2014-03-01 17:54:22 +01:00
Michael Tremer
b57edbd8ec firewall: rules.pl: Remove totally bloated debug mode. 2014-03-01 17:49:22 +01:00
Michael Tremer
2513ae737d firewall: Allow access to the entire GREEN/BLUE/ORANGE subnets. 
This includes the firewall itself as well.
 2014-03-01 16:04:01 +01:00
Michael Tremer
60fb533157 firewall: rules.pl: Don't reload custom firewall rules here. 2014-03-01 15:01:58 +01:00
Alexander Marx
800077a689 Firewall: Skip rules on boot when red has no ip 2014-02-27 19:42:47 +01:00
Michael Tremer
a8d1d049c6 Revert "Firewall: Fix errormessages on rulecreation when red has no IP" 
This reverts commit f942937c29.

This completely destroys external access rules and is therefore
reverted.
 2014-02-26 20:02:24 +01:00
Alexander Marx
f942937c29 Firewall: Fix errormessages on rulecreation when red has no IP 2014-02-24 19:39:39 +01:00
Alexander Marx
97bf45e516 Firewall: delete -i red0 from DNAT rules 2014-02-24 19:38:57 +01:00
Alexander Marx
525204e00f Firewall: modified DNAT and SNAT rulecreation 2014-02-24 11:54:27 +01:00
Michael Tremer
cc21b588df firewall: Remove rule that allows access to everything. 2014-02-20 13:03:28 +01:00
Michael Tremer
bcf1a62476 firewall: Fix proper check for BLUE and ORANGE devices. 2014-02-20 13:01:48 +01:00
Michael Tremer
a211fee393 firewall: Use --wait for all iptables commands. 2014-02-14 13:04:18 +01:00
Michael Tremer
73372ed4e6 firewall: Move scripts from /var/ipfire/firewall/bin to /usr/lib/firewall. 2014-01-28 20:48:24 +01:00
Alexander Marx
d334d7cb47 Firewall: Bugfix - when using addressgroups with mac addresses in source, the mac rule was not correctly created. 
Further MAC issues: in target area, the manual ip field was target
ip/mac address - changed to IP-Address
Also implemented a plausicheck, if an addressgroup with mac addresses is
used in target area, theres a hint saying that the rule will not be
applied for mac hosts
 2014-01-21 11:55:56 +01:00
Stefan Schantl
37c84696a2 Make firewall convert scripts more robust. 
The converter scripts procude a lot of error, when they get executed on a system with
a previously installed version of the New Firewall or they get run twice.

In this case the scripts will detect that their input files are missing and will exit with
an error message. The scripts now also check if the input files are empty (no corresponding
rules created) and will exit with an nothing to do message.
 2014-01-18 18:28:07 +01:00
Michael Tremer
7514fe47f6 convert-outgoingfw: Fix permissions of p2protocols configuration file. 
World access can not be granted to this file. It must
be writable by nobody and can be read by all users.
 2014-01-10 15:59:33 +01:00
Alexander Marx
454d47a994 Firewall: changed outgoingfw converter to reflect new counters 2013-12-23 08:08:27 +01:00
Alexander Marx
82b837cff8 Firewall: Added new feature: Now protocols can be added to servicegroups (GRE,AH,ESP,IPIP,IPV6) 2013-12-06 08:47:11 +01:00
Alexander Marx
784098e4db Firewall: forgot to delete a development test string 2013-12-05 15:51:15 +01:00