}elsif($val eq 'BLUE'){
return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
}elsif($val eq 'RED'){
- return "0.0.0.0/0 -o $con";
+ return "0.0.0.0/0";
}elsif($val =~ /OpenVPN/i){
return "$ovpnsettings{'DOVPN_SUBNET'}";
}elsif($val =~ /IPsec/i){
return ;
}
}
+sub get_interface
+{
+ my $net=shift;
+ if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
+ return "$netsettings{'GREEN_DEV'}";
+ }
+ if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
+ return "$netsettings{'ORANGE_DEV'}";
+ }
+ if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
+ return "$netsettings{'BLUE_DEV'}";
+ }
+ if($net eq "0.0.0.0/0"){
+ return "$netsettings{'RED_DEV'}";
+ }
+ return "";
+}
sub get_net_ip
{
my $val=shift;
# address. Otherwise, we assume that it is an IP address.
if ($key ~~ ["src_addr", "tgt_addr"]) {
if (&General::validmac($value)) {
- push(@ret, "-m mac --mac-source $value");
+ push(@ret, ["-m mac --mac-source $value", ""]);
} else {
- push(@ret, $value);
+ push(@ret, [$value, ""]);
}
# If a default network interface (GREEN, BLUE, etc.) is selected, we
my $external_interface = &get_external_interface();
my $network_address = &get_std_net_ip($value, $external_interface);
+
if ($network_address) {
- push(@ret, $network_address);
+ my $interface = &get_interface($network_address);
+ push(@ret, [$network_address, $interface]);
}
# Custom networks.
} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
my $network_address = &get_net_ip($value);
if ($network_address) {
- push(@ret, $network_address);
+ push(@ret, [$network_address, ""]);
}
# Custom hosts.
} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
my $host_address = &get_host_ip($value, $type);
if ($host_address) {
- push(@ret, $host_address);
+ push(@ret, [$host_address, ""]);
}
# OpenVPN networks.
} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
my $network_address = &get_ovpn_net_ip($value, 1);
if ($network_address) {
- push(@ret, $network_address);
+ push(@ret, [$network_address, ""]);
}
# OpenVPN hosts.
} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
my $host_address = &get_ovpn_host_ip($value, 33);
if ($host_address) {
- push(@ret, $host_address);
+ push(@ret, [$host_address, ""]);
}
# OpenVPN N2N.
} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
my $network_address = &get_ovpn_n2n_ip($value, 11);
if ($network_address) {
- push(@ret, $network_address);
+ push(@ret, [$network_address, ""]);
}
# IPsec networks.
} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
my $network_address = &get_ipsec_net_ip($value, 11);
if ($network_address) {
- push(@ret, $network_address);
+ push(@ret, [$network_address, ""]);
}
# The firewall's own IP addresses.
} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
# ALL
if ($value eq "ALL") {
- push(@ret, "0/0");
+ push(@ret, ["0/0", ""]);
# GREEN
} elsif ($value eq "GREEN") {
- push(@ret, $netsettings{"GREEN_ADDRESS"});
+ push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
# BLUE
} elsif ($value eq "BLUE") {
- push(@ret, $netsettings{"BLUE_ADDRESS"});
+ push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
# ORANGE
} elsif ($value eq "ORANGE") {
- push(@ret, $netsettings{"ORANGE_ADDRESS"});
+ push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
# RED
} elsif ($value ~~ ["RED", "RED1"]) {
my $address = &get_external_address();
if ($address) {
- push(@ret, $address);
+ push(@ret, [$address, ""]);
}
# Aliases
} else {
my $alias = &get_alias($value);
if ($alias) {
- push(@ret, $alias);
+ push(@ret, [$alias, ""]);
}
}
# If nothing was selected, we assume "any".
} else {
- push(@ret, "0/0");
+ push(@ret, ["0/0", ""]);
}
return @ret;
}
}
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+ if ($$hash{$key}[32] eq 'ON') {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if ($$hash{$key}[34] eq 'ON') {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
# Check which protocols are used in this rule and so that we can
# later group rules by protocols.
my @protocols = &get_protocols($hash, $key);
next unless ($src);
# Sanitize source.
- my $source = $src;
+ my $source = @$src[0];
if ($source ~~ @ANY_ADDRESSES) {
$source = "";
}
+ my $source_intf = @$src[1];
+
foreach my $dst (@destinations) {
# Skip invalid rules.
next unless (defined $dst);
next if (!$dst || ($dst eq "none"));
# Sanitize destination.
- my $destination = $dst;
+ my $destination = @$dst[0];
if ($destination ~~ @ANY_ADDRESSES) {
$destination = "";
}
+ my $destination_intf = @$dst[1];
+
# Array with iptables arguments.
my @options = ();
push(@source_options, ("-s", $source));
}
+ if ($source_intf) {
+ push(@source_options, ("-i", $source_intf));
+ }
+
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
+ if ($destination_intf) {
+ push(@destination_options, ("-o", $destination_intf));
+ }
+
# Add time constraint options.
push(@options, @time_options);
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
my $firewall_is_in_source_subnet = 1;
if ($source) {
$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
# Make port-forwardings useable from the internal networks.
my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
unless ($nat_address ~~ @internal_addresses) {
- &add_dnat_mangle_rules($nat_address, @nat_options);
+ &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
}
push(@nat_options, @source_options);
}
}
}
+ #Reload firewall.local if present
+ if ( -f '/etc/sysconfig/firewall.local'){
+ run("/etc/sysconfig/firewall.local reload");
+ }
}
# Formats the given timestamp into the iptables format which is "hh:mm" UTC.
sub add_dnat_mangle_rules {
my $nat_address = shift;
+ my $interface = shift;
my @options = @_;
my $mark = 0;
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
+ next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
+
my @mangle_options = @options;
my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};
--- /dev/null
+../../../common/dnsmasq
\ No newline at end of file
--- /dev/null
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/urlfilter.cgi
+usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/rules.pl
+var/ipfire/langs
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2014 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=84
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/dnsmasq stop
+
+# Remove old files
+
+# Extract files
+extract_files
+
+# Start services
+/etc/init.d/dnsmasq start
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Don't report the exitcode last command
+exit 0
--- /dev/null
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
--- /dev/null
+../../../common/bash
\ No newline at end of file
\$("#TIME_CONSTRAINTS").toggle();
});
+ // Limit concurrent connections per ip
+ if(!\$("#USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP").attr("checked")) {
+ \$("#LIMIT_CON").hide();
+ }
+ \$("#USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP").change(function() {
+ \$("#LIMIT_CON").toggle();
+ });
+
+ // Rate-limit new connections
+ if(!\$("#USE_RATELIMIT").attr("checked")) {
+ \$("#RATELIMIT").hide();
+ }
+ \$("#USE_RATELIMIT").change(function() {
+ \$("#RATELIMIT").toggle();
+ });
+
// Automatically select radio buttons when corresponding
// dropdown menu changes.
\$("select").change(function() {
#check if we have an identical rule already
if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
foreach my $key (sort keys %configinputfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31],$configinputfw{$key}[32],$configinputfw{$key}[33],$configinputfw{$key}[34],$configinputfw{$key}[35],$configinputfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
$fwdfwsettings{'oldrulenumber'}=$maxkey;
foreach my $key (sort keys %configinputfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31],$configinputfw{$key}[32],$configinputfw{$key}[33],$configinputfw{$key}[34],$configinputfw{$key}[35],$configinputfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
}
}
}
#check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) {
if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
$errormessage='';
$fwdfwsettings{'nosave2'} = 'on';
my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
foreach my $key (sort keys %configoutgoingfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
$fwdfwsettings{'oldrulenumber'}=$maxkey;
foreach my $key (sort keys %configoutgoingfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
}
}
}
#check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) {
if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
$fwdfwsettings{'nosave2'} = 'on';
$errormessage='';
if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
#check if we have an identical rule already
foreach my $key (sort keys %configfwdfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
$fwdfwsettings{'oldrulenumber'}=$maxkey;
foreach my $key (sort keys %configfwdfw){
- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
}
}
}
#check if we just close a rule
- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}){
if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
$fwdfwsettings{'nosave2'} = 'on';
$errormessage='';
}
}
+ #check max concurrent connections per ip address
+ if ($fwdfwsettings{'LIMIT_CON_CON'} eq 'ON'){
+ if (!($fwdfwsettings{'concon'} =~ /^(\d+)$/)) {
+ $errormessage.=$Lang::tr{'fwdfw err concon'};
+ }
+ }else{
+ $fwdfwsettings{'concon'}='';
+ }
+ #check ratelimit value
+ if ($fwdfwsettings{'RATE_LIMIT'} eq 'ON'){
+ if (!($fwdfwsettings{'ratecon'} =~ /^(\d+)$/)) {
+ $errormessage.=$Lang::tr{'fwdfw err ratecon'};
+ }
+ }else{
+ $fwdfwsettings{'ratecon'}='';
+ }
#increase counters
if (!$errormessage){
if ($fwdfwsettings{'nosave2'} ne 'on'){
END
foreach my $network (sort keys %defaultNetworks)
{
- next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src');
next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
print "<option value='$defaultNetworks{$network}{'NAME'}'";
print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
$fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order
$fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29];
$fwdfwsettings{'dnatport'} = $hash{$key}[30];
+ $fwdfwsettings{'LIMIT_CON_CON'} = $hash{$key}[32];
+ $fwdfwsettings{'concon'} = $hash{$key}[33];
+ $fwdfwsettings{'RATE_LIMIT'} = $hash{$key}[34];
+ $fwdfwsettings{'ratecon'} = $hash{$key}[35];
+ $fwdfwsettings{'RATETIME'} = $hash{$key}[36];
$checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
$checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
$checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
$checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
$checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED';
$checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED';
+ $checked{'LIMIT_CON_CON'}{$fwdfwsettings{'LIMIT_CON_CON'}} = 'CHECKED';
+ $checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}} = 'CHECKED';
$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
$selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
$selected{'dnat'}{$fwdfwsettings{'dnat'}} ='selected';
$selected{'snat'}{$fwdfwsettings{'snat'}} ='selected';
+ $selected{'RATETIME'}{$fwdfwsettings{'RATETIME'}} ='selected';
}
}
$fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'};
$fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
$fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'};
$fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'};
+ $fwdfwsettings{'oldconcon'}=$fwdfwsettings{'LIMIT_CON_CON'};
+ $fwdfwsettings{'olduseratelimit'}=$fwdfwsettings{'RATE_LIMIT'};
+ $fwdfwsettings{'olduseratelimitamount'}=$fwdfwsettings{'ratecon'};
+ $fwdfwsettings{'oldratelimittime'}=$fwdfwsettings{'RATETIME'};
+
#check if manual ip (source) is orange network
if ($fwdfwsettings{'grp1'} eq 'src_addr'){
my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
$fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
$fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
$fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'};
+ $fwdfwsettings{'oldconcon'}=$fwdfwsettings{'LIMIT_CON_CON'};
#check if manual ip (source) is orange network
if ($fwdfwsettings{'grp1'} eq 'src_addr'){
my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
</table>
</td>
</tr>
+ <tr>
+ <td width='1%'>
+ <input type='checkbox' name='LIMIT_CON_CON' id="USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP" value='ON' $checked{'LIMIT_CON_CON'}{'ON'}>
+ </td>
+ <td>$Lang::tr{'fwdfw limitconcon'}</td>
+ </tr>
+ <tr id="LIMIT_CON">
+ <td colspan='2'>
+ <table width='66%' border='0'>
+ <tr>
+ <td width="20em"> </td>
+ <td>$Lang::tr{'fwdfw maxconcon'}: <input type='text' name='concon' size='2' value="$fwdfwsettings{'concon'}"></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width='1%'>
+ <input type='checkbox' name='RATE_LIMIT' id="USE_RATELIMIT" value='ON' $checked{'RATE_LIMIT'}{'ON'}>
+ </td>
+ <td>$Lang::tr{'fwdfw ratelimit'}</td>
+ </tr>
+ <tr id="RATELIMIT">
+ <td colspan='2'>
+ <table width='66%' border='0'>
+ <tr>
+ <td width="20em"> </td>
+ <td>$Lang::tr{'fwdfw numcon'}: <input type='text' name='ratecon' size='2' value="$fwdfwsettings{'ratecon'}"> /
+ <select name='RATETIME' style='width:100px;'>
+ <option value='second' $selected{'RATETIME'}{'second'}>$Lang::tr{'age second'}</option>
+ <option value='minute' $selected{'RATETIME'}{'minute'}>$Lang::tr{'minute'}</option>
+ <option value='hour' $selected{'RATETIME'}{'hour'}>$Lang::tr{'hour'}</option>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
</table>
<br>
END
<input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' />
<input type='hidden' name='oldnat' value='$fwdfwsettings{'oldnat'}' />
<input type='hidden' name='oldruletype' value='$fwdfwsettings{'oldruletype'}' />
+ <input type='hidden' name='oldconcon' value='$fwdfwsettings{'oldconcon'}' />
<input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
</table></form>
END
$$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
$$hash{$key}[30] = $fwdfwsettings{'dnatport'};
$$hash{$key}[31] = $fwdfwsettings{'nat'};
+ $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'};
+ $$hash{$key}[33] = $fwdfwsettings{'concon'};
+ $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'};
+ $$hash{$key}[35] = $fwdfwsettings{'ratecon'};
+ $$hash{$key}[36] = $fwdfwsettings{'RATETIME'};
&General::writehasharray("$config", $hash);
}else{
foreach my $key (sort {$a <=> $b} keys %$hash){
$$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
$$hash{$key}[30] = $fwdfwsettings{'dnatport'};
$$hash{$key}[31] = $fwdfwsettings{'nat'};
+ $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'};
+ $$hash{$key}[33] = $fwdfwsettings{'concon'};
+ $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'};
+ $$hash{$key}[35] = $fwdfwsettings{'ratecon'};
+ $$hash{$key}[36] = $fwdfwsettings{'RATETIME'};
last;
}
}
$errormessage=$errormessage.$Lang::tr{'fwhost err sub32'};
}
if($fwhostsettings{'error'} ne 'on'){
- #check if we use one of ipfire's networks (green,orange,blue)
- if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'GREEN_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'GREEN_NETMASK'}))
- {
- $errormessage=$errormessage.$Lang::tr{'ccd err green'}."<br>";
- $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
- if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
- }
- if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'ORANGE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'ORANGE_NETMASK'}))
- {
- $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."<br>";
- $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
- if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
- }
- if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'BLUE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'BLUE_NETMASK'}))
- {
- $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."<br>";
- $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
- if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
- }
- if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'RED_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'RED_NETMASK'}))
- {
- $errormessage=$errormessage.$Lang::tr{'ccd err red'}."<br>";
- $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
- if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
- }
+ my $fullip="$fwhostsettings{'IP'}/".&General::iporsubtocidr($fwhostsettings{'SUBNET'});
+ $errormessage=$errormessage.&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,"");
}
#only check plausi when no error till now
if (!$errormessage){
&plausicheck("editnet");
}
- #check if network ip is part of an already used one
- if(&checksubnet(\%customnetwork))
- {
- $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'};
- $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
- }
if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage)
{
$fwhostsettings{'actualize'} = '';
$customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'};
&General::writehasharray("$confignet", \%customnetwork);
undef %customnetwork;
- }
+ }
if (!$errormessage){
-
&General::readhasharray("$confignet", \%customnetwork);
if ($fwhostsettings{'ACTION'} eq 'updatenet'){
if ($fwhostsettings{'update'} == '0'){
&General::writehasharray("$fwconfiginp", \%fwinp);
}
}
- }
+ }
my $key = &General::findhasharraykey (\%customnetwork);
foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";}
$fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'});
}
&addnet;
&viewtablenet;
- }else {
+ }else{
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
&addnet;
&viewtablenet;
}
$tdcolor="<font style='color: $Header::colourblue;'>$c</font>";
return $tdcolor;
}
-
+ if ("$sip/$scidr" eq "0.0.0.0/0"){
+ $tdcolor="<font style='color: $Header::colourred;'>$c</font>";
+ return $tdcolor;
+ }
#Check if IP is part of OpenVPN N2N subnet
foreach my $key (sort keys %ccdhost){
if ($ccdhost{$key}[3] eq 'net'){
&General::readhash("${General::swroot}/vpn/settings",\%hash);
return $hash{'RW_NET'};
}
+ if ($name eq 'RED'){
+ return "0.0.0.0/0";
+ }
}
}
sub decrease
if ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')
{
print FILE " # rewrite safesearch\n";
- print FILE " s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|frghp|froogle)\\?)(.*)(\\bsafe=\\w+)(.*)\@\\1\\3safe=strict\\5\@i\n";
- print FILE " s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|frghp|froogle)\\?)(.*)\@\\1safe=strict\\\&\\3\@i\n";
+ print FILE " s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\\?)(.*)(\\bsafe=\\w+)(.*)\@\\1\\3safe=strict\\5\@i\n";
+ print FILE " s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\\?)(.*)\@\\1safe=strict\\\&\\3\@i\n";
print FILE " s@(.*\\Wsearch\\.yahoo\\.\\w+/search\\W)(.*)(\\bvm=\\w+)(.*)\@\\1\\2vm=r\\4\@i\n";
print FILE " s@(.*\\Wsearch\\.yahoo\\.\\w+/search\\W.*)\@\\1\\\&vm=r\@i\n";
print FILE " s@(.*\\Walltheweb\\.com/customize\\?)(.*)(\\bcopt_offensive=\\w+)(.*)\@\\1\\2copt_offensive=on\\4\@i\n";
+ print FILE " s@(.*\\Wbing\\.\\w+/)(.*)(\\badlt=\\w+)(.*)\@\\1\\2adlt=strict\\4\@i\n";
+ print FILE " s@(.*\\Wbing\\.\\w+/.*)\@\\1\\\&adlt=strict\@i\n";
}
print FILE "}\n\n";
'fwdfw dnat porterr' => 'Für NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden.',
'fwdfw dnat porterr2' => 'Externer Port (NAT) darf nur angegeben werden, wenn ein Ziel-Port definiert ist.',
'fwdfw edit' => 'Bearbeiten',
+'fwdfw err concon' => 'Ungültige Zahl für gleichzeitige Verbindungen',
'fwdfw err nosrc' => 'Keine Quelle ausgewählt',
'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben',
'fwdfw err notgt' => 'Kein Ziel ausgewählt',
'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben',
'fwdfw err prot_port' => 'Bei dem gewählten Protokoll sind Quell- und Zielport nicht erlaubt',
'fwdfw err prot_port1' => 'Bei Nutzung von Quell- oder Zielport muss als Protokoll TCP oder UDP gewählt werden.',
+'fwdfw err ratecon' => 'Ungültiger Wert bei Anzahl der Verbindungen für Ratenlimitierung',
'fwdfw err remark' => 'Die Bemerkung enthält ungültige Zeichen',
'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
'fwdfw err same' => 'Quelle und Ziel sind identisch',
'fwdfw hint mac' => 'Sie nutzen MAC-Adressen in der Zielgruppe. Diese werden bei der Regelerstellung übersprungen.',
'fwdfw iface' => 'Interface',
'fwdfw ipsec network' => 'IPsec-Netzwerke:',
+'fwdfw limitconcon' => 'Beschränke gleichzeitige Verbindungen je IP-Adresse',
'fwdfw log' => 'Log',
'fwdfw log rule' => 'Logging aktivieren',
'fwdfw man port' => 'Port(s):',
'fwdfw many' => 'Diverse',
+'fwdfw maxconcon' => 'Max. gleichzeitige Verbindungen',
'fwdfw menu' => 'Firewall',
'fwdfw movedown' => 'Herunter',
'fwdfw moveup' => 'Herauf',
'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.',
'fwdfw newrule' => 'Neue Regel erstellen',
+'fwdfw numcon' => 'Anzahl der Verbindungen',
'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.',
'fwdfw pol allow' => 'Zugelassen',
'fwdfw pol block' => 'Blockiert',
'fwdfw pol title' => 'Standardverhalten der Firewall',
'fwdfw prot41' => 'IPv6 Encapsulation (Protokoll 41)',
'fwdfw prot41 short' => 'IPv6 Encap',
+'fwdfw ratelimit' => 'Ratenlimitierung für neue Verbindungen',
'fwdfw red' => 'ROT',
'fwdfw reread' => 'Änderungen übernehmen',
'fwdfw rule action' => 'Regelaktion:',
'fwhost err remark' => 'Ungültige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.',
'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits',
'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
-'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufügen, keine Netzwerke',
+'fwhost err sub32' => 'Bitte Netzwerke hinzufügen, keinen einzelnen Host',
'fwhost green' => 'Grün',
'fwhost hint' => 'Hinweis',
'fwhost hosts' => 'Firewall-Hosts',
'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
'fwdfw dnat porterr2' => 'Cannot use external port (NAT) when no destination port is defined.',
'fwdfw edit' => 'Edit',
+'fwdfw err concon' => 'Invalid number for concurrent connections',
'fwdfw err nosrc' => 'No source selected.',
'fwdfw err nosrcip' => 'Please provide a source IP address.',
'fwdfw err notgt' => 'No destination selected.',
'fwdfw err notgtip' => 'Please provide a destination IP address.',
'fwdfw err prot_port' => 'Source- or targetport are not allowed with selected protocol',
'fwdfw err prot_port1' => 'When using Source- or targetport you have to select TCP or UDP for protocol',
+'fwdfw err ratecon' => 'Invalid value for connections in Rate-limit',
'fwdfw err remark' => 'Invalid characters in remark.',
'fwdfw err ruleexists' => 'This rule already exists.',
'fwdfw err same' => 'Source and destination are identical.',
'fwdfw hint mac' => 'The destination group contains MAC addresses, which will be skipped during rule creation.',
'fwdfw iface' => 'Interface',
'fwdfw ipsec network' => 'IPsec networks:',
+'fwdfw limitconcon' => 'Limit concurrent connections per IP address',
'fwdfw log' => 'Log',
'fwdfw log rule' => 'Log rule',
'fwdfw man port' => 'Port(s):',
'fwdfw many' => 'Many',
+'fwdfw maxconcon' => 'Max. concurrent connections',
'fwdfw menu' => 'Firewall',
'fwdfw movedown' => 'Move down',
'fwdfw moveup' => 'Move up',
'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.',
'fwdfw newrule' => 'New rule',
+'fwdfw numcon' => 'Number of connections',
'fwdfw p2p txt' => 'Grant/deny access to P2P networks.',
'fwdfw pol allow' => 'Allowed',
'fwdfw pol block' => 'Blocked',
'fwdfw pol title' => 'Default firewall behaviour',
'fwdfw prot41' => 'IPv6 Encapsulation (Protocol 41)',
'fwdfw prot41 short' => 'IPv6 Encap',
+'fwdfw ratelimit' => 'Rate-limit new connections',
'fwdfw red' => 'RED',
'fwdfw reread' => 'Apply changes',
'fwdfw rule action' => 'Rule action:',
'fwhost err remark' => 'Invalid remark. Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.',
'fwhost err srv exists' => 'A service with the same name already exists',
'fwhost err srvexist' => 'This service already exists in the group',
-'fwhost err sub32' => 'Please add a single host, not a network.',
+'fwhost err sub32' => 'Please add a network, not a single host',
'fwhost green' => 'Green',
'fwhost hint' => 'Note',
'fwhost hosts' => 'Firewall Hosts',
'swap usage per' => 'Swap usage per',
'system' => 'System',
'system graphs' => 'System Graphs',
-'system has hwrng' => 'This system has got a hardware random number generator.',
-'system has rdrand' => 'This system has got support for Intel(R) RDRAND.',
+'system has hwrng' => 'This system has a hardware random number generator.',
+'system has rdrand' => 'This system has support for Intel(R) RDRAND.',
'system information' => 'System Information',
'system log viewer' => 'System Log Viewer',
'system logs' => 'System Logs',
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- for i in $$(seq 1 51); do \
+ for i in $$(seq 1 53); do \
cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash/bash32-$$(printf "%03d" "$${i}") || exit 1; \
done
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch
- cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-6271.patch
- cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-7169.patch
cd $(DIR_APP) && ./configure $(EXTRA_CONFIG)
cd $(DIR_APP) && make $(EXTRA_MAKE)
include Config
-VER = 2.71
+VER = 2.72
THISAPP = dnsmasq-$(VER)
DL_FILE = $(THISAPP).tar.xz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9e2e4d59c75e71ee3ca817ff0f9be69e
+$(DL_FILE)_MD5 = 0256e0a71e27c8d8a5c89a0d18f3cfe2
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.71-support-nettle-3.0.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.70-Add-support-to-read-ISC-DHCP-lease-file.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-2.72rc2-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
-e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = squid-accounting
-PAK_VER = 2
+PAK_VER = 3
DEPS = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2 sendEmail"
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.15" # Version number
-CORE="83" # Core Level (Filename)
+CORE="84" # Core Level (Filename)
PAKFIRE_CORE="83" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
boot_mesg "Setting up firewall"
iptables_init
evaluate_retval
-
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local start
- fi
;;
reload|up)
boot_mesg "Reloading firewall"
iptables_red_up
evaluate_retval
-
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local reload
- fi
;;
down)
boot_mesg "Disabling firewall access to RED"
evaluate_retval
;;
restart)
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local stop
- fi
$0 start
;;
*)
chmod 644 /var/ipfire/accounting/acct.db
chown nobody.nobody /var/ipfire/accounting/acct.db
fi
+#Set right permissions of directory /srv/web/ipfire/html/accounting
+chown -R nobody.nobody /srv/web/ipfire/html/accounting
+chmod 755 -R /srv/web/ipfire/html/accounting
rm -f /var/ipfire/accounting/dbinstall.pl
/usr/local/bin/update-lang-cache
+++ /dev/null
-*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400
---- parse.y 2014-09-24 22:47:28.000000000 -0400
-***************
-*** 2959,2962 ****
---- 2959,2964 ----
- word_desc_to_read = (WORD_DESC *)NULL;
-
-+ eol_ungetc_lookahead = 0;
-+
- current_token = '\n'; /* XXX */
- last_read_token = '\n';
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-052
+
+Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
***************
}
#if defined (ARRAY_VARS)
--- 331,334 ----
+*** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006
+--- patchlevel.h Mon Oct 16 14:22:54 2006
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 51
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 52
+
+ #endif /* _PATCHLEVEL_H_ */
--- /dev/null
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-053
+
+Bug-Reported-by: Tavis Ormandy <taviso () cmpxchg8b com>
+Bug-Reference-ID:
+Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
+
+Bug-Description:
+
+Under certain circumstances, bash can incorrectly save a lookahead character and
+return it on a subsequent call, even when reading a new line.
+
+Patch:
+
+*** ../bash-3.2.52/parse.y 2008-04-29 21:24:55.000000000 -0400
+--- parse.y 2014-09-25 16:18:41.000000000 -0400
+***************
+*** 2504,2507 ****
+--- 2504,2509 ----
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ last_read_token = '\n';
+ token_to_read = '\n';
+*** ../bash-3.2.52/y.tab.c 2006-09-25 08:15:16.000000000 -0400
+--- y.tab.c 2014-09-25 20:28:17.000000000 -0400
+***************
+*** 3833,3836 ****
+--- 3833,3838 ----
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ last_read_token = '\n';
+ token_to_read = '\n';
+*** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006
+--- patchlevel.h Mon Oct 16 14:22:54 2006
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 52
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 53
+
+ #endif /* _PATCHLEVEL_H_ */
+++ /dev/null
-From cdb755c5f16a6768c3e8b1f345fe15fc9244228d Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed, 18 Jun 2014 20:52:53 +0100
-Subject: [PATCH] Fix FTBFS with Nettle-3.0.
-
----
- CHANGELOG | 3 +++
- src/dnssec.c | 18 ++++++++++++------
- 2 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 2ffb75d..69bfc29 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -28,6 +28,12 @@
- #include <nettle/nettle-meta.h>
- #include <nettle/bignum.h>
-
-+/* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API
-+ to detect Nettle-3, and invoke the backwards compatibility mode. */
-+#ifdef dsa_params_init
-+#include <nettle/dsa-compat.h>
-+#endif
-+
-
- #define SERIAL_UNDEF -100
- #define SERIAL_EQ 0
-@@ -121,8 +127,8 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char
- return 1;
- }
-
--static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-- unsigned char *digest, int algo)
-+static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-+ unsigned char *digest, int algo)
- {
- unsigned char *p;
- size_t exp_len;
-@@ -173,8 +179,8 @@ static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned
- return 0;
- }
-
--static int dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-- unsigned char *digest, int algo)
-+static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-+ unsigned char *digest, int algo)
- {
- unsigned char *p;
- unsigned int t;
-@@ -293,10 +299,10 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha
- switch (algo)
- {
- case 1: case 5: case 7: case 8: case 10:
-- return rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
-+ return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
-
- case 3: case 6:
-- return dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
-+ return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
-
- #ifndef NO_NETTLE_ECC
- case 13: case 14:
---
-1.7.10.4
-
+++ /dev/null
-From 063efb330a3f341c2548e2cf1f67f83e49cd6395 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Tue, 17 Jun 2014 19:49:31 +0100
-Subject: [PATCH] Build config: add -DNO_GMP for use with nettle/mini-gmp
-
----
- Makefile | 2 +-
- bld/pkg-wrapper | 9 +++++++--
- src/config.h | 7 +++++++
- src/dnssec.c | 3 ++-
- 4 files changed, 17 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index c58b50b..17eeb27 100644
---- a/Makefile
-+++ b/Makefile
-@@ -61,7 +61,7 @@ lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CON
- lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1`
- nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
- nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
--gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp`
-+gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
- sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
- version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
-
-diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper
-index 9f9332d..0ddb678 100755
---- a/bld/pkg-wrapper
-+++ b/bld/pkg-wrapper
-@@ -11,9 +11,14 @@ in=`cat`
-
- if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
- echo $in | grep $search >/dev/null 2>&1; then
--
-+# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
- if [ $op = "--copy" ]; then
-- pkg="$*"
-+ if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
-+ echo $in | grep $pkg >/dev/null 2>&1; then
-+ pkg=""
-+ else
-+ pkg="$*"
-+ fi
- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
- pkg=`$pkg --static $op $*`
-diff --git a/src/config.h b/src/config.h
-index 2155544..ee6d218 100644
---- a/src/config.h
-+++ b/src/config.h
-@@ -105,6 +105,8 @@ HAVE_AUTH
- define this to include the facility to act as an authoritative DNS
- server for one or more zones.
-
-+HAVE_DNSSEC
-+ include DNSSEC validator.
-
- NO_IPV6
- NO_TFTP
-@@ -118,6 +120,11 @@ NO_AUTH
- which are enabled by default in the distributed source tree. Building dnsmasq
- with something like "make COPTS=-DNO_SCRIPT" will do the trick.
-
-+NO_NETTLE_ECC
-+ Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
-+NO_GMP
-+ Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.
-+
- LEASEFILE
- CONFFILE
- RESOLVFILE
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 44d626b..2ffb75d 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -26,7 +26,8 @@
- # include <nettle/ecc-curve.h>
- #endif
- #include <nettle/nettle-meta.h>
--#include <gmp.h>
-+#include <nettle/bignum.h>
-+
-
- #define SERIAL_UNDEF -100
- #define SERIAL_EQ 0
---
-1.7.10.4
-
diff --git a/Makefile b/Makefile
-index 292c8bd..5e0cdbe 100644
+index 58a7975..616c6b7 100644
--- a/Makefile
+++ b/Makefile
@@ -69,7 +69,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-- domain.o dnssec.o blockdata.o
-+ domain.o dnssec.o blockdata.o isc.o
+- domain.o dnssec.o blockdata.o tables.o loop.o
++ domain.o dnssec.o blockdata.o tables.o loop.o isc.o
hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
dns-protocol.h radv-protocol.h ip6addr.h
diff --git a/src/cache.c b/src/cache.c
-index 5cec918..1f5657f 100644
+index 2c3a498..77a7046 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -17,7 +17,7 @@
cache_hash(crec);
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 1c96a0e..156ac9a 100644
+index f4a89fc..a448ec4 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
-@@ -934,6 +934,11 @@ int main (int argc, char **argv)
+@@ -940,6 +940,11 @@ int main (int argc, char **argv)
poll_resolv(0, daemon->last_resolv != 0, now);
daemon->last_resolv = now;
if (FD_ISSET(piperead, &rset))
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 3032546..a40b2a9 100644
+index e74b15a..4a35168 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
-@@ -1447,3 +1447,8 @@ void slaac_add_addrs(struct dhcp_lease *lease, time_t now, int force);
- time_t periodic_slaac(time_t now, struct dhcp_lease *leases);
+@@ -1463,9 +1463,13 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases);
void slaac_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface, struct dhcp_lease *leases);
#endif
-+
+
+/* isc.c */
+#ifdef HAVE_ISC_READER
+void load_dhcp(time_t now);
+#endif
++
+ /* loop.c */
+ #ifdef HAVE_LOOP
+ void loop_send_probes();
+ int detect_loop(char *query, int type);
+ #endif
+-
diff --git a/src/isc.c b/src/isc.c
new file mode 100644
index 0000000..5106442
+
+#endif
diff --git a/src/option.c b/src/option.c
-index daa728f..d16c982 100644
+index 45d8875..29c9ee5 100644
--- a/src/option.c
+++ b/src/option.c
-@@ -1642,7 +1642,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+@@ -1669,7 +1669,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
ret_err(_("bad MX target"));
break;