git.ipfire.org Git - ipfire-2.x.git/blob - config/firewall/rules.pl
b5555d168228a000f5407bffbf706f5923579510
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
24 require '/var/ipfire/general-functions.pl' ;
25 require "${General::swroot}/lang.pl" ;
26 require "/usr/lib/firewall/firewall-lib.pl" ;
28 # Set to one to enable debugging mode.
31 my $IPTABLES = "iptables --wait" ;
34 my $CHAIN = "FORWARDFW" ;
35 my $CHAIN_NAT_SOURCE = "NAT_SOURCE" ;
36 my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION" ;
39 my %defaultNetworks =();
49 my %configoutgoingfw =();
55 my $configfwdfw = "${General::swroot}/firewall/config" ;
56 my $configinput = "${General::swroot}/firewall/input" ;
57 my $configoutgoing = "${General::swroot}/firewall/outgoing" ;
58 my $p2pfile = "${General::swroot}/firewall/p2protocols" ;
59 my $configgrp = "${General::swroot}/fwhosts/customgroups" ;
60 my $netsettings = "${General::swroot}/ethernet/settings" ;
61 my $errormessage = '' ;
65 my ( $TYPE , $PROT , $SPROT , $DPROT , $SPORT , $DPORT , $SRC_TGT );
66 my $conexists = 'off' ;
70 & General
:: readhash
( "${General::swroot}/firewall/settings" , \
%fwdfwsettings );
71 & General
:: readhash
( " $netsettings " , \
%defaultNetworks );
72 & General
:: readhasharray
( $configfwdfw , \
%configfwdfw );
73 & General
:: readhasharray
( $configinput , \
%configinputfw );
74 & General
:: readhasharray
( $configoutgoing , \
%configoutgoingfw );
75 & General
:: readhasharray
( $configgrp , \
%customgrp );
76 & General
:: get_aliases
( \
%aliases );
78 #check if we have an internetconnection
# NOTE(review): as rendered, neither open() in this run checks its return value (the same
# local-ipaddress file is opened with `or die` at gutter line 228), and both use a bareword
# handle with the two-argument form. The reads from CONN/CONN1 are not visible in this
# listing; a failed open would presumably leave the interface name and RED address unset.
# Confirm that the rule builder then treats the connection as absent rather than emitting
# rules without them. The three-argument form with a lexical handle
# (`open(my $fh, '<', $path) or ...`) makes the mode explicit and the failure visible.
79 open ( CONN
, "/var/ipfire/red/iface" );
# Only when the "active" marker file exists is the local RED address file opened.
83 if (- f
"/var/ipfire/red/active" ){
87 open ( CONN1
, "/var/ipfire/red/local-ipaddress" );
98 # Reload firewall rules.
101 # Load P2P block rules.
104 # Reload firewall policy.
105 run
( "/usr/sbin/firewall-policy" );
109 # Executes or prints the given shell command.
122 print STDERR
" $message \n " ;
126 run
( " $IPTABLES -F FORWARDFW" );
127 run
( " $IPTABLES -F INPUTFW" );
128 run
( " $IPTABLES -F OUTGOINGFW" );
129 run
( " $IPTABLES -t nat -F NAT_DESTINATION" );
130 run
( " $IPTABLES -t nat -F NAT_SOURCE" );
134 if (! - z
"${General::swroot}/firewall/config" ){
135 & buildrules
( \
%configfwdfw );
137 if (! - z
"${General::swroot}/firewall/input" ){
138 & buildrules
( \
%configinputfw );
140 if (! - z
"${General::swroot}/firewall/outgoing" ){
141 & buildrules
( \
%configoutgoingfw );
153 foreach my $key ( sort { $a <=> $b } keys % $hash ){
154 next if (($ $hash { $key }[ 6 ] eq 'RED' || $ $hash { $key }[ 6 ] eq 'RED1' ) && $conexists eq 'off' );
156 my $time_constraints = "" ;
159 # Check if logging should be enabled.
161 if ($ $hash { $key }[ 17 ] eq 'ON' ) {
168 # Check if NAT is enabled and initialize variables, that we use for that.
169 if ($ $hash { $key }[ 28 ] eq 'ON' ) {
173 if ($ $hash { $key }[ 31 ] eq 'dnat' ) {
176 if ($ $hash { $key }[ 30 ] =~ /\|/ ) {
177 $ $hash { $key }[ 30 ]=~ tr/|/,/ ;
178 $fireport = '-m multiport --dport ' .$ $hash { $key }[ 30 ];
180 $fireport = '--dport ' .$ $hash { $key }[ 30 ] if ($ $hash { $key }[ 30 ]> 0 );
184 } elsif ($ $hash { $key }[ 31 ] eq 'snat' ) {
188 print_error
( "Invalid NAT mode: $ $hash { $key }[31]" );
192 $natip = & get_nat_ip
($ $hash { $key }[ 29 ], $NAT_MODE );
196 if ($ $hash { $key }[ 2 ] eq 'ON' ){
198 if ($ $hash { $key }[ 3 ] eq 'cust_grp_src' ){
199 foreach my $grp ( sort { $a <=> $b } keys %customgrp ){
200 if ( $customgrp { $grp }[ 0 ] eq $ $hash { $key }[ 4 ]){
201 & get_address
( $customgrp { $grp }[ 3 ], $customgrp { $grp }[ 2 ], "src" );
205 & get_address
($ $hash { $key }[ 3 ],$ $hash { $key }[ 4 ], "src" );
208 if ($ $hash { $key }[ 5 ] eq 'cust_grp_tgt' ){
209 foreach my $grp ( sort { $a <=> $b } keys %customgrp ){
210 if ( $customgrp { $grp }[ 0 ] eq $ $hash { $key }[ 6 ]){
211 & get_address
( $customgrp { $grp }[ 3 ], $customgrp { $grp }[ 2 ], "tgt" );
214 } elsif ($ $hash { $key }[ 5 ] eq 'ipfire' ){
215 if ($ $hash { $key }[ 6 ] eq 'GREEN' ){
216 $targethash { $key }[ 0 ]= $defaultNetworks { 'GREEN_ADDRESS' };
218 if ($ $hash { $key }[ 6 ] eq 'BLUE' ){
219 $targethash { $key }[ 0 ]= $defaultNetworks { 'BLUE_ADDRESS' };
221 if ($ $hash { $key }[ 6 ] eq 'ORANGE' ){
222 $targethash { $key }[ 0 ]= $defaultNetworks { 'ORANGE_ADDRESS' };
224 if ($ $hash { $key }[ 6 ] eq 'ALL' ){
225 $targethash { $key }[ 0 ]= '0.0.0.0/0' ;
227 if ($ $hash { $key }[ 6 ] eq 'RED' || $ $hash { $key }[ 6 ] eq 'RED1' ){
228 open ( FILE
, "/var/ipfire/red/local-ipaddress" ) or die "Couldn't open local-ipaddress" ;
229 $targethash { $key }[ 0 ]= < FILE
>;
232 foreach my $alias ( sort keys %aliases ){
233 if ($ $hash { $key }[ 6 ] eq $alias ){
234 $targethash { $key }[ 0 ]= $aliases { $alias }{ 'IPT' };
239 & get_address
($ $hash { $key }[ 5 ],$ $hash { $key }[ 6 ], "tgt" );
241 ##get source prot and port
243 $SPORT = & get_port
( $hash , $key );
246 ##get target prot and port
247 $DPROT =& get_prot
( $hash , $key );
249 if ( $DPROT eq '' ){ $DPROT = ' ' ;}
250 @DPROT = split ( "," , $DPROT );
252 # Set up time constraints.
253 if ($ $hash { $key }[ 18 ] eq 'ON' ) {
254 my @time_args = ( "-m" , "time" );
256 # Select all days of the week this match is active.
258 if ($ $hash { $key }[ 19 ] ne '' ) {
259 push ( @weekdays , "Mon" );
261 if ($ $hash { $key }[ 20 ] ne '' ) {
262 push ( @weekdays , "Tue" );
264 if ($ $hash { $key }[ 21 ] ne '' ) {
265 push ( @weekdays , "Wed" );
267 if ($ $hash { $key }[ 22 ] ne '' ) {
268 push ( @weekdays , "Thu" );
270 if ($ $hash { $key }[ 23 ] ne '' ) {
271 push ( @weekdays , "Fri" );
273 if ($ $hash { $key }[ 24 ] ne '' ) {
274 push ( @weekdays , "Sat" );
276 if ($ $hash { $key }[ 25 ] ne '' ) {
277 push ( @weekdays , "Sun" );
280 push ( @time_args , ( "--weekdays" , join ( "," , @weekdays )));
283 # Convert start time.
284 my $time_start = & format_time
($ $hash { $key }[ 26 ]);
286 push ( @time_args , ( "--timestart" , $time_start ));
290 my $time_stop = & format_time
($ $hash { $key }[ 27 ]);
292 push ( @time_args , ( "--timestop" , $time_stop ));
295 # Format command line.
296 $time_constraints = join ( " " , @time_args );
299 foreach my $DPROT ( @DPROT ){
300 $DPORT = & get_port
( $hash , $key , $DPROT );
302 $PROT = "-p $PROT " if ( $PROT ne '' && $PROT ne ' ' );
303 if ( $DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){
306 foreach my $a ( sort keys %sourcehash ){
307 foreach my $b ( sort keys %targethash ){
308 if (! $sourcehash { $a }[ 0 ] || ! $targethash { $b }[ 0 ] || ( $natip eq '-d ' && $NAT ) || (! $natip && $NAT )){
309 #Skip rules when no RED IP is set (DHCP,DSL)
312 next if ( $targethash { $b }[ 0 ] eq 'none' );
314 if ( $sourcehash { $a }[ 0 ] ne $targethash { $b }[ 0 ] && $targethash { $b }[ 0 ] ne 'none' || $sourcehash { $a }[ 0 ] eq '0.0.0.0/0.0.0.0' ){
316 if ( substr ( $sourcehash { $a }[ 0 ], 3 , 3 ) ne 'mac' && $sourcehash { $a }[ 0 ] ne '' ){ $STAG = "-s" ;}
318 if ( substr ( $DPORT , 2 , 4 ) eq 'icmp' ){
319 my @icmprule = split ( "," , substr ( $DPORT , 12 ,));
321 $icmptype = "--icmp-type " ;
327 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $time_constraints -j LOG" );
329 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $time_constraints -j $ $hash { $key }[0]" );
331 #PROCESS DNAT RULE (Portforward)
332 } elsif ( $NAT && $NAT_MODE eq "DNAT" ) {
334 run
( " $IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $time_constraints -j LOG --log-prefix 'DNAT'" );
336 my ( $ip , $sub ) = split ( "/" , $targethash { $b }[ 0 ]);
337 #Process NAT with servicegroup used
338 if ($ $hash { $key }[ 14 ] eq 'cust_srvgrp' ) {
339 run
( " $IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip $DPORT " );
340 $fwaccessdport = $DPORT ;
342 run
( " $IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip $DPORT " );
345 $fwaccessdport = "--dport " . substr ( $DPORT , 1 ,);
346 } elsif (! $DPORT && $ $hash { $key }[ 30 ] ne '' ){
# NOTE(review): in `m/|/i` the `|` is an unescaped alternation between two empty patterns,
# so this test is true for every string. The substitution on the next line escapes the
# character as `\|`, and the equivalent check at gutter line 176 is written `/\|/`.
# As rendered, the plain `--dport` assignment at gutter line 351 (apparently the else
# branch; the line between is not visible) can never be reached, so a single port is also
# emitted through `-m multiport`. Use `/\|/` here if the intent is "field 30 holds a
# |-separated port list".
347 if ($ $hash { $key }[ 30 ]=~ m/|/i ){
# Rewrites field 30 of the rule in place, turning every `|` into `,`.
348 $ $hash { $key }[ 30 ] =~ s/\|/,/g ;
349 $fwaccessdport = "-m multiport --dport $ $hash { $key }[30]" ;
351 $fwaccessdport = "--dport $ $hash { $key }[30]" ;
355 run
( " $IPTABLES -A FORWARDFW $PROT $STAG $sourcehash { $a }[0] -d $ip $fwaccessdport $time_constraints -j $ $hash { $key }[0]" );
358 } elsif ( $NAT && $NAT_MODE eq "SNAT" ) {
360 run
( " $IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j LOG --log-prefix 'SNAT'" );
362 run
( " $IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j SNAT --to-source $natip " );
364 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
365 if ( $PROT ne '-p ICMP' ){
# NOTE(review): both commands below are built as one string. The chain name (rule field 1),
# the jump target (rule field 0), the source/target addresses and the port strings are
# interpolated without quoting. run() is described earlier in this file as executing "the
# given shell command"; its body is not visible in this listing. If the string reaches a
# shell, every interpolated field has to be restricted to a safe character set at the point
# where the config files are written. Confirm that validation exists for each field used here.
# Passing iptables an argument list (list-form system) would remove the shell from the path.
367 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j LOG" );
# Same match as the LOG rule above, this time jumping to the rule's configured target.
369 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j $ $hash { $key }[0]" );
371 #PROCESS Prot ICMP and type = All ICMP-Types
372 if ( $PROT eq '-p ICMP' && $ $hash { $key }[ 9 ] eq 'All ICMP-Types' ){
374 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j LOG" );
376 run
( " $IPTABLES -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $time_constraints -j $ $hash { $key }[0]" );
394 if ( $val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE' ){
395 $result = $defaultNetworks { $val . '_ADDRESS' };
396 } elsif ( $val eq 'ALL' ){
398 } elsif ( $val eq 'Default IP' && $type eq "DNAT" ){
399 $result = '-d ' . $redip ;
400 } elsif ( $val eq 'Default IP' && $type eq "SNAT" ){
403 foreach my $al ( sort keys %aliases ){
404 if ( $val eq $al && $type eq "DNAT" ){
405 $result = '-d ' . $aliases { $al }{ 'IPT' };
406 } elsif ( $val eq $al && $type eq "SNAT" ){
407 $result = $aliases { $al }{ 'IPT' };
414 # Formats the given timestamp into the iptables format which is "hh:mm" UTC.
418 # Convert the given time into minutes.
419 my $minutes = & time_convert_to_minutes
( $val );
421 # Move the timestamp into UTC.
422 $minutes += & time_utc_offset
();
424 # Make sure $minutes is between 00:00 and 23:59.
# NOTE(review): 1440 minutes is 24:00, one past the 23:59 stated above, yet the test on the
# next line is `> 1440` and so lets exactly 1440 through. The branch body is not visible in
# this listing, but unless a hidden line handles that value the sprintf below renders it
# with hour 24. A time-matched rule carrying an out-of-range time may be rejected when it is
# loaded (verify against the iptables time match), which would leave that rule missing from
# the chain. `>= 1440` keeps the result inside 00:00-23:59.
429 if ( $minutes > 1440 ) {
# %02d truncates the fractional part of $minutes / 60, so the first field is whole hours.
434 return sprintf ( " %02d : %02d " , $minutes / 60 , $minutes % 60 );
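# Calculates the offset in minutes from the local timezone to UTC.
#
# Returns (UTC minutes since midnight) - (local minutes since midnight) for the
# current instant, so adding the result to a local "minutes since midnight"
# value moves that value to UTC. The result is not normalised to a single day:
# when UTC and local time fall on different calendar days it is off by a
# multiple of 1440, and the caller is expected to wrap it.
#
# NOTE(review): the offset is the one in force when this script runs. Rules
# generated before a daylight-saving change keep the old offset until the rules
# are rebuilt. Confirm that a reload happens after such a change.
sub time_utc_offset {
    # Read the clock once so both breakdowns describe the same instant; two
    # separate reads could straddle a minute boundary and skew the offset.
    my $now = time;

    my @localtime = localtime($now);
    my @gmtime    = gmtime($now);

    # Index 2 is the hour, index 1 the minute (already 0..59).
    my $utc_minutes   = $gmtime[2] * 60 + $gmtime[1];
    my $local_minutes = $localtime[2] * 60 + $localtime[1];

    return $utc_minutes - $local_minutes;
}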
# Converts a "hh:mm" timestamp such as "14:00" into minutes since midnight.
#
# The argument is split on ":"; the first field is taken as hours and the
# second as minutes. No range or format checking is done here.
sub time_convert_to_minutes {
    my $timestamp = shift;

    my ($hours, $minutes) = split(/:/, $timestamp);

    return $hours * 60 + $minutes;
}
455 open ( FILE
, "< $p2pfile " ) or die "Unable to read $p2pfile " ;
458 my $CMD = "-m ipp2p" ;
459 foreach my $p2pentry ( sort @p2ps ) {
460 my @p2pline = split ( /\;/ , $p2pentry );
461 if ( $fwdfwsettings { 'POLICY' } eq 'MODE1' ) {
463 if ( " $p2pline [2]" eq "on" ) {
464 $P2PSTRING = " $P2PSTRING -- $p2pline [1]" ;
468 if ( " $p2pline [2]" eq "off" ) {
469 $P2PSTRING = " $P2PSTRING -- $p2pline [1]" ;
475 run
( " $IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO " );
480 my $base = shift ; #source of checking ($configfwdfw{$key}[x] or groupkey
482 my $type = shift ; #src or tgt
489 my $key = & General
:: findhasharraykey
( $hash );
490 if ( $base eq 'src_addr' || $base eq 'tgt_addr' ){
491 if (& General
:: validmac
( $base2 )){
492 $ $hash { $key }[ 0 ] = "-m mac --mac-source $base2 " ;
494 $ $hash { $key }[ 0 ] = $base2 ;
496 } elsif ( $base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network' ){
497 $ $hash { $key }[ 0 ]=& fwlib
:: get_std_net_ip
( $base2 , $con );
498 } elsif ( $base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network' ){
499 $ $hash { $key }[ 0 ]=& fwlib
:: get_net_ip
( $base2 );
500 } elsif ( $base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host' ){
501 $ $hash { $key }[ 0 ]=& fwlib
:: get_host_ip
( $base2 , $type );
502 } elsif ( $base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network' ){
503 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_net_ip
( $base2 , 1 );
504 } elsif ( $base eq 'ovpn_host_src' || $base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host' ){
505 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_host_ip
( $base2 , 33 );
506 } elsif ( $base eq 'ovpn_n2n_src' || $base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N' ){
507 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_n2n_ip
( $base2 , 11 );
508 } elsif ( $base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network' ){
509 $ $hash { $key }[ 0 ]=& fwlib
:: get_ipsec_net_ip
( $base2 , 11 );
510 } elsif ( $base eq 'ipfire_src' ){
511 if ( $base2 eq 'GREEN' ){
512 $ $hash { $key }[ 0 ]= $defaultNetworks { 'GREEN_ADDRESS' };
514 if ( $base2 eq 'BLUE' ){
515 $ $hash { $key }[ 0 ]= $defaultNetworks { 'BLUE_ADDRESS' };
517 if ( $base2 eq 'ORANGE' ){
518 $ $hash { $key }[ 0 ]= $defaultNetworks { 'ORANGE_ADDRESS' };
521 $ $hash { $key }[ 0 ]= '0.0.0.0/0' ;
523 if ( $base2 eq 'RED' || $base2 eq 'RED1' ){
# NOTE(review): this open() is unchecked, while the open of the same file at gutter line 228
# ends in `or die`. If the file cannot be opened, the readline below yields undef and that is
# what gets stored in slot 0 for this key, so the failure is silent here and fatal there.
# Pick one behaviour for both sites. FILE is a bareword (package-global) handle that other
# parts of this file also open; a lexical handle with three-argument open avoids sharing it.
524 open ( FILE
, "/var/ipfire/red/local-ipaddress" );
# Stores the first line of the file as the address for this entry.
# NOTE(review): no chomp is visible on the lines shown; confirm the trailing newline is
# removed before this value is placed into an iptables command string.
525 $ $hash { $key }[ 0 ]= < FILE
>;
528 foreach my $alias ( sort keys %aliases ){
529 if ( $base2 eq $alias ){
530 $ $hash { $key }[ 0 ]= $aliases { $alias }{ 'IPT' };
540 #check AH,GRE,ESP or ICMP
541 if ($ $hash { $key }[ 7 ] ne 'ON' && $ $hash { $key }[ 11 ] ne 'ON' ){
542 return "$ $hash { $key }[8]" ;
544 if ($ $hash { $key }[ 7 ] eq 'ON' || $ $hash { $key }[ 11 ] eq 'ON' ){
545 #check if servicegroup or service
546 if ($ $hash { $key }[ 14 ] eq 'cust_srv' ){
547 return & fwlib
:: get_srv_prot
($ $hash { $key }[ 15 ]);
548 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
549 return & fwlib
:: get_srvgrp_prot
($ $hash { $key }[ 15 ]);
550 } elsif (($ $hash { $key }[ 10 ] ne '' || $ $hash { $key }[ 15 ] ne '' ) && $ $hash { $key }[ 8 ] eq '' ){ #when ports are used and prot set to "all"
552 } elsif (($ $hash { $key }[ 10 ] ne '' || $ $hash { $key }[ 15 ] ne '' ) && ($ $hash { $key }[ 8 ] eq 'TCP' || $ $hash { $key }[ 8 ] eq 'UDP' )){ #when ports are used and prot set to "tcp" or "udp"
553 return "$ $hash { $key }[8]" ;
554 } elsif (($ $hash { $key }[ 10 ] eq '' && $ $hash { $key }[ 15 ] eq '' ) && $ $hash { $key }[ 8 ] ne 'ICMP' ){ #when ports are NOT used and prot NOT set to "ICMP"
555 return "$ $hash { $key }[8]" ;
557 return "$ $hash { $key }[8]" ;
561 if ( $SRC_TGT eq '' && $ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 11 ] eq '' && $ $hash { $key }[ 12 ] ne '' ){
562 return "$ $hash { $key }[8]" ;
570 #Get manual defined Ports from SOURCE
571 if ($ $hash { $key }[ 7 ] eq 'ON' && $SRC_TGT eq 'SRC' ){
572 if ($ $hash { $key }[ 10 ] ne '' ){
573 $ $hash { $key }[ 10 ] =~ s/\|/,/g ;
574 if ( index ($ $hash { $key }[ 10 ], "," ) > 0 ){
575 return "-m multiport --sport $ $hash { $key }[10] " ;
577 if ($ $hash { $key }[ 28 ] ne 'ON' || ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ) ||($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' ) ){
578 return "--sport $ $hash { $key }[10] " ;
580 return ":$ $hash { $key }[10]" ;
584 #Get manual ports from TARGET
585 } elsif ($ $hash { $key }[ 11 ] eq 'ON' && $SRC_TGT eq '' ){
586 if ($ $hash { $key }[ 14 ] eq 'TGT_PORT' ){
587 if ($ $hash { $key }[ 15 ] ne '' ){
588 $ $hash { $key }[ 15 ] =~ s/\|/,/g ;
589 if ( index ($ $hash { $key }[ 15 ], "," ) > 0 ){
590 return "-m multiport --dport $ $hash { $key }[15] " ;
592 if ($ $hash { $key }[ 28 ] ne 'ON' || ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ) ){
593 return "--dport $ $hash { $key }[15] " ;
595 $ $hash { $key }[ 15 ] =~ s/\:/-/g ;
596 return ":$ $hash { $key }[15]" ;
600 #Get ports defined in custom Service (firewall-groups)
601 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srv' ){
602 if ( $prot ne 'ICMP' ){
603 if ($ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 28 ] eq 'ON' ){
604 my $ports =& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 1 , $prot );
608 return "--dport " .& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 1 , $prot );
610 } elsif ( $prot eq 'ICMP' && $ $hash { $key }[ 11 ] eq 'ON' ){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
611 return "--icmp-type " .& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 3 , $prot );
613 #Get ports from services which are used in custom servicegroups (firewall-groups)
614 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
615 if ( $prot ne 'ICMP' ){
616 return & fwlib
:: get_srvgrp_port
($ $hash { $key }[ 15 ], $prot );
618 elsif ( $prot eq 'ICMP' ){
619 return & fwlib
:: get_srvgrp_port
($ $hash { $key }[ 15 ], $prot );
624 if ($ $hash { $key }[ 7 ] ne 'ON' && $ $hash { $key }[ 11 ] ne 'ON' && $SRC_TGT eq '' ){
625 if ($ $hash { $key }[ 9 ] ne '' && $ $hash { $key }[ 9 ] ne 'All ICMP-Types' ){
626 return "--icmp-type $ $hash { $key }[9] " ;
627 } elsif ($ $hash { $key }[ 9 ] eq 'All ICMP-Types' ){