/var/ipfire/auth/users
/var/ipfire/dhcp/*
/var/ipfire/dnsforward/*
+/var/ipfire/forward/*
+/var/ipfire/fwhosts/*
/var/ipfire/main/*
/var/ipfire/outgoing/groups
/var/ipfire/outgoing/macgroups
use Net::IPv4Addr qw(:all);
$|=1; # line buffering
-$General::version = 'VERSION';
-$General::swroot = 'CONFIG_ROOT';
+$General::version = '2.11';
+$General::swroot = '/var/ipfire';
$General::noipprefix = 'noipg-';
$General::adminmanualurl = 'http://wiki.ipfire.org';
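Review bot: The two changed assignments replace the build placeholders with literal values, `$General::version = '2.11';` and `$General::swroot = '/var/ipfire';`, which looks like a locally substituted copy of the file committed by accident. The configroot Makefile hunk further down this page still runs `sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" -e "s+VERSION+$(VERSION)+g"` over the installed config scripts (presumably including general-functions.pl — the loop's file list is outside the hunk), so once the tokens are gone that substitution no longer applies here and the version string will silently go stale on the next release while the config root can no longer be relocated at build time. Keep `$General::version = 'VERSION';` and `$General::swroot = 'CONFIG_ROOT';` in the source tree and let the build fill them in.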
$logmessage = $1;
system('logger', '-t', $tag, $logmessage);
}
+sub setup_default_networks
+{
+ my %netsettings=();
+ my $defaultNetworks = shift;
+
+ &readhash("/var/ipfire/ethernet/settings", \%netsettings);
+
+ # Get current defined networks (Red, Green, Blue, Orange)
+ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
+ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
+
+ $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
+ if ($netsettings{'ORANGE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
+ }
+
+ if ($netsettings{'BLUE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
+ }
+
+ # OpenVPN
+ if(-e "${General::swroot}/ovpn/settings")
+ {
+ my %ovpnSettings = ();
+ &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+
+ # OpenVPN on Red?
+ if(defined($ovpnSettings{'DOVPN_SUBNET'}))
+ {
+ my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
+ $sub=&General::iporsubtocidr($sub);
+ my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
+ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
+ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
+ }
+ } # end OpenVPN
+ # IPsec RW NET
+ if(-e "${General::swroot}/vpn/settings")
+ {
+ my %ipsecsettings = ();
+ &readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+ if($ipsecsettings{'RW_NET'} ne '')
+ {
+ my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
+ $sub=&General::iporsubtocidr($sub);
+ my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
+ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
+ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
+ }
+ }
+ #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+ #my @current = <FILE>;
+ #close(FILE);
+ #my $ctr = 0;
+ #foreach my $line (@current)
+ #{
+ #if ($line ne ''){
+ #chomp($line);
+ #my @temp = split(/\,/,$line);
+ #if ($temp[2] eq '') {
+ #$temp[2] = "Alias $ctr : $temp[0]";
+ #}
+ #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+ #$ctr++;
+ #}
+ #}
+}
+sub get_aliases
+{
+
+ my $defaultNetworks = shift;
+ open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+ my @current = <FILE>;
+ close(FILE);
+ my $ctr = 0;
+ foreach my $line (@current)
+ {
+ if ($line ne ''){
+ chomp($line);
+ my @temp = split(/\,/,$line);
+ if ($temp[2] eq '') {
+ $temp[2] = "Alias $ctr : $temp[0]";
+ }
+ $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+
+ $ctr++;
+ }
+ }
+}
sub readhash
{
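Review bot: `get_aliases` turns a blank line in `ethernet/aliases` into a network entry: the `if ($line ne '')` test runs before `chomp`, so a bare newline passes, `split` yields an empty list, `$temp[2] eq ''` is true (warning on undef), and the loop stores `$defaultNetworks->{"Alias N : "}{'IPT'} = ""` — an entry with an empty address that every consumer of this hash will then offer as a selectable network. The same sub uses a bareword filehandle with two-argument `open`, and `setup_default_networks` hardcodes `&readhash("/var/ipfire/ethernet/settings", \%netsettings);` while its other calls use `${General::swroot}`. The commented-out loop at the end of `setup_default_networks` is a verbatim copy of `get_aliases` and should be dropped rather than kept as dead text. Note also that the OpenVPN and IPsec entries store their address under `'ADR'` whereas every other entry uses `'IPT'`; if that is not intentional, consumers keyed on `'IPT'` will miss them — confirm against the caller.
```perl
sub get_aliases
{
    my $defaultNetworks = shift;
    my $aliasfile = "${General::swroot}/ethernet/aliases";
    open(my $fh, '<', $aliasfile) or die "Unable to open aliases file $aliasfile: $!";
    my $ctr = 0;
    while (my $line = <$fh>) {
        chomp($line);
        # Skip empty lines; they carry no alias and must not become a network.
        next if $line eq '';
        my @temp = split(/\,/, $line);
        next if !defined $temp[0] || $temp[0] eq '';
        if (!defined $temp[2] || $temp[2] eq '') {
            $temp[2] = "Alias $ctr : $temp[0]";
        }
        $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
        $ctr++;
    }
    close($fh);
}
```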
'title' => "$Lang::tr{'ssport forwarding'}",
'enabled' => 1,
};
- $subfirewall->{'20.xtaccess'} = {
- 'caption' => $Lang::tr{'external access'},
- 'uri' => '/cgi-bin/xtaccess.cgi',
- 'title' => "$Lang::tr{'external access'}",
- 'enabled' => 1,
- };
$subfirewall->{'30.wireless'} = {
'caption' => $Lang::tr{'blue access'},
'uri' => '/cgi-bin/wireless.cgi',
'title' => "$Lang::tr{'blue access'}",
'enabled' => 1,
};
- $subfirewall->{'40.dmz'} = {
- 'caption' => $Lang::tr{'ssdmz pinholes'},
- 'uri' => '/cgi-bin/dmzholes.cgi',
- 'title' => "$Lang::tr{'dmz pinhole configuration'}",
+ $subfirewall->{'51.forward'} = {
+ 'caption' => $Lang::tr{'fwdfw menu'},
+ 'uri' => '/cgi-bin/forwardfw.cgi',
+ 'title' => "$Lang::tr{'fwdfw menu'}",
'enabled' => 1,
- };
- $subfirewall->{'50.outgoing'} = {
- 'caption' => $Lang::tr{'outgoing firewall'},
- 'uri' => '/cgi-bin/outgoingfw.cgi',
- 'title' => "$Lang::tr{'outgoing firewall'}",
- 'enabled' => 1,
- };
- $subfirewall->{'51.outgoinggrp'} = {
- 'caption' => $Lang::tr{'outgoing firewall groups'},
- 'uri' => '/cgi-bin/outgoinggrp.cgi',
- 'title' => "$Lang::tr{'outgoing firewall groups'}",
+ };
+ $subfirewall->{'65.fwhost'} = {
+ 'caption' => $Lang::tr{'fwhost menu'},
+ 'uri' => '/cgi-bin/fwhosts.cgi',
+ 'title' => "$Lang::tr{'fwhost menu'}",
'enabled' => 1,
};
- $subfirewall->{'60.upnp'} = {
+ $subfirewall->{'70.upnp'} = {
'caption' => 'UPnP',
'uri' => '/cgi-bin/upnp.cgi',
'title' => "Universal Plug and Play",
'enabled' => 0,
};
- $subfirewall->{'60.optingsfw'} = {
+ $subfirewall->{'80.optingsfw'} = {
'caption' => $Lang::tr{'options fw'},
'uri' => '/cgi-bin/optionsfw.cgi',
'title' => "$Lang::tr{'options fw'}",
'enabled' => 1,
};
- $subfirewall->{'70.iptables'} = {
+ $subfirewall->{'90.iptables'} = {
'caption' => $Lang::tr{'ipts'},
'uri' => '/cgi-bin/iptables.cgi',
'title' => "$Lang::tr{'ipts'}",
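Review bot: The menu entries for the outgoing firewall (`50.outgoing`, `51.outgoinggrp`), external access and DMZ pinholes are removed here, but elsewhere on this page the outgoing firewall backend stays installed and active: the rootfile keeps `usr/local/bin/outgoingfwctrl`, the configroot Makefile still copies `outgoingfw.pl` and makes it executable, the red.up link `22-outgoingfwctrl` remains, and the firewall init script still jumps `FORWARD` to `OUTGOINGFWMAC`. If the old rule set is meant to coexist with the new `FORWARDFW` chain during a transition, that intent is not recorded anywhere in the change; if it is not, the old chain keeps enforcing whatever is in `outgoing/rules` with no page left to inspect or edit it. Either remove the old hooks in the same change or add a comment here, e.g. `# outgoing firewall UI hidden; backend still active until forwardfw migration is complete`, so the hidden-but-live state is visible to the next reader.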
#var/ipfire/dhcp/fixleases
#var/ipfire/dhcp/settings
var/ipfire/dhcpc
-var/ipfire/dmzholes
-#var/ipfire/dmzholes/config
var/ipfire/dns
#var/ipfire/dns/settings
var/ipfire/dnsforward
var/ipfire/extrahd/scan
var/ipfire/extrahd/settings
var/ipfire/fwlogs
+var/ipfire/forward
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/settings
+var/ipfire/forward/config
+var/ipfire/forward/input
+var/ipfire/fwhosts
+var/ipfire/fwhosts/icmp-types
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
#var/ipfire/fwlogs/ipsettings
#var/ipfire/fwlogs/portsettings
var/ipfire/general-functions.pl
var/ipfire/wireless
#var/ipfire/wireless/config
#var/ipfire/wireless/settings
-var/ipfire/xtaccess
-#var/ipfire/xtaccess/config
var/ipfire/firebuild
etc/system-release
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/20-RL-firewall
etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
-etc/rc.d/init.d/networking/red.up/23-RS-snort
-etc/rc.d/init.d/networking/red.up/24-RS-qos
-etc/rc.d/init.d/networking/red.up/25-portfw
-etc/rc.d/init.d/networking/red.up/26-xtaccess
-etc/rc.d/init.d/networking/red.up/27-RS-squid
+etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+etc/rc.d/init.d/networking/red.up/24-RS-snort
+etc/rc.d/init.d/networking/red.up/25-RS-qos
+etc/rc.d/init.d/networking/red.up/26-portfw
+etc/rc.d/init.d/networking/red.up/28-RS-squid
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/networking/red.up/40-ipac
etc/rc.d/init.d/networking/red.up/50-ipsec
#usr/local/bin/mpfirectrl
usr/local/bin/openvpnctrl
usr/local/bin/outgoingfwctrl
+usr/local/bin/forwardfwctrl
usr/local/bin/pakfire
usr/local/bin/qosctrl
usr/local/bin/rebuildhosts
usr/local/bin/redctrl
#usr/local/bin/sambactrl
usr/local/bin/setaliases
-usr/local/bin/setdmzholes
usr/local/bin/setportfw
-usr/local/bin/setxtaccess
usr/local/bin/smartctrl
usr/local/bin/snortctrl
usr/local/bin/squidctrl
'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
+'forward firewall' => 'Firewall',
+'fwdfw additional' => 'Zusätzlich',
+'fwdfw action' => 'Aktion',
+'fwdfw menu' => 'Firewall',
+'fwdfw addrule' => 'Neue Regel hinzufügen:',
+'fwdfw addr grp' => 'Adress Gruppen:',
+'fwdfw change' => 'Aktualisieren',
+'fwdfw cust addr' => 'Custom Adressen:',
+'fwdfw cust net' => 'Custom Netzwerke:',
+'fwdfw copy' => 'Kopieren',
+'fwdfw delete' => 'Löschen',
+'fwdfw edit' => 'Bearbeiten',
+'fwdfw err nosrc' => 'Keine Quelle gewählt.',
+'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.',
+'fwdfw err notgt' => 'Kein Ziel gewählt.',
+'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.',
+'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.',
+'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.',
+'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.',
+'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.',
+'fwdfw err same' => 'Quelle und Ziel sind identisch.',
+'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.',
+'fwdfw err srcport' => 'Bitte Quellport angeben.',
+'fwdfw err tgtport' => 'Bitte Zielport angeben.',
+'fwdfw err tgt_addr' => 'Ziel-IP ungültig.',
+'fwdfw err tgt_port' => 'Ziel Port ungültig',
+'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.',
+'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.',
+'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.',
+'fwdfw from' => 'Von:',
+'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
+'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+'fwdfw ipsec network' => 'IPsec Netzwerke:',
+'fwdfw log rule' => 'Log Regel',
+'fwdfw man port' => 'Port(s) manuel:',
+'fwdfw moveup' => 'Hoch',
+'fwdfw movedown' => 'Runter',
+'fwdfw reread' => 'Ãœbernehmen',
+'fwdfw rules' => 'Regeln',
+'fwdfw rule action' => 'Regel Aktion:',
+'fwdfw rule activate' => 'Regel aktivieren',
+'fwdfw source' => 'Quelle',
+'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
+'fwdfw std network' => 'Standard Netzwerke:',
+'fwdfw target' => 'Ziel',
+'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):',
+'fwdfw till' => 'Bis:',
+'fwdfw time' => 'Zeitrahmen:',
+'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+'fwdfw toggle' => 'Aktivieren oder deaktivieren',
+'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
+'fwdfw use srcport' => 'Quellport benutzen',
+'fwdfw use srv' => 'Ziel-Dienstport benutzen',
+'fwdfw newrule' => 'Neue Regel',
+'fwdfw wd_mon' => 'Mo',
+'fwdfw wd_tue' => 'Di',
+'fwdfw wd_wed' => 'Mi',
+'fwdfw wd_thu' => 'Do',
+'fwdfw wd_fri' => 'Fr',
+'fwdfw wd_sat' => 'Sa',
+'fwdfw wd_sun' => 'So',
+'fwhost addgrp' => 'Gruppe:',
+'fwhost addgrpname' => 'Gruppenname:',
+'fwhost addhost' => 'Adresse:',
+'fwhost addnet' => 'Netzwerk:',
+'fwhost addrule' => 'Neue Regel hinzufügen:',
+'fwhost any' => 'Alle',
+'fwhost attention' => 'ACHTUNG',
+'fwhost back' => 'Ãœbernehmen',
+'fwhost blue' => 'Blau',
+'fwhost ccdhost' => 'OpenVPN Clients:',
+'fwhost ccdnet' => 'OpenVPN Netzwerke:',
+'fwhost change' => 'Ändern',
+'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
+'fwhost cust addr' => 'Custom Adressen:',
+'fwhost cust grp' => 'Custom Gruppen:',
+'fwhost cust net' => 'Custom Netzwerke:',
+'fwhost cust service' => 'Custom Dienste:',
+'fwhost cust srvgrp' => 'Custom Dienstgruppen',
+'fwhost deleted' => 'Gelöscht',
+'fwhost empty' => 'Keine Einträge vorhanden',
+'fwhost err addr' => 'IP oder Subnetzmaske ungültig.',
+'fwhost err addrgrp' => 'Bitte gruppenname angeben.',
+'fwhost err empty' => 'Bitte alle Felder füllen.',
+'fwhost err grpexist' => 'Gruppe existiert bereits.',
+'fwhost err groupempty' => 'Gewählte Gruppe ist leer.',
+'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err name1' => 'Name muss gefüllt sein.',
+'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!',
+'fwhost err net' => 'Netzwerk IP existiert bereits',
+'fwhost err mac' => 'MAC Adresse ungültig.',
+'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.',
+'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.',
+'fwhost err hostorip' => 'Name oder IP Adresse ungültig.',
+'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.',
+'fwhost err ip' => 'IP Addresse ungültig.',
+'fwhost err ipmac' => 'IP/MAC Addresse ungültig.',
+'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.',
+'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
+'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.',
+'fwhost err port' => 'Port muss gefüllt sein.',
+'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.',
+'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
+'fwhost green' => 'Grün',
+'fwhost hosts' => 'Firewall Hosts',
+'fwhost hint' => 'Hinweis',
+'fwhost icmptype' => 'ICMP-Typ:',
+'fwhost ipadr' => 'IP Adresse:',
+'fwhost ip_mac' => 'IP/MAC Adresse',
+'fwhost ipsec host' => 'IpSec Clients:',
+'fwhost ipsec net' => 'IpSec Netzwerke:',
+'fwhost newnet' => 'Netz Einstellungen',
+'fwhost newhost' => 'Adress Einstellungen',
+'fwhost newgrp' => 'Adress Gruppierung',
+'fwhost newservice' => 'Dienst Einstellungen',
+'fwhost newservicegrp' => 'Dienst Gruppierung',
+'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+'fwhost menu' => 'Firewall Gruppen',
+'fwhost orange' => 'Orange',
+'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+'fwhost port' => 'Port(s)',
+'fwhost prot' => 'Protokoll',
+'fwhost reset' => 'Abbrechen',
+'fwhost services' => 'Dienste',
+'fwhost srv_name' => 'Dienstname',
+'fwhost stdnet' => 'Standard Netzwerke:',
+'fwhost type' => 'Typ',
+'fwhost used' => 'Benutzt',
+'fwhost wo subnet' => '(Ohne Subnetz)',
'free' => 'Frei',
'free memory' => 'Freier Speicher ',
'free swap' => 'Freier Swap',
'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
+'forward firewall' => 'Firewall',
+'fwdfw additional' => 'Additional',
+'fwdfw action' => 'Action',
+'fwdfw menu' => 'Firewall',
+'fwdfw addrule' => 'Add new rule:',
+'fwdfw addr grp' => 'Adress groups:',
+'fwdfw change' => 'Update',
+'fwdfw cust addr' => 'Custom addresses:',
+'fwdfw cust net' => 'Custom networks:',
+'fwdfw copy' => 'Copy',
+'fwdfw delete' => 'Delete',
+'fwdfw edit' => 'Edit',
+'fwdfw err nosrc' => 'No source selected.',
+'fwdfw err nosrcip' => 'Please provide source IP address.',
+'fwdfw err notgt' => 'No target selected.',
+'fwdfw err notgtip' => 'Please provide target IP address.',
+'fwdfw err prot' => 'Source and target protocol have to match.',
+'fwdfw err remark' => 'Invalid chars in remark.',
+'fwdfw err ruleexists' => 'This rule already exists.',
+'fwdfw err src_addr' => 'Invalid source MAC/IP.',
+'fwdfw err same' => 'Identical source and target',
+'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
+'fwdfw err srcport' => 'Please provide source port.',
+'fwdfw err tgtport' => 'Please provide target port.',
+'fwdfw err tgt_addr' => 'Invalid target IP-address.',
+'fwdfw err tgt_port' => 'Invalid target port',
+'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.',
+'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+'fwdfw err time' => 'You have to define at least one day.',
+'fwdfw from' => 'From:',
+'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.',
+'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
+'fwdfw ipsec network' => 'IpSec networks:',
+'fwdfw log rule' => 'Log rule',
+'fwdfw man port' => 'Port(s) manual:',
+'fwdfw moveup' => 'Move up',
+'fwdfw movedown' => 'Move down',
+'fwdfw reread' => 'Apply',
+'fwdfw rules' => 'Rules',
+'fwdfw rule action' => 'Rule action:',
+'fwdfw rule activate' => 'Activate rule',
+'fwdfw source' => 'Source',
+'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
+'fwdfw std network' => 'Standard networks:',
+'fwdfw target' => 'Target',
+'fwdfw targetip' => 'Target address (IP or network):',
+'fwdfw till' => 'Till:',
+'fwdfw time' => 'Timeframe:',
+'fwdfw timeframe' => 'Add timeframe',
+'fwdfw toggle' => 'Activate or deactivate',
+'fwdfw togglelog' => 'Activate or deactivate logging',
+'fwdfw use srcport' => 'Use sourceport',
+'fwdfw use srv' => 'Use targetport',
+'fwdfw newrule' => 'New rule',
+'fwdfw wd_mon' => 'Mon',
+'fwdfw wd_tue' => 'Tue',
+'fwdfw wd_wed' => 'Wed',
+'fwdfw wd_thu' => 'Thu',
+'fwdfw wd_fri' => 'Fri',
+'fwdfw wd_sat' => 'Sat',
+'fwdfw wd_sun' => 'Sun',
+'fwhost addgrp' => 'Group:',
+'fwhost addgrpname' => 'Groupname:',
+'fwhost addhost' => 'Address:',
+'fwhost addnet' => 'Network:',
+'fwhost addrule' => 'Add new rule:',
+'fwhost any' => 'Any',
+'fwhost attention' => 'ATTENTION',
+'fwhost back' => 'commit',
+'fwhost blue' => 'Blue',
+'fwhost ccdhost' => 'OpenVPN clients:',
+'fwhost ccdnet' => 'OpenVPN networks:',
+'fwhost change' => 'Modify',
+'fwhost changeremark' => 'You just modified the remark!',
+'fwhost cust addr' => 'Custom addresses:',
+'fwhost cust grp' => 'Custom groups:',
+'fwhost cust net' => 'Custom networks:',
+'fwhost cust service' => 'Custom services:',
+'fwhost cust srvgrp' => 'Custom servicegroups',
+'fwhost deleted' => 'Deleted',
+'fwhost empty' => 'No entries by now',
+'fwhost err addr' => 'Invalid IP or subnet!',
+'fwhost err addrgrp' => 'Please provide a groupname!',
+'fwhost err empty' => 'Please fill in all fields!',
+'fwhost err grpexist' => 'Group already exists!',
+'fwhost err groupempty' => 'Selected Group is empty!',
+'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err name1' => 'Name is empty.',
+'fwhost err netexist' => 'A network with this name already exists!',
+'fwhost err net' => 'Network IP already exists',
+'fwhost err mac' => 'MAC address invalid',
+'fwhost err hostexist' => 'A host with this name already exists!',
+'fwhost err hostip' => 'Net or broadcast not allowed!',
+'fwhost err hostorip' => 'Name or IP invalid.',
+'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
+'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!',
+'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
+'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!',
+'fwhost err isingrp' => 'This entry already exists in the group!',
+'fwhost err ip' => 'IP address invalid.',
+'fwhost err ipmac' => 'IP/MAC address invalid.',
+'fwhost err ipcheck' => 'This IP address is already in use!',
+'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
+'fwhost err partofnet' => 'This network is part of an already existing one!',
+'fwhost err port' => 'Port is empty.',
+'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists' => 'A Service with this name already exists.',
+'fwhost err sub32' => 'Please add single host. This subnet is no network!',
+'fwhost green' => 'Green',
+'fwhost hosts' => 'Firewall Hosts',
+'fwhost hint' => 'Note',
+'fwhost icmptype' => 'ICMP type:',
+'fwhost ipadr' => 'IP address:',
+'fwhost ip_mac' => 'IP/MAC address',
+'fwhost ipsec host' => 'IPsec clients:',
+'fwhost ipsec net' => 'IPsec networks:',
+'fwhost netaddress' => 'Network address:',
+'fwhost newnet' => 'Network',
+'fwhost newhost' => 'Host',
+'fwhost newgrp' => 'Address grouping',
+'fwhost newservice' => 'Service',
+'fwhost newservicegrp' => 'Service grouping',
+'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!',
+'fwhost menu' => 'Firewall Groups',
+'fwhost orange' => 'Orange',
+'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+'fwhost port' => 'Port(s)',
+'fwhost prot' => 'Protocol',
+'fwhost reset' => 'Cancel',
+'fwhost services' => 'Services',
+'fwhost srv_name' => 'Servicename',
+'fwhost stdnet' => 'Standard networks:',
+'fwhost type' => 'Type',
+'fwhost used' => 'Used',
+'fwhost wo subnet' => '(without subnet)',
'free' => 'Free',
'free memory' => 'Free Memory ',
'free swap' => 'Free Swap',
@$(PREBUILD)
# Create all directories
- for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \
- ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+ for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
+ ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
- wakeonlan wireless xtaccess ; do \
+ wakeonlan wireless ; do \
mkdir -p $(CONFIG_ROOT)/$$i; \
done
# Touch empty files
for i in auth/users backup/include.user backup/exclude.user \
certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
- dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
+ forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
- ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
- touch $(CONFIG_ROOT)/$$i; \
+ touch $(CONFIG_ROOT)/$$i; \
done
# Copy initial configfiles
cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
- cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list
cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl
cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler
cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/
cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings
- cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
+ cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults
cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings
cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
- cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
- cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
- cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
- cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
+ cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
+ cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
+ cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
- cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
- cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
- cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config
+ cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
+ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
- cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
+ cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced
cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
- cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
-
+ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
# Oneliner configfiles
echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ # Set outgoingfw.pl executable
+ chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+
+
+
# Modify variables in header.pl
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
-e "s+VERSION+$(VERSION)+g" \
done
chown root:nobody $(CONFIG_ROOT)/dhcpc
- # Set outgoingfw.pl executable
- chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
-
+
@$(POSTBUILD)
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
/etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+ ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+ /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
ln -sf ../../../../../usr/local/bin/snortctrl \
- /etc/rc.d/init.d/networking/red.up/23-RS-snort
+ /etc/rc.d/init.d/networking/red.up/24-RS-snort
ln -sf ../../../../../usr/local/bin/qosctrl \
- /etc/rc.d/init.d/networking/red.up/24-RS-qos
+ /etc/rc.d/init.d/networking/red.up/25-RS-qos
ln -sf ../../../../../usr/local/bin/setportfw \
- /etc/rc.d/init.d/networking/red.up/25-portfw
- ln -sf ../../../../../usr/local/bin/setxtaccess \
- /etc/rc.d/init.d/networking/red.up/26-xtaccess
+ /etc/rc.d/init.d/networking/red.up/26-portfw
ln -sf ../../../../../usr/local/bin/dialctrl.pl \
/etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
- ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
-
+ ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
ln -sf ../../../../../usr/local/bin/dialctrl.pl \
# Outgoing Firewall
/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
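Review bot: The new `-A INPUT -m state --state NEW -j INPUTFW` jump in the "Input Firewall" block sits before the two loopback rules that follow it, so a NEW packet with a 127.0.0.0/8 source arriving on a non-lo interface is evaluated by the user-defined INPUTFW chain before the anti-spoof DROP at the end of this hunk; an ACCEPT in INPUTFW that matches on port or destination alone would admit it. Appending the INPUTFW jump after the two loopback rules (or prefixing it with `! -i lo`) preserves the ordering guarantee the script had before. Separately, the FORWARDFW jump carries no `-m state --state NEW` qualifier while the INPUTFW jump here and the existing PORTFWACCESS jump visible in the next hunk do, so every forwarded packet, ESTABLISHED ones included, traverses FORWARDFW; if that is intended because rules.pl handles state itself, a comment saying so would help, otherwise `/sbin/iptables -A FORWARD -m state --state NEW -j FORWARDFW` matches the other chains. The enclosing script function continues outside the hunk.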
iptables_red
- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
- # ORANGE to talk to GREEN / BLUE.
- /sbin/iptables -N DMZHOLES
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
- fi
-
- # XTACCESS chain, used for external access
- /sbin/iptables -N XTACCESS
- /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
# (exit ${failed})
# evaluate_retval
- boot_mesg "Setting up DMZ pinholes"
- /usr/local/bin/setdmzholes; evaluate_retval
-
+
if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
boot_mesg "Setting up wireless firewall rules"
/usr/local/bin/wirelessctrl; evaluate_retval
COMPILE=$(CC) $(CFLAGS)
PROGS = iowrap
-SUID_PROGS = setdmzholes setportfw setxtaccess \
+SUID_PROGS = setportfw \
squidctrl sshctrl ipfirereboot \
ipsecctrl timectrl dhcpctrl snortctrl \
applejuicectrl rebuildhosts backupctrl \
- logwatch openvpnctrl outgoingfwctrl \
+ logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
wirelessctrl getipstat qosctrl launch-ether-wake \
redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
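Review bot: forwardfwctrl is added to SUID_PROGS and will therefore run as root, but its source is not in this view, so whether it hands off to `$(CONFIG_ROOT)/forward/bin/rules.pl` via a fixed absolute path, after `initsetuid()` like the existing helpers, and without user-controlled arguments cannot be verified here. The two helpers this commit deletes, setdmzholes.c and setxtaccess.c, validated every configuration field with VALID_PROTOCOL/VALID_IP_AND_MASK/VALID_PORT_RANGE before building the iptables command line; rules.pl, also outside this view, presumably consumes the same kind of user-edited config under root and should keep equivalent per-field validation. A short comment beside the new SUID_PROGS entry naming what forwardfwctrl executes would help future reviewers.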
outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
- $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-
setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+++ /dev/null
-/* SmoothWall helper program - setdmzhole\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence. See the file COPYING for details.\r
- *\r
- * (c) Daniel Goscomb, 2001\r
- * \r
- * Modifications and improvements by Lawrence Manning.\r
- *\r
- * 10/04/01 Aslak added protocol support\r
- * This program reads the list of ports to forward and setups iptables\r
- * and rules in ipmasqadm to enable them.\r
- * \r
- * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $\r
- * \r
- */\r
-#include "libsmooth.h"\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <stdlib.h>\r
-#include "setuid.h"\r
-\r
-FILE *fwdfile = NULL;\r
-\r
-void exithandler(void)\r
-{\r
- if (fwdfile)\r
- fclose(fwdfile);\r
-}\r
-\r
-int main(void)\r
-{\r
- int count;\r
- char *protocol;\r
- char *locip;\r
- char *remip;\r
- char *remport;\r
- char *enabled;\r
- char *src_net;\r
- char *dst_net;\r
- char s[STRING_SIZE];\r
- char *result;\r
- struct keyvalue *kv = NULL;\r
- char orange_dev[STRING_SIZE] = "";\r
- char blue_dev[STRING_SIZE] = "";\r
- char green_dev[STRING_SIZE] = "";\r
- char *idev;\r
- char *odev;\r
- char command[STRING_SIZE];\r
-\r
- if (!(initsetuid()))\r
- exit(1);\r
-\r
- atexit(exithandler);\r
-\r
- kv=initkeyvalues();\r
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
- {\r
- fprintf(stderr, "Cannot read ethernet settings\n");\r
- exit(1);\r
- }\r
-\r
- if (!findkey(kv, "GREEN_DEV", green_dev))\r
- {\r
- fprintf(stderr, "Cannot read GREEN_DEV\n");\r
- exit(1);\r
- }\r
- findkey(kv, "BLUE_DEV", blue_dev);\r
- findkey(kv, "ORANGE_DEV", orange_dev);\r
-\r
- if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))\r
- {\r
- fprintf(stderr, "Couldn't open dmzholes settings file\n");\r
- exit(1);\r
- }\r
-\r
- safe_system("/sbin/iptables -F DMZHOLES");\r
-\r
- while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
- {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- result = strtok(s, ",");\r
- \r
- count = 0;\r
- protocol = NULL;\r
- locip = NULL; remip = NULL;\r
- remport = NULL;\r
- enabled = NULL;\r
- src_net = NULL;\r
- dst_net = NULL;\r
- idev = NULL;\r
- odev = NULL;\r
- \r
- while (result)\r
- {\r
- if (count == 0)\r
- protocol = result;\r
- else if (count == 1)\r
- locip = result;\r
- else if (count == 2)\r
- remip = result;\r
- else if (count == 3)\r
- remport = result;\r
- else if (count == 4)\r
- enabled = result;\r
- else if (count == 5)\r
- src_net = result;\r
- else if (count == 6)\r
- dst_net = result;\r
- count++;\r
- result = strtok(NULL, ",");\r
- }\r
-\r
- if (!(protocol && locip && remip && remport && enabled))\r
- {\r
- fprintf(stderr, "Bad line:\n");\r
- break;\r
- }\r
-\r
- if (!VALID_PROTOCOL(protocol))\r
- {\r
- fprintf(stderr, "Bad protocol: %s\n", protocol);\r
- exit(1);\r
- }\r
- if (!VALID_IP_AND_MASK(locip))\r
- {\r
- fprintf(stderr, "Bad local IP: %s\n", locip);\r
- exit(1);\r
- }\r
- if (!VALID_IP_AND_MASK(remip))\r
- {\r
- fprintf(stderr, "Bad remote IP: %s\n", remip);\r
- exit(1);\r
- }\r
- if (!VALID_PORT_RANGE(remport))\r
- {\r
- fprintf(stderr, "Bad remote port: %s\n", remport);\r
- exit(1);\r
- }\r
- \r
- if (!src_net) { src_net = strdup ("orange");}\r
- if (!dst_net) { dst_net = strdup ("green");}\r
- \r
- if (!strcmp(src_net, "blue")) { idev = blue_dev; }\r
- if (!strcmp(src_net, "orange")) { idev = orange_dev; }\r
- if (!strcmp(dst_net, "blue")) { odev = blue_dev; }\r
- if (!strcmp(dst_net, "green")) { odev = green_dev; }\r
- \r
- if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))\r
- {\r
- char *ctr;\r
- /* If remport contains a - we need to change it to a : */\r
- if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);\r
- safe_system(command);\r
- }\r
- }\r
-\r
- return 0;\r
-}\r
+++ /dev/null
-/* SmoothWall helper program - setxtaccess\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence. See the file COPYING for details.\r
- *\r
- * (c) Daniel Goscomb, 2001\r
- * \r
- * Modifications and improvements by Lawrence Manning.\r
- *\r
- * 10/04/01 Aslak added protocol support\r
- * \r
- * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases\r
- *\r
- * 19/04/03 Robert Kerr Fixed root exploit\r
- *\r
- * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $\r
- * \r
- */\r
-\r
-#include <stdio.h>\r
-#include <stdlib.h>\r
-#include <string.h>\r
-#include "setuid.h"\r
-\r
-FILE *ifacefile = NULL;\r
-FILE *fwdfile = NULL;\r
-FILE *ipfile = NULL;\r
-\r
-void exithandler(void)\r
-{\r
- if (fwdfile)\r
- fclose(fwdfile);\r
-}\r
-\r
-int main(void)\r
-{\r
- char iface[STRING_SIZE] = "";\r
- char locip[STRING_SIZE] = "";\r
- char s[STRING_SIZE] = "";\r
- int count;\r
- char *protocol;\r
- char *destip;\r
- char *remip;\r
- char *locport;\r
- char *enabled;\r
- char *information;\r
- char *result;\r
- char command[STRING_SIZE];\r
-\r
- if (!(initsetuid()))\r
- exit(1);\r
-\r
- atexit(exithandler);\r
-\r
- if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
- {\r
- fprintf(stderr, "Couldn't open local ip file\n");\r
- exit(1);\r
- }\r
- if (fgets(locip, STRING_SIZE, ipfile))\r
- {\r
- if (locip[strlen(locip) - 1] == '\n')\r
- locip[strlen(locip) - 1] = '\0';\r
- }\r
- fclose (ipfile);\r
- if (!VALID_IP(locip))\r
- {\r
- fprintf(stderr, "Bad local IP: %s\n", locip);\r
- exit(1);\r
- }\r
-\r
- if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
- {\r
- fprintf(stderr, "Couldn't open iface file\n");\r
- exit(1);\r
- }\r
- if (fgets(iface, STRING_SIZE, ifacefile))\r
- {\r
- if (iface[strlen(iface) - 1] == '\n')\r
- iface[strlen(iface) - 1] = '\0';\r
- }\r
- fclose (ifacefile);\r
- if (!VALID_DEVICE(iface))\r
- {\r
- fprintf(stderr, "Bad iface: %s\n", iface);\r
- exit(1);\r
- }\r
- \r
- if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))\r
- {\r
- fprintf(stderr, "Couldn't open xtaccess settings file\n");\r
- exit(1);\r
- }\r
-\r
- safe_system("/sbin/iptables -F XTACCESS");\r
-\r
- while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
- {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- count = 0;\r
- protocol = NULL;\r
- remip = NULL;\r
- destip = NULL;\r
- locport = NULL;\r
- enabled = NULL;\r
- information = NULL;\r
- result = strtok(s, ",");\r
- while (result)\r
- {\r
- if (count == 0)\r
- protocol = result;\r
- else if (count == 1)\r
- remip = result;\r
- else if (count == 2)\r
- locport = result;\r
- else if (count == 3)\r
- enabled = result;\r
- else if (count == 4)\r
- destip = result;\r
- else\r
- information = result;\r
- count++;\r
- result = strtok(NULL, ",");\r
- }\r
-\r
- if (!(protocol && remip && locport && enabled))\r
- break;\r
- \r
- if (!VALID_PROTOCOL(protocol))\r
- {\r
- fprintf(stderr, "Bad protocol: %s\n", protocol);\r
- exit(1);\r
- }\r
- if (!VALID_IP_AND_MASK(remip))\r
- {\r
- fprintf(stderr, "Bad remote IP: %s\n", remip);\r
- exit(1);\r
- }\r
- if (!VALID_PORT_RANGE(locport))\r
- {\r
- fprintf(stderr, "Bad local port: %s\n", locport);\r
- exit(1);\r
- }\r
-\r
- /* check for destination ip in config file. If it's there\r
- * and it's not 0.0.0.0, use it; else use the current\r
- * local ip address. (This makes sure we can use old-style\r
- * config files without the destination ip) */\r
- if (!destip || !strcmp(destip, "0.0.0.0"))\r
- destip = locip;\r
- if (!VALID_IP(destip))\r
- {\r
- fprintf(stderr, "Bad destination IP: %s\n", remip);\r
- exit(1);\r
- }\r
-\r
- if (strcmp(enabled, "on") == 0)\r
- {\r
- memset(command, 0, STRING_SIZE);\r
- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",\r
- iface, protocol, remip, destip, locport);\r
- safe_system(command);\r
- }\r
- }\r
- \r
- return 0;\r
-}\r