+++ /dev/null
-#!/bin/sh
-
-eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-
-iptables -F POLICY
-
-if [ "$POLICY" == "MODE1" ]; then
-
- if [ "$FWPOLICY" == "REJECT" ]; then
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
- fi
- /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
- fi
- if [ "$FWPOLICY" == "DROP" ]; then
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
- fi
- /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
- fi
-fi
-
-
return "$ovpnsettings{'DOVPN_SUBNET'}";
}elsif($val =~ /IPsec/i){
return "$ipsecsettings{'RW_NET'}";
+ }elsif($val eq 'IPFire'){
+ return ;
}
}
sub get_net_ip
--- /dev/null
+#!/bin/sh
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICYFWD
+iptables -F POLICYOUT
+
+
+if [ "$POLICY" == "MODE1" ]; then
+ if [ "$FWPOLICY" == "REJECT" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ fi
+ if [ "$FWPOLICY" == "DROP" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+fi
+if [ "$POLICY1" == "MODE1" ]; then
+ /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+ if [ "$FWPOLICY1" == "REJECT" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ fi
+ if [ "$FWPOLICY1" == "DROP" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+fi
+
our %targethash=();
my @timeframe=();
my %configinputfw=();
+my %configoutgoingfw=();
my %aliases=();
my @DPROT=();
my @p2ps=();
my $configfwdfw = "${General::swroot}/forward/config";
my $configinput = "${General::swroot}/forward/input";
+my $configoutgoing = "${General::swroot}/forward/outgoing";
my $p2pfile = "${General::swroot}/forward/p2protocols";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
+&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);
if($MODE eq '0'){
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
&p2pblock;
- system ("/usr/sbin/firewall-forward-policy");
+ system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
$defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
$green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
&p2pblock;
system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
- system ("/usr/sbin/firewall-forward-policy");
+ system ("/usr/sbin/firewall-policy");
}
}
}
{
system ("iptables -F FORWARDFW");
system ("iptables -F INPUTFW");
+ system ("iptables -F OUTGOINGFW");
}
sub preparerules
{
if (! -z "${General::swroot}/forward/input"){
&buildrules(\%configinputfw);
}
+ if (! -z "${General::swroot}/forward/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
}
sub buildrules
{
}
}
}elsif($$hash{$key}[5] eq 'ipfire'){
-
if($$hash{$key}[6] eq 'Default IP'){
open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
$targethash{$key}[0]= <FILE>;
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
#usr/local/src
#usr/sbin
usr/sbin/ovpn-ccd-convert
-usr/sbin/firewall-forward-policy
+usr/sbin/firewall-policy
usr/sbin/convert-xtaccess
usr/sbin/convert-outgoingfw
#usr/share
if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
{
my $MODE = $fwdfwsettings{'POLICY'};
+ my $MODE1 = $fwdfwsettings{'POLICY1'};
%fwdfwsettings = ();
$fwdfwsettings{'POLICY'} = "$MODE";
+ $fwdfwsettings{'POLICY1'} = "$MODE1";
&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
&reread_rules;
}
{
&General::readhasharray("$configfwdfw", \%configfwdfw);
&General::readhasharray("$configinput", \%configinputfw);
- &General::readhasharray("$configinput", \%configoutgoingfw);
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
$errormessage=&checksource;
if(!$errormessage){&checktarget;}
if(!$errormessage){&checkrule;}
}
#check Rulepos on new Rule
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ print"CHECK OUTGOING DOPPELTE REGEL<br>";
$fwdfwsettings{'oldrulenumber'}=$maxkey;
foreach my $key (sort keys %configoutgoingfw){
if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ my $MODE1=$fwdfwsettings{'POLICY1'};
%fwdfwsettings = ();
$fwdfwsettings{'POLICY'}='MODE2';
+ $fwdfwsettings{'POLICY1'}=$MODE1;
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+
+}
+if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
+{
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+ foreach my $key (sort keys %configoutgoingfw){
+ &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
+ &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
+ &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,);
+ }
+ system("rm ${General::swroot}/forward/outgoing");
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+ my $MODE=$fwdfwsettings{'POLICY'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'}=$MODE;
+ $fwdfwsettings{'POLICY1'}='MODE2';
&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
&reread_rules;
{
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
&hint;
&addrule;
&p2pblock;
print <<END;
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%' border='0'>
+ <tr><td colspan='3' style='font-weight:bold;color:red;'>FORWARD </td></tr>
<tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
-
<tr><td colspan='3'><hr /></td></tr>
<tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
<option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
END
print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
print "</table></form>";
+ print"<br><br>";
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
+ <tr><td colspan='3' style='font-weight:bold;color:red;'>OUTGOING </td></tr>
+ <tr><td colspan='3'>$Lang::tr{'fwdfw pol text1'}</td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+ <td width='45%' align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form>
+ <td width='45%' align='left'>
+END
+ print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' />";
+ print "</table></form>";
&Header::closebox();
}
sub addrule
{
&viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
- &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
- &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
&viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
&viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
}
my $title1=shift;
my $go='';
&General::readhasharray("$config", $hash);
- #check if there are DMZ entries
- if ($title1 eq 'DMZ'){
- foreach my $key (keys %$hash){
- if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last}
- }
- }elsif($title1 eq 'WLAN'){
- foreach my $key (keys %$hash){
- if ($$hash{$key}[4] eq 'BLUE'){$go='on';last}
- }
- }elsif($title1 eq 'Forward'){
- foreach my $key (keys %$hash){
- if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last}
- }
- }elsif( ! -z $config){
- $go='on';
- }
- if($go ne ''){
+ if( ! -z $config){
&Header::openbox('100%', 'left',$title);
my $count=0;
my ($gif,$log);
my @tmpsrc=();
my $coloryellow='';
print"<b>$title1</b><br>";
- print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<table width='100%' style='border: 1px solid #000000;' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
foreach my $key (sort {$a <=> $b} keys %$hash){
- #check if we have a FORWARDFW OR DMZ RULE
- if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;}
- if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;}
- if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;}
@tmpsrc=();
#check if vpn hosts/nets have been deleted
if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
$settings{'DROPNEWNOTSYN'} = 'on';
$settings{'DROPINPUT'} = 'on';
$settings{'DROPFORWARD'} = 'on';
+$settings{'DROPOUTGOING'} = 'on';
$settings{'DROPPORTSCAN'} = 'on';
$settings{'DROPWIRELESSINPUT'} = 'on';
$settings{'DROPWIRELESSFORWARD'} = 'on';
$checked{'DROPFORWARD'}{'off'} = '';
$checked{'DROPFORWARD'}{'on'} = '';
$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
+$checked{'DROPOUTGOING'}{'off'} = '';
+$checked{'DROPOUTGOING'}{'on'} = '';
+$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'";
$checked{'DROPPORTSCAN'}{'off'} = '';
$checked{'DROPPORTSCAN'}{'on'} = '';
$checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
<input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
<input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>on <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
+ <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> off</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
<option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
<option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
+<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
+<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
+</td></tr>
</table>
<br />
'download root certificate' => 'Root-Zertifikat herunterladen',
'dpd action' => 'Aktion für Dead Peer Detection',
'driver' => 'Treiber',
-'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"',
+'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
'drop input' => 'Verworfene Input Pakete loggen',
'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
-'drop forward' => 'Verworfene Firewall-Pakete loggen',
+'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen',
'drop portscan' => 'Verworfene Portscan Pakete loggen',
'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
'fwdfw pol block' => 'Blockiert',
'fwdfw pol title' => 'Standardverhalten der Firewall',
'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
'fwdfw reread' => 'Übernehmen',
'fwdfw rules' => 'Regeln',
'fwdfw rule action' => 'Regel Aktion:',
'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
'fwhost port' => 'Port(s)',
'fwhost prot' => 'Protokoll',
-'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.',
+'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.',
'fwhost reset' => 'Abbrechen',
'fwhost services' => 'Dienste',
'fwhost srv_name' => 'Dienstname',
'download root certificate' => 'Download root certificate',
'dpd action' => 'Dead Peer Detection action',
'driver' => 'Driver',
-'drop action' => 'Default behaviour of firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
'drop input' => 'Log dropped input pakets',
'drop newnotsyn' => 'Log dropped new not syn pakets',
'drop forward' => 'Log dropped forward pakets',
'fwdfw pol block' => 'Blocked',
'fwdfw pol title' => 'Firewall default behavior',
'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.',
'fwdfw reread' => 'Apply',
'fwdfw rules' => 'Rules',
'fwdfw rule action' => 'Rule action:',
'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
'fwhost port' => 'Port(s)',
'fwhost prot' => 'Protocol',
-'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.',
+'fwhost reread' => 'Firewallrules need to be updated.',
'fwhost reset' => 'Cancel',
'fwhost services' => 'Services',
'fwhost srv_name' => 'Servicename',
cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
- cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
+ cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy
cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
# Oneliner configfiles
/sbin/iptables -N OUTGOINGFW
/sbin/iptables -N OUTGOINGFWMAC
/sbin/iptables -A OUTPUT -j OUTGOINGFW
+ /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
#/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
#POLICY CHAIN
- /sbin/iptables -N POLICY
- /sbin/iptables -A FORWARD -j POLICY
+ /sbin/iptables -N POLICYFWD
+ /sbin/iptables -A FORWARD -j POLICYFWD
+ /sbin/iptables -N POLICYOUT
+ /sbin/iptables -A OUTPUT -j POLICYOUT
- /usr/sbin/firewall-forward-policy
+
+ /usr/sbin/firewall-policy
;;
startovpn)
# run openvpn