--- /dev/null
+From 7395c67b45bd473c7c8af9b21080e91810003ad3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 28 Dec 2012 08:25:24 +0100
+Subject: [PATCH 001/302] Forward Firewall: applied all changes as diff and
+ added new files. Also deleted c files from xtaccess
+ and setdmzholes.
+
+Signed-off-by: Alexander Marx <amarx@ipfire.org>
+---
+ config/backup/include | 2 +
+ config/cfgroot/general-functions.pl | 97 ++++++++++++++++-
+ config/menu/50-firewall.menu | 36 +++----
+ config/rootfiles/common/configroot | 17 ++-
+ config/rootfiles/common/i586/initscripts | 10 +-
+ config/rootfiles/common/misc-progs | 3 +-
+ langs/de/cgi-bin/de.pl | 135 ++++++++++++++++++++++++
+ langs/en/cgi-bin/en.pl | 136 ++++++++++++++++++++++++
+ lfs/configroot | 52 +++++----
+ lfs/initscripts | 13 ++-
+ lfs/usb-stick | 1 +
+ src/initscripts/init.d/firewall | 19 ++--
+ src/initscripts/init.d/network | 4 +-
+ src/misc-progs/Makefile | 10 +-
+ src/misc-progs/setdmzholes.c | 162 ----------------------------
+ src/misc-progs/setxtaccess.c | 168 ------------------------------
+ 16 files changed, 450 insertions(+), 415 deletions(-)
+ delete mode 100644 src/misc-progs/setdmzholes.c
+ delete mode 100644 src/misc-progs/setxtaccess.c
+
+diff --git a/config/backup/include b/config/backup/include
+index a1d1fbc..13dd016 100644
+--- a/config/backup/include
++++ b/config/backup/include
+@@ -14,6 +14,8 @@
+ /etc/ssh/ssh_host*
+ /var/ipfire/auth/users
+ /var/ipfire/dhcp/*
++/var/ipfire/forward/*
++/var/ipfire/fwhosts/*
+ /var/ipfire/main/*
+ /var/ipfire/outgoing/groups
+ /var/ipfire/outgoing/macgroups
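Review bot: The added `/var/ipfire/forward/*` glob also matches `forward/bin`, which the rootfiles list in this same patch populates with `rules.pl` and `firewall-lib.pl`, so a restore would presumably overwrite the rule-generation scripts with whatever the archive contains. The neighbouring outgoing entries name data paths only (`/var/ipfire/outgoing/groups`), and the same approach fits here: list `/var/ipfire/forward/config`, `/var/ipfire/forward/input` and `/var/ipfire/forward/settings` individually. That keeps executable code out of user-supplied backup archives and avoids restoring an outdated script after an upgrade.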
+diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
+index c14f990..f17dfd4 100644
+--- a/config/cfgroot/general-functions.pl
++++ b/config/cfgroot/general-functions.pl
+@@ -21,8 +21,8 @@ use Net::SSLeay;
+ use Net::IPv4Addr qw(:all);
+ $|=1; # line buffering
+
+-$General::version = 'VERSION';
+-$General::swroot = 'CONFIG_ROOT';
++$General::version = '2.11';
++$General::swroot = '/var/ipfire';
+ $General::noipprefix = 'noipg-';
+ $General::adminmanualurl = 'http://wiki.ipfire.org';
+
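Review bot: The two changed assignments replace the `'VERSION'` and `'CONFIG_ROOT'` placeholders with the literals `'2.11'` and `'/var/ipfire'`, which looks like a built copy of the file committed over the template. lfs/configroot in this patch still runs a sed over these tokens (the visible comment names header.pl; the rest of the command is outside that hunk), so if general-functions.pl is one of its targets the version string will no longer follow `$(VERSION)`. I would keep `$General::version = 'VERSION';` and `$General::swroot = 'CONFIG_ROOT';` here.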
+@@ -39,6 +39,99 @@ sub log
+ $logmessage = $1;
+ system('logger', '-t', $tag, $logmessage);
+ }
++sub setup_default_networks
++{
++ my %netsettings=();
++ my $defaultNetworks = shift;
++
++ &readhash("/var/ipfire/ethernet/settings", \%netsettings);
++
++ # Get current defined networks (Red, Green, Blue, Orange)
++ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
++ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
++
++ $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
++ $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
++
++ if ($netsettings{'ORANGE_DEV'} ne ''){
++ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
++ $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
++ }
++
++ if ($netsettings{'BLUE_DEV'} ne ''){
++ $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
++ $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
++ }
++
++ # OpenVPN
++ if(-e "${General::swroot}/ovpn/settings")
++ {
++ my %ovpnSettings = ();
++ &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
++
++ # OpenVPN on Red?
++ if(defined($ovpnSettings{'DOVPN_SUBNET'}))
++ {
++ my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
++ $sub=&General::iporsubtocidr($sub);
++ my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
++ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
++ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
++ }
++ } # end OpenVPN
++ # IPsec RW NET
++ if(-e "${General::swroot}/vpn/settings")
++ {
++ my %ipsecsettings = ();
++ &readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
++ if($ipsecsettings{'RW_NET'} ne '')
++ {
++ my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
++ $sub=&General::iporsubtocidr($sub);
++ my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
++ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
++ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
++ }
++ }
++ #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
++ #my @current = <FILE>;
++ #close(FILE);
++ #my $ctr = 0;
++ #foreach my $line (@current)
++ #{
++ #if ($line ne ''){
++ #chomp($line);
++ #my @temp = split(/\,/,$line);
++ #if ($temp[2] eq '') {
++ #$temp[2] = "Alias $ctr : $temp[0]";
++ #}
++ #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
++ #$ctr++;
++ #}
++ #}
++}
++sub get_aliases
++{
++
++ my $defaultNetworks = shift;
++ open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
++ my @current = <FILE>;
++ close(FILE);
++ my $ctr = 0;
++ foreach my $line (@current)
++ {
++ if ($line ne ''){
++ chomp($line);
++ my @temp = split(/\,/,$line);
++ if ($temp[2] eq '') {
++ $temp[2] = "Alias $ctr : $temp[0]";
++ }
++ $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
++
++ $ctr++;
++ }
++ }
++}
+
+ sub readhash
+ {
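Review bot: In get_aliases the `$line ne ''` test runs before `chomp`, so a blank line still passes and creates an entry keyed `Alias N : ` with an undefined address, and a line with fewer than three fields compares an undefined `$temp[2]`. The alias name read from the file is then used directly as the hash key, so if callers pass the hash that setup_default_networks filled (not visible here), an alias named like a zone label would replace that zone's `IPT` value. The rewrite below chomps first, skips empty lines, refuses to overwrite an existing key and uses a lexical handle with three-argument open. Separately, setup_default_networks reads `/var/ipfire/ethernet/settings` by literal path where the rest of the function uses `${General::swroot}`, and its commented-out copy of this loop can be dropped.

```perl
sub get_aliases
{
	my $defaultNetworks = shift;
	my $file = "${General::swroot}/ethernet/aliases";
	open(my $fh, '<', $file) or die 'Unable to open aliases file.';
	my $ctr = 0;
	while (my $line = <$fh>) {
		chomp($line);
		next if $line eq '';
		my @temp = split(/,/, $line);
		next unless defined $temp[0] && $temp[0] ne '';
		my $name = $temp[2];
		$name = "Alias $ctr : $temp[0]" if !defined($name) || $name eq '';
		# An alias must not replace an entry that is already in the hash.
		$defaultNetworks->{$name}{'IPT'} = $temp[0]
			unless exists $defaultNetworks->{$name};
		$ctr++;
	}
	close($fh);
}
```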
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index de28f8e..90baa65 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -4,49 +4,37 @@
+ 'title' => "$Lang::tr{'ssport forwarding'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'20.xtaccess'} = {
+- 'caption' => $Lang::tr{'external access'},
+- 'uri' => '/cgi-bin/xtaccess.cgi',
+- 'title' => "$Lang::tr{'external access'}",
+- 'enabled' => 1,
+- };
+ $subfirewall->{'30.wireless'} = {
+ 'caption' => $Lang::tr{'blue access'},
+ 'uri' => '/cgi-bin/wireless.cgi',
+ 'title' => "$Lang::tr{'blue access'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'40.dmz'} = {
+- 'caption' => $Lang::tr{'ssdmz pinholes'},
+- 'uri' => '/cgi-bin/dmzholes.cgi',
+- 'title' => "$Lang::tr{'dmz pinhole configuration'}",
++ $subfirewall->{'51.forward'} = {
++ 'caption' => $Lang::tr{'fwdfw menu'},
++ 'uri' => '/cgi-bin/forwardfw.cgi',
++ 'title' => "$Lang::tr{'fwdfw menu'}",
+ 'enabled' => 1,
+- };
+- $subfirewall->{'50.outgoing'} = {
+- 'caption' => $Lang::tr{'outgoing firewall'},
+- 'uri' => '/cgi-bin/outgoingfw.cgi',
+- 'title' => "$Lang::tr{'outgoing firewall'}",
+- 'enabled' => 1,
+- };
+- $subfirewall->{'51.outgoinggrp'} = {
+- 'caption' => $Lang::tr{'outgoing firewall groups'},
+- 'uri' => '/cgi-bin/outgoinggrp.cgi',
+- 'title' => "$Lang::tr{'outgoing firewall groups'}",
++ };
++ $subfirewall->{'65.fwhost'} = {
++ 'caption' => $Lang::tr{'fwhost menu'},
++ 'uri' => '/cgi-bin/fwhosts.cgi',
++ 'title' => "$Lang::tr{'fwhost menu'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'60.upnp'} = {
++ $subfirewall->{'70.upnp'} = {
+ 'caption' => 'UPnP',
+ 'uri' => '/cgi-bin/upnp.cgi',
+ 'title' => "Universal Plug and Play",
+ 'enabled' => 0,
+ };
+- $subfirewall->{'60.optingsfw'} = {
++ $subfirewall->{'80.optingsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'70.iptables'} = {
++ $subfirewall->{'90.iptables'} = {
+ 'caption' => $Lang::tr{'ipts'},
+ 'uri' => '/cgi-bin/iptables.cgi',
+ 'title' => "$Lang::tr{'ipts'}",
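Review bot: Existing outgoing firewall rules are left without a management page: the `50.outgoing` and `51.outgoinggrp` entries are removed here, while the patch keeps `22-outgoingfwctrl` in the red.up list and still installs outgoingfw.pl, so previously configured rules would presumably stay enforced with no menu path to review or change them. Either retire the outgoing firewall backend in the same change or keep the entries until it is migrated. The two new entries point at `/cgi-bin/forwardfw.cgi` and `/cgi-bin/fwhosts.cgi`, neither of which appears in this patch's diffstat, so confirm they arrive elsewhere in the series. The `90.iptables` entry continues outside the hunk.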
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 1d2fc9d..04478b2 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -26,8 +26,6 @@ var/ipfire/dhcp
+ #var/ipfire/dhcp/fixleases
+ #var/ipfire/dhcp/settings
+ var/ipfire/dhcpc
+-var/ipfire/dmzholes
+-#var/ipfire/dmzholes/config
+ var/ipfire/dns
+ #var/ipfire/dns/settings
+ var/ipfire/ethernet
+@@ -44,6 +42,19 @@ var/ipfire/extrahd/partitions
+ var/ipfire/extrahd/scan
+ var/ipfire/extrahd/settings
+ var/ipfire/fwlogs
++var/ipfire/forward
++var/ipfire/forward/bin/rules.pl
++var/ipfire/forward/bin/firewall-lib.pl
++var/ipfire/forward/settings
++var/ipfire/forward/config
++var/ipfire/forward/input
++var/ipfire/fwhosts
++var/ipfire/fwhosts/icmp-types
++var/ipfire/fwhosts/customhosts
++var/ipfire/fwhosts/customnetworks
++var/ipfire/fwhosts/customgroups
++var/ipfire/fwhosts/customservices
++var/ipfire/fwhosts/customservicegrp
+ #var/ipfire/fwlogs/ipsettings
+ #var/ipfire/fwlogs/portsettings
+ var/ipfire/general-functions.pl
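Review bot: The new per-feature data files (`var/ipfire/forward/config`, `forward/input`, `forward/settings` and the `fwhosts/custom*` files) are listed uncommented, whereas the neighbouring user-editable files are commented out (`#var/ipfire/dhcp/settings`, `#var/ipfire/fwlogs/ipsettings`). If the comment marker is what keeps a file out of update archives, as the surrounding entries suggest, shipping these would overwrite an administrator's firewall rules and host definitions on update; please confirm and comment them out like the others. The block is also inserted between `var/ipfire/fwlogs` and its two commented children, which breaks the grouping; placing `forward` and `fwhosts` before `var/ipfire/fwlogs` keeps the list ordered.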
+@@ -182,7 +193,5 @@ var/ipfire/wakeonlan
+ var/ipfire/wireless
+ #var/ipfire/wireless/config
+ #var/ipfire/wireless/settings
+-var/ipfire/xtaccess
+-#var/ipfire/xtaccess/config
+ var/ipfire/firebuild
+ etc/system-release
+diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
+index 737e878..7688fac 100644
+--- a/config/rootfiles/common/i586/initscripts
++++ b/config/rootfiles/common/i586/initscripts
+@@ -80,11 +80,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
+ etc/rc.d/init.d/networking/red.up/10-multicast
+ etc/rc.d/init.d/networking/red.up/20-RL-firewall
+ etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+-etc/rc.d/init.d/networking/red.up/23-RS-snort
+-etc/rc.d/init.d/networking/red.up/24-RS-qos
+-etc/rc.d/init.d/networking/red.up/25-portfw
+-etc/rc.d/init.d/networking/red.up/26-xtaccess
+-etc/rc.d/init.d/networking/red.up/27-RS-squid
++etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
++etc/rc.d/init.d/networking/red.up/24-RS-snort
++etc/rc.d/init.d/networking/red.up/25-RS-qos
++etc/rc.d/init.d/networking/red.up/26-portfw
++etc/rc.d/init.d/networking/red.up/28-RS-squid
+ etc/rc.d/init.d/networking/red.up/30-ddns
+ etc/rc.d/init.d/networking/red.up/40-ipac
+ etc/rc.d/init.d/networking/red.up/50-ipsec
+diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
+index 2d6b2e2..ca98dcf 100644
+--- a/config/rootfiles/common/misc-progs
++++ b/config/rootfiles/common/misc-progs
+@@ -15,6 +15,7 @@ usr/local/bin/logwatch
+ #usr/local/bin/mpfirectrl
+ usr/local/bin/openvpnctrl
+ usr/local/bin/outgoingfwctrl
++usr/local/bin/forwardfwctrl
+ usr/local/bin/pakfire
+ usr/local/bin/qosctrl
+ usr/local/bin/rebuildhosts
+@@ -22,9 +23,7 @@ usr/local/bin/rebuildroutes
+ usr/local/bin/redctrl
+ #usr/local/bin/sambactrl
+ usr/local/bin/setaliases
+-usr/local/bin/setdmzholes
+ usr/local/bin/setportfw
+-usr/local/bin/setxtaccess
+ usr/local/bin/smartctrl
+ usr/local/bin/snortctrl
+ usr/local/bin/squidctrl
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 05e1d85..83a8977 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -872,6 +872,141 @@
+ 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
+ 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
+ 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
++'forward firewall' => 'Firewall',
++'fwdfw additional' => 'Zusätzlich',
++'fwdfw action' => 'Aktion',
++'fwdfw menu' => 'Firewall',
++'fwdfw addrule' => 'Neue Regel hinzufügen:',
++'fwdfw addr grp' => 'Adress Gruppen:',
++'fwdfw change' => 'Aktualisieren',
++'fwdfw cust addr' => 'Custom Adressen:',
++'fwdfw cust net' => 'Custom Netzwerke:',
++'fwdfw copy' => 'Kopieren',
++'fwdfw delete' => 'Löschen',
++'fwdfw edit' => 'Bearbeiten',
++'fwdfw err nosrc' => 'Keine Quelle gewählt.',
++'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.',
++'fwdfw err notgt' => 'Kein Ziel gewählt.',
++'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.',
++'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.',
++'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.',
++'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.',
++'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.',
++'fwdfw err same' => 'Quelle und Ziel sind identisch.',
++'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.',
++'fwdfw err srcport' => 'Bitte Quellport angeben.',
++'fwdfw err tgtport' => 'Bitte Zielport angeben.',
++'fwdfw err tgt_addr' => 'Ziel-IP ungültig.',
++'fwdfw err tgt_port' => 'Ziel Port ungültig',
++'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.',
++'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.',
++'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.',
++'fwdfw from' => 'Von:',
++'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
++'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
++'fwdfw ipsec network' => 'IPsec Netzwerke:',
++'fwdfw log rule' => 'Log Regel',
++'fwdfw man port' => 'Port(s) manuel:',
++'fwdfw moveup' => 'Hoch',
++'fwdfw movedown' => 'Runter',
++'fwdfw reread' => 'Übernehmen',
++'fwdfw rules' => 'Regeln',
++'fwdfw rule action' => 'Regel Aktion:',
++'fwdfw rule activate' => 'Regel aktivieren',
++'fwdfw source' => 'Quelle',
++'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
++'fwdfw std network' => 'Standard Netzwerke:',
++'fwdfw target' => 'Ziel',
++'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):',
++'fwdfw till' => 'Bis:',
++'fwdfw time' => 'Zeitrahmen:',
++'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
++'fwdfw toggle' => 'Aktivieren oder deaktivieren',
++'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
++'fwdfw use srcport' => 'Quellport benutzen',
++'fwdfw use srv' => 'Ziel-Dienstport benutzen',
++'fwdfw newrule' => 'Neue Regel',
++'fwdfw wd_mon' => 'Mo',
++'fwdfw wd_tue' => 'Di',
++'fwdfw wd_wed' => 'Mi',
++'fwdfw wd_thu' => 'Do',
++'fwdfw wd_fri' => 'Fr',
++'fwdfw wd_sat' => 'Sa',
++'fwdfw wd_sun' => 'So',
++'fwhost addgrp' => 'Gruppe:',
++'fwhost addgrpname' => 'Gruppenname:',
++'fwhost addhost' => 'Adresse:',
++'fwhost addnet' => 'Netzwerk:',
++'fwhost addrule' => 'Neue Regel hinzufügen:',
++'fwhost any' => 'Alle',
++'fwhost attention' => 'ACHTUNG',
++'fwhost back' => 'Übernehmen',
++'fwhost blue' => 'Blau',
++'fwhost ccdhost' => 'OpenVPN Clients:',
++'fwhost ccdnet' => 'OpenVPN Netzwerke:',
++'fwhost change' => 'Ändern',
++'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
++'fwhost cust addr' => 'Custom Adressen:',
++'fwhost cust grp' => 'Custom Gruppen:',
++'fwhost cust net' => 'Custom Netzwerke:',
++'fwhost cust service' => 'Custom Dienste:',
++'fwhost cust srvgrp' => 'Custom Dienstgruppen',
++'fwhost deleted' => 'Gelöscht',
++'fwhost empty' => 'Keine Einträge vorhanden',
++'fwhost err addr' => 'IP oder Subnetzmaske ungültig.',
++'fwhost err addrgrp' => 'Bitte gruppenname angeben.',
++'fwhost err empty' => 'Bitte alle Felder füllen.',
++'fwhost err grpexist' => 'Gruppe existiert bereits.',
++'fwhost err groupempty' => 'Gewählte Gruppe ist leer.',
++'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
++'fwhost err name1' => 'Name muss gefüllt sein.',
++'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!',
++'fwhost err net' => 'Netzwerk IP existiert bereits',
++'fwhost err mac' => 'MAC Adresse ungültig.',
++'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.',
++'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.',
++'fwhost err hostorip' => 'Name oder IP Adresse ungültig.',
++'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
++'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
++'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
++'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
++'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.',
++'fwhost err ip' => 'IP Addresse ungültig.',
++'fwhost err ipmac' => 'IP/MAC Addresse ungültig.',
++'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.',
++'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
++'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.',
++'fwhost err port' => 'Port muss gefüllt sein.',
++'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
++'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
++'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.',
++'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
++'fwhost green' => 'Grün',
++'fwhost hosts' => 'Firewall Hosts',
++'fwhost hint' => 'Hinweis',
++'fwhost icmptype' => 'ICMP-Typ:',
++'fwhost ipadr' => 'IP Adresse:',
++'fwhost ip_mac' => 'IP/MAC Adresse',
++'fwhost ipsec host' => 'IpSec Clients:',
++'fwhost ipsec net' => 'IpSec Netzwerke:',
++'fwhost newnet' => 'Netz Einstellungen',
++'fwhost newhost' => 'Adress Einstellungen',
++'fwhost newgrp' => 'Adress Gruppierung',
++'fwhost newservice' => 'Dienst Einstellungen',
++'fwhost newservicegrp' => 'Dienst Gruppierung',
++'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
++'fwhost menu' => 'Firewall Gruppen',
++'fwhost orange' => 'Orange',
++'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
++'fwhost port' => 'Port(s)',
++'fwhost prot' => 'Protokoll',
++'fwhost reset' => 'Abbrechen',
++'fwhost services' => 'Dienste',
++'fwhost srv_name' => 'Dienstname',
++'fwhost stdnet' => 'Standard Netzwerke:',
++'fwhost type' => 'Typ',
++'fwhost used' => 'Benutzt',
++'fwhost wo subnet' => '(Ohne Subnetz)',
+ 'free' => 'Frei',
+ 'free memory' => 'Freier Speicher ',
+ 'free swap' => 'Freier Swap',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index f0fa2c2..fe4857e 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -895,6 +895,142 @@
+ 'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
+ 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
+ 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
++'forward firewall' => 'Firewall',
++'fwdfw additional' => 'Additional',
++'fwdfw action' => 'Action',
++'fwdfw menu' => 'Firewall',
++'fwdfw addrule' => 'Add new rule:',
++'fwdfw addr grp' => 'Adress groups:',
++'fwdfw change' => 'Update',
++'fwdfw cust addr' => 'Custom addresses:',
++'fwdfw cust net' => 'Custom networks:',
++'fwdfw copy' => 'Copy',
++'fwdfw delete' => 'Delete',
++'fwdfw edit' => 'Edit',
++'fwdfw err nosrc' => 'No source selected.',
++'fwdfw err nosrcip' => 'Please provide source IP address.',
++'fwdfw err notgt' => 'No target selected.',
++'fwdfw err notgtip' => 'Please provide target IP address.',
++'fwdfw err prot' => 'Source and target protocol have to match.',
++'fwdfw err remark' => 'Invalid chars in remark.',
++'fwdfw err ruleexists' => 'This rule already exists.',
++'fwdfw err src_addr' => 'Invalid source MAC/IP.',
++'fwdfw err same' => 'Identical source and target',
++'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
++'fwdfw err srcport' => 'Please provide source port.',
++'fwdfw err tgtport' => 'Please provide target port.',
++'fwdfw err tgt_addr' => 'Invalid target IP-address.',
++'fwdfw err tgt_port' => 'Invalid target port',
++'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.',
++'fwdfw err tgt_grp' => 'Target servicegroup is empty',
++'fwdfw err time' => 'You have to define at least one day.',
++'fwdfw from' => 'From:',
++'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.',
++'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
++'fwdfw ipsec network' => 'IpSec networks:',
++'fwdfw log rule' => 'Log rule',
++'fwdfw man port' => 'Port(s) manual:',
++'fwdfw moveup' => 'Move up',
++'fwdfw movedown' => 'Move down',
++'fwdfw reread' => 'Apply',
++'fwdfw rules' => 'Rules',
++'fwdfw rule action' => 'Rule action:',
++'fwdfw rule activate' => 'Activate rule',
++'fwdfw source' => 'Source',
++'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
++'fwdfw std network' => 'Standard networks:',
++'fwdfw target' => 'Target',
++'fwdfw targetip' => 'Target address (IP or network):',
++'fwdfw till' => 'Till:',
++'fwdfw time' => 'Timeframe:',
++'fwdfw timeframe' => 'Add timeframe',
++'fwdfw toggle' => 'Activate or deactivate',
++'fwdfw togglelog' => 'Activate or deactivate logging',
++'fwdfw use srcport' => 'Use sourceport',
++'fwdfw use srv' => 'Use targetport',
++'fwdfw newrule' => 'New rule',
++'fwdfw wd_mon' => 'Mon',
++'fwdfw wd_tue' => 'Tue',
++'fwdfw wd_wed' => 'Wed',
++'fwdfw wd_thu' => 'Thu',
++'fwdfw wd_fri' => 'Fri',
++'fwdfw wd_sat' => 'Sat',
++'fwdfw wd_sun' => 'Sun',
++'fwhost addgrp' => 'Group:',
++'fwhost addgrpname' => 'Groupname:',
++'fwhost addhost' => 'Address:',
++'fwhost addnet' => 'Network:',
++'fwhost addrule' => 'Add new rule:',
++'fwhost any' => 'Any',
++'fwhost attention' => 'ATTENTION',
++'fwhost back' => 'commit',
++'fwhost blue' => 'Blue',
++'fwhost ccdhost' => 'OpenVPN clients:',
++'fwhost ccdnet' => 'OpenVPN networks:',
++'fwhost change' => 'Modify',
++'fwhost changeremark' => 'You just modified the remark!',
++'fwhost cust addr' => 'Custom addresses:',
++'fwhost cust grp' => 'Custom groups:',
++'fwhost cust net' => 'Custom networks:',
++'fwhost cust service' => 'Custom services:',
++'fwhost cust srvgrp' => 'Custom servicegroups',
++'fwhost deleted' => 'Deleted',
++'fwhost empty' => 'No entries by now',
++'fwhost err addr' => 'Invalid IP or subnet!',
++'fwhost err addrgrp' => 'Please provide a groupname!',
++'fwhost err empty' => 'Please fill in all fields!',
++'fwhost err grpexist' => 'Group already exists!',
++'fwhost err groupempty' => 'Selected Group is empty!',
++'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
++'fwhost err name1' => 'Name is empty.',
++'fwhost err netexist' => 'A network with this name already exists!',
++'fwhost err net' => 'Network IP already exists',
++'fwhost err mac' => 'MAC address invalid',
++'fwhost err hostexist' => 'A host with this name already exists!',
++'fwhost err hostip' => 'Net or broadcast not allowed!',
++'fwhost err hostorip' => 'Name or IP invalid.',
++'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
++'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!',
++'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
++'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!',
++'fwhost err isingrp' => 'This entry already exists in the group!',
++'fwhost err ip' => 'IP address invalid.',
++'fwhost err ipmac' => 'IP/MAC address invalid.',
++'fwhost err ipcheck' => 'This IP address is already in use!',
++'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
++'fwhost err partofnet' => 'This network is part of an already existing one!',
++'fwhost err port' => 'Port is empty.',
++'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
++'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
++'fwhost err srv exists' => 'A Service with this name already exists.',
++'fwhost err sub32' => 'Please add single host. This subnet is no network!',
++'fwhost green' => 'Green',
++'fwhost hosts' => 'Firewall Hosts',
++'fwhost hint' => 'Note',
++'fwhost icmptype' => 'ICMP type:',
++'fwhost ipadr' => 'IP address:',
++'fwhost ip_mac' => 'IP/MAC address',
++'fwhost ipsec host' => 'IPsec clients:',
++'fwhost ipsec net' => 'IPsec networks:',
++'fwhost netaddress' => 'Network address:',
++'fwhost newnet' => 'Network',
++'fwhost newhost' => 'Host',
++'fwhost newgrp' => 'Address grouping',
++'fwhost newservice' => 'Service',
++'fwhost newservicegrp' => 'Service grouping',
++'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!',
++'fwhost menu' => 'Firewall Groups',
++'fwhost orange' => 'Orange',
++'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
++'fwhost port' => 'Port(s)',
++'fwhost prot' => 'Protocol',
++'fwhost reset' => 'Cancel',
++'fwhost services' => 'Services',
++'fwhost srv_name' => 'Servicename',
++'fwhost stdnet' => 'Standard networks:',
++'fwhost type' => 'Type',
++'fwhost used' => 'Used',
++'fwhost wo subnet' => '(without subnet)',
+ 'free' => 'Free',
+ 'free memory' => 'Free Memory ',
+ 'free swap' => 'Free Swap',
+diff --git a/lfs/configroot b/lfs/configroot
+index f8fe426..d177d43 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -50,59 +50,61 @@ $(TARGET) :
+ @$(PREBUILD)
+
+ # Create all directories
+- for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns \
+- ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
++ for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns \
++ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
+ net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
+ outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
+ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
+ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
+- wakeonlan wireless xtaccess ; do \
++ wakeonlan wireless ; do \
+ mkdir -p $(CONFIG_ROOT)/$$i; \
+ done
+
+ # Touch empty files
+ for i in auth/users backup/include.user backup/exclude.user \
+ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
+- dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+- extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
++ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
++ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
++ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
+ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
+- ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
++ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
+ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
+- touch $(CONFIG_ROOT)/$$i; \
++ touch $(CONFIG_ROOT)/$$i; \
+ done
+
+ # Copy initial configfiles
+ cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
+- cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
++ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list
+ cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl
+ cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler
+ cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/
+ cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings
+- cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
++ cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
+ cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults
+ cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
+- cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
++ cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+ cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
+- cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
+- cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
+- cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
++ cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
++ cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
++ cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
+ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
+- cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
+- cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
+- cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config
++ cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
++ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
+ cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
+- cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
++ cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
+ cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced
+ cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
+- cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+-
++ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
++ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
++ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
++ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
+ # Oneliner configfiles
+ echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
+ echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
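Review bot: The three added `cp` lines read `config/forwardfw/rules.pl`, `config/forwardfw/firewall-lib.pl` and `config/fwhosts/icmp-types`, none of which is in this patch's diffstat, so the target fails at that step unless another patch in the series adds them first. The hunk also rewrites about a dozen existing `cp` and `touch` lines with whitespace-only differences, which hides the real change; I would revert those. The added `cp` lines sit directly above `# Oneliner configfiles` without the blank line the removed version had.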
+@@ -115,6 +117,14 @@ $(TARGET) :
+ echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+
++ # Set outgoingfw.pl executable
++ chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
++
++ # set rules.pl executable
++ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
++
++
++
+ # Modify variables in header.pl
+ sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
+ -e "s+VERSION+$(VERSION)+g" \
+@@ -140,7 +150,5 @@ $(TARGET) :
+ done
+ chown root:nobody $(CONFIG_ROOT)/dhcpc
+
+- # Set outgoingfw.pl executable
+- chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+-
++
+ @$(POSTBUILD)
+diff --git a/lfs/initscripts b/lfs/initscripts
+index 213b46e..428896e 100644
+--- a/lfs/initscripts
++++ b/lfs/initscripts
+@@ -178,18 +178,17 @@ $(TARGET) :
+ ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
+ ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
+ /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
++ ln -sf ../../../../../usr/local/bin/forwardfwctrl \
++ /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+ ln -sf ../../../../../usr/local/bin/snortctrl \
+- /etc/rc.d/init.d/networking/red.up/23-RS-snort
++ /etc/rc.d/init.d/networking/red.up/24-RS-snort
+ ln -sf ../../../../../usr/local/bin/qosctrl \
+- /etc/rc.d/init.d/networking/red.up/24-RS-qos
++ /etc/rc.d/init.d/networking/red.up/25-RS-qos
+ ln -sf ../../../../../usr/local/bin/setportfw \
+- /etc/rc.d/init.d/networking/red.up/25-portfw
+- ln -sf ../../../../../usr/local/bin/setxtaccess \
+- /etc/rc.d/init.d/networking/red.up/26-xtaccess
++ /etc/rc.d/init.d/networking/red.up/26-portfw
+ ln -sf ../../../../../usr/local/bin/dialctrl.pl \
+ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
+- ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
+-
++ ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
+ ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+ ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
+ ln -sf ../../../../../usr/local/bin/dialctrl.pl \
+diff --git a/lfs/usb-stick b/lfs/usb-stick
+index 30a1475..a707ffb 100644
+--- a/lfs/usb-stick
++++ b/lfs/usb-stick
+@@ -65,6 +65,7 @@ define COPY_TO_IMG
+ mv /install/mnt/boot/isolinux/{instroot,vmlinuz,splash.lss,*\.msg,memtest} /install/mnt && \
+ rm -rf /install/mnt/boot/isolinux && \
+ cp $(DIR_SRC)/config/syslinux/syslinux.cfg /install/mnt/syslinux.cfg && \
++ sleep 10 && \
+ umount /install/mnt && \
+ losetup -d $$LOOPDEV && \
+ syslinux $$IMAGE
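Review bot: The added `sleep 10 && \` before `umount /install/mnt` is a fixed delay with no stated reason, so the next maintainer cannot tell what it waits for or whether ten seconds is enough on a slow build host. If it is there to let pending writes finish or to work around a busy mount (an assumption, the commit does not say), `sync && \` is the deterministic form. If the delay has to stay, put a one-line comment above it naming the failure it avoids. The `COPY_TO_IMG` define starts outside the hunk.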
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 7478978..624fbcc 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -189,6 +189,14 @@ case "$1" in
+ # Outgoing Firewall
+ /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+
++ # Forward Firewall
++ /sbin/iptables -N FORWARDFW
++ /sbin/iptables -A FORWARD -j FORWARDFW
++
++ # Input Firewall
++ /sbin/iptables -N INPUTFW
++ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
++
+ # localhost and ethernet.
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
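Review bot: The new `-A INPUT -m state --state NEW -j INPUTFW` jump sits ahead of the `-s 127.0.0.0/8 ... -j DROP` loopback anti-spoofing rule, whereas the XTACCESS jump it replaces (removed in the next hunk) was only appended after `iptables_red`; any ACCEPT a user places in INPUTFW now wins over the checks in between. Moving the two INPUTFW lines down to where XTACCESS used to be created would keep the old evaluation order. Likewise `-A FORWARD -j FORWARDFW` is unconditional and precedes the `PORTFWACCESS` jump, and rules.pl in this series ends FORWARDFW with a catch-all `-j DROP` or `-j ACCEPT`, so presumably nothing after this jump is evaluated for forwarded packets once a policy is loaded. If that is intended, say so in a comment, e.g. `# FORWARDFW ends with the policy rule from rules.pl; later FORWARD rules are not reached`. The `case` branch starts and ends outside the hunk.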
+@@ -228,17 +236,6 @@ case "$1" in
+
+ iptables_red
+
+- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
+- # ORANGE to talk to GREEN / BLUE.
+- /sbin/iptables -N DMZHOLES
+- if [ "$ORANGE_DEV" != "" ]; then
+- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
+- fi
+-
+- # XTACCESS chain, used for external access
+- /sbin/iptables -N XTACCESS
+- /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
+-
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
+ /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network
+index 9ff2200..02df4bc 100644
+--- a/src/initscripts/init.d/network
++++ b/src/initscripts/init.d/network
+@@ -47,9 +47,7 @@ init_networking() {
+ # (exit ${failed})
+ # evaluate_retval
+
+- boot_mesg "Setting up DMZ pinholes"
+- /usr/local/bin/setdmzholes; evaluate_retval
+-
++
+ if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
+ boot_mesg "Setting up wireless firewall rules"
+ /usr/local/bin/wirelessctrl; evaluate_retval
+diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
+index 33d1d66..3b1baa8 100644
+--- a/src/misc-progs/Makefile
++++ b/src/misc-progs/Makefile
+@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
+ COMPILE=$(CC) $(CFLAGS)
+
+ PROGS = iowrap
+-SUID_PROGS = setdmzholes setportfw setxtaccess \
++SUID_PROGS = setportfw \
+ squidctrl sshctrl ipfirereboot \
+ ipsecctrl timectrl dhcpctrl snortctrl \
+ applejuicectrl rebuildhosts backupctrl \
+- logwatch openvpnctrl outgoingfwctrl \
++ logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
+ wirelessctrl getipstat qosctrl launch-ether-wake \
+ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
+ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
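Review bot: `forwardfwctrl` is added to `SUID_PROGS` here and gets a build rule with prerequisite `forwardfwctrl.c` in the next hunk, but patch 002's file list does not contain `src/misc-progs/forwardfwctrl.c` and this commit's diffstat does not appear to either. Unless that source already exists in the tree, the target cannot be built. It is also the setuid-root entry point for the new rule generator, so it should be reviewed together with rules.pl: how it drops or keeps privileges, what environment it passes on, and which arguments it accepts. Adding the C source in the same commit as this Makefile change would keep the series buildable and reviewable at each step.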
+@@ -93,15 +93,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
+ outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
++forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
++ $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
++
+ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+ launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
+- $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+-
+ setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c
+deleted file mode 100644
+index 7a2643d..0000000
+--- a/src/misc-progs/setdmzholes.c
++++ /dev/null
+@@ -1,162 +0,0 @@
+-/* SmoothWall helper program - setdmzhole\r
+- *\r
+- * This program is distributed under the terms of the GNU General Public\r
+- * Licence. See the file COPYING for details.\r
+- *\r
+- * (c) Daniel Goscomb, 2001\r
+- * \r
+- * Modifications and improvements by Lawrence Manning.\r
+- *\r
+- * 10/04/01 Aslak added protocol support\r
+- * This program reads the list of ports to forward and setups iptables\r
+- * and rules in ipmasqadm to enable them.\r
+- * \r
+- * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $\r
+- * \r
+- */\r
+-#include "libsmooth.h"\r
+-#include <stdio.h>\r
+-#include <string.h>\r
+-#include <stdlib.h>\r
+-#include "setuid.h"\r
+-\r
+-FILE *fwdfile = NULL;\r
+-\r
+-void exithandler(void)\r
+-{\r
+- if (fwdfile)\r
+- fclose(fwdfile);\r
+-}\r
+-\r
+-int main(void)\r
+-{\r
+- int count;\r
+- char *protocol;\r
+- char *locip;\r
+- char *remip;\r
+- char *remport;\r
+- char *enabled;\r
+- char *src_net;\r
+- char *dst_net;\r
+- char s[STRING_SIZE];\r
+- char *result;\r
+- struct keyvalue *kv = NULL;\r
+- char orange_dev[STRING_SIZE] = "";\r
+- char blue_dev[STRING_SIZE] = "";\r
+- char green_dev[STRING_SIZE] = "";\r
+- char *idev;\r
+- char *odev;\r
+- char command[STRING_SIZE];\r
+-\r
+- if (!(initsetuid()))\r
+- exit(1);\r
+-\r
+- atexit(exithandler);\r
+-\r
+- kv=initkeyvalues();\r
+- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
+- {\r
+- fprintf(stderr, "Cannot read ethernet settings\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "GREEN_DEV", green_dev))\r
+- {\r
+- fprintf(stderr, "Cannot read GREEN_DEV\n");\r
+- exit(1);\r
+- }\r
+- findkey(kv, "BLUE_DEV", blue_dev);\r
+- findkey(kv, "ORANGE_DEV", orange_dev);\r
+-\r
+- if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open dmzholes settings file\n");\r
+- exit(1);\r
+- }\r
+-\r
+- safe_system("/sbin/iptables -F DMZHOLES");\r
+-\r
+- while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
+- {\r
+- if (s[strlen(s) - 1] == '\n')\r
+- s[strlen(s) - 1] = '\0';\r
+- result = strtok(s, ",");\r
+- \r
+- count = 0;\r
+- protocol = NULL;\r
+- locip = NULL; remip = NULL;\r
+- remport = NULL;\r
+- enabled = NULL;\r
+- src_net = NULL;\r
+- dst_net = NULL;\r
+- idev = NULL;\r
+- odev = NULL;\r
+- \r
+- while (result)\r
+- {\r
+- if (count == 0)\r
+- protocol = result;\r
+- else if (count == 1)\r
+- locip = result;\r
+- else if (count == 2)\r
+- remip = result;\r
+- else if (count == 3)\r
+- remport = result;\r
+- else if (count == 4)\r
+- enabled = result;\r
+- else if (count == 5)\r
+- src_net = result;\r
+- else if (count == 6)\r
+- dst_net = result;\r
+- count++;\r
+- result = strtok(NULL, ",");\r
+- }\r
+-\r
+- if (!(protocol && locip && remip && remport && enabled))\r
+- {\r
+- fprintf(stderr, "Bad line:\n");\r
+- break;\r
+- }\r
+-\r
+- if (!VALID_PROTOCOL(protocol))\r
+- {\r
+- fprintf(stderr, "Bad protocol: %s\n", protocol);\r
+- exit(1);\r
+- }\r
+- if (!VALID_IP_AND_MASK(locip))\r
+- {\r
+- fprintf(stderr, "Bad local IP: %s\n", locip);\r
+- exit(1);\r
+- }\r
+- if (!VALID_IP_AND_MASK(remip))\r
+- {\r
+- fprintf(stderr, "Bad remote IP: %s\n", remip);\r
+- exit(1);\r
+- }\r
+- if (!VALID_PORT_RANGE(remport))\r
+- {\r
+- fprintf(stderr, "Bad remote port: %s\n", remport);\r
+- exit(1);\r
+- }\r
+- \r
+- if (!src_net) { src_net = strdup ("orange");}\r
+- if (!dst_net) { dst_net = strdup ("green");}\r
+- \r
+- if (!strcmp(src_net, "blue")) { idev = blue_dev; }\r
+- if (!strcmp(src_net, "orange")) { idev = orange_dev; }\r
+- if (!strcmp(dst_net, "blue")) { odev = blue_dev; }\r
+- if (!strcmp(dst_net, "green")) { odev = green_dev; }\r
+- \r
+- if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))\r
+- {\r
+- char *ctr;\r
+- /* If remport contains a - we need to change it to a : */\r
+- if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
+- memset(command, 0, STRING_SIZE);\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);\r
+- safe_system(command);\r
+- }\r
+- }\r
+-\r
+- return 0;\r
+-}\r
+diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c
+deleted file mode 100644
+index 27a03e0..0000000
+--- a/src/misc-progs/setxtaccess.c
++++ /dev/null
+@@ -1,168 +0,0 @@
+-/* SmoothWall helper program - setxtaccess\r
+- *\r
+- * This program is distributed under the terms of the GNU General Public\r
+- * Licence. See the file COPYING for details.\r
+- *\r
+- * (c) Daniel Goscomb, 2001\r
+- * \r
+- * Modifications and improvements by Lawrence Manning.\r
+- *\r
+- * 10/04/01 Aslak added protocol support\r
+- * \r
+- * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases\r
+- *\r
+- * 19/04/03 Robert Kerr Fixed root exploit\r
+- *\r
+- * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $\r
+- * \r
+- */\r
+-\r
+-#include <stdio.h>\r
+-#include <stdlib.h>\r
+-#include <string.h>\r
+-#include "setuid.h"\r
+-\r
+-FILE *ifacefile = NULL;\r
+-FILE *fwdfile = NULL;\r
+-FILE *ipfile = NULL;\r
+-\r
+-void exithandler(void)\r
+-{\r
+- if (fwdfile)\r
+- fclose(fwdfile);\r
+-}\r
+-\r
+-int main(void)\r
+-{\r
+- char iface[STRING_SIZE] = "";\r
+- char locip[STRING_SIZE] = "";\r
+- char s[STRING_SIZE] = "";\r
+- int count;\r
+- char *protocol;\r
+- char *destip;\r
+- char *remip;\r
+- char *locport;\r
+- char *enabled;\r
+- char *information;\r
+- char *result;\r
+- char command[STRING_SIZE];\r
+-\r
+- if (!(initsetuid()))\r
+- exit(1);\r
+-\r
+- atexit(exithandler);\r
+-\r
+- if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open local ip file\n");\r
+- exit(1);\r
+- }\r
+- if (fgets(locip, STRING_SIZE, ipfile))\r
+- {\r
+- if (locip[strlen(locip) - 1] == '\n')\r
+- locip[strlen(locip) - 1] = '\0';\r
+- }\r
+- fclose (ipfile);\r
+- if (!VALID_IP(locip))\r
+- {\r
+- fprintf(stderr, "Bad local IP: %s\n", locip);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open iface file\n");\r
+- exit(1);\r
+- }\r
+- if (fgets(iface, STRING_SIZE, ifacefile))\r
+- {\r
+- if (iface[strlen(iface) - 1] == '\n')\r
+- iface[strlen(iface) - 1] = '\0';\r
+- }\r
+- fclose (ifacefile);\r
+- if (!VALID_DEVICE(iface))\r
+- {\r
+- fprintf(stderr, "Bad iface: %s\n", iface);\r
+- exit(1);\r
+- }\r
+- \r
+- if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open xtaccess settings file\n");\r
+- exit(1);\r
+- }\r
+-\r
+- safe_system("/sbin/iptables -F XTACCESS");\r
+-\r
+- while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
+- {\r
+- if (s[strlen(s) - 1] == '\n')\r
+- s[strlen(s) - 1] = '\0';\r
+- count = 0;\r
+- protocol = NULL;\r
+- remip = NULL;\r
+- destip = NULL;\r
+- locport = NULL;\r
+- enabled = NULL;\r
+- information = NULL;\r
+- result = strtok(s, ",");\r
+- while (result)\r
+- {\r
+- if (count == 0)\r
+- protocol = result;\r
+- else if (count == 1)\r
+- remip = result;\r
+- else if (count == 2)\r
+- locport = result;\r
+- else if (count == 3)\r
+- enabled = result;\r
+- else if (count == 4)\r
+- destip = result;\r
+- else\r
+- information = result;\r
+- count++;\r
+- result = strtok(NULL, ",");\r
+- }\r
+-\r
+- if (!(protocol && remip && locport && enabled))\r
+- break;\r
+- \r
+- if (!VALID_PROTOCOL(protocol))\r
+- {\r
+- fprintf(stderr, "Bad protocol: %s\n", protocol);\r
+- exit(1);\r
+- }\r
+- if (!VALID_IP_AND_MASK(remip))\r
+- {\r
+- fprintf(stderr, "Bad remote IP: %s\n", remip);\r
+- exit(1);\r
+- }\r
+- if (!VALID_PORT_RANGE(locport))\r
+- {\r
+- fprintf(stderr, "Bad local port: %s\n", locport);\r
+- exit(1);\r
+- }\r
+-\r
+- /* check for destination ip in config file. If it's there\r
+- * and it's not 0.0.0.0, use it; else use the current\r
+- * local ip address. (This makes sure we can use old-style\r
+- * config files without the destination ip) */\r
+- if (!destip || !strcmp(destip, "0.0.0.0"))\r
+- destip = locip;\r
+- if (!VALID_IP(destip))\r
+- {\r
+- fprintf(stderr, "Bad destination IP: %s\n", remip);\r
+- exit(1);\r
+- }\r
+-\r
+- if (strcmp(enabled, "on") == 0)\r
+- {\r
+- memset(command, 0, STRING_SIZE);\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",\r
+- iface, protocol, remip, destip, locport);\r
+- safe_system(command);\r
+- }\r
+- }\r
+- \r
+- return 0;\r
+-}\r
+--
+1.7.10.4
+
--- /dev/null
+From 712fc4343f5b8334ce18c59460d5095bdb590508 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 28 Dec 2012 08:26:07 +0100
+Subject: [PATCH 002/302] Forward Firewall: added new files
+
+---
+ config/forwardfw/firewall-lib.pl | 252 +++++
+ config/forwardfw/rules.pl | 334 +++++++
+ config/fwhosts/icmp-types | 36 +
+ html/cgi-bin/forwardfw.cgi | 1772 ++++++++++++++++++++++++++++++++++
+ html/cgi-bin/fwhosts.cgi | 1970 ++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 4364 insertions(+)
+ create mode 100644 config/forwardfw/firewall-lib.pl
+ create mode 100755 config/forwardfw/rules.pl
+ create mode 100644 config/fwhosts/icmp-types
+ create mode 100755 html/cgi-bin/forwardfw.cgi
+ create mode 100755 html/cgi-bin/fwhosts.cgi
+
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+new file mode 100644
+index 0000000..24b990c
+--- /dev/null
++++ b/config/forwardfw/firewall-lib.pl
+@@ -0,0 +1,252 @@
++#!/usr/bin/perl
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2012 #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++
++
++use strict;
++no warnings 'uninitialized';
++
++package fwlib;
++
++my %customnetwork=();
++my %customhost=();
++my %customgrp=();
++my %customservice=();
++my %customservicegrp=();
++my %ccdnet=();
++my %ccdhost=();
++my %ipsecconf=();
++my %ipsecsettings=();
++my %netsettings=();
++my %ovpnsettings=();
++
++require '/var/ipfire/general-functions.pl';
++
++my $confignet = "${General::swroot}/fwhosts/customnetworks";
++my $confighost = "${General::swroot}/fwhosts/customhosts";
++my $configgrp = "${General::swroot}/fwhosts/customgroups";
++my $configsrv = "${General::swroot}/fwhosts/customservices";
++my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
++my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
++my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
++my $configipsec = "${General::swroot}/vpn/config";
++my $configovpn = "${General::swroot}/ovpn/settings";
++my $val;
++my $field;
++
++&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
++&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
++&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
++
++
++&General::readhasharray("$confignet", \%customnetwork);
++&General::readhasharray("$confighost", \%customhost);
++&General::readhasharray("$configgrp", \%customgrp);
++&General::readhasharray("$configccdnet", \%ccdnet);
++&General::readhasharray("$configccdhost", \%ccdhost);
++&General::readhasharray("$configipsec", \%ipsecconf);
++&General::readhasharray("$configsrv", \%customservice);
++&General::readhasharray("$configsrvgrp", \%customservicegrp);
++
++sub get_srv_prot
++{
++ my $val=shift;
++ foreach my $key (sort keys %customservice){
++ if($customservice{$key}[0] eq $val){
++ if ($customservice{$key}[0] eq $val){
++ return $customservice{$key}[2];
++ }
++ }
++ }
++}
++sub get_srvgrp_prot
++{
++ my $val=shift;
++ my @ips=();
++ my $tcp;
++ my $udp;
++ my $icmp;
++ foreach my $key (sort keys %customservicegrp){
++ if($customservicegrp{$key}[0] eq $val){
++ if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
++ $tcp=1;
++ }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){
++ $udp=1;
++ }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
++ $icmp=1;
++ }
++ }
++ }
++ if ($tcp eq '1'){push (@ips,'TCP');}
++ if ($udp eq '1'){push (@ips,'UDP');}
++ if ($icmp eq '1'){push (@ips,'ICMP');}
++ my $back=join(",",@ips);
++ return $back;
++
++}
++
++
++sub get_srv_port
++{
++ my $val=shift;
++ my $field=shift;
++ my $prot=shift;
++ foreach my $key (sort keys %customservice){
++ if($customservice{$key}[0] eq $val){
++ if($customservice{$key}[2] eq $prot){
++ return $customservice{$key}[$field];
++ }
++ }
++ }
++}
++sub get_srvgrp_port
++{
++ my $val=shift;
++ my $prot=shift;
++ my $back;
++ my $value;
++ my @ips=();
++ foreach my $key (sort keys %customservicegrp){
++ if($customservicegrp{$key}[0] eq $val){
++ if ($prot ne 'ICMP'){
++ $value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
++ }elsif ($prot eq 'ICMP'){
++ $value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
++ }
++ push (@ips,$value) if ($value ne '') ;
++ }
++ }
++ if($prot ne 'ICMP'){
++ if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
++ }elsif ($prot eq 'ICMP'){
++ $back="--icmp-type ";
++ }
++
++ $back.=join(",",@ips);
++ return $back;
++}
++sub get_ipsec_net_ip
++{
++ my $val=shift;
++ my $field=shift;
++ foreach my $key (sort keys %ipsecconf){
++ if($ipsecconf{$key}[1] eq $val){
++ return $ipsecconf{$key}[$field];
++ }
++ }
++}
++sub get_ipsec_host_ip
++{
++ my $val=shift;
++ my $field=shift;
++ foreach my $key (sort keys %ipsecconf){
++ if($ipsecconf{$key}[1] eq $val){
++ return $ipsecconf{$key}[$field];
++ }
++ }
++}
++sub get_ovpn_n2n_ip
++{
++ my $val=shift;
++ my $field=shift;
++ foreach my $key (sort keys %ccdhost){
++ if($ccdhost{$key}[1] eq $val){
++ return $ccdhost{$key}[$field];
++ }
++ }
++}
++sub get_ovpn_host_ip
++{
++ my $val=shift;
++ my $field=shift;
++ foreach my $key (sort keys %ccdhost){
++ if($ccdhost{$key}[1] eq $val){
++ return $ccdhost{$key}[$field];
++ }
++ }
++}
++sub get_ovpn_net_ip
++{
++
++ my $val=shift;
++ my $field=shift;
++ foreach my $key (sort keys %ccdnet){
++ if($ccdnet{$key}[0] eq $val){
++ return $ccdnet{$key}[$field];
++ }
++ }
++}
++sub get_grp_ip
++{
++ my $val=shift;
++ my $src=shift;
++ foreach my $key (sort keys %customgrp){
++ if ($customgrp{$key}[0] eq $val){
++ &get_address($customgrp{$key}[3],$src);
++ }
++ }
++
++}
++sub get_std_net_ip
++{
++ my $val=shift;
++ if ($val eq 'ALL'){
++ return "0.0.0.0/0.0.0.0";
++ }elsif($val eq 'GREEN'){
++ return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
++ }elsif($val eq 'ORANGE'){
++ return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
++ }elsif($val eq 'BLUE'){
++ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
++ }elsif($val =~ /OpenVPN/i){
++ return "$ovpnsettings{'DOVPN_SUBNET'}";
++ }elsif($val =~ /IPsec/i){
++ return "$ipsecsettings{'RW_NET'}";
++ }
++}
++sub get_net_ip
++{
++ my $val=shift;
++ foreach my $key (sort keys %customnetwork){
++ if($customnetwork{$key}[0] eq $val){
++ return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
++ }
++ }
++}
++sub get_host_ip
++{
++ my $val=shift;
++ my $src=shift;
++ foreach my $key (sort keys %customhost){
++ if($customhost{$key}[0] eq $val){
++ if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
++ return "-m mac --mac-source $customhost{$key}[2]";
++ }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
++ return "$customhost{$key}[2]";
++ }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
++ return "$customhost{$key}[2]";
++ }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
++ return "none";
++ }
++ }
++ }
++}
++
++return 1;
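Review bot: `get_grp_ip` calls `&get_address(...)` unqualified from inside `package fwlib`, but this file defines no `get_address`; the only one in this series is in rules.pl (package main) and takes three arguments, so the call would die with an undefined-subroutine error if `get_grp_ip` were ever reached. Either drop the sub (rules.pl expands groups itself in `buildrules`) or call `&main::get_address($customgrp{$key}[3],$customgrp{$key}[2],$src);`. In `get_srvgrp_port`, `$#ips gt 0` is a string comparison on a number and should read `$#ips > 0`, and the duplicated inner `if` in `get_srv_prot` can go. None of the getters validate what they return, yet rules.pl pastes those strings into an iptables command line, so a header comment stating that the values come straight from the config files and are not checked here would tell the next reader where validation has to happen.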
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+new file mode 100755
+index 0000000..d6bd3c9
+--- /dev/null
++++ b/config/forwardfw/rules.pl
+@@ -0,0 +1,334 @@
++#!/usr/bin/perl
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2012 #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++# #
++# Hi folks! I hope this code is useful for all. I needed something to handle #
++# my VPN Connections in a comfortable way. #
++# This script builds firewallrules from the webinterface #
++###############################################################################
++
++
++use strict;
++no warnings 'uninitialized';
++
++# enable only the following on debugging purpose
++#use warnings;
++#use CGI::Carp 'fatalsToBrowser';
++
++my %fwdfwsettings=();
++my %defaultNetworks=();
++my %configfwdfw=();
++my %color=();
++my %icmptypes=();
++my %ovpnSettings=();
++my %customgrp=();
++our %sourcehash=();
++our %targethash=();
++my @timeframe=();
++my %configinputfw=();
++my %aliases=();
++my @DPROT=();
++require '/var/ipfire/general-functions.pl';
++require "${General::swroot}/lang.pl";
++require "${General::swroot}/forward/bin/firewall-lib.pl";
++
++my $configfwdfw = "${General::swroot}/forward/config";
++my $configinput = "${General::swroot}/forward/input";
++my $configgrp = "${General::swroot}/fwhosts/customgroups";
++my $errormessage='';
++my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
++my $CHAIN="FORWARDFW";
++
++
++&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++&General::readhasharray($configfwdfw, \%configfwdfw);
++&General::readhasharray($configinput, \%configinputfw);
++&General::readhasharray($configgrp, \%customgrp);
++&General::get_aliases(\%aliases);
++
++################################
++# DEBUG/TEST #
++################################
++my $MODE=0; # 0 - normal operation
++ # 1 - print configline and rules to console
++ #
++################################
++my $param=shift;
++
++if($param eq 'flush'){
++ if ($MODE eq '1'){
++ print " Flushing chains...\n";
++ }
++ &flush;
++}else{
++ if ($MODE eq '1'){
++ print " Flushing chains...\n";
++ }
++ &flush;
++ if ($MODE eq '1'){
++ print " Preparing rules...\n";
++ }
++ &preparerules;
++ if($MODE eq '0'){
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
++ system ("iptables -A $CHAIN -j DROP");
++ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ system ("iptables -A $CHAIN -j ACCEPT");
++ }
++ }
++}
++
++sub flush
++{
++ system ("iptables -F FORWARDFW");
++ system ("iptables -F INPUTFW");
++}
++sub preparerules
++{
++ if (! -z "${General::swroot}/forward/config"){
++ &buildrules(\%configfwdfw);
++ }
++ if (! -z "${General::swroot}/forward/input"){
++ &buildrules(\%configinputfw);
++ }
++}
++sub buildrules
++{
++ my $hash=shift;
++ foreach my $key (sort keys %$hash){
++ if($$hash{$key}[2] eq 'ON'){
++ #get source ip's
++ if ($$hash{$key}[3] eq 'cust_grp_src'){
++ foreach my $grp (sort keys %customgrp){
++ if($customgrp{$grp}[0] eq $$hash{$key}[4]){
++ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
++ }
++ }
++ }else{
++ &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
++ }
++ #get target ip's
++ if ($$hash{$key}[5] eq 'cust_grp_tgt'){
++ foreach my $grp (sort keys %customgrp){
++ if($customgrp{$grp}[0] eq $$hash{$key}[6]){
++ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
++ }
++ }
++ }elsif($$hash{$key}[5] eq 'ipfire'){
++
++ if($$hash{$key}[6] eq 'Default IP'){
++ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
++ $targethash{$key}[0]= <FILE>;
++ close(FILE);
++ }else{
++ foreach my $alias (sort keys %aliases){
++ if ($$hash{$key}[6] eq $alias){
++ $targethash{$key}[0]=$aliases{$alias}{'IPT'};
++ }
++ }
++ }
++ }else{
++ &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
++ }
++
++ ##get source prot and port
++ $SRC_TGT='SRC';
++ $SPROT = &get_prot($hash,$key);
++ $SPORT = &get_port($hash,$key);
++ $SRC_TGT='';
++
++ ##get target prot and port
++ $DPROT=&get_prot($hash,$key);
++
++ if ($DPROT eq ''){$DPROT=' ';}
++ @DPROT=split(",",$DPROT);
++
++
++ #get time if defined
++ if($$hash{$key}[18] eq 'ON'){
++ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
++ if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
++ if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
++ if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
++ if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
++ if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
++ if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
++ $TIME=join(",",@timeframe);
++ $TIMEFROM="--timestart $$hash{$key}[26] ";
++ $TIMETILL="--timestop $$hash{$key}[27] ";
++ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
++ }
++
++ if ($MODE eq '1'){
++ print "NR:$key ";
++ foreach my $i (0 .. $#{$$hash{$key}}){
++ print "$i: $$hash{$key}[$i] ";
++ }
++ print "\n";
++ print"##################################\n";
++ #print rules to console
++
++ foreach my $DPROT (@DPROT){
++ $DPORT = &get_port($hash,$key,$DPROT);
++ if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
++ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
++ foreach my $a (sort keys %sourcehash){
++ foreach my $b (sort keys %targethash){
++ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
++ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
++ if ($$hash{$key}[17] eq 'ON'){
++ print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ }
++ print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ }
++ }
++ }
++ }
++ print"\n";
++ }
++
++ }elsif($MODE eq '0'){
++ foreach my $DPROT (@DPROT){
++ $DPORT = &get_port($hash,$key,$DPROT);
++ if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
++ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
++ foreach my $a (sort keys %sourcehash){
++ foreach my $b (sort keys %targethash){
++ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
++ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
++ if ($$hash{$key}[17] eq 'ON'){
++ system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
++ }
++ system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
++ }
++ }
++ }
++ }
++ print"\n";
++ }
++ }
++ }
++ %sourcehash=();
++ %targethash=();
++ undef $TIME;
++ undef $TIMEFROM;
++ undef $TIMETILL;
++ }
++}
++sub get_address
++{
++ my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
++ my $base2=shift;
++ my $type=shift; #src or tgt
++ my $hash;
++ if ($type eq 'src'){
++ $hash=\%sourcehash;
++ }else{
++ $hash=\%targethash;
++ }
++ my $key = &General::findhasharraykey($hash);
++ if($base eq 'src_addr' || $base eq 'tgt_addr' ){
++ $$hash{$key}[0] = $configfwdfw{$key}[4];
++ }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
++ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
++ }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
++ $$hash{$key}[0]=&fwlib::get_net_ip($base2);
++ }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
++ $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
++ }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
++ $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
++ }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
++ $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
++ }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
++ $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
++ }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
++ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
++ }
++}
++sub get_prot
++{
++ my $hash=shift;
++ my $key=shift;
++ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
++ if ($$hash{$key}[10] ne ''){
++ return"$$hash{$key}[8]";
++ }elsif($$hash{$key}[9] ne ''){
++ return"$$hash{$key}[8]";
++ }else{
++ return "$$hash{$key}[8]";
++ }
++ }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
++ if ($$hash{$key}[14] eq 'TGT_PORT'){
++ if ($$hash{$key}[15] ne ''){
++ return "$$hash{$key}[12]";
++ }elsif($$hash{$key}[13] ne ''){
++ return "$$hash{$key}[12]";
++ }else{
++ return "$$hash{$key}[12]";
++ }
++ }elsif($$hash{$key}[14] eq 'cust_srv'){
++ return &fwlib::get_srv_prot($$hash{$key}[15]);
++
++ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
++ return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
++ }
++ }
++}
++sub get_port
++{
++ my $hash=shift;
++ my $key=shift;
++ my $prot=shift;
++ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
++ if ($$hash{$key}[10] ne ''){
++ return "--sport $$hash{$key}[10] ";
++ }elsif($$hash{$key}[9] ne ''){
++ return "--icmp-type $$hash{$key}[9] ";
++ }
++ }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
++
++ if($$hash{$key}[14] eq 'TGT_PORT'){
++ if ($$hash{$key}[15] ne ''){
++ return "--dport $$hash{$key}[15] ";
++ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
++ return "--icmp-type $$hash{$key}[13] ";
++ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
++ return;
++ }
++ }elsif($$hash{$key}[14] eq 'cust_srv'){
++ if ($prot ne 'ICMP'){
++ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
++ }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
++ return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
++ }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
++ return;
++ }
++ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
++ if ($prot ne 'ICMP'){
++ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
++ }
++ elsif($prot eq 'ICMP'){
++ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
++ }
++
++
++ }
++ }
++}
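Review bot: Every rule is applied with single-string `system ("iptables -A $$hash{$key}[1] ... -j $$hash{$key}[0]")`, so fields read from `forward/config` and `forward/input` pass through a shell unvalidated and `iptables` is resolved via PATH; the deleted setdmzholes.c and setxtaccess.c checked each field (`VALID_PROTOCOL`, `VALID_IP_AND_MASK`, `VALID_PORT_RANGE`) before calling `safe_system`. Use list-form `system` with `/sbin/iptables` as sketched below, check the exit status, and validate the chain, target, address and port fields against anchored patterns first, since tokenising alone still lets a malformed field add iptables options. The `flush` sub and the policy rule use the same string form and want the same treatment. Two smaller defects in `buildrules`: `$targethash{$key}[0]= <FILE>;` keeps the trailing newline (the old C helper stripped it from the same file), which would break the command line, so add `chomp($targethash{$key}[0]);`. Also, `@timeframe` is never emptied in the per-rule reset, so weekdays accumulate from one rule to the next; add `@timeframe=();` next to `%sourcehash=();`.

```perl
# … unchanged: address, protocol, port and time resolution; MODE 1 printing …
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
	# List-form system() runs iptables directly, without a shell.
	my @match = split(' ', "$PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME");
	my @rule  = ('/sbin/iptables', '-A', $$hash{$key}[1], @match);
	if ($$hash{$key}[17] eq 'ON'){
		system(@rule, '-j', 'LOG') == 0 or warn "rules.pl: LOG rule for entry $key failed\n";
	}
	system(@rule, '-j', $$hash{$key}[0]) == 0 or warn "rules.pl: rule for entry $key failed\n";
}
```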
+diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types
+new file mode 100644
+index 0000000..d41cdbf
+--- /dev/null
++++ b/config/fwhosts/icmp-types
+@@ -0,0 +1,36 @@
++0,echo-reply (pong),0
++1,destination-unreachable,3
++2,network-unreachable,3/0
++3,host-unreachable,3/1
++4,protocol-unreachable,3/2
++5,port-unreachable,3/3
++6,fragmentation-needed,3/4
++7,source-route-failed,3/5
++8,network-unknown,3/6
++9,host-unknown,3/7
++10,network-prohibited,3/9
++11,host-prohibited,3/10
++12,TOS-network-unreachable,3/11
++13,TOS-host-unreachable,3/12
++14,communication-prohibited,3/13
++15,host-precedence-violation,3/14
++16,precedence-cutoff,3/15
++17,source-quench,4
++18,redirect,5
++19,network-redirect,5/0
++20,host-redirect,5/1
++21,TOS-network-redirect,5/2
++22,TOS-host-redirect,5/3
++23,echo-request (ping),8
++24,router-advertisement,9
++25,router-solicitation,10
++26,time-exceeded (ttl-exceeded),11
++27,ttl-zero-during-transit,11/0
++28,ttl-zero-during-reassembly,11/1
++29,parameter-problem,12
++30,ip-header-bad,12/0
++31,required-option-missing,12/1
++32,timestamp-request,13
++33,timestamp-reply,14
++34,address-mask-request,17
++35,address-mask-reply,18
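Review bot: The name column of three entries carries a parenthesised alias with an embedded space (`echo-reply (pong)`, `echo-request (ping)`, `time-exceeded (ttl-exceeded)`), and further down this page checksource in forwardfw.cgi stores that column as ICMP_TYPES while get_port interpolates the stored value directly after `--icmp-type`. If readhasharray maps the second field to index 0, as the comparison in checksource suggests, such rules would be emitted as `--icmp-type echo-reply (pong) `, which is not a single valid type name and would put parentheses into the rule string should it ever pass through a shell (how the string is executed is not visible here). Keeping the column to one token avoids this at the data level: `0,echo-reply,0`, `23,echo-request,8`, `26,time-exceeded,11`. Alternatively the CGI could store the numeric third column rather than the display label.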
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+new file mode 100755
+index 0000000..be2f0cf
+--- /dev/null
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -0,0 +1,1772 @@
++#!/usr/bin/perl
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2012 #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++# #
++# Hi folks! I hope this code is useful for all. I needed something to handle #
++# my VPN Connections in a comfortable way. As a prerequisite i needed #
++# something that makes sure the vpn roadwarrior are able to have a fixed #
++# ip-address. So i developed the ccd extension for the vpn server. #
++# #
++# Now that the ccd extension is ready i am able to develop the main request. #
++# Any feedback is appreciated. #
++# #
++# #
++###############################################################################
++
++use strict;
++no warnings 'uninitialized';
++# enable only the following on debugging purpose
++#use warnings;
++#use CGI::Carp 'fatalsToBrowser';
++
++require '/var/ipfire/general-functions.pl';
++require "${General::swroot}/lang.pl";
++require "${General::swroot}/header.pl";
++require "${General::swroot}/forward/bin/firewall-lib.pl";
++
++unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/forward"); }
++unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); }
++unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
++unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++
++my %fwdfwsettings=();
++my %selected=() ;
++my %defaultNetworks=();
++my %netsettings=();
++my %customhost=();
++my %customgrp=();
++my %customnetworks=();
++my %customservice=();
++my %customservicegrp=();
++my %ccdnet=();
++my %customnetwork=();
++my %ccdhost=();
++my %configfwdfw=();
++my %configinputfw=();
++my %ipsecconf=();
++my %color=();
++my %mainsettings=();
++my %checked=();
++my %icmptypes=();
++my %ovpnsettings=();
++my %ipsecsettings=();
++my %aliases=();
++my $color;
++my $confignet = "${General::swroot}/fwhosts/customnetworks";
++my $confighost = "${General::swroot}/fwhosts/customhosts";
++my $configgrp = "${General::swroot}/fwhosts/customgroups";
++my $configsrv = "${General::swroot}/fwhosts/customservices";
++my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
++my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
++my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
++my $configipsec = "${General::swroot}/vpn/config";
++my $configipsecrw = "${General::swroot}/vpn/settings";
++my $configfwdfw = "${General::swroot}/forward/config";
++my $configinput = "${General::swroot}/forward/input";
++my $configovpn = "${General::swroot}/ovpn/settings";
++
++my $errormessage='';
++my $hint='';
++my $ipgrp="${General::swroot}/outgoing/groups";
++
++
++&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++&General::readhash("${General::swroot}/main/settings", \%mainsettings);
++&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
++
++&Header::showhttpheaders();
++&Header::getcgihash(\%fwdfwsettings);
++&Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
++&Header::openbigbox('100%', 'center',$errormessage);
++#### ACTION #####
++
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
++{
++ my $MODE = $fwdfwsettings{'POLICY'};
++ %fwdfwsettings = ();
++ $fwdfwsettings{'POLICY'} = "$MODE";
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ &reread_rules;
++}
++if ($fwdfwsettings{'ACTION'} eq 'saverule')
++{
++ &General::readhasharray("$configfwdfw", \%configfwdfw);
++ &General::readhasharray("$configinput", \%configinputfw);
++ $errormessage=&checksource;
++ if(!$errormessage){&checktarget;}
++ if(!$errormessage){&checkrule;}
++
++ #check if we change an forward rule to an external access
++ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){
++ $fwdfwsettings{'updatefwrule'}='';
++ $fwdfwsettings{'config'}=$configfwdfw;
++ $fwdfwsettings{'nobase'}='on';
++ &deleterule;
++ }
++
++ #check if we change an external access rule to an forward
++ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){
++ $fwdfwsettings{'updatefwrule'}='';
++ $fwdfwsettings{'config'}=$configinput;
++ $fwdfwsettings{'nobase'}='on';
++ &deleterule;
++ }
++
++ #INPUT part
++ if($fwdfwsettings{'grp2'} eq 'ipfire'){
++ $fwdfwsettings{'chain'} = 'INPUTFW';
++ #check if we have an identical rule already
++ foreach my $key (sort keys %configinputfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ($fwdfwsettings{'nobase'} ne 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ }
++
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++
++ if ($fwdfwsettings{'nobase'} eq 'on'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++
++
++ &saverule(\%configinputfw,$configinput);
++
++ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
++ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
++ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
++ #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++ #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}<br>";
++ #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}<br>";
++ #print " Regel LOG: $fwdfwsettings{'LOG'}<br>";
++ #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}<br>";
++ #print " MO: $fwdfwsettings{'TIME_MON'}<br>";
++ #print " DI: $fwdfwsettings{'TIME_TUE'}<br>";
++ #print " MI: $fwdfwsettings{'TIME_WED'}<br>";
++ #print " DO: $fwdfwsettings{'TIME_THU'}<br>";
++ #print " FR: $fwdfwsettings{'TIME_FRI'}<br>";
++ #print " SA: $fwdfwsettings{'TIME_SAT'}<br>";
++ #print " SO: $fwdfwsettings{'TIME_SUN'}<br>";
++ #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}<br>";
++ #print "<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++
++
++
++ }else{
++ $fwdfwsettings{'chain'} = 'FORWARDFW';
++ #check if we have an identical rule already
++ foreach my $key (sort keys %configfwdfw){
++
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ #increase counters
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++
++ if ($fwdfwsettings{'nobase'} eq 'on'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++
++
++ &saverule(\%configfwdfw,$configfwdfw);
++
++ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
++ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
++ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
++ #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++ #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}<br>";
++ #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}<br>";
++ #print " Regel LOG: $fwdfwsettings{'LOG'}<br>";
++ #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}<br>";
++ #print " MO: $fwdfwsettings{'TIME_MON'}<br>";
++ #print " DI: $fwdfwsettings{'TIME_TUE'}<br>";
++ #print " MI: $fwdfwsettings{'TIME_WED'}<br>";
++ #print " DO: $fwdfwsettings{'TIME_THU'}<br>";
++ #print " FR: $fwdfwsettings{'TIME_FRI'}<br>";
++ #print " SA: $fwdfwsettings{'TIME_SAT'}<br>";
++ #print " SO: $fwdfwsettings{'TIME_SUN'}<br>";
++ #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}<br>";
++ #print "<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
++ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++
++
++
++ }
++ if ($errormessage){
++ &newrule;
++ }else{
++ &rules;
++ &base;
++ }
++
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
++{
++ &General::readhasharray("$configfwdfw", \%configfwdfw);
++ foreach my $key (sort keys %configfwdfw){
++ &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,);
++ &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
++ &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
++ }
++ &General::readhasharray("$configinput", \%configinputfw);
++ foreach my $key (sort keys %configinputfw){
++ &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
++ &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
++ &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
++ }
++ $fwdfwsettings{'POLICY'}='MODE0';
++ system("rm ${General::swroot}/forward/config");
++ system("rm ${General::swroot}/forward/input");
++ %fwdfwsettings = ();
++
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
++ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++
++ &reread_rules;
++
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'})
++{
++ &newrule;
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw toggle'})
++{
++ my %togglehash=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%togglehash);
++ foreach my $key (sort keys %togglehash){
++ if ($key eq $fwdfwsettings{'key'}){
++ if ($togglehash{$key}[2] eq 'ON'){$togglehash{$key}[2]='';}else{$togglehash{$key}[2]='ON';}
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%togglehash);
++ &rules;
++ &base;
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw togglelog'})
++{
++ my %togglehash=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%togglehash);
++ foreach my $key (sort keys %togglehash){
++ if ($key eq $fwdfwsettings{'key'}){
++ if ($togglehash{$key}[17] eq 'ON'){$togglehash{$key}[17]='';}else{$togglehash{$key}[17]='ON';}
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%togglehash);
++ &rules;
++ &base;
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
++{
++ &reread_rules;
++ &base;
++}
++if ($fwdfwsettings{'ACTION'} eq 'editrule')
++{
++ $fwdfwsettings{'updatefwrule'}='on';
++ &newrule;
++}
++if ($fwdfwsettings{'ACTION'} eq 'deleterule')
++{
++ &deleterule;
++}
++if ($fwdfwsettings{'ACTION'} eq 'moveup')
++{
++ &pos_up;
++ &base;
++}
++if ($fwdfwsettings{'ACTION'} eq 'movedown')
++{
++ &pos_down;
++ &base;
++}
++if ($fwdfwsettings{'ACTION'} eq 'copyrule')
++{
++ $fwdfwsettings{'copyfwrule'}='on';
++ #$fwdfwsettings{'updatefwrule'}='on';
++ &newrule;
++}
++if ($fwdfwsettings{'ACTION'} eq '')
++{
++ &base;
++}
++### Functions ####
++sub pos_up
++{
++ my %uphash=();
++ my %tmp=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%uphash);
++ foreach my $key (sort keys %uphash){
++ if ($key eq $fwdfwsettings{'key'}) {
++ my $last = $key -1;
++ if (exists $uphash{$last}){
++ #save rule last
++ foreach my $y (0 .. $#{$uphash{$last}}) {
++ $tmp{0}[$y] = $uphash{$last}[$y];
++ }
++ #copy active rule to last
++ foreach my $i (0 .. $#{$uphash{$last}}) {
++ $uphash{$last}[$i] = $uphash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $uphash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%uphash);
++ &rules;
++}
++sub pos_down
++{
++ my %downhash=();
++ my %tmp=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%downhash);
++ foreach my $key (sort keys %downhash){
++ if ($key eq $fwdfwsettings{'key'}) {
++ my $next = $key + 1;
++ if (exists $downhash{$next}){
++ #save rule next
++ foreach my $y (0 .. $#{$downhash{$next}}) {
++ $tmp{0}[$y] = $downhash{$next}[$y];
++ }
++ #copy active rule to next
++ foreach my $i (0 .. $#{$downhash{$next}}) {
++ $downhash{$next}[$i] = $downhash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $downhash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%downhash);
++ &rules;
++}
++sub checkcounter
++{
++ my ($base1,$val1,$base2,$val2) = @_;
++
++ if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){
++ &dec_counter($confignet,\%customnetwork,$val1);
++ }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){
++ &dec_counter($confighost,\%customhost,$val1);
++ }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){
++ &dec_counter($configgrp,\%customgrp,$val1);
++ }elsif($base1 eq 'cust_srv'){
++ &dec_counter($configsrv,\%customservice,$val1);
++ }elsif($base1 eq 'cust_srvgrp'){
++ &dec_counter($configsrvgrp,\%customservicegrp,$val1);
++ }
++
++ if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
++ &inc_counter($confignet,\%customnetwork,$val2);
++ }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
++ &inc_counter($confighost,\%customhost,$val2);
++ }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){
++ &inc_counter($configgrp,\%customgrp,$val2);
++ }elsif($base2 eq 'cust_srv'){
++ &inc_counter($configsrv,\%customservice,$val2);
++ }elsif($base2 eq 'cust_srvgrp'){
++ &inc_counter($configsrvgrp,\%customservicegrp,$val2);
++ }
++}
++sub inc_counter
++{
++ my $config=shift;
++ my %hash=%{(shift)};
++ my $val=shift;
++ my $pos;
++
++ &General::readhasharray($config, \%hash);
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ $pos=$#{$hash{$key}};
++ $hash{$key}[$pos] = $hash{$key}[$pos]+1;
++
++ }
++ }
++ &General::writehasharray($config, \%hash);
++}
++sub dec_counter
++{
++ my $config=shift;
++ my %hash=%{(shift)};
++ my $val=shift;
++ my $pos;
++ #$errormessage.="ALT:config: $config , verringert wird $val <br>";
++ &General::readhasharray($config, \%hash);
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ $pos=$#{$hash{$key}};
++ $hash{$key}[$pos] = $hash{$key}[$pos]-1;
++
++ }
++ }
++ &General::writehasharray($config, \%hash);
++}
++sub base
++{
++
++ if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; }
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
++
++ &hint;
++ if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') {
++ &addrule;
++ }
++
++ #print"<table width='100' border='1'><tr>";
++ #foreach (0 .. 40){
++ #my $i="color".$_;
++ #print"<td bgcolor='$color{$i}'>$_</td>";
++ #}
++ #print"</tr></table>";
++ &Header::openbox('100%', 'center', 'Policy');
++print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <table width='100%'>
++ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 0:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode0'}</td></tr>
++ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 1:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode1'}</td></tr>
++ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr>
++ <tr><td colspan='3'><hr /></td></tr>
++ <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px"><option value='MODE0' $selected{'POLICY'}{'MODE0'}>$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
++ <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
++ <td width='45%' align='left'>
++END
++ if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) {
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
++ }
++print "</table></form>";
++ &Header::closebox();
++}
++sub addrule
++{
++ &error;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
++
++ print "<form method='post'>";
++ print "<table border='0'>";
++ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
++ if (-f "${General::swroot}/forward/reread"){
++ print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'></td>";
++ }
++ print"</tr></table></form><hr>";
++
++ &Header::closebox();
++ &viewtablerule;
++
++}
++sub deleterule
++{
++ my %delhash=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
++ foreach my $key (sort keys %delhash){
++ if ($key eq $fwdfwsettings{'key'}){
++ #check hosts/net and groups
++ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
++ &checkcounter($delhash{$key}[5],$delhash{$key}[6],,);
++ #check services and groups
++ if ($delhash{$key}[11] eq 'ON'){
++ &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
++ }
++ }
++
++ if ($key ge $fwdfwsettings{'key'}) {
++ my $next = $key + 1;
++ if (exists $delhash{$next}) {
++ foreach my $i (0 .. $#{$configfwdfw{$next}}) {
++ $delhash{$key}[$i] = $delhash{$next}[$i];
++ }
++ }
++ }
++ }
++ # Remove the very last entry.
++ my $last_key = (sort keys %delhash)[-1];
++ delete $delhash{$last_key};
++
++ &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
++ &rules;
++ if($fwdfwsettings{'nobase'} ne 'on'){
++ &base;
++ }
++}
++sub disable_rule
++{
++ my $key1=shift;
++ &General::readhasharray("$configfwdfw", \%configfwdfw);
++ foreach my $key (sort keys %configfwdfw){
++ if ($key eq $key1 ){
++ if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';}
++ }
++ }
++ &General::writehasharray("$configfwdfw", \%configfwdfw);
++ &rules;
++
++}
++sub checksource
++{
++ my ($ip,$subnet);
++
++ #check ip-address if manual
++ if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
++ #check if ip with subnet
++ if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) {
++ ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'});
++ $subnet = &General::iporsubtocidr($subnet);
++ }
++ #check if only ip
++ if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $ip=$fwdfwsettings{'src_addr'};
++ $subnet = '32';
++ }
++ #check and form valid IP
++ $ip=&General::ip2dec($ip);
++ $ip=&General::dec2ip($ip);
++ #check if net or broadcast
++ my @tmp= split (/\./,$ip);
++ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
++ {
++ $errormessage=$Lang::tr{'fwhost err hostip'};
++ }
++ $fwdfwsettings{'src_addr'}="$ip/$subnet";
++
++ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
++ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
++ }
++ }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
++ $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
++ return $errormessage;
++ }
++
++ #check empty fields
++ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."<br>";}
++ #check icmp source
++ if ($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ICMP'){
++ $fwdfwsettings{'SRC_PORT'}='';
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ foreach my $key (keys %icmptypes){
++ if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0] ($icmptypes{$key}[1])"){
++ $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]";
++ }
++ }
++ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){
++ $fwdfwsettings{'ICMP_TYPES'}='';
++ }else{
++ $fwdfwsettings{'ICMP_TYPES'}='';
++ $fwdfwsettings{'SRC_PORT'}='';
++ $fwdfwsettings{'PROT'}='';
++ }
++
++ if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){
++ #change dashes with :
++ $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/;
++
++ if ($fwdfwsettings{'SRC_PORT'} eq "*") {
++ $fwdfwsettings{'SRC_PORT'} = "1:65535";
++ }
++ if ($fwdfwsettings{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) {
++ $fwdfwsettings{'SRC_PORT'} = "1:$2";
++ }
++ if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
++ $fwdfwsettings{'SRC_PORT'} = "$1:65535";
++ }
++
++ $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src');
++ }
++ return $errormessage;
++}
++sub checktarget
++{
++ my ($ip,$subnet);
++
++
++ if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
++ #check if ip with subnet
++ if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) {
++ ($ip,$subnet)=split (/\//,$fwdfwsettings{'tgt_addr'});
++ $subnet = &General::iporsubtocidr($subnet);
++ }
++ #check if only ip
++ if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $ip=$fwdfwsettings{'tgt_addr'};
++ $subnet='32';
++ }
++ #check and form valid IP
++ $ip=&General::ip2dec($ip);
++ $ip=&General::dec2ip($ip);
++
++ #check if net or broadcast
++ my @tmp= split (/\./,$ip);
++ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
++ {
++ $errormessage=$Lang::tr{'fwhost err hostip'};
++ }
++ $fwdfwsettings{'tgt_addr'}=$ip."/".$subnet;
++
++ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
++ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
++ }
++
++ }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
++ $errormessage.=$Lang::tr{'fwdfw err notgtip'};
++ return $errormessage;
++ }
++
++ #check empty fields
++ if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."<br>";}
++
++ #check tgt services
++ if ($fwdfwsettings{'USESRV'} eq 'ON'){
++ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
++ $fwdfwsettings{'TGT_PROT'}='';
++ $fwdfwsettings{'ICMP_TGT'}='';
++ }
++ if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){
++ $fwdfwsettings{'TGT_PROT'}='';
++ $fwdfwsettings{'ICMP_TGT'}='';
++ #check target service
++ if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq ''){
++ $errormessage.=$Lang::tr{'fwdfw err tgt_grp'};
++ }
++ }
++ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
++ if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){
++ if ($fwdfwsettings{'TGT_PORT'} ne ''){
++ #change dashes with :
++ $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/;
++ if ($fwdfwsettings{'TGT_PORT'} eq "*") {
++ $fwdfwsettings{'TGT_PORT'} = "1:65535";
++ }
++ if ($fwdfwsettings{'TGT_PORT'} =~ /^(\D)\:(\d+)$/) {
++ $fwdfwsettings{'TGT_PORT'} = "1:$2";
++ }
++ if ($fwdfwsettings{'TGT_PORT'} =~ /^(\d+)\:(\D)$/) {
++ $fwdfwsettings{'TGT_PORT'} = "$1:65535";
++ }
++ $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination');
++ }
++ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ foreach my $key (keys %icmptypes){
++
++ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){
++
++ $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0];
++ }
++ }
++ }
++ }
++ }
++
++ #check targetport
++ if ($fwdfwsettings{'USESRV'} ne 'ON'){
++ $fwdfwsettings{'grp3'}='';
++ $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
++ $fwdfwsettings{'TGT_PROT'}='';
++ $fwdfwsettings{'ICMP_TGT'}='';
++ }
++
++
++ #check timeframe
++ if($fwdfwsettings{'TIME'} eq 'ON'){
++ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){
++ $errormessage=$Lang::tr{'fwdfw err time'};
++ }
++ }
++
++
++
++ return $errormessage;
++}
++sub checkrule
++{
++ #check valid remark
++ if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage.=$Lang::tr{'fwdfw err remark'}."<br>";
++ }
++ #check if source and target identical
++ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}}){
++ $errormessage.=$Lang::tr{'fwdfw err same'};
++ return $errormessage;
++ }
++
++ #get source and targetip address if possible
++ my ($sip,$scidr,$tip,$tcidr);
++ ($sip,$scidr)=&get_ip("src","grp1");
++ ($tip,$tcidr)=&get_ip("tgt","grp2");
++
++
++
++ #check same iprange in source and target
++ if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){
++
++ my $networkip1=&General::getnetworkip($sip,$scidr);
++ my $networkip2=&General::getnetworkip($tip,$tcidr);
++ if ($scidr gt $tcidr){
++ if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){
++ $errormessage.=$Lang::tr{'fwdfw err samesub'};
++ }
++ }elsif($scidr eq $tcidr && $scidr eq '32'){
++ my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1);
++ my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2);
++ if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){
++ $hint=$Lang::tr{'fwdfw hint ip1'}."<br>";
++ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target:$networkip2/$tcidr<br>";
++ }
++
++ }else{
++ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
++ $errormessage.=$Lang::tr{'fwdfw err samesub'};
++ }
++ }
++ }
++
++ #check source and destination protocol if manual
++ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
++ $errormessage.=$Lang::tr{'fwdfw err prot'};
++ }
++ #check source and destination protocol if source manual and dest servicegrp
++ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (sort keys %customservice){
++ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
++ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
++ $errormessage.=$Lang::tr{'fwdfw err prot'};
++ last;
++ }
++ }
++ }
++ }
++ }
++
++}
++sub get_ip
++{
++ my $val=shift;
++ my $grp =shift;
++ my $a;
++ my $b;
++ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
++ if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){
++ if ($fwdfwsettings{$grp} eq $val.'_addr'){
++ ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}});
++ }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){
++ if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){
++ $a=$netsettings{'GREEN_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){
++ $a=$netsettings{'ORANGE_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){
++ $a=$netsettings{'BLUE_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){
++ &General::readhash("$configovpn",\%ovpnsettings);
++ ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'});
++ $b=&General::iporsubtocidr($b);
++ }
++ }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key (keys %customnetwork){
++ if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
++ $a=$customnetwork{$key}[1];
++ $b=&General::iporsubtocidr($customnetwork{$key}[2]);
++ }
++ }
++ }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (keys %customhost){
++ if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
++ if ($customhost{$key}[1] eq 'ip'){
++ ($a,$b)=split (/\//,$customhost{$key}[2]);
++ $b=&General::iporsubtocidr($b);
++ }else{
++ if ($grp eq 'grp2'){
++ $errormessage=$Lang::tr{'fwdfw err tgt_mac'};
++ }
++ }
++ }
++ }
++ }
++ }
++
++ return $a,$b;
++}
++sub newrule
++{
++ &error;
++ &General::setup_default_networks(\%defaultNetworks);
++ #read all configfiles
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ &General::readhasharray("$confignet", \%customnetwork);
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ &General::readhasharray("$confighost", \%customhost);
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ &General::readhasharray("$configgrp", \%customgrp);
++ &General::readhasharray("$configipsec", \%ipsecconf);
++ &General::get_aliases(\%aliases);
++
++
++ my %checked=();
++ my $helper;
++ if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;}
++ my $config=$fwdfwsettings{'config'};
++ my %hash=();
++
++ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
++ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
++ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
++ $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED';
++ $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED';
++ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
++ $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED';
++ $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED';
++ $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED';
++ $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED';
++ $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED';
++ $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED';
++ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
++ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
++ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
++ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++
++ #check if update and get values
++ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
++ &General::readhasharray("$config", \%hash);
++ foreach my $key (sort keys %hash){
++ if ($key eq $fwdfwsettings{'key'}){
++ $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0];
++ $fwdfwsettings{'ACTIVE'} = $hash{$key}[2];
++ $fwdfwsettings{'grp1'} = $hash{$key}[3];
++ $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4];
++ $fwdfwsettings{'grp2'} = $hash{$key}[5];
++ $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6];
++ $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7];
++ $fwdfwsettings{'PROT'} = $hash{$key}[8];
++ $fwdfwsettings{'ICMP_TYPES'} = $hash{$key}[9];
++ $fwdfwsettings{'SRC_PORT'} = $hash{$key}[10];
++ $fwdfwsettings{'USESRV'} = $hash{$key}[11];
++ $fwdfwsettings{'TGT_PROT'} = $hash{$key}[12];
++ $fwdfwsettings{'ICMP_TGT'} = $hash{$key}[13];
++ $fwdfwsettings{'grp3'} = $hash{$key}[14];
++ $fwdfwsettings{$fwdfwsettings{'grp3'}} = $hash{$key}[15];
++ $fwdfwsettings{'ruleremark'} = $hash{$key}[16];
++ $fwdfwsettings{'LOG'} = $hash{$key}[17];
++ $fwdfwsettings{'TIME'} = $hash{$key}[18];
++ $fwdfwsettings{'TIME_MON'} = $hash{$key}[19];
++ $fwdfwsettings{'TIME_TUE'} = $hash{$key}[20];
++ $fwdfwsettings{'TIME_WED'} = $hash{$key}[21];
++ $fwdfwsettings{'TIME_THU'} = $hash{$key}[22];
++ $fwdfwsettings{'TIME_FRI'} = $hash{$key}[23];
++ $fwdfwsettings{'TIME_SAT'} = $hash{$key}[24];
++ $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25];
++ $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26];
++ $fwdfwsettings{'TIME_TO'} = $hash{$key}[27];
++
++ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
++ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
++ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
++ $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED';
++ $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED';
++ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
++ $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED';
++ $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED';
++ $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED';
++ $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED';
++ $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED';
++ $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED';
++ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
++ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
++ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
++ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++ }
++ }
++ $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'};
++ $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'};
++ $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'};
++ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
++ }else{
++ $fwdfwsettings{'ACTIVE'}='ON';
++ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
++ }
++
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
++
++print <<END;
++ <form method="post">
++ <table border='0'>
++ <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'>
++END
++ foreach ("ACCEPT","DROP","REJECT")
++ {
++ if($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ $fwdfwsettings{'RULE_ACTION'} = 'DROP';
++ }
++
++ if ($_ eq $fwdfwsettings{'RULE_ACTION'})
++ {
++ print"<option selected>$_</option>";
++ }else{
++ print"<option>$_</option>";
++ }
++ }
++ print"</select></td></tr></table><hr>";
++
++
++ &Header::closebox();
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
++
++
++ #------SOURCE-------------------------------------------------------
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' ></td></tr>
++ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
++ <tr><td width='1%'><input type='radio' name='grp1' value='std_net_src' $checked{'grp1'}{'std_net_src'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_src' style='min-width:185px;'>
++
++END
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
++ print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $defaultNetworks{$network}{'NAME'});
++ print ">$network</option>";
++ }
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_net_src' $checked{'grp1'}{'ovpn_net_src'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_src' style='min-width:185px;'>
++END
++ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ print<<END;
++ </select></td></tr>
++ <tr><td><input type='radio' name='grp1' value='cust_net_src' $checked{'grp1'}{'cust_net_src'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_src' style='min-width:185px;'>
++END
++ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_host_src' $checked{'grp1'}{'ovpn_host_src'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_src' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
++ {
++ if ($ccdhost{$key}[33] ne ''){
++
++ print "<option value='$ccdhost{$key}[1]'";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ccdhost{$key}[1]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td valign='top'><input type='radio' name='grp1' value='cust_host_src' $checked{'grp1'}{'cust_host_src'}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_src' style='min-width:185px;'>
++END
++ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_n2n_src' $checked{'grp1'}{'ovpn_n2n_src'}></td><td >$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='ovpn_n2n_src' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
++ if($ccdhost{$key}[3] eq 'net'){
++ print"<option ";
++ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ccdhost{$key}[1]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++
++ <tr><td valign='top'><input type='radio' name='grp1' value='cust_grp_src' $checked{'grp1'}{'cust_grp_src'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_src' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
++ if($helper ne $customgrp{$key}[0]){
++ print"<option ";
++ print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $customgrp{$key}[0]);
++ print ">$customgrp{$key}[0]</option>";
++
++
++ }
++ $helper=$customgrp{$key}[0];
++ }
++ print<<END;
++ </select></td>
++ <td valign='top'><input type='radio' name='grp1' value='ipsec_net_src' $checked{'grp1'}{'ipsec_net_src'}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_src' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++ if ($ipsecconf{$key}[3] eq 'net'){
++ print "<option ";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ipsecconf{$key}[1]);
++ print ">$ipsecconf{$key}[1]</option>";
++ }
++ }
++ #sourceport
++ print<<END;
++ </select></td></tr>
++END
++
++# <td valign='top'><input type='radio' name='grp1' value='ipsec_host_src' $checked{'grp1'}{'ipsec_host_src'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_src' style='min-width:185px;'>
++#END
++# foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++# if ($ipsecconf{$key}[3] eq 'host'){
++# print "<option ";
++# print "selected='selected'" if($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ipsecconf{$key}[1]);
++# print ">$ipsecconf{$key}[1]</option>";
++# }
++# }
++ print<<END;
++
++ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
++
++
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='checkbox' name='USE_SRC_PORT' value='ON' $checked{'USE_SRC_PORT'}{'ON'}></td><td width='51%' colspan='3'>$Lang::tr{'fwdfw use srcport'}</td>
++ <td width='15%' nowrap='nowrap'>$Lang::tr{'fwdfw man port'}</td><td><select name='PROT'>
++END
++ foreach ("TCP","UDP","GRE","ICMP")
++ {
++ if ($_ eq $fwdfwsettings{'PROT'})
++ {
++ print"<option selected>$_</option>";
++ }else{
++ print"<option>$_</option>";
++ }
++ }
++ print<<END;
++ </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='11' size='9' ></td></tr>
++ <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES'>
++END
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ print"<option>All ICMP-Types</option>";
++ foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) } keys %icmptypes){
++ if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0]"){
++ print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
++ }else{
++ print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr></table><hr>
++END
++ &Header::closebox();
++
++ #---TARGET------------------------------------------------------
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td><select name='ipfire' style='min-width:185px;'>
++END
++ print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
++
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
++ }
++
++ print<<END;
++ </td></tr>
++ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
++ <tr><td width='1%'><input type='radio' name='grp2' value='std_net_tgt' $checked{'grp2'}{'std_net_tgt'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_tgt' style='min-width:185px;'>
++
++END
++
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $defaultNetworks{$network}{'NAME'});
++ print ">$network</option>";
++ }
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net_tgt' $checked{'grp2'}{'ovpn_net_tgt'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_tgt' style='min-width:185px;'>
++END
++ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{'grp2'}});
++
++ print<<END;
++ </select></td></tr>
++ <tr><td><input type='radio' name='grp2' value='cust_net_tgt' $checked{'grp2'}{'cust_net_tgt'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_tgt' style='min-width:185px;'>
++END
++ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_host_tgt' $checked{'grp2'}{'ovpn_host_tgt'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_tgt' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
++ {
++ if ($ccdhost{$key}[33] ne ''){
++ print "<option value='$ccdhost{$key}[1]' ";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ccdhost{$key}[33]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td valign='top'><input type='radio' name='grp2' value='cust_host_tgt' $checked{'grp2'}{'cust_host_tgt'}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_tgt' style='min-width:185px;'>
++END
++ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_n2n_tgt' $checked{'grp2'}{'ovpn_n2n_tgt'}></td><td >$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='ovpn_n2n_tgt' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
++ if($ccdhost{$key}[3] eq 'net'){
++ print "<option ";
++ print "selected='selected'" if($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ccdhost{$key}[1]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++
++ <tr><td valign='top'><input type='radio' name='grp2' value='cust_grp_tgt' $checked{'grp2'}{'cust_grp_tgt'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_tgt' style='min-width:185px;'>
++END
++ $helper='';
++ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
++ if($helper ne $customgrp{$key}[0]){
++ print"<option ";
++ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $customgrp{$key}[0]);
++ print">$customgrp{$key}[0]</option>";
++ }
++ $helper=$customgrp{$key}[0];
++ }
++ print<<END;
++ </select></td>
++ <td valign='top'><input type='radio' name='grp2' value='ipsec_net_tgt' $checked{'grp2'}{'ipsec_net_tgt'}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_tgt' style='min-width:185px;'>
++END
++ foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++ if ($ipsecconf{$key}[3] eq 'net'){
++ print"<option ";
++ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ipsecconf{$key}[1]);
++ print">$ipsecconf{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++END
++
++# <td valign='top'><input type='radio' name='grp2' value='ipsec_host_tgt' $checked{'grp2'}{'ipsec_host_tgt'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_tgt' style='min-width:185px;'>
++#END
++# foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++# if ($ipsecconf{$key}[3] eq 'host'){
++# print"<option ";
++# print"selected='Selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ipsecconf{$key}[1]);
++# print">$ipsecconf{$key}[1]</option>";
++# }
++# }
++ print<<END;
++ </table>
++ <b>$Lang::tr{'fwhost attention'}:</b><br>
++ $Lang::tr{'fwhost macwarn'}<br><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
++
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
++END
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (sort keys %customservice){
++ print"<option ";
++ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]);
++ print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>";
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}:</td><td colspan='2'><select name='cust_srvgrp'style='min-width:230px;' >
++END
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ my $helper;
++ foreach my $key (sort keys %customservicegrp){
++ if ($helper ne $customservicegrp{$key}[0]){
++ print"<option ";
++ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservicegrp{$key}[0]);
++ print">$customservicegrp{$key}[0]</option>";
++ }
++ $helper=$customservicegrp{$key}[0];
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT'>
++END
++ foreach ("TCP","UDP","GRE","ICMP")
++ {
++ if ($_ eq $fwdfwsettings{'TGT_PROT'})
++ {
++ print"<option selected>$_</option>";
++ }else{
++ print"<option>$_</option>";
++ }
++ }
++ print<<END;
++ </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='11' size='9' ></td></tr>
++ <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT'>
++END
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ print"<option>All ICMP-Types</option>";
++ foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) }keys %icmptypes){
++ if($fwdfwsettings{'ICMP_TGT'} eq "$icmptypes{$key}[0]"){
++ print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
++ }else{
++ print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++ </table><hr><br><br>
++
++END
++ #---Activate/logging/remark-------------------------------------
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td colspan='2' >$Lang::tr{'remark'}:<input type='text' name='ruleremark' size='40' value='$fwdfwsettings{'ruleremark'}'></td></tr>
++ <tr><td width='1%'><input type='checkbox' name='ACTIVE' value='ON' $checked{'ACTIVE'}{'ON'}></td><td>$Lang::tr{'fwdfw rule activate'}</td></tr>
++ <tr><td width='1%'><input type='checkbox' name='LOG' value='ON' $checked{'LOG'}{'ON'} ></td><td>$Lang::tr{'fwdfw log rule'}</td></tr>
++ </table><hr><br>
++END
++ &Header::closebox();
++ #---ADD TIMEFRAME-----------------------------------------------
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw timeframe'});
++ print<<END;
++ <table width='70%' border='0'>
++ <tr><td width='1%'><input type='checkbox' name='TIME' value='ON' $checked{'TIME'}{'ON'}></td><td colspan='4'>$Lang::tr{'fwdfw timeframe'}</td></tr>
++ <tr><td colspan='7'> </td></tr>
++ <tr>
++ <td align='left'>$Lang::tr{'time'}:</td>
++ <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td>
++
++ <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td>
++ <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td>
++ </tr>
++ <tr>
++ <td align='right'></td>
++ <td width='30%' align='left'>
++ <input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} />
++ <input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} />
++ <input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} />
++ <input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} />
++ <input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} />
++ <input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} />
++ <input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{$Lang::tr{'fwdfw wd_sun'}} />
++ </td>
++
++ <td><select name='TIME_FROM'>
++END
++ for (my $i=0;$i<=23;$i++) {
++ $i = sprintf("%02s",$i);
++ for (my $j=0;$j<=45;$j+=15) {
++ $j = sprintf("%02s",$j);
++ my $time = $i.":".$j;
++ print "\t\t\t\t\t<option $selected{'TIME_FROM'}{$time}>$i:$j</option>\n";
++ }
++ }
++ print<<END;
++ </select></td>
++ <td><select name='TIME_TO'>
++END
++ for (my $i=0;$i<=23;$i++) {
++ $i = sprintf("%02s",$i);
++ for (my $j=0;$j<=45;$j+=15) {
++ $j = sprintf("%02s",$j);
++ my $time = $i.":".$j;
++ print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++ </table><hr>
++END
++ &Header::closebox();
++ #---ACTION------------------------------------------------------
++ if($fwdfwsettings{'updatefwrule'} ne 'on'){
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
++ <input type='hidden' name='config' value='$config' >
++ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++ </table></form>
++END
++ }else{
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'fwdfw change'}' style='min-width:100px;' /><input type='hidden' name='updatefwrule' value='$fwdfwsettings{'updatefwrule'}'><input type='hidden' name='key' value='$fwdfwsettings{'key'}'>
++ <input type='hidden' name='oldgrp1a' value='$fwdfwsettings{'oldgrp1a'}' />
++ <input type='hidden' name='oldgrp1b' value='$fwdfwsettings{'oldgrp1b'}' />
++ <input type='hidden' name='oldgrp2a' value='$fwdfwsettings{'oldgrp2a'}' />
++ <input type='hidden' name='oldgrp2b' value='$fwdfwsettings{'oldgrp2b'}' />
++ <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' />
++ <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' />
++ <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
++
++ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++
++ </table></form>
++END
++ }
++ &Header::closebox();
++}
++sub saverule
++{
++
++ my $hash=shift;
++ my $config=shift;
++ &General::readhasharray("$config", $hash);
++ if (!$errormessage){
++ if ($fwdfwsettings{'updatefwrule'} ne 'on' ){
++ my $key = &General::findhasharraykey ($hash);
++ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
++ $$hash{$key}[1] = $fwdfwsettings{'chain'};
++ $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
++ $$hash{$key}[3] = $fwdfwsettings{'grp1'};
++ $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $$hash{$key}[5] = $fwdfwsettings{'grp2'};
++ $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
++ $$hash{$key}[8] = $fwdfwsettings{'PROT'};
++ $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
++ $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
++ $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
++ $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
++ $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
++ $$hash{$key}[14] = $fwdfwsettings{'grp3'};
++ $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
++ $$hash{$key}[17] = $fwdfwsettings{'LOG'};
++ $$hash{$key}[18] = $fwdfwsettings{'TIME'};
++ $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
++ $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
++ $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
++ $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
++ $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
++ $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
++ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
++ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
++ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ &General::writehasharray("$config", $hash);
++ }else{
++ foreach my $key (sort keys %$hash){
++ if($key eq $fwdfwsettings{'key'}){
++ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
++ $$hash{$key}[1] = $fwdfwsettings{'chain'};
++ $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
++ $$hash{$key}[3] = $fwdfwsettings{'grp1'};
++ $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $$hash{$key}[5] = $fwdfwsettings{'grp2'};
++ $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
++ $$hash{$key}[8] = $fwdfwsettings{'PROT'};
++ $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
++ $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
++ $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
++ $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
++ $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
++ $$hash{$key}[14] = $fwdfwsettings{'grp3'};
++ $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
++ $$hash{$key}[17] = $fwdfwsettings{'LOG'};
++ $$hash{$key}[18] = $fwdfwsettings{'TIME'};
++ $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
++ $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
++ $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
++ $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
++ $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
++ $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
++ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
++ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
++ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ last;
++ }
++ }
++ &General::writehasharray("$config", $hash);
++ }
++ }
++}
++sub error
++{
++ if ($errormessage) {
++ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
++ print "<class name='base'>$errormessage\n";
++ print " </class>\n";
++ &Header::closebox();
++ print"<hr>";
++ }
++}
++sub hint
++{
++ if ($hint) {
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'});
++ print "<class name='base'>$hint\n";
++ print " </class>\n";
++ &Header::closebox();
++ print"<hr>";
++ }
++}
++sub get_name
++{
++ my $val=shift;
++ &General::setup_default_networks(\%defaultNetworks);
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ return "$network" if ($val eq $defaultNetworks{$network}{'NAME'});
++ }
++}
++sub validremark
++{
++ # Checks a hostname against RFC1035
++ my $remark = $_[0];
++
++ # Each part should be at least two characters in length
++ # but no more than 63 characters
++ if (length ($remark) < 1 || length ($remark) > 63) {
++ return 0;}
++ # Only valid characters are a-z, A-Z, 0-9 and -
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) {
++ return 0;}
++ # First character can only be a letter or a digit
++ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
++ return 0;}
++ # Last character can only be a letter or a digit
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) {
++ return 0;}
++ return 1;
++}
++sub getsrcport
++{
++ my %hash=%{(shift)};
++ my $key=shift;
++ if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne 'ICMP'){
++ print" : ($hash{$key}[8]) $hash{$key}[10]";
++ }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
++ print" : ($hash{$key}[8]) <br> $hash{$key}[9]";
++ }
++}
++sub gettgtport
++{
++ my %hash=%{(shift)};
++ my $key=shift;
++ my $service;
++ my $prot;
++
++ if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
++ if($hash{$key}[14] eq 'cust_srv'){
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $i (sort keys %customservice){
++ #print "HHUHU: $customservice{$i}[0] und $hash{$key}[15]<br>";
++ if($customservice{$i}[0] eq $hash{$key}[15]){
++ $prot = $hash{$key}[12];
++ $service = $customservice{$i}[0];
++ }
++ }
++ }elsif($hash{$key}[14] eq 'cust_srvgrp'){
++
++ $service=$hash{$key}[15];
++ }elsif($hash{$key}[14] eq 'TGT_PORT'){
++ $service=$hash{$key}[15];
++ $prot=$hash{$key}[12];
++ }
++ }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
++ print" : ($hash{$key}[12]) <br>$hash{$key}[13]";
++ }
++
++ if ($prot ne '' || $service ne ''){
++ print" :";
++ if ($prot ne ''){
++ print"($prot) ";
++ }
++ print" $service";
++ }
++}
++sub viewtablerule
++{
++ &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
++ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
++}
++sub viewtablenew
++{
++ my $hash=shift;
++ my $config=shift;
++ my $title=shift;
++ my $title1=shift;
++
++ if ( ! -z "$config"){
++ &Header::openbox('100%', 'left',$title);
++ my $count=0;
++ my ($gif,$log);
++ my $ruletype;
++ my $rulecolor;
++ my $tooltip;
++ my @tmpsrc=();
++ my $coloryellow='';
++ &General::readhasharray("$config", $hash);
++ print"<b>$title1</b><br>";
++ print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<tr><td align='center' width='1%'><b>#</td><td></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ foreach my $key (sort keys %$hash){
++ @tmpsrc=();
++ #check if vpn hosts/nets have been deleted
++ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
++ push (@tmpsrc,$$hash{$key}[4]);
++ }
++ if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){
++ push (@tmpsrc,$$hash{$key}[6]);
++ }
++
++ foreach my $host (@tmpsrc){
++ if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){
++ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){
++ $coloryellow='on';
++ &disable_rule($key);
++ $$hash{$key}[2]='';
++
++ }
++ }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){
++ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){
++ $coloryellow='on';
++ &disable_rule($key);
++ $$hash{$key}[2]='';
++ }
++ }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){
++ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){
++ $coloryellow='on';
++ &disable_rule($key);
++ $$hash{$key}[2]='';
++ }
++ }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){
++ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){
++ $coloryellow='on';
++ &disable_rule($key);
++ $$hash{$key}[2]='';
++ }
++ }
++ $$hash{$key}[3]='';
++ $$hash{$key}[5]='';
++ }
++
++ $$hash{'ACTIVE'}=$$hash{$key}[2];
++ $count++;
++
++ if($coloryellow eq 'on'){
++ print"<tr bgcolor='$color{'color14'}' >";
++ $coloryellow='';
++ }elsif($coloryellow eq ''){
++ if ($count % 2){
++ print"<tr bgcolor='$color{'color22'}' >";
++ }
++ else{
++ print"<tr bgcolor='$color{'color20'}' >";
++ }
++ }
++
++ print<<END;
++ <td align='right'>$key</td>
++END
++ if ($$hash{$key}[0] eq 'ACCEPT'){
++ $ruletype='A';
++ $tooltip='ACCEPT';
++ $rulecolor=$color{'color17'};
++ }elsif($$hash{$key}[0] eq 'DROP'){
++ $ruletype='D';
++ $tooltip='DROP';
++ $rulecolor=$color{'color25'};
++ }elsif($$hash{$key}[0] eq 'REJECT'){
++ $ruletype='R';
++ $tooltip='REJECT';
++ $rulecolor=$color{'color16'};
++ }
++ print"<td bgcolor='$rulecolor' width='2%' align='center'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ print"<td align='center'>";
++ if ($$hash{$key}[3] eq 'std_net_src'){
++ print &get_name($$hash{$key}[4]);
++ }else{
++ print $$hash{$key}[4];
++ }
++ &getsrcport(\%$hash,$key);
++ if ($$hash{$key}[17] eq 'ON'){
++ $log="/images/on.gif";
++ }else{
++ $log="/images/off.gif";
++ }
++ print<<END;
++ </td>
++
++ <form method='post'>
++ <td width='1%'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;'/>
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
++ </td></form>
++END
++
++ print<<END;
++ <td align='center'>
++END
++ if ($$hash{$key}[5] eq 'std_net_tgt'){
++ print &get_name($$hash{$key}[6]);
++ }else{
++ print $$hash{$key}[6];
++ }
++ &gettgtport(\%$hash,$key);
++ ################################################################################
++ print"</td><td width='20%'>$$hash{$key}[16]</td>";
++
++ if($$hash{$key}[2] eq 'ON'){
++ $gif="/images/on.gif"
++
++ }else{
++ $gif="/images/off.gif"
++
++ }
++ print<<END;
++ <form method='post'>
++ <td width='1%'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw toggle'}' />
++ </td></form>
++
++ <form method='post'>
++ <td width='1%' ><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='editrule' />
++ </td></form></td>
++
++ <form method='post'>
++ <td width='1%'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='copyrule' />
++ </td></form></td>
++
++
++ <form method='post'>
++ <td width='1%' ><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='deleterule' />
++ </td></form></td>
++END
++ if (exists $$hash{$key-1}){
++ print<<END;
++ <form method='post'>
++ <td width='1%'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='moveup' />
++ </td></form></td>
++END
++ }else{
++ print"<td></td>";
++ }
++
++ if (exists $$hash{$key+1}){
++ print<<END;
++ <form method='post'>
++ <td width='1%' ><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <input type='hidden' name='key' value='$key' />
++ <input type='hidden' name='config' value='$config' />
++ <input type='hidden' name='ACTION' value='movedown' />
++ </td></form></td></tr>
++END
++ }else{
++ print"<td></td></tr>";
++ }
++ #if timeframe set, print new line in table
++ if ($$hash{$key}[18] eq 'ON'){
++ my @days=();
++ if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
++ if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});}
++ if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});}
++ if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});}
++ if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
++ if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
++ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
++
++ my $weekdays=join(",",@days);
++
++ if (@days){
++ print"<tr bgcolor='#FFE4B5'><td colspan='4'>$Lang::tr{'fwdfw time'} ";
++ print"$weekdays";
++ print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]</td><td colspan='8'></d></tr>";
++ }
++ }
++ }
++ print"</table>";
++ &Header::closebox();
++ }
++
++}
++sub fillselect
++{
++ my %hash=%{(shift)};
++ my $val=shift;
++ my $key;
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash)
++ {
++ if($hash{$key}[0] eq $val){
++ print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
++ }else{
++ print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
++ }
++ }
++}
++sub rules
++{
++ if (!-f "${General::swroot}/forward/reread"){
++ system("touch ${General::swroot}/forward/reread");
++ }
++}
++sub reread_rules
++{
++ system("/usr/local/bin/forwardfwctrl");
++ system("rm ${General::swroot}/forward/reread");
++}
++&Header::closebigbox();
++&Header::closepage();
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+new file mode 100755
+index 0000000..8fe281b
+--- /dev/null
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -0,0 +1,1970 @@
++#!/usr/bin/perl
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2011 IPFire Team <info@ipfire.org> #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++# New function for forwarding firewall. To make it comfortable to create #
++# rules, we need "spelling names" for single Hosts. If you have any questions #
++# <amarx@ipfire.org> #
++###############################################################################
++use strict;
++
++# enable only the following on debugging purpose
++use warnings;
++use CGI::Carp 'fatalsToBrowser';
++no warnings 'uninitialized';
++require '/var/ipfire/general-functions.pl';
++require "${General::swroot}/lang.pl";
++require "${General::swroot}/header.pl";
++
++my %fwhostsettings=();
++my %customnetwork=();
++my %customhost=();
++my %customgrp=();
++my %customservice=();
++my %customservicegrp=();
++my %ccdnet=();
++my %ccdhost=();
++my %ipsecconf=();
++my %icmptypes=();
++my %color=();
++my %defaultNetworks=();
++my %mainsettings=();
++my %ownnet=();
++my %ipsecsettings=();
++
++my $errormessage;
++my $hint;
++my $update=0;
++my $confignet = "${General::swroot}/fwhosts/customnetworks";
++my $confighost = "${General::swroot}/fwhosts/customhosts";
++my $configgrp = "${General::swroot}/fwhosts/customgroups";
++my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
++my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
++my $configipsec = "${General::swroot}/vpn/config";
++my $configsrv = "${General::swroot}/fwhosts/customservices";
++my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
++
++unless (-e $confignet) { system("touch $confignet"); }
++unless (-e $confighost) { system("touch $confighost"); }
++unless (-e $configgrp) { system("touch $configgrp"); }
++unless (-e $configsrv) { system("touch $configsrv"); }
++unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
++
++&General::readhash("${General::swroot}/main/settings", \%mainsettings);
++&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
++&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
++&Header::getcgihash(\%fwhostsettings);
++
++&Header::showhttpheaders();
++&Header::openpage($Lang::tr{'fwhost hosts'}, 1, '');
++&Header::openbigbox('100%', 'center');
++
++## ACTION ####
++# Update
++if ($fwhostsettings{'ACTION'} eq 'updatenet' )
++{
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key (keys %customnetwork)
++ {
++ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'})
++ {
++ $fwhostsettings{'orgname'} = $customnetwork{$key}[0];
++ $fwhostsettings{'orgip'} = $customnetwork{$key}[1];
++ $fwhostsettings{'orgsub'} = $customnetwork{$key}[2];
++ $fwhostsettings{'count'} = $customnetwork{$key}[3];
++ delete $customnetwork{$key};
++
++ }
++ }
++ &General::writehasharray("$confignet", \%customnetwork);
++ $fwhostsettings{'actualize'} = 'on';
++ $fwhostsettings{'ACTION'} = 'savenet';
++}
++if ($fwhostsettings{'ACTION'} eq 'updatehost')
++{
++ my ($ip,$subnet);
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (keys %customhost)
++ {
++ if($customhost{$key}[0] eq $fwhostsettings{'orgname'})
++ {
++ $fwhostsettings{'orgname'} = $customhost{$key}[0];
++ if ($customhost{$key}[1] eq 'ip'){
++ ($ip,$subnet) = split (/\//,$customhost{$key}[2]);
++ }else{
++ $ip = $customhost{$key}[2];
++ }
++ $fwhostsettings{'orgip'} = $ip;
++ $fwhostsettings{'count'} = $customhost{$key}[3];
++ delete $customhost{$key};
++ }
++ }
++ &General::writehasharray("$confighost", \%customhost);
++ $fwhostsettings{'actualize'} = 'on';
++ $fwhostsettings{'ACTION'} = 'savehost';
++}
++if ($fwhostsettings{'ACTION'} eq 'updateservice')
++{
++ my $count=0;
++ my $needrules=0;
++ $errormessage=&checkports(\%customservice);
++
++ if (!$errormessage){
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (keys %customservice)
++ {
++ if ($customservice{$key}[0] eq $fwhostsettings{'oldsrvname'})
++ {
++ $count=$customservice{$key}[4];
++ delete $customservice{$key};
++ &General::writehasharray("$configsrv", \%customservice);
++ last;
++ }
++ }
++ if ($fwhostsettings{'PROT'} ne 'ICMP'){
++ $fwhostsettings{'ICMP_TYPES'}='BLANK';
++ }
++ my $key1 = &General::findhasharraykey(\%customservice);
++ foreach my $i (0 .. 4) { $customservice{$key1}[$i] = "";}
++ $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'};
++ $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'};
++ $customservice{$key1}[2] = $fwhostsettings{'PROT'};
++ $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'};
++ $customservice{$key1}[4] = $count;
++ &General::writehasharray("$configsrv", \%customservice);
++ if($fwhostsettings{'updatesrv'} eq 'on'){
++ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
++ $needrules='on';
++ }
++ if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
++ $needrules='on';
++ }
++ }
++ $fwhostsettings{'SRV_NAME'} = '';
++ $fwhostsettings{'SRV_PORT'} = '';
++ $fwhostsettings{'PROT'} = '';
++
++ }else{
++ $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'};
++ $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'};
++ $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'};
++ $fwhostsettings{'updatesrv'}= 'on';
++ }
++
++ if($needrules eq 'on'){
++ $errormessage="reread!";
++ &rules;
++ }
++
++ &addservice;
++}
++# save
++if ($fwhostsettings{'ACTION'} eq 'savenet' )
++{
++ my $count=0;
++ my $needrules=0;
++ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
++
++ #check if all fields are set
++ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
++ &addnet;
++ &viewtablenet;
++ }else{
++ #check valid ip
++ if (!&General::validipandmask($fwhostsettings{'IP'}."/".$fwhostsettings{'SUBNET'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err addr'};
++ $fwhostsettings{'BLK_HOST'} ='readonly';
++ $fwhostsettings{'NOCHECK'} ='false';
++ $fwhostsettings{'error'} ='on';
++ }
++ #check if subnet is sigle host
++ if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32')
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'};
++
++ }
++ if($fwhostsettings{'error'} ne 'on'){
++ #check if we use one of ipfire's networks (green,orange,blue)
++ if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'ccd err green'}."<br>";
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
++ }
++ if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."<br>";
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
++ }
++ if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."<br>";
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
++ }
++ if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'RED_NETADDRESS'},$ownnet{'RED_NETMASK'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'ccd err red'}."<br>";
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
++ }
++ }
++ #only check plausi when no error till now
++ if (!$errormessage){
++ &plausicheck("editnet");
++ }
++
++ #check if network ip is part of an already used one
++ if(&checksubnet(\%customnetwork))
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'};
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ }
++
++ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage)
++ {
++ $fwhostsettings{'actualize'} = '';
++ my $key = &General::findhasharraykey (\%customnetwork);
++ foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";}
++ $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ;
++ $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ;
++ $customnetwork{$key}[2] = $fwhostsettings{'orgsub'};
++ $customnetwork{$key}[3] = $fwhostsettings{'count'};
++ &General::writehasharray("$confignet", \%customnetwork);
++ undef %customnetwork;
++ }
++
++ if (!$errormessage){
++ &General::readhasharray("$confignet", \%customnetwork);
++ if ($fwhostsettings{'ACTION'} eq 'updatenet'){
++ if ($fwhostsettings{'update'} == '0'){
++ foreach my $key (keys %customnetwork) {
++ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){
++ $count=$customnetwork{$key}[3];
++ delete $customnetwork{$key};
++ last;
++ }
++ }
++ }
++ }
++ #get count if actualize is 'on'
++ if($fwhostsettings{'actualize'} eq 'on'){
++ $fwhostsettings{'actualize'} = '';
++ $count=$fwhostsettings{'count'};
++ #check if we need to reload rules
++ if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0'){
++ $needrules='on';
++ }
++ if ($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){
++ #check if we need to update groups
++ &General::readhasharray("$configgrp", \%customgrp);
++ foreach my $key (sort keys %customgrp){
++ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){
++ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'};
++ last;
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ }
++ }
++ my $key = &General::findhasharraykey (\%customnetwork);
++ foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";}
++ $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'});
++ $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'};
++ #convert ip when leading '0' in byte
++ $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'});
++ $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'});
++ $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ;
++ $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ;
++ if($fwhostsettings{'newnet'} eq 'on'){$count=0;}
++ $customnetwork{$key}[3] = $count;
++ &General::writehasharray("$confignet", \%customnetwork);
++ $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
++ undef %customnetwork;
++ $fwhostsettings{'HOSTNAME'}='';
++ $fwhostsettings{'IP'}='';
++ $fwhostsettings{'SUBNET'}='';
++ #check if an edited net affected groups and need to reload rules
++ if ($needrules eq 'on'){
++ &rules;
++ }
++ &addnet;
++ &viewtablenet;
++ }else
++ {
++ &addnet;
++ &viewtablenet;
++ }
++ }
++
++}
++if ($fwhostsettings{'ACTION'} eq 'savehost')
++{
++ my $count=0;
++ my $needrules=0;
++ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
++
++ $fwhostsettings{'SUBNET'}='32';
++
++ #check if all fields are set
++ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
++ $fwhostsettings{'ACTION'} = 'edithost';
++ }else{
++
++ if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
++ $fwhostsettings{'type'} = 'mac';
++ }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $fwhostsettings{'type'} = 'ip';
++ }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
++ $fwhostsettings{'type'} = 'mac';
++ }elsif($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $fwhostsettings{'type'} = 'ip';
++ }else{
++ $fwhostsettings{'type'} = '';
++ $errormessage=$Lang::tr{'fwhost err ipmac'};
++ }
++
++ if($fwhostsettings{'type'} eq 'mac' )
++ {
++ if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ )
++ {
++ $errormessage=$Lang::tr{'fwhost err mac'};
++
++ }
++ }
++ #CHECK IP-PART
++ if ($fwhostsettings{'type'} eq 'ip'){
++ #check for subnet
++ if (rindex($fwhostsettings{'IP'},'/') eq '-1' ){
++ if($fwhostsettings{'type'} eq 'ip' && !&General::validipandmask($fwhostsettings{'IP'}."/32"))
++ {
++ $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'};
++ $fwhostsettings{'error'}='on';
++ }
++
++ }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){
++ $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'};
++ $fwhostsettings{'error'}='on';
++ }
++ #check if net or broadcast
++ my @tmp= split (/\./,$fwhostsettings{'IP'});
++ if (($tmp[3] eq "0") || ($tmp[3] eq "255")){
++ $errormessage=$Lang::tr{'fwhost err hostip'};
++ }
++ }
++
++
++
++ #only check plausi when no error till now
++ if (!$errormessage){
++ &plausicheck("edithost");
++ }
++
++ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){
++ $fwhostsettings{'actualize'} = '';
++ my $key = &General::findhasharraykey (\%customhost);
++ foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
++ $customhost{$key}[0] = $fwhostsettings{'orgname'} ;
++ $customhost{$key}[1] = $fwhostsettings{'type'} ;
++ if($customhost{$key}[1] eq 'ip'){
++ $customhost{$key}[2] = $fwhostsettings{'orgip'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
++ }else{
++ $customhost{$key}[2] = $fwhostsettings{'orgip'};
++ }
++ $customhost{$key}[3] = $fwhostsettings{'count'};
++ &General::writehasharray("$confighost", \%customhost);
++ undef %customhost;
++
++ }
++
++ if (!$errormessage){
++ #get count if host was edited
++ if($fwhostsettings{'actualize'} eq 'on'){
++ $count=$fwhostsettings{'count'};
++ if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0' ){
++ $needrules='on';
++ }
++ if($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){
++ #check if we need to update groups
++ &General::readhasharray("$configgrp", \%customgrp);
++ foreach my $key (sort keys %customgrp){
++ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){
++ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'};
++ last;
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ }
++
++
++ }
++ my $key = &General::findhasharraykey (\%customhost);
++ foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
++ $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ;
++ $customhost{$key}[1] = $fwhostsettings{'type'} ;
++ if ($fwhostsettings{'type'} eq 'ip'){
++ #convert ip when leading '0' in byte
++ $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'});
++ $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'});
++ $customhost{$key}[2] = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
++ }else{
++ $customhost{$key}[2] = $fwhostsettings{'IP'};
++ }
++ if($fwhostsettings{'newhost'} eq 'on'){$count=0;}
++ $customhost{$key}[3] = $count;
++ &General::writehasharray("$confighost", \%customhost);
++
++ #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
++ undef %customhost;
++ $fwhostsettings{'HOSTNAME'}='';
++ $fwhostsettings{'IP'}='';
++ $fwhostsettings{'type'}='';
++ #check if we need to update rules while host was edited
++ if($needrules eq 'on'){
++ &rules;
++ }
++ &addhost;
++ &viewtablehost;
++ }else{
++ &addhost;
++ &viewtablehost;
++ }
++
++ }
++
++}
++if ($fwhostsettings{'ACTION'} eq 'savegrp')
++{
++ my $grp;
++ my $rem=$fwhostsettings{'remark'};
++ my $count;
++ my $type;
++ my $updcounter='off';
++ my @target;
++ my @newgrp;
++ &General::readhasharray("$configgrp", \%customgrp);
++ &General::readhasharray("$confignet", \%customnetwork);
++ &General::readhasharray("$confighost", \%customhost);
++ $grp=$fwhostsettings{'grp_name'};
++
++ if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};}
++
++ ###check standard networks
++ if ($fwhostsettings{'grp2'} eq 'std_net'){
++ @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
++ $type='Standard Network';
++ }
++ ##check custom networks
++ if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){
++ @target=$fwhostsettings{'CUST_SRC_NET'};
++ $updcounter='net';
++ $type='Custom Network';
++ }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #check custom addresses
++ if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){
++ @target=$fwhostsettings{'CUST_SRC_HOST'};
++ $updcounter='host';
++ $type='Custom Host';
++ }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from ovpn ccd static net
++ if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
++ @target=$fwhostsettings{'OVPN_CCD_NET'};
++ $type='OpenVPN static network';
++ }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from ovpn ccd static host
++ if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){
++ @target=$fwhostsettings{'OVPN_CCD_HOST'};
++ $type='OpenVPN static host';
++ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ }
++ #get address from ovpn ccd Net-2-Net
++ if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){
++ @target=$fwhostsettings{'OVPN_N2N'};
++ $type='OpenVPN N-2-N';
++ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++
++ #get address from IPSEC HOST
++ if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){
++ @target=$fwhostsettings{'IPSEC_HOST'};
++ $type='IpSec Host';
++ }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from IPSEC NETWORK
++ if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){
++ @target=$fwhostsettings{'IPSEC_NET'};
++ $type='IpSec Network';
++ }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++
++ #check if host/net exists in grp
++ my $test="$grp,$fwhostsettings{'oldremark'},@target";
++ foreach my $key (keys %customgrp) {
++ my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]";
++ if ($test1 eq $test){
++ $errormessage=$Lang::tr{'fwhost err isingrp'};
++ $fwhostsettings{'update'} = 'on';
++ }
++ }
++
++ if (!$errormessage){
++ #on first save, we have an empty @target, so fill it with nothing
++ my $targetvalues=@target;
++ if ($targetvalues == '0'){
++ @target=$Lang::tr{'fwhost empty'};
++ }
++ #on update, we have to delete the dummy entry
++
++ foreach my $key (keys %customgrp){
++ if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
++ delete $customgrp{$key};
++ last;
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ &General::readhasharray("$configgrp", \%customgrp);
++
++
++
++ #check if remark has also changed
++ if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $fwhostsettings{'update'} eq 'on')
++ {
++ foreach my $key (keys %customgrp)
++ {
++ if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'})
++ {
++ $customgrp{$key}[1]='';
++ $customgrp{$key}[1]=$rem;
++ }
++ }
++ }
++ #get count used
++ foreach my $key (keys %customgrp)
++ {
++ if($customgrp{$key}[0] eq $grp)
++ {
++ $count=$customgrp{$key}[4];
++ last;
++ }
++ }
++ if ($count eq '' ){$count='0';}
++
++ #create array with new lines
++ foreach my $line (@target){
++ push (@newgrp,"$grp,$rem,$line");
++ }
++ #append new entries
++ my $key = &General::findhasharraykey (\%customgrp);
++ foreach my $line (@newgrp){
++ foreach my $i (0 .. 4) { $customgrp{$key}[$i] = "";}
++ my ($a,$b,$c,$d) = split (",",$line);
++ $customgrp{$key}[0] = $a;
++ $customgrp{$key}[1] = $b;
++ $customgrp{$key}[2] = $c;
++ $customgrp{$key}[3] = $type;
++ $customgrp{$key}[4] = $count;
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++
++ #update counter in Host/Net
++ if($updcounter eq 'net'){
++ foreach my $key (keys %customnetwork) {
++ if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){
++ $customnetwork{$key}[3] = $customnetwork{$key}[3]+1;
++ last;
++ }
++ }
++ &General::writehasharray("$confignet", \%customnetwork);
++ }elsif($updcounter eq 'host'){
++ foreach my $key (keys %customhost) {
++ if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){
++ $customhost{$key}[3]=$customhost{$key}[3]+1;
++ }
++ }
++ &General::writehasharray("$confighost", \%customhost);
++ }
++
++ $fwhostsettings{'update'}='on';
++
++ }
++ if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $errormessage)
++ {
++ foreach my $key (keys %customgrp)
++ {
++ if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'})
++ {
++ $customgrp{$key}[1]='';
++ $customgrp{$key}[1]=$rem;
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ $errormessage='';
++ $hint=$Lang::tr{'fwhost changeremark'};
++ $fwhostsettings{'update'}='on';
++ }
++ #check if ruleupdate is needed
++ if($count > 0 )
++ {
++ &rules;
++ }
++ &addgrp;
++ &viewtablegrp;
++
++}
++if ($fwhostsettings{'ACTION'} eq 'saveservice')
++{
++ my $ICMP;
++
++ &General::readhasharray("$configsrv", \%customservice );
++ $errormessage=&checkports(\%customservice);
++
++ if ($fwhostsettings{'PROT'} eq 'ICMP'){
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ foreach my $key (keys %icmptypes){
++ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){
++ $ICMP=$icmptypes{$key}[0];
++ }
++ }
++ }
++ if($ICMP eq ''){$ICMP='BLANK';}
++ if (!$errormessage){
++
++ my $key = &General::findhasharraykey (\%customservice);
++ foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
++ $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
++ $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
++ $customservice{$key}[2] = $fwhostsettings{'PROT'};
++ $customservice{$key}[3] = $ICMP;
++ $customservice{$key}[4] = 0;
++ &General::writehasharray("$configsrv", \%customservice );
++ #reset fields
++ $fwhostsettings{'SRV_NAME'}='';
++ $fwhostsettings{'SRV_PORT'}='';
++ $fwhostsettings{'PROT'}='';
++ $fwhostsettings{'ICMP_TYPES'}='';
++
++ }
++
++ &addservice;
++
++}
++if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
++{
++ my $prot;
++ my $port;
++ my $count=0;
++ &General::readhasharray("$configsrvgrp", \%customservicegrp );
++ &General::readhasharray("$configsrv", \%customservice );
++
++ $errormessage=&checkservicegroup;
++
++ if (!$errormessage){
++ #on first save, we have to enter a dummy value
++ if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};}
++
++ #on update, we have to delete the dummy entry
++ foreach my $key (keys %customservicegrp){
++ if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
++ delete $customservicegrp{$key};
++ last;
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp );
++ #check if remark has also changed
++ if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $fwhostsettings{'updatesrvgrp'} eq 'on')
++ {
++ foreach my $key (keys %customservicegrp)
++ {
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'})
++ {
++ $customservicegrp{$key}[1]='';
++ $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'};
++ }
++ }
++ }
++ #get count used
++ foreach my $key (keys %customservicegrp)
++ {
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'})
++ {
++ $count=$customservicegrp{$key}[5];
++ last;
++ }
++ }
++ if ($count eq '' ){$count='0';}
++
++ foreach my $key (sort keys %customservice){
++ if($customservice{$key}[0] eq $fwhostsettings{'CUST_SRV'}){
++ $port=$customservice{$key}[1];
++ $prot=$customservice{$key}[2];
++ $customservice{$key}[4]++;
++ }
++ }
++ &General::writehasharray("$configsrv", \%customservice );
++
++ my $key = &General::findhasharraykey (\%customservicegrp);
++ foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";}
++ $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'};
++ $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'};
++ $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'};
++ $customservicegrp{$key}[3] = $port;
++ $customservicegrp{$key}[4] = $prot;
++ $customservicegrp{$key}[5] = $count;
++ &General::writehasharray("$configsrvgrp", \%customservicegrp );
++ $fwhostsettings{'updatesrvgrp'}='on';
++ }
++ if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $errormessage){
++ foreach my $key (keys %customservicegrp)
++ {
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'})
++ {
++ $customservicegrp{$key}[1]='';
++ $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'};
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ $errormessage='';
++ $hint=$Lang::tr{'fwhost changeremark'};
++ $fwhostsettings{'update'}='on';
++ }
++ if ($count gt 0){
++ &rules;
++ }
++ &addservicegrp;
++ &viewtableservicegrp;
++}
++# edit
++if ($fwhostsettings{'ACTION'} eq 'editnet')
++{
++ &addnet;
++ &viewtablenet;
++}
++if ($fwhostsettings{'ACTION'} eq 'edithost')
++{
++ &addhost;
++ &viewtablehost;
++}
++if ($fwhostsettings{'ACTION'} eq 'editgrp')
++{
++ $fwhostsettings{'update'}='on';
++ &addgrp;
++ &viewtablegrp;
++}
++if ($fwhostsettings{'ACTION'} eq 'editservice')
++{
++ $fwhostsettings{'updatesrv'}='on';
++ &addservice;
++}
++if ($fwhostsettings{'ACTION'} eq 'editservicegrp')
++{
++ $fwhostsettings{'updatesrvgrp'} = 'on';
++ &addservicegrp;
++ &viewtableservicegrp;
++}
++# reset
++if ($fwhostsettings{'ACTION'} eq 'resetnet')
++{
++ $fwhostsettings{'HOSTNAME'} ="";
++ $fwhostsettings{'IP'} ="";
++ $fwhostsettings{'SUBNET'} ="";
++ &showmenu;
++}
++if ($fwhostsettings{'ACTION'} eq 'resethost')
++{
++ $fwhostsettings{'HOSTNAME'} ="";
++ $fwhostsettings{'IP'} ="";
++ $fwhostsettings{'type'} ="";
++ &showmenu;
++}
++# delete
++if ($fwhostsettings{'ACTION'} eq 'delnet')
++{
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key (keys %customnetwork) {
++ if($fwhostsettings{'key'} eq $customnetwork{$key}[0]){
++ delete $customnetwork{$key};
++ &General::writehasharray("$confignet", \%customnetwork);
++ last;
++ }
++ }
++ &addnet;
++ &viewtablenet;
++}
++if ($fwhostsettings{'ACTION'} eq 'delhost')
++{
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (keys %customhost) {
++ if($fwhostsettings{'key'} eq $customhost{$key}[0]){
++ delete $customhost{$key};
++ &General::writehasharray("$confighost", \%customhost);
++ last;
++ }
++ }
++ &addhost;
++ &viewtablehost;
++
++}
++if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
++{
++ &General::readhasharray("$configgrp", \%customgrp);
++ foreach my $key (keys %customgrp){
++ if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){
++ #decrease count from source host/net
++ if ($customgrp{$key}[3] eq 'Custom Network'){
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key1 (keys %customnetwork){
++ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
++ $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1;
++ last;
++ }
++ }
++ &General::writehasharray("$confignet", \%customnetwork);
++ }
++ if ($customgrp{$key}[3] eq 'Custom Host'){
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key1 (keys %customhost){
++ if ($customhost{$key1}[0] eq $customgrp{$key}[2]){
++ $customhost{$key1}[3] = $customhost{$key1}[3]-1;
++ last;
++ }
++ }
++ &General::writehasharray("$confighost", \%customhost);
++ }
++ delete $customgrp{$key};
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ &rules;
++ &addgrp;
++ &viewtablegrp;
++}
++if ($fwhostsettings{'ACTION'} eq 'delgrp')
++{
++ &General::readhasharray("$configgrp", \%customgrp);
++ &decrease($fwhostsettings{'grp_name'});
++ foreach my $key (sort keys %customgrp)
++ {
++ if($customgrp{$key}[0] eq $fwhostsettings{'grp_name'})
++ {
++ delete $customgrp{$key};
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ $fwhostsettings{'grp_name'}='';
++ &addgrp;
++ &viewtablegrp;
++}
++if ($fwhostsettings{'ACTION'} eq 'delservice')
++{
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (keys %customservice) {
++ if($customservice{$key}[0] eq $fwhostsettings{'SRV_NAME'}){
++ #&deletefromgrp($customhost{$key}[0],$configgrp);
++ delete $customservice{$key};
++ &General::writehasharray("$configsrv", \%customservice);
++ last;
++ }
++ }
++ $fwhostsettings{'SRV_NAME'}='';
++ $fwhostsettings{'SRV_PORT'}='';
++ $fwhostsettings{'PROT'}='';
++ &addservice;
++}
++if ($fwhostsettings{'ACTION'} eq 'delservicegrp')
++{
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ &decreaseservice($fwhostsettings{'SRVGRP_NAME'});
++ foreach my $key (sort keys %customservicegrp)
++ {
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'})
++ {
++ delete $customservicegrp{$key};
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ $fwhostsettings{'SRVGRP_NAME'}='';
++ &addservicegrp;
++ &viewtableservicegrp;
++}
++if ($fwhostsettings{'ACTION'} eq 'delgrpservice')
++{
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (keys %customservicegrp){
++ if($customservicegrp{$key}[0].",".$customservicegrp{$key}[1].",".$customservicegrp{$key}[2].",".$customservicegrp{$key}[3] eq $fwhostsettings{'delsrvfromgrp'})
++ {
++ #decrease count from source service
++ foreach my $key1 (sort keys %customservice){
++ if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
++ $customservice{$key1}[4]--;
++ last;
++ }
++ }
++ &General::writehasharray("$configsrv", \%customservice);
++ delete $customservicegrp{$key}
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ &rules;
++ &addservicegrp;
++ &viewtableservicegrp;
++
++}
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newnet'})
++{
++ &addnet;
++ &viewtablenet;
++}
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newhost'})
++{
++ &addhost;
++ &viewtablehost;
++}
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgrp'})
++{
++ &addgrp;
++ &viewtablegrp;
++}
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'})
++{
++ &addservice;
++}
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'})
++{
++ &addservicegrp;
++ &viewtableservicegrp;
++}
++### VIEW ###
++if($fwhostsettings{'ACTION'} eq '')
++{
++ &showmenu;
++}
++### FUNCTIONS ###
++sub showmenu
++{
++
++ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
++ print<<END;
++ <table border='0' width='100%'><form method='post'>
++ <tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' /></td>
++ <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' /></td></tr>
++ <tr><td colspan='6'><hr></hr></td></tr></table></form>
++END
++
++ &Header::closebox();
++
++}
++# Add
++sub addnet
++{
++ &error;
++ &showmenu;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'});
++ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
++ print<<END;
++ <table border='0' width='100%'><form method='post' style='display:inline' >
++ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}></td><td>$Lang::tr{'fwhost netaddress'}</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
++ <tr><td colspan='6'><hr></hr></td></tr><tr>
++END
++ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
++ {
++ print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
++ }else{
++ print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>";
++ }
++ print "</form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' ><input type='hidden' name='ACTION' value='resetnet'></td></tr></table></form>";
++ &Header::closebox();
++}
++sub addhost
++{
++ &error;
++ &showmenu;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'});
++ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
++ print<<END;
++ <table border='0' width='100%'><form method='post' style='display:inline'>
++ <tr><td>$Lang::tr{'name'}:</td><td width='35%'><input type='TEXT' name='HOSTNAME' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ></td><td><select name='type'>
++END
++ if ($fwhostsettings{'type'} eq 'ip'){print "<option value='ip' selected >IP</option>";}else{print "<option value='ip' >IP</option>";}
++ if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
++ print<<END;
++ </option></select></td><td align='right' width='15%'>IP/MAC:</td><td align='right'><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
++ <tr><td colspan='7'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
++ <tr><td colspan='7'><hr></hr></td></tr>
++END
++
++ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
++ {
++
++ print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' /><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
++ }else{
++ print " <td colspan='6' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
++ }
++ print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}'><input type='hidden' name='ACTION' value='resethost'></td></tr></table></form>";
++ &Header::closebox();
++}
++sub addgrp
++{
++ &hint;
++ &error;
++ &showmenu;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'});
++ &General::setup_default_networks(\%defaultNetworks);
++ my %checked=();
++ $checked{'check1'}{'off'} = '';
++ $checked{'check1'}{'on'} = '';
++ $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED';
++ $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'};
++
++ if ($fwhostsettings{'update'} eq ''){
++ print<<END;
++ <table width='100%' border='0'><form method='post'>
++ <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='24'></td><td align='right'>$Lang::tr{'remark'}:</td><td align='right'><input type='TEXT' name='remark' size='30' value='$fwhostsettings{'remark'}'></tr>
++ <tr><td colspan='5'><hr></td></tr></table>
++END
++ }else{
++ print<<END;
++ <table width='100%' border='0'><form method='post'>
++ <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' size='24' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='remark' size='30' value='$fwhostsettings{'remark'}'></tr>
++ <tr><td colspan='5'><hr></td></tr></table>
++END
++
++ }
++ if ($fwhostsettings{'update'} eq 'on'){
++
++
++ print<<END;
++ <table width='100%' border='0'><tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
++
++END
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
++ print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'});
++ print ">$network</option>";
++ }
++
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>
++END
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ foreach my $key (sort { uc($ccdnet{$a}[0]) cmp uc($ccdnet{$b}[0]) } keys %ccdnet)
++ {
++ print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
++ }
++
++ print<<END;
++ </select></td></tr>
++ <tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>
++END
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
++ print"<option>$customnetwork{$key}[0]</option>";
++ }
++
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>
++END
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
++ {
++ if ($ccdhost{$key}[33] ne ''){
++ print"<option value='$ccdhost{$key}[1]'>$ccdhost{$key}[1]</option>";
++ }
++ }
++
++ print<<END;
++ </select></td></tr>
++ <tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>
++END
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
++ print"<option>$customhost{$key}[0]</option>";
++ }
++ print<<END;
++ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>
++END
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
++ if($ccdhost{$key}[3] eq 'net'){
++ print"<option>$ccdhost{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td colspan='3'></td><td valign='top'><input type='radio' name='grp2' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>
++END
++ &General::readhasharray("$configipsec", \%ipsecconf);
++ foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) {
++ if ($ipsecconf{$key}[3] eq 'net'){
++ print"<option value='$ipsecconf{$key}[1]'>$ipsecconf{$key}[1]</option>";
++ }
++ }
++ print<<END;
++ </select></td></tr></table>
++END
++# <td colspan='3'></td><td valign='top'><input type='radio' name='grp2' value='ipsec_host' $checked{'grp2'}{'ipsec_host'}></td><td valign='top'>$Lang::tr{'fwhost ipsec host'}</td><td><select name='IPSEC_HOST' style='min-width:185px;'>
++#END
++# &General::readhasharray("$configipsec", \%ipsecconf);
++# foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) {
++# if ($ipsecconf{$key}[3] eq 'host'){
++# print"<option>$ipsecconf{$key}[1]</option>";
++# }
++# }
++# print<<END;
++# </select></td></tr>
++# <tr>
++ print<<END;
++ <br><br><br>
++ <b>$Lang::tr{'fwhost attention'}:</b><br>
++ $Lang::tr{'fwhost macwarn'}<br><hr>
++END
++ }
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++ </table></form>
++END
++
++ &Header::closebox();
++}
++sub addservice
++{
++ &error;
++ &showmenu;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservice'});
++ if ($fwhostsettings{'updatesrv'} eq 'on')
++ {
++ $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'};
++ $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'};
++ $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'};
++ }
++ print<<END;
++ <table width='100%' border='0'><form method='post'>
++ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='1%' nowrap='nowrap'><input type='text' name='SRV_NAME' value='$fwhostsettings{'SRV_NAME'}'></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
++END
++ foreach ("TCP","UDP","ICMP")
++ {
++ if ($_ eq $fwhostsettings{'PROT'})
++ {
++ print"<option selected>$_</option>";
++ }else{
++ print"<option>$_</option>";
++ }
++ }
++ print<<END;
++ </select></td><td>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='9'></td></tr>
++ <tr><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='4'><select name='ICMP_TYPES'>
++END
++ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
++ print"<option>All ICMP-Types</option>";
++ foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) }keys %icmptypes){
++ print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
++ }
++
++ print<<END;
++ </select></td>
++ <tr><td colspan='6'><hr></td></tr>
++ <tr><td colspan='6' align='right'>
++END
++ if ($fwhostsettings{'updatesrv'} eq 'on')
++ {
++ print<<END;
++ <input type='submit' value='$Lang::tr{'fwhost change'}'>
++ <input type='hidden' name='ACTION' value='updateservice'>
++ <input type='hidden' name='oldsrvname' value='$fwhostsettings{'oldsrvname'}'>
++ <input type='hidden' name='oldsrvport' value='$fwhostsettings{'oldsrvport'}'>
++ <input type='hidden' name='oldsrvprot' value='$fwhostsettings{'oldsrvprot'}'></form>
++END
++
++ }else{
++ print"<input type='submit' value='$Lang::tr{'save'}'><input type='hidden' name='ACTION' value='saveservice'></form>";
++ }
++ print<<END;
++ <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost reset'}'></form></td></tr>
++ </table></form>
++
++
++END
++ &Header::closebox();
++ &viewtableservice;
++}
++sub addservicegrp
++{
++ &hint;
++ &error;
++ &showmenu;
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'});
++ $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'};
++
++ if ($fwhostsettings{'updatesrvgrp'} eq ''){
++ print<<END;
++ <table width='100%' border='0'><form method='post'>
++ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='SRVGRP_REMARK' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td></tr>
++ <tr><td colspan='4'><hr></td></td></tr>
++ </table>
++END
++ }else{
++ print<<END;
++ <table width='100%' border='0'><form method='post'>
++ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='SRVGRP_REMARK' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td></tr>
++ <tr><td colspan='4'><hr></td></td></tr>
++ </table>
++END
++ }
++ if($fwhostsettings{'updatesrvgrp'} eq 'on'){
++
++
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
++END
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice)
++ {
++ print "<option>$customservice{$key}[0]</option>";
++ }
++ print<<END;
++ </select></td></tr>
++ <tr><td colspan='4'><br><br><br></td></tr>
++ <tr><td colspan='4'><hr></td></tr>
++ </table>
++END
++ }
++ print<<END;
++ <table width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='oldsrvgrpremark' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='saveservicegrp' ></form> <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}'></td></tr>
++ </table></form>
++END
++
++ &Header::closebox();
++}
++# View
++sub viewtablenet
++{
++ if(! -z $confignet){
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust net'});
++ &General::readhasharray("$confignet", \%customnetwork);
++ if (!keys %customnetwork)
++ {
++ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
++ }else{
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'netmask'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++END
++ }
++ my $count=0;
++ foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
++ if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) {
++ print" <tr bgcolor='${Header::colouryellow}'>";
++ }elsif ($count % 2)
++ {
++ print" <tr bgcolor='$color{'color22'}'>";
++ }else
++ {
++ print" <tr bgcolor='$color{'color20'}'>";
++ }
++ print<<END;
++ <td width='40%'><form method='post'>$customnetwork{$key}[0]</td><td width=25%'>$customnetwork{$key}[1]</td><td width='25%'>$customnetwork{$key}[2]</td><td align='center'>$customnetwork{$key}[3] x</td>
++ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
++ <input type='hidden' name='ACTION' value='editnet'>
++ <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' />
++ <input type='hidden' name='IP' value='$customnetwork{$key}[1]' />
++ <input type='hidden' name='SUBNET' value='$customnetwork{$key}[2]' />
++ </td></form>
++END
++ if($customnetwork{$key}[3] == '0')
++ {
++ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delnet' /><input type='hidden' name='key' value='$customnetwork{$key}[0]' /></td></form></tr>";
++ }else{
++ print"<td></td></form></tr>";
++ }
++ $count++;
++ }
++ print"</table>";
++ &Header::closebox();
++ }
++
++}
++sub viewtablehost
++{
++ if (! -z $confighost){
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust addr'});
++ &General::readhasharray("$confighost", \%customhost);
++ if (!keys %customhost)
++ {
++ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
++ }else{
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++END
++ }
++ my $count=0;
++ foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
++ if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) {
++ print" <tr bgcolor='${Header::colouryellow}'>";
++ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
++ else{ print" <tr bgcolor='$color{'color20'}'>";}
++ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
++ print<<END;
++ <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$customhost{$key}[2]</td><td align='center'>$customhost{$key}[3] x</td>
++ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
++ <input type='hidden' name='ACTION' value='edithost' />
++ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
++ <input type='hidden' name='IP' value='$ip' />
++ <input type='hidden' name='type' value='$customhost{$key}[1]' />
++ </td></form>
++END
++ if($customhost{$key}[3] == '0')
++ {
++ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delhost' /><input type='hidden' name='key' value='$customhost{$key}[0]' /></td></form></tr>";
++ }else{
++ print"<td width='1%'></td></tr>";
++ }
++ $count++;
++ }
++ print"</table>";
++ &Header::closebox();
++ }
++}
++sub viewtablegrp
++{
++ if(! -z "$configgrp"){
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust grp'});
++ &General::readhasharray("$configgrp", \%customgrp);
++ &General::readhasharray("$configipsec", \%ipsecconf);
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ &General::readhasharray("$confighost", \%customhost);
++ &General::readhasharray("$confignet", \%customnetwork);
++ my @grp=();
++ my $helper='';
++ my $count=0;
++ my $grpname;
++ my $remark;
++ my $number=keys %customgrp;
++ if (!keys %customgrp)
++ {
++ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
++ }else{
++ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
++
++ $count++;
++ if ($helper ne $customgrp{$key}[0]){
++ $grpname=$customgrp{$key}[0];
++ $remark=$customgrp{$key}[1];
++ if($count >=2){print"</table>";}
++ print "<br><b><u>$grpname</u></b>    ";
++ print " <b>$Lang::tr{'remark'}:</b>  $remark   " if ($remark ne '');
++ print "<b>$Lang::tr{'used'}:</b> $customgrp{$key}[4] x";
++ if($customgrp{$key}[4] == '0')
++ {
++ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='ACTION' value='delgrp'></form>";
++ }
++ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='remark' value='$remark' ><input type='hidden' name='ACTION' value='editgrp'></form>";
++ print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td></tr>";
++ }
++ if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) {
++ print" <tr bgcolor='${Header::colouryellow}'>";
++ }elsif ($count %2 == 0){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
++ my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]);
++ if ($ip eq ''){print"<tr bgcolor='${Header::colouryellow}'>";}
++
++
++ print "<td width='39%'>";
++ if($customgrp{$key}[3] eq 'Standard Network'){
++ print &get_name($customgrp{$key}[2])."</td>";
++ }else{
++ print "$customgrp{$key}[2]</td>";
++ }
++ if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){
++ print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ }else{
++ print"<td>$ip</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ }
++ if ($number gt '1' && $ip ne ''){
++ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
++ }
++ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
++
++ $helper=$customgrp{$key}[0];
++ }
++ print"</table>";
++
++ }
++ &Header::closebox();
++}
++
++}
++sub viewtableservice
++{
++ my $count=0;
++ if(! -z "$configsrv")
++ {
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'});
++ &General::readhasharray("$configsrv", \%customservice);
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
++END
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice)
++ {
++ $count++;
++ if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) {
++ print" <tr bgcolor='${Header::colouryellow}'>";
++ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}else{ print" <tr bgcolor='$color{'color20'}'>";}
++ print<<END;
++ <td>$customservice{$key}[0]</td><td align='center'>$customservice{$key}[2]</td><td align='center'>$customservice{$key}[1]</td><td align='center'>
++END
++ if($customservice{$key}[3] ne 'BLANK'){print $customservice{$key}[3];}
++
++ print<<END;
++ </td><td align='center'>$customservice{$key}[4]x</td>
++ <td width='1%'><form method='post'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} /><input type='hidden' name='ACTION' value='editservice' />
++ <input type='hidden' name='SRV_NAME' value='$customservice{$key}[0]' />
++ <input type='hidden' name='SRV_PORT' value='$customservice{$key}[1]' />
++ <input type='hidden' name='PROT' value='$customservice{$key}[2]' /></form></td>
++END
++ if ($customservice{$key}[4] eq '0')
++ {
++ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delservice' /><input type='hidden' name='SRV_NAME' value='$customservice{$key}[0]'></td></tr></form>";
++ }else{
++ print"<td></td></tr>";
++ }
++ }
++ print"</table>";
++ &Header::closebox();
++ }
++}
++sub viewtableservicegrp
++{
++ my $count=0;
++ my $grpname;
++ my $remark;
++ my $helper;
++ if (! -z $configsrvgrp){
++
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ my $number= keys %customservicegrp;
++ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ $count++;
++ if ($helper ne $customservicegrp{$key}[0]){
++ $grpname=$customservicegrp{$key}[0];
++ $remark=$customservicegrp{$key}[1];
++ if($count >=2){print"</table>";}
++ print "<br><b><u>$grpname</u></b>     ";
++ print "<b>$Lang::tr{'remark'}:</b>  $remark " if ($remark ne '');
++ print "  <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[5] x";
++ if($customservicegrp{$key}[5] == '0')
++ {
++ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>";
++ }
++ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='SRVGRP_REMARK' value='$remark' ><input type='hidden' name='ACTION' value='editservicegrp'></form>";
++ print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td></tr>";
++ }
++ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
++ print" <tr bgcolor='${Header::colouryellow}'>";
++ }elsif ($count %2 == 0){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
++ print "<td width='39%'>$customservicegrp{$key}[2]</td>";
++ print"<td align='center'>$customservicegrp{$key}[3]</td><td align='center'>$customservicegrp{$key}[4]</td><td width='1%'><form method='post'>";
++ if ($number gt '1'){
++ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
++ }
++ print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
++ $helper=$customservicegrp{$key}[0];
++ }
++ print"</table>";
++ &Header::closebox();
++ }
++}
++# Check
++sub checkname
++{
++ my %hash=%{(shift)};
++ foreach my $key (keys %hash) {
++ if($hash{$key}[0] eq $fwhostsettings{'HOSTNAME'}){
++ return 0;
++ }
++ }
++ return 1;
++
++}
++sub checkip
++{
++
++ my %hash=%{(shift)};
++ my $a=shift;
++ foreach my $key (keys %hash) {
++ if($hash{$key}[$a] eq $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'})){
++ return 0;
++ }
++ }
++ return 1;
++}
++sub checksubnet
++{
++
++ my %hash=%{(shift)};
++ &General::readhasharray("$confignet", \%hash);
++ foreach my $key (keys %hash) {
++ if(&General::IpInSubnet($fwhostsettings{'IP'},$hash{$key}[1],$hash{$key}[2]))
++ {
++ return 1;
++ }
++ }
++ return 0;
++}
++sub checkservicegroup
++{
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++
++
++ #check name
++ if ( ! &General::validhostname($fwhostsettings{'SRVGRP_NAME'}))
++ {
++ $errormessage.=$Lang::tr{'fwhost err name'}."<br>";
++ return $errormessage;
++ }
++ #check remark
++ if ( ($fwhostsettings{'SRVGRP_REMARK'} ne '') && (! &validhostname($fwhostsettings{'SRVGRP_REMARK'})))
++ {
++ $errormessage.=$Lang::tr{'fwhost err remark'}."<br>";
++ }
++ #check empty selectbox
++ if (keys %customservice lt 1)
++ {
++ $errormessage.=$Lang::tr{'fwhost err groupempty'}."<br>";
++ }
++
++ #check if name already exists
++ if ($fwhostsettings{'updatesrvgrp'} ne 'on'){
++ foreach my $key (keys %customservicegrp) {
++ if( $customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} ){
++ $errormessage.=$Lang::tr{'fwhost err grpexist'}."<br>";
++
++ }
++ }
++ }
++ #check if service already exists in group
++ foreach my $key (keys %customservicegrp) {
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){
++ $errormessage.=$Lang::tr{'fwhost err srvexist'}."<br>";
++
++ }
++ }
++
++
++
++ return $errormessage;
++}
++sub error
++{
++ if ($errormessage) {
++ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
++ print "<class name='base'>$errormessage\n";
++ print " </class>\n";
++ &Header::closebox();
++ }
++}
++sub hint
++{
++ if ($hint) {
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'});
++ print "<class name='base'>$hint\n";
++ print " </class>\n";
++ &Header::closebox();
++ }
++}
++sub get_name
++{
++ my $val=shift;
++ &General::setup_default_networks(\%defaultNetworks);
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ return "$network" if ($val eq $defaultNetworks{$network}{'NAME'});
++ }
++}
++sub deletefromgrp
++{
++ my $target=shift;
++ my $config=shift;
++ my %hash=();
++ &General::readhasharray("$config",\%hash);
++ foreach my $key (keys %hash) {
++ $errormessage.="lese $hash{$key}[2] und $target<br>";
++ if($hash{$key}[2] eq $target){
++
++ delete $hash{$key};
++ $errormessage.="Habe $target aus Gruppe gelöscht!<br>";
++ }
++ }
++ &General::writehasharray("$config",\%hash);
++
++}
++sub plausicheck
++{
++
++ my $edit=shift;
++ #check hostname
++ if (!&General::validhostname($fwhostsettings{'HOSTNAME'}))
++ {
++ $errormessage=$errormessage.$Lang::tr{'fwhost err name'};
++ $fwhostsettings{'BLK_IP'}='readonly';
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ }
++ #check if name collides with CCD Netname
++
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ foreach my $key (keys %ccdnet) {
++ if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){
++ $errormessage=$errormessage.$Lang::tr{'fwhost err isccdnet'};;
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ last;
++ }
++ }
++
++ #check if IP collides with CCD NetIP
++ if ($fwhostsettings{'type'} ne 'mac'){
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ foreach my $key (keys %ccdnet) {
++ my $test=(&General::getnetworkip($fwhostsettings{'IP'},&General::iporsubtocidr($fwhostsettings{'SUBNET'})))."/".$fwhostsettings{'SUBNET'};
++ if($ccdnet{$key}[1] eq $test){
++ $errormessage=$errormessage.$Lang::tr{'fwhost err isccdipnet'};
++ $fwhostsettings{'IP'} = $fwhostsettings{'orgip'};
++ $fwhostsettings{'SUBNET'} = $fwhostsettings{'orgsubnet'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ last;
++ }
++ }
++ }
++
++
++
++ #check if name collides with CCD Hostname
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ foreach my $key (keys %ccdhost) {
++ my ($ip,$sub)=split(/\//,$ccdhost{$key}[33]);
++ if($ip eq $fwhostsettings{'IP'}){
++ $errormessage=$Lang::tr{'fwhost err isccdiphost'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ last;
++ }
++ }
++ #check if IP collides with CCD HostIP (only hosts)
++ if ($edit eq 'edithost')
++ {
++ foreach my $key (keys %ccdhost) {
++ if($ccdhost{$key}[1] eq $fwhostsettings{'HOSTNAME'}){
++ $errormessage=$Lang::tr{'fwhost err isccdhost'};
++ $fwhostsettings{'IP'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ last;
++ }
++ }
++ }
++ #check if network with this name already exists
++ &General::readhasharray("$confignet", \%customnetwork);
++ if (!&checkname(\%customnetwork))
++ {
++ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err netexist'};
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ }
++ #check if network ip already exists
++ if (!&checkip(\%customnetwork,1))
++ {
++ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err net'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ }
++ #check if host with this name already exists
++ &General::readhasharray("$confighost", \%customhost);
++ if (!&checkname(\%customhost))
++ {
++ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err hostexist'};
++ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ }
++ #check if host with this ip already exists
++ if (!&checkip(\%customhost,2))
++ {
++ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err ipcheck'};
++
++ }
++
++
++ return;
++}
++sub getipforgroup
++{
++ my $name=$_[0],
++ my $type=$_[1];
++ my $value;
++
++ #get address from IPSEC NETWORK
++ if ($type eq 'IpSec Network'){
++ foreach my $key (keys %ipsecconf) {
++ if ($ipsecconf{$key}[1] eq $name){
++ return $ipsecconf{$key}[11];
++ }
++ }
++ &deletefromgrp($name,$configgrp);
++ }
++
++ #get address from IPSEC HOST
++ if ($type eq 'IpSec Host'){
++ foreach my $key (keys %ipsecconf) {
++ if ($ipsecconf{$key}[1] eq $name){
++ return $ipsecconf{$key}[10];
++ }
++ }
++ &deletefromgrp($name,$configgrp);
++ }
++
++ #get address from ovpn ccd Net-2-Net
++ if ($type eq 'OpenVPN N-2-N'){
++ foreach my $key (keys %ccdhost) {
++ if($ccdhost{$key}[1] eq $name){
++ my ($a,$b) = split ("/",$ccdhost{$key}[11]);
++ $b=&General::iporsubtodec($b);
++ return "$a/$b";
++ }
++ }
++ &deletefromgrp($name,$configgrp);
++ }
++
++ #get address from ovpn ccd static host
++ if ($type eq 'OpenVPN static host'){
++ foreach my $key (keys %ccdhost) {
++ if($ccdhost{$key}[1] eq $name){
++ my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
++ $b=&General::iporsubtodec($b);
++ return "$a/$b";
++ }
++ }
++ &deletefromgrp($name,$configgrp);
++ }
++
++ #get address from ovpn ccd static net
++ if ($type eq 'OpenVPN static network'){
++ foreach my $key (keys %ccdnet) {
++ if ($ccdnet{$key}[0] eq $name){
++ my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
++ $b=&General::iporsubtodec($b);
++ return "$a/$b";
++ }
++ }
++ }
++
++ #check custom addresses
++ if ($type eq 'Custom Host'){
++ foreach my $key (keys %customhost) {
++ if ($customhost{$key}[0] eq $name){
++ return $customhost{$key}[2];
++ }
++ }
++ }
++
++ ##check custom networks
++ if ($type eq 'Custom Network'){
++ foreach my $key (keys %customnetwork) {
++ if($customnetwork{$key}[0] eq $name){
++ return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
++ }
++ }
++ }
++
++ #check standard networks
++ if ($type eq 'Standard Network'){
++ if ($name =~ /OpenVPN/i){
++ my %ovpn=();
++ &General::readhash("${General::swroot}/ovpn/settings",\%ovpn);
++ return $ovpn{'DOVPN_SUBNET'};
++ }
++ if ($name eq 'GREEN'){
++ my %hash=();
++ &General::readhash("${General::swroot}/ethernet/settings",\%hash);
++ return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
++ }
++ if ($name eq 'BLUE'){
++ my %hash=();
++ &General::readhash("${General::swroot}/ethernet/settings",\%hash);
++ return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
++ }
++ if ($name eq 'ORANGE'){
++ my %hash=();
++ &General::readhash("${General::swroot}/ethernet/settings",\%hash);
++ return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
++ }
++ if ($name eq 'ALL'){
++ return "0.0.0.0/0.0.0.0";
++ }
++ if ($name =~ /IPsec/i){
++ my %hash=();
++ &General::readhash("${General::swroot}/vpn/settings",\%hash);
++ return $hash{'RW_NET'};
++ }
++ }
++}
++sub rules
++{
++ system ("/usr/local/bin/forwardfwctrl");
++ system("rm ${General::swroot}/forward/reread");
++}
++sub decrease
++{
++ my $grp=$_[0];
++ &General::readhasharray("$confignet", \%customnetwork);
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (sort keys %customgrp ){
++ if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){
++ foreach my $key1 (sort keys %customnetwork){
++ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
++ $customnetwork{$key1}[3]=$customnetwork{$key1}[3]-1;
++ last;
++ }
++ }
++ }
++
++ if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){
++ foreach my $key2 (sort keys %customhost){
++ if ($customhost{$key2}[0] eq $customgrp{$key}[2]){
++ $customhost{$key2}[3]=$customhost{$key2}[3]-1;
++ last;
++ }
++ }
++
++ }
++ }
++ &General::writehasharray("$confignet", \%customnetwork);
++ &General::writehasharray("$confighost", \%customhost);
++}
++sub decreaseservice
++{
++ my $grp=$_[0];
++ &General::readhasharray("$configsrv", \%customservice);
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++
++ foreach my $key (sort keys %customservicegrp){
++ if ($customservicegrp{$key}[0] eq $grp ){
++ foreach my $key2 (sort keys %customservice){
++ if ($customservice{$key2}[0] eq $customservicegrp{$key}[2]){
++ $customservice{$key2}[4]--;
++ }
++ }
++ }
++ }
++ &General::writehasharray("$configsrv", \%customservice);
++
++}
++sub checkports
++{
++
++ my %hash=%{(shift)};
++ #check empty fields
++ if ($fwhostsettings{'SRV_NAME'} eq '' ){
++ $errormessage=$Lang::tr{'fwhost err name1'};
++ }
++ if ($fwhostsettings{'SRV_PORT'} eq '' && $fwhostsettings{'PROT'} ne 'ICMP'){
++ $errormessage=$Lang::tr{'fwhost err port'};
++ }
++ #check valid name
++ if (! &General::validhostname($fwhostsettings{'SRV_NAME'})){
++ $errormessage="<br>".$Lang::tr{'fwhost err name'};
++ }
++ #change dashes with :
++ $fwhostsettings{'SRV_PORT'}=~ tr/-/:/;
++
++ if ($fwhostsettings{'SRV_PORT'} eq "*") {
++ $fwhostsettings{'SRV_PORT'} = "1:65535";
++ }
++ if ($fwhostsettings{'SRV_PORT'} =~ /^(\D)\:(\d+)$/) {
++ $fwhostsettings{'SRV_PORT'} = "1:$2";
++ }
++ if ($fwhostsettings{'SRV_PORT'} =~ /^(\d+)\:(\D)$/) {
++ $fwhostsettings{'SRV_PORT'} = "$1:65535";
++ }
++ if($fwhostsettings{'PROT'} ne 'ICMP'){
++ $errormessage = $errormessage.&General::validportrange($fwhostsettings{'SRV_PORT'}, 'src');
++ }
++ # a new service has to have a different name
++ foreach my $key (keys %hash){
++ if ($hash{$key}[0] eq $fwhostsettings{'SRV_NAME'}){
++ $errormessage = "<br>".$Lang::tr{'fwhost err srv exists'};
++ last;
++ }
++ }
++ return $errormessage;
++}
++sub validhostname
++{
++ # Checks a hostname against RFC1035
++ my $hostname = $_[0];
++
++ # Each part should be at least two characters in length
++ # but no more than 63 characters
++ if (length ($hostname) < 1 || length ($hostname) > 63) {
++ return 0;}
++ # Only valid characters are a-z, A-Z, 0-9 and -
++ if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-\s]*$/) {
++ return 0;}
++ # First character can only be a letter or a digit
++ if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
++ return 0;}
++ # Last character can only be a letter or a digit
++ if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
++ return 0;}
++ return 1;
++}
++
++&Header::closebigbox();
++&Header::closepage();
+--
+1.7.10.4
+
--- /dev/null
+From a7c5addd475f541642ab45c8c22f7df2e0fc6f90 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 28 Dec 2012 13:29:34 +0100
+Subject: [PATCH 003/302] Forward Firewall: fixed rules.pl error when using
+ manual target address
+
+Signed-off-by: Alexander Marx <amarx@ipfire.org>
+---
+ config/forwardfw/rules.pl | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index d6bd3c9..8c9e2ba 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -111,7 +111,9 @@ sub preparerules
+ }
+ sub buildrules
+ {
++
+ my $hash=shift;
++
+ foreach my $key (sort keys %$hash){
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
+@@ -132,7 +134,7 @@ sub buildrules
+ }
+ }
+ }elsif($$hash{$key}[5] eq 'ipfire'){
+-
++
+ if($$hash{$key}[6] eq 'Default IP'){
+ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ $targethash{$key}[0]= <FILE>;
+@@ -147,20 +149,19 @@ sub buildrules
+ }else{
+ &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
+ }
+-
+ ##get source prot and port
+ $SRC_TGT='SRC';
+ $SPROT = &get_prot($hash,$key);
+ $SPORT = &get_port($hash,$key);
+ $SRC_TGT='';
+-
++
+ ##get target prot and port
+ $DPROT=&get_prot($hash,$key);
+-
++
+ if ($DPROT eq ''){$DPROT=' ';}
+ @DPROT=split(",",$DPROT);
+-
+-
++
++
+ #get time if defined
+ if($$hash{$key}[18] eq 'ON'){
+ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
+@@ -245,7 +246,7 @@ sub get_address
+ }
+ my $key = &General::findhasharraykey($hash);
+ if($base eq 'src_addr' || $base eq 'tgt_addr' ){
+- $$hash{$key}[0] = $configfwdfw{$key}[4];
++ $$hash{$key}[0] = $base2;
+ }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
+ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
+ }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
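Review bot: The manual address in `$base2` is written into `$$hash{$key}[0]` with no check at this point, and this script appears to build the firewall rules from that hash. The CGI validates the field with `&General::validipandmask` before saving, but rules.pl only ever sees the stored config file, so a hand-edited or damaged entry would flow straight through. A guard before the assignment, for example `return unless &General::validipandmask($base2);`, would keep such a value out of the rule set; the right failure action depends on the rest of the sub. `get_address` starts and ends outside this hunk, so an earlier check cannot be ruled out from here.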
+--
+1.7.10.4
+
--- /dev/null
+From 4ec434e56500487cd700f2a349da903c945ed6e8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 29 Dec 2012 07:09:37 +0100
+Subject: [PATCH 004/302] Forward Firewall: fixed Typos
+
+Signed-off-by: Alexander Marx <amarx@ipfire.org>
+---
+ html/cgi-bin/forwardfw.cgi | 8 ++++----
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 6 +++---
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index be2f0cf..6ed0a9b 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -577,7 +577,7 @@ sub checksource
+ my @tmp= split (/\./,$ip);
+ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+ {
+- $errormessage=$Lang::tr{'fwhost err hostip'};
++ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ }
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+
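Review bot: The changed line uses `$errormessage=` rather than `.=`, so any message collected earlier in `checksource` is discarded when the last-octet check fires. The added `"<br>"` separator suggests messages are meant to accumulate, and the `tgt_addr` check in the `checktarget` hunk already appends with `.=`. If so, write `$errormessage.=$Lang::tr{'fwhost err hostip'}."<br>";` here and on the identical line in the `checktarget` hunk. Both subs start outside their hunks, so earlier assignments are not visible.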
+@@ -650,9 +650,9 @@ sub checktarget
+ my @tmp= split (/\./,$ip);
+ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+ {
+- $errormessage=$Lang::tr{'fwhost err hostip'};
++ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ }
+- $fwdfwsettings{'tgt_addr'}=$ip."/".$subnet;
++ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+@@ -762,7 +762,7 @@ sub checkrule
+ my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2);
+ if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){
+ $hint=$Lang::tr{'fwdfw hint ip1'}."<br>";
+- $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target:$networkip2/$tcidr<br>";
++ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+ }
+
+ }else{
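Review bot: `split(".",$networkip2)` treats `.` as a pattern that matches any character, so every field comes back empty and `$tbyte1` to `$tbyte4` stay undefined. If the `$sbyte*` values are produced the same way (that line is above the hunk), the three `eq` tests compare empty values and the same-subnet hint is shown regardless of the addresses. Split on a literal dot instead, `my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2);`, as the `split (/\./,$ip)` calls in `checksource` and `checktarget` do.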
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 8fe281b..e82aca5 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1226,7 +1226,7 @@ END
+ print"<input type='submit' value='$Lang::tr{'save'}'><input type='hidden' name='ACTION' value='saveservice'></form>";
+ }
+ print<<END;
+- <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost reset'}'></form></td></tr>
++ <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}'></form></td></tr>
+ </table></form>
+
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 83a8977..714e7c5 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -940,7 +940,7 @@
+ 'fwhost addrule' => 'Neue Regel hinzufügen:',
+ 'fwhost any' => 'Alle',
+ 'fwhost attention' => 'ACHTUNG',
+-'fwhost back' => 'Übernehmen',
++'fwhost back' => 'Zurück',
+ 'fwhost blue' => 'Blau',
+ 'fwhost ccdhost' => 'OpenVPN Clients:',
+ 'fwhost ccdnet' => 'OpenVPN Netzwerke:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index fe4857e..e083d23 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -921,11 +921,11 @@
+ 'fwdfw err tgtport' => 'Please provide target port.',
+ 'fwdfw err tgt_addr' => 'Invalid target IP-address.',
+ 'fwdfw err tgt_port' => 'Invalid target port',
+-'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.',
++'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.',
+ 'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+ 'fwdfw err time' => 'You have to define at least one day.',
+ 'fwdfw from' => 'From:',
+-'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.',
++'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.',
+ 'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
+ 'fwdfw ipsec network' => 'IpSec networks:',
+ 'fwdfw log rule' => 'Log rule',
+@@ -963,7 +963,7 @@
+ 'fwhost addrule' => 'Add new rule:',
+ 'fwhost any' => 'Any',
+ 'fwhost attention' => 'ATTENTION',
+-'fwhost back' => 'commit',
++'fwhost back' => 'back',
+ 'fwhost blue' => 'Blue',
+ 'fwhost ccdhost' => 'OpenVPN clients:',
+ 'fwhost ccdnet' => 'OpenVPN networks:',
+--
+1.7.10.4
+
--- /dev/null
+From 748fd0ecf07e6f661a3406efecc2a3bac4c8a2cc Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 1 Jan 2013 06:17:06 +0100
+Subject: [PATCH 005/302] Forward Firewall: changed remarkfield to have
+ maximum 255 chars. Changed Layout from
+ viewtablerule.
+
+Signed-off-by: Alexander Marx <amarx@ipfire.org>
+---
+ html/cgi-bin/forwardfw.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6ed0a9b..1f5ea00 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1266,7 +1266,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td colspan='2' >$Lang::tr{'remark'}:<input type='text' name='ruleremark' size='40' value='$fwdfwsettings{'ruleremark'}'></td></tr>
++ <tr><td colspan='2' >$Lang::tr{'remark'}:<input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>
+ <tr><td width='1%'><input type='checkbox' name='ACTIVE' value='ON' $checked{'ACTIVE'}{'ON'}></td><td>$Lang::tr{'fwdfw rule activate'}</td></tr>
+ <tr><td width='1%'><input type='checkbox' name='LOG' value='ON' $checked{'LOG'}{'ON'} ></td><td>$Lang::tr{'fwdfw log rule'}</td></tr>
+ </table><hr><br>
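Review bot: `$fwdfwsettings{'ruleremark'}` is interpolated into a single-quoted `value` attribute without HTML escaping, and the new `maxlength='255'` is only a browser-side limit. If the form is re-rendered with a remark that failed `validremark` (not visible in this hunk), a quote or angle bracket from the request ends up in the page markup. Escape the value before the heredoc, for example `my $remark_html = &Header::cleanhtml($fwdfwsettings{'ruleremark'},"y");`, and print `value='$remark_html'`. Confirm first that the helper encodes single quotes.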
+@@ -1464,7 +1464,7 @@ sub validremark
+
+ # Each part should be at least two characters in length
+ # but no more than 63 characters
+- if (length ($remark) < 1 || length ($remark) > 63) {
++ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) {
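Review bot: The comment above the changed check still says "no more than 63 characters" (and "at least two", while the code accepts one), so it now contradicts the 255 limit; replace it with `# A remark must be between 1 and 255 characters long`. Separately, `\s` in the character class and the `$` anchor both admit newlines, which matters if remarks are stored in a line-oriented config file (the storage format is not visible here). Consider `if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9 -]*\z/) {` so that only plain spaces pass. `validremark` starts and ends outside this hunk.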
+@@ -1547,7 +1547,7 @@ sub viewtablenew
+ &General::readhasharray("$config", $hash);
+ print"<b>$title1</b><br>";
+ print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+- print"<tr><td align='center' width='1%'><b>#</td><td></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' width='20%'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort keys %$hash){
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+@@ -1637,7 +1637,7 @@ END
+ </td>
+
+ <form method='post'>
+- <td width='1%'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;'/>
++ <td width='1%' align='left'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
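Review bot: The hidden `config` field round-trips `$config` through the browser, so the handler for the toggle action receives a client-supplied file name. If that handler passes the posted value to `&General::readhasharray` or `writehasharray` (not visible in this hunk), it should first compare it against the known rule-file variables and refuse anything else. `$key` and `$config` are also written into the attributes unescaped. The enclosing sub starts outside the hunk.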
+@@ -1645,7 +1645,7 @@ END
+ END
+
+ print<<END;
+- <td align='center'>
++ <td align='center' nowrap='nowrap'>
+ END
+ if ($$hash{$key}[5] eq 'std_net_tgt'){
+ print &get_name($$hash{$key}[6]);
+--
+1.7.10.4
+
--- /dev/null
+From eee98759eedeffa520f42d226edad696c531fa69 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 08:14:28 +0100
+Subject: [PATCH 006/302] Forward Firewall: build iso with new firewall
+
+---
+ config/outgoingfw/defaultservices | 34 -----
+ config/outgoingfw/outgoingfw.pl | 275 ------------------------------------
+ config/rootfiles/common/configroot | 2 +-
+ langs/de/cgi-bin/de.pl | 1 -
+ langs/en/cgi-bin/en.pl | 1 -
+ lfs/configroot | 14 +-
+ src/initscripts/init.d/firewall | 16 +--
+ src/misc-progs/Makefile | 9 +-
+ src/misc-progs/forwardfwctrl.c | 27 ++++
+ src/misc-progs/outgoingfwctrl.c | 24 ----
+ 10 files changed, 42 insertions(+), 361 deletions(-)
+ delete mode 100644 config/outgoingfw/defaultservices
+ delete mode 100644 config/outgoingfw/outgoingfw.pl
+ create mode 100644 src/misc-progs/forwardfwctrl.c
+ delete mode 100644 src/misc-progs/outgoingfwctrl.c
+
+diff --git a/config/outgoingfw/defaultservices b/config/outgoingfw/defaultservices
+deleted file mode 100644
+index f2cf475..0000000
+--- a/config/outgoingfw/defaultservices
++++ /dev/null
+@@ -1,34 +0,0 @@
+-bootpc,68,tcp&udp,Bootstrap Protocol Client
+-bootps,67,tcp&udp,Bootstrap Protocol Server
+-domain,53,tcp&udp,Domain Name Server
+-echo,7,tcp&udp,Echo
+-ftp,21,tcp&udp,File Transfer Control
+-ftp-data,20,tcp&udp,File Control Data
+-http,80,tcp,Hypertext Transfer Protocol
+-https,443,tcp,secure HTTP
+-imap,143,tcp,Interactive Mail Access Protocol
+-imap3,220,tcp,Interactive Mail Access Protocol v3
+-imaps,993,tcp,secure IMAP
+-ipfire-https,444,tcp,IPFire HTTPS
+-ipfire-ssh,222,tcp&udp,IPFire SSH
+-irc,194,tcp&udp,Internet Relay Chat
+-ircd,6667,tcp&udp,Internet Relay Chat
+-microsoft-ds,445,tcp&udp,Netbios Filesharing
+-nameserver,42,tcp&udp,Host Name Server
+-netbios-dgm,138,tcp&udp,NETBIOS Datagram Service
+-netbios-ns,137,tcp&udp,NETBIOS Name Server
+-netbios-ssn,139,tcp&udp,NETBIOS Session Service
+-nfs,2049,tcp&udp,Network File System
+-ntp,123,udp,Network Time Protocol
+-pop3,110,tcp,POP3 Email
+-pop3s,995,tcp,secure POP3 Email
+-sftp,115,tcp&udp,secure File Transfer Protocol
+-smtp,25,tcp,Simple Mail Transfer Protocol
+-smtps,465,tcp,secure Simple Mail Transfer Protocol
+-snmp,161,tcp&udp,Simple Network Management
+-snmptrap,162,udp,SNMP Trap
+-ssh,22,tcp&udp,SSH
+-telnet,23,tcp&udp,Telnet
+-tftp,69,tcp&udp,Trivial File Transfer
+-time,37,tcp&udp,Time
+-wins,1512,tcp&udp,Windows Internet Name Service
+diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
+deleted file mode 100644
+index 7dd1430..0000000
+--- a/config/outgoingfw/outgoingfw.pl
++++ /dev/null
+@@ -1,275 +0,0 @@
+-#!/usr/bin/perl
+-###############################################################################
+-# #
+-# IPFire.org - A linux based firewall #
+-# Copyright (C) 2007-2011 IPFire Team #
+-# #
+-# This program is free software: you can redistribute it and/or modify #
+-# it under the terms of the GNU General Public License as published by #
+-# the Free Software Foundation, either version 3 of the License, or #
+-# (at your option) any later version. #
+-# #
+-# This program is distributed in the hope that it will be useful, #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+-# GNU General Public License for more details. #
+-# #
+-# You should have received a copy of the GNU General Public License #
+-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+-# #
+-###############################################################################
+-
+-
+-use strict;
+-# enable only the following on debugging purpose
+-#use warnings;
+-
+-require '/var/ipfire/general-functions.pl';
+-require "${General::swroot}/lang.pl";
+-
+-my %outfwsettings = ();
+-my %checked = ();
+-my %selected= () ;
+-my %netsettings = ();
+-my $errormessage = "";
+-my $configentry = "";
+-my @configs = ();
+-my @configline = ();
+-my $p2pentry = "";
+-my @p2ps = ();
+-my @p2pline = ();
+-my $CMD = "";
+-my $P2PSTRING = "";
+-
+-my $DEBUG = 0;
+-
+-my $configfile = "/var/ipfire/outgoing/rules";
+-my $p2pfile = "/var/ipfire/outgoing/p2protocols";
+-
+-### Values that have to be initialized
+-$outfwsettings{'ACTION'} = '';
+-$outfwsettings{'VALID'} = 'yes';
+-$outfwsettings{'EDIT'} = 'no';
+-$outfwsettings{'NAME'} = '';
+-$outfwsettings{'SNET'} = '';
+-$outfwsettings{'SIP'} = '';
+-$outfwsettings{'SPORT'} = '';
+-$outfwsettings{'SMAC'} = '';
+-$outfwsettings{'DIP'} = '';
+-$outfwsettings{'DPORT'} = '';
+-$outfwsettings{'PROT'} = '';
+-$outfwsettings{'STATE'} = '';
+-$outfwsettings{'DISPLAY_DIP'} = '';
+-$outfwsettings{'DISPLAY_DPORT'} = '';
+-$outfwsettings{'DISPLAY_SMAC'} = '';
+-$outfwsettings{'DISPLAY_SIP'} = '';
+-$outfwsettings{'POLICY'} = 'MODE0';
+-
+-my @SOURCE = "";
+-my $SOURCE = "";
+-my $DESTINATION = "";
+-my @PROTO = "";
+-my $PROTO = "";
+-my $DPORT = "";
+-my $DEV = "";
+-my $MAC = "";
+-my $DO = "";
+-my $DAY = "";
+-
+-# read files
+-&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
+-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+-
+-$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`;
+-$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`;
+-
+-open( FILE, "< $configfile" ) or die "Unable to read $configfile";
+-@configs = <FILE>;
+-close FILE;
+-
+-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+- $outfwsettings{'STATE'} = "ALLOW";
+- $DO = "RETURN";
+-} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
+- $outfwsettings{'STATE'} = "DENY";
+- $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
+-}
+-
+-### Initialize IPTables
+-system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
+-system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
+-system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");
+-
+-system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1");
+-system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1");
+-system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1");
+-
+-if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
+- exit 0
+-}
+-
+-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
+- if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
+- if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
+- if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
+- if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+-}
+-
+-foreach $configentry (sort @configs)
+-{
+- @SOURCE = "";
+- $DESTINATION = "";
+- $PROTO = "";
+- $DPORT = "";
+- $DEV = "";
+- $MAC = "";
+- @configline = split( /\;/, $configentry );
+-
+- if ($outfwsettings{'STATE'} eq $configline[0]) {
+- if ($configline[2] eq 'green') {
+- @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
+- $DEV = $netsettings{'GREEN_DEV'};
+- } elsif ($configline[2] eq 'red') {
+- @SOURCE = ("$netsettings{'RED_IP'}");
+- $DEV = "";
+- } elsif ($configline[2] eq 'blue') {
+- @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
+- $DEV = $netsettings{'BLUE_DEV'};
+- } elsif ($configline[2] eq 'orange') {
+- @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
+- $DEV = $netsettings{'ORANGE_DEV'};
+- } elsif ($configline[2] eq 'ipsec') {
+- @SOURCE = "";
+- $DEV = "ipsec+";
+- } elsif ($configline[2] eq 'ovpn') {
+- @SOURCE = "";
+- $DEV = "tun+";
+- } elsif ($configline[2] eq 'ip') {
+- @SOURCE = ("$configline[5]");
+- $DEV = "";
+- } elsif ($configline[2] eq 'mac') {
+- @SOURCE = ("$configline[6]");
+- $DEV = "";
+- } elsif ($configline[2] eq 'all') {
+- @SOURCE = ("0/0");
+- $DEV = "";
+- } else {
+- if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) {
+- @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`;
+- } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) {
+- @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`;
+- $configline[2] = "mac";
+- }
+- $DEV = "";
+- }
+-
+- if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
+-
+- if ($configline[3] eq 'tcp') {
+- @PROTO = ("tcp");
+- } elsif ($configline[3] eq 'udp') {
+- @PROTO = ("udp");
+- } elsif ($configline[3] eq 'esp') {
+- @PROTO = ("esp");
+- } elsif ($configline[3] eq 'gre') {
+- @PROTO = ("gre");
+- } else {
+- @PROTO = ("tcp","udp");
+- }
+-
+- my $macrule = 0;
+- foreach $PROTO (@PROTO){
+- foreach $SOURCE (@SOURCE) {
+- $SOURCE =~ s/\s//gi;
+-
+- if ( $SOURCE eq "" || $configline[1] eq "" ){next;}
+-
+- if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){
+- $SOURCE =~ s/[^a-zA-Z0-9]/:/gi;
+- $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO";
+- $macrule = 1;
+- } else {
+- $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO";
+- }
+-
+- if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) {
+- $DPORT = "$configline[8]";
+- $CMD = "$CMD -m multiport --destination-port $DPORT";
+- }
+-
+- if ($DEV) {
+- $CMD = "$CMD -i $DEV";
+- }
+-
+- if ($configline[17] && $configline[18]) {
+- $DAY = "";
+- if ($configline[10]){$DAY = "Mon,"}
+- if ($configline[11]){$DAY .= "Tue,"}
+- if ($configline[12]){$DAY .= "Wed,"}
+- if ($configline[13]){$DAY .= "Thu,"}
+- if ($configline[14]){$DAY .= "Fri,"}
+- if ($configline[15]){$DAY .= "Sat,"}
+- if ($configline[16]){$DAY .= "Sun"}
+- $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY";
+- }
+-
+- $CMD = "$CMD -o $netsettings{'RED_DEV'}";
+-
+- if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) {
+- applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule);
+- } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) {
+- applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule);
+- }
+-
+- applyrule("$CMD -j $DO", $macrule);
+- }
+- }
+- }
+-}
+-
+-### Do the P2P-Stuff here
+-open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+-@p2ps = <FILE>;
+-close FILE;
+-
+-$CMD = "-m ipp2p";
+-
+-foreach $p2pentry (sort @p2ps) {
+- @p2pline = split( /\;/, $p2pentry );
+- if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
+- $DO = "DROP";
+- if ("$p2pline[2]" eq "off") {
+- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+- }
+- } else {
+- $DO = "RETURN";
+- if ("$p2pline[2]" eq "on") {
+- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+- }
+- }
+-}
+-if ($P2PSTRING) {
+- applyrule("$CMD $P2PSTRING -j $DO", 0);
+-}
+-
+-if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+- if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
+- applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0);
+- }
+-
+- applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0);
+-}
+-
+-sub applyrule($$) {
+- my $cmd = shift;
+- my $macrule = shift;
+-
+- system("/sbin/iptables -A OUTGOINGFWMAC $cmd");
+- if ($macrule == 0) {
+- system("/sbin/iptables -A OUTGOINGFW $cmd");
+- }
+-}
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 04478b2..12b3d35 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -114,7 +114,7 @@ var/ipfire/optionsfw
+ var/ipfire/outgoing
+ #var/ipfire/outgoing/bin
+ #var/ipfire/outgoing/bin/outgoingfw.pl
+-var/ipfire/outgoing/defaultservices
++#var/ipfire/outgoing/defaultservices
+ #var/ipfire/outgoing/groups
+ #var/ipfire/outgoing/groups/ipgroups
+ #var/ipfire/outgoing/groups/macgroups
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 50a26e8..714e7c5 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -2336,7 +2336,6 @@
+ 'wireless config changed' => 'Wireless Konfiguration geändert',
+ 'wireless configuration' => 'Wireless-Konfiguration',
+ 'wlanap access point' => 'Access Point',
+-'wlanap country' => 'Ländercode',
+ 'wlanap channel' => 'Kanal',
+ 'wlanap debugging' => 'Debugging',
+ 'wlanap del interface' => 'Ausgewähltes Interface zurücksetzen?',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 0114b5c..e083d23 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -2370,7 +2370,6 @@
+ 'wireless config changed' => 'Wireless config changed',
+ 'wireless configuration' => 'Wireless Configuration',
+ 'wlanap access point' => 'Access Point',
+-'wlanap country' => 'Country Code',
+ 'wlanap channel' => 'Channel',
+ 'wlanap debugging' => 'Debugging',
+ 'wlanap del interface' => 'Remove selected interface?',
+diff --git a/lfs/configroot b/lfs/configroot
+index d177d43..4e80025 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -52,7 +52,7 @@ $(TARGET) :
+ # Create all directories
+ for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns \
+ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
+- net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
++ net-traffic/templates nfs optionsfw outgoing/bin \
+ outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
+ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
+ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
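Review bot: The directory list drops `outgoing/groups` and `outgoing/groups/ipgroups` but leaves `outgoing/groups/macgroups` on the next line, and keeps `outgoing/bin` although a later hunk of this file stops copying outgoingfw.pl into it. How the loop creates directories is outside the hunk, so the leftover entry either recreates the `outgoing/groups` tree or fails for lack of a parent. If the outgoing firewall is being retired, drop `outgoing/groups/macgroups` and replace `outgoing/bin` with plain `outgoing`, which the `p2protocols` copy further down still needs.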
+@@ -66,7 +66,7 @@ $(TARGET) :
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+- isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
++ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
+ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
+ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
+@@ -92,8 +92,6 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+ cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
+ cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
+- cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
+- cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
+ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
+ cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
+ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
+@@ -117,14 +115,8 @@ $(TARGET) :
+ echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+
+- # Set outgoingfw.pl executable
+- chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+-
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+-
+-
+-
+ # Modify variables in header.pl
+ sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
+ -e "s+VERSION+$(VERSION)+g" \
+@@ -141,7 +133,7 @@ $(TARGET) :
+
+ # Language files
+ cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/
+-
++
+ # Configroot permissions
+ chown -R nobody:nobody $(CONFIG_ROOT)
+ chown root:root $(CONFIG_ROOT)
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 624fbcc..dbb5f95 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -189,14 +189,14 @@ case "$1" in
+ # Outgoing Firewall
+ /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+
+- # Forward Firewall
+- /sbin/iptables -N FORWARDFW
+- /sbin/iptables -A FORWARD -j FORWARDFW
+-
+- # Input Firewall
+- /sbin/iptables -N INPUTFW
+- /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+-
++ # Forward Firewall
++ /sbin/iptables -N FORWARDFW
++ /sbin/iptables -A FORWARD -j FORWARDFW
++
++ # Input Firewall
++ /sbin/iptables -N INPUTFW
++ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
++
+ # localhost and ethernet.
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
+diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
+index 3b1baa8..47a40fb 100644
+--- a/src/misc-progs/Makefile
++++ b/src/misc-progs/Makefile
+@@ -28,7 +28,7 @@ SUID_PROGS = setportfw \
+ squidctrl sshctrl ipfirereboot \
+ ipsecctrl timectrl dhcpctrl snortctrl \
+ applejuicectrl rebuildhosts backupctrl \
+- logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
++ logwatch openvpnctrl forwardfwctrl \
+ wirelessctrl getipstat qosctrl launch-ether-wake \
+ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
+ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
+@@ -89,13 +89,10 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o
+
+ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+-
+-outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+- $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+-
++
+ forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+-
++
+ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+diff --git a/src/misc-progs/forwardfwctrl.c b/src/misc-progs/forwardfwctrl.c
+new file mode 100644
+index 0000000..a02b462
+--- /dev/null
++++ b/src/misc-progs/forwardfwctrl.c
+@@ -0,0 +1,27 @@
++/* This file is part of the IPFire Firewall.
++ *
++ * This program is distributed under the terms of the GNU General Public
++ * Licence. See the file COPYING for details.
++ *
++ */
++
++#include <stdlib.h>
++#include <stdio.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/types.h>
++#include <fcntl.h>
++#include "setuid.h"
++
++int main(int argc, char *argv[]) {
++
++ if (!(initsetuid()))
++ exit(1);
++
++ if(argc > 1)
++ safe_system("/var/ipfire/forward/bin/rules.pl flush");
++ else
++ safe_system("/var/ipfire/forward/bin/rules.pl");
++
++ return 0;
++}
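Review bot: This setuid helper runs `/var/ipfire/forward/bin/rules.pl` with elevated privileges after `initsetuid()`, so the script and its parent directories must not be writable by the web-server account. The lfs/configroot context in this same patch shows `chown -R nobody:nobody $(CONFIG_ROOT)`, and whether a later line re-owns `forward/bin` to root is not visible here, so that should be confirmed (assuming CONFIG_ROOT is /var/ipfire). A header comment such as `/* rules.pl runs as root: keep it root-owned and not group/world-writable */` would record the requirement. Separately, `argc > 1` treats any argument as a flush request and both `safe_system()` results are discarded, so a failed rule reload still exits 0. Consider `if (argc > 1 && strcmp(argv[1], "flush") == 0)` and returning the helper's status.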
+diff --git a/src/misc-progs/outgoingfwctrl.c b/src/misc-progs/outgoingfwctrl.c
+deleted file mode 100644
+index 2d993d9..0000000
+--- a/src/misc-progs/outgoingfwctrl.c
++++ /dev/null
+@@ -1,24 +0,0 @@
+-/* This file is part of the IPFire Firewall.
+- *
+- * This program is distributed under the terms of the GNU General Public
+- * Licence. See the file COPYING for details.
+- *
+- */
+-
+-#include <stdlib.h>
+-#include <stdio.h>
+-#include <string.h>
+-#include <unistd.h>
+-#include <sys/types.h>
+-#include <fcntl.h>
+-#include "setuid.h"
+-
+-int main(int argc, char *argv[]) {
+-
+- if (!(initsetuid()))
+- exit(1);
+-
+- safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl");
+- safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl");
+- return 0;
+-}
+--
+1.7.10.4
+
--- /dev/null
+From 51ac18c8f2105f842ff24bf328f5b43a032f9c65 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 12:00:09 +0100
+Subject: [PATCH 007/302] Forward Firewall: removed outgoingfwctrl from
+ /config/rootfiles/misc-progs
+
+---
+ config/rootfiles/common/misc-progs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
+index ca98dcf..16ea4c1 100644
+--- a/config/rootfiles/common/misc-progs
++++ b/config/rootfiles/common/misc-progs
+@@ -14,7 +14,7 @@ usr/local/bin/launch-ether-wake
+ usr/local/bin/logwatch
+ #usr/local/bin/mpfirectrl
+ usr/local/bin/openvpnctrl
+-usr/local/bin/outgoingfwctrl
++#usr/local/bin/outgoingfwctrl
+ usr/local/bin/forwardfwctrl
+ usr/local/bin/pakfire
+ usr/local/bin/qosctrl
+--
+1.7.10.4
+
--- /dev/null
+From 1ada9dca2865a8e35d2b11da6cd4bc3a987fa1be Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 12:17:06 +0100
+Subject: [PATCH 008/302] Forward Firewall: removed outgoingfw.cgi from
+ /config/rootfiles/core/66/filelists/files
+
+---
+ config/rootfiles/core/66/filelists/files | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/rootfiles/core/66/filelists/files b/config/rootfiles/core/66/filelists/files
+index bf51301..a88b10e 100644
+--- a/config/rootfiles/core/66/filelists/files
++++ b/config/rootfiles/core/66/filelists/files
+@@ -38,5 +38,4 @@ usr/sbin/ovpn-ccd-convert
+ var/ipfire/backup/include
+ var/ipfire/general-functions.pl
+ var/ipfire/langs
+-var/ipfire/outgoing/bin/outgoingfw.pl
+ var/ipfire/qos/bin/makeqosscripts.pl
+--
+1.7.10.4
+
--- /dev/null
+From 698be0823dde8813e0d731ca1a05345036fd4c21 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 12:26:44 +0100
+Subject: [PATCH 009/302] Forward Firewall: Deleted
+ outgoingfw.cgi,outgoinggroups.cgi and xtaccess.cgi
+ from /config/rootfils7common/apache2
+
+---
+ config/rootfiles/common/apache2 | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
+index 802ddcb..5925fb2 100644
+--- a/config/rootfiles/common/apache2
++++ b/config/rootfiles/common/apache2
+@@ -1393,6 +1393,8 @@ srv/web/ipfire/cgi-bin/dhcp.cgi
+ srv/web/ipfire/cgi-bin/dmzholes.cgi
+ srv/web/ipfire/cgi-bin/extrahd.cgi
+ srv/web/ipfire/cgi-bin/fireinfo.cgi
++srv/web/ipfire/cgi-bin/forwardfw.cgi
++srv/web/ipfire/cgi-bin/fwhosts.cgi
+ srv/web/ipfire/cgi-bin/gui.cgi
+ srv/web/ipfire/cgi-bin/hardwaregraphs.cgi
+ srv/web/ipfire/cgi-bin/hosts.cgi
+@@ -1408,8 +1410,8 @@ srv/web/ipfire/cgi-bin/modem.cgi
+ srv/web/ipfire/cgi-bin/netexternal.cgi
+ srv/web/ipfire/cgi-bin/netinternal.cgi
+ srv/web/ipfire/cgi-bin/netother.cgi
+-srv/web/ipfire/cgi-bin/outgoingfw.cgi
+-srv/web/ipfire/cgi-bin/outgoinggrp.cgi
++#srv/web/ipfire/cgi-bin/outgoingfw.cgi
++#srv/web/ipfire/cgi-bin/outgoinggrp.cgi
+ srv/web/ipfire/cgi-bin/optionsfw.cgi
+ srv/web/ipfire/cgi-bin/ovpnmain.cgi
+ srv/web/ipfire/cgi-bin/pakfire.cgi
+@@ -1431,6 +1433,6 @@ srv/web/ipfire/cgi-bin/vpnmain.cgi
+ srv/web/ipfire/cgi-bin/wakeonlan.cgi
+ srv/web/ipfire/cgi-bin/webaccess.cgi
+ srv/web/ipfire/cgi-bin/wireless.cgi
+-srv/web/ipfire/cgi-bin/xtaccess.cgi
++#srv/web/ipfire/cgi-bin/xtaccess.cgi
+ srv/web/ipfire/html
+ var/updatecache
+--
+1.7.10.4
+
--- /dev/null
+From 66b3844d9a8200ea77711ba28bfe69d6f2616c13 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 13:29:35 +0100
+Subject: [PATCH 010/302] Forward Firewall: Fixed Bug: When deleting a rule,
+ only the last entry in the list is deleted
+
+---
+ html/cgi-bin/forwardfw.cgi | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1f5ea00..caaba21 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -512,6 +512,7 @@ sub deleterule
+ my %delhash=();
+ &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
+ foreach my $key (sort keys %delhash){
++
+ if ($key eq $fwdfwsettings{'key'}){
+ #check hosts/net and groups
+ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
+@@ -521,11 +522,10 @@ sub deleterule
+ &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
+ }
+ }
+-
+ if ($key ge $fwdfwsettings{'key'}) {
+ my $next = $key + 1;
+ if (exists $delhash{$next}) {
+- foreach my $i (0 .. $#{$configfwdfw{$next}}) {
++ foreach my $i (0 .. $#{$delhash{$next}}) {
+ $delhash{$key}[$i] = $delhash{$next}[$i];
+ }
+ }
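Review bot: The shift-down loop still compares and orders rule keys as strings, so with ten or more rules the wrong entries move even after this fix. `$key ge $fwdfwsettings{'key'}` is a string comparison and the enclosing `sort keys %delhash` (previous hunk) is lexical, while `$key + 1` treats the keys as numbers; "10" sorts before "2" and `"10" ge "5"` is false. On a firewall rule list that can leave a duplicated or stale rule in place after a delete. Use `foreach my $key (sort { $a <=> $b } keys %delhash){` and `if ($key >= $fwdfwsettings{'key'}) {`, and copy the whole row with `@{$delhash{$key}} = @{$delhash{$next}};` so a shorter successor does not leave trailing fields behind. `deleterule` begins and ends outside this hunk, so how the last key is removed is not visible here.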
+@@ -537,6 +537,7 @@ sub deleterule
+
+ &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
+ &rules;
++
+ if($fwdfwsettings{'nobase'} ne 'on'){
+ &base;
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 9ff0033a797784a9c19304eabbe71c808755d607 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 3 Jan 2013 17:30:11 +0100
+Subject: [PATCH 011/302] Forward Firewall: replaced Outgoing-Logging with
+ ForwardFW Logging. And changed Options in
+ optionsfw.cgi from outgoing to forward
+
+---
+ html/cgi-bin/optionsfw.cgi | 12 ++++++------
+ src/initscripts/init.d/firewall | 13 ++++++++++++-
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 1893957..66ebb1c 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -30,7 +30,7 @@ our %settings=();
+ $settings{'DISABLEPING'} = 'NO';
+ $settings{'DROPNEWNOTSYN'} = 'on';
+ $settings{'DROPINPUT'} = 'on';
+-$settings{'DROPOUTPUT'} = 'on';
++$settings{'DROPFORWARD'} = 'on';
+ $settings{'DROPPORTSCAN'} = 'on';
+ $settings{'DROPWIRELESSINPUT'} = 'on';
+ $settings{'DROPWIRELESSFORWARD'} = 'on';
+@@ -66,9 +66,9 @@ $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'";
+ $checked{'DROPINPUT'}{'off'} = '';
+ $checked{'DROPINPUT'}{'on'} = '';
+ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
+-$checked{'DROPOUTPUT'}{'off'} = '';
+-$checked{'DROPOUTPUT'}{'on'} = '';
+-$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'";
++$checked{'DROPFORWARD'}{'off'} = '';
++$checked{'DROPFORWARD'}{'on'} = '';
++$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
+ $checked{'DROPPORTSCAN'}{'off'} = '';
+ $checked{'DROPPORTSCAN'}{'on'} = '';
+ $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
+@@ -96,8 +96,8 @@ print <<END
+ <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>on <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
+ <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'drop output'}</td><td align='left'>on <input type='radio' name='DROPOUTPUT' value='on' $checked{'DROPOUTPUT'}{'on'} />/
+- <input type='radio' name='DROPOUTPUT' value='off' $checked{'DROPOUTPUT'}{'off'} /> off</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
++ <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
+ <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index dbb5f95..96585bc 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -281,6 +281,13 @@ case "$1" in
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
++
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
++ fi
++ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
++
++
+ ;;
+ startovpn)
+ # run openvpn
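Review bot: Appending an unconditional `-j DROP` to FORWARDFW from the init script makes the chain's default-deny depend on ordering that this file does not control. Anything later appended to FORWARDFW with `-A` lands behind the DROP and never matches, and if rules.pl flushes the chain (not visible here) the DROP disappears until the next firewall restart. Every forwarded packet that falls through FORWARDFW is also dropped there, so FORWARD rules after the `-A FORWARD -j FORWARDFW` jump, including the DROP_OUTPUT log and drop just above, would presumably no longer see that traffic. Either let rules.pl own the final LOG/DROP pair, or document the contract with a comment such as `# FORWARDFW default policy: must remain the last rule; rules.pl must re-append it after every flush`. The same four lines are repeated in the second hunk of this file and could live in one shell function; the enclosing `case` branch starts outside the hunk.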
+@@ -317,7 +324,11 @@ case "$1" in
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+- ;;
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
++ fi
++ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
++ ;;
+ stopovpn)
+ # stop openvpn
+ /usr/local/bin/openvpnctrl --delete-chains-and-rules
+--
+1.7.10.4
+
--- /dev/null
+From c1c011ab726729afdc9ee4ba17a378489530ac89 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 4 Jan 2013 05:37:19 +0100
+Subject: [PATCH 012/302] Forward Firewall: Replaced 'drop output' with 'drop
+ forward' in languagefiles. This is for the
+ loggingoption in the firewall options.
+
+---
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 714e7c5..e1cfef6 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -736,7 +736,7 @@
+ 'driver' => 'Treiber',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+-'drop output' => 'Verworfene Output Pakete loggen',
++'drop forward' => 'Verworfene Forward Pakete loggen',
+ 'drop portscan' => 'Verworfene Portscan Pakete loggen',
+ 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
+ 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index e083d23..619a91c 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -759,7 +759,7 @@
+ 'driver' => 'Driver',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+-'drop output' => 'Log dropped output pakets',
++'drop forward' => 'Log dropped forward pakets',
+ 'drop portscan' => 'Log dropped portscan pakets',
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+ 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+--
+1.7.10.4
+
--- /dev/null
+From 790192e1ef8b6a51f9ea3d3af683a25f37763303 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 4 Jan 2013 07:55:24 +0100
+Subject: [PATCH 013/302] Forward Firewall: Changed Buttons and Layout of
+ fwhosts.cgi
+
+---
+ html/cgi-bin/fwhosts.cgi | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index e82aca5..236e0b4 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1012,11 +1012,11 @@ sub addnet
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
+ {
+- print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
++ print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
+ }else{
+- print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>";
++ print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>";
+ }
+- print "</form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' ><input type='hidden' name='ACTION' value='resetnet'></td></tr></table></form>";
++ print "</form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resetnet'></td></tr></table></form>";
+ &Header::closebox();
+ }
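Review bot: The rewritten `print` lines still interpolate `$fwhostsettings{'orgname'}` and `$fwhostsettings{'newnet'}` straight into single-quoted HTML attributes without escaping. If `%fwhostsettings` is filled from request parameters (not visible in this hunk), a value containing a quote breaks out of the attribute in the admin UI. The addhost hunk (`orgname`, `newhost`) and the addgrp hunk (`grp_name`, and the free-text `remark`) have the same pattern. Escape at output time, for example `my $orgname = &Header::cleanhtml($fwhostsettings{'orgname'});` before the `print`, and interpolate the escaped copy. As a smaller point, two of the new attributes are glued to the previous one (`value='$Lang::tr{'save'}'style=...`) and need a separating space, and the repeated inline `min-width:100px` would read better as a CSS class.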
+ sub addhost
+@@ -1040,11 +1040,11 @@ END
+ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
+ {
+
+- print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' /><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
++ print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
+ }else{
+- print " <td colspan='6' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
++ print " <td colspan='6' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}'style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
+ }
+- print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}'><input type='hidden' name='ACTION' value='resethost'></td></tr></table></form>";
++ print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resethost'></td></tr></table></form>";
+ &Header::closebox();
+ }
+ sub addgrp
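Review bot: The `print` lines on the new side of this hunk still put `$fwhostsettings{'orgname'}` and `$fwhostsettings{'newhost'}` straight into single-quoted HTML attributes, and nothing visible here escapes them. If `%fwhostsettings` is filled from the submitted form (the `ACTION` checks suggest so, but the read is outside the hunk), a value containing `'` or `>` leaves the attribute and is rendered as markup in the administrator's browser. Running the values through the project's HTML-cleaning helper before printing, e.g. `my $orgname = &Header::cleanhtml($fwhostsettings{'orgname'});`, would address that, assuming the helper escapes quotes; the same applies to `grp_name`, `remark`, `oldsrvname` and `oldsrvport` in the `-1063` and `-1215` hunks. Separately, `value='$Lang::tr{'save'}'style='min-width:100px;'` is missing the space between the two attributes. `addhost` starts and ends outside the hunk.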
+@@ -1063,13 +1063,13 @@ sub addgrp
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='24'></td><td align='right'>$Lang::tr{'remark'}:</td><td align='right'><input type='TEXT' name='remark' size='30' value='$fwhostsettings{'remark'}'></tr>
++ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='TEXT' name='remark' size='35' value='$fwhostsettings{'remark'}'></tr>
+ <tr><td colspan='5'><hr></td></tr></table>
+ END
+ }else{
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' size='24' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='remark' size='30' value='$fwhostsettings{'remark'}'></tr>
++ <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='remark' size='35' value='$fwhostsettings{'remark'}'></tr>
+ <tr><td colspan='5'><hr></td></tr></table>
+ END
+
+@@ -1215,7 +1215,7 @@ END
+ if ($fwhostsettings{'updatesrv'} eq 'on')
+ {
+ print<<END;
+- <input type='submit' value='$Lang::tr{'fwhost change'}'>
++ <input type='submit' value='$Lang::tr{'update'}'style='min-width:100px;' >
+ <input type='hidden' name='ACTION' value='updateservice'>
+ <input type='hidden' name='oldsrvname' value='$fwhostsettings{'oldsrvname'}'>
+ <input type='hidden' name='oldsrvport' value='$fwhostsettings{'oldsrvport'}'>
+@@ -1223,10 +1223,10 @@ END
+ END
+
+ }else{
+- print"<input type='submit' value='$Lang::tr{'save'}'><input type='hidden' name='ACTION' value='saveservice'></form>";
++ print"<input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='saveservice'></form>";
+ }
+ print<<END;
+- <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}'></form></td></tr>
++ <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'></form></td></tr>
+ </table></form>
+
+
+@@ -1258,10 +1258,8 @@ END
+ END
+ }
+ if($fwhostsettings{'updatesrvgrp'} eq 'on'){
+-
+-
+ print<<END;
+- <table width='100%' border='0'>
++ <table border='0' width='100%'>
+ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+@@ -1277,8 +1275,8 @@ END
+ END
+ }
+ print<<END;
+- <table width='100%'>
+- <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='oldsrvgrpremark' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='saveservicegrp' ></form> <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}'></td></tr>
++ <table width='100%' border='0'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='oldsrvgrpremark' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='saveservicegrp' ></form><form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'></td></tr>
+ </table></form>
+ END
+
+--
+1.7.10.4
+
--- /dev/null
+From 46b37f1bc3e30fa1faafdf18c3b900af82d27304 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 4 Jan 2013 09:44:42 +0100
+Subject: [PATCH 014/302] Forward Firewall: deleted /var/ipfire/outgoing from
+ backup
+
+---
+ config/backup/include | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/config/backup/include b/config/backup/include
+index 13dd016..9284b64 100644
+--- a/config/backup/include
++++ b/config/backup/include
+@@ -17,10 +17,6 @@
+ /var/ipfire/forward/*
+ /var/ipfire/fwhosts/*
+ /var/ipfire/main/*
+-/var/ipfire/outgoing/groups
+-/var/ipfire/outgoing/macgroups
+-/var/ipfire/outgoing/rules
+-/var/ipfire/outgoing/p2protocols
+ /var/ipfire/ovpn
+ /var/ipfire/ppp
+ /var/ipfire/proxy
+--
+1.7.10.4
+
--- /dev/null
+From 0257a5e65b0e5717be110ce8bf67277c8f47ce5f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 4 Jan 2013 13:25:06 +0100
+Subject: [PATCH 015/302] Forward Firewall: changed languagefiles for
+ loggingoptions in optionsfw.cgi
+
+---
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index e1cfef6..b5da683 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -736,7 +736,7 @@
+ 'driver' => 'Treiber',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+-'drop forward' => 'Verworfene Forward Pakete loggen',
++'drop forward' => 'Verworfene Firewall-Pakete loggen',
+ 'drop portscan' => 'Verworfene Portscan Pakete loggen',
+ 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
+ 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 619a91c..aac1a9a 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -759,7 +759,7 @@
+ 'driver' => 'Driver',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+-'drop forward' => 'Log dropped forward pakets',
++'drop forward' => 'Log dropped firewall pakets',
+ 'drop portscan' => 'Log dropped portscan pakets',
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+ 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+--
+1.7.10.4
+
--- /dev/null
+From 700b31f0c144b392eae79ae0a3a6a3e6eb560675 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 6 Jan 2013 20:43:23 +0100
+Subject: [PATCH 016/302] Forward Firewall: fixed default entries in
+ /var/ipfire/optionsfw/settings.
+
+---
+ lfs/configroot | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/lfs/configroot b/lfs/configroot
+index 4e80025..9e7a95e 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -110,9 +110,7 @@ $(TARGET) :
+ echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
+ echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+
+ # set rules.pl executable
+--
+1.7.10.4
+
--- /dev/null
+From e5a7430f75c66cf269afa7a2f5b5258703950549 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 8 Jan 2013 11:20:39 +0100
+Subject: [PATCH 017/302] Forward firewall: commented out line in
+ init.d/firewall that all Forward traffic from green
+ is allowed and put it in rules.pl. Now rules.pl
+ allows this traffic when firewall is set to Mode0
+ or Mode2
+
+---
+ config/forwardfw/rules.pl | 6 ++++--
+ src/initscripts/init.d/firewall | 24 +++++++++---------------
+ 2 files changed, 13 insertions(+), 17 deletions(-)
+ mode change 100644 => 100755 config/forwardfw/firewall-lib.pl
+ mode change 100644 => 100755 config/fwhosts/icmp-types
+
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+old mode 100644
+new mode 100755
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 8c9e2ba..960951f 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -88,9 +88,11 @@ if($param eq 'flush'){
+ &preparerules;
+ if($MODE eq '0'){
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+- system ("iptables -A $CHAIN -j DROP");
++ #system ("iptables -A $CHAIN -j DROP");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- system ("iptables -A $CHAIN -j ACCEPT");
++ #system ("iptables -A $CHAIN -j ACCEPT");
++ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
++ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ }
+ }
+ }
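Review bot: The added branch `elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2')` can never run for MODE2, because the preceding `elsif(... eq 'MODE2')` already matches it and its body is now only a comment. Contrary to the commit message, MODE2 therefore appends no rule here, and MODE1 no longer appends its DROP; what happens to unmatched packets then depends on rules outside this hunk. The rule that is added, `iptables -A $CHAIN -m state --state NEW -j ACCEPT`, also has no `-i` match, whereas the line it replaces in init.d/firewall was limited to `-i $GREEN_DEV`; if `$CHAIN` is reached by traffic from other zones this accepts more than before. I would merge or reorder the branches so MODE2 is handled once, and check the `system` return value so a failed rule insert is noticed. The same branch order is kept in the `-88,10 +88,11` hunk of patch 019.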
+diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types
+old mode 100644
+new mode 100755
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 96585bc..32a234a 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -205,7 +205,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+- /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
++ #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+
+ # If a host on orange tries to initiate a connection to IPFire's red IP and
+ # the connection gets DNATed back through a port forward to a server on orange
+@@ -277,18 +277,12 @@ case "$1" in
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+- if [ "$DROPOUTPUT" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+- fi
+- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+-
+ if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
++ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ fi
+- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
+-
++ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+- ;;
++ ;;
+ startovpn)
+ # run openvpn
+ /usr/local/bin/openvpnctrl --create-chains-and-rules
+@@ -320,14 +314,14 @@ case "$1" in
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+- if [ "$DROPOUTPUT" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+- fi
+- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
++ #if [ "$DROPOUTPUT" == "on" ]; then
++ # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
++ #fi
++ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
+ fi
+- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
++ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper"
+ ;;
+ stopovpn)
+ # stop openvpn
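Review bot: The two branches touched in this file now end differently: the `-277` hunk finishes with `/sbin/iptables -A FORWARD -j DROP`, while this one comments that rule out and keeps the terminal DROP only in `FORWARDFW`. Unless the FORWARD chain policy is DROP or every forwarded packet is guaranteed to traverse FORWARDFW (neither is visible here), packets that fall through FORWARD in this branch are no longer dropped or logged. The comment string `DROP_FORWARDFW-oberdropper` looks like a debugging leftover, and the commented-out `DROPOUTPUT` block would be better deleted than kept. The case branch starts outside the hunk.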
+--
+1.7.10.4
+
--- /dev/null
+From f52bd9f0207808b15d04f7ccfa49233cc98920ec Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 09:08:12 +0100
+Subject: [PATCH 018/302] Forward Firewall: added a customservices file with
+ default values
+
+---
+ config/fwhosts/customservices | 22 ++++++++++++++++++++++
+ lfs/configroot | 3 ++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 config/fwhosts/customservices
+
+diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices
+new file mode 100644
+index 0000000..d115f97
+--- /dev/null
++++ b/config/fwhosts/customservices
+@@ -0,0 +1,22 @@
++11,NTP,123,UDP,BLANK,0
++21,IMAPS,993,TCP,BLANK,0
++7,WINS,42,TCP,BLANK,0
++2,FTP-control,21,TCP,BLANK,0
++17,IRC,194,TCP,BLANK,0
++22,POP3S,995,TCP,BLANK,0
++1,FTP-data,20,TCP,BLANK,0
++18,HTTPS,443,TCP,BLANK,0
++16,SNMP,161,UDP,BLANK,0
++13,NetBIOS Datagramservice,138,TCP,BLANK,0
++6,TIME,37,TCP,BLANK,0
++3,SSH,22,TCP,BLANK,0
++9,POP3,110,TCP,BLANK,0
++12,NetBIOS nameservice,137,TCP,BLANK,0
++20,FTPS control,990,TCP,BLANK,0
++15,IMAP,143,TCP,BLANK,0
++14,NetBIOS Sessionservice,139,TCP,BLANK,0
++8,HTTP,80,TCP,BLANK,0
++4,TELNET,23,UDP,BLANK,0
++10,SFTP,115,TCP,BLANK,0
++19,FTPS data,989,TCP,BLANK,0
++5,SMTP,25,TCP,BLANK,0
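Review bot: Several default entries name a protocol the service does not use, so a firewall rule built on them matches the wrong traffic: Telnet runs over TCP, and the NetBIOS name and datagram services are UDP. Suggested lines: `4,TELNET,23,TCP,BLANK,0`, `12,NetBIOS nameservice,137,UDP,BLANK,0` and `13,NetBIOS Datagramservice,138,UDP,BLANK,0`. Port 115 is the old Simple File Transfer Protocol, not the SFTP subsystem of SSH, so the `SFTP` label is likely to mislead someone writing a rule for it.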
+diff --git a/lfs/configroot b/lfs/configroot
+index 9e7a95e..8cf9377 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -65,7 +65,7 @@ $(TARGET) :
+ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
+- fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
++ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
+ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
+ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+@@ -103,6 +103,7 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
++ cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
+ # Oneliner configfiles
+ echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
+ echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
+--
+1.7.10.4
+
--- /dev/null
+From 468623ec0c3e205bdca0990b760b5e10f5698189 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 10:22:32 +0100
+Subject: [PATCH 019/302] Forward Firewall: fixed 12 Bugs from forum.
+
+1) Added more possible chars in remark: : / .
+2) Added "Internet" to std networks to be able to define internetaccess
+3) When renaming a custom address, the firewallrules get updated
+4) Ports are now ignored when using GRE as Protocol
+5) When saving a customservice, the cursor is now in first textfield
+6) Added a customservices file to installation with predefined services
+7) Added ESP as protocol
+8) Fixed counterproblem
+9) Dropdownboxes for customservices and groups now sorted
+10) Firewallrules now sorted in right order
+11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed
+12) When defining an external access rule, the last forwardrule was deleted
+---
+ config/forwardfw/firewall-forward-policy | 24 +
+ config/forwardfw/firewall-lib.pl | 2 +
+ config/forwardfw/rules.pl | 22 +-
+ config/rootfiles/common/apache2 | 2 +-
+ config/rootfiles/common/stage2 | 1 +
+ html/cgi-bin/dmzholes.cgi | 446 ----------------
+ html/cgi-bin/forwardfw.cgi | 243 ++++-----
+ html/cgi-bin/fwhosts.cgi | 56 +-
+ html/cgi-bin/optionsfw.cgi | 27 +-
+ html/cgi-bin/outgoingfw.cgi | 849 ------------------------------
+ langs/de/cgi-bin/de.pl | 2 +
+ langs/en/cgi-bin/en.pl | 4 +-
+ lfs/configroot | 1 +
+ src/initscripts/init.d/firewall | 27 +-
+ 14 files changed, 221 insertions(+), 1485 deletions(-)
+ create mode 100755 config/forwardfw/firewall-forward-policy
+ delete mode 100644 html/cgi-bin/dmzholes.cgi
+ delete mode 100644 html/cgi-bin/outgoingfw.cgi
+
+diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy
+new file mode 100755
+index 0000000..aec71e2
+--- /dev/null
++++ b/config/forwardfw/firewall-forward-policy
+@@ -0,0 +1,24 @@
++#!/bin/sh
++
++eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
++eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
++
++iptables -F POLICY
++
++if [ "$POLICY" == "MODE1" ]; then
++
++ if [ "$FWPOLICY" == "REJECT" ]; then
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
++ fi
++ /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
++ fi
++ if [ "$FWPOLICY" == "DROP" ]; then
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ fi
++ /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
++ fi
++fi
++
++
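Review bot: After `iptables -F POLICY` the script adds a terminal rule only when `FWPOLICY` is exactly `REJECT` or `DROP`, so a missing or misspelled value in MODE1 leaves the chain empty. Making DROP the fallback avoids that: replace the `fi` / `if [ "$FWPOLICY" == "DROP" ]; then` pair between the two blocks with a single `else`. The script runs under `#!/bin/sh` but uses `==` inside `[ ]`, which is a bash extension; `=` is the portable form and keeps the tests from erroring out on a stricter shell. The REJECT rule carries the comment `DROP_OUTPUT`, the log prefixes lack the trailing space used elsewhere (`"DROP_INPUT "`), and `eval $(...)` should be quoted as `eval "$(...)"`.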
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+index 24b990c..44c0079 100755
+--- a/config/forwardfw/firewall-lib.pl
++++ b/config/forwardfw/firewall-lib.pl
+@@ -215,6 +215,8 @@ sub get_std_net_ip
+ return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ }elsif($val eq 'BLUE'){
+ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
++ }elsif($val eq 'RED'){
++ return "0.0.0.0/0 -o red0";
+ }elsif($val =~ /OpenVPN/i){
+ return "$ovpnsettings{'DOVPN_SUBNET'}";
+ }elsif($val =~ /IPsec/i){
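Review bot: The new `RED` branch returns `"0.0.0.0/0 -o red0"`, which puts an iptables option into a value that the other branches return as a plain address/mask, and hard-codes the interface name. Callers that place the result after `-s` or `-d` get `-o red0` wherever the address lands, and on setups where the red device is not `red0` (the init script takes device names from variables such as `$GREEN_DEV`) the rule would match nothing. I would return only the network here and let the rule builder add the out-interface from the network settings; the key holding the red device name is not visible in this hunk. `get_std_net_ip` starts and ends outside the hunk.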
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 960951f..953aad0 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -88,10 +88,11 @@ if($param eq 'flush'){
+ &preparerules;
+ if($MODE eq '0'){
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+- #system ("iptables -A $CHAIN -j DROP");
++ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- #system ("iptables -A $CHAIN -j ACCEPT");
++ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
++ system ("/usr/sbin/firewall-forward-policy");
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ }
+ }
+@@ -113,9 +114,7 @@ sub preparerules
+ }
+ sub buildrules
+ {
+-
+ my $hash=shift;
+-
+ foreach my $key (sort keys %$hash){
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
+@@ -163,7 +162,7 @@ sub buildrules
+ if ($DPROT eq ''){$DPROT=' ';}
+ @DPROT=split(",",$DPROT);
+
+-
++
+ #get time if defined
+ if($$hash{$key}[18] eq 'ON'){
+ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
+@@ -178,7 +177,7 @@ sub buildrules
+ $TIMETILL="--timestop $$hash{$key}[27] ";
+ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
+ }
+-
++
+ if ($MODE eq '1'){
+ print "NR:$key ";
+ foreach my $i (0 .. $#{$$hash{$key}}){
+@@ -187,7 +186,7 @@ sub buildrules
+ print "\n";
+ print"##################################\n";
+ #print rules to console
+-
++
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
+ if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
+@@ -206,7 +205,7 @@ sub buildrules
+ }
+ print"\n";
+ }
+-
++
+ }elsif($MODE eq '0'){
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
+@@ -302,11 +301,12 @@ sub get_port
+ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
+ if ($$hash{$key}[10] ne ''){
+ return "--sport $$hash{$key}[10] ";
+- }elsif($$hash{$key}[9] ne ''){
++ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[9] ";
++ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
++ return;
+ }
+ }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
+-
+ if($$hash{$key}[14] eq 'TGT_PORT'){
+ if ($$hash{$key}[15] ne ''){
+ return "--dport $$hash{$key}[15] ";
+@@ -330,8 +330,6 @@ sub get_port
+ elsif($prot eq 'ICMP'){
+ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
+ }
+-
+-
+ }
+ }
+ }
+diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
+index 5925fb2..b5aa583 100644
+--- a/config/rootfiles/common/apache2
++++ b/config/rootfiles/common/apache2
+@@ -1390,7 +1390,7 @@ srv/web/ipfire/cgi-bin/credits.cgi
+ srv/web/ipfire/cgi-bin/dns.cgi
+ srv/web/ipfire/cgi-bin/ddns.cgi
+ srv/web/ipfire/cgi-bin/dhcp.cgi
+-srv/web/ipfire/cgi-bin/dmzholes.cgi
++#srv/web/ipfire/cgi-bin/dmzholes.cgi
+ srv/web/ipfire/cgi-bin/extrahd.cgi
+ srv/web/ipfire/cgi-bin/fireinfo.cgi
+ srv/web/ipfire/cgi-bin/forwardfw.cgi
+diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
+index e10c649..3935cd4 100644
+--- a/config/rootfiles/common/stage2
++++ b/config/rootfiles/common/stage2
+@@ -108,6 +108,7 @@ usr/local/bin/update-lang-cache
+ #usr/local/src
+ #usr/sbin
+ usr/sbin/ovpn-ccd-convert
++usr/sbin/firewall-forward-policy
+ #usr/share
+ #usr/share/doc
+ #usr/share/doc/licenses
+diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi
+deleted file mode 100644
+index 5c16f00..0000000
+--- a/html/cgi-bin/dmzholes.cgi
++++ /dev/null
+@@ -1,446 +0,0 @@
+-#!/usr/bin/perl
+-###############################################################################
+-# #
+-# IPFire.org - A linux based firewall #
+-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+-# #
+-# This program is free software: you can redistribute it and/or modify #
+-# it under the terms of the GNU General Public License as published by #
+-# the Free Software Foundation, either version 3 of the License, or #
+-# (at your option) any later version. #
+-# #
+-# This program is distributed in the hope that it will be useful, #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+-# GNU General Public License for more details. #
+-# #
+-# You should have received a copy of the GNU General Public License #
+-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+-# #
+-###############################################################################
+-
+-use strict;
+-
+-# enable only the following on debugging purpose
+-#use warnings;
+-#use CGI::Carp 'fatalsToBrowser';
+-
+-require '/var/ipfire/general-functions.pl';
+-require "${General::swroot}/lang.pl";
+-require "${General::swroot}/header.pl";
+-
+-#workaround to suppress a warning when a variable is used only once
+-my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} );
+-undef (@dummy);
+-
+-my %cgiparams=();
+-my %checked=();
+-my %selected=();
+-my %netsettings=();
+-my $errormessage = '';
+-my $filename = "${General::swroot}/dmzholes/config";
+-
+-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+-
+-&Header::showhttpheaders();
+-
+-$cgiparams{'ENABLED'} = 'off';
+-$cgiparams{'REMARK'} = '';
+-$cgiparams{'ACTION'} = '';
+-$cgiparams{'SRC_IP'} = '';
+-$cgiparams{'DEST_IP'} ='';
+-$cgiparams{'DEST_PORT'} = '';
+-&Header::getcgihash(\%cgiparams);
+-
+-open(FILE, $filename) or die 'Unable to open config file.';
+-my @current = <FILE>;
+-close(FILE);
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
+-{
+- unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; }
+- unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; }
+- unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');}
+- unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; }
+- unless ($errormessage) {
+- $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); }
+- # Darren Critchley - Remove commas from remarks
+- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+-
+- unless ($errormessage)
+- {
+- if($cgiparams{'EDITING'} eq 'no') {
+- open(FILE,">>$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- print FILE "$cgiparams{'PROTOCOL'},"; # [0]
+- print FILE "$cgiparams{'SRC_IP'},"; # [1]
+- print FILE "$cgiparams{'DEST_IP'},"; # [2]
+- print FILE "$cgiparams{'DEST_PORT'},"; # [3]
+- print FILE "$cgiparams{'ENABLED'},"; # [4]
+- print FILE "$cgiparams{'SRC_NET'},"; # [5]
+- print FILE "$cgiparams{'DEST_NET'},"; # [6]
+- print FILE "$cgiparams{'REMARK'}\n"; # [7]
+- } else {
+- open(FILE,">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- my $id = 0;
+- foreach my $line (@current)
+- {
+- $id++;
+- if ($cgiparams{'EDITING'} eq $id) {
+- print FILE "$cgiparams{'PROTOCOL'},"; # [0]
+- print FILE "$cgiparams{'SRC_IP'},"; # [1]
+- print FILE "$cgiparams{'DEST_IP'},"; # [2]
+- print FILE "$cgiparams{'DEST_PORT'},"; # [3]
+- print FILE "$cgiparams{'ENABLED'},"; # [4]
+- print FILE "$cgiparams{'SRC_NET'},"; # [5]
+- print FILE "$cgiparams{'DEST_NET'},"; # [6]
+- print FILE "$cgiparams{'REMARK'}\n"; # [7]
+- } else { print FILE "$line"; }
+- }
+- }
+- close(FILE);
+- undef %cgiparams;
+- &General::log($Lang::tr{'dmz pinhole rule added'});
+- system('/usr/local/bin/setdmzholes');
+- }
+-}
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
+-{
+- my $id = 0;
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- foreach my $line (@current)
+- {
+- $id++;
+- unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
+- }
+- close(FILE);
+- system('/usr/local/bin/setdmzholes');
+- &General::log($Lang::tr{'dmz pinhole rule removed'});
+-}
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
+-{
+- my $id = 0;
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- foreach my $line (@current)
+- {
+- $id++;
+- unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
+- else
+- {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n";
+- }
+- }
+- close(FILE);
+- system('/usr/local/bin/setdmzholes');
+-}
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
+-{
+- my $id = 0;
+- foreach my $line (@current)
+- {
+- $id++;
+- if ($cgiparams{'ID'} eq $id)
+- {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- $cgiparams{'PROTOCOL'} = $temp[0];
+- $cgiparams{'SRC_IP'} = $temp[1];
+- $cgiparams{'DEST_IP'} = $temp[2];
+- $cgiparams{'DEST_PORT'} = $temp[3];
+- $cgiparams{'ENABLED'} = $temp[4];
+- $cgiparams{'SRC_NET'} = $temp[5];
+- $cgiparams{'DEST_NET'} = $temp[6];
+- $cgiparams{'REMARK'} = $temp[7];
+- }
+- }
+-}
+-
+-if ($cgiparams{'ACTION'} eq '')
+-{
+- $cgiparams{'PROTOCOL'} = 'tcp';
+- $cgiparams{'ENABLED'} = 'on';
+- $cgiparams{'SRC_NET'} = 'orange';
+- $cgiparams{'DEST_NET'} = 'blue';
+-}
+-
+-$selected{'PROTOCOL'}{'udp'} = '';
+-$selected{'PROTOCOL'}{'tcp'} = '';
+-$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'";
+-
+-$selected{'SRC_NET'}{'orange'} = '';
+-$selected{'SRC_NET'}{'blue'} = '';
+-$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'";
+-
+-$selected{'DEST_NET'}{'blue'} = '';
+-$selected{'DEST_NET'}{'green'} = '';
+-$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'";
+-
+-$checked{'ENABLED'}{'off'} = '';
+-$checked{'ENABLED'}{'on'} = '';
+-$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+-
+-&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, '');
+-
+-&Header::openbigbox('100%', 'left', '', $errormessage);
+-
+-if ($errormessage) {
+- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+- print "<class name='base'>$errormessage\n";
+- print " </class>\n";
+- &Header::closebox();
+-}
+-
+-print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
+-
+-my $buttonText = $Lang::tr{'add'};
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+- &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'});
+- $buttonText = $Lang::tr{'update'};
+-} else {
+- &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'});
+-}
+-print <<END
+-<table width='100%'>
+-<tr>
+-<td>
+- <select name='PROTOCOL'>
+- <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
+- <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option>
+- </select>
+-</td>
+-<td>
+- $Lang::tr{'source net'}:</td>
+-<td>
+- <select name='SRC_NET'>
+-END
+-;
+- if (&haveOrangeNet()) {
+- print "<option value='orange' $selected{'SRC_NET'}{'orange'}>$Lang::tr{'orange'}</option>";
+- }
+- if (&haveBlueNet()) {
+- print "<option value='blue' $selected{'SRC_NET'}{'blue'}>$Lang::tr{'blue'}</option>";
+- }
+-print <<END
+- </select>
+-</td>
+-<td class='base'>$Lang::tr{'source ip or net'}:</td>
+-<td><input type='text' name='SRC_IP' value='$cgiparams{'SRC_IP'}' size='15' /></td>
+-</tr>
+-<tr>
+-<td>
+- </td>
+-<td>
+- $Lang::tr{'destination net'}:</td>
+-<td>
+- <select name='DEST_NET'>
+-END
+-;
+- if (&haveOrangeNet() && &haveBlueNet()) {
+- print "<option value='blue' $selected{'DEST_NET'}{'blue'}>$Lang::tr{'blue'}</option>";
+- }
+-
+-print <<END
+- <option value='green' $selected{'DEST_NET'}{'green'}>$Lang::tr{'green'}</option>
+- </select>
+-</td>
+-<td class='base'>
+- $Lang::tr{'destination ip or net'}:</td>
+-<td>
+- <input type='text' name='DEST_IP' value='$cgiparams{'DEST_IP'}' size='15' />
+-</td>
+-<td class='base'>
+- $Lang::tr{'destination port'}:
+- <input type='text' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' />
+-</td>
+-</tr>
+-</table>
+-<table width='100%'>
+- <tr>
+- <td colspan='3' width='50%' class='base'>
+- <font class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></font>
+- <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' />
+- </td>
+- </tr>
+- <tr>
+- <td class='base' width='50%'>
+- <img src='/blob.gif' alt ='*' align='top' />
+- <font class='base'>$Lang::tr{'this field may be blank'}</font>
+- </td>
+- <td class='base' width='25%' align='center'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
+- <td width='25%' align='center'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'add'}' />
+- <input type='submit' name='SUBMIT' value='$buttonText' />
+- </td>
+- </tr>
+-</table>
+-END
+-;
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+- print "<input type='hidden' name='EDITING' value='$cgiparams{'ID'}' />\n";
+-} else {
+- print "<input type='hidden' name='EDITING' value='no' />\n";
+-}
+-&Header::closebox();
+-print "</form>\n";
+-
+-&Header::openbox('100%', 'left', $Lang::tr{'current rules'});
+-print <<END
+-<table width='100%'>
+-<tr>
+-<td width='7%' class='boldbase' align='center'><b>$Lang::tr{'proto'}</b></td>
+-<td width='3%' class='boldbase' align='center'><b>$Lang::tr{'net'}</b></td>
+-<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'source'}</b></td>
+-<td width='2%' class='boldbase' align='center'> </td>
+-<td width='3%' class='boldbase' align='center'><b>$Lang::tr{'net'}</b></td>
+-<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'destination'}</b></td>
+-<td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
+-<td width='1%' class='boldbase' align='center'> </td>
+-<td width='4%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
+-END
+-;
+-
+-# Achim Weber: if i add a new rule, this rule is not displayed?!?
+-# we re-read always config.
+-# If something has happeened re-read config
+-#if($cgiparams{'ACTION'} ne '')
+-#{
+- open(FILE, $filename) or die 'Unable to open config file.';
+- @current = <FILE>;
+- close(FILE);
+-#}
+-my $id = 0;
+-foreach my $line (@current)
+-{
+- my $protocol='';
+- my $gif='';
+- my $toggle='';
+- my $gdesc='';
+- $id++;
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' }
+-
+- my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange};
+- my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen};
+-
+- if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) {
+- print "<tr bgcolor='${Header::colouryellow}'>\n"; }
+- elsif ($id % 2) {
+- print "<tr bgcolor='${Header::table1colour}'>\n"; }
+- else {
+- print "<tr bgcolor='${Header::table2colour}'>\n"; }
+- if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};}
+- else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
+-
+- # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat
+- my $dstprt =$temp[3];
+- $_=$temp[3];
+- if (/^\d+$/) {
+- my $servi = uc(getservbyport($temp[3], lc($temp[0])));
+- if ($servi ne '' && $temp[3] < 1024) {
+- $dstprt = "$dstprt($servi)"; }
+- }
+- # Darren Critchley - If the line is too long, wrap the port numbers
+- my $dstaddr = "$temp[2] : $dstprt";
+- if (length($dstaddr) > 26) {
+- $dstaddr = "$temp[2] :<br /> $dstprt";
+- }
+-print <<END
+-<td align='center'>$protocol</td>
+-<td bgcolor='$srcnetcolor'></td>
+-<td align='center'>$temp[1]</td>
+-<td align='center'><img src='/images/forward.gif' /></td>
+-<td bgcolor='$destnetcolor'></td>
+-<td align='center'>$dstaddr</td>
+-<td align='center'>$temp[7]</td>
+-
+-<td align='center'>
+-<form method='post' name='frma$id' action='$ENV{'SCRIPT_NAME'}'>
+-<input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' />
+-<input type='hidden' name='ID' value='$id' />
+-<input type='hidden' name='ENABLE' value='$toggle' />
+-<input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+-</form>
+-</td>
+-
+-<td align='center'>
+-<form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
+-<input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' />
+-<input type='hidden' name='ID' value='$id' />
+-<input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+-</form>
+-</td>
+-
+-<td align='center'>
+-<form method='post' name='frmc$id' action='$ENV{'SCRIPT_NAME'}'>
+-<input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' />
+-<input type='hidden' name='ID' value='$id' />
+-<input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
+-</form>
+-</td>
+-
+-</tr>
+-END
+- ;
+-}
+-print "</table>\n";
+-
+-# If the fixed lease file contains entries, print Key to action icons
+-if ( ! -z "$filename") {
+-print <<END
+-<table>
+-<tr>
+- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+- <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+- <td class='base'>$Lang::tr{'click to disable'}</td>
+- <td> <img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
+- <td class='base'>$Lang::tr{'click to enable'}</td>
+- <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+- <td class='base'>$Lang::tr{'edit'}</td>
+- <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
+- <td class='base'>$Lang::tr{'remove'}</td>
+-</tr>
+-</table>
+-END
+-;
+-}
+-
+-&Header::closebox();
+-
+-&Header::closebigbox();
+-
+-&Header::closepage();
+-
+-sub validNet
+-{
+- my $srcNet = $_[0];
+- my $destNet = $_[1];
+-
+- if ($srcNet eq $destNet) {
+- return $Lang::tr{'dmzpinholes for same net not necessary'}; }
+- unless ($srcNet =~ /^(blue|orange)$/) {
+- return $Lang::tr{'select source net'}; }
+- unless ($destNet =~ /^(blue|green)$/) {
+- return $Lang::tr{'select dest net'}; }
+-
+- return '';
+-}
+-
+-sub haveOrangeNet
+-{
+- if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
+- if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
+- return 0;
+-}
+-
+-sub haveBlueNet
+-{
+- if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
+- if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
+- return 0;
+-}
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index caaba21..6aadb99 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -112,54 +112,50 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+-
++
+ #check if we change an forward rule to an external access
+- if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){
++ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'updatefwrule'}='';
+ $fwdfwsettings{'config'}=$configfwdfw;
+ $fwdfwsettings{'nobase'}='on';
+ &deleterule;
++ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
++
+ #check if we change an external access rule to an forward
+- if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){
++ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'updatefwrule'}='';
+ $fwdfwsettings{'config'}=$configinput;
+ $fwdfwsettings{'nobase'}='on';
+ &deleterule;
++ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configinputfw){
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- }
++ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
+ }
+-
+- &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- if ($fwdfwsettings{'nobase'} ne 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- }
+-
+- if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+- }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }
+-
+- if ($fwdfwsettings{'nobase'} eq 'on'){
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }
+-
+-
++
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ($fwdfwsettings{'nobase'} ne 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ }
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++
+ &saverule(\%configinputfw,$configinput);
+-
+ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
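Review bot: Both rule-type-change blocks at the top of this hunk call `&deleterule` and the two `&checkcounter(0,0,…)` increments without looking at `$errormessage`. A submission that just failed `checksource`, `checktarget` or `checkrule` therefore still removes the old rule from the other rule file and bumps the usage counters. The same holds further down: the duplicate check appends `fwdfw err ruleexists`, yet the counters are adjusted and `&saverule` is called regardless; whether `saverule` refuses to write on error is not visible here. I would add `&& !$errormessage` to both `updatefwrule` conditions and wrap the counter and save calls in `if (!$errormessage){ … }`, so a rejected edit cannot change firewall state. The `saverule` branch starts before this hunk.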
+@@ -181,9 +177,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+-
+-
+-
+ }else{
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
+ #check if we have an identical rule already
+@@ -196,9 +189,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ #increase counters
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+-
++
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+-
++
+ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+@@ -206,14 +199,11 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+ if ($fwdfwsettings{'nobase'} eq 'on'){
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+-
+ &saverule(\%configfwdfw,$configfwdfw);
+-
++
+ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+@@ -235,9 +225,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+-
+-
+-
+ }
+ if ($errormessage){
+ &newrule;
+@@ -245,7 +232,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &rules;
+ &base;
+ }
+-
+ }
+ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ {
+@@ -264,12 +250,10 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ $fwdfwsettings{'POLICY'}='MODE0';
+ system("rm ${General::swroot}/forward/config");
+ system("rm ${General::swroot}/forward/input");
+- %fwdfwsettings = ();
+-
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+-
++ %fwdfwsettings = ();
+ &reread_rules;
+
+ }
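Review bot: Moving `%fwdfwsettings = ();` below `&General::writehash(...)` means the settings file now receives every key currently in `%fwdfwsettings`, not only `POLICY`. That hash also carries `ACTION` and presumably any other submitted form fields. Writing an explicit hash keeps request data out of the persisted settings: `my %reset=('POLICY'=>'MODE0'); &General::writehash("${General::swroot}/forward/settings", \%reset);`. The surrounding `system("rm …")` and `system("touch …")` calls ignore their exit status, so a failed delete leaves the old rule files in place without any message; `unlink` with a checked result would surface that. The enclosing `if` starts before this hunk.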
+@@ -407,7 +391,7 @@ sub checkcounter
+ }elsif($base1 eq 'cust_srvgrp'){
+ &dec_counter($configsrvgrp,\%customservicegrp,$val1);
+ }
+-
++
+ if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
+ &inc_counter($confignet,\%customnetwork,$val2);
+ }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
+@@ -426,13 +410,12 @@ sub inc_counter
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $pos;
+-
++
+ &General::readhasharray($config, \%hash);
+ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+ $pos=$#{$hash{$key}};
+ $hash{$key}[$pos] = $hash{$key}[$pos]+1;
+-
+ }
+ }
+ &General::writehasharray($config, \%hash);
+@@ -449,23 +432,21 @@ sub dec_counter
+ if($hash{$key}[0] eq $val){
+ $pos=$#{$hash{$key}};
+ $hash{$key}[$pos] = $hash{$key}[$pos]-1;
+-
+ }
+ }
+ &General::writehasharray($config, \%hash);
+ }
+ sub base
+ {
+-
+ if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; }
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+-
++
+ &hint;
+ if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') {
+ &addrule;
+ }
+-
++
+ #print"<table width='100' border='1'><tr>";
+ #foreach (0 .. 40){
+ #my $i="color".$_;
+@@ -494,7 +475,7 @@ sub addrule
+ {
+ &error;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+-
++
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+@@ -505,7 +486,6 @@ sub addrule
+
+ &Header::closebox();
+ &viewtablerule;
+-
+ }
+ sub deleterule
+ {
+@@ -537,7 +517,7 @@ sub deleterule
+
+ &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
+ &rules;
+-
++
+ if($fwdfwsettings{'nobase'} ne 'on'){
+ &base;
+ }
+@@ -553,7 +533,6 @@ sub disable_rule
+ }
+ &General::writehasharray("$configfwdfw", \%configfwdfw);
+ &rules;
+-
+ }
+ sub checksource
+ {
+@@ -589,7 +568,7 @@ sub checksource
+ $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
+ return $errormessage;
+ }
+-
++
+ #check empty fields
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."<br>";}
+ #check icmp source
+@@ -601,6 +580,12 @@ sub checksource
+ $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]";
+ }
+ }
++ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){
++ $fwdfwsettings{'SRC_PORT'}='';
++ $fwdfwsettings{'ICMP_TYPES'}='';
++ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){
++ $fwdfwsettings{'SRC_PORT'}='';
++ $fwdfwsettings{'ICMP_TYPES'}='';
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }else{
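Review bot: The two new branches for `GRE` and `ESP` have identical bodies. A single branch testing `($fwdfwsettings{'PROT'} eq 'GRE' || $fwdfwsettings{'PROT'} eq 'ESP')` would keep the two protocols from drifting apart later. A one-line comment above it, `# GRE and ESP carry no ports or ICMP types`, would say why both fields are cleared. `checksource` starts before this hunk.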
+@@ -608,7 +593,7 @@ sub checksource
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'PROT'}='';
+ }
+-
++
+ if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){
+ #change dashes with :
+ $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/;
+@@ -622,7 +607,7 @@ sub checksource
+ if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
+ $fwdfwsettings{'SRC_PORT'} = "$1:65535";
+ }
+-
++
+ $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src');
+ }
+ return $errormessage;
+@@ -630,8 +615,7 @@ sub checksource
+ sub checktarget
+ {
+ my ($ip,$subnet);
+-
+-
++
+ if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
+ #check if ip with subnet
+ if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) {
+@@ -658,15 +642,15 @@ sub checktarget
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ }
+-
++
+ }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
+ $errormessage.=$Lang::tr{'fwdfw err notgtip'};
+ return $errormessage;
+ }
+-
++
+ #check empty fields
+ if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."<br>";}
+-
++
+ #check tgt services
+ if ($fwdfwsettings{'USESRV'} eq 'ON'){
+ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
+@@ -682,7 +666,7 @@ sub checktarget
+ }
+ }
+ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+- if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){
++ if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
+ #change dashes with :
+ $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/;
+@@ -697,19 +681,25 @@ sub checktarget
+ }
+ $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination');
+ }
++ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){
++ $fwdfwsettings{'TGT_PORT'} = '';
++ $fwdfwsettings{'ICMP_TGT'} = '';
++ }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){
++ $fwdfwsettings{'TGT_PORT'}='';
++ $fwdfwsettings{'ICMP_TGT'}='';
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){
++ $fwdfwsettings{'TGT_PORT'} = '';
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ foreach my $key (keys %icmptypes){
+
+ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){
+-
+ $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0];
+ }
+ }
+ }
+ }
+ }
+-
++
+ #check targetport
+ if ($fwdfwsettings{'USESRV'} ne 'ON'){
+ $fwdfwsettings{'grp3'}='';
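Review bot: The new ESP branch tests `$fwdfwsettings{'TGT_PORT'} eq 'ESP'`, which compares the port field rather than the protocol. It is also unreachable for ESP, because the first condition of this chain (changed in the previous hunk) only excludes `ICMP` and `GRE`. As written, an ESP target with a port value goes through the port-range validation and keeps `TGT_PORT`, unlike GRE. I would change the branch to `}elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){` and extend the first condition with `&& $fwdfwsettings{'TGT_PROT'} ne 'ESP'`. `checktarget` starts before this hunk.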
+@@ -717,17 +707,12 @@ sub checktarget
+ $fwdfwsettings{'TGT_PROT'}='';
+ $fwdfwsettings{'ICMP_TGT'}='';
+ }
+-
+-
+ #check timeframe
+ if($fwdfwsettings{'TIME'} eq 'ON'){
+ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw err time'};
+ }
+ }
+-
+-
+-
+ return $errormessage;
+ }
+ sub checkrule
+@@ -741,17 +726,14 @@ sub checkrule
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ return $errormessage;
+ }
+-
++
+ #get source and targetip address if possible
+ my ($sip,$scidr,$tip,$tcidr);
+ ($sip,$scidr)=&get_ip("src","grp1");
+ ($tip,$tcidr)=&get_ip("tgt","grp2");
+-
+-
+-
++
+ #check same iprange in source and target
+ if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){
+-
+ my $networkip1=&General::getnetworkip($sip,$scidr);
+ my $networkip2=&General::getnetworkip($tip,$tcidr);
+ if ($scidr gt $tcidr){
+@@ -759,20 +741,19 @@ sub checkrule
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }elsif($scidr eq $tcidr && $scidr eq '32'){
+- my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1);
+- my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2);
++ my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1);
++ my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2);
+ if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){
+ $hint=$Lang::tr{'fwdfw hint ip1'}."<br>";
+ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+ }
+-
+ }else{
+ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }
+ }
+-
++
+ #check source and destination protocol if manual
+ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
+ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
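Review bot: The if/elsif chain this hunk fixes is entered through `if ($scidr gt $tcidr){`, visible at the end of the previous hunk, and `gt` compares strings, so a prefix of `8` sorts above `24`. If both values are prefix lengths, as the `eq '32'` test here suggests, mixed one- and two-digit prefixes take the wrong branch and the same-subnet check runs in the wrong direction. `if ($scidr > $tcidr){` compares them numerically; this assumes `get_ip` never returns a dotted netmask, which is not visible here. `$sbyte4` and `$tbyte4` are never read and could be dropped from the two `split` lines. `checkrule` starts before this hunk.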
+@@ -791,7 +772,6 @@ sub checkrule
+ }
+ }
+ }
+-
+ }
+ sub get_ip
+ {
+@@ -842,7 +822,6 @@ sub get_ip
+ }
+ }
+ }
+-
+ return $a,$b;
+ }
+ sub newrule
+@@ -858,14 +837,11 @@ sub newrule
+ &General::readhasharray("$configgrp", \%customgrp);
+ &General::readhasharray("$configipsec", \%ipsecconf);
+ &General::get_aliases(\%aliases);
+-
+-
+ my %checked=();
+ my $helper;
+ if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;}
+ my $config=$fwdfwsettings{'config'};
+ my %hash=();
+-
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
+@@ -884,7 +860,6 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+-
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -917,7 +892,6 @@ sub newrule
+ $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25];
+ $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26];
+ $fwdfwsettings{'TIME_TO'} = $hash{$key}[27];
+-
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
+@@ -949,9 +923,9 @@ sub newrule
+ $fwdfwsettings{'ACTIVE'}='ON';
+ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
+ }
+-
++
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+-
++
+ print <<END;
+ <form method="post">
+ <table border='0'>
+@@ -962,7 +936,7 @@ END
+ if($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ $fwdfwsettings{'RULE_ACTION'} = 'DROP';
+ }
+-
++
+ if ($_ eq $fwdfwsettings{'RULE_ACTION'})
+ {
+ print"<option selected>$_</option>";
+@@ -975,19 +949,19 @@ END
+
+ &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
+-
+-
++
++
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' ></td></tr>
+ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+ <tr><td width='1%'><input type='radio' name='grp1' value='std_net_src' $checked{'grp1'}{'std_net_src'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_src' style='min-width:185px;'>
+-
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
++ next if($defaultNetworks{$network}{'NAME'} eq "RED");
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
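Review bot: The source-address field a few lines above the new `RED` filter is printed as `value='$fwdfwsettings{'src_addr'}'` with no HTML escaping, and the form is redrawn with the submitted value whenever validation fails. A value containing a single quote or `<` would then close the attribute and be parsed as markup in the administrator's browser. The same pattern appears in the `tgt_addr` field and the `oldgrp…` hidden inputs in later hunks. Escape such values before they are interpolated, for example `my $src_addr_html = &Header::cleanhtml($fwdfwsettings{'src_addr'});` (if that helper is available in this script; confirm), and print the escaped copy. `newrule` starts before this hunk.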
+@@ -1030,7 +1004,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+-
++
+ <tr><td valign='top'><input type='radio' name='grp1' value='cust_grp_src' $checked{'grp1'}{'cust_grp_src'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_src' style='min-width:185px;'>
+ END
+ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
+@@ -1038,8 +1012,6 @@ END
+ print"<option ";
+ print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $customgrp{$key}[0]);
+ print ">$customgrp{$key}[0]</option>";
+-
+-
+ }
+ $helper=$customgrp{$key}[0];
+ }
+@@ -1058,7 +1030,7 @@ END
+ print<<END;
+ </select></td></tr>
+ END
+-
++
+ # <td valign='top'><input type='radio' name='grp1' value='ipsec_host_src' $checked{'grp1'}{'ipsec_host_src'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_src' style='min-width:185px;'>
+ #END
+ # foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+@@ -1069,15 +1041,12 @@ END
+ # }
+ # }
+ print<<END;
+-
+ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+-
+-
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='USE_SRC_PORT' value='ON' $checked{'USE_SRC_PORT'}{'ON'}></td><td width='51%' colspan='3'>$Lang::tr{'fwdfw use srcport'}</td>
+ <td width='15%' nowrap='nowrap'>$Lang::tr{'fwdfw man port'}</td><td><select name='PROT'>
+ END
+- foreach ("TCP","UDP","GRE","ICMP")
++ foreach ("TCP","UDP","GRE","ESP","ICMP")
+ {
+ if ($_ eq $fwdfwsettings{'PROT'})
+ {
+@@ -1111,19 +1080,17 @@ END
+ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td><select name='ipfire' style='min-width:185px;'>
+ END
+ print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
+-
++
+ foreach my $alias (sort keys %aliases)
+ {
+ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
+ }
+-
++
+ print<<END;
+ </td></tr>
+ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+ <tr><td width='1%'><input type='radio' name='grp2' value='std_net_tgt' $checked{'grp2'}{'std_net_tgt'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_tgt' style='min-width:185px;'>
+-
+ END
+-
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+@@ -1134,7 +1101,6 @@ END
+ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net_tgt' $checked{'grp2'}{'ovpn_net_tgt'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_tgt' style='min-width:185px;'>
+ END
+ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+-
+ print<<END;
+ </select></td></tr>
+ <tr><td><input type='radio' name='grp2' value='cust_net_tgt' $checked{'grp2'}{'cust_net_tgt'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_tgt' style='min-width:185px;'>
+@@ -1168,7 +1134,6 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+-
+ <tr><td valign='top'><input type='radio' name='grp2' value='cust_grp_tgt' $checked{'grp2'}{'cust_grp_tgt'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_tgt' style='min-width:185px;'>
+ END
+ $helper='';
+@@ -1194,7 +1159,6 @@ END
+ print<<END;
+ </select></td></tr>
+ END
+-
+ # <td valign='top'><input type='radio' name='grp2' value='ipsec_host_tgt' $checked{'grp2'}{'ipsec_host_tgt'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_tgt' style='min-width:185px;'>
+ #END
+ # foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+@@ -1208,12 +1172,12 @@ END
+ </table>
+ <b>$Lang::tr{'fwhost attention'}:</b><br>
+ $Lang::tr{'fwhost macwarn'}<br><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
+-
++
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort keys %customservice){
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+ print"<option ";
+ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]);
+ print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>";
+@@ -1224,7 +1188,7 @@ END
+ END
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $helper;
+- foreach my $key (sort keys %customservicegrp){
++ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
+ if ($helper ne $customservicegrp{$key}[0]){
+ print"<option ";
+ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservicegrp{$key}[0]);
+@@ -1236,7 +1200,7 @@ END
+ </select></td></tr>
+ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT'>
+ END
+- foreach ("TCP","UDP","GRE","ICMP")
++ foreach ("TCP","UDP","GRE","ESP","ICMP")
+ {
+ if ($_ eq $fwdfwsettings{'TGT_PROT'})
+ {
+@@ -1261,7 +1225,7 @@ END
+ print<<END;
+ </select></td></tr>
+ </table><hr><br><br>
+-
++
+ END
+ #---Activate/logging/remark-------------------------------------
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+@@ -1282,7 +1246,6 @@ END
+ <tr>
+ <td align='left'>$Lang::tr{'time'}:</td>
+ <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td>
+-
+ <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td>
+ <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td>
+ </tr>
+@@ -1297,7 +1260,6 @@ END
+ <input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} />
+ <input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{$Lang::tr{'fwdfw wd_sun'}} />
+ </td>
+-
+ <td><select name='TIME_FROM'>
+ END
+ for (my $i=0;$i<=23;$i++) {
+@@ -1320,7 +1282,7 @@ END
+ print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n";
+ }
+ }
+- print<<END;
++ print<<END;
+ </select></td></tr>
+ </table><hr>
+ END
+@@ -1345,9 +1307,7 @@ END
+ <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' />
+ <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' />
+ <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
+-
+ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+-
+ </table></form>
+ END
+ }
+@@ -1355,7 +1315,6 @@ END
+ }
+ sub saverule
+ {
+-
+ my $hash=shift;
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+@@ -1456,7 +1415,7 @@ sub get_name
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ return "$network" if ($val eq $defaultNetworks{$network}{'NAME'});
+- }
++ }
+ }
+ sub validremark
+ {
+@@ -1468,13 +1427,13 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
+ return 0;}
+ # Last character can only be a letter or a digit
+- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) {
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) {
+ return 0;}
+ return 1;
+ }
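Review bot: The last-character test on the changed line, `substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/`, accepts a remark that ends in a newline, because `*` allows an empty match and `$` also matches just before a trailing newline. The widened first pattern lets that newline through via `\s`. Anchoring with `\A`/`\z` and requiring exactly one character closes this, e.g. `if (substr ($remark, -1, 1) !~ /\A[a-zöäüA-ZÖÄÜ0-9.]\z/) {`, and the first-character test has the same weakness. In the new class the hyphen sits between `0-9` and `.`; moving it to the end (`[a-zäöüA-ZÖÄÜ0-9.:\/\s-]`) makes the literal intent unambiguous, and the comment "Only valid characters are a-z, A-Z, 0-9 and -" should now list `.`, `:` and `/`. validremark begins before this hunk, so how the remark is stored and rendered afterwards is not visible here.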
+@@ -1494,7 +1453,7 @@ sub gettgtport
+ my $key=shift;
+ my $service;
+ my $prot;
+-
++
+ if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
+ if($hash{$key}[14] eq 'cust_srv'){
+ &General::readhasharray("$configsrv", \%customservice);
+@@ -1506,7 +1465,7 @@ sub gettgtport
+ }
+ }
+ }elsif($hash{$key}[14] eq 'cust_srvgrp'){
+-
++
+ $service=$hash{$key}[15];
+ }elsif($hash{$key}[14] eq 'TGT_PORT'){
+ $service=$hash{$key}[15];
+@@ -1515,7 +1474,7 @@ sub gettgtport
+ }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
+ print" : ($hash{$key}[12]) <br>$hash{$key}[13]";
+ }
+-
++
+ if ($prot ne '' || $service ne ''){
+ print" :";
+ if ($prot ne ''){
+@@ -1535,7 +1494,7 @@ sub viewtablenew
+ my $config=shift;
+ my $title=shift;
+ my $title1=shift;
+-
++
+ if ( ! -z "$config"){
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+@@ -1549,7 +1508,7 @@ sub viewtablenew
+ print"<b>$title1</b><br>";
+ print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' width='20%'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+- foreach my $key (sort keys %$hash){
++ foreach my $key (sort {$a <=> $b} keys %$hash){
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
+@@ -1558,14 +1517,12 @@ sub viewtablenew
+ if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){
+ push (@tmpsrc,$$hash{$key}[6]);
+ }
+-
+ foreach my $host (@tmpsrc){
+ if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){
+- if(&fwlib::get_ipsec_net_ip($host,11) eq ''){
++ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){
+ $coloryellow='on';
+ &disable_rule($key);
+ $$hash{$key}[2]='';
+-
+ }
+ }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){
+ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){
+@@ -1589,10 +1546,8 @@ sub viewtablenew
+ $$hash{$key}[3]='';
+ $$hash{$key}[5]='';
+ }
+-
+ $$hash{'ACTIVE'}=$$hash{$key}[2];
+ $count++;
+-
+ if($coloryellow eq 'on'){
+ print"<tr bgcolor='$color{'color14'}' >";
+ $coloryellow='';
+@@ -1604,7 +1559,6 @@ sub viewtablenew
+ print"<tr bgcolor='$color{'color20'}' >";
+ }
+ }
+-
+ print<<END;
+ <td align='right'>$key</td>
+ END
+@@ -1636,7 +1590,6 @@ END
+ }
+ print<<END;
+ </td>
+-
+ <form method='post'>
+ <td width='1%' align='left'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
+ <input type='hidden' name='key' value='$key' />
+@@ -1662,7 +1615,6 @@ END
+
+ }else{
+ $gif="/images/off.gif"
+-
+ }
+ print<<END;
+ <form method='post'>
+@@ -1671,22 +1623,18 @@ END
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw toggle'}' />
+ </td></form>
+-
+ <form method='post'>
+ <td width='1%' ><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='editrule' />
+ </td></form></td>
+-
+ <form method='post'>
+ <td width='1%'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='copyrule' />
+ </td></form></td>
+-
+-
+ <form method='post'>
+ <td width='1%' ><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+@@ -1706,7 +1654,6 @@ END
+ }else{
+ print"<td></td>";
+ }
+-
+ if (exists $$hash{$key+1}){
+ print<<END;
+ <form method='post'>
+@@ -1729,9 +1676,7 @@ END
+ if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
+ if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+-
+ my $weekdays=join(",",@days);
+-
+ if (@days){
+ print"<tr bgcolor='#FFE4B5'><td colspan='4'>$Lang::tr{'fwdfw time'} ";
+ print"$weekdays";
+@@ -1742,21 +1687,19 @@ END
+ print"</table>";
+ &Header::closebox();
+ }
+-
+ }
+ sub fillselect
+ {
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $key;
+- foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash)
+- {
+- if($hash{$key}[0] eq $val){
+- print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
+- }else{
+- print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
+- }
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
++ }else{
++ print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
+ }
++ }
+ }
+ sub rules
+ {
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 236e0b4..5a83836 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -47,6 +47,8 @@ my %defaultNetworks=();
+ my %mainsettings=();
+ my %ownnet=();
+ my %ipsecsettings=();
++my %fwfwd=();
++my %fwinp=();
+
+ my $errormessage;
+ my $hint;
+@@ -59,6 +61,8 @@ my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
+ my $configipsec = "${General::swroot}/vpn/config";
+ my $configsrv = "${General::swroot}/fwhosts/customservices";
+ my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
++my $fwconfigfwd = "${General::swroot}/forward/config";
++my $fwconfiginp = "${General::swroot}/forward/input";
+
+ unless (-e $confignet) { system("touch $confignet"); }
+ unless (-e $confighost) { system("touch $confighost"); }
+@@ -116,6 +120,9 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
+ }
+ }
+ &General::writehasharray("$confighost", \%customhost);
++
++
++
+ $fwhostsettings{'actualize'} = 'on';
+ $fwhostsettings{'ACTION'} = 'savehost';
+ }
+@@ -285,6 +292,28 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
++ #check if we need to update firewallrules
++ if ( ! -z $fwconfigfwd ){
++ &General::readhasharray("$fwconfigfwd", \%fwfwd);
++ foreach my $line (sort keys %fwfwd){
++ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
++ }
++ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
++ }
++ }
++ &General::writehasharray("$fwconfigfwd", \%fwfwd);
++ }
++ if ( ! -z $fwconfiginp ){
++ &General::readhasharray("$fwconfiginp", \%fwinp);
++ foreach my $line (sort keys %fwinp){
++ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
++ }
++ }
++ &General::writehasharray("$fwconfiginp", \%fwinp);
++ }
+ }
+ }
+ my $key = &General::findhasharraykey (\%customnetwork);
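Review bot: The input-rule loop added here iterates `%fwinp` but tests and assigns `$fwfwd{$line}[4]`, so `$fwconfiginp` is written back unchanged and a renamed object keeps its old name in the input rules. The body should read `if ($fwinp{$line}[4] eq $fwhostsettings{'orgname'}){ $fwinp{$line}[4] = $fwhostsettings{'HOSTNAME'}; }`. Whether field 6 also needs updating for input rules, as it is for the forward rules, is worth confirming. The same loop is copied into the savehost hunk that follows (`@@ -416,9 +445,29 @@`). A rule that still refers to a name that no longer exists may be skipped or disabled when the ruleset is next built, which would be a silent policy change; that consequence is inferred, and the enclosing block starts and ends outside this hunk.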
+@@ -416,9 +445,29 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
++ #check if we need to update firewallrules
++ if ( ! -z $fwconfigfwd ){
++ &General::readhasharray("$fwconfigfwd", \%fwfwd);
++ foreach my $line (sort keys %fwfwd){
++ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
++ }
++ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
++ }
++ }
++ &General::writehasharray("$fwconfigfwd", \%fwfwd);
++ }
++ if ( ! -z $fwconfiginp ){
++ &General::readhasharray("$fwconfiginp", \%fwinp);
++ foreach my $line (sort keys %fwinp){
++ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
++ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
++ }
++ }
++ &General::writehasharray("$fwconfiginp", \%fwinp);
++ }
+ }
+-
+-
+ }
+ my $key = &General::findhasharraykey (\%customhost);
+ foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
+@@ -1084,6 +1133,7 @@ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
++ next if($defaultNetworks{$network}{'NAME'} eq "RED");
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+@@ -1186,7 +1236,7 @@ sub addservice
+ }
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='1%' nowrap='nowrap'><input type='text' name='SRV_NAME' value='$fwhostsettings{'SRV_NAME'}'></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
++ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='1%' nowrap='nowrap'><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}'><script>document.getElementById('textbox1').focus()</script></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
+ END
+ foreach ("TCP","UDP","ICMP")
+ {
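Review bot: On the changed `name='SRV_NAME'` input line, `$fwhostsettings{'SRV_NAME'}` is interpolated into a single-quoted attribute without HTML escaping, so a value containing a quote ends the attribute early. If this hash holds raw form data (how it is populated is not visible here), that lets posted content become markup on an administrative page. Escape the value before printing it, and restrict service names to a fixed character set when they are saved. The added inline `<script>document.getElementById('textbox1').focus()</script>` could be replaced by an `autofocus` attribute on the input, which avoids inline script and stays compatible with a stricter Content-Security-Policy. addservice continues outside the hunk.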
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 66ebb1c..db4794c 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -44,13 +44,16 @@ my $warnmessage = '';
+ &Header::getcgihash(\%settings);
+
+ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
++
+ $errormessage = $Lang::tr{'new optionsfw later'};
+- delete $settings{'__CGI__'};delete $settings{'x'};delete $settings{'y'};
++ delete $settings{'__CGI__'};
++ delete $settings{'x'};
++ delete $settings{'y'};
+ &General::writehash($filename, \%settings); # Save good settings
+- } else {
+- &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed
+- }
+-
++ }else {
++ &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed
++ }
++ system("/usr/local/bin/forwardfwctrl");
+ &Header::openpage($Lang::tr{'options fw'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+
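Review bot: `system("/usr/local/bin/forwardfwctrl");` is placed after the if/else, so the firewall ruleset is rebuilt on every request to this page, including plain views, and its exit status is discarded. Moving the call into the save branch, directly after `&General::writehash($filename, \%settings);`, keeps a page view from touching the running ruleset. Setting `$errormessage` when the call returns non-zero would surface a failed reload instead of leaving the administrator to assume the new policy is active. The save branch also persists every posted field except `__CGI__`, `x` and `y` without checking names or values, which now includes the new `FWPOLICY` setting.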
+@@ -84,6 +87,7 @@ $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
+ $checked{'DROPSAMBA'}{'off'} = '';
+ $checked{'DROPSAMBA'}{'on'} = '';
+ $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'";
++$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
+ print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
+@@ -114,10 +118,19 @@ print <<END
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> off</td></tr>
+ </table>
+ <br />
++<table width='95%' cellspacing='0'>
++<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw default drop'}</b></td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td><select name='FWPOLICY'>
++<option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
++<option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
++</td></tr>
++</table>
++
++<br />
+ <table width='10%' cellspacing='0'>
+ <tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value=$Lang::tr{'save'} />
+- <input type='image' alt='$Lang::tr{'save'}' title='$Lang::tr{'save'}' src='/images/media-floppy.png' /></form></td></tr>
++<input type='submit' name='ACTION' value=$Lang::tr{'save'} />
++</form></td></tr>
+ </table>
+ </form>
+ END
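Review bot: `FWPOLICY` is offered as a two-value select, but nothing visible checks the posted value on the server, and the save branch in the earlier hunk writes it to the settings file as received. Since the value presumably selects the default firewall action, restrict it before writing, e.g. `$settings{'FWPOLICY'} = 'DROP' unless $settings{'FWPOLICY'} =~ /\A(?:DROP|REJECT)\z/;`. The new submit button uses `value=$Lang::tr{'save'}` without quotes, so a translation containing a space would be truncated and the `ACTION` comparison would then fail; quote it as `value='$Lang::tr{'save'}'`. The `print <<END` block starts outside this hunk.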
+diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi
+deleted file mode 100644
+index b417817..0000000
+--- a/html/cgi-bin/outgoingfw.cgi
++++ /dev/null
+@@ -1,849 +0,0 @@
+-#!/usr/bin/perl
+-###############################################################################
+-# #
+-# IPFire.org - A linux based firewall #
+-# Copyright (C) 2005-2010 IPFire Team #
+-# #
+-# This program is free software: you can redistribute it and/or modify #
+-# it under the terms of the GNU General Public License as published by #
+-# the Free Software Foundation, either version 3 of the License, or #
+-# (at your option) any later version. #
+-# #
+-# This program is distributed in the hope that it will be useful, #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+-# GNU General Public License for more details. #
+-# #
+-# You should have received a copy of the GNU General Public License #
+-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+-# #
+-###############################################################################
+-
+-use strict;
+-# enable only the following on debugging purpose
+-#use warnings;
+-#use CGI::Carp 'fatalsToBrowser';
+-
+-require '/var/ipfire/general-functions.pl';
+-require "${General::swroot}/lang.pl";
+-require "${General::swroot}/header.pl";
+-
+-my %outfwsettings = ();
+-my %checked = ();
+-my %selected= () ;
+-my %netsettings = ();
+-my $errormessage = "";
+-my $configentry = "";
+-my @configs = ();
+-my @configline = ();
+-my $p2pentry = "";
+-my @p2ps = ();
+-my @p2pline = ();
+-
+-my $configfile = "/var/ipfire/outgoing/rules";
+-my $configpath = "/var/ipfire/outgoing/groups/";
+-my $p2pfile = "/var/ipfire/outgoing/p2protocols";
+-my $servicefile = "/var/ipfire/outgoing/defaultservices";
+-
+-my %color = ();
+-my %mainsettings = ();
+-&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+-
+-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+-
+-&Header::showhttpheaders();
+-
+-### Values that have to be initialized
+-$outfwsettings{'ACTION'} = '';
+-$outfwsettings{'VALID'} = 'yes';
+-$outfwsettings{'EDIT'} = 'no';
+-$outfwsettings{'NAME'} = '';
+-$outfwsettings{'SNET'} = '';
+-$outfwsettings{'SIP'} = '';
+-$outfwsettings{'SPORT'} = '';
+-$outfwsettings{'SMAC'} = '';
+-$outfwsettings{'DIP'} = '';
+-$outfwsettings{'DPORT'} = '';
+-$outfwsettings{'PROT'} = '';
+-$outfwsettings{'STATE'} = '';
+-$outfwsettings{'DISPLAY_DIP'} = '';
+-$outfwsettings{'DISPLAY_DPORT'} = '';
+-$outfwsettings{'DISPLAY_SMAC'} = '';
+-$outfwsettings{'DISPLAY_SIP'} = '';
+-$outfwsettings{'POLICY'} = 'MODE0';
+-$outfwsettings{'MODE1LOG'} = 'off';
+-
+-$outfwsettings{'TIME_FROM'} = '00:00';
+-$outfwsettings{'TIME_TO'} = '00:00';
+-
+-&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
+-&Header::getcgihash(\%outfwsettings);
+-
+-###############
+-# DEBUG DEBUG
+-#&Header::openbox('100%', 'left', 'DEBUG');
+-#my $debugCount = 0;
+-#foreach my $line (sort keys %outfwsettings) {
+-#print "$line = $outfwsettings{$line}<br />\n";
+-# $debugCount++;
+-#}
+-#print " Count: $debugCount\n";
+-#&Header::closebox();
+-# DEBUG DEBUG
+-###############
+-
+-$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'";
+-$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'";
+-
+-$checked{'MODE1LOG'}{'off'} = '';
+-$checked{'MODE1LOG'}{'on'} = '';
+-$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'";
+-$checked{'TIME_MON'}{'off'} = '';
+-$checked{'TIME_MON'}{'on'} = '';
+-$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'";
+-$checked{'TIME_TUE'}{'off'} = '';
+-$checked{'TIME_TUE'}{'on'} = '';
+-$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'";
+-$checked{'TIME_WED'}{'off'} = '';
+-$checked{'TIME_WED'}{'on'} = '';
+-$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'";
+-$checked{'TIME_THU'}{'off'} = '';
+-$checked{'TIME_THU'}{'on'} = '';
+-$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'";
+-$checked{'TIME_FRI'}{'off'} = '';
+-$checked{'TIME_FRI'}{'on'} = '';
+-$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'";
+-$checked{'TIME_SAT'}{'off'} = '';
+-$checked{'TIME_SAT'}{'on'} = '';
+-$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'";
+-$checked{'TIME_SUN'}{'off'} = '';
+-$checked{'TIME_SUN'}{'on'} = '';
+-$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'";
+-
+-if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; }
+-if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+-if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+-
+-# This is a little hack if poeple don´t mark any date then all will be selected, because they might have forgotten to select
+-# a valid day. A Rule without any matching day will never work, because the timeranges are new feature people might not notice
+-# that they have to select a day for the rule.
+-
+-if ( $outfwsettings{'TIME_MON'} eq "" &&
+- $outfwsettings{'TIME_TUE'} eq "" &&
+- $outfwsettings{'TIME_WED'} eq "" &&
+- $outfwsettings{'TIME_THU'} eq "" &&
+- $outfwsettings{'TIME_FRI'} eq "" &&
+- $outfwsettings{'TIME_SAT'} eq "" &&
+- $outfwsettings{'TIME_SUN'} eq "" )
+- {
+- $outfwsettings{'TIME_MON'} = "on";
+- $outfwsettings{'TIME_TUE'} = "on";
+- $outfwsettings{'TIME_WED'} = "on";
+- $outfwsettings{'TIME_THU'} = "on";
+- $outfwsettings{'TIME_FRI'} = "on";
+- $outfwsettings{'TIME_SAT'} = "on";
+- $outfwsettings{'TIME_SUN'} = "on";
+- }
+-
+-&Header::openpage($Lang::tr{'outgoing firewall'}, 1, '');
+-&Header::openbigbox('100%', 'left', '', $errormessage);
+-
+-############################################################################################################################
+-############################################################################################################################
+-
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+-{
+- $outfwsettings{'POLICY'}='MODE0';
+- unlink $configfile;
+- system("/usr/bin/touch $configfile");
+- my $MODE = $outfwsettings{'POLICY'};
+- %outfwsettings = ();
+- $outfwsettings{'POLICY'} = "$MODE";
+- &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings);
+-}
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'})
+-{
+- my $MODE = $outfwsettings{'POLICY'};
+- my $MODE1LOG = $outfwsettings{'MODE1LOG'};
+- %outfwsettings = ();
+- $outfwsettings{'POLICY'} = "$MODE";
+- $outfwsettings{'MODE1LOG'} = "$MODE1LOG";
+- &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings);
+- system("/usr/local/bin/outgoingfwctrl");
+-}
+-if ($outfwsettings{'ACTION'} eq 'enable')
+-{
+- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+- @p2ps = <FILE>;
+- close FILE;
+- open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile";
+- foreach $p2pentry (sort @p2ps)
+- {
+- @p2pline = split( /\;/, $p2pentry );
+- if ($p2pline[1] eq $outfwsettings{'P2PROT'}) {
+- print FILE "$p2pline[0];$p2pline[1];on;\n";
+- } else {
+- print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
+- }
+- }
+- close FILE;
+- system("/usr/local/bin/outgoingfwctrl");
+-}
+-if ($outfwsettings{'ACTION'} eq 'disable')
+-{
+- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+- @p2ps = <FILE>;
+- close FILE;
+- open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile";
+- foreach $p2pentry (sort @p2ps)
+- {
+- @p2pline = split( /\;/, $p2pentry );
+- if ($p2pline[1] eq $outfwsettings{'P2PROT'}) {
+- print FILE "$p2pline[0];$p2pline[1];off;\n";
+- } else {
+- print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
+- }
+- }
+- close FILE;
+- system("/usr/local/bin/outgoingfwctrl");
+-}
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'})
+-{
+- open( FILE, "< $configfile" ) or die "Unable to read $configfile";
+- @configs = <FILE>;
+- close FILE;
+- open( FILE, "> $configfile" ) or die "Unable to write $configfile";
+- foreach $configentry (sort @configs)
+- {
+- @configline = split( /\;/, $configentry );
+-
+- $configline[10] = "on" if not exists $configline[11];
+- $configline[11] = "on" if not exists $configline[11];
+- $configline[12] = "on" if not exists $configline[12];
+- $configline[13] = "on" if not exists $configline[13];
+- $configline[14] = "on" if not exists $configline[14];
+- $configline[15] = "on" if not exists $configline[15];
+- $configline[16] = "on" if not exists $configline[16];
+- $configline[17] = "00:00" if not exists $configline[17];
+- $configline[18] = "00:00" if not exists $configline[18];
+-
+- unless (($configline[0] eq $outfwsettings{'STATE'}) &&
+- ($configline[1] eq $outfwsettings{'ENABLED'}) &&
+- ($configline[2] eq $outfwsettings{'SNET'}) &&
+- ($configline[3] eq $outfwsettings{'PROT'}) &&
+- ($configline[4] eq $outfwsettings{'NAME'}) &&
+- ($configline[5] eq $outfwsettings{'SIP'}) &&
+- ($configline[6] eq $outfwsettings{'SMAC'}) &&
+- ($configline[7] eq $outfwsettings{'DIP'}) &&
+- ($configline[9] eq $outfwsettings{'LOG'}) &&
+- ($configline[8] eq $outfwsettings{'DPORT'}) &&
+- ($configline[10] eq $outfwsettings{'TIME_MON'}) &&
+- ($configline[11] eq $outfwsettings{'TIME_TUE'}) &&
+- ($configline[12] eq $outfwsettings{'TIME_WED'}) &&
+- ($configline[13] eq $outfwsettings{'TIME_THU'}) &&
+- ($configline[14] eq $outfwsettings{'TIME_FRI'}) &&
+- ($configline[15] eq $outfwsettings{'TIME_SAT'}) &&
+- ($configline[16] eq $outfwsettings{'TIME_SUN'}) &&
+- ($configline[17] eq $outfwsettings{'TIME_FROM'}) &&
+- ($configline[18] eq $outfwsettings{'TIME_TO'}))
+- {
+- print FILE $configentry;
+- }
+- }
+- close FILE;
+- $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected';
+- $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected';
+- $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected';
+- &addrule();
+- &Header::closebigbox();
+- &Header::closepage();
+- exit
+- system("/usr/local/bin/outgoingfwctrl");
+-}
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'})
+-{
+- open( FILE, "< $configfile" ) or die "Unable to read $configfile";
+- @configs = <FILE>;
+- close FILE;
+- open( FILE, "> $configfile" ) or die "Unable to write $configfile";
+- foreach $configentry (sort @configs)
+- {
+- @configline = split( /\;/, $configentry );
+-
+- $configline[10] = "on" if not exists $configline[11];
+- $configline[11] = "on" if not exists $configline[11];
+- $configline[12] = "on" if not exists $configline[12];
+- $configline[13] = "on" if not exists $configline[13];
+- $configline[14] = "on" if not exists $configline[14];
+- $configline[15] = "on" if not exists $configline[15];
+- $configline[16] = "on" if not exists $configline[16];
+- $configline[17] = "00:00" if not exists $configline[17];
+- $configline[18] = "00:00" if not exists $configline[18];
+-
+- unless (($configline[0] eq $outfwsettings{'STATE'}) &&
+- ($configline[1] eq $outfwsettings{'ENABLED'}) &&
+- ($configline[2] eq $outfwsettings{'SNET'}) &&
+- ($configline[3] eq $outfwsettings{'PROT'}) &&
+- ($configline[4] eq $outfwsettings{'NAME'}) &&
+- ($configline[5] eq $outfwsettings{'SIP'}) &&
+- ($configline[6] eq $outfwsettings{'SMAC'}) &&
+- ($configline[7] eq $outfwsettings{'DIP'}) &&
+- ($configline[9] eq $outfwsettings{'LOG'}) &&
+- ($configline[8] eq $outfwsettings{'DPORT'}) &&
+- ($configline[10] eq $outfwsettings{'TIME_MON'}) &&
+- ($configline[11] eq $outfwsettings{'TIME_TUE'}) &&
+- ($configline[12] eq $outfwsettings{'TIME_WED'}) &&
+- ($configline[13] eq $outfwsettings{'TIME_THU'}) &&
+- ($configline[14] eq $outfwsettings{'TIME_FRI'}) &&
+- ($configline[15] eq $outfwsettings{'TIME_SAT'}) &&
+- ($configline[16] eq $outfwsettings{'TIME_SUN'}) &&
+- ($configline[17] eq $outfwsettings{'TIME_FROM'}) &&
+- ($configline[18] eq $outfwsettings{'TIME_TO'}))
+- {
+- print FILE $configentry;
+- }
+- }
+- close FILE;
+- system("/usr/local/bin/outgoingfwctrl");
+-}
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'})
+-{
+- if ( $outfwsettings{'VALID'} eq 'yes' ) {
+-
+- if ( $outfwsettings{'SNET'} eq "all" ) {
+- $outfwsettings{'SIP'} ="";
+- $outfwsettings{'SMAC'}="";
+- }
+- open( FILE, ">> $configfile" ) or die "Unable to write $configfile";
+- print FILE <<END
+-$outfwsettings{'STATE'};$outfwsettings{'ENABLED'};$outfwsettings{'SNET'};$outfwsettings{'PROT'};$outfwsettings{'NAME'};$outfwsettings{'SIP'};$outfwsettings{'SMAC'};$outfwsettings{'DIP'};$outfwsettings{'DPORT'};$outfwsettings{'LOG'};$outfwsettings{'TIME_MON'};$outfwsettings{'TIME_TUE'};$outfwsettings{'TIME_WED'};$outfwsettings{'TIME_THU'};$outfwsettings{'TIME_FRI'};$outfwsettings{'TIME_SAT'};$outfwsettings{'TIME_SUN'};$outfwsettings{'TIME_FROM'};$outfwsettings{'TIME_TO'};
+-END
+-;
+- close FILE;
+- system("/usr/local/bin/outgoingfwctrl");
+- } else {
+- $outfwsettings{'ACTION'} = 'Add rule';
+- }
+-}
+-if ($outfwsettings{'ACTION'} eq $Lang::tr{'Add Rule'})
+-{
+- &addrule();
+- exit
+-}
+-
+-&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
+-
+-if ($errormessage) {
+- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+- print "<class name='base'>$errormessage\n";
+- print " </class>\n";
+- &Header::closebox();
+-}
+-
+-############################################################################################################################
+-############################################################################################################################
+-
+-if ($outfwsettings{'POLICY'} ne 'MODE0'){
+- &Header::openbox('100%', 'center', 'Rules');
+- print <<END
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='submit' name='ACTION' value='$Lang::tr{'Add Rule'}' />
+- </form>
+-END
+-;
+- open( FILE, "< $configfile" ) or die "Unable to read $configfile";
+- @configs = <FILE>;
+- close FILE;
+- if (@configs) {
+- print <<END
+- <hr />
+- <table border='0' width='100%' cellspacing='0'>
+- <tr bgcolor='$color{'color22'}'>
+- <td width='14%' align='center'><b>$Lang::tr{'protocol'}</b></td>
+- <td width='14%' align='center'><b>$Lang::tr{'network'}</b></td>
+- <td width='14%' align='center'><b>$Lang::tr{'destination'}</b></td>
+- <td width='14%' align='center'><b>$Lang::tr{'description'}</b></td>
+- <td width='14%' align='center'><b>$Lang::tr{'policy'}</b></td>
+- <td width='16%' align='center'><b>$Lang::tr{'logging'}</b></td>
+- <td width='14%' align='center'><b>$Lang::tr{'action'}</b></td>
+-END
+-;
+- foreach $configentry (sort @configs)
+- {
+- @configline = split( /\;/, $configentry );
+- $outfwsettings{'STATE'} = $configline[0];
+- $outfwsettings{'ENABLED'} = $configline[1];
+- $outfwsettings{'SNET'} = $configline[2];
+- $outfwsettings{'PROT'} = $configline[3];
+- $outfwsettings{'NAME'} = $configline[4];
+- $outfwsettings{'SIP'} = $configline[5];
+- $outfwsettings{'SMAC'} = $configline[6];
+- $outfwsettings{'DIP'} = $configline[7];
+- $outfwsettings{'DPORT'} = $configline[8];
+- $outfwsettings{'LOG'} = $configline[9];
+-
+- $configline[10] = "on" if not exists $configline[11];
+- $configline[11] = "on" if not exists $configline[11];
+- $configline[12] = "on" if not exists $configline[12];
+- $configline[13] = "on" if not exists $configline[13];
+- $configline[14] = "on" if not exists $configline[14];
+- $configline[15] = "on" if not exists $configline[15];
+- $configline[16] = "on" if not exists $configline[16];
+- $configline[17] = "00:00" if not exists $configline[17];
+- $configline[18] = "00:00" if not exists $configline[18];
+-
+- $outfwsettings{'TIME_MON'} = $configline[10];
+- $outfwsettings{'TIME_TUE'} = $configline[11];
+- $outfwsettings{'TIME_WED'} = $configline[12];
+- $outfwsettings{'TIME_THU'} = $configline[13];
+- $outfwsettings{'TIME_FRI'} = $configline[14];
+- $outfwsettings{'TIME_SAT'} = $configline[15];
+- $outfwsettings{'TIME_SUN'} = $configline[16];
+- $outfwsettings{'TIME_FROM'} = $configline[17];
+- $outfwsettings{'TIME_TO'} = $configline[18];
+-
+- if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; }
+- if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; }
+- if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "<img src='/images/stock_stop.png' alt='DENY' />"; }
+- if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "<img src='/images/stock_ok.png' alt='ALLOW' />"; }
+- if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){
+- if ( $outfwsettings{'ENABLED'} eq "on" ){
+- print "<tr bgcolor='$color{'color20'}'>";
+- } else {
+- print "<tr bgcolor='$color{'color18'}'>";
+- }
+- print <<END
+- <td align='center'>$outfwsettings{'PROT'}
+- <td align='center'>$outfwsettings{'SNET'}
+- <td align='center'>$outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'}
+- <td align='center'>$outfwsettings{'NAME'}
+- <td align='center'>$outfwsettings{'DISPLAY_STATE'}
+- <td align='center'>$outfwsettings{'LOG'}
+- <td align='center'>
+- <table border='0' cellpadding='0' cellspacing='0'><tr>
+- <td><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='PROT' value='$outfwsettings{'PROT'}' />
+- <input type='hidden' name='STATE' value='$outfwsettings{'STATE'}' />
+- <input type='hidden' name='SNET' value='$outfwsettings{'SNET'}' />
+- <input type='hidden' name='DPORT' value='$outfwsettings{'DPORT'}' />
+- <input type='hidden' name='DIP' value='$outfwsettings{'DIP'}' />
+- <input type='hidden' name='SIP' value='$outfwsettings{'SIP'}' />
+- <input type='hidden' name='NAME' value='$outfwsettings{'NAME'}' />
+- <input type='hidden' name='SMAC' value='$outfwsettings{'SMAC'}' />
+- <input type='hidden' name='ENABLED' value='$outfwsettings{'ENABLED'}' />
+- <input type='hidden' name='LOG' value='$outfwsettings{'LOG'}' />
+- <input type='hidden' name='TIME_MON' value='$outfwsettings{'TIME_MON'}' />
+- <input type='hidden' name='TIME_TUE' value='$outfwsettings{'TIME_TUE'}' />
+- <input type='hidden' name='TIME_WED' value='$outfwsettings{'TIME_WED'}' />
+- <input type='hidden' name='TIME_THU' value='$outfwsettings{'TIME_THU'}' />
+- <input type='hidden' name='TIME_FRI' value='$outfwsettings{'TIME_FRI'}' />
+- <input type='hidden' name='TIME_SAT' value='$outfwsettings{'TIME_SAT'}' />
+- <input type='hidden' name='TIME_SUN' value='$outfwsettings{'TIME_SUN'}' />
+- <input type='hidden' name='TIME_FROM' value='$outfwsettings{'TIME_FROM'}' />
+- <input type='hidden' name='TIME_TO' value='$outfwsettings{'TIME_TO'}' />
+- <input type='hidden' name='ACTION' value=$Lang::tr{'edit'} />
+- <input type='image' src='/images/edit.gif' width="20" height="20" alt=$Lang::tr{'edit'} />
+- </form>
+- <td><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='PROT' value='$outfwsettings{'PROT'}' />
+- <input type='hidden' name='STATE' value='$outfwsettings{'STATE'}' />
+- <input type='hidden' name='SNET' value='$outfwsettings{'SNET'}' />
+- <input type='hidden' name='DPORT' value='$outfwsettings{'DPORT'}' />
+- <input type='hidden' name='DIP' value='$outfwsettings{'DIP'}' />
+- <input type='hidden' name='SIP' value='$outfwsettings{'SIP'}' />
+- <input type='hidden' name='NAME' value='$outfwsettings{'NAME'}' />
+- <input type='hidden' name='SMAC' value='$outfwsettings{'SMAC'}' />
+- <input type='hidden' name='ENABLED' value='$outfwsettings{'ENABLED'}' />
+- <input type='hidden' name='LOG' value='$outfwsettings{'LOG'}' />
+- <input type='hidden' name='TIME_MON' value='$outfwsettings{'TIME_MON'}' />
+- <input type='hidden' name='TIME_TUE' value='$outfwsettings{'TIME_TUE'}' />
+- <input type='hidden' name='TIME_WED' value='$outfwsettings{'TIME_WED'}' />
+- <input type='hidden' name='TIME_THU' value='$outfwsettings{'TIME_THU'}' />
+- <input type='hidden' name='TIME_FRI' value='$outfwsettings{'TIME_FRI'}' />
+- <input type='hidden' name='TIME_SAT' value='$outfwsettings{'TIME_SAT'}' />
+- <input type='hidden' name='TIME_SUN' value='$outfwsettings{'TIME_SUN'}' />
+- <input type='hidden' name='TIME_FROM' value='$outfwsettings{'TIME_FROM'}' />
+- <input type='hidden' name='TIME_TO' value='$outfwsettings{'TIME_TO'}' />
+- <input type='hidden' name='ACTION' value=$Lang::tr{'delete'} />
+- <input type='image' src='/images/delete.gif' width="20" height="20" alt=$Lang::tr{'delete'} />
+- </form></table>
+-END
+-;
+- if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) {
+-
+- unless ($outfwsettings{'SIP'}) {
+- $outfwsettings{'DISPLAY_SIP'} = 'ALL';
+- } else {
+- $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'};
+- }
+-
+- unless ($outfwsettings{'SMAC'}) {
+- $outfwsettings{'DISPLAY_SMAC'} = 'ALL';
+- print "<tr><td /><td align='left'>$Lang::tr{'source ip or net'}: </td>";
+- print "<td align='left' colspan='2'>$outfwsettings{'DISPLAY_SIP'}</td>";
+- } else {
+- $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'};
+- print "<tr><td /><td align='left'>$Lang::tr{'source'} $Lang::tr{'mac address'}: </td>";
+- print "<td align='left' colspan='2'>$outfwsettings{'DISPLAY_SMAC'}</td>";
+- }
+- }
+- print <<END
+- <tr><td width='14%' align='right'>$Lang::tr{'time'} - </td>
+- <td width='14%' align='left'>
+-END
+-;
+- if ($outfwsettings{'TIME_MON'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy monday'}</font>,";
+- if ($outfwsettings{'TIME_TUE'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy tuesday'}</font>,";
+- if ($outfwsettings{'TIME_WED'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy wednesday'}</font>,";
+- if ($outfwsettings{'TIME_THU'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy thursday'}</font>,";
+- if ($outfwsettings{'TIME_FRI'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy friday'}</font>,";
+- if ($outfwsettings{'TIME_SAT'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy saturday'}</font>,";
+- if ($outfwsettings{'TIME_SUN'} eq 'on') { print "<font color='$Header::colourgreen'>";}
+- else { print "<font color='$Header::colourred'>";}
+- print "$Lang::tr{'advproxy sunday'}</font>";
+- print <<END
+- </td>
+- <td width='22%' align='center'>$Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}</td>
+- <td width='22%' align='center'>$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}</td>
+- </form>
+-END
+-;
+- }
+- }
+-if ($outfwsettings{'POLICY'} eq 'MODE1'){
+-print <<END
+- <tr bgcolor='$color{'color20'}'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <td align='center'>all
+- <td align='center'>all
+- <td align='center'>ALL
+- <td align='center'>drop
+- <td align='center'><img src='/images/stock_stop.png' alt='DENY' />
+- <td align='center'>on <input type='radio' name='MODE1LOG' value='on' $checked{'MODE1LOG'}{'on'} /><input type='radio' name='MODE1LOG' value='off' $checked{'MODE1LOG'}{'off'} /> off
+- <td align='center'><input type='hidden' name='ACTION' value=$Lang::tr{'save'} /><input type='image' src='/images/media-floppy.png' width="18" height="18" alt=$Lang::tr{'save'} /></form></tr>
+- <table border='0' cellpadding='0' cellspacing='0'><tr>
+- <td>
+- <td></table>
+-END
+-;
+-}
+- print <<END
+- </table>
+-END
+-;
+-
+- }
+- &Header::closebox();
+-}
+-
+-if ($outfwsettings{'POLICY'} ne 'MODE0'){
+- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+- @p2ps = <FILE>;
+- close FILE;
+- &Header::openbox('100%', 'center', 'P2P-Block');
+- print <<END
+- <table width='40%'>
+- <tr bgcolor='$color{'color22'}'><td width='66%' align=center><b>$Lang::tr{'protocol'}</b>
+- <td width='33%' align=center><b>$Lang::tr{'status'}</b>
+-END
+-;
+- my $id = 1;
+- foreach $p2pentry (sort @p2ps)
+- {
+- @p2pline = split( /\;/, $p2pentry );
+- print <<END
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+-END
+-;
+- print "\t\t\t<tr bgcolor='$color{'color20'}'>\n";
+- print <<END
+- <td width='66%' align='center'>$p2pline[0]:
+- <td width='33%' align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' />
+-END
+-;
+- if ($p2pline[2] eq 'on') {
+- print <<END
+- <input type='hidden' name='ACTION' value='disable' />
+- <input type='image' name='submit' src='/images/stock_ok.png' alt='$Lang::tr{'outgoing firewall p2p allow'}' title='$Lang::tr{'outgoing firewall p2p allow'}'/>
+-END
+-;
+- } else {
+- print <<END
+- <input type='hidden' name='ACTION' value='enable' />
+- <input type='image' name='submit' src='/images/stock_stop.png' alt='$Lang::tr{'outgoing firewall p2p deny'}' title='$Lang::tr{'outgoing firewall p2p deny'}' />
+-END
+-;
+- }
+- print <<END
+- </form>
+-END
+-;
+- }
+- print <<END
+- </table>
+- <br />$Lang::tr{'outgoing firewall p2p description 1'} <img src='/images/stock_ok.png' align='absmiddle' alt='$Lang::tr{'outgoing firewall p2p deny'}'> $Lang::tr{'outgoing firewall p2p description 2'} <img src='/images/stock_stop.png' align='absmiddle' alt='$Lang::tr{'outgoing firewall p2p deny'}'> $Lang::tr{'outgoing firewall p2p description 3'}
+-END
+-;
+- &Header::closebox();
+-}
+-
+-&Header::openbox('100%', 'center', 'Policy');
+-print <<END
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <table width='100%'>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 0:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode0'}</td></tr>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 1:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode1'}</td></tr>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr>
+- <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px"><option value='MODE0' $selected{'POLICY'}{'MODE0'}>$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
+- <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+- <td width='45%' align='left'>
+-END
+-;
+- if ($outfwsettings{'POLICY'} ne 'MODE0') {
+- print <<END
+- $Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value=$Lang::tr{'reset'} />
+-END
+-;
+- }
+-print <<END
+- </table>
+- </form>
+-END
+-;
+-&Header::closebox();
+-
+-############################################################################################################################
+-############################################################################################################################
+-
+-sub addrule
+-{
+- &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'});
+- if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; }
+- $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'";
+- $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'";
+-print <<END
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <table width='80%'>
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'description'}: <img src='/blob.gif' /></td>
+- <td width='30%' align='left'><input type='text' name='NAME' maxlength='30' value='$outfwsettings{'NAME'}' /></td>
+- <td width='20%' align='right' colspan='2'>$Lang::tr{'active'}:</td>
+- <td width='30%' align='left' colspan='2'><input type='checkbox' name='ENABLED' $selected{'ENABLED'} /></td>
+- </tr>
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'protocol'}</td>
+- <td width='30%' align='left'>
+- <select name='PROT'>
+- <option value='all' $selected{'PROT'}{'all'}>All</option>
+- <option value='tcp' $selected{'PROT'}{'tcp'}>TCP</option>
+- <option value='udp' $selected{'PROT'}{'udp'}>UDP</option>
+- <option value='gre' $selected{'PROT'}{'gre'}>GRE</option>
+- <option value='esp' $selected{'PROT'}{'esp'}>ESP</option>
+- </select>
+- </td>
+- <td width='20%' align='right' colspan='2'>$Lang::tr{'policy'}:</td>
+- <td width='30%' align='left' colspan='2'>
+-END
+-;
+- if ($outfwsettings{'POLICY'} eq 'MODE1'){
+- print "\t\t\t\tALLOW<input type='hidden' name='STATE' value='ALLOW' />\n";
+- } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){
+- print "\t\t\t\tDENY<input type='hidden' name='STATE' value='DENY' />\n";
+- }
+- print <<END
+- </td>
+- </tr>
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'source'}:</td>
+- <td width='30%' align='left'>
+- <select name='SNET'>
+- <optgroup label='---'>
+- <option value='all' $selected{'SNET'}{'ALL'}>$Lang::tr{'all'}</option>
+- <optgroup label='$Lang::tr{'mac address'}'>
+- <option value='mac' $selected{'SNET'}{'mac'}>$Lang::tr{'source'} $Lang::tr{'mac address'}</option>
+- </optgroup>
+- <optgroup label='$Lang::tr{'ip address'}'>
+- <option value='ip' $selected{'SNET'}{'ip'}>$Lang::tr{'source ip or net'}</option>
+- <option value='red' $selected{'SNET'}{'red'}>$Lang::tr{'red'} IP</option>
+- </optgroup>
+- <optgroup label='$Lang::tr{'alt vpn'}'>
+- <option value='ovpn' $selected{'SNET'}{'ovpn'}>OpenVPN $Lang::tr{'interface'}</option>
+- </optgroup>
+- <optgroup label='$Lang::tr{'network'}'>
+- <option value='green' $selected{'SNET'}{'green'}>$Lang::tr{'green'}</option>
+-END
+-;
+- if (&Header::blue_used()){
+- print "\t\t\t\t\t<option value='blue' $selected{'SNET'}{'blue'}>$Lang::tr{'wireless'}</option>\n";
+- }
+- if (&Header::orange_used()){
+- print "\t\t\t\t\t<option value='orange' $selected{'SNET'}{'orange'}>$Lang::tr{'dmz'}</option>\n";
+- }
+- print <<END
+- </optgroup>
+- <optgroup label='IP $Lang::tr{'advproxy NCSA group'}'>
+-END
+-;
+- my @ipgroups = qx(ls $configpath/ipgroups/);
+- foreach (sort @ipgroups){
+- chomp($_);
+- print "\t\t\t\t\t<option value='$_' $selected{'SNET'}{$_}>$_</option>\n";
+- }
+- print <<END
+- </optgroup>
+- <optgroup label='MAC $Lang::tr{'advproxy NCSA group'}'>
+-END
+-;
+- my @macgroups = qx(ls $configpath/macgroups/);
+- foreach (sort @macgroups){
+- chomp($_);
+- print "\t\t\t\t\t<option value='$_' $selected{'SNET'}{$_}>$_</option>\n";
+- }
+- print <<END
+- </optgroup>
+- </select>
+- </td>
+- <td align='right' colspan='4'><font color='red'>$Lang::tr{'outgoing firewall warning'}</font></td>
+- </tr>
+- <tr>
+- <td align='right' colspan='4' >$Lang::tr{'source ip or net'}<img src='/blob.gif' /></td>
+- <td align='left' colspan='4' ><input type='text' name='SIP' value='$outfwsettings{'SIP'}' /></td>
+- </tr>
+- <tr>
+- <td align='right' colspan='4' >$Lang::tr{'source'} $Lang::tr{'mac address'}: <img src='/blob.gif' />
+- <td align='left' colspan='4' ><input type='text' name='SMAC' maxlength='23' value='$outfwsettings{'SMAC'}' />
+- </tr>
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'logging'}:</td>
+- <td width='30%' align='left'>
+- <select name='LOG'>
+- <option value='$Lang::tr{'active'}' $selected{'LOG'}{$Lang::tr{'active'}}>$Lang::tr{'active'}</option>
+- <option value='$Lang::tr{'inactive'}' $selected{'LOG'}{$Lang::tr{'inactive'}}>$Lang::tr{'inactive'}</option>
+- </select>
+- </td>
+- <td width='20%' align='right' colspan='2' />
+- <td width='30%' align='left' colspan='2' />
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'destination ip or net'}: <img src='/blob.gif' /></td>
+- <td width='30%' align='left'><input type='text' name='DIP' value='$outfwsettings{'DIP'}' /></td>
+- <td width='20%' align='right' colspan='2'>$Lang::tr{'destination port'}(s) <img src='/blob.gif' /></td>
+- <td width='30%' align='left' colspan='2'><input type='text' name='DPORT' value='$outfwsettings{'DPORT'}' /></td>
+- </tr>
+- <tr>
+- <td width='20%' align='right'>$Lang::tr{'time'}:</td>
+- <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td>
+- <td width='20%' align='right' colspan='2' />
+- <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td>
+- <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td>
+- </tr>
+- <tr>
+- <td width='20%' align='right'></td>
+- <td width='30%' align='left'>
+- <input type='checkbox' name='TIME_MON' $checked{'TIME_MON'}{'on'} />
+- <input type='checkbox' name='TIME_TUE' $checked{'TIME_TUE'}{'on'} />
+- <input type='checkbox' name='TIME_WED' $checked{'TIME_WED'}{'on'} />
+- <input type='checkbox' name='TIME_THU' $checked{'TIME_THU'}{'on'} />
+- <input type='checkbox' name='TIME_FRI' $checked{'TIME_FRI'}{'on'} />
+- <input type='checkbox' name='TIME_SAT' $checked{'TIME_SAT'}{'on'} />
+- <input type='checkbox' name='TIME_SUN' $checked{'TIME_SUN'}{'on'} />
+- </td>
+- <td width='20%' align='right' colspan='2' />
+- <td width='15%' align='left'>
+- <select name='TIME_FROM'>
+-END
+-;
+-for (my $i=0;$i<=23;$i++) {
+- $i = sprintf("%02s",$i);
+- for (my $j=0;$j<=45;$j+=15) {
+- $j = sprintf("%02s",$j);
+- my $time = $i.":".$j;
+- print "\t\t\t\t\t<option $selected{'TIME_FROM'}{$time}>$i:$j</option>\n";
+- }
+-}
+-print <<END
+- </select>
+- </td>
+- <td width='15%' align='left'><select name='TIME_TO'>
+-END
+-;
+-for (my $i=0;$i<=23;$i++) {
+- $i = sprintf("%02s",$i);
+- for (my $j=0;$j<=45;$j+=15) {
+- $j = sprintf("%02s",$j);
+- my $time = $i.":".$j;
+- print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n";
+- }
+-}
+-print <<END
+- </select>
+- </td>
+- </tr>
+- <tr>
+- <td colspan='6' />
+- <tr>
+- <tr>
+- <td width='40%' align='right' colspan='2'><img src='/blob.gif' />$Lang::tr{'this field may be blank'}</td>
+- <td width='60%' align='left' colspan='4'><input type='submit' name='ACTION' value=$Lang::tr{'add'} /></td>
+- </table></form>
+-END
+-;
+- &Header::closebox();
+-
+-if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2')
+-{
+-&Header::openbox('100%', 'center', 'Quick Add');
+-
+- open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services";
+- my @defservices = <FILE>;
+- close FILE;
+-
+-print "<table width='100%'><tr bgcolor='$color{'color20'}'><td><b>$Lang::tr{'service'}</b></td><td><b>$Lang::tr{'description'}</b></td><td><b>$Lang::tr{'port'}</b></td><td><b>$Lang::tr{'protocol'}</b></td><td><b>$Lang::tr{'source net'}</b></td><td><b>$Lang::tr{'logging'}</b></td><td><b>$Lang::tr{'action'}</b></td></tr>";
+-foreach my $serviceline(@defservices)
+- {
+- my @service = split(/,/,$serviceline);
+- print <<END
+- <tr><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <td>$service[0]<input type='hidden' name='NAME' value='@service[0]' /></td>
+- <td>$service[3]</td>
+- <td><a href='http://isc.sans.org/port_details.php?port=$service[1]' target='top'>$service[1]</a><input type='hidden' name='DPORT' value='@service[1]' /></td>
+- <td>$service[2]<input type='hidden' name='PROT' value='@service[2]' /></td>
+- <td><select name='SNET'><option value='all' $selected{'SNET'}{'ALL'}>$Lang::tr{'all'}</option><option value='green' $selected{'SNET'}{'green'}>$Lang::tr{'green'}</option>
+-END
+-;
+- if (&Header::blue_used()){
+- print "<option value='blue' $selected{'SNET'}{'blue'}>$Lang::tr{'wireless'}</option>";
+- }
+- if (&Header::orange_used()){
+- print "<option value='orange' $selected{'SNET'}{'orange'}>$Lang::tr{'dmz'}</option>";
+- }
+- print <<END
+- </select></td>
+- <td><select name='LOG'><option value='$Lang::tr{'active'}'>$Lang::tr{'active'}</option><option value='$Lang::tr{'inactive'}' 'selected'>$Lang::tr{'inactive'}</option></select></td><td>
+- <input type='hidden' name='ACTION' value=$Lang::tr{'add'} />
+- <input type='image' alt='$Lang::tr{'add'}' src='/images/add.gif' />
+- <input type='hidden' name='ENABLED' value='on' />
+-END
+-;
+- if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "<input type='hidden' name='STATE' value='ALLOW' /></form></td></tr>";}
+- elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "<input type='hidden' name='STATE' value='DENY' /></form></td></tr>";}
+- }
+- print "</table>";
+- &Header::closebox();
+- }
+-}
+-
+-&Header::closebigbox();
+-&Header::closepage();
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index b5da683..d9bcce6 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -734,6 +734,7 @@
+ 'download root certificate' => 'Root Zertifikat herunterladen',
+ 'dpd action' => 'Aktion für Dead Peer Detection',
+ 'driver' => 'Treiber',
++'drop action' => 'Standardverhalten der Firewall in Modus1',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+ 'drop forward' => 'Verworfene Firewall-Pakete loggen',
+@@ -1021,6 +1022,7 @@
+ 'from email user' => 'Von Email Benutzer',
+ 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+ 'fw blue' => 'Firewall Optionen für das Blaue Interface',
++'fw default drop' => 'Firewall Policy',
+ 'fw logging' => 'Firewall Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index aac1a9a..aa0c491 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -757,9 +757,10 @@
+ 'download root certificate' => 'Download root certificate',
+ 'dpd action' => 'Dead Peer Detection action',
+ 'driver' => 'Driver',
++'drop action' => 'Default behaviour of firewall in mode 1',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+-'drop forward' => 'Log dropped firewall pakets',
++'drop forward' => 'Log dropped forward pakets',
+ 'drop portscan' => 'Log dropped portscan pakets',
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+ 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+@@ -1045,6 +1046,7 @@
+ 'from email user' => 'From e-mail user',
+ 'from warn email bad' => 'From e-mail address is not valid',
+ 'fw blue' => 'Firewall options for BLUE interface',
++'fw default drop' => 'Firewall policy',
+ 'fw logging' => 'Firewall logging',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+diff --git a/lfs/configroot b/lfs/configroot
+index 8cf9377..14f1996 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -102,6 +102,7 @@ $(TARGET) :
+ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
++ cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
+ cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
+ # Oneliner configfiles
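Review bot: The added `cp` into `/usr/sbin` leaves the executable bit to whatever mode the source file has in the tree, yet the init script changed in this same patch invokes `/usr/sbin/firewall-forward-policy` directly. Making the mode explicit removes that dependency: `install -m 755 $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy`. Unlike the neighbouring lines, this destination is outside `$(CONFIG_ROOT)`, so a one-line comment saying why would help the next reader.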
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 32a234a..68f65f4 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -220,12 +220,6 @@ case "$1" in
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+
+- # WIRELESS chains
+- /sbin/iptables -N WIRELESSINPUT
+- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+- /sbin/iptables -N WIRELESSFORWARD
+- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+-
+ # RED chain, used for the red interface
+ /sbin/iptables -N REDINPUT
+ /sbin/iptables -A INPUT -j REDINPUT
+@@ -277,11 +271,16 @@ case "$1" in
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+- if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+- fi
+- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
++ #if [ "$DROPFORWARD" == "on" ]; then
++ # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
++ #fi
++ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
++
++ #POLICY CHAIN
++ /sbin/iptables -N POLICY
++ /sbin/iptables -A FORWARD -j POLICY
+
++ /usr/sbin/firewall-forward-policy
+ ;;
+ startovpn)
+ # run openvpn
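Review bot: With the terminal `-j DROP` on FORWARD commented out, dropping unmatched forwarded traffic now depends entirely on `/usr/sbin/firewall-forward-policy` succeeding, and the added call does not check its exit status. If the script is missing, not executable or fails, FORWARD ends at `-j POLICY` with an empty chain and packets fall through to the built-in chain policy, which is not visible in this hunk. A fail-closed fallback would cover that case: `/usr/sbin/firewall-forward-policy || /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_FORWARD"`. The four commented-out lines are better deleted than kept, since version control already holds them. The enclosing case branch begins outside the hunk.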
+@@ -314,14 +313,10 @@ case "$1" in
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+- #if [ "$DROPOUTPUT" == "on" ]; then
+- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+- #fi
+- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+ if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
++ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ fi
+- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper"
++ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ ;;
+ stopovpn)
+ # stop openvpn
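Review bot: This branch now appends the LOG and `-j DROP` rules directly to FORWARD, while the `@@ -277,11` hunk of the same file comments out the identical rules and hands the final verdict to the POLICY chain. If this branch runs after that one (its label is outside the hunk, so this is inferred from the `stopovpn)` that follows), the DROP lands behind the `-j POLICY` jump and the effective end of FORWARD depends on which branch ran last. Either remove the rules here too, or add a comment stating why this path still needs its own terminal DROP.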
+--
+1.7.10.4
+
--- /dev/null
+From bf03b56ad3bd6ec6ae9c9cebb362927be4c7f0d4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 14:42:52 +0100
+Subject: [PATCH 020/302] Forward Firewall: Deleted /var/ipfire/outgoing from
+ configroot and aaded default values to
+ /var/ipfire/optionsfw/settings
+
+---
+ lfs/configroot | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lfs/configroot b/lfs/configroot
+index 14f1996..8a18cfb 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -52,8 +52,8 @@ $(TARGET) :
+ # Create all directories
+ for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns \
+ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
+- net-traffic/templates nfs optionsfw outgoing/bin \
+- outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
++ net-traffic/templates nfs optionsfw \
++ ovpn patches pakfire portfw ppp private proxy/advanced/cre \
+ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
+ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
+ wakeonlan wireless ; do \
+@@ -91,7 +91,6 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+ cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
+- cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
+ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
+ cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
+ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
+@@ -113,6 +112,7 @@ $(TARGET) :
+ echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+
+ # set rules.pl executable
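Review bot: `FWPOLICY=DROP` is only written when this target generates a fresh `optionsfw/settings`; nothing in the hunk covers a settings file that already exists without the key. Whatever reads FWPOLICY (not visible here) should treat a missing or unrecognised value as DROP, so that a system carrying an older settings file does not end up with an undefined forward policy. A short comment above the echo, such as `# default forward policy: fail closed`, would document the intent.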
+--
+1.7.10.4
+
--- /dev/null
+From e556da3a76d46dfc71a880b3c16bf6cca67ce979 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 14:44:10 +0100
+Subject: [PATCH 021/302] Forward Firewall: Deleted config/cfgroot/p2protocols
+
+---
+ config/cfgroot/p2protocols | 9 ---------
+ 1 file changed, 9 deletions(-)
+ delete mode 100644 config/cfgroot/p2protocols
+
+diff --git a/config/cfgroot/p2protocols b/config/cfgroot/p2protocols
+deleted file mode 100644
+index 78c6101..0000000
+--- a/config/cfgroot/p2protocols
++++ /dev/null
+@@ -1,9 +0,0 @@
+-Bittorrent;bit;on;
+-Edonkey;edk;on;
+-KaZaA;kazaa;on;
+-Gnutella;gnu;on;
+-DirectConnect;dc;on;
+-Applejuice;apple;on;
+-WinMX;winmx;on;
+-SoulSeek;soul;on;
+-Ares;ares;on;
+\ No newline at end of file
+--
+1.7.10.4
+
--- /dev/null
+From 6b2d83ddb3349f6f147ee44a365721c52fc3bb67 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 14:48:35 +0100
+Subject: [PATCH 022/302] Forward Firewall: Deleted /var/ipfire/outgoing from
+ /config/rootfiles/common/configroot
+
+---
+ config/rootfiles/common/configroot | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 12b3d35..d4f96b8 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -111,7 +111,7 @@ var/ipfire/net-traffic
+ #var/ipfire/nfs/nfs-server
+ var/ipfire/optionsfw
+ #var/ipfire/optionsfw/settings
+-var/ipfire/outgoing
++#var/ipfire/outgoing
+ #var/ipfire/outgoing/bin
+ #var/ipfire/outgoing/bin/outgoingfw.pl
+ #var/ipfire/outgoing/defaultservices
+--
+1.7.10.4
+
--- /dev/null
+From 47f0c54143e5df3d6b018f55753f0b48f0861ed2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 9 Jan 2013 14:54:31 +0100
+Subject: [PATCH 023/302] Forward Firewall: added Red interface to
+ get_std_network function
+
+---
+ config/cfgroot/general-functions.pl | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
+index b8a16c4..d769790 100644
+--- a/config/cfgroot/general-functions.pl
++++ b/config/cfgroot/general-functions.pl
+@@ -53,6 +53,10 @@ sub setup_default_networks
+ $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
++ if ($netsettings{'RED_DEV'} ne ''){
++ $defaultNetworks->{$Lang::tr{'red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}";
++ $defaultNetworks->{$Lang::tr{'red'}}{'NAME'} = "RED";
++ }
+ if ($netsettings{'ORANGE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
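Review bot: The new RED block checks only `RED_DEV`, so when `RED_NETADDRESS` or `RED_NETMASK` is empty the stored `IPT` value degrades to a bare `/` (or a half-filled `addr/`), and any rule built from it would pass that on as an address. Whether those keys are populated for every RED connection type is not visible here, so I would guard on the address as well: `if ($netsettings{'RED_DEV'} ne '' && $netsettings{'RED_NETADDRESS'} ne ''){`. `setup_default_networks` starts and ends outside the hunk.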
+--
+1.7.10.4
+
--- /dev/null
+From 302521042cb17187b1c47fb5516e8a0bfa281681 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 10 Jan 2013 09:41:04 +0100
+Subject: [PATCH 024/302] Forward Firewall: BUGFIX: MAC source addresses where
+ not created as rules
+
+---
+ config/backup/exclude | 1 +
+ config/forwardfw/rules.pl | 22 ++++++++++++++++------
+ html/cgi-bin/forwardfw.cgi | 33 ++++++++++++++++++++++-----------
+ 3 files changed, 39 insertions(+), 17 deletions(-)
+
+diff --git a/config/backup/exclude b/config/backup/exclude
+index 8103bb9..bd15ceb 100644
+--- a/config/backup/exclude
++++ b/config/backup/exclude
+@@ -1,5 +1,6 @@
+ *.tmp
+ /var/ipfire/ethernet/settings
++/var/ipfire/forward/bin/*
+ /var/ipfire/proxy/calamaris/bin/*
+ /var/ipfire/qos/bin/qos.pl
+ /var/ipfire/urlfilter/blacklists/*/*.db
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 953aad0..58bdf2a 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -115,7 +115,9 @@ sub preparerules
+ sub buildrules
+ {
+ my $hash=shift;
++ my $STAG;
+ foreach my $key (sort keys %$hash){
++ $STAG='';
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
+ if ($$hash{$key}[3] eq 'cust_grp_src'){
+@@ -195,17 +197,17 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
++ if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ }
+ }
+ }
+ print"\n";
+ }
+-
+ }elsif($MODE eq '0'){
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
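Review bot: The test `substr($sourcehash{$a}[0], 4, 6) eq 'mac'` can only be true for a value that is exactly seven characters long and ends in `mac`, so it never matches the `-m mac --mac-source …` string that `get_address` produces in this patch, and `$STAG` stays empty for every source. That also removes `-s` from ordinary IP sources, leaving a bare address in the generated command. Had the test matched, it would have put `-s` in front of the `-m mac` match, which is the opposite of what the fix needs. Set the flag from the prefix instead: `$STAG = (index($sourcehash{$a}[0], '-m mac') == 0) ? '' : '-s';`. The same line is added in the `@@ -215,10` hunk below, where the command is executed rather than printed; `buildrules` starts and ends outside both hunks.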
+@@ -215,10 +217,11 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
++ if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ }
+- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ }
+ }
+ }
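Review bot: The two `system ("iptables …")` calls rewritten here discard the exit status, so a rule that iptables rejects is silently missing from the chain. For a DROP or REJECT rule, that means traffic the administrator meant to block is still forwarded. Appending `== 0 or warn "iptables failed for rule $key\n"` to each call would surface the failure. The single-string form also passes through the shell, so it relies on every interpolated field having been validated before it was stored. A list-form call would remove that dependency, though `$PROT`, `$TIME` and the port strings would have to be split into separate arguments first.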
+@@ -247,7 +250,11 @@ sub get_address
+ }
+ my $key = &General::findhasharraykey($hash);
+ if($base eq 'src_addr' || $base eq 'tgt_addr' ){
+- $$hash{$key}[0] = $base2;
++ if (&General::validmac($base2)){
++ $$hash{$key}[0] = "-m mac --mac-source $base2";
++ }else{
++ $$hash{$key}[0] = $base2;
++ }
+ }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
+ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
+ }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
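Review bot: The MAC branch sits under `$base eq 'src_addr' || $base eq 'tgt_addr'`, so a MAC stored as a target address would also be rewritten to `-m mac --mac-source …` and then placed after `-d` by `buildrules`. Whether the CGI can store a MAC as `tgt_addr` is not visible here; restricting the rewrite to sources avoids depending on that: `if ($base eq 'src_addr' && &General::validmac($base2)){`. A comment noting that the stored value is then a complete match expression rather than an address would help callers that prepend `-s`. `get_address` starts and ends outside the hunk.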
+@@ -307,6 +314,7 @@ sub get_port
+ return;
+ }
+ }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
++
+ if($$hash{$key}[14] eq 'TGT_PORT'){
+ if ($$hash{$key}[15] ne ''){
+ return "--dport $$hash{$key}[15] ";
+@@ -330,6 +338,8 @@ sub get_port
+ elsif($prot eq 'ICMP'){
+ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
+ }
++
++
+ }
+ }
+ }
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6aadb99..21f680d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -544,24 +544,35 @@ sub checksource
+ if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) {
+ ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'});
+ $subnet = &General::iporsubtocidr($subnet);
++ $fwdfwsettings{'isip'}='on';
+ }
+ #check if only ip
+ if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+ $ip=$fwdfwsettings{'src_addr'};
+ $subnet = '32';
++ $fwdfwsettings{'isip'}='on';
+ }
+- #check and form valid IP
+- $ip=&General::ip2dec($ip);
+- $ip=&General::dec2ip($ip);
+- #check if net or broadcast
+- my @tmp= split (/\./,$ip);
+- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+- {
+- $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+- }
+- $fwdfwsettings{'src_addr'}="$ip/$subnet";
+
+- if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
++ if ($fwdfwsettings{'isip'} ne 'on'){
++ if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
++ }
++ if ($fwdfwsettings{'isip'} eq 'on'){
++ #check and form valid IP
++ $ip=&General::ip2dec($ip);
++ $ip=&General::dec2ip($ip);
++ #check if net or broadcast
++ my @tmp= split (/\./,$ip);
++ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
++ {
++ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
++ }
++ $fwdfwsettings{'src_addr'}="$ip/$subnet";
++
++ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
++ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
++ }
++ }
++ if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ }
+ }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
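Review bot: The `isip` and `ismac` markers are written into `%fwdfwsettings`, which appears to be the hash that also carries the submitted form fields, so a value already present under either key would survive into these tests; a pre-set `ismac` lets the final `ne 'on'` check pass without `validmac` ever succeeding. Because `src_addr` later becomes part of an iptables command line, the flags should be locals that start empty, `my ($isip, $ismac) = ('', '');` at the top of the branch, with the four tests switched to them. checksource starts outside the hunk, so whether the two keys are cleared earlier cannot be seen here.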
+--
+1.7.10.4
+
--- /dev/null
+From 171d4f0bdaed03eada052d4d5fb8365a5c165a6c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 10 Jan 2013 09:58:38 +0100
+Subject: [PATCH 025/302] Forward Firewall: added check for mac rules
+
+---
+ config/forwardfw/rules.pl | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 58bdf2a..e129d76 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -66,7 +66,7 @@ my $CHAIN="FORWARDFW";
+ ################################
+ # DEBUG/TEST #
+ ################################
+-my $MODE=0; # 0 - normal operation
++my $MODE=1; # 0 - normal operation
+ # 1 - print configline and rules to console
+ #
+ ################################
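Review bot: `my $MODE=1;` commits the debug setting. Per the comment on the following line, mode 1 prints the config line and rules to the console, and the `system("iptables …")` calls in buildrules sit in the `$MODE eq '0'` branch, so as far as the visible code shows no forwarding rules would be loaded with this value. It looks like a leftover from testing the mac check and should stay `my $MODE=0; # 0 - normal operation`. If the switch is needed often, taking it from a command-line argument avoids committing it by accident.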
+@@ -97,7 +97,6 @@ if($param eq 'flush'){
+ }
+ }
+ }
+-
+ sub flush
+ {
+ system ("iptables -F FORWARDFW");
+@@ -197,7 +196,7 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+- if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
++ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
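Review bot: `$STAG` is only ever assigned `"-s"` on this line and is not cleared when the source is a MAC entry, so unless it is reset outside the hunk, a MAC source that follows an IP source in the same loop still gets `-s` in front of `-m mac --mac-source …`. Assigning both outcomes closes that: `$STAG = (substr($sourcehash{$a}[0], 3, 3) ne 'mac') ? "-s" : "";`. The hunk at -217,7 adds the same line in the `system` branch and needs the same change. Matching on fixed offsets is also brittle compared with `=~ /^-m mac /`.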
+@@ -217,7 +216,7 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+- if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
++ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ }
+--
+1.7.10.4
+
--- /dev/null
+From d463e5a75df377da0d53a67b4328858eb86a3df0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 10 Jan 2013 12:17:30 +0100
+Subject: [PATCH 026/302] Forward Firewall: edited
+ /src/initscripts/init.d/firewall and
+ misc-progs/wirelessctrl.c
+
+added WIRELESSFORWARD to FORWARDFW (instead of FORWARD) so that rules work
+commented out DMZHOLES lines in wirelessctrl.c to get rid of booterrormessages (There's no DMZHOLES anymore)
+---
+ src/initscripts/init.d/firewall | 6 ++++++
+ src/misc-progs/wirelessctrl.c | 12 ++++++------
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 68f65f4..707ced8 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -215,6 +215,12 @@ case "$1" in
+ # allow DHCP on BLUE to be turned on/off
+ /sbin/iptables -N DHCPBLUEINPUT
+ /sbin/iptables -A INPUT -j DHCPBLUEINPUT
++
++ # WIRELESS chains
++ /sbin/iptables -N WIRELESSINPUT
++ /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
++ /sbin/iptables -N WIRELESSFORWARD
++ /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
+
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
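Review bot: The jump to WIRELESSFORWARD is appended to FORWARDFW, but the `flush` sub in config/forwardfw/rules.pl runs `iptables -F FORWARDFW`, so the jump would be removed on the first rule reload and the per-client BLUE rules would stop being evaluated. Hooking the chain into one the rule generator does not flush, or re-adding the jump after each flush, avoids that. It is also worth confirming that WIRELESSINPUT and WIRELESSFORWARD are not already created elsewhere in this script, since `iptables -N` fails for a chain that exists.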
+diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
+index 12b954b..be6f967 100644
+--- a/src/misc-progs/wirelessctrl.c
++++ b/src/misc-progs/wirelessctrl.c
+@@ -156,8 +156,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
+- safe_system(command);
++ /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
++ safe_system(command);*/
+ } else {
+
+ /* correctly formed mac address is 17 chars */
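Review bot: The DMZHOLES rules are disabled by wrapping them in `/* … */`, here and in the hunks at -166,8 and -175,8, which leaves dead code naming a chain the commit message says no longer exists. Deleting the two lines in each place keeps main() readable, and the history preserves the old rule if it is needed again. A short comment such as `/* no per-client jump: DMZHOLES was removed with the forward firewall */` would record why nothing follows the ACCEPT rule. main() starts and ends outside the hunk.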
+@@ -166,8 +166,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
+- safe_system(command);
++ /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
++ safe_system(command);*/
+ }
+
+ if (VALID_IP_AND_MASK(ipaddress)) {
+@@ -175,8 +175,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
+- safe_system(command);
++ /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
++ safe_system(command);*/
+ }
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 55fb2298fd200360012f2c4965a0da84b55fee90 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 10 Jan 2013 12:55:56 +0100
+Subject: [PATCH 027/302] Forward Firewall: adapted initscripts/firewall and
+ wirelessctrl.c
+
+Now the Wirelesschains should work with new firewall.
+---
+ src/initscripts/init.d/firewall | 2 +-
+ src/misc-progs/wirelessctrl.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 707ced8..96c61ea 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -220,7 +220,7 @@ case "$1" in
+ /sbin/iptables -N WIRELESSINPUT
+ /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+- /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
++ /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
+index be6f967..90f602d 100644
+--- a/src/misc-progs/wirelessctrl.c
++++ b/src/misc-progs/wirelessctrl.c
+@@ -156,8 +156,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
+ safe_system(command);
+- /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
+- safe_system(command);*/
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
++ safe_system(command);
+ } else {
+
+ /* correctly formed mac address is 17 chars */
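Review bot: The new `-j FORWARDFW` rule is appended after `… -i %s ! -o %s -j ACCEPT`, so for a listed BLUE client every packet that does not leave through green_dev is accepted before FORWARDFW is consulted, and user-defined forward rules would only ever see traffic from these clients towards GREEN. If the forward firewall is meant to filter BLUE traffic to the other zones as well, the jump has to precede the ACCEPT or the ACCEPT has to go. The same ordering is repeated in the hunks at -166,8 and -175,8. main() starts and ends outside the hunk, so the rules added before these lines are only partly visible.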
+@@ -166,8 +166,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
+ safe_system(command);
+- /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
+- safe_system(command);*/
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
++ safe_system(command);
+ }
+
+ if (VALID_IP_AND_MASK(ipaddress)) {
+@@ -175,8 +175,8 @@ int main(void)
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
+ safe_system(command);
+- /*snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
+- safe_system(command);*/
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
++ safe_system(command);
+ }
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 0bde58afb8a6829b45b143eb22c5473c6e541275 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 11 Jan 2013 08:48:20 +0100
+Subject: [PATCH 028/302] Forward Firewall: added possibility to change
+ ruleposition
+
+---
+ html/cgi-bin/forwardfw.cgi | 177 +++++++++++++++++++++++++++++++-------------
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ 3 files changed, 127 insertions(+), 52 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 21f680d..c161c4a 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -136,13 +136,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ #check if we have an identical rule already
+- foreach my $key (sort keys %configinputfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ if($fwdfwsettings{'oldrulenumer'} eq $fwdfwsettings{'rulepos'}){
++ foreach my $key (sort keys %configinputfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
+ }
+- }
+-
++ }
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ if ($fwdfwsettings{'nobase'} ne 'on'){
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
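Review bot: The guard in the INPUTFW branch reads `$fwdfwsettings{'oldrulenumer'}` (missing `b`), a key nothing else on this page sets, so it compares an empty value with `rulepos` and the duplicate-rule check is skipped whenever a position is submitted. It should be `if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){`, as in the FORWARDFW branch of the next hunk. The comparison also drops `ruleremark` and index 16 on both sides, so rules that differ only in their remark now count as duplicates; a one-line comment saying that this is intended would help.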
+@@ -179,19 +180,18 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }else{
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
+- #check if we have an identical rule already
+- foreach my $key (sort keys %configfwdfw){
+-
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- }
++ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
++ #check if we have an identical rule already
++ foreach my $key (sort keys %configfwdfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
+ }
+ #increase counters
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+-
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+-
+ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+@@ -203,7 +203,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+ &saverule(\%configfwdfw,$configfwdfw);
+-
+ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+@@ -491,8 +490,7 @@ sub deleterule
+ {
+ my %delhash=();
+ &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
+- foreach my $key (sort keys %delhash){
+-
++ foreach my $key (sort {$a <=> $b} keys %delhash){
+ if ($key eq $fwdfwsettings{'key'}){
+ #check hosts/net and groups
+ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
+@@ -850,6 +848,7 @@ sub newrule
+ &General::get_aliases(\%aliases);
+ my %checked=();
+ my $helper;
++ my $sum=0;
+ if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;}
+ my $config=$fwdfwsettings{'config'};
+ my %hash=();
+@@ -875,7 +874,9 @@ sub newrule
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+ foreach my $key (sort keys %hash){
++ $sum++;
+ if ($key eq $fwdfwsettings{'key'}){
++ $fwdfwsettings{'oldrulenumber'} = $key;
+ $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0];
+ $fwdfwsettings{'ACTIVE'} = $hash{$key}[2];
+ $fwdfwsettings{'grp1'} = $hash{$key}[3];
+@@ -1242,7 +1243,20 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td colspan='2' >$Lang::tr{'remark'}:<input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>
++ <tr><td width='12%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>
++END
++ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){
++ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >";
++ for (my $count =1; $count <= $sum; $count++){
++ print"<option value='$count' ";
++ print"selected='selected'" if($fwdfwsettings{'oldrulenumber'} eq $count);
++ print">$count</option>";
++ }
++ print"</select></td></tr>";
++ }
++
++ print<<END;
++ </table><table width='100%'>
+ <tr><td width='1%'><input type='checkbox' name='ACTIVE' value='ON' $checked{'ACTIVE'}{'ON'}></td><td>$Lang::tr{'fwdfw rule activate'}</td></tr>
+ <tr><td width='1%'><input type='checkbox' name='LOG' value='ON' $checked{'LOG'}{'ON'} ></td><td>$Lang::tr{'fwdfw log rule'}</td></tr>
+ </table><hr><br>
+@@ -1318,6 +1332,8 @@ END
+ <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' />
+ <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' />
+ <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
++ <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
++ <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
+ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+ </table></form>
+ END
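Review bot: The hidden field `rulenumber` carries `$fwdfwsettings{'rulepos'}`, yet the save path shown on this page reads `rulepos` from the `<select>` and nothing visible reads `rulenumber`; if it has no consumer it should be dropped. `oldrulenumber` makes a round trip through the browser and is then used for arithmetic and as a hash key in saverule, so it should be checked with an anchored `/^\d+\z/` test when it comes back. Both values are printed into single-quoted attributes without HTML-escaping, which is worth fixing at the same time.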
+@@ -1330,7 +1346,7 @@ sub saverule
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+ if (!$errormessage){
+- if ($fwdfwsettings{'updatefwrule'} ne 'on' ){
++ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
+ $$hash{$key}[1] = $fwdfwsettings{'chain'};
+@@ -1362,37 +1378,94 @@ sub saverule
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+ &General::writehasharray("$config", $hash);
+ }else{
+- foreach my $key (sort keys %$hash){
+- if($key eq $fwdfwsettings{'key'}){
+- $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
+- $$hash{$key}[1] = $fwdfwsettings{'chain'};
+- $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
+- $$hash{$key}[3] = $fwdfwsettings{'grp1'};
+- $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
+- $$hash{$key}[5] = $fwdfwsettings{'grp2'};
+- $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
+- $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
+- $$hash{$key}[8] = $fwdfwsettings{'PROT'};
+- $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
+- $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
+- $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
+- $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
+- $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
+- $$hash{$key}[14] = $fwdfwsettings{'grp3'};
+- $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
+- $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
+- $$hash{$key}[17] = $fwdfwsettings{'LOG'};
+- $$hash{$key}[18] = $fwdfwsettings{'TIME'};
+- $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
+- $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
+- $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
+- $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
+- $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
+- $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
+- $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+- $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+- $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+- last;
++ #ruleposition check
++ if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){
++ my %tmp=();
++ my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'};
++ for ($a=0;$a<$val;$a++){
++ $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}-$a;
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
++ my $last = $key -1;
++ if (exists $$hash{$last}){
++ #save rule last
++ foreach my $y (0 .. $#{$$hash{$last}}) {
++ $tmp{0}[$y] = $$hash{$last}[$y];
++ }
++ #copy active rule to last
++ foreach my $i (0 .. $#{$$hash{$last}}) {
++ $$hash{$last}[$i] = $$hash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $$hash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ }
++ &General::writehasharray("$config", $hash);
++ &rules;
++ }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){
++ my %tmp=();
++ my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'};
++ for ($a=0;$a<$val;$a++){
++ $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}+$a;
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
++ my $next = $key + 1;
++ if (exists $$hash{$next}){
++ #save rule next
++ foreach my $y (0 .. $#{$$hash{$next}}) {
++ $tmp{0}[$y] = $$hash{$next}[$y];
++ }
++ #copy active rule to next
++ foreach my $i (0 .. $#{$$hash{$next}}) {
++ $$hash{$next}[$i] = $$hash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $$hash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ }
++ &General::writehasharray("$config", $hash);
++ &rules;
++ }else{
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if($key eq $fwdfwsettings{'key'}){
++ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
++ $$hash{$key}[1] = $fwdfwsettings{'chain'};
++ $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
++ $$hash{$key}[3] = $fwdfwsettings{'grp1'};
++ $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $$hash{$key}[5] = $fwdfwsettings{'grp2'};
++ $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
++ $$hash{$key}[8] = $fwdfwsettings{'PROT'};
++ $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
++ $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
++ $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
++ $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
++ $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
++ $$hash{$key}[14] = $fwdfwsettings{'grp3'};
++ $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
++ $$hash{$key}[17] = $fwdfwsettings{'LOG'};
++ $$hash{$key}[18] = $fwdfwsettings{'TIME'};
++ $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
++ $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
++ $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
++ $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
++ $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
++ $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
++ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
++ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
++ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ last;
++ }
+ }
+ }
+ &General::writehasharray("$config", $hash);
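Review bot: The position branches compare rule numbers with the string operator `gt`, so `'10' gt '9'` is false and a move across a digit boundary takes the wrong branch; a numeric comparison is needed. Inside both loops `oldrulenumber` is changed by the running counter `$a` on every pass, so the offsets accumulate and a move of three or more positions swaps the wrong pairs; `$a` is also the variable `sort {$a <=> $b}` uses. The move branches only swap stored rows, so field edits submitted together with a new position are not saved, which should be stated in the form if it is intended. One loop that steps a slot at a time covers both directions, as sketched below. saverule begins outside the hunk, and the trailing `writehasharray` call after the branches is unchanged.

```perl
#ruleposition check
my $from = $fwdfwsettings{'oldrulenumber'};
my $to = $fwdfwsettings{'rulepos'};
if ($from =~ /^\d+\z/ && $to =~ /^\d+\z/ && $from != $to){
	my $step = ($to > $from) ? 1 : -1;
	#move the rule one slot at a time towards the requested position
	for (my $pos = $from; $pos != $to; $pos += $step){
		last unless (exists $$hash{$pos} && exists $$hash{$pos + $step});
		($$hash{$pos}, $$hash{$pos + $step}) = ($$hash{$pos + $step}, $$hash{$pos});
	}
	&General::writehasharray("$config", $hash);
	&rules;
}else{
	# … unchanged: in-place update of the rule stored under $fwdfwsettings{'key'} …
```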
+@@ -1438,7 +1511,7 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:_\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
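Review bot: The character class still contains `\s` and the pattern ends in `$`, so a remark may contain or end with a line break. The remark is stored as field 16 of a rule record, and if that file is line-based (its format is not visible here) an embedded newline would split the record. Limiting whitespace to a literal space and anchoring with `\z` is tighter: `if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:_\/ ]*\z/) {`. The comment above the test should also be updated to list the characters actually allowed; validremark continues outside the hunk.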
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index e989f98..537e72a 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -915,6 +915,7 @@
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+ 'fwdfw rule activate' => 'Regel aktivieren',
++'fwdfw rulepos' => 'Regelposition',
+ 'fwdfw source' => 'Quelle',
+ 'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
+ 'fwdfw std network' => 'Standard Netzwerke:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index bb7804b..3ee7a33 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -938,6 +938,7 @@
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+ 'fwdfw rule activate' => 'Activate rule',
++'fwdfw rulepos' => 'Ruleposition',
+ 'fwdfw source' => 'Source',
+ 'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
+ 'fwdfw std network' => 'Standard networks:',
+--
+1.7.10.4
+
--- /dev/null
+From 2fcd56f8f22887adbd316580b0ed0b0253b7c8a1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 11 Jan 2013 13:21:43 +0100
+Subject: [PATCH 029/302] Forward Firewall: when adding custom hosts or
+ networks the cursor is now in first textfield
+
+---
+ html/cgi-bin/fwhosts.cgi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 5a83836..278d57c 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1056,7 +1056,7 @@ sub addnet
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}></td><td>$Lang::tr{'fwhost netaddress'}</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
++ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
+ <tr><td colspan='6'><hr></hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
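Review bot: The changed `<input>` line writes `$fwhostsettings{'HOSTNAME'}` into a single-quoted `value` attribute without HTML-escaping, and the `$fwhostsettings{'error'} eq 'on'` test just below suggests the form is redrawn after a failed submission, possibly with the rejected value. Escaping the value before printing it removes the dependency on whatever the validator accepted. The focus handling could be the `autofocus` attribute on the input rather than an inline `<script>`, which also keeps the page compatible with a script-restricting Content-Security-Policy. The addhost hunk at -1076,7 adds the same line and needs the same treatment; both subs extend beyond their hunks.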
+@@ -1076,7 +1076,7 @@ sub addhost
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'name'}:</td><td width='35%'><input type='TEXT' name='HOSTNAME' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ></td><td><select name='type'>
++ <tr><td>$Lang::tr{'name'}:</td><td width='35%'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ><script>document.getElementById('textbox1').focus()</script></td><td><select name='type'>
+ END
+ if ($fwhostsettings{'type'} eq 'ip'){print "<option value='ip' selected >IP</option>";}else{print "<option value='ip' >IP</option>";}
+ if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
+--
+1.7.10.4
+
--- /dev/null
+From c564ef3141cd87f83313dc0a746b45c8dbf25eac Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 11 Jan 2013 13:33:34 +0100
+Subject: [PATCH 030/302] Forward Firewall: hopefully fixed delte-bug. When
+ deleting a rule, it was possible that the
+ rulenumbers get "holes"
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index c161c4a..7b7271d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -510,7 +510,7 @@ sub deleterule
+ }
+ }
+ # Remove the very last entry.
+- my $last_key = (sort keys %delhash)[-1];
++ my $last_key = (sort {$a <=> $b} keys %delhash)[-1];
+ delete $delhash{$last_key};
+
+ &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
+--
+1.7.10.4
+
--- /dev/null
+From 682e263d7835581f55f89225702a8c629c6e726e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 12 Jan 2013 08:07:33 +0100
+Subject: [PATCH 031/302] Forward Firewall: changed hash sorting to get right
+ ruleorder in Iptables
+
+---
+ config/forwardfw/firewall-lib.pl | 24 ++++++++++++------------
+ config/forwardfw/rules.pl | 7 +++----
+ html/cgi-bin/forwardfw.cgi | 35 +++++++++++++++++++++++++++--------
+ 3 files changed, 42 insertions(+), 24 deletions(-)
+
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+index 44c0079..eb84c4a 100755
+--- a/config/forwardfw/firewall-lib.pl
++++ b/config/forwardfw/firewall-lib.pl
+@@ -68,7 +68,7 @@ my $field;
+ sub get_srv_prot
+ {
+ my $val=shift;
+- foreach my $key (sort keys %customservice){
++ foreach my $key (sort {$a <=> $b} keys %customservice){
+ if($customservice{$key}[0] eq $val){
+ if ($customservice{$key}[0] eq $val){
+ return $customservice{$key}[2];
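Review bot: The two `if` lines under the changed `foreach` in get_srv_prot test the same expression, `$customservice{$key}[0] eq $val`, so the inner test can never differ from the outer one. Either drop the inner `if`, or, if a second field was meant to be checked (get_srv_port in a later hunk compares `[2]` with the protocol), test that field instead. The function body continues outside the hunk.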
+@@ -83,7 +83,7 @@ sub get_srvgrp_prot
+ my $tcp;
+ my $udp;
+ my $icmp;
+- foreach my $key (sort keys %customservicegrp){
++ foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+ if($customservicegrp{$key}[0] eq $val){
+ if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
+ $tcp=1;
+@@ -108,7 +108,7 @@ sub get_srv_port
+ my $val=shift;
+ my $field=shift;
+ my $prot=shift;
+- foreach my $key (sort keys %customservice){
++ foreach my $key (sort {$a <=> $b} keys %customservice){
+ if($customservice{$key}[0] eq $val){
+ if($customservice{$key}[2] eq $prot){
+ return $customservice{$key}[$field];
+@@ -123,7 +123,7 @@ sub get_srvgrp_port
+ my $back;
+ my $value;
+ my @ips=();
+- foreach my $key (sort keys %customservicegrp){
++ foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+ if($customservicegrp{$key}[0] eq $val){
+ if ($prot ne 'ICMP'){
+ $value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
+@@ -146,7 +146,7 @@ sub get_ipsec_net_ip
+ {
+ my $val=shift;
+ my $field=shift;
+- foreach my $key (sort keys %ipsecconf){
++ foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ if($ipsecconf{$key}[1] eq $val){
+ return $ipsecconf{$key}[$field];
+ }
+@@ -156,7 +156,7 @@ sub get_ipsec_host_ip
+ {
+ my $val=shift;
+ my $field=shift;
+- foreach my $key (sort keys %ipsecconf){
++ foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ if($ipsecconf{$key}[1] eq $val){
+ return $ipsecconf{$key}[$field];
+ }
+@@ -166,7 +166,7 @@ sub get_ovpn_n2n_ip
+ {
+ my $val=shift;
+ my $field=shift;
+- foreach my $key (sort keys %ccdhost){
++ foreach my $key (sort {$a <=> $b} keys %ccdhost){
+ if($ccdhost{$key}[1] eq $val){
+ return $ccdhost{$key}[$field];
+ }
+@@ -176,7 +176,7 @@ sub get_ovpn_host_ip
+ {
+ my $val=shift;
+ my $field=shift;
+- foreach my $key (sort keys %ccdhost){
++ foreach my $key (sort {$a <=> $b} keys %ccdhost){
+ if($ccdhost{$key}[1] eq $val){
+ return $ccdhost{$key}[$field];
+ }
+@@ -187,7 +187,7 @@ sub get_ovpn_net_ip
+
+ my $val=shift;
+ my $field=shift;
+- foreach my $key (sort keys %ccdnet){
++ foreach my $key (sort {$a <=> $b} keys %ccdnet){
+ if($ccdnet{$key}[0] eq $val){
+ return $ccdnet{$key}[$field];
+ }
+@@ -197,7 +197,7 @@ sub get_grp_ip
+ {
+ my $val=shift;
+ my $src=shift;
+- foreach my $key (sort keys %customgrp){
++ foreach my $key (sort {$a <=> $b} keys %customgrp){
+ if ($customgrp{$key}[0] eq $val){
+ &get_address($customgrp{$key}[3],$src);
+ }
+@@ -226,7 +226,7 @@ sub get_std_net_ip
+ sub get_net_ip
+ {
+ my $val=shift;
+- foreach my $key (sort keys %customnetwork){
++ foreach my $key (sort {$a <=> $b} keys %customnetwork){
+ if($customnetwork{$key}[0] eq $val){
+ return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
+ }
+@@ -236,7 +236,7 @@ sub get_host_ip
+ {
+ my $val=shift;
+ my $src=shift;
+- foreach my $key (sort keys %customhost){
++ foreach my $key (sort {$a <=> $b} keys %customhost){
+ if($customhost{$key}[0] eq $val){
+ if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
+ return "-m mac --mac-source $customhost{$key}[2]";
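Review bot: get_host_ip returns `"-m mac --mac-source $customhost{$key}[2]"` with the stored value interpolated as-is, and get_net_ip in the previous hunk does the same for address and mask. The hunk does not show how the caller hands these strings to iptables; if they end up in a single command string, any stray whitespace or shell metacharacter in the config value becomes extra arguments or commands. Check the format before returning, for example `return unless $customhost{$key}[2] =~ /\A(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\z/;`, and prefer passing arguments as a list to the command call. get_host_ip continues outside the hunk.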
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 0d945e0..ca2f3cf 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -115,12 +115,12 @@ sub buildrules
+ {
+ my $hash=shift;
+ my $STAG;
+- foreach my $key (sort keys %$hash){
++ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $STAG='';
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
+ if ($$hash{$key}[3] eq 'cust_grp_src'){
+- foreach my $grp (sort keys %customgrp){
++ foreach my $grp (sort {$a <=> $b} keys %customgrp){
+ if($customgrp{$grp}[0] eq $$hash{$key}[4]){
+ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
+ }
+@@ -130,7 +130,7 @@ sub buildrules
+ }
+ #get target ip's
+ if ($$hash{$key}[5] eq 'cust_grp_tgt'){
+- foreach my $grp (sort keys %customgrp){
++ foreach my $grp (sort {$a <=> $b} keys %customgrp){
+ if($customgrp{$grp}[0] eq $$hash{$key}[6]){
+ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
+ }
+@@ -187,7 +187,6 @@ sub buildrules
+ print "\n";
+ print"##################################\n";
+ #print rules to console
+-
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
+ if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7b7271d..78b7827 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -112,7 +112,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+-
+ #check if we change an forward rule to an external access
+ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'updatefwrule'}='';
+@@ -122,7 +121,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+ #check if we change an external access rule to an forward
+ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'updatefwrule'}='';
+@@ -141,9 +139,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ $fwdfwsettings{'nosave'} = 'on';
+ }
+ }
+ }
++ #check if we just close a rule
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $errormessage='';
++ $fwdfwsettings{'nosave2'} = 'on';
++ }
++ }
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ if ($fwdfwsettings{'nobase'} ne 'on'){
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
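Review bot: The control flags `nosave` and `nosave2` are stored in `%fwdfwsettings`, the same hash that holds `ACTION`, `grp1` and the other form fields, so if that hash is filled from the request (not visible here) a client can send `nosave2=on` and skip `&saverule` and `&rules` while the handler still ends in `&base` without an error. Keep this state in lexicals declared in the handler, e.g. `my $skip_save = 0;`, and test those in the later hunks instead. `$errormessage=''` also discards everything appended before the duplicate check, not only the `fwdfw err ruleexists` text. The same pattern is added in the hunk at `-186,9` and used in the hunks at `-155,8`, `-202,7` and `-228,7`.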
+@@ -155,8 +161,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+- &saverule(\%configinputfw,$configinput);
++ if($fwdfwsettings{'nosave2'} ne 'on'){
++ &saverule(\%configinputfw,$configinput);
++ }
+ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+@@ -186,9 +193,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ $fwdfwsettings{'nosave'} = 'on';
+ }
+ }
+ }
++ #check if we just close a rule
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $fwdfwsettings{'nosave2'} = 'on';
++ $errormessage='';
++ }
++ }
+ #increase counters
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+@@ -202,7 +217,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ($fwdfwsettings{'nobase'} eq 'on'){
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+- &saverule(\%configfwdfw,$configfwdfw);
++ if ($fwdfwsettings{'nosave2'} ne 'on'){
++ &saverule(\%configfwdfw,$configfwdfw);
++ }
+ #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+ #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+ #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+@@ -228,7 +245,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ($errormessage){
+ &newrule;
+ }else{
+- &rules;
++ if($fwdfwsettings{'nosave2'} ne 'on'){
++ &rules;
++ }
+ &base;
+ }
+ }
+@@ -491,7 +510,7 @@ sub deleterule
+ my %delhash=();
+ &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
+ foreach my $key (sort {$a <=> $b} keys %delhash){
+- if ($key eq $fwdfwsettings{'key'}){
++ if ($key == $fwdfwsettings{'key'}){
+ #check hosts/net and groups
+ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
+ &checkcounter($delhash{$key}[5],$delhash{$key}[6],,);
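Review bot: With `==` here and `>=` in the next hunk, a missing or non-numeric `$fwdfwsettings{'key'}` is evaluated as 0, so the `>=` test is true for every rule and the whole table is shifted down by one before the last entry is removed. `key` looks like a request field, so check it before the loop, e.g. `return unless $fwdfwsettings{'key'} =~ /\A\d+\z/ && exists $delhash{$fwdfwsettings{'key'}};`. That also covers a key larger than any existing rule, where nothing matches yet the "Remove the very last entry" step shown in patch 030 still appears to run. deleterule starts and ends outside both hunks.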
+@@ -500,7 +519,7 @@ sub deleterule
+ &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
+ }
+ }
+- if ($key ge $fwdfwsettings{'key'}) {
++ if ($key >= $fwdfwsettings{'key'}) {
+ my $next = $key + 1;
+ if (exists $delhash{$next}) {
+ foreach my $i (0 .. $#{$delhash{$next}}) {
+--
+1.7.10.4
+
--- /dev/null
+From af17e5851d90eebd831a3f12764325ccac089d64 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 12 Jan 2013 10:22:49 +0100
+Subject: [PATCH 032/302] Forward Firewall: fixed routine for rulepositioning
+
+---
+ html/cgi-bin/forwardfw.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 78b7827..32ecd78 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1401,8 +1401,7 @@ sub saverule
+ if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){
+ my %tmp=();
+ my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'};
+- for ($a=0;$a<$val;$a++){
+- $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}-$a;
++ for (my $z=0;$z<$val;$z++){
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
+ my $last = $key -1;
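Review bot: `$fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}` is a string comparison, so position 10 compares below position 9 and a move across the single/double-digit boundary takes the wrong branch. The `elsif` with `gt` in the next hunk has the same problem, and both lines are carried over unchanged into the saverule hunk of patch 034. Use `>` in both places. Both values appear to come from the form and `$val` sets the loop count, so it is worth checking them first, e.g. `return unless $fwdfwsettings{'rulepos'} =~ /\A\d+\z/ && exists $$hash{$fwdfwsettings{'rulepos'}};`. saverule starts and ends outside the hunk.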
+@@ -1422,15 +1421,15 @@ sub saverule
+ }
+ }
+ }
++ $fwdfwsettings{'oldrulenumber'}--;
+ }
+ &General::writehasharray("$config", $hash);
+ &rules;
+ }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){
+ my %tmp=();
+ my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'};
+- for ($a=0;$a<$val;$a++){
+- $fwdfwsettings{'oldrulenumber'}=$fwdfwsettings{'oldrulenumber'}+$a;
+- foreach my $key (sort {$a <=> $b} keys %$hash){
++ for (my $z=0;$z<$val;$z++){
++ foreach my $key (sort {$a <=> $b} keys %$hash){
+ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
+ my $next = $key + 1;
+ if (exists $$hash{$next}){
+@@ -1449,6 +1448,7 @@ sub saverule
+ }
+ }
+ }
++ $fwdfwsettings{'oldrulenumber'}++;
+ }
+ &General::writehasharray("$config", $hash);
+ &rules;
+--
+1.7.10.4
+
--- /dev/null
+From ac3a18d3872d37672ee720922a415f9b06476d00 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 12 Jan 2013 10:51:51 +0100
+Subject: [PATCH 033/302] Forward Firewall: refined routine to check if an
+ existing rule is equal to a new one
+
+---
+ html/cgi-bin/forwardfw.cgi | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 32ecd78..f22c4d6 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -139,7 +139,12 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- $fwdfwsettings{'nosave'} = 'on';
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $errormessage='';
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
+ }
+ }
+ }
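Review bot: The exemption added here depends only on the remark, not on which rule matched: `$errormessage=''` runs whenever the submitted remark differs from `oldruleremark` during an update, even when the identical rule that was found is a different entry from the one being edited. It also clears any message appended before this comparison. Since saverule locates the edited rule with `$key eq $fwdfwsettings{'key'}`, a narrower form would be to skip that entry before the comparison, `next if $fwdfwsettings{'updatefwrule'} eq 'on' && $key eq $fwdfwsettings{'key'};`, and leave `$errormessage` untouched. The enclosing loop starts outside the hunk, and the hunk at `-193,7` adds the same lines for `%configfwdfw`.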
+@@ -193,7 +198,12 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- $fwdfwsettings{'nosave'} = 'on';
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $errormessage='';
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
+ }
+ }
+ }
+@@ -950,6 +960,7 @@ sub newrule
+ $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'};
+ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
+ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
++ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
+ }else{
+ $fwdfwsettings{'ACTIVE'}='ON';
+ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
+--
+1.7.10.4
+
--- /dev/null
+From 818b1259e16b866e4ae0c9aa0ba5e7a3671e608f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 14 Jan 2013 13:56:36 +0100
+Subject: [PATCH 034/302] Forward Firewall: BUGFIX: When editing a rule and
+ changing position, no other changes where saved.
+ added the DMZHOLES Rule to init.d/firewall (but
+ chnaged DMZHOLES to FORWARDFW
+
+---
+ html/cgi-bin/forwardfw.cgi | 160 +++++++++++++++++++--------------------
+ src/initscripts/init.d/firewall | 9 ++-
+ 2 files changed, 87 insertions(+), 82 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index f22c4d6..8673c51 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1408,97 +1408,95 @@ sub saverule
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+ &General::writehasharray("$config", $hash);
+ }else{
+- #ruleposition check
+- if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){
+- my %tmp=();
+- my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'};
+- for (my $z=0;$z<$val;$z++){
+- foreach my $key (sort {$a <=> $b} keys %$hash){
+- if ($key eq $fwdfwsettings{'oldrulenumber'}) {
+- my $last = $key -1;
+- if (exists $$hash{$last}){
+- #save rule last
+- foreach my $y (0 .. $#{$$hash{$last}}) {
+- $tmp{0}[$y] = $$hash{$last}[$y];
+- }
+- #copy active rule to last
+- foreach my $i (0 .. $#{$$hash{$last}}) {
+- $$hash{$last}[$i] = $$hash{$key}[$i];
+- }
+- #copy saved rule to actual position
+- foreach my $x (0 .. $#{$tmp{0}}) {
+- $$hash{$key}[$x] = $tmp{0}[$x];
+- }
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if($key eq $fwdfwsettings{'key'}){
++ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
++ $$hash{$key}[1] = $fwdfwsettings{'chain'};
++ $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
++ $$hash{$key}[3] = $fwdfwsettings{'grp1'};
++ $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $$hash{$key}[5] = $fwdfwsettings{'grp2'};
++ $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
++ $$hash{$key}[8] = $fwdfwsettings{'PROT'};
++ $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
++ $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
++ $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
++ $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
++ $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
++ $$hash{$key}[14] = $fwdfwsettings{'grp3'};
++ $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
++ $$hash{$key}[17] = $fwdfwsettings{'LOG'};
++ $$hash{$key}[18] = $fwdfwsettings{'TIME'};
++ $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
++ $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
++ $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
++ $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
++ $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
++ $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
++ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
++ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
++ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ last;
++ }
++ }
++ }
++ &General::writehasharray("$config", $hash);
++ if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){
++ my %tmp=();
++ my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'};
++ for (my $z=0;$z<$val;$z++){
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
++ my $last = $key -1;
++ if (exists $$hash{$last}){
++ #save rule last
++ foreach my $y (0 .. $#{$$hash{$last}}) {
++ $tmp{0}[$y] = $$hash{$last}[$y];
++ }
++ #copy active rule to last
++ foreach my $i (0 .. $#{$$hash{$last}}) {
++ $$hash{$last}[$i] = $$hash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $$hash{$key}[$x] = $tmp{0}[$x];
+ }
+ }
+ }
+- $fwdfwsettings{'oldrulenumber'}--;
+ }
+- &General::writehasharray("$config", $hash);
+- &rules;
+- }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){
+- my %tmp=();
+- my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'};
+- for (my $z=0;$z<$val;$z++){
+- foreach my $key (sort {$a <=> $b} keys %$hash){
+- if ($key eq $fwdfwsettings{'oldrulenumber'}) {
+- my $next = $key + 1;
+- if (exists $$hash{$next}){
+- #save rule next
+- foreach my $y (0 .. $#{$$hash{$next}}) {
+- $tmp{0}[$y] = $$hash{$next}[$y];
+- }
+- #copy active rule to next
+- foreach my $i (0 .. $#{$$hash{$next}}) {
+- $$hash{$next}[$i] = $$hash{$key}[$i];
+- }
+- #copy saved rule to actual position
+- foreach my $x (0 .. $#{$tmp{0}}) {
+- $$hash{$key}[$x] = $tmp{0}[$x];
+- }
++ $fwdfwsettings{'oldrulenumber'}--;
++ }
++ &General::writehasharray("$config", $hash);
++ &rules;
++ }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){
++ my %tmp=();
++ my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'};
++ for (my $z=0;$z<$val;$z++){
++ foreach my $key (sort {$a <=> $b} keys %$hash){
++ if ($key eq $fwdfwsettings{'oldrulenumber'}) {
++ my $next = $key + 1;
++ if (exists $$hash{$next}){
++ #save rule next
++ foreach my $y (0 .. $#{$$hash{$next}}) {
++ $tmp{0}[$y] = $$hash{$next}[$y];
++ }
++ #copy active rule to next
++ foreach my $i (0 .. $#{$$hash{$next}}) {
++ $$hash{$next}[$i] = $$hash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $$hash{$key}[$x] = $tmp{0}[$x];
+ }
+ }
+ }
+- $fwdfwsettings{'oldrulenumber'}++;
+- }
+- &General::writehasharray("$config", $hash);
+- &rules;
+- }else{
+- foreach my $key (sort {$a <=> $b} keys %$hash){
+- if($key eq $fwdfwsettings{'key'}){
+- $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
+- $$hash{$key}[1] = $fwdfwsettings{'chain'};
+- $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'};
+- $$hash{$key}[3] = $fwdfwsettings{'grp1'};
+- $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}};
+- $$hash{$key}[5] = $fwdfwsettings{'grp2'};
+- $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}};
+- $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'};
+- $$hash{$key}[8] = $fwdfwsettings{'PROT'};
+- $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'};
+- $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'};
+- $$hash{$key}[11] = $fwdfwsettings{'USESRV'};
+- $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'};
+- $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'};
+- $$hash{$key}[14] = $fwdfwsettings{'grp3'};
+- $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}};
+- $$hash{$key}[16] = $fwdfwsettings{'ruleremark'};
+- $$hash{$key}[17] = $fwdfwsettings{'LOG'};
+- $$hash{$key}[18] = $fwdfwsettings{'TIME'};
+- $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'};
+- $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'};
+- $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'};
+- $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'};
+- $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'};
+- $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'};
+- $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+- $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+- $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+- last;
+- }
+ }
++ $fwdfwsettings{'oldrulenumber'}++;
+ }
+ &General::writehasharray("$config", $hash);
++ &rules;
+ }
+ }
+ }
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 96c61ea..aeaea45 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -235,7 +235,14 @@ case "$1" in
+ /sbin/iptables -t nat -A POSTROUTING -j REDNAT
+
+ iptables_red
+-
++
++ # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
++ # ORANGE to talk to GREEN / BLUE.
++ /sbin/iptables -N DMZHOLES
++ if [ "$ORANGE_DEV" != "" ]; then
++ /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
++ fi
++
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
+ /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
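Review bot: The added block creates the chain `DMZHOLES` but the FORWARD rule jumps to `FORWARDFW`, and the comment still describes the setdmzholes setuid program. If `FORWARDFW` has not been created before this point (not visible in the hunk), the `-A FORWARD … -j FORWARDFW` call fails and NEW traffic from ORANGE gets no rule here, while `DMZHOLES` stays empty and unreferenced. Drop the `-N DMZHOLES` line or create the chain that is actually used, and update the comment to match. The variable should also be quoted: `if [ -n "$ORANGE_DEV" ]; then` and `-i "$ORANGE_DEV"`.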
+--
+1.7.10.4
+
--- /dev/null
+From 8ce164805321917a189dfcf7483068f67a43d66a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 14 Jan 2013 14:15:18 +0100
+Subject: [PATCH 035/302] Forward Firewall: Added AH Protocol and fixed a bug
+
+---
+ html/cgi-bin/forwardfw.cgi | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8673c51..37ba41d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -624,6 +624,9 @@ sub checksource
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'ICMP_TYPES'}='';
++ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'AH'){
++ $fwdfwsettings{'SRC_PORT'}='';
++ $fwdfwsettings{'ICMP_TYPES'}='';
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }else{
+@@ -720,13 +723,16 @@ sub checktarget
+ $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination');
+ }
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){
+- $fwdfwsettings{'TGT_PORT'} = '';
++ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
+ $fwdfwsettings{'ICMP_TGT'} = '';
+ }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){
+- $fwdfwsettings{'TGT_PORT'}='';
++ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
++ $fwdfwsettings{'ICMP_TGT'}='';
++ }elsif($fwdfwsettings{'TGT_PORT'} eq 'AH'){
++ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
+ $fwdfwsettings{'ICMP_TGT'}='';
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){
+- $fwdfwsettings{'TGT_PORT'} = '';
++ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ foreach my $key (keys %icmptypes){
+
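Review bot: The new AH branch tests `$fwdfwsettings{'TGT_PORT'} eq 'AH'`, copying the ESP branch above it, while the GRE and ICMP branches of the same chain test `TGT_PROT`, and the select extended later in this patch is named `TGT_PROT`. As written, the ESP and AH branches match only when the port field itself holds the protocol name, so the target value and ICMP type are not cleared for those protocols. Change the two conditions to `elsif ($fwdfwsettings{'TGT_PROT'} eq 'ESP')` and `elsif ($fwdfwsettings{'TGT_PROT'} eq 'AH')`. checktarget continues outside the hunk.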
+@@ -1088,7 +1094,7 @@ END
+ <tr><td width='1%'><input type='checkbox' name='USE_SRC_PORT' value='ON' $checked{'USE_SRC_PORT'}{'ON'}></td><td width='51%' colspan='3'>$Lang::tr{'fwdfw use srcport'}</td>
+ <td width='15%' nowrap='nowrap'>$Lang::tr{'fwdfw man port'}</td><td><select name='PROT'>
+ END
+- foreach ("TCP","UDP","GRE","ESP","ICMP")
++ foreach ("TCP","UDP","GRE","ESP","AH","ICMP")
+ {
+ if ($_ eq $fwdfwsettings{'PROT'})
+ {
+@@ -1242,7 +1248,7 @@ END
+ </select></td></tr>
+ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT'>
+ END
+- foreach ("TCP","UDP","GRE","ESP","ICMP")
++ foreach ("TCP","UDP","GRE","ESP","AH","ICMP")
+ {
+ if ($_ eq $fwdfwsettings{'TGT_PROT'})
+ {
+--
+1.7.10.4
+
--- /dev/null
+From 87b0b5c82663bb6b2f726ca9d1f097d14979c30b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 15 Jan 2013 04:56:26 +0100
+Subject: [PATCH 036/302] Forward Firewall: updated de.pl
+
+---
+ langs/de/cgi-bin/de.pl | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index bab5933..539f648 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1,6 +1,5 @@
+ %tr = (
+ %tr,
+-
+ 'Act as' => 'Konfiguriert als',
+ 'Add Level7 rule' => 'Level7-Regel hinzufügen',
+ 'Add Port Rule' => 'Port-Regel hinzufügen',
+@@ -1023,14 +1022,9 @@
+ 'from email server' => 'Von Email Server',
+ 'from email user' => 'Von Email Benutzer',
+ 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+-<<<<<<< HEAD
+ 'fw blue' => 'Firewall Optionen für das Blaue Interface',
+ 'fw default drop' => 'Firewall Policy',
+ 'fw logging' => 'Firewall Logging',
+-=======
+-'fw blue' => 'Firewall-Optionen für das Blaue Interface',
+-'fw logging' => 'Firewall-Logging',
+->>>>>>> c65c1facb42a0519f810534548be7ee9d989cd51
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+ 'gen static key' => 'Statischen Schlüssel erzeugen',
+--
+1.7.10.4
+
--- /dev/null
+From 5ab5b24a42cbe3295f2e6ae89fde53bafb19b90f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 15 Jan 2013 05:04:33 +0100
+Subject: [PATCH 037/302] Forward Firewall: set standard config for Firewall
+
+---
+ lfs/configroot | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lfs/configroot b/lfs/configroot
+index 8a18cfb..25aa9af 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -114,7 +114,8 @@ $(TARGET) :
+ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+-
++ echo "POLICY=MODE0" >> $(CONFIG_ROOT)/forward/settings
++
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+ # Modify variables in header.pl
+--
+1.7.10.4
+
--- /dev/null
+From 0f8fef10e6949fcdea730162cc080c2419f39ac0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 15 Jan 2013 12:31:09 +0100
+Subject: [PATCH 038/302] Forward Firewall: added P2P Block Option
+
+---
+ config/forwardfw/rules.pl | 41 +++++++++++++++++++++---
+ html/cgi-bin/forwardfw.cgi | 74 ++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 100 insertions(+), 15 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index ca2f3cf..1043ba6 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -24,7 +24,6 @@
+ # This script builds firewallrules from the webinterface #
+ ###############################################################################
+
+-
+ use strict;
+ no warnings 'uninitialized';
+
+@@ -45,12 +44,14 @@ my @timeframe=();
+ my %configinputfw=();
+ my %aliases=();
+ my @DPROT=();
++my @p2ps=();
+ require '/var/ipfire/general-functions.pl';
+ require "${General::swroot}/lang.pl";
+ require "${General::swroot}/forward/bin/firewall-lib.pl";
+
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
++my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $configgrp = "${General::swroot}/fwhosts/customgroups";
+ my $errormessage='';
+ my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+@@ -106,6 +107,7 @@ sub preparerules
+ {
+ if (! -z "${General::swroot}/forward/config"){
+ &buildrules(\%configfwdfw);
++ &p2pblock;
+ }
+ if (! -z "${General::swroot}/forward/input"){
+ &buildrules(\%configinputfw);
+@@ -163,7 +165,6 @@ sub buildrules
+ if ($DPROT eq ''){$DPROT=' ';}
+ @DPROT=split(",",$DPROT);
+
+-
+ #get time if defined
+ if($$hash{$key}[18] eq 'ON'){
+ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
+@@ -178,7 +179,6 @@ sub buildrules
+ $TIMETILL="--timestop $$hash{$key}[27] ";
+ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
+ }
+-
+ if ($MODE eq '1'){
+ print "NR:$key ";
+ foreach my $i (0 .. $#{$$hash{$key}}){
+@@ -235,6 +235,39 @@ sub buildrules
+ undef $TIMETILL;
+ }
+ }
++sub p2pblock
++{
++ my $P2PSTRING;
++ my $DO;
++ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
++ @p2ps = <FILE>;
++ close FILE;
++ my $CMD = "-m ipp2p";
++ foreach my $p2pentry (sort @p2ps) {
++ my @p2pline = split( /\;/, $p2pentry );
++ if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
++ $DO = "DROP";
++ if ("$p2pline[2]" eq "off") {
++ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
++ }
++ } else {
++ $DO = "RETURN";
++ if ("$p2pline[2]" eq "on") {
++ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
++ }
++ }
++ }
++ if ($MODE eq 1){
++ if($P2PSTRING){
++ print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
++ }
++ }else{
++ if($P2PSTRING){
++ system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
++ }
++ }
++}
++
+ sub get_address
+ {
+ my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
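Review bot: The new p2pblock passes `$p2pline[1]`, read straight from the p2protocols file, into a single-string `system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO")`, so the shell parses whatever that field contains, and the exit status is ignored. A failed insert therefore leaves FORWARDFW without the P2P rule and without any message. I would validate the field inside the loop with `next unless $p2pline[1] =~ /\A[a-z0-9]+\z/;` and call iptables in list form with the result tested: `system("/sbin/iptables", "-A", "FORWARDFW", "-m", "ipp2p", split(' ', $P2PSTRING), "-j", $DO) == 0 or warn "iptables failed: $?";`. The two-argument `open( FILE, "< $p2pfile" )` on a bareword handle is better written as `open(my $fh, '<', $p2pfile)` with `$!` in the die text.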
+@@ -336,8 +369,6 @@ sub get_port
+ elsif($prot eq 'ICMP'){
+ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
+ }
+-
+-
+ }
+ }
+ }
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 37ba41d..8d70bfb 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -68,6 +68,7 @@ my %icmptypes=();
+ my %ovpnsettings=();
+ my %ipsecsettings=();
+ my %aliases=();
++my @p2ps = ();
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -81,7 +82,7 @@ my $configipsecrw = "${General::swroot}/vpn/settings";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+-
++my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $errormessage='';
+ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+@@ -345,6 +346,29 @@ if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+ #$fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+ }
++if ($fwdfwsettings{'ACTION'} eq 'togglep2p')
++{
++ #$errormessage="Toggle $fwdfwsettings{'P2PROT'}<br>";
++ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
++ @p2ps = <FILE>;
++ close FILE;
++ open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile";
++ foreach my $p2pentry (sort @p2ps)
++ {
++ my @p2pline = split( /\;/, $p2pentry );
++ if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) {
++ if($p2pline[2] eq 'on'){
++ $p2pline[2]='off';
++ }else{
++ $p2pline[2]='on';
++ }
++ }
++ print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
++ }
++ close FILE;
++ &rules;
++ &base;
++}
+ if ($fwdfwsettings{'ACTION'} eq '')
+ {
+ &base;
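Review bot: The togglep2p block reopens `$p2pfile` with `>` immediately after reading it, so the file is truncated before the new content is written. If the script dies or a second request reads the file in that window, entries are lost, and p2pblock in rules.pl then builds no ipp2p option for the missing lines. Writing to a temporary file and renaming it keeps the old list intact until the new one is complete: use `open( FILE, "> $p2pfile.tmp" )` for the write and `rename("$p2pfile.tmp", $p2pfile) or die "Unable to replace $p2pfile: $!";` after `close FILE`. A line with fewer than three fields is also written back with empty fields, so skipping entries whose `$p2pline[1]` is empty would stop a damaged line from being carried forward.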
+@@ -481,6 +505,9 @@ sub base
+ #print"<td bgcolor='$color{$i}'>$_</td>";
+ #}
+ #print"</tr></table>";
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1' || $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
++ &p2pblock;
++ }
+ &Header::openbox('100%', 'center', 'Policy');
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+@@ -490,13 +517,13 @@ print <<END;
+ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px"><option value='MODE0' $selected{'POLICY'}{'MODE0'}>$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
+- <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+- <td width='45%' align='left'>
++ <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
++ <td width='45%' align='left'>
+ END
+ if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) {
+ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
+ }
+-print "</table></form>";
++ print "</table></form>";
+ &Header::closebox();
+ }
+ sub addrule
+@@ -564,7 +591,7 @@ sub disable_rule
+ sub checksource
+ {
+ my ($ip,$subnet);
+-
++
+ #check ip-address if manual
+ if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
+ #check if ip with subnet
+@@ -579,7 +606,7 @@ sub checksource
+ $subnet = '32';
+ $fwdfwsettings{'isip'}='on';
+ }
+-
++
+ if ($fwdfwsettings{'isip'} ne 'on'){
+ if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
+ }
+@@ -594,7 +621,7 @@ sub checksource
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ }
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+-
++
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ }
+@@ -671,7 +698,7 @@ sub checktarget
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+-
++
+ #check if net or broadcast
+ my @tmp= split (/\./,$ip);
+ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+@@ -994,11 +1021,9 @@ END
+ }
+ print"</select></td></tr></table><hr>";
+
+-
+ &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
+
+-
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+@@ -1806,6 +1831,35 @@ END
+ &Header::closebox();
+ }
+ }
++sub p2pblock
++{
++ my $gif;
++ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
++ @p2ps = <FILE>;
++ close FILE;
++ &Header::openbox('100%', 'center', 'P2P-Block');
++ print <<END;
++ <table width='40%' border='0'>
++ <tr bgcolor='$color{'color22'}'><td align=center colspan='2' width='30%'><b>$Lang::tr{'protocol'}</b><td width='10%' align=center><b>$Lang::tr{'status'}</b>
++END
++ foreach my $p2pentry (sort @p2ps)
++ {
++ my @p2pline = split( /\;/, $p2pentry );
++ if($p2pline[2] eq 'on'){
++ $gif="/images/on.gif"
++ }else{
++ $gif="/images/off.gif"
++ }
++ print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <tr bgcolor='$color{'color20'}'>
++ <td width='66%' align='center' colspan='2'>$p2pline[0]:</td><td width='33%' align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
++END
++ }
++ print"<tr><td width='10%'><input type='image' img src='/images/on.gif'></td><td>$Lang::tr{'outgoing firewall p2p deny'}</td><td></td></tr>";
++ print"<tr><td width='10%'><input type='image' img src='/images/off.gif'></td><td>$Lang::tr{'outgoing firewall p2p allow'}</td><td></td></tr></table>";
++ &Header::closebox();
++}
+ sub fillselect
+ {
+ my %hash=%{(shift)};
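Review bot: In the new p2pblock, `$p2pline[0]` and `$p2pline[1]` from the p2protocols file are interpolated into the table cell and into `value='$p2pline[1]'` without HTML escaping. The shipped file holds only plain names, but the page should not depend on that: escape both values before printing (at least `&`, `<`, `>` and both quote characters), or skip lines whose fields do not match a strict pattern such as `/\A[A-Za-z0-9]+\z/`. The two legend rows use `<input type='image' img src=...>` outside any form where a plain `<img src='/images/on.gif'>` is meant. The `alt` text is 'click to disable' for entries in either state.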
+--
+1.7.10.4
+
--- /dev/null
+From b1017215641de1f1189f4f1aa68f813a9dd8f51c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 15 Jan 2013 12:37:27 +0100
+Subject: [PATCH 039/302] Forward Firewall: added p2protocols to
+ /var/ipfire/forward/ for p2pblocking options
+
+---
+ config/forwardfw/p2protocols | 9 +++++++++
+ config/rootfiles/common/configroot | 1 +
+ lfs/configroot | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 config/forwardfw/p2protocols
+
+diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols
+new file mode 100644
+index 0000000..d899809
+--- /dev/null
++++ b/config/forwardfw/p2protocols
+@@ -0,0 +1,9 @@
++Applejuice;apple;on;
++Ares;ares;on;
++Bittorrent;bit;on;
++DirectConnect;dc;on;
++Edonkey;edk;on;
++Gnutella;gnu;on;
++KaZaA;kazaa;on;
++SoulSeek;soul;on;
++WinMX;winmx;on;
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index d4f96b8..b35a627 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -48,6 +48,7 @@ var/ipfire/forward/bin/firewall-lib.pl
+ var/ipfire/forward/settings
+ var/ipfire/forward/config
+ var/ipfire/forward/input
++var/ipfire/forward/p2protocols
+ var/ipfire/fwhosts
+ var/ipfire/fwhosts/icmp-types
+ var/ipfire/fwhosts/customhosts
+diff --git a/lfs/configroot b/lfs/configroot
+index 25aa9af..eacee0b 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -100,6 +100,7 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
+ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
++ cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
+--
+1.7.10.4
+
--- /dev/null
+From 25713e01fffd87110a3d43c0809097dbe5b19a84 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 15 Jan 2013 13:07:59 +0100
+Subject: [PATCH 040/302] Forward Firewall: Bugfix: when usinf ESP or AH as
+ target protocol, no rules where created
+
+---
+ html/cgi-bin/forwardfw.cgi | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8d70bfb..8e1100b 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -734,7 +734,7 @@ sub checktarget
+ }
+ }
+ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+- if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){
++ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
+ #change dashes with :
+ $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/;
+@@ -751,15 +751,19 @@ sub checktarget
+ }
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){
+ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
++ $fwdfwsettings{'TGT_PORT'} = '';
+ $fwdfwsettings{'ICMP_TGT'} = '';
+- }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){
++ }elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){
+ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
++ $fwdfwsettings{'TGT_PORT'} = '';
+ $fwdfwsettings{'ICMP_TGT'}='';
+- }elsif($fwdfwsettings{'TGT_PORT'} eq 'AH'){
++ }elsif($fwdfwsettings{'TGT_PROT'} eq 'AH'){
+ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
++ $fwdfwsettings{'TGT_PORT'} = '';
+ $fwdfwsettings{'ICMP_TGT'}='';
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){
+ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
++ $fwdfwsettings{'TGT_PORT'} = '';
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ foreach my $key (keys %icmptypes){
+
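Review bot: The GRE, ESP and AH branches in checktarget are now three identical copies, which is the kind of duplication that let the `TGT_PORT`/`TGT_PROT` mix-up fixed here go unnoticed. A single branch would do: `}elsif($fwdfwsettings{'TGT_PROT'} =~ /\A(?:GRE|ESP|AH)\z/){`. With the first test changed to `eq 'TCP' || eq 'UDP'` in the preceding hunk, a submitted TGT_PROT outside the six known names matches no branch visible here. It is worth confirming that the rest of checktarget, which starts and ends outside the hunk, rejects such a value instead of storing it.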
+@@ -777,6 +781,7 @@ sub checktarget
+ $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
+ $fwdfwsettings{'TGT_PROT'}='';
+ $fwdfwsettings{'ICMP_TGT'}='';
++
+ }
+ #check timeframe
+ if($fwdfwsettings{'TIME'} eq 'ON'){
+--
+1.7.10.4
+
--- /dev/null
+From e4012c524d4bf24a99499bee2e47153a399dca58 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 16 Jan 2013 06:12:34 +0100
+Subject: [PATCH 041/302] Forward Firewall: edited p2pblock call in rules.pl
+
+---
+ config/forwardfw/rules.pl | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 1043ba6..169bc18 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -89,10 +89,13 @@ if($param eq 'flush'){
+ &preparerules;
+ if($MODE eq '0'){
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
++ &p2pblock;
+ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ &p2pblock;
+ system ("/usr/sbin/firewall-forward-policy");
+- }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
++ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
++ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
+ system ("/usr/sbin/firewall-forward-policy");
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ }
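Review bot: As far as this hunk shows, p2pblock is now called only inside `if($MODE eq '0')`, so the `$MODE eq 1` branch of p2pblock that prints the command can no longer be reached. The listing mode would then omit the ipp2p rule that a real run installs; calling `&p2pblock` for MODE1/MODE2 outside the `$MODE eq '0'` test would keep the two in step, since p2pblock already chooses between print and system. The added `system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");` relies on PATH while p2pblock uses `/sbin/iptables`. None of the `system` results are checked, so a failed firewall-forward-policy or iptables call passes silently; use the absolute path and test the return value. The enclosing `if` begins before the hunk.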
+@@ -107,7 +110,6 @@ sub preparerules
+ {
+ if (! -z "${General::swroot}/forward/config"){
+ &buildrules(\%configfwdfw);
+- &p2pblock;
+ }
+ if (! -z "${General::swroot}/forward/input"){
+ &buildrules(\%configinputfw);
+--
+1.7.10.4
+
--- /dev/null
+From b95051d937292a05c4f3a22f264623010dd81bc9 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 08:35:25 +0100
+Subject: [PATCH 042/302] Forward Firewall: added converters for old exaccess
+ rules and old rules from outgoingfw and old
+ firewallgroups. Also fixed a Bug: Day SUN was not
+ checked when in rule-edit mode
+
+---
+ config/forwardfw/convert-outgoingfw | 525 +++++++++++++++++++++++++++++++++++
+ config/forwardfw/convert-xtaccess | 111 ++++++++
+ config/rootfiles/common/stage2 | 2 +
+ html/cgi-bin/forwardfw.cgi | 7 +-
+ lfs/configroot | 3 +
+ 5 files changed, 645 insertions(+), 3 deletions(-)
+ create mode 100644 config/forwardfw/convert-outgoingfw
+ create mode 100644 config/forwardfw/convert-xtaccess
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+new file mode 100644
+index 0000000..282a017
+--- /dev/null
++++ b/config/forwardfw/convert-outgoingfw
+@@ -0,0 +1,525 @@
++#!/usr/bin/perl
++
++
++require '/var/ipfire/general-functions.pl';
++use Socket;
++
++my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/";
++my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/";
++my $outgoingrules = "${General::swroot}/outgoing/rules";
++my $outfwsettings = "${General::swroot}/outgoing/settings";
++my $host = "Converted ";
++my $confighosts = "${General::swroot}/fwhosts/customhosts";
++my $confignets = "${General::swroot}/fwhosts/customnetworks";
++my $configgroups = "${General::swroot}/fwhosts/customgroups";
++my $ovpnsettings = "${General::swroot}/ovpn/settings";
++my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";
++my $ccdconfig = "${General::swroot}/ovpn/ccd.conf";
++my $fwdfwconfig = "${General::swroot}/forward/config";
++my $fwdfwsettings = "${General::swroot}/forward/settings";
++my @ipgroups = qx(ls $ipgrouppath);
++my @macgroups = qx(ls $macgrouppath);
++my @hostarray=();
++my %outsettings=();
++my %hosts=();
++my %nets=();
++my %groups=();
++my %settingsovpn=();
++my %configovpn=();
++my %ccdconf=();
++my %fwconf=();
++my %fwdsettings=();
++&General::readhash($outfwsettings,\%outsettings);
++
++
++&process_groups;
++&process_rules;
++
++
++
++sub process_groups
++{
++ if(! -d "/var/log/firewall"){ mkdir("/var/log/firewall");}
++ if( -f "/var/log/firewall/ip-convert.log"){unlink ("/var/log/firewall/ip-convert.log");}
++ open (LOG, ">/var/log/firewall/ip-convert.log") or die $!;
++ #IP Group processing
++ foreach my $group (@ipgroups){
++ chomp $group;
++ open (DATEI, "<$ipgrouppath/$group");
++ my @zeilen = <DATEI>;
++ foreach my $ip (@zeilen){
++ chomp($ip);
++ $ip =~ s/\s//gi;
++ my $val=&check_ip($ip);
++ if($val){
++ push(@hostarray,$val.",ip");
++ }
++ else{
++ print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
++ }
++ $val='';
++ }
++ &new_hostgrp($group,'ip');
++ @hostarray=();
++ }
++ $group='';
++ @zeilen=();
++ @hostarray=();
++ #MAC Group processing
++ foreach my $group (@macgroups){
++ chomp $group;
++ open (DATEI, "<$macgrouppath/$group");
++ my @zeilen = <DATEI>;
++ foreach my $mac (@zeilen){
++ chomp($mac);
++ $mac =~ s/\s//gi;
++ #MAC checking
++ if(&General::validmac($mac)){
++ $val=$mac;
++ }
++ if($val){
++ push(@hostarray,$val.",mac");
++ }
++ else{
++ print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
++ }
++ $val='';
++ }
++ &new_hostgrp($group,'mac');
++ @hostarray=();
++ }
++ close (LOG);
++}
++sub check_ip
++{
++ my $adr=shift;
++ my $a;
++ #ip with subnet in decimal
++ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
++ $adr=int($1).".".int($2).".".int($3).".".int($4);
++ my $b = &General::iporsubtodec($5);
++ $a=$adr."/".$b;
++ }
++ if($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $adr=int($1).".".int($2).".".int($3).".".int($4);
++ if(&General::validip($adr)){
++ $a=$adr."/255.255.255.255";
++ }
++ }
++ if(&General::validipandmask($adr)){
++ $a=&General::iporsubtodec($adr);
++ }
++ return $a;
++}
++sub new_hostgrp
++{
++ &General::readhasharray($confighosts,\%hosts);
++ &General::readhasharray($confignets,\%nets);
++ &General::readhasharray($configgroups,\%groups);
++ my $grp=shift;
++ my $run=shift;
++ my $name; #"converted"
++ my $name2;
++ my $name3; #custom host/custom net
++ foreach my $adr (@hostarray){
++ if($run eq 'ip'){
++ my ($ip,$type) = split(",",$adr);
++ my ($ippart,$subnet) = split("/",$ip);
++ my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet);
++ if($byte4 eq '255'){
++ if(!&check_host($ip)){
++ my $key = &General::findhasharraykey(\%hosts);
++ $name="host ";
++ $name2=$name.$ippart;
++ $name3="Custom Host";
++ $hosts{$key}[0] = $name2;
++ $hosts{$key}[1] = $type;
++ $hosts{$key}[2] = $ip;
++ $hosts{$key}[3] = 1;
++ }else{
++ print LOG "Host (IP) $ip already exists\n";
++ }
++ }elsif($byte4 < '255'){
++ if(!&check_net($ippart,$subnet)){
++ my $netkey = &General::findhasharraykey(\%nets);
++ $name="net ";
++ $name2=$name.$ippart;
++ $name3="Custom Network";
++ $nets{$netkey}[0] = $name2;
++ $nets{$netkey}[1] = $ippart;
++ $nets{$netkey}[2] = $subnet;
++ $nets{$netkey}[3] = 1;
++ }else{
++ print LOG "Network $ippart already exists\n";
++ }
++ }
++ if($name2){
++ my $grpkey = &General::findhasharraykey(\%groups);
++ $groups{$grpkey}[0] = $grp;
++ $groups{$grpkey}[1] = '';
++ $groups{$grpkey}[2] = $name2;
++ $groups{$grpkey}[3] = $name3;
++ $groups{$grpkey}[4] = 0;
++ }
++ }elsif($run eq 'mac'){
++ #MACRUN
++ my ($mac,$type) = split(",",$adr);
++ if(!&check_host($mac)){
++ my $key = &General::findhasharraykey(\%hosts);
++ $name="host ";
++ $name2=$name.$mac;
++ $name3="Custom Host";
++ $hosts{$key}[0] = $name2;
++ $hosts{$key}[1] = $type;
++ $hosts{$key}[2] = $mac;
++ $hosts{$key}[3] = 1;
++ }else{
++ print LOG "Host (MAC) $mac already exists\n";
++ }
++ if($name2){
++ my $grpkey = &General::findhasharraykey(\%groups);
++ $groups{$grpkey}[0] = $grp;
++ $groups{$grpkey}[1] = '';
++ $groups{$grpkey}[2] = $name2;
++ $groups{$grpkey}[3] = $name3;
++ $groups{$grpkey}[4] = 0;
++ }
++ }
++ }
++ &General::writehasharray($confighosts,\%hosts);
++ &General::writehasharray($configgroups,\%groups);
++ &General::writehasharray($confignets,\%nets);
++}
++sub check_host
++{
++ my $ip=shift;
++ foreach my $key (sort keys %hosts)
++ {
++ if($hosts{$key}[2] eq $ip)
++ {
++ return 1;
++ }
++ }
++ return 0;
++}
++sub check_net
++{
++ my $ip=shift;
++ my $sub=shift;
++ foreach my $key (sort keys %nets)
++ {
++ if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub)
++ {
++ return 1;
++ }
++ }
++ return 0;
++}
++sub check_grp
++{
++ my $grp=shift;
++ my $value=shift;
++ foreach my $key (sort keys %groups)
++ {
++ if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value)
++ {
++ return 1;
++ }
++ }
++ return 0;
++}
++sub process_rules
++{
++ print "Outgoing ist im Mode $outsettings{'POLICY'}\n";
++ &General::readhash($fwdfwsettings,\%fwdsettings);
++ if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){
++ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
++ &General::writehash($fwdfwsettings,\%fwdsettings);
++ }
++ #open LOG
++ if( -f "/var/log/firewall/rule-convert.log"){unlink ("/var/log/firewall/rule-convert.log");}
++ open (LOG, ">/var/log/firewall/rule-convert.log") or die $!;
++
++ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
++ if ($outsettings{'POLICY'} eq 'MODE1'){
++ $type='ALLOW';
++ $action='ACCEPT';
++ }elsif($outsettings{'POLICY'} eq 'MODE2'){
++ $type='DENY';
++ $action='DROP';
++ }else{
++ return;
++ }
++ open (DATEI, "<$outgoingrules");
++ my @lines = <DATEI>;
++ foreach my $rule (@lines)
++ {
++ chomp($rule);
++ print LOG "processing: $rule\n";
++ print "$rule\n";
++ my @configline = split( /\;/, $rule );
++ my @prot=();
++ if($configline[0] eq $type){
++ #some variables we can use from old config
++ if($configline[1] eq 'on'){ $active='ON';}else{$active='';}
++ if($configline[3] eq 'all'){
++ push(@prot,"tcp");
++ push(@prot,"udp");
++ $useport='ON';
++ $grp3='TGT_PORT';
++
++ }else{
++ push(@prot,$configline[3]);
++ $useport='ON';
++ $grp3='TGT_PORT';
++ }
++ if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';}
++ if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}
++
++ if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
++ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
++ $time='';
++ }else{
++ $time='ON';
++ }
++ }else{
++ $time='ON';
++ }
++ $time_mon=$configline[10];
++ $time_tue=$configline[11];
++ $time_wed=$configline[12];
++ $time_thu=$configline[13];
++ $time_fri=$configline[14];
++ $time_sat=$configline[15];
++ $time_sun=$configline[16];
++ $time_from=$configline[17];
++ $time_to=$configline[18];
++ ############################################################
++ #sourcepart
++ if ($configline[2] eq 'green') {
++ $grp1='std_net_src';
++ $source='GREEN';
++ }elsif ($configline[2] eq 'orange') {
++ $grp1='std_net_src';
++ $source='ORANGE';
++ }elsif ($configline[2] eq 'red') {
++ print LOG "-> Rule not converted, is an outgoing rule.Please put it manually in /etc/sysconfig/firewall.local \n";
++ next;
++ }elsif ($configline[2] eq 'blue') {
++ $grp1='std_net_src';
++ $source='BLUE';
++ }elsif ($configline[2] eq 'ipsec') {
++ print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
++ next;
++ }elsif ($configline[2] eq 'ovpn') {
++ &build_ovpn_grp;
++ }elsif ($configline[2] eq 'ip') {
++ my $z=&check_ip($configline[5]);
++ if($z){
++ $grp1='src_addr';
++ $source=$z;
++ }else{
++ print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
++ next;
++ }
++ }elsif ($configline[2] eq 'mac') {
++ if(&General::validmac($configline[6])){
++ $grp1='src_addr';
++ $source=$configline[6];
++ }else{
++ print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
++ next;
++ }
++ }elsif ($configline[2] eq 'all') {
++ $grp1='std_net_src';
++ $source='ALL';
++ }else{
++ #&General::readhasharray($configgroups,\%groups);
++ foreach my $key (sort keys %groups){
++ if($groups{$key}[0] eq $configline[2]){
++ $grp1='cust_grp_src';
++ $source=$configline[2];
++ }
++ }
++ if ($grp1 eq '' || $source eq ''){
++ print LOG "-> Rule not converted, no valid source recognised\n";
++ }
++ }
++ ############################################################
++ #destinationpart
++ if($configline[7] ne ''){
++ my $address=&check_ip($configline[7]);
++ if($address){
++ $grp2='tgt_addr';
++ $target=$address;
++ }elsif(!$address){
++ my $getwebsiteip=&get_ip_from_domain($configline[7]);
++ if ($getwebsiteip){
++ $grp2='tgt_addr';
++ $target=$getwebsiteip;
++ }else{
++ print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
++ next;
++ }
++ }
++ }else{
++ $grp2='std_net_tgt';
++ $target='ALL';
++ }
++ if($configline[8] ne ''){
++ if (!($configline[8] =~ /^(\d+)\:(\d+)$/)) {
++ if(&General::validport($configline[8])){
++ $useport='ON';
++ $port=$configline[8];
++ $grp3='TGT_PORT';
++ }else{
++ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ next;
++ }
++ }else{
++ my ($a1,$a2) = split(/\:/,$configline[8]);
++ if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
++ $useport='ON';
++ $port=$configline[8];
++ $grp3='TGT_PORT';
++ }else{
++ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ next;
++ }
++ }
++ }
++ }else{
++ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
++ }
++ &General::readhasharray($fwdfwconfig,\%fwconfig);
++ my $check;
++ foreach my $protocol (@prot){
++ $protocol=uc($protocol);
++ print"0:$action 1:FORWARDFW 2:$active 3:$grp1 4:$source 5:$grp2 6:$target 7:src_srv(leer) 8:srcprot(leer) 9:icmp(leer) 10:srcport(leer) 11:$useport 12:$protocol 13:icmp(leer) 14:$grp3 15:$port 16:$remark 17:$log 18:$time 19:$time_mon 20:$time_tue 21:$time_wed 22:$time_thu 23:$time_fri 24:$time_sat 25:$time_sun 26:$time_from 27:$time_to\n\n";
++ print LOG "-> Converted: $action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
++ #Put rules into system....
++ ###########################
++
++ #check for double rules
++ foreach my $key (sort keys %fwconfig){
++ if("$action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
++ eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
++ $check='on';
++ next;
++ }
++ }
++ if($check ne 'on'){
++ #increase groupcounter
++ my $check1;
++ if($grp1 eq 'cust_grp_src'){
++ foreach my $key (sort keys %groups){
++ if($groups{$key}[0] eq $source){
++ $groups{$key}[4]++;
++ $check1='on';
++ }
++ }
++ if($check1 eq 'on'){
++ print" schreibe in gruppe\n";
++ &General::writehasharray($configgroups,\%groups);
++ }
++ }
++ print"SCHREIBE REGEL!\n";
++ my $key = &General::findhasharraykey(\%fwconfig);
++ $fwconfig{$key}[0] = $action;
++ $fwconfig{$key}[1] = "FORWARDFW";
++ $fwconfig{$key}[2] = $active;
++ $fwconfig{$key}[3] = $grp1;
++ $fwconfig{$key}[4] = $source;
++ $fwconfig{$key}[5] = $grp2;
++ $fwconfig{$key}[6] = $target;
++ $fwconfig{$key}[11] = $useport;
++ $fwconfig{$key}[12] = $protocol;
++ $fwconfig{$key}[14] = $grp3;
++ $fwconfig{$key}[15] = $port;
++ $fwconfig{$key}[16] = $remark;
++ $fwconfig{$key}[17] = $log;
++ $fwconfig{$key}[18] = $time;
++ $fwconfig{$key}[19] = $time_mon;
++ $fwconfig{$key}[20] = $time_tue;
++ $fwconfig{$key}[21] = $time_wed;
++ $fwconfig{$key}[22] = $time_thu;
++ $fwconfig{$key}[23] = $time_fri;
++ $fwconfig{$key}[24] = $time_sat;
++ $fwconfig{$key}[25] = $time_sun;
++ $fwconfig{$key}[26] = $time_from;
++ $fwconfig{$key}[27] = $time_to;
++ }
++ }
++ &General::writehasharray($fwdfwconfig,\%fwconfig);
++ system("/usr/local/bin/forwardfwctrl");
++ @prot=();
++ }
++ close(LOG);
++ @lines=();
++}
++sub get_ip_from_domain
++{
++ $web=shift;
++ my $resolvedip;
++ my $checked;
++ my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web);
++ if(@addrs){
++ $resolvedip=inet_ntoa($addrs[0]);
++ return $resolvedip;
++ }
++ return;
++}
++sub build_ovpn_grp
++{
++ &General::readhasharray($confighosts,\%hosts);
++ &General::readhasharray($confignets,\%nets);
++ &General::readhasharray($configgroups,\%groups);
++ &General::readhasharray($ovpnconfig,\%configovpn);
++ &General::readhasharray($ccdconfig,\%ccdconf);
++ &General::readhash($ovpnsettings,\%settingsovpn);
++ #get ovpn nets
++ my @ovpnnets=();
++ if($settingsovpn{'DOVPN_SUBNET'}){
++ my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
++ push (@ovpnnets,"$net,$subnet,dynamic");
++ }
++ foreach my $key (sort keys %ccdconf){
++ my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
++ $subnet=&General::iporsubtodec($subnet);
++ push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
++ }
++ foreach my $key (sort keys %configovpn){
++ if ($configovpn{$key}[3] eq 'net'){
++ my ($net,$subnet)=split("/",$configovpn{$key}[27]);
++ push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
++ }
++ }
++ #add ovpn nets to customnetworks/groups
++ foreach my $line (@ovpnnets){
++ my ($net,$subnet,$name) = split(",",$line);
++ if (!&check_net($net,$subnet)){
++ my $netkey = &General::findhasharraykey(\%nets);
++ $name2=$name."(ovpn)".$net;
++ $name3="Custom Network";
++ $nets{$netkey}[0] = $name2;
++ $nets{$netkey}[1] = $net;
++ $nets{$netkey}[2] = $subnet;
++ $nets{$netkey}[3] = 1;
++ }else{
++ print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n";
++ }
++ if($name2){
++ my $grpkey = &General::findhasharraykey(\%groups);
++ $groups{$grpkey}[0] = "ovpn";
++ $groups{$grpkey}[1] = '';
++ $groups{$grpkey}[2] = $name2;
++ $groups{$grpkey}[3] = "Custom Network";
++ $groups{$grpkey}[4] = 0;
++ }
++ $name2='';
++ }
++ @ovpnnets=();
++ &General::writehasharray($confighosts,\%hosts);
++ &General::writehasharray($configgroups,\%groups);
++ &General::writehasharray($confignets,\%nets);
++}
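Review bot: In process_rules the per-rule variables (`$grp1`, `$source`, `$grp2`, `$target`, `$port`, …) are declared once before the `foreach my $rule (@lines)` loop and never cleared, and the branch that logs "no valid source recognised" has no `next`. A rule whose source is not recognised, or the `ovpn` case where build_ovpn_grp sets neither variable, is therefore written with the source left over from the previous rule, and a rule without a port inherits the previous port. In MODE1 that can become an ACCEPT rule for a different source than the old rule had. Clear them at the top of the loop, e.g. `($grp1,$source,$grp2,$target,$port) = ('') x 5;`, and add `next;` after that log line. The script also lacks `use strict;`, so the mismatch between the declared `%fwconf` and the `%fwconfig` actually used goes unreported, and it opens group files with an unchecked two-argument `open (DATEI, "<$ipgrouppath/$group")` on names from `qx(ls ...)`; `opendir`/`readdir` with a checked three-argument open would be safer.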
+diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
+new file mode 100644
+index 0000000..3db7da6
+--- /dev/null
++++ b/config/forwardfw/convert-xtaccess
+@@ -0,0 +1,111 @@
++#!/usr/bin/perl
++my @current=();
++my @alias=();
++my %configinputfw=();
++require '/var/ipfire/general-functions.pl';
++my $xtaccessconfig = "${General::swroot}/xtaccess/config";
++my $inputfwconfig = "${General::swroot}/forward/input";
++my $aliasconfig = "${General::swroot}/ethernet/aliases";
++my $field0='ACCEPT';
++my $field1='INPUTFW';
++my $field2=''; #ON or emtpy
++my $field3=''; #std_net_src or src_addr
++my $field4=''; #ALL or IP-Address with /32
++my $field5='ipfire';
++my $field6=''; #Default IP or alias name
++my $field11='ON'; #use target port
++my $field12=''; #TCP or UDP
++my $field13='All ICMP-Types';
++my $field14='TGT_PORT';
++my $field15=''; #Port Number
++my $field16=''; #remark
++my $field26='00:00';
++my $field27='00:00';
++open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
++my @current = <FILE>;
++close(FILE);
++open(FILE1, $aliasconfig) or die 'Unable to open config file.';
++my @alias = <FILE1>;
++close(FILE1);
++&General::readhasharray($inputfwconfig,\%configinputfw);
++
++foreach my $line (@current){
++ my ($a,$b,$c,$d,$e,$f) = split (",",$line);
++ $e =~ s/\R//g;
++ if ($f gt ''){
++ $f =~ s/\R//g;
++ $field16=$f;
++ }
++ #active or not
++ $field2=uc($d);
++ #get protocol
++ if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';}
++ #check source address
++ if ($b eq '0.0.0.0/0'){
++ $field3='std_net_src';
++ $field4='ALL';
++ }elsif($b =~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $field3='src_addr';
++ $field4=$b."/32";
++ }elsif ($b =~ /^(.*?)\/(.*?)$/) {
++ $field3='src_addr';
++ $field4=$b;
++ }else{
++ print "Regel konnte nicht konvertiert werden!\n";
++ }
++ #check ipfire address
++ if ($e eq '0.0.0.0'){
++ $field6 = 'Default IP';
++ }else{
++ foreach my $line (@alias){
++ my ($ip,$state,$aliasname) = split (",",$line);
++ if ($ip eq $e){
++ $aliasname =~ s/\R//g;
++ $field6 = $aliasname;
++ }
++ }
++ }
++ #get target port
++ $c=~ s/\R//g;
++ $c=~ tr/-/:/;
++ if ($c =~ /^(\D)\:(\d+)$/) {
++ $c = "1:$2";
++ }
++ if ($c =~ /^(\d+)\:(\D)$/) {
++ $c = "$1:65535";
++ }
++ $field15=$c;
++ #Ausgabe
++ #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n";
++ my $key = &General::findhasharraykey (\%configinputfw);
++ foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";}
++ $configinputfw{$key}[0] = $field0;
++ $configinputfw{$key}[1] = $field1;
++ $configinputfw{$key}[2] = $field2;
++ $configinputfw{$key}[3] = $field3;
++ $configinputfw{$key}[4] = $field4;
++ $configinputfw{$key}[5] = $field5;
++ $configinputfw{$key}[6] = $field6;
++ $configinputfw{$key}[7] = '';
++ $configinputfw{$key}[8] = '';
++ $configinputfw{$key}[9] = '';
++ $configinputfw{$key}[10] = '';
++ $configinputfw{$key}[11] = $field11;
++ $configinputfw{$key}[12] = $field12;
++ $configinputfw{$key}[13] = $field13;
++ $configinputfw{$key}[14] = $field14;
++ $configinputfw{$key}[15] = $field15;
++ $configinputfw{$key}[16] = $field16;
++ $configinputfw{$key}[17] = '';
++ $configinputfw{$key}[18] = '';
++ $configinputfw{$key}[19] = '';
++ $configinputfw{$key}[20] = '';
++ $configinputfw{$key}[21] = '';
++ $configinputfw{$key}[22] = '';
++ $configinputfw{$key}[23] = '';
++ $configinputfw{$key}[24] = '';
++ $configinputfw{$key}[25] = '';
++ $configinputfw{$key}[26] = $field26;
++ $configinputfw{$key}[27] = $field27;
++ &General::writehasharray($inputfwconfig,\%configinputfw);
++}
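Review bot: The `$field*` variables are declared once above the `foreach my $line (@current)` loop and never reset, so when a source address lands in the final `else` ("Regel konnte nicht konvertiert werden!") the script still writes an ACCEPT/INPUTFW rule with `$field3`/`$field4` left over from the previous line, which may be `ALL`. `$field6` and the remark `$field16` carry over the same way when no alias matches or the remark is empty. I would add `next;` after that print and reset the per-rule fields at the top of the loop, e.g. `($field3,$field4,$field6,$field16)=('','','','');`. Any protocol other than `tcp` is also silently converted to `UDP`, and the `^(.*?)\/(.*?)$` branch accepts any string containing a slash without checking that it is a network.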
+diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
+index 3935cd4..439e89a 100644
+--- a/config/rootfiles/common/stage2
++++ b/config/rootfiles/common/stage2
+@@ -109,6 +109,8 @@ usr/local/bin/update-lang-cache
+ #usr/sbin
+ usr/sbin/ovpn-ccd-convert
+ usr/sbin/firewall-forward-policy
++usr/sbin/convert-xtaccess
++usr/sbin/convert-outgoingfw
+ #usr/share
+ #usr/share/doc
+ #usr/share/doc/licenses
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8e1100b..8fae771 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -192,6 +192,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }else{
++ #FORWARD PART
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ #check if we have an identical rule already
+@@ -798,7 +799,7 @@ sub checkrule
+ $errormessage.=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ #check if source and target identical
+- if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}}){
++ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ return $errormessage;
+ }
+@@ -1349,7 +1350,7 @@ END
+ <input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} />
+ <input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} />
+ <input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} />
+- <input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{$Lang::tr{'fwdfw wd_sun'}} />
++ <input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} />
+ </td>
+ <td><select name='TIME_FROM'>
+ END
+@@ -1826,7 +1827,7 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- print"<tr bgcolor='#FFE4B5'><td colspan='4'>$Lang::tr{'fwdfw time'} ";
++ print"<tr bgcolor='#FFE4B5'><td colspan='6'>$Lang::tr{'fwdfw time'} ";
+ print"$weekdays";
+ print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]</td><td colspan='8'></d></tr>";
+ }
+diff --git a/lfs/configroot b/lfs/configroot
+index eacee0b..292af2e 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -100,6 +100,8 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
+ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
++ cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess
++ cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
+ cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
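Review bot: No `chmod` for the two new converters is visible here, and `config/forwardfw/convert-xtaccess` is added with mode 100644, so after `cp` the copies in `/usr/sbin` may not be executable. Only `rules.pl` gets `chmod 755` in the following hunk; if nothing outside these hunks sets the bit, a later `system("/usr/sbin/convert-xtaccess")` would fail. I would add `chmod 755 /usr/sbin/convert-xtaccess /usr/sbin/convert-outgoingfw` next to the existing chmod, or use `install -m 755` instead of `cp`. The recipe continues outside the hunk, so this needs checking against the full file.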
+@@ -119,6 +121,7 @@ $(TARGET) :
+
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
++
+ # Modify variables in header.pl
+ sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
+ -e "s+VERSION+$(VERSION)+g" \
+--
+1.7.10.4
+
--- /dev/null
+From 2a795af72e4861ad72008b5ff5b31d54c5d1adfd Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 08:53:51 +0100
+Subject: [PATCH 043/302] Forward Firewall: changed LOG directory to
+ /var/log/converters
+
+---
+ config/forwardfw/convert-outgoingfw | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 282a017..de6a67c 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -31,17 +31,14 @@ my %fwconf=();
+ my %fwdsettings=();
+ &General::readhash($outfwsettings,\%outsettings);
+
+-
+ &process_groups;
+ &process_rules;
+
+-
+-
+ sub process_groups
+ {
+- if(! -d "/var/log/firewall"){ mkdir("/var/log/firewall");}
+- if( -f "/var/log/firewall/ip-convert.log"){unlink ("/var/log/firewall/ip-convert.log");}
+- open (LOG, ">/var/log/firewall/ip-convert.log") or die $!;
++ if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
++ if( -f "/var/log/converters/groups-convert.log"){unlink ("/var/log/converters/groups-convert.log");}
++ open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
+ #IP Group processing
+ foreach my $group (@ipgroups){
+ chomp $group;
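Review bot: The `mkdir` result is not checked and the log is opened with the two-argument form, so a failure is reported only as a bare `$!` with no path; `mkdir("/var/log/converters") or die "mkdir /var/log/converters: $!";` and `open (LOG, '>', "/var/log/converters/groups-convert.log") or die "groups-convert.log: $!";` would name what failed. The `unlink` before the open is redundant, because `>` already truncates the file. The second hunk in `process_rules` opens `outgoingfw-convert.log` the same way and relies on `process_groups` having created the directory first. `process_groups` continues outside the hunk.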
+@@ -237,8 +234,8 @@ sub process_rules
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+ }
+ #open LOG
+- if( -f "/var/log/firewall/rule-convert.log"){unlink ("/var/log/firewall/rule-convert.log");}
+- open (LOG, ">/var/log/firewall/rule-convert.log") or die $!;
++ if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
++ open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+--
+1.7.10.4
+
--- /dev/null
+From 2f607bbc83a8cd1f994bc789f9fe2eb6627d3eb4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 09:23:13 +0100
+Subject: [PATCH 044/302] Forward Firewall: Removed console output from
+ outgoingfw-converter
+
+---
+ config/forwardfw/convert-outgoingfw | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index de6a67c..2b39cee 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -227,7 +227,6 @@ sub check_grp
+ }
+ sub process_rules
+ {
+- print "Outgoing ist im Mode $outsettings{'POLICY'}\n";
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){
+ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
+@@ -253,7 +252,6 @@ sub process_rules
+ {
+ chomp($rule);
+ print LOG "processing: $rule\n";
+- print "$rule\n";
+ my @configline = split( /\;/, $rule );
+ my @prot=();
+ if($configline[0] eq $type){
+@@ -392,7 +390,6 @@ sub process_rules
+ my $check;
+ foreach my $protocol (@prot){
+ $protocol=uc($protocol);
+- print"0:$action 1:FORWARDFW 2:$active 3:$grp1 4:$source 5:$grp2 6:$target 7:src_srv(leer) 8:srcprot(leer) 9:icmp(leer) 10:srcport(leer) 11:$useport 12:$protocol 13:icmp(leer) 14:$grp3 15:$port 16:$remark 17:$log 18:$time 19:$time_mon 20:$time_tue 21:$time_wed 22:$time_thu 23:$time_fri 24:$time_sat 25:$time_sun 26:$time_from 27:$time_to\n\n";
+ print LOG "-> Converted: $action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+ #Put rules into system....
+ ###########################
+@@ -416,11 +413,9 @@ sub process_rules
+ }
+ }
+ if($check1 eq 'on'){
+- print" schreibe in gruppe\n";
+ &General::writehasharray($configgroups,\%groups);
+ }
+ }
+- print"SCHREIBE REGEL!\n";
+ my $key = &General::findhasharraykey(\%fwconfig);
+ $fwconfig{$key}[0] = $action;
+ $fwconfig{$key}[1] = "FORWARDFW";
+--
+1.7.10.4
+
--- /dev/null
+From 7917ab02dd8b2dc5a0729a65cb596d381be8fda3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 09:40:59 +0100
+Subject: [PATCH 045/302] Forward Firewall: edited rules.pl, so thatrules are
+ created when source and target are 0.0.0.0/0.0.0.0
+
+---
+ config/forwardfw/rules.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 169bc18..aec2eaa 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -195,7 +195,7 @@ sub buildrules
+ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ foreach my $a (sort keys %sourcehash){
+ foreach my $b (sort keys %targethash){
+- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
++ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
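Review bot: `&&` binds tighter than `||`, so the added `|| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'` bypasses the `$targethash{$b}[0] ne 'none'` guard: for an any-source rule the block now runs even when the target is `none`. If the intent is only to allow source and target to be equal when both are 0.0.0.0/0.0.0.0, group it as `if ($targethash{$b}[0] ne 'none' && ($sourcehash{$a}[0] ne $targethash{$b}[0] || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0')){`. The second hunk of this commit has the identical condition and needs the same change. What a `none` target produces further down in `buildrules` is outside the hunk, so the impact needs confirming there.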
+@@ -215,7 +215,7 @@ sub buildrules
+ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ foreach my $a (sort keys %sourcehash){
+ foreach my $b (sort keys %targethash){
+- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
++ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+--
+1.7.10.4
+
--- /dev/null
+From e42916dd32c056ac9b1ae4569df3fc34406bb363 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 10:00:21 +0100
+Subject: [PATCH 046/302] Forward Firewall: removed newline when processing
+ rules.pl
+
+---
+ config/forwardfw/rules.pl | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index aec2eaa..e83fa5f 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -226,7 +226,6 @@ sub buildrules
+ }
+ }
+ }
+- print"\n";
+ }
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From e252918f29b6a5609946899de8f32495288b344d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 10:18:25 +0100
+Subject: [PATCH 047/302] Forward Firewall: Bugfix: when editing an rule, the
+ default ACTION (ACCEPT,DROP,REJECT) was set
+ depending on Firewallmode. Now it checks, if a rule
+ is edited and value is set to rule action
+
+---
+ html/cgi-bin/forwardfw.cgi | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8fae771..b2976e1 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1014,15 +1014,21 @@ print <<END;
+ END
+ foreach ("ACCEPT","DROP","REJECT")
+ {
+- if($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- $fwdfwsettings{'RULE_ACTION'} = 'DROP';
+- }
+-
+- if ($_ eq $fwdfwsettings{'RULE_ACTION'})
+- {
+- print"<option selected>$_</option>";
++ if($fwdfwsettings{'updatefwrule'} eq 'on'){
++ print"<option ";
++ print "selected='selected'" if ($fwdfwsettings{'RULE_ACTION'} eq $_);
++ print">$_</option>";
+ }else{
+- print"<option>$_</option>";
++ if($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ $fwdfwsettings{'RULE_ACTION'} = 'DROP';
++ }
++
++ if ($_ eq $fwdfwsettings{'RULE_ACTION'})
++ {
++ print"<option selected>$_</option>";
++ }else{
++ print"<option>$_</option>";
++ }
+ }
+ }
+ print"</select></td></tr></table><hr>";
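Review bot: The two branches differ only in whether the MODE2 default overrides `RULE_ACTION`, and they emit the selected state in two spellings (`selected='selected'` and bare `selected`). Setting the default once before the loop, `$fwdfwsettings{'RULE_ACTION'} = 'DROP' if ($fwdfwsettings{'updatefwrule'} ne 'on' && $fwdfwsettings{'POLICY'} eq 'MODE2');`, leaves a single print path in the loop body and stops the setting being reassigned on every iteration. A short comment saying that an edited rule keeps its stored action would also help the next reader.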
+--
+1.7.10.4
+
--- /dev/null
+From b5375a29d558eeab4ba1541538584868d0eeba38 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 18 Jan 2013 10:58:33 +0100
+Subject: [PATCH 048/302] Forward Firewall: Edited Backup.pl so that any old
+ backups get converted to new firewall. Afterwards
+ the directories /var/ipfire/outgoing and
+ /var/ipfire/xtaccess are removed!
+
+---
+ config/backup/backup.pl | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index f9b8302..0d75853 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -22,7 +22,7 @@
+ require '/var/ipfire/general-functions.pl';
+ require "${General::swroot}/lang.pl";
+ require "${General::swroot}/header.pl";
+-
++use File::Path;
+ my $debug = 1;
+ my @include = "";
+ my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time);
+@@ -64,7 +64,17 @@ elsif ($ARGV[0] eq 'restore') {
+ system("cd / && tar -xvz -p -f /tmp/restore.ipf");
+ #Here some converter scripts to correct old Backups (before core 65)
+ system("/usr/sbin/ovpn-ccd-convert");
+-}
++ system("/usr/sbin/convert-xtaccess");
++ system("/usr/sbin/convert-outgoingfw");
++
++ #clean up system, if an old backup was restored
++ if( -d "/var/ipfire/outgoing"){
++ rmtree("/var/ipfire/outgoing");
++ }
++ if( -d "/var/ipfire/xtaccess"){
++ rmtree("/var/ipfire/xtaccess");
++ }
++ }
+ elsif ($ARGV[0] eq 'restoreaddon') {
+ if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
+ system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]");
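Review bot: The exit status of `convert-xtaccess` and `convert-outgoingfw` is ignored, yet `/var/ipfire/outgoing` and `/var/ipfire/xtaccess` are removed right afterwards, so a converter that dies (convert-xtaccess does when it cannot open its config file) or cannot be executed leaves the restored rules neither migrated nor available on disk. Removing each directory only when its converter returned 0 keeps the old configuration in place for a retry. Separately, the unchanged `restoreaddon` branch interpolates `$ARGV[1]` into shell command strings; for the `mv` call the list form of `system` would keep a crafted file name away from the shell. The `elsif` chain continues outside the hunk.

```perl
	# … unchanged: tar extraction and ovpn-ccd-convert call …
	my $xt_ok  = (system("/usr/sbin/convert-xtaccess") == 0);
	my $out_ok = (system("/usr/sbin/convert-outgoingfw") == 0);

	#clean up system only after a successful conversion of an old backup
	if( $out_ok && -d "/var/ipfire/outgoing"){
		rmtree("/var/ipfire/outgoing");
	}
	if( $xt_ok && -d "/var/ipfire/xtaccess"){
		rmtree("/var/ipfire/xtaccess");
	}
```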
+--
+1.7.10.4
+
--- /dev/null
+From 572a6a81df7cc940e5870f9fb4a24b8280607e64 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 19 Jan 2013 07:15:25 +0100
+Subject: [PATCH 049/302] Forward Firewall: implemented multiport support for
+ source and target ports
+
+---
+ config/forwardfw/convert-outgoingfw | 50 +++++++++-------
+ config/forwardfw/rules.pl | 6 +-
+ html/cgi-bin/forwardfw.cgi | 108 ++++++++++++++++++++++++-----------
+ 3 files changed, 110 insertions(+), 54 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 2b39cee..ef9f2d3 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -3,7 +3,7 @@
+
+ require '/var/ipfire/general-functions.pl';
+ use Socket;
+-
++use File::Path;
+ my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/";
+ my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/";
+ my $outgoingrules = "${General::swroot}/outgoing/rules";
+@@ -37,7 +37,7 @@ my %fwdsettings=();
+ sub process_groups
+ {
+ if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+- if( -f "/var/log/converters/groups-convert.log"){unlink ("/var/log/converters/groups-convert.log");}
++ if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");}
+ open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
+ #IP Group processing
+ foreach my $group (@ipgroups){
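Review bot: `rmtree("var/log/converters")` is a relative path and removes a whole directory, where the replaced line unlinked one log file by absolute path. When the working directory is `/` it deletes the directory created on the line above, so the following `open (LOG, ">/var/log/converters/groups-convert.log")` dies; from any other directory it removes whatever `var/log/converters` tree exists below the cwd. I would restore `unlink ("/var/log/converters/groups-convert.log");`, or drop the line entirely since `>` truncates.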
+@@ -362,26 +362,36 @@ sub process_rules
+ $target='ALL';
+ }
+ if($configline[8] ne ''){
+- if (!($configline[8] =~ /^(\d+)\:(\d+)$/)) {
+- if(&General::validport($configline[8])){
+- $useport='ON';
+- $port=$configline[8];
+- $grp3='TGT_PORT';
+- }else{
+- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+- next;
+- }
+- }else{
+- my ($a1,$a2) = split(/\:/,$configline[8]);
+- if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
+- $useport='ON';
+- $port=$configline[8];
+- $grp3='TGT_PORT';
++ my @values=();
++ my @parts=split(",",$configline[8]);
++ foreach (@parts){
++ print"PRüfe port $_\n";
++ if (!($_ =~ /^(\d+)\:(\d+)$/)) {
++ if(&General::validport($_)){
++ $useport='ON';
++ print" push single\n";
++ push (@values,$_);
++ $grp3='TGT_PORT';
++ }else{
++ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ next;
++ }
+ }else{
+- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+- next;
+- }
++ my ($a1,$a2) = split(/\:/,$_);
++ if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
++ $useport='ON';
++ print"push range $_\n";
++ push (@values,"$a1:$a2");
++ $grp3='TGT_PORT';
++ }else{
++ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ next;
++ }
++ }
+ }
++ $port=join("|",@values);
++ print"fertig, habe \"$port\"\n";
++ @values=();
+ }
+ }else{
+ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
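Review bot: The two `next;` statements now sit inside `foreach (@parts)`, so they skip one list element rather than the whole rule as the removed code did, although the log line still says "Rule not converted". A rule with an invalid entry is therefore converted with the remaining ports, and with an empty `$port` if every entry is rejected, which can make the converted rule broader than the original. I would record the failure inside the loop, `$badport=1; last;`, and skip the rule after it with `next if $badport;` (the enclosing rule loop is outside the hunk, so the exact placement needs checking). The added `print` lines (`PRüfe port`, `push single`, `push range`, `fertig, habe`) are debug output on stdout.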
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index e83fa5f..ce3ef8a 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -339,7 +339,8 @@ sub get_port
+ my $prot=shift;
+ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
+ if ($$hash{$key}[10] ne ''){
+- return "--sport $$hash{$key}[10] ";
++ $$hash{$key}[10] =~ s/\|/,/g;
++ return "-m multiport --sport $$hash{$key}[10] ";
+ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[9] ";
+ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
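Review bot: `$$hash{$key}[10] =~ s/\|/,/g` rewrites the caller's rule hash through the reference as a side effect of building an option string, and the stored value is then interpolated into the returned text with no format check. Working on a copy, `(my $ports = $$hash{$key}[10]) =~ tr/|/,/;`, and accepting it only if it matches an anchored pattern such as `/\A\d+(?::\d+)?(?:,\d+(?::\d+)?)*\z/` would keep a hand-edited or corrupted config line from reaching the rule command; how the return value is executed is outside the hunk. The `--dport` hunk below does the same with field 15.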
+@@ -349,7 +350,8 @@ sub get_port
+
+ if($$hash{$key}[14] eq 'TGT_PORT'){
+ if ($$hash{$key}[15] ne ''){
+- return "--dport $$hash{$key}[15] ";
++ $$hash{$key}[15] =~ s/\|/,/g;
++ return "-m multiport --dport $$hash{$key}[15] ";
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[13] ";
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index b2976e1..ffb0c25 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -210,12 +210,13 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'nosave2'} = 'on';
+ $errormessage='';
+ }
+ }
++
+ #increase counters
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+@@ -663,23 +664,42 @@ sub checksource
+ $fwdfwsettings{'PROT'}='';
+ }
+
+- if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){
+- #change dashes with :
+- $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/;
+-
+- if ($fwdfwsettings{'SRC_PORT'} eq "*") {
+- $fwdfwsettings{'SRC_PORT'} = "1:65535";
+- }
+- if ($fwdfwsettings{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) {
+- $fwdfwsettings{'SRC_PORT'} = "1:$2";
+- }
+- if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
+- $fwdfwsettings{'SRC_PORT'} = "$1:65535";
++ if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){
++ my @parts=split(",",$fwdfwsettings{'SRC_PORT'});
++ my @values=();
++ foreach (@parts){
++ chomp($_);
++ if ($_ =~ /^(\d+)\:(\d+)$/) {
++ my $check;
++ #change dashes with :
++ $_=~ tr/-/:/;
++ if ($_ eq "*") {
++ push(@values,"1:65535");
++ $check='on';
++ }
++ if ($_ =~ /^(\D)\:(\d+)$/) {
++ push(@values,"1:$2");
++ $check='on';
++ }
++ if ($_ =~ /^(\d+)\:(\D)$/) {
++ push(@values,"$1:65535");
++ $check='on'
++ }
++ $errormessage .= &General::validportrange($_, 'destination');
++ if(!$check){
++ push (@values,$_);
++ }
++ }else{
++ if (&General::validport($_)){
++ push (@values,$_);
++ }else{
++
++ }
++ }
+ }
+-
+- $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src');
++ $fwdfwsettings{'SRC_PORT'}=join("|",@values);
++ return $errormessage;
+ }
+- return $errormessage;
+ }
+ sub checktarget
+ {
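Review bot: Inside the branch guarded by `/^(\d+)\:(\d+)$/` the `tr/-/:/`, `*` and `\D` checks can never match, so input such as `80-90` or `*` falls through to `validport`, fails, and is discarded by the empty `else` without any error. The rule is then saved with fewer ports than entered, or with an empty `SRC_PORT` if every entry is dropped, which may widen it silently. Normalising each entry before the range test and reporting rejected entries fixes this (I assume `validportrange` returns a message for them, as on the removed line); `checksource` should also pass `'src'` rather than `'destination'`. The `checktarget` hunk below has the same loop and needs the same change. `return $errormessage;` now sits inside the `if`, so the sub has no explicit return when the condition is false.

```perl
		foreach (@parts){
			chomp($_);
			#change dashes with : before any range test
			$_=~ tr/-/:/;
			if ($_ eq "*") {
				$_ = "1:65535";
			}elsif ($_ =~ /^(\D)\:(\d+)$/) {
				$_ = "1:$2";
			}elsif ($_ =~ /^(\d+)\:(\D)$/) {
				$_ = "$1:65535";
			}
			if ($_ =~ /^(\d+)\:(\d+)$/) {
				$errormessage .= &General::validportrange($_, 'src');
				push (@values,$_);
			}elsif (&General::validport($_)){
				push (@values,$_);
			}else{
				#report the rejected entry instead of dropping it silently
				$errormessage .= &General::validportrange($_, 'src');
			}
		}
		# … unchanged: join of @values into SRC_PORT …
```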
+@@ -737,18 +757,39 @@ sub checktarget
+ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
+- #change dashes with :
+- $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/;
+- if ($fwdfwsettings{'TGT_PORT'} eq "*") {
+- $fwdfwsettings{'TGT_PORT'} = "1:65535";
+- }
+- if ($fwdfwsettings{'TGT_PORT'} =~ /^(\D)\:(\d+)$/) {
+- $fwdfwsettings{'TGT_PORT'} = "1:$2";
+- }
+- if ($fwdfwsettings{'TGT_PORT'} =~ /^(\d+)\:(\D)$/) {
+- $fwdfwsettings{'TGT_PORT'} = "$1:65535";
++ my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
++ my @values=();
++ foreach (@parts){
++ chomp($_);
++ if ($_ =~ /^(\d+)\:(\d+)$/) {
++ my $check;
++ #change dashes with :
++ $_=~ tr/-/:/;
++ if ($_ eq "*") {
++ push(@values,"1:65535");
++ $check='on';
++ }
++ if ($_ =~ /^(\D)\:(\d+)$/) {
++ push(@values,"1:$2");
++ $check='on';
++ }
++ if ($_ =~ /^(\d+)\:(\D)$/) {
++ push(@values,"$1:65535");
++ $check='on'
++ }
++ $errormessage .= &General::validportrange($_, 'destination');
++ if(!$check){
++ push (@values,$_);
++ }
++ }else{
++ if (&General::validport($_)){
++ push (@values,$_);
++ }else{
++
++ }
++ }
+ }
+- $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination');
++ $fwdfwsettings{'TGT_PORT'}=join("|",@values);
+ }
+ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){
+ $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
+@@ -782,7 +823,6 @@ sub checktarget
+ $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
+ $fwdfwsettings{'TGT_PROT'}='';
+ $fwdfwsettings{'ICMP_TGT'}='';
+-
+ }
+ #check timeframe
+ if($fwdfwsettings{'TIME'} eq 'ON'){
+@@ -1140,8 +1180,9 @@ END
+ print"<option>$_</option>";
+ }
+ }
++ $fwdfwsettings{'SRC_PORT'}=~ s/\|/,/g;
+ print<<END;
+- </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='11' size='9' ></td></tr>
++ </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18' ></td></tr>
+ <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
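Review bot: `$fwdfwsettings{'SRC_PORT'}` is interpolated into the single-quoted `value='…'` attribute without HTML escaping, and `checksource` only rebuilds it from validated parts when its outer condition holds, so other submitted text may be echoed back as typed. Escaping quotes, `<`, `>` and `&` before the heredoc would keep the value from breaking out of the attribute. The same applies to `TGT_PORT` in the next hunk and to the new hidden `oldruleremark` field, which carries free-text remark content (what the remark check in `checkrule` permits is outside these hunks). `maxlength='20'` is a browser-side limit only and also looks short for a comma-separated list of ranges.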
+@@ -1294,8 +1335,9 @@ END
+ print"<option>$_</option>";
+ }
+ }
++ $fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
+ print<<END;
+- </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='11' size='9' ></td></tr>
++ </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' ></td></tr>
+ <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+@@ -1407,6 +1449,7 @@ END
+ <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
+ <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
+ <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
++ <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
+ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+ </table></form>
+ END
+@@ -1596,7 +1639,8 @@ sub getsrcport
+ {
+ my %hash=%{(shift)};
+ my $key=shift;
+- if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne 'ICMP'){
++ if($hash{$key}[7] eq 'ON' && ($hash{$key}[8] eq 'TCP' || $hash{$key}[8] eq 'UDP')){
++ $hash{$key}[10]=~ s/\|/,/g;
+ print" : ($hash{$key}[8]) $hash{$key}[10]";
+ }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
+ print" : ($hash{$key}[8]) <br> $hash{$key}[9]";
+@@ -1613,7 +1657,6 @@ sub gettgtport
+ if($hash{$key}[14] eq 'cust_srv'){
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $i (sort keys %customservice){
+- #print "HHUHU: $customservice{$i}[0] und $hash{$key}[15]<br>";
+ if($customservice{$i}[0] eq $hash{$key}[15]){
+ $prot = $hash{$key}[12];
+ $service = $customservice{$i}[0];
+@@ -1623,6 +1666,7 @@ sub gettgtport
+
+ $service=$hash{$key}[15];
+ }elsif($hash{$key}[14] eq 'TGT_PORT'){
++ $hash{$key}[15]=~ s/\|/,/g;
+ $service=$hash{$key}[15];
+ $prot=$hash{$key}[12];
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 49477dc188b7cfdbf92a8bcb818561853ec06775 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 19 Jan 2013 07:24:08 +0100
+Subject: [PATCH 050/302] Forward Firewall: deleted comments from
+ converterscript
+
+---
+ config/forwardfw/convert-outgoingfw | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index ef9f2d3..cef4f0c 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -365,11 +365,9 @@ sub process_rules
+ my @values=();
+ my @parts=split(",",$configline[8]);
+ foreach (@parts){
+- print"PRüfe port $_\n";
+ if (!($_ =~ /^(\d+)\:(\d+)$/)) {
+ if(&General::validport($_)){
+ $useport='ON';
+- print" push single\n";
+ push (@values,$_);
+ $grp3='TGT_PORT';
+ }else{
+@@ -377,21 +375,19 @@ sub process_rules
+ next;
+ }
+ }else{
+- my ($a1,$a2) = split(/\:/,$_);
+- if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
++ my ($a1,$a2) = split(/\:/,$_);
++ if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
+ $useport='ON';
+- print"push range $_\n";
+ push (@values,"$a1:$a2");
+ $grp3='TGT_PORT';
+- }else{
++ }else{
+ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+ next;
+- }
++ }
+ }
+ }
+- $port=join("|",@values);
+- print"fertig, habe \"$port\"\n";
+- @values=();
++ $port=join("|",@values);
++ @values=();
+ }
+ }else{
+ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
+--
+1.7.10.4
+
--- /dev/null
+From 9c7f703ec6e1e6a7fe060abe958309a2c6b9ba0c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 19 Jan 2013 14:09:50 +0100
+Subject: [PATCH 051/302] Forward Firewall: implemented ne column in ruletable
+ "protocol"
+
+---
+ config/forwardfw/rules.pl | 12 ++++++--
+ html/cgi-bin/forwardfw.cgi | 68 +++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 62 insertions(+), 18 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index ce3ef8a..b51e76e 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -340,7 +340,11 @@ sub get_port
+ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
+ if ($$hash{$key}[10] ne ''){
+ $$hash{$key}[10] =~ s/\|/,/g;
+- return "-m multiport --sport $$hash{$key}[10] ";
++ if(index($$hash{$key}[10],",") > 0){
++ return "-m multiport --sport $$hash{$key}[10] ";
++ }else{
++ return "--sport $$hash{$key}[10] ";
++ }
+ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[9] ";
+ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
+@@ -351,7 +355,11 @@ sub get_port
+ if($$hash{$key}[14] eq 'TGT_PORT'){
+ if ($$hash{$key}[15] ne ''){
+ $$hash{$key}[15] =~ s/\|/,/g;
+- return "-m multiport --dport $$hash{$key}[15] ";
++ if(index($$hash{$key}[15],",") > 0){
++ return "-m multiport --dport $$hash{$key}[15] ";
++ }else{
++ return "--dport $$hash{$key}[15] ";
++ }
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[13] ";
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index ffb0c25..9b4ca0d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -873,6 +873,8 @@ sub checkrule
+
+ #check source and destination protocol if manual
+ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
++
++
+ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ $errormessage.=$Lang::tr{'fwdfw err prot'};
+ }
+@@ -1639,11 +1641,11 @@ sub getsrcport
+ {
+ my %hash=%{(shift)};
+ my $key=shift;
+- if($hash{$key}[7] eq 'ON' && ($hash{$key}[8] eq 'TCP' || $hash{$key}[8] eq 'UDP')){
++ if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){
+ $hash{$key}[10]=~ s/\|/,/g;
+- print" : ($hash{$key}[8]) $hash{$key}[10]";
++ print": $hash{$key}[10]";
+ }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
+- print" : ($hash{$key}[8]) <br> $hash{$key}[9]";
++ print": <br>$hash{$key}[9] ";
+ }
+ }
+ sub gettgtport
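Review bot: The values printed in getsrcport (`$hash{$key}[10]` and `$hash{$key}[9]`) reach the rule table without HTML escaping, so the page depends entirely on whatever validation ran when the rule was saved. The same holds for `print": $service"` in the gettgtport hunk and for the new protocol and remark cells in the viewtablenew hunk further down. Escaping at output would keep a hand-edited or converted config file from injecting markup into the admin UI; the project's escaping helper, if it has one, is not visible in this patch. A comment above getsrcport naming the fields would also help, e.g. `# [7]=use source port, [8]=protocol, [9]=ICMP type, [10]=port list`.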
+@@ -1658,29 +1660,47 @@ sub gettgtport
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $i (sort keys %customservice){
+ if($customservice{$i}[0] eq $hash{$key}[15]){
+- $prot = $hash{$key}[12];
+ $service = $customservice{$i}[0];
+ }
+ }
+ }elsif($hash{$key}[14] eq 'cust_srvgrp'){
+-
+ $service=$hash{$key}[15];
+ }elsif($hash{$key}[14] eq 'TGT_PORT'){
+ $hash{$key}[15]=~ s/\|/,/g;
+ $service=$hash{$key}[15];
+- $prot=$hash{$key}[12];
+ }
++
++ print": $service";
+ }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
+- print" : ($hash{$key}[12]) <br>$hash{$key}[13]";
++ print":<br>$hash{$key}[13]";
+ }
+-
+- if ($prot ne '' || $service ne ''){
+- print" :";
+- if ($prot ne ''){
+- print"($prot) ";
++}
++sub get_serviceports
++{
++ my $type=shift;
++ my $name=shift;
++ &General::readhasharray("$configsrv", \%customservice);
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ my $protocols;
++ my $tcp;
++ my $udp;
++ if($type eq 'service'){
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ if ($customservice{$key}[0] eq $name){
++ $protocols=$customservice{$key}[2];
++ }
++ }
++
++ }elsif($type eq 'group'){
++ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ if ($customservicegrp{$key}[0] eq $name){
++ if($customservicegrp{$key}[4] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
++ }
+ }
+- print" $service";
+ }
++ if($tcp){$protocols.="TCP";}
++ if($udp){$protocols.=",UDP";}
++ return $protocols;
+ }
+ sub viewtablerule
+ {
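Review bot: get_serviceports returns `,UDP` with a leading comma for a group whose members are all UDP, because `$protocols.=",UDP"` is appended whether or not TCP was added before it. The `else{$udp='UDP';}` branch also labels every non-TCP member as UDP, so it needs an explicit `elsif(... eq 'UDP')`. For the group case a joined list avoids the comma problem: `my @p; push @p,'TCP' if $tcp; push @p,'UDP' if $udp; return join(',',@p);`. The function also re-reads both config files on every call, and the viewtablenew hunk calls it once per table row.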
+@@ -1706,7 +1726,7 @@ sub viewtablenew
+ &General::readhasharray("$config", $hash);
+ print"<b>$title1</b><br>";
+ print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+- print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' width='20%'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+@@ -1775,7 +1795,7 @@ END
+ $rulecolor=$color{'color16'};
+ }
+ print"<td bgcolor='$rulecolor' width='2%' align='center'><span title='$tooltip'><b>$ruletype</b></span></td>";
+- print"<td align='center'>";
++ print"<td align='center' nowrap='nowrap'>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
+ }else{
+@@ -1807,7 +1827,23 @@ END
+ }
+ &gettgtport(\%$hash,$key);
+ ################################################################################
+- print"</td><td width='20%'>$$hash{$key}[16]</td>";
++ print"</td>";
++ #Get Protocol
++ my $prot;
++ if ($$hash{$key}[12]){ #target prot if manual
++ $prot=$$hash{$key}[12];
++ }elsif($$hash{$key}[8]){ #source prot if manual
++ $prot=$$hash{$key}[8];
++ }elsif($$hash{$key}[14] eq 'cust_srv'){
++ $prot=&get_serviceports("service",$$hash{$key}[15]);
++ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
++ $prot=&get_serviceports("group",$$hash{$key}[15]);
++ }else{
++ $prot=$Lang::tr{'all'};
++ }
++ print"<td align='center'>$prot</td>";
++
++ print"<td width='20%'>$$hash{$key}[16]</td>";
+
+ if($$hash{$key}[2] eq 'ON'){
+ $gif="/images/on.gif"
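Review bot: The protocol cell uses `$$hash{$key}[12]` or `$$hash{$key}[8]` whenever they are non-empty, without checking the `[11]` and `[7]` 'ON' flags that gettgtport and getsrcport test before using those fields. If a rule can keep a protocol value while its flag is off (not visible in this hunk), the table would show a protocol the rule does not restrict on. When both are set and differ, only the target protocol is shown. Gating the branches the same way, e.g. `if ($$hash{$key}[11] eq 'ON' && $$hash{$key}[12]){`, keeps the displayed rule consistent with the other columns. viewtablenew continues outside the hunk.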
+--
+1.7.10.4
+
--- /dev/null
+From 7eadfb7fd4b3dc5e8f8606f6f89448536aaf23f6 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 19 Jan 2013 20:51:12 +0100
+Subject: [PATCH 052/302] Forward Firewall: Minor changes...
+
+1) improved convert-outgoingfw. source was wrong when tun+ interface
+2) target had always a ":" in ruletable
+3) convert-outgoingfw bugfix: ports were not cleared for next rule
+---
+ config/backup/backup.pl | 6 ++----
+ config/forwardfw/convert-outgoingfw | 14 ++++++++++----
+ html/cgi-bin/forwardfw.cgi | 6 +++---
+ lfs/configroot | 3 +++
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index 0d75853..28129e4 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -64,14 +64,12 @@ elsif ($ARGV[0] eq 'restore') {
+ system("cd / && tar -xvz -p -f /tmp/restore.ipf");
+ #Here some converter scripts to correct old Backups (before core 65)
+ system("/usr/sbin/ovpn-ccd-convert");
+- system("/usr/sbin/convert-xtaccess");
+- system("/usr/sbin/convert-outgoingfw");
+-
+- #clean up system, if an old backup was restored
+ if( -d "/var/ipfire/outgoing"){
++ system("/usr/sbin/convert-outgoingfw");
+ rmtree("/var/ipfire/outgoing");
+ }
+ if( -d "/var/ipfire/xtaccess"){
++ system("/usr/sbin/convert-xtaccess");
+ rmtree("/var/ipfire/xtaccess");
+ }
+ }
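Review bot: `rmtree("/var/ipfire/outgoing")` runs whether or not `system("/usr/sbin/convert-outgoingfw")` succeeded, so a converter failure during restore deletes the only copy of the old rules. The xtaccess branch has the same shape. Checking the exit status first, `if (system("/usr/sbin/convert-outgoingfw") == 0) { rmtree("/var/ipfire/outgoing"); }`, leaves the directory in place for a retry. The version of this block in PATCH 054 keeps the unconditional rmtree. The restore branch starts outside this hunk.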
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index cef4f0c..e94692a 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -182,10 +182,12 @@ sub new_hostgrp
+ $groups{$grpkey}[4] = 0;
+ }
+ }
++ @hostarray=();
+ }
+ &General::writehasharray($confighosts,\%hosts);
+ &General::writehasharray($configgroups,\%groups);
+ &General::writehasharray($confignets,\%nets);
++
+ }
+ sub check_host
+ {
+@@ -251,8 +253,10 @@ sub process_rules
+ foreach my $rule (@lines)
+ {
+ chomp($rule);
++ $port='';
+ print LOG "processing: $rule\n";
+- my @configline = split( /\;/, $rule );
++ my @configline=();
++ @configline = split( /\;/, $rule );
+ my @prot=();
+ if($configline[0] eq $type){
+ #some variables we can use from old config
+@@ -262,7 +266,6 @@ sub process_rules
+ push(@prot,"udp");
+ $useport='ON';
+ $grp3='TGT_PORT';
+-
+ }else{
+ push(@prot,$configline[3]);
+ $useport='ON';
+@@ -270,7 +273,6 @@ sub process_rules
+ }
+ if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';}
+ if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}
+-
+ if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
+ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
+ $time='';
+@@ -307,7 +309,9 @@ sub process_rules
+ print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+ next;
+ }elsif ($configline[2] eq 'ovpn') {
+- &build_ovpn_grp;
++ &build_ovpn_grp;
++ $grp1='cust_grp_src';
++ $source='ovpn'
+ }elsif ($configline[2] eq 'ip') {
+ my $z=&check_ip($configline[5]);
+ if($z){
+@@ -385,9 +389,11 @@ sub process_rules
+ next;
+ }
+ }
++
+ }
+ $port=join("|",@values);
+ @values=();
++ @parts=();
+ }
+ }else{
+ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 9b4ca0d..4391f12 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1654,7 +1654,6 @@ sub gettgtport
+ my $key=shift;
+ my $service;
+ my $prot;
+-
+ if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
+ if($hash{$key}[14] eq 'cust_srv'){
+ &General::readhasharray("$configsrv", \%customservice);
+@@ -1669,8 +1668,9 @@ sub gettgtport
+ $hash{$key}[15]=~ s/\|/,/g;
+ $service=$hash{$key}[15];
+ }
+-
+- print": $service";
++ if($service){
++ print": $service";
++ }
+ }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
+ print":<br>$hash{$key}[13]";
+ }
+diff --git a/lfs/configroot b/lfs/configroot
+index 292af2e..6bbe3f8 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -122,6 +122,9 @@ $(TARGET) :
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+
++ # set converters executable
++ chmod 755 /usr/sbin/convert-*
++
+ # Modify variables in header.pl
+ sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
+ -e "s+VERSION+$(VERSION)+g" \
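Review bot: `chmod 755 /usr/sbin/convert-*` matches every file in /usr/sbin whose name begins with `convert-`, not only the converters this series installs, and it fails the target if nothing matches. Listing the files, `chmod 755 /usr/sbin/convert-outgoingfw /usr/sbin/convert-xtaccess`, limits the permission change to the intended scripts. The recipe for `$(TARGET)` starts and continues outside the hunk.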
+--
+1.7.10.4
+
--- /dev/null
+From 6caf57590dc4df4e53fe41ee040ff67d17fd8f57 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 19 Jan 2013 21:21:18 +0100
+Subject: [PATCH 053/302] Forward Firewall: edited convert-outgoingfw. When a
+ Protocol ESP or GRE is used AND a Port is selected
+ (in old system), the rule was not converted
+ successfully.
+
+---
+ config/forwardfw/convert-outgoingfw | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index e94692a..0f33396 100644
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -365,7 +365,7 @@ sub process_rules
+ $grp2='std_net_tgt';
+ $target='ALL';
+ }
+- if($configline[8] ne ''){
++ if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){
+ my @values=();
+ my @parts=split(",",$configline[8]);
+ foreach (@parts){
+@@ -389,7 +389,6 @@ sub process_rules
+ next;
+ }
+ }
+-
+ }
+ $port=join("|",@values);
+ @values=();
+--
+1.7.10.4
+
--- /dev/null
+From faadb02f5bb76227ac442c05bc21258beac725fa Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 20 Jan 2013 05:54:04 +0100
+Subject: [PATCH 054/302] Forward Firewall: edited Backup.pl. If someone put
+ /var/ipfire/outgoing into
+ /var/ipfire/backup/include, the rules are backed up
+ and need to be restored. Now the backup takes care
+ of this and checks if there are old rules to
+ convert.
+
+---
+ config/backup/backup.pl | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+ mode change 100644 => 100755 config/forwardfw/convert-outgoingfw
+ mode change 100644 => 100755 config/forwardfw/convert-xtaccess
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index 28129e4..b217161 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -64,13 +64,24 @@ elsif ($ARGV[0] eq 'restore') {
+ system("cd / && tar -xvz -p -f /tmp/restore.ipf");
+ #Here some converter scripts to correct old Backups (before core 65)
+ system("/usr/sbin/ovpn-ccd-convert");
+- if( -d "/var/ipfire/outgoing"){
++ if( -d "${General::swroot}/outgoing"){
++ if( -f "${General::swroot}/forward/config" ){
++ unlink("${General::swroot}/forward/config");
++ system("touch ${General::swroot}/forward/config");
++ chown 99,99,"${General::swroot}/forward/config";
++ }
++ if( -f "${General::swroot}/forward/input" ){
++ unlink("${General::swroot}/forward/input");
++ system("touch ${General::swroot}/forward/input");
++ chown 99,99,"${General::swroot}/forward/input";
++ }
+ system("/usr/sbin/convert-outgoingfw");
+- rmtree("/var/ipfire/outgoing");
++ rmtree("${General::swroot}/outgoing");
++ system("/usr/local/bin/forwrdfwctrl");
+ }
+- if( -d "/var/ipfire/xtaccess"){
++ if( -d "${General::swroot}/xtaccess"){
+ system("/usr/sbin/convert-xtaccess");
+- rmtree("/var/ipfire/xtaccess");
++ rmtree("${General::swroot}/xtaccess");
+ }
+ }
+ elsif ($ARGV[0] eq 'restoreaddon') {
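Review bot: `system("/usr/local/bin/forwrdfwctrl")` is misspelled; other patches in this series call `/usr/local/bin/forwardfwctrl`. Because the return value of `system` is not checked, the rule reload after a restore appears to fail silently. The `unlink` plus `system("touch ...")` pairs build a shell command from `${General::swroot}`; truncating with `open(my $fh, '>', "${General::swroot}/forward/config") and close($fh);` does the same without a shell. A comment naming the account behind `chown 99,99` would help the next reader. The restore branch starts outside the hunk.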
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+old mode 100644
+new mode 100755
+diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
+old mode 100644
+new mode 100755
+--
+1.7.10.4
+
--- /dev/null
+From 436f2a4ce44c416f88de6d3334be558241ac8c57 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 20 Jan 2013 13:18:47 +0100
+Subject: [PATCH 055/302] Forward Firewall: Bugfix: when editing a rule it was
+ possible to enter invalid chars in remark
+
+---
+ html/cgi-bin/forwardfw.cgi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 4391f12..e7815a4 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -140,8 +140,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage='';
++
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+ $fwdfwsettings{'nosave'} = 'on';
+--
+1.7.10.4
+
--- /dev/null
+From c468242883824663d3533ed2781f51fa4422b994 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 20 Jan 2013 20:36:11 +0100
+Subject: [PATCH 056/302] Forward Firewall: Some more checks to check remark
+ if rule was edited
+
+---
+ html/cgi-bin/forwardfw.cgi | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index e7815a4..dda14b5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -142,7 +142,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage='';
+-
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+ $fwdfwsettings{'nosave'} = 'on';
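Review bot: The added `elsif` assigns `$errormessage` with `=`, and the branch above it resets it with `$errormessage=''`, so any message appended before this block by an earlier check is lost. Whether earlier checks run first is not visible in the hunk. Both branches also repeat the same two conditions and call validremark twice. Testing `oldruleremark ne ruleremark && updatefwrule eq 'on'` once and branching on `&validremark(...)` inside it reads more plainly, and it allows removing only the rule-exists text instead of resetting the whole string. The next hunk adds the identical code for `%configfwdfw`.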
+@@ -201,8 +202,10 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage='';
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+ $fwdfwsettings{'nosave'} = 'on';
+@@ -217,7 +220,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage='';
+ }
+ }
+-
+ #increase counters
+ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+--
+1.7.10.4
+
--- /dev/null
+From 4ef39659ead213a4a6a9515b6f24bc3992b934b6 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 21 Jan 2013 05:54:20 +0100
+Subject: [PATCH 057/302] Forward Firewall: edited colspan for timeframe from
+ 6 to 7 edited de.pl and changed "Port(s) manuel" to
+ "Port(s) manuell"
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ langs/de/cgi-bin/de.pl | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index dda14b5..bf35b1f 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1916,7 +1916,7 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- print"<tr bgcolor='#FFE4B5'><td colspan='6'>$Lang::tr{'fwdfw time'} ";
++ print"<tr bgcolor='#FFE4B5'><td colspan='7'>$Lang::tr{'fwdfw time'} ";
+ print"$weekdays";
+ print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]</td><td colspan='8'></d></tr>";
+ }
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 539f648..a56ba64 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -907,7 +907,7 @@
+ 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+ 'fwdfw ipsec network' => 'IPsec Netzwerke:',
+ 'fwdfw log rule' => 'Log Regel',
+-'fwdfw man port' => 'Port(s) manuel:',
++'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
+ 'fwdfw reread' => 'Übernehmen',
+--
+1.7.10.4
+
--- /dev/null
+From 71c9050bcb12a272b648d1a8ba5deb5753a25c55 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 21 Jan 2013 14:49:21 +0100
+Subject: [PATCH 058/302] Forward Firewall: extended converter
+
+---
+ config/forwardfw/convert-outgoingfw | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 0f33396..89cc356 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -2,8 +2,11 @@
+
+
+ require '/var/ipfire/general-functions.pl';
++
+ use Socket;
+ use File::Path;
++use File::Copy;
++
+ my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/";
+ my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/";
+ my $outgoingrules = "${General::swroot}/outgoing/rules";
+@@ -33,6 +36,7 @@ my %fwdsettings=();
+
+ &process_groups;
+ &process_rules;
++&process_p2p;
+
+ sub process_groups
+ {
+@@ -42,14 +46,17 @@ sub process_groups
+ #IP Group processing
+ foreach my $group (@ipgroups){
+ chomp $group;
++ print LOG "\nProcessing IP-GROUP: $group...\n";
+ open (DATEI, "<$ipgrouppath/$group");
+ my @zeilen = <DATEI>;
+ foreach my $ip (@zeilen){
+ chomp($ip);
+ $ip =~ s/\s//gi;
++ print LOG "Check IP $ip from Group $group ";
+ my $val=&check_ip($ip);
+ if($val){
+ push(@hostarray,$val.",ip");
++ print LOG "-> OK\n";
+ }
+ else{
+ print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
+@@ -65,17 +72,20 @@ sub process_groups
+ #MAC Group processing
+ foreach my $group (@macgroups){
+ chomp $group;
++ print LOG "\nProcessing MAC-GROUP: $group...\n";
+ open (DATEI, "<$macgrouppath/$group");
+ my @zeilen = <DATEI>;
+ foreach my $mac (@zeilen){
+ chomp($mac);
+ $mac =~ s/\s//gi;
++ print LOG "Checking MAC $mac from group $group ";
+ #MAC checking
+ if(&General::validmac($mac)){
+ $val=$mac;
+ }
+ if($val){
+ push(@hostarray,$val.",mac");
++ print LOG "-> OK\n";
+ }
+ else{
+ print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
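Review bot: The new `print LOG "-> OK\n"` in the MAC loop is reached through `if($val)`, but `$val` is assigned only when `&General::validmac($mac)` succeeds and is not cleared in the lines shown. After one valid MAC, an invalid one would therefore be pushed with the previous value and logged as OK. The declaration of `$val` is outside the hunk, so this needs confirming; setting it per iteration, `my $val = &General::validmac($mac) ? $mac : '';`, removes the doubt. process_groups starts and continues outside the hunk.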
+@@ -123,7 +133,8 @@ sub new_hostgrp
+ my ($ip,$type) = split(",",$adr);
+ my ($ippart,$subnet) = split("/",$ip);
+ my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet);
+- if($byte4 eq '255'){
++ if($byte4 eq '255'){
++ print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n";
+ if(!&check_host($ip)){
+ my $key = &General::findhasharraykey(\%hosts);
+ $name="host ";
+@@ -133,10 +144,12 @@ sub new_hostgrp
+ $hosts{$key}[1] = $type;
+ $hosts{$key}[2] = $ip;
+ $hosts{$key}[3] = 1;
++ print LOG "->Host (IP) $ip added to custom hosts\n"
+ }else{
+- print LOG "Host (IP) $ip already exists\n";
++ print LOG "->Host (IP) $ip already exists\n";
+ }
+ }elsif($byte4 < '255'){
++ print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
+ if(!&check_net($ippart,$subnet)){
+ my $netkey = &General::findhasharraykey(\%nets);
+ $name="net ";
+@@ -146,6 +159,7 @@ sub new_hostgrp
+ $nets{$netkey}[1] = $ippart;
+ $nets{$netkey}[2] = $subnet;
+ $nets{$netkey}[3] = 1;
++ print LOG "->Network $ippart/$subnet added to custom networks\n";
+ }else{
+ print LOG "Network $ippart already exists\n";
+ }
+@@ -157,10 +171,12 @@ sub new_hostgrp
+ $groups{$grpkey}[2] = $name2;
+ $groups{$grpkey}[3] = $name3;
+ $groups{$grpkey}[4] = 0;
++ print LOG "->$name2 added to group $grp\n";
+ }
+ }elsif($run eq 'mac'){
+ #MACRUN
+ my ($mac,$type) = split(",",$adr);
++ print LOG "Processing HOST (MAC) $mac\n";
+ if(!&check_host($mac)){
+ my $key = &General::findhasharraykey(\%hosts);
+ $name="host ";
+@@ -170,8 +186,9 @@ sub new_hostgrp
+ $hosts{$key}[1] = $type;
+ $hosts{$key}[2] = $mac;
+ $hosts{$key}[3] = 1;
++ print LOG "->Host (MAC) $mac added to custom hosts\n";
+ }else{
+- print LOG "Host (MAC) $mac already exists\n";
++ print LOG "->Host (MAC) $mac already exists\n";
+ }
+ if($name2){
+ my $grpkey = &General::findhasharraykey(\%groups);
+@@ -180,10 +197,11 @@ sub new_hostgrp
+ $groups{$grpkey}[2] = $name2;
+ $groups{$grpkey}[3] = $name3;
+ $groups{$grpkey}[4] = 0;
++ print LOG "->$name2 added to group $grp\n";
+ }
+ }
+- @hostarray=();
+ }
++ @hostarray=();
+ &General::writehasharray($confighosts,\%hosts);
+ &General::writehasharray($configgroups,\%groups);
+ &General::writehasharray($confignets,\%nets);
+@@ -262,8 +280,7 @@ sub process_rules
+ #some variables we can use from old config
+ if($configline[1] eq 'on'){ $active='ON';}else{$active='';}
+ if($configline[3] eq 'all'){
+- push(@prot,"tcp");
+- push(@prot,"udp");
++ push(@prot,"");
+ $useport='ON';
+ $grp3='TGT_PORT';
+ }else{
+@@ -356,6 +373,7 @@ sub process_rules
+ if ($getwebsiteip){
+ $grp2='tgt_addr';
+ $target=$getwebsiteip;
++ $remark.=" $configline[7]";
+ }else{
+ print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
+ next;
+@@ -526,3 +544,8 @@ sub build_ovpn_grp
+ &General::writehasharray($configgroups,\%groups);
+ &General::writehasharray($confignets,\%nets);
+ }
++sub process_p2p
++{
++ copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols");
++ chmod oct(0777), '/var/ipfire/forward/p2protocols';
++}
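Review bot: `chmod oct(0777), ...` in process_p2p does not set mode 0777. `0777` is already an octal literal (511), and `oct(511)` reads the digits "511" as octal, giving mode 0511, which leaves the file unwritable. The evident intent, world-writable, is also broader than a firewall configuration file needs; a narrower fix is `chmod 0644, '/var/ipfire/forward/p2protocols';` with ownership set to the account the CGI runs as, which is not shown here. The result of `copy(...)` is not checked either, so a missing source file passes silently.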
+--
+1.7.10.4
+
--- /dev/null
+From e12eedfd5ec8d59bc51ec685fc39742fcdd98c69 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 21 Jan 2013 21:26:44 +0100
+Subject: [PATCH 059/302] Forward Firewall: minor improvements, if an
+ outgoingrule has a given port and prot "all", there
+ are two new rules generated for UDP and TCP. If an
+ outgoingrule has only "all" as prot, but no port,
+ there's only one new rule created
+
+---
+ config/forwardfw/convert-outgoingfw | 18 ++++++++++--------
+ config/forwardfw/rules.pl | 4 ++--
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 89cc356..ada4196 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -37,7 +37,7 @@ my %fwdsettings=();
+ &process_groups;
+ &process_rules;
+ &process_p2p;
+-
++system("/usr/local/bin/forwardfwctrl");
+ sub process_groups
+ {
+ if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+@@ -279,16 +279,19 @@ sub process_rules
+ if($configline[0] eq $type){
+ #some variables we can use from old config
+ if($configline[1] eq 'on'){ $active='ON';}else{$active='';}
+- if($configline[3] eq 'all'){
++ if($configline[3] eq 'all' && $configline[8] ne ''){
++ push(@prot,"TCP");
++ push(@prot,"UDP");
++ }elsif($configline[3] eq 'all' && $configline[8] eq ''){
+ push(@prot,"");
+- $useport='ON';
+- $grp3='TGT_PORT';
+ }else{
+ push(@prot,$configline[3]);
+- $useport='ON';
+- $grp3='TGT_PORT';
+ }
+- if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';}
++
++ if($configline[4] ne ''){
++ $configline[4] =~ s/,/;/g;
++ $remark = $configline[4];
++ }else{$remark = '';}
+ if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}
+ if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
+ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
+@@ -472,7 +475,6 @@ sub process_rules
+ }
+ }
+ &General::writehasharray($fwdfwconfig,\%fwconfig);
+- system("/usr/local/bin/forwardfwctrl");
+ @prot=();
+ }
+ close(LOG);
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index b51e76e..55437c0 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -248,12 +248,12 @@ sub p2pblock
+ my @p2pline = split( /\;/, $p2pentry );
+ if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
+ $DO = "DROP";
+- if ("$p2pline[2]" eq "off") {
++ if ("$p2pline[2]" eq "on") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+ }
+ } else {
+ $DO = "RETURN";
+- if ("$p2pline[2]" eq "on") {
++ if ("$p2pline[2]" eq "off") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 023793775b51fe53e668c75dc67138c96d0b0919 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 21 Jan 2013 21:47:32 +0100
+Subject: [PATCH 060/302] Forward Firewall: converter now creates cdir format
+ from ip-addresses
+
+---
+ config/forwardfw/convert-outgoingfw | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index ada4196..03208e6 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -335,8 +335,10 @@ sub process_rules
+ }elsif ($configline[2] eq 'ip') {
+ my $z=&check_ip($configline[5]);
+ if($z){
++ my ($ipa,$subn) = split("/",$z);
++ $subn=&General::iporsubtocidr($subn);
+ $grp1='src_addr';
+- $source=$z;
++ $source="$ipa/$subn";
+ }else{
+ print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+ next;
+@@ -369,8 +371,10 @@ sub process_rules
+ if($configline[7] ne ''){
+ my $address=&check_ip($configline[7]);
+ if($address){
++ my ($dip,$dsub) = split("/",$address);
++ $dsub=&General::iporsubtocidr($dsub);
+ $grp2='tgt_addr';
+- $target=$address;
++ $target="$dip/$dsub";
+ }elsif(!$address){
+ my $getwebsiteip=&get_ip_from_domain($configline[7]);
+ if ($getwebsiteip){
+--
+1.7.10.4
+
--- /dev/null
+From 3455b9f32a3f9b120eb110504a557985a83fd35b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 22 Jan 2013 05:42:46 +0100
+Subject: [PATCH 061/302] Forward Firewall:
+
+1) fixed outgoingfw converter: now checkbox for logging is converted correctly
+2) edited p2p_block: now a checked prot is allowed
+---
+ config/forwardfw/convert-outgoingfw | 2 +-
+ config/forwardfw/rules.pl | 6 +++---
+ html/cgi-bin/forwardfw.cgi | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 03208e6..77f76cb 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -292,7 +292,7 @@ sub process_rules
+ $configline[4] =~ s/,/;/g;
+ $remark = $configline[4];
+ }else{$remark = '';}
+- if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}
++ if($configline[9] eq 'Active'){ $log='ON';}else{$log='';}
+ if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
+ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
+ $time='';
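Review bot: The logging flag is matched against the single literal `'Active'`, where the previous version matched `'aktiv'`. If old rule files can hold either spelling (for example depending on the UI language, which is not visible here), rules written with the other one are converted with logging off and no notice. Accepting both, `if($configline[9] eq 'Active' || $configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}`, or writing a LOG line when an unrecognised non-empty value is seen, avoids silently losing the log setting. process_rules starts and continues outside the hunk.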
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 55437c0..3aa73a1 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -246,12 +246,12 @@ sub p2pblock
+ my $CMD = "-m ipp2p";
+ foreach my $p2pentry (sort @p2ps) {
+ my @p2pline = split( /\;/, $p2pentry );
+- if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
+- $DO = "DROP";
++ if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
++ $DO = "ACCEPT";
+ if ("$p2pline[2]" eq "on") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+ }
+- } else {
++ }else {
+ $DO = "RETURN";
+ if ("$p2pline[2]" eq "off") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
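Review bot: With this change and the label swap in forwardfw.cgi later in the same patch, a stored `on` for a P2P protocol now means allowed where the UI previously labelled it deny. process_p2p (added in PATCH 058) copies `/var/ipfire/outgoing/p2protocols` over unchanged, so a converted installation may end up allowing protocols the administrator had blocked, unless the old file already used on=allow, which is not visible here. Inverting the flag during conversion would close that gap, and a comment in p2pblock such as `# [2] eq 'on' => protocol is allowed` would make the direction explicit. `$p2pline[1]` is also appended to the match string exactly as read from the file. p2pblock starts and continues outside the hunk.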
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index bf35b1f..094c544 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1916,7 +1916,7 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- print"<tr bgcolor='#FFE4B5'><td colspan='7'>$Lang::tr{'fwdfw time'} ";
++ print"<tr bgcolor='#FFE4B5'><td colspan='6'>$Lang::tr{'fwdfw time'} ";
+ print"$weekdays";
+ print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]</td><td colspan='8'></d></tr>";
+ }
+@@ -1951,8 +1951,8 @@ END
+ <td width='66%' align='center' colspan='2'>$p2pline[0]:</td><td width='33%' align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
+ END
+ }
+- print"<tr><td width='10%'><input type='image' img src='/images/on.gif'></td><td>$Lang::tr{'outgoing firewall p2p deny'}</td><td></td></tr>";
+- print"<tr><td width='10%'><input type='image' img src='/images/off.gif'></td><td>$Lang::tr{'outgoing firewall p2p allow'}</td><td></td></tr></table>";
++ print"<tr><td width='10%'><input type='image' img src='/images/on.gif'></td><td>$Lang::tr{'outgoing firewall p2p allow'}</td><td></td></tr>";
++ print"<tr><td width='10%'><input type='image' img src='/images/off.gif'></td><td>$Lang::tr{'outgoing firewall p2p deny'}</td><td></td></tr></table>";
+ &Header::closebox();
+ }
+ sub fillselect
+--
+1.7.10.4
+
--- /dev/null
+From 01d120c63d366ac299a97f6918972f91f911eb1a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 22 Jan 2013 12:28:14 +0100
+Subject: [PATCH 062/302] Forward Firewall: edited language file en.pl and
+ changed 'protocol:' to 'protocol' because in de.pl
+ it is also just 'Protokoll'
+
+---
+ langs/en/cgi-bin/en.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 3ee7a33..2f31a13 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1668,7 +1668,7 @@
+ 'profile saved' => 'Profile saved: ',
+ 'profiles' => 'Profiles:',
+ 'proto' => 'Proto',
+-'protocol' => 'Protocol:',
++'protocol' => 'Protocol',
+ 'proxy' => 'Proxy',
+ 'proxy access graphs' => 'Proxy access graphs',
+ 'proxy admin password' => 'Cache administrator password',
+--
+1.7.10.4
+
--- /dev/null
+From 805b6ad361499e055b4130c070a448fba8cb1fc8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 23 Jan 2013 05:51:30 +0100
+Subject: [PATCH 063/302] Forward Firewall: changed sortorder in group tables
+
+---
+ html/cgi-bin/fwhosts.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 278d57c..1afe0cd 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1348,7 +1348,7 @@ sub viewtablenet
+ END
+ }
+ my $count=0;
+- foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
++ foreach my $key (sort {$a <=> $b} keys %customnetwork) {
+ if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count % 2)
+@@ -1395,7 +1395,7 @@ sub viewtablehost
+ END
+ }
+ my $count=0;
+- foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
++ foreach my $key (sort {$a <=> $b} keys %customhost) {
+ if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
+@@ -1442,7 +1442,7 @@ sub viewtablegrp
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+- foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
++ foreach my $key (sort {$a <=> $b} keys %customgrp){
+
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
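Review bot: Sorting `%customgrp` by its numeric key no longer keeps the entries of one group together, yet the loop still detects a new group with `if ($helper ne $customgrp{$key}[0])`, so a group whose members have non-adjacent keys would presumably get its header printed more than once. The `viewtableservicegrp` hunk has the same mismatch: it now sorts on column 2 but still groups on column 0. Keeping the group name as the primary criterion and the new one as tie-breaker preserves both, `sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) || $a <=> $b } keys %customgrp`. `<=>` also assumes every key is numeric, which is not visible here; the loop bodies continue outside the hunks.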
+@@ -1502,7 +1502,7 @@ sub viewtableservice
+ <table width='100%' border='0'>
+ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
+ END
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice)
++ foreach my $key (sort {$a <=> $b} keys %customservice)
+ {
+ $count++;
+ if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) {
+@@ -1542,7 +1542,7 @@ sub viewtableservicegrp
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $number= keys %customservicegrp;
+- foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ foreach my $key (sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
+ $grpname=$customservicegrp{$key}[0];
+--
+1.7.10.4
+
--- /dev/null
+From 5b5d4bf829cb6fb7ddd6fe5b458da71b52846614 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 23 Jan 2013 15:06:21 +0100
+Subject: [PATCH 064/302] Forward Firewall: deleted symlink to outgoingfwctrl
+ from lfs/initscripts
+
+---
+ lfs/initscripts | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/lfs/initscripts b/lfs/initscripts
+index 428896e..30d90bb 100644
+--- a/lfs/initscripts
++++ b/lfs/initscripts
+@@ -176,8 +176,6 @@ $(TARGET) :
+
+ ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+ ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
+- ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
+- /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+ ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+ /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+ ln -sf ../../../../../usr/local/bin/snortctrl \
+--
+1.7.10.4
+
--- /dev/null
+From e2417616a979fcf97d03b189eaeaa668ddfe9b84 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 24 Jan 2013 05:25:58 +0100
+Subject: [PATCH 065/302] Forward Firewall: changed Layout of P2P table
+
+---
+ html/cgi-bin/forwardfw.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 094c544..0e83c8c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1934,8 +1934,8 @@ sub p2pblock
+ close FILE;
+ &Header::openbox('100%', 'center', 'P2P-Block');
+ print <<END;
+- <table width='40%' border='0'>
+- <tr bgcolor='$color{'color22'}'><td align=center colspan='2' width='30%'><b>$Lang::tr{'protocol'}</b><td width='10%' align=center><b>$Lang::tr{'status'}</b>
++ <table width='35%' border='1'>
++ <tr bgcolor='$color{'color22'}'><td align=center colspan='2' ><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'status'}</b></td></tr>
+ END
+ foreach my $p2pentry (sort @p2ps)
+ {
+@@ -1948,11 +1948,11 @@ END
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <tr bgcolor='$color{'color20'}'>
+- <td width='66%' align='center' colspan='2'>$p2pline[0]:</td><td width='33%' align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
++ <td align='center' colspan='2' >$p2pline[0]:</td><td align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
+ END
+ }
+- print"<tr><td width='10%'><input type='image' img src='/images/on.gif'></td><td>$Lang::tr{'outgoing firewall p2p allow'}</td><td></td></tr>";
+- print"<tr><td width='10%'><input type='image' img src='/images/off.gif'></td><td>$Lang::tr{'outgoing firewall p2p deny'}</td><td></td></tr></table>";
++ print"<tr><td><input type='image' img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
++ print"<tr><td><input type='image' img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
+ &Header::closebox();
+ }
+ sub fillselect
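Review bot: The rewritten table row still interpolates `$p2pline[0]` and `$p2pline[1]` into the page without escaping, the latter inside `value='…'`, so a quote or angle bracket in an entry would break out of the attribute on this admin page. The entries appear to be read from a file (`close FILE;` precedes the loop in the previous hunk) rather than from constants. Either HTML-escape both fields when printing, or reject entries that are not plain tokens before the here-doc, e.g. `next unless $p2pline[1] =~ /\A[a-z0-9]+\z/;`. The `foreach` loop this row belongs to starts outside the hunk.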
+--
+1.7.10.4
+
--- /dev/null
+From dcfbaa3bd32ac77e794a1b34c42948d5726ef404 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 24 Jan 2013 12:50:33 +0100
+Subject: [PATCH 066/302] Forward Firewall: deleted 22-outgoingfwctrl
+
+---
+ config/rootfiles/common/i586/initscripts | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
+index 62c5ff7..652b2c5 100644
+--- a/config/rootfiles/common/i586/initscripts
++++ b/config/rootfiles/common/i586/initscripts
+@@ -80,7 +80,6 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+ etc/rc.d/init.d/networking/red.up/10-miniupnpd
+ etc/rc.d/init.d/networking/red.up/10-multicast
+ etc/rc.d/init.d/networking/red.up/20-RL-firewall
+-etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+ etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+ etc/rc.d/init.d/networking/red.up/24-RS-snort
+ etc/rc.d/init.d/networking/red.up/25-RS-qos
+--
+1.7.10.4
+
--- /dev/null
+From 53f98315e2354f07dffe52656ba849fd47068817 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 24 Jan 2013 14:20:01 +0100
+Subject: [PATCH 067/302] Forward Firewall: set P2Protocols default to "off"
+
+---
+ config/forwardfw/p2protocols | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols
+index d899809..7000581 100644
+--- a/config/forwardfw/p2protocols
++++ b/config/forwardfw/p2protocols
+@@ -1,9 +1,9 @@
+-Applejuice;apple;on;
+-Ares;ares;on;
+-Bittorrent;bit;on;
+-DirectConnect;dc;on;
+-Edonkey;edk;on;
+-Gnutella;gnu;on;
+-KaZaA;kazaa;on;
+-SoulSeek;soul;on;
+-WinMX;winmx;on;
++Applejuice;apple;off;
++Ares;ares;off;
++Bittorrent;bit;off;
++DirectConnect;dc;off;
++Edonkey;edk;off;
++Gnutella;gnu;off;
++KaZaA;kazaa;off;
++SoulSeek;soul;off;
++WinMX;winmx;off;
+--
+1.7.10.4
+
--- /dev/null
+From a3f23751de0f366f34c16f0010d42d560210b41f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 24 Jan 2013 17:37:34 +0100
+Subject: [PATCH 068/302] FOrward Firewall: disabled p2p table border
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 0e83c8c..72d233f 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1934,7 +1934,7 @@ sub p2pblock
+ close FILE;
+ &Header::openbox('100%', 'center', 'P2P-Block');
+ print <<END;
+- <table width='35%' border='1'>
++ <table width='35%' border='0'>
+ <tr bgcolor='$color{'color22'}'><td align=center colspan='2' ><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'status'}</b></td></tr>
+ END
+ foreach my $p2pentry (sort @p2ps)
+--
+1.7.10.4
+
--- /dev/null
+From 639192aa0cf3fc0b0dafc1c7067f6c67ae16d692 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 25 Jan 2013 12:18:28 +0100
+Subject: [PATCH 069/302] Forward Firewall: minor chnages just layout
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 72d233f..8402198 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1951,8 +1951,8 @@ END
+ <td align='center' colspan='2' >$p2pline[0]:</td><td align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
+ END
+ }
+- print"<tr><td><input type='image' img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
+- print"<tr><td><input type='image' img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
++ print"<tr><td><img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
++ print"<tr><td><img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
+ &Header::closebox();
+ }
+ sub fillselect
+--
+1.7.10.4
+
--- /dev/null
+From 7fc3e7a9e2c76c7b891a8818ac7338f784fbf96f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 26 Jan 2013 19:49:24 +0100
+Subject: [PATCH 070/302] Forward Firewall: bugfix: network ip was treated
+ like single host
+
+---
+ config/forwardfw/convert-outgoingfw | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 77f76cb..a230598 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -54,6 +54,7 @@ sub process_groups
+ $ip =~ s/\s//gi;
+ print LOG "Check IP $ip from Group $group ";
+ my $val=&check_ip($ip);
++ print "ALARM IP ist nun: $val"; ############################
+ if($val){
+ push(@hostarray,$val.",ip");
+ print LOG "-> OK\n";
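Review bot: The added `print "ALARM IP ist nun: $val";` goes to STDOUT without a newline, while the surrounding messages are written to the `LOG` handle; the three `print` lines added in the `check_ip` hunk of this commit do the same. If the trace is wanted, route it through the log, `print LOG "check_ip returned: $val\n";`, otherwise drop the lines before merging. `process_groups` starts and ends outside the hunk.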
+@@ -101,13 +102,16 @@ sub check_ip
+ {
+ my $adr=shift;
+ my $a;
++
++ print "habe bekommen: $adr\n";#########################################
+ #ip with subnet in decimal
+ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
++ print "Bin drin, erkannt: cidr\n";################################
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ my $b = &General::iporsubtodec($5);
+ $a=$adr."/".$b;
+- }
+- if($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ print "Hm erkannt ip ohne subnetz, ersetze es\n";#################
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ if(&General::validip($adr)){
+ $a=$adr."/255.255.255.255";
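Review bot: The CIDR pattern in the first branch separates the octets with an unescaped `.`, which matches any character, so values such as `10x0x0x0/24` or a bare digit run like `1020304/24` are accepted as a network. That branch also never range-checks the octets or the prefix length, whereas the `elsif` branch calls `&General::validip`. Escape the dots, `m/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/`, and only build `$a` when `&General::validip($adr)` holds and `$5 <= 32`. `check_ip` continues past the end of the hunk.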
+--
+1.7.10.4
+
--- /dev/null
+From a3f0ef7c75bb620011ea5de94d3dd9dcc19b424e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 26 Jan 2013 21:11:21 +0100
+Subject: [PATCH 071/302] Forward Firewall: fixed converterbug and added
+ ruleposition to new rules in forwardfw.cgi
+
+---
+ config/forwardfw/convert-outgoingfw | 11 +++--------
+ html/cgi-bin/forwardfw.cgi | 32 ++++++++++++++++++++++++++++----
+ 2 files changed, 31 insertions(+), 12 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index a230598..edb1fd0 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -54,7 +54,6 @@ sub process_groups
+ $ip =~ s/\s//gi;
+ print LOG "Check IP $ip from Group $group ";
+ my $val=&check_ip($ip);
+- print "ALARM IP ist nun: $val"; ############################
+ if($val){
+ push(@hostarray,$val.",ip");
+ print LOG "-> OK\n";
+@@ -102,16 +101,12 @@ sub check_ip
+ {
+ my $adr=shift;
+ my $a;
+-
+- print "habe bekommen: $adr\n";#########################################
+ #ip with subnet in decimal
+ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+- print "Bin drin, erkannt: cidr\n";################################
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ my $b = &General::iporsubtodec($5);
+ $a=$adr."/".$b;
+ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+- print "Hm erkannt ip ohne subnetz, ersetze es\n";#################
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ if(&General::validip($adr)){
+ $a=$adr."/255.255.255.255";
+@@ -209,7 +204,7 @@ sub new_hostgrp
+ &General::writehasharray($confighosts,\%hosts);
+ &General::writehasharray($configgroups,\%groups);
+ &General::writehasharray($confignets,\%nets);
+-
++
+ }
+ sub check_host
+ {
+@@ -291,7 +286,7 @@ sub process_rules
+ }else{
+ push(@prot,$configline[3]);
+ }
+-
++
+ if($configline[4] ne ''){
+ $configline[4] =~ s/,/;/g;
+ $remark = $configline[4];
+@@ -557,5 +552,5 @@ sub build_ovpn_grp
+ sub process_p2p
+ {
+ copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols");
+- chmod oct(0777), '/var/ipfire/forward/p2protocols';
++ chmod oct('0777'), '/var/ipfire/forward/p2protocols';
+ }
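Review bot: `oct('0777')` now really yields mode 0777 (the old `oct(0777)` stringified the number to `511` and produced mode 0511), which leaves `/var/ipfire/forward/p2protocols` writable by every local account. By its path this file holds the P2P list of the forward firewall, so it should get the narrowest mode the web interface needs together with the right owner, e.g. `chmod 0644, '/var/ipfire/forward/p2protocols';`. The result of `copy(...)` is not checked either, so a failed copy is silently followed by a chmod on a missing or stale file; `copy(...) or die "copy p2protocols: $!";` would surface it.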
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8402198..4fc74aa 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -134,8 +134,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
+ $fwdfwsettings{'chain'} = 'INPUTFW';
++ my $maxkey=&General::findhasharraykey(\%configinputfw);
+ #check if we have an identical rule already
+- if($fwdfwsettings{'oldrulenumer'} eq $fwdfwsettings{'rulepos'}){
++ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %configinputfw){
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+@@ -151,6 +152,16 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ }
++ #check Rulepos on new Rule
++ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ $fwdfwsettings{'oldrulenumber'}=$maxkey;
++ foreach my $key (sort keys %configinputfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ }
+ #check if we just close a rule
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
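Review bot: `$fwdfwsettings{'rulepos'} > 0` compares a form value numerically without first checking that it is an integer, and this commit also makes the field free text for new rules (`<input type='text' name='rulepos' size='2'>` in the `@@ -1373` hunk), so any string reaches the comparison and presumably the later position handling. Validate it first, e.g. `if($fwdfwsettings{'rulepos'} =~ /\A[1-9]\d*\z/ && !$fwdfwsettings{'oldrulenumber'}){`, and set `$errormessage` for anything else or for a position beyond the existing rules. The same block is repeated for `%configfwdfw` in the `@@ -213` hunk. The long duplicate-rule comparison is now pasted four times; a small helper that joins the compared fields would keep the INPUT and FORWARD paths from drifting apart. The enclosing `saverule` block starts and ends outside the hunk.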
+@@ -196,6 +207,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }else{
+ #FORWARD PART
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
++ my $maxkey=&General::findhasharraykey(\%configfwdfw);
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configfwdfw){
+@@ -213,6 +225,16 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ }
++ #check Rulepos on new Rule
++ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ $fwdfwsettings{'oldrulenumber'}=$maxkey;
++ foreach my $key (sort keys %configfwdfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ }
+ #check if we just close a rule
+ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+@@ -989,7 +1011,7 @@ sub newrule
+ foreach my $key (sort keys %hash){
+ $sum++;
+ if ($key eq $fwdfwsettings{'key'}){
+- $fwdfwsettings{'oldrulenumber'} = $key;
++ $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'};
+ $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0];
+ $fwdfwsettings{'ACTIVE'} = $hash{$key}[2];
+ $fwdfwsettings{'grp1'} = $hash{$key}[3];
+@@ -1080,7 +1102,6 @@ END
+
+ &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
+-
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+@@ -1373,6 +1394,8 @@ END
+ print">$count</option>";
+ }
+ print"</select></td></tr>";
++ }else{
++ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><input type='text' name='rulepos' size='2'></td></tr>";
+ }
+
+ print<<END;
+@@ -1438,7 +1461,8 @@ END
+ <table border='0' width='100%'>
+ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
+ <input type='hidden' name='config' value='$config' >
+- <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++ <input type='hidden' name='ACTION' value='saverule' >
++ </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+ </table></form>
+ END
+ }else{
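Review bot: The re-wrapped line still carries `<input type='hidden' name='ACTION' value'reset'>`, where the `=` after `value` is missing, so the back form does not submit `ACTION=reset` as written; it should read `<input type='hidden' name='ACTION' value='reset'>`. The row is also closed with `</td></td>` where `</td></tr>` is meant. The here-doc begins outside the hunk.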
+--
+1.7.10.4
+
--- /dev/null
+From 95539e7d1f8a35ceff094fc675b1c8d6946c3f72 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 27 Jan 2013 05:08:43 +0100
+Subject: [PATCH 072/302] Forward Firewall: new merge broke en.pl
+
+---
+ langs/en/cgi-bin/en.pl | 2410 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 2410 insertions(+)
+ create mode 100644 langs/en/cgi-bin/en.pl
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+new file mode 100644
+index 0000000..7b6d174
+--- /dev/null
++++ b/langs/en/cgi-bin/en.pl
+@@ -0,0 +1,2410 @@
++%tr = (
++%tr,
++
++'Act as' => 'Act as:',
++'Add Level7 rule' => 'Add Level7 rule',
++'Add Port Rule' => 'Add port rule',
++'Add Rule' => 'Add rule',
++'Add a route' => 'Add a route',
++'Async logging enabled' => 'Enable asynchronous writing of the syslog file',
++'Choose Rule' => 'Choose <u>one</u> of the following rules.',
++'Class' => 'Class',
++'Class was deleted' => 'with potential subclasses was deleted',
++'Client status and controlc' => 'Client status and control:',
++'ConnSched action' => 'Action:',
++'ConnSched add action' => 'Add action',
++'ConnSched change profile title' => 'Change to profile:',
++'ConnSched days' => 'Days:',
++'ConnSched down' => 'Down',
++'ConnSched ipsecstart' => 'IPSec (re)start',
++'ConnSched ipsecstop' => 'IPSec stop',
++'ConnSched reconnect' => 'Reconnect',
++'ConnSched scheduled actions' => 'Scheduled actions',
++'ConnSched scheduler' => 'Scheduler',
++'ConnSched select profile' => 'Select profile',
++'ConnSched time' => 'Time:',
++'ConnSched up' => 'Up',
++'ConnSched weekdays' => 'Days of the week:',
++'Edit an existing route' => 'Edit an existing route',
++'Enter TOS' => 'Activate or deactivate TOS-bits <br /> and then press <i>Save</i>.',
++'Existing Files' => 'Files in database',
++'HDD temperature' => 'HDD temperature',
++'Level7 Protocol' => 'Level7-Protocol',
++'Level7 Rule' => 'Level7-Rule',
++'Level7 rule' => 'Level7 rule',
++'Local VPN IP' => 'Internal Network (GREEN):',
++'MTU' => 'MTU size:',
++'Number of IPs for the pie chart' => 'Number of IPs for the pie chart',
++'Number of Ports for the pie chart' => 'Number of ports for the pie chart',
++'OVPN' => 'OpenVPN',
++'OpenVPN' => 'OpenVPN',
++'Pages' => 'Pages',
++'Ping' => 'Ping :',
++'Port Rule' => 'Port-Rule',
++'QoS not enabled' => 'QoS is not enabled!',
++'Queuelenght' => 'Queuelenght',
++'Remote IP' => 'Remote IP / Hostname (DynDNS):',
++'Remote VPN IP' => 'VPN Subnet (e.g. 10.0.10.0/255.255.255.0):',
++'Resolv' => 'Resolv-Retry:',
++'Scan for Files' => 'Scan for files',
++'Scan from Directory' => 'Scan from directory',
++'Set time on boot' => 'Force setting the system clock on boot',
++'Subclass' => 'Subclass',
++'TOS Bits' => 'TOS-Bits',
++'TOS Rule' => 'TOS-Rule',
++'TOS rule' => 'TOS rule',
++'The class number does not match the specified interface.' => 'The class number does not match the specified interface.',
++'The destination IP address is invalid.' => 'The destination IP address is invalid.',
++'The source IP address is invalid.' => 'The source IP address is invalid.',
++'Utilization on' => 'Utilization on',
++'Verbose' => 'Verbose:',
++'WakeOnLan' => 'Wake On Lan',
++'a ca certificate with this name already exists' => 'A CA certificate with this name already exists.',
++'a connection with this common name already exists' => 'A connection with this common name already exists.',
++'a connection with this name already exists' => 'A connection with this name already exists.',
++'abort' => 'abort',
++'access allowed' => 'Access allowed from:',
++'access refused with this oinkcode' => 'Access refused with this Oink Code',
++'accounting' => 'Accounting',
++'accounting user nonpdc' => 'Accounting - none PDC Mode',
++'accounting user pdc' => 'Accounting - PDC Mode',
++'action' => 'Action',
++'activate' => 'Activate',
++'activate user' => 'Activate user',
++'active' => 'Active',
++'add' => 'Add',
++'add a host' => 'Add a host:',
++'add a new rule' => 'Add a new rule:',
++'add cron' => 'add cronjob',
++'add device' => 'Add device',
++'add network' => 'Add network',
++'add new alias' => 'Add a new alias:',
++'add new lease' => 'Add a new fixed lease',
++'add new ovpn' => 'OpenVPN Settings:',
++'add printer' => 'Add printer',
++'add service' => 'Add service',
++'add share' => 'Add share',
++'add subclass' => 'Add subclass',
++'add user' => 'Add user',
++'add xtaccess' => 'Add External Access',
++'add-route' => 'Additional push route',
++'added from dhcp lease list' => 'Added from DHCP lease list',
++'admin user password has been changed' => 'Admin user password has been changed.',
++'admin users' => 'User with superuser rights',
++'administrator user password' => 'Admin user password:',
++'adsl settings' => 'ADSL settings',
++'advanced' => 'Advanced',
++'advanced server' => 'Advanced server options',
++'advproxy AUTH always required' => 'Require authentication for unrestricted source addresses',
++'advproxy AUTH auth cache TTL' => 'Authentication cache TTL (in minutes)',
++'advproxy AUTH global settings' => 'Global authentication settings',
++'advproxy AUTH limit of IP addresses' => 'Limit of IP addresses per user',
++'advproxy AUTH method' => 'Authentication method',
++'advproxy AUTH method ident' => 'identd',
++'advproxy AUTH method ldap' => 'LDAP',
++'advproxy AUTH method ncsa' => 'Local',
++'advproxy AUTH method none' => 'None',
++'advproxy AUTH method ntlm' => 'Windows',
++'advproxy AUTH method radius' => 'RADIUS',
++'advproxy AUTH no auth' => 'Domains without authentication (one per line)',
++'advproxy AUTH number of auth processes' => 'Number of authentication processes',
++'advproxy AUTH realm' => 'Authentication realm prompt',
++'advproxy AUTH user IP cache TTL' => 'User/IP cache TTL (in minutes)',
++'advproxy IDENT authorized users' => 'Authorized users (one per line)',
++'advproxy IDENT aware hosts' => 'Ident aware hosts (one per line)',
++'advproxy IDENT identd settings' => 'Common identd settings',
++'advproxy IDENT required' => 'Require identd authentication',
++'advproxy IDENT timeout' => 'Ident timeout (in seconds)',
++'advproxy IDENT unauthorized users' => 'Unauthorized users (one per line)',
++'advproxy IDENT use negative access list' => 'Use negative access control',
++'advproxy IDENT use positive access list' => 'Use positive access control',
++'advproxy IDENT user based access restrictions' => 'User based access restrictions',
++'advproxy LDAP ADS' => 'Active Directory',
++'advproxy LDAP NDS' => 'Novell eDirectory',
++'advproxy LDAP V2' => 'LDAP version 2',
++'advproxy LDAP V3' => 'LDAP version 3',
++'advproxy LDAP auth' => 'LDAP authentication',
++'advproxy LDAP basedn' => 'Base DN',
++'advproxy LDAP binddn password' => 'Bind DN password',
++'advproxy LDAP binddn settings' => 'Bind DN settings',
++'advproxy LDAP binddn username' => 'Bind DN username',
++'advproxy LDAP common settings' => 'Common LDAP settings',
++'advproxy LDAP group access control' => 'Group based access control',
++'advproxy LDAP group required' => 'Required group',
++'advproxy LDAP port' => 'Port',
++'advproxy LDAP server' => 'LDAP Server',
++'advproxy LDAP type' => 'LDAP type',
++'advproxy MIME block types' => ' Block these MIME types (one per line)',
++'advproxy MIME filter' => 'MIME type filter',
++'advproxy NCSA auth' => 'Local user authentication',
++'advproxy NCSA create user' => 'Create user',
++'advproxy NCSA group' => 'Group',
++'advproxy NCSA group membership' => 'Group membership',
++'advproxy NCSA grp disabled' => 'Disabled',
++'advproxy NCSA grp extended' => 'Extended',
++'advproxy NCSA grp standard' => 'Standard',
++'advproxy NCSA min password length' => 'Minimum password length',
++'advproxy NCSA no accounts' => 'No user accounts available',
++'advproxy NCSA password' => 'Password',
++'advproxy NCSA password confirm' => 'Password (confirm)',
++'advproxy NCSA redirector bypass' => 'Bypass redirection for members of the group',
++'advproxy NCSA update user' => 'Update user',
++'advproxy NCSA user accounts' => 'User accounts',
++'advproxy NCSA user management' => 'User management',
++'advproxy NCSA username' => 'Username',
++'advproxy NTLM BDC hostname' => 'BDC hostname',
++'advproxy NTLM PDC hostname' => 'PDC hostname',
++'advproxy NTLM auth' => 'Windows NT/2003 authentication',
++'advproxy NTLM auth mode' => 'Authentication mode',
++'advproxy NTLM authorized users' => 'Authorized domain users (one per line)',
++'advproxy NTLM domain' => 'Domain',
++'advproxy NTLM domain settings' => 'Common domain settings',
++'advproxy NTLM unauthorized users' => 'Unauthorized domain users (one per line)',
++'advproxy NTLM use integrated auth' => 'Enable Windows integrated authentication',
++'advproxy NTLM use negative access list' => 'Use negative access control',
++'advproxy NTLM use positive access list' => 'Use positive access control',
++'advproxy NTLM user based access restrictions' => 'User based access restrictions',
++'advproxy RADIUS authorized users' => 'Authorized users (one per line)',
++'advproxy RADIUS identifier' => 'Identifier',
++'advproxy RADIUS port' => 'Port',
++'advproxy RADIUS radius settings' => 'Common RADIUS settings',
++'advproxy RADIUS secret' => 'Shared secret',
++'advproxy RADIUS server' => 'RADIUS Server',
++'advproxy RADIUS unauthorized users' => 'Unauthorized users (one per line)',
++'advproxy RADIUS use negative access list' => 'Use negative access control',
++'advproxy RADIUS use positive access list' => 'Use positive access control',
++'advproxy RADIUS user based access restrictions' => 'User based access restrictions',
++'advproxy UA enable filter' => 'Enable browser check',
++'advproxy access' => 'Access',
++'advproxy admin mail' => 'Cache administrator e-mail',
++'advproxy advanced proxy' => 'Advanced Proxy',
++'advproxy advanced web proxy' => 'Advanced Web Proxy',
++'advproxy advanced web proxy configuration' => 'Advanced web proxy configuration',
++'advproxy allowed subnets' => 'Allowed subnets (one per line)',
++'advproxy allowed web browsers' => 'Allowed clients for web access',
++'advproxy back to main page' => 'Back to main page',
++'advproxy banned ip clients' => 'Banned IP addresses (one per line)',
++'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
++'advproxy cache management' => 'Cache management',
++'advproxy cache replacement policy' => 'Cache replacement policy',
++'advproxy chgwebpwd ERROR' => 'E R R O R :',
++'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :',
++'advproxy chgwebpwd change password' => 'Change password',
++'advproxy chgwebpwd change web password' => 'C h a n g e w e b a c c e s s p a s s w o r d',
++'advproxy chgwebpwd new password' => 'New password',
++'advproxy chgwebpwd new password confirm' => 'New password (confirm)',
++'advproxy chgwebpwd old password' => 'Current password',
++'advproxy chgwebpwd username' => 'Username',
++'advproxy classroom extensions' => 'Classroom extensions',
++'advproxy clear cache' => 'Clear Cache',
++'advproxy client IP forwarding' => 'Client IP address forwarding',
++'advproxy common settings' => 'Common settings',
++'advproxy content based throttling' => 'Enable content based throttling',
++'advproxy cre disabled' => 'The management interface has been disabled by the administrator',
++'advproxy cre group definitions' => 'Classroom group definitions',
++'advproxy cre supervisors' => 'Supervisor IP addresses (one per line)',
++'advproxy destination ports' => 'Destination ports',
++'advproxy download throttling' => 'Download throttling',
++'advproxy enabled' => 'Enabled',
++'advproxy enabled on' => 'Enabled on',
++'advproxy errmsg acl cannot be empty' => 'Access control list cannot be empty',
++'advproxy errmsg auth cache ttl' => 'Invalid value for authentication cache TTL',
++'advproxy errmsg auth children' => 'Invalid number of authentication processes',
++'advproxy errmsg auth ipcache may not be null' => 'Authentication cache TTL may not be 0 when using IP address limits',
++'advproxy errmsg auth ipcache ttl' => 'Invalid value for user/IP cache TTL',
++'advproxy errmsg cache' => 'The RAM cache size is greater than the harddisk cache size:',
++'advproxy errmsg change fail' => 'Password could not be changed',
++'advproxy errmsg change success' => 'Password for web access sucessfully changed',
++'advproxy errmsg hdd cache size' => 'Invalid value for harddisk cache size (min 10 MB required)',
++'advproxy errmsg ident timeout' => 'Invalid ident timeout',
++'advproxy errmsg invalid bdc' => 'Invalid hostname for backup domain controller',
++'advproxy errmsg invalid destination port' => 'Invalid destination port',
++'advproxy errmsg invalid ip or mask' => 'Invalid IP address or network mask',
++'advproxy errmsg invalid mac' => 'Invalid MAC address',
++'advproxy errmsg invalid pdc' => 'Invalid hostname for primary domain controller',
++'advproxy errmsg invalid proxy port' => 'Invalid proxy port',
++'advproxy errmsg invalid upstream proxy' => 'Invalid upstream proxy IP/hostname',
++'advproxy errmsg invalid upstream proxy username or password setting' => 'Invalid upstream proxy username or password setting',
++'advproxy errmsg invalid user' => 'Username does not exist',
++'advproxy errmsg ldap base dn' => 'LDAP base DN required',
++'advproxy errmsg ldap bind dn' => 'LDAP bind DN username and password required',
++'advproxy errmsg ldap port' => 'Invalid LDAP port number',
++'advproxy errmsg ldap server' => 'Invalid IP address/hostname for LDAP Server',
++'advproxy errmsg max userip' => 'Invalid number of IP addresses per user',
++'advproxy errmsg mem cache size' => 'Invalid value for memory cache size',
++'advproxy errmsg no browser' => 'At least one browser or client must be selected for web access',
++'advproxy errmsg no password' => 'Password can not be empty',
++'advproxy errmsg no username' => 'Username can not be empty',
++'advproxy errmsg non-transparent proxy required' => 'Web proxy must be running in non-transparent mode for authentication',
++'advproxy errmsg ntlm domain' => 'Windows domain name required',
++'advproxy errmsg ntlm pdc' => 'Hostname for primary domain controller required',
++'advproxy errmsg password incorrect' => 'Password incorrect',
++'advproxy errmsg password length' => 'Invalid value for password length',
++'advproxy errmsg password length 1' => 'Password must have at least ',
++'advproxy errmsg password length 2' => ' characters',
++'advproxy errmsg passwords different' => 'Passwords don\'t match',
++'advproxy errmsg radius port' => 'Invalid RADIUS port number',
++'advproxy errmsg radius secret' => 'RADIUS shared secret required',
++'advproxy errmsg radius server' => 'Invalid IP address for RADIUS Server',
++'advproxy errmsg time restriction' => 'Invalid time restriction',
++'advproxy error design' => 'Error messages design',
++'advproxy error language' => 'Error messages language',
++'advproxy fake referer' => 'Fake referer submitted to external sites',
++'advproxy fake useragent' => 'Fake useragent submitted to external sites',
++'advproxy friday' => 'Fri',
++'advproxy from' => 'From',
++'advproxy hdd cache size' => 'Harddisk cache size (MB)',
++'advproxy invalid num of children' => 'Invalid number of filter processes',
++'advproxy log enabled' => 'Log enabled',
++'advproxy log query' => 'Log query terms',
++'advproxy log settings' => 'Log settings',
++'advproxy log useragent' => 'Log useragents',
++'advproxy max download size' => 'Max download size (KB)',
++'advproxy max size' => 'Max object size (KB)',
++'advproxy max upload size' => 'Max upload size (KB)',
++'advproxy memory replacement policy' => 'Memory replacement policy',
++'advproxy min size' => 'Min object size (KB)',
++'advproxy mode allow' => 'allow',
++'advproxy mode deny' => 'deny',
++'advproxy monday' => 'Mon',
++'advproxy network based access' => 'Network based access control',
++'advproxy no cache sites' => 'Do not cache these domains (one per line)',
++'advproxy no clients defined' => 'No clients defined',
++'advproxy no connection auth' => 'No connection oriented authentication forwarding',
++'advproxy no cre groups' => 'There are no access groups available',
++'advproxy no internal proxy on blue' => 'Disable internal proxy access from BLUE to other subnets',
++'advproxy no internal proxy on green' => 'Disable internal proxy access to GREEN from other subnets',
++'advproxy number of L1 dirs' => 'Number of level-1 subdirectories',
++'advproxy off' => 'Proxy off',
++'advproxy offline mode' => 'Enable offline mode',
++'advproxy on' => 'Proxy on',
++'advproxy privacy' => 'Privacy',
++'advproxy proxy port' => 'Proxy port',
++'advproxy ram cache size' => 'Memory cache size (MB)',
++'advproxy redirector children' => 'Number of filter processes',
++'advproxy reset' => 'Reset',
++'advproxy saturday' => 'Sat',
++'advproxy save and restart' => 'Save and Restart',
++'advproxy squid version' => 'Squid cache version',
++'advproxy squidclamav' => 'SquidClamav',
++'advproxy ssadvanced proxy' => 'advanced proxy',
++'advproxy ssl ports' => 'Allowed SSL ports (one per line)',
++'advproxy standard' => 'Standard',
++'advproxy standard ports' => 'Allowed standard ports (one per line)',
++'advproxy sunday' => 'Sun',
++'advproxy supervisor password' => 'Supervisor password',
++'advproxy suppress version' => 'Suppress version information',
++'advproxy throttle binary' => 'Binary files',
++'advproxy throttle dskimg' => 'CD images',
++'advproxy throttle mmedia' => 'Multimedia',
++'advproxy throttling per host on' => 'Limit per host on',
++'advproxy throttling total on' => 'Overall limit on',
++'advproxy throttling unlimited' => 'unlimited',
++'advproxy thursday' => 'Thu',
++'advproxy time restrictions' => 'Time restrictions',
++'advproxy to' => 'To',
++'advproxy transfer limits' => 'Transfer limits',
++'advproxy transparent on' => 'Transparent on',
++'advproxy tuesday' => 'Tue',
++'advproxy unknown' => 'Unknown',
++'advproxy unrestricted ip clients' => 'Unrestricted IP addresses (one per line)',
++'advproxy unrestricted mac clients' => 'Unrestricted MAC addresses (one per line)',
++'advproxy update accelerator' => 'Update accelerator',
++'advproxy update information' => 'There is an updated version available for download. Visit <a href="http://www.advproxy.net" target="_blank">http://www.advproxy.net</a> for more information.',
++'advproxy update notification' => 'Update notification!',
++'advproxy upstream password' => 'Upstream password',
++'advproxy upstream proxy' => 'Upstream proxy',
++'advproxy upstream proxy host:port' => 'Upstream proxy (host:port)',
++'advproxy upstream username' => 'Upstream username',
++'advproxy url filter' => 'URL filter',
++'advproxy username forwarding' => 'Username forwarding',
++'advproxy via forwarding' => 'Proxy address forwarding',
++'advproxy visible hostname' => 'Visible hostname',
++'advproxy web browser' => 'Web browser',
++'advproxy wednesday' => 'Wed',
++'again' => 'Again:',
++'aktiv' => 'Active',
++'album' => 'Album',
++'alcatelusb help' => 'To utilise the Speedtouch 330 or Speedtouch USB modem you must upload the firmware to your IPFire box. Please download the <b>Embedded Firmware</b> package for SpeedTouch 330 from speedtouch.com, unzip and then upload the appropriate file for your modem : KQD6_3.xxx when Rev<4 or ZZZL_3.xxx for Rev=4 using the form below.',
++'alcatelusb upload' => 'Upload Speedtouch USB firmware',
++'alias ip' => 'Alias IP',
++'aliases' => 'Aliases',
++'aliases not active' => 'Aliases will not be active unless your RED interface is STATIC',
++'all' => 'All',
++'all interfaces' => 'All Interfaces',
++'all services' => 'All Services',
++'all updates installed' => 'All updates installed',
++'allmsg' => 'show all',
++'alt dialup' => 'Dialup',
++'alt home' => 'Home',
++'alt information' => 'Information',
++'alt logs' => 'Logs',
++'alt ovpn' => 'OpenVPN',
++'alt proxy' => 'Proxy',
++'alt services' => 'Services',
++'alt system' => 'System',
++'alt vpn' => 'VPNs',
++'and' => 'And',
++'ansi t1.483' => 'TO BE REMOVED',
++'apcupsd' => 'APC-UPS status',
++'apply' => 'Apply now',
++'april' => 'April',
++'archive not exist' => 'Configuration archive does not exist',
++'are you sure' => 'Are you sure?',
++'arp table entries' => 'ARP Table Entries:',
++'artist' => 'Artist',
++'attemps' => 'Attempts',
++'attention' => 'ATTENTION',
++'august' => 'August',
++'authentication' => 'Authentication:',
++'automatic' => 'Automatic',
++'available updates' => 'Available updates:',
++'average' => 'Average',
++'avoid dod' => 'Do not use this option with Dial on Demand! Mainly used if your IPFire is behind a router. Your RED IP must be inside one of the three reserved network numbers e.g. 10/8, 172.16/12, 192.168/16',
++'back' => 'BACK',
++'backup' => 'Backup',
++'backup archive' => 'Backup File (.dat)',
++'backup clear archive' => 'Clear Backup File (.gz)',
++'backup config floppy' => 'Backup Configuration - Floppy Disk',
++'backup configuration' => 'Backup Configuration:',
++'backup erase key' => 'Erase key',
++'backup explain key' => 'Backup are encrypted using a key. To avoid illegal backup manipulations, IPFire only restores a backup that is encrypted with the key you will specify here. You have three options available to you',
++'backup explain key li1' => 'let IPFire create key for you.',
++'backup explain key li2' => 'import a saved key (possibly password protected).',
++'backup explain key li3' => 'extract a key from a non-encrypted 1.4.10 backup only.',
++'backup explain key no1' => 'you should save this key if you plan to restore new machines, IPFire accepts only once key creation/import.',
++'backup explain key no2' => 'legacy floppy backups are not concerned with this key.',
++'backup export key' => 'Export key',
++'backup extract key' => 'Extract key',
++'backup from' => 'Backup from',
++'backup generate key' => 'Generate key',
++'backup import dat file' => 'Import a backup (.dat) file',
++'backup import key' => 'Import key',
++'backup key' => 'Backup Encryption Key',
++'backup key file' => 'Backup key file',
++'backup key info' => 'IPFire restricts access to the backup key, thus you must know root password. You have possibility to protect this key outside of IPFire with a password.',
++'backup media info' => 'Floppy and/or unformatted media may display stranges partitions sizes. In this case, select the whole device. Remenber to mount harddisk before removing device. Note: floppy created here are not usable with IPFire installer program!',
++'backup missing key' => 'Need the backup key to restore a set',
++'backup password' => 'Backup password',
++'backup protect key password' => 'Backup key password',
++'backup sets' => 'Backup sets',
++'backup to floppy' => 'Backup to floppy',
++'backupaddon' => 'Addon Backup',
++'backupprofile' => 'In case reconnection fails, switch to profile',
++'backups' => 'backups',
++'backupwarning' => 'Please first restore your main backup and after this your addon backups. Please keep the original filename, given when you download.',
++'bad characters in' => 'Bad characters in ',
++'bad characters in script field' => 'Bad characters in script field',
++'bad characters in the telephone number field' => 'Bad characters in the telephone number field.',
++'bad destination range' => 'The Destination port range has a first value that is greater than or equal to the second value.',
++'bad ignore filter' => 'Bad ignore filter:',
++'bad return code' => 'Helper program returned error code',
++'bad source range' => 'The Source port range has a first value that is greater than or equal to the second value.',
++'bandwidth usage' => 'bandwidth usage (external)',
++'bandwitherror' => 'You cannot change the bandwithsettings, with Qos being enabled. First disable Qos.<p>',
++'bandwithsettings' => 'Bandwithsettings',
++'basic options' => 'Basic Options',
++'beep when ppp connects or disconnects' => 'Beep when IPFire connects or disconnects',
++'behind a proxy' => 'Behind a proxy:',
++'bewan adsl pci st' => 'TO BE REMOVED',
++'bewan adsl usb' => 'TO BE REMOVED',
++'bitrate' => 'Bitrate',
++'bleeding rules' => 'Bleeding Edge Snort Rules',
++'blue' => 'BLUE',
++'blue access' => 'Blue Access',
++'blue access use hint' => 'You have to enter the MAC or the IP Address for a device. To enter both is also possible',
++'blue interface' => 'Blue Interface',
++'broadcast' => 'Broadcast',
++'broken pipe' => 'Broken pipe',
++'buffered memory' => 'Buffered Memory',
++'buffers' => 'buffers',
++'bytes per second' => 'Bytes per Second',
++'bytes received' => 'Bytes Received',
++'bytes sent' => 'Bytes Sent',
++'ca certificate' => 'CA Certificate',
++'ca name' => 'CA name',
++'cache management' => 'Cache management',
++'cache size' => 'Cache size (MB):',
++'cached' => 'cached',
++'cached memory' => 'Cached Memory ',
++'cached swap' => 'Cached Swap',
++'calamaris available reports' => 'Available reports',
++'calamaris byte unit' => 'Byte unit',
++'calamaris create report' => 'Create report',
++'calamaris enable content report' => 'Enable content report',
++'calamaris enable distribution histogram' => 'Enable distribution histogram',
++'calamaris enable domain report' => 'Enable domain report',
++'calamaris enable performance report' => 'Enable performance report',
++'calamaris enable requester report' => 'Enable requester report',
++'calamaris enable verbose reporting' => 'Enable verbose reporting',
++'calamaris high' => 'high',
++'calamaris histogram resolution' => 'Histogram resolution',
++'calamaris low' => 'low',
++'calamaris medium' => 'medium',
++'calamaris no reports available' => 'No reports available',
++'calamaris none' => 'none',
++'calamaris number of content types' => 'Number of content types',
++'calamaris number of domains' => 'Number of domains',
++'calamaris number of requested urls' => 'Number of requested URLs',
++'calamaris number of requesting hosts' => 'Number of requesting hosts',
++'calamaris performance options' => 'Performance options',
++'calamaris proxy reports' => 'Proxy Reports',
++'calamaris refresh list' => 'Refresh list',
++'calamaris report interval (in minutes)' => 'Report interval (in minutes)',
++'calamaris report options' => 'Report options',
++'calamaris report period' => 'Report period',
++'calamaris run as background task' => 'Run as background task',
++'calamaris show usernames' => 'Show usernames',
++'calamaris skip archived logfiles' => 'Skip archived logfiles',
++'calamaris unlimited' => 'unlimited',
++'calamaris view' => 'View',
++'calamaris view report' => 'View report',
++'calc traffic all x minutes' => 'Calculate traffic all x minutes',
++'cancel' => 'Cancel',
++'cancel-adv-options' => 'Cancel',
++'cannot enable both nat traversal and compression' => 'Cannot enable both NAT traversal and compression.',
++'cannot enable ntp without specifying primary' => 'Cannot enable NTP without specifying primary.',
++'cannot specify secondary dns without specifying primary' => 'Cannot specify secondary DNS without specifying primary.',
++'cannot specify secondary ntp without specifying primary' => 'Cannot specify Secondary NTP server without specifying Primary',
++'cannot specify secondary wins without specifying primary' => 'Cannot specify secondary WINS without specifying primary.',
++'cant change certificates' => 'Can\'t change certificates.',
++'cant enable xtaccess' => 'The associated port forwarding rule is disabled, therefore you cannot enable external access for this rule.',
++'cant start openssl' => 'Can\'t start OpenSSL',
++'caps all' => 'ALL',
++'capsclosed' => 'DISCONNECTED',
++'capsinactive' => 'INACTIVE',
++'capsopen' => 'CONNECTED',
++'capswarning' => 'WARNING',
++'caption' => 'Caption',
++'ccd add' => 'Add network',
++'ccd choose net' => 'Choose network',
++'ccd client options' => 'Advanced client options',
++'ccd clientip' => 'Host address',
++'ccd dynrange' => 'Dynamic OpenVPN IP address pool',
++'ccd err blue' => 'This is the BLUE subnet.',
++'ccd err green' => 'This is the GREEN subnet.',
++'ccd err hostinnet' => 'You are not able to delete this network, while it still contains clients.',
++'ccd err inuse' => 'Already used by another client.',
++'ccd err invalidname' => 'Invalid name. Allowed characters are A-Z, a-z, dash and space.',
++'ccd err invalidnet' => 'Invalid IP address. Format: 192.168.0.0/24 or 192.168.0.0/255.255.255.0.',
++'ccd err iroute' => 'Network address for route is invalid.',
++'ccd err irouteexist' => 'This route is already in use.',
++'ccd err isipsecnet' => 'The given subnet address already used by an IPsec network.',
++'ccd err isovpnnet' => 'Subnet address already in use for OpenVPN Server.',
++'ccd err issubnet' => 'Subnet address already in use.',
++'ccd err name' => 'Please choose a name.',
++'ccd err nameexist' => 'Name already exists.',
++'ccd err netadr' => 'Subnet address is invalid or range is too large.',
++'ccd err netadrexist' => 'Network already exists.',
++'ccd err orange' => 'This is the ORANGE subnet.',
++'ccd err red' => 'This is the RED subnet.',
++'ccd err routeovpn' => 'Already used by OpenVPN server.',
++'ccd err routeovpn2' => 'Already pushed from OpenVPN server.',
++'ccd hint' => 'On this page you are able to define static networks from which the roadwarrior clients can get fixed IP address assignments.',
++'ccd invalid' => 'Invalid.',
++'ccd iroute' => 'IPFire has access to these networks on the client\'s site',
++'ccd iroute2' => 'Client has access to these networks on IPFire\'s site',
++'ccd iroutehint' => 'Attention! If you change these settings, you have to restart the OpenVPN server that the changes take effect!',
++'ccd modify' => 'Change network',
++'ccd name' => 'Name',
++'ccd net' => 'Static IP address pools',
++'ccd noaddnet' => 'You can only add new static networks when OpenVPN server is stopped.',
++'ccd none' => 'None',
++'ccd routes' => 'Routing:',
++'ccd subnet' => 'Subnet',
++'ccd used' => 'Used addresses',
++'cert' => 'Certificate',
++'certificate' => 'Certificate',
++'certificate authorities' => 'Certificate Authorities',
++'certificate does not have a valid ca associated with it' => 'Certificate does not have a valid CA associated with it.',
++'certificate file move failed' => 'Certificate file move failed',
++'cfg restart' => 'A reboot is suggested after restoring a configuration archive.',
++'chain' => 'Chain',
++'change passwords' => 'Change passwords',
++'change share' => 'edit share options',
++'check for net traffic update' => 'Check for Net-Traffic updates',
++'check vpn lr' => 'Check',
++'choose config' => 'Choose config',
++'choose media' => 'Choose media',
++'cipher' => 'Encryption:',
++'city' => 'City',
++'class in use' => 'The class is already in use.',
++'clear cache' => 'Clear Cache',
++'clear playlist' => 'Empty playlist',
++'clenabled' => 'Provide time to local network',
++'click to disable' => 'Enabled (click to disable)',
++'click to enable' => 'Disabled (click to enable)',
++'client' => 'Workstation Name',
++'clock has not been synchronized' => 'Clock has not been synchronized',
++'clock last synchronized at' => 'Clock was last synchronized at',
++'comment' => 'Description:',
++'common name' => 'Common name',
++'community rules' => 'Emergingthreats.net Community Rules',
++'comp-lzo' => 'LZO-Compression:',
++'compression' => 'Compression:',
++'computer to modem rate' => 'Computer to modem rate:',
++'concentrator name' => 'Concentrator name:',
++'confirmation' => 'confirmation',
++'connect' => 'OVPN Start / Connect',
++'connect the modem' => 'Connect the modem',
++'connect timeout' => 'Connect timeout:',
++'connected' => 'Connected',
++'connecting' => 'Connecting...',
++'connection' => 'Connection',
++'connection closed' => 'Not connected...',
++'connection debugging' => 'Connection debugging',
++'connection status and controlc' => 'Connection status and control:',
++'connection tracking' => 'IPTables Connection Tracking',
++'connection type' => 'Connection Type',
++'connection type is invalid' => 'Connection type is invalid.',
++'connections' => 'Connections',
++'connections are associated with this ca. deleting the ca will delete these connections as well.' => 'connections are associated with this CA. Deleting the CA will delete these connections as well.',
++'connscheduler' => 'Connection Scheduler',
++'core notice 1' => '<strong>Notice:</strong> There is an core-update from',
++'core notice 2' => 'to',
++'core notice 3' => 'available.',
++'could not be opened' => 'could not be opened.',
++'could not connect to' => 'Could not connect to',
++'could not connect to www ipcop org' => 'Could not connect to www.ipfire.org',
++'could not connect to www ipfire org' => 'Could not connect to www.ipfire.org',
++'could not create directory' => 'Could not create directory.',
++'could not download latest patch list' => 'Could not download latest patch list (not connected).',
++'could not download latest updates' => 'Could not download latest updates.',
++'could not download the available updates list' => 'Could not download the available updates list.',
++'could not open available updates file' => 'Could not open available updates file.',
++'could not open installed updates file' => 'Could not open installed updates file',
++'could not open update information file' => 'Could not open update information file. The update file is corrupt.',
++'could not retrieve common name from certificate' => 'Could not retrieve common name from certificate.',
++'country' => 'Country',
++'cpu frequency per' => 'CPU frequency per',
++'cpu idle usage' => 'Idle CPU Usage',
++'cpu interrupt usage' => 'Interrupt CPU Usage',
++'cpu iowait usage' => 'CPU waiting for IO',
++'cpu irq usage' => 'IRQ CPU Usage',
++'cpu nice usage' => 'Nice CPU Usage',
++'cpu steal usage' => 'Steal CPU Usage',
++'cpu system usage' => 'System CPU Usage',
++'cpu usage per' => 'CPU Usage per',
++'cpu user usage' => 'User CPU Usage',
++'create' => 'Create',
++'create mask' => 'UNIX rights for new created files',
++'create new backup' => 'Create a new backup set',
++'credits' => 'Credits',
++'crl' => 'Certificate Revocation List',
++'cron server' => 'CRON Server',
++'current' => 'Current',
++'current aliases' => 'Current aliases:',
++'current class' => 'Current class',
++'current devices' => 'Current devices',
++'current dhcp leases on blue' => 'Current DHCP leases on BLUE',
++'current dynamic leases' => 'Current dynamic leases',
++'current fixed leases' => 'Current fixed leases',
++'current hosts' => 'Current hosts:',
++'current media' => 'Current media',
++'current ovpn' => 'Active OVPN-Connection:',
++'current playlist' => 'Current Playlist',
++'current profile' => 'Current profile:',
++'current rules' => 'Current rules:',
++'custom networks' => 'Custom networks',
++'custom services' => 'Custom services',
++'daily firewallhits' => 'daily firewallhits',
++'dat without key' => 'An encrypted archive cannot be restored without the key.',
++'date' => 'Date',
++'date not in logs' => 'No (or only partial) logs exist for the day queried',
++'day' => 'Day',
++'day after' => 'Day after',
++'day before' => 'Day before',
++'day-graph' => 'Day',
++'days' => 'days.',
++'dbfile' => 'Dbfile',
++'ddns help dnsmadeeasy' => 'In the field for hostname enter your ID (or a list of IDs seperated by;)',
++'ddns help freedns' => 'In the fied username enter your connect string',
++'ddns help plus' => '<b>+</b> marks a mandatory field',
++'ddns hostname added' => 'Dynamic DNS hostname added',
++'ddns hostname modified' => 'Dynamic DNS hostname modified',
++'ddns hostname removed' => 'Dynamic DNS hostname removed',
++'ddns minimize updates' => 'Minimize updates: before an update, compares the dns IP for hostname "[host.]domain" against RED IP.',
++'ddns noip prefix' => 'To use no-ip in group mode, prefix hostname with <b>%</b>',
++'deactivate' => 'deactivate',
++'deactivate user' => 'deactivate user',
++'debugme' => 'Not yet implemented',
++'december' => 'December',
++'deep scan directories' => 'Scan recursive',
++'def lease time' => 'Default Lease Time',
++'default lease time' => 'Default lease time (mins):',
++'default networks' => 'Default networks',
++'default renewal time' => 'Default Renewal Time',
++'default services' => 'Default services',
++'defaultwarning' => 'WARNING - Your settings will be lost and replaced by the default ones.',
++'delete' => 'Delete',
++'delete cron' => 'Delete cronjob',
++'delete pc' => 'Delete workstation',
++'delete share' => 'Delete share',
++'delete user' => 'Delete user',
++'demon login script' => 'Demon login script',
++'deprecated fs warn' => 'Deprecated filesystem! Newer kernel drop the support. Backup and reformat!',
++'description' => 'Description',
++'dest ip and port' => 'Dest. IP: Port',
++'destination' => 'Destination',
++'destination ip' => 'Destination IP',
++'destination ip bad' => 'Invalid destination IP',
++'destination ip or net' => 'Destination IP or net',
++'destination net' => 'Destination Net',
++'destination port' => 'Destination port',
++'destination port numbers' => 'Destination port must be a valid port number or port range.',
++'destination port overlaps' => 'Destination port range overlaps an existing port range.',
++'detail level' => 'Detail level',
++'device' => 'Device',
++'devices on blue' => 'Devices on BLUE',
++'dhcp advopt add' => 'Add a DHCP option',
++'dhcp advopt added' => 'DHCP option added',
++'dhcp advopt blank value' => 'DHCP Option value cannot be empty.',
++'dhcp advopt custom definition' => 'Your custom option definition',
++'dhcp advopt definition' => 'Definition',
++'dhcp advopt definition exists' => 'Definition option already exists. You can only edit or remove it.',
++'dhcp advopt edit' => 'Edit a DHCP option',
++'dhcp advopt help' => 'List options',
++'dhcp advopt list' => 'Additional DHCP options',
++'dhcp advopt modified' => 'DHCP option modified',
++'dhcp advopt name' => 'Option name',
++'dhcp advopt removed' => 'DHCP option removed',
++'dhcp advopt scope' => 'Option scope',
++'dhcp advopt scope global' => 'Global',
++'dhcp advopt scope help' => 'Global scope or limit scope to checked interfaces.',
++'dhcp advopt unknown' => 'DHCP option name not recognized',
++'dhcp advopt value' => 'Option value',
++'dhcp allow bootp' => 'Allow bootp clients',
++'dhcp base ip fixed lease' => 'Base IP for creating fix leases',
++'dhcp bootp pxe data' => 'Enter optional bootp pxe data for this fixed lease',
++'dhcp configuration' => 'DHCP configuration',
++'dhcp create fixed leases' => 'Create fixed leases',
++'dhcp fixed lease err1' => 'For a fix lease you have to enter the MAC address or the hostname, or you enter both.',
++'dhcp fixed lease help1' => 'IP Addresses might be entered as FQDN',
++'dhcp mode' => 'DHCP',
++'dhcp server' => 'DHCP Server',
++'dhcp server disabled' => 'DHCP server disabled. Stopped.',
++'dhcp server disabled on blue interface' => 'DHCP server disabled on BLUE interface',
++'dhcp server enabled' => 'DHCP server enabled. Restarting.',
++'dhcp server enabled on blue interface' => 'DHCP server enabled on BLUE interface',
++'dhcp-options' => 'DHCP push options',
++'dial' => 'Connect',
++'dial profile' => 'Connect with profile',
++'dial user password' => 'Dial user password:',
++'dial user password has been changed' => 'Dial user password has been changed.',
++'dialing mode' => 'Dialing mode:',
++'dialup red not ppp' => 'Dialup profiles can only used if <b>RED</b> is set to <b>PPP Dialup</b><BR>Check the networking setup.',
++'dialup settings' => 'Dialup Settings',
++'directory mask' => 'UNIX directory rights',
++'directory writeable' => 'directory writeable',
++'disabled' => 'disabled',
++'disconnect' => 'OVPN Stop / Disconnect',
++'disconnects' => 'Disconnects',
++'disk access per' => 'Disk Access per',
++'disk usage' => 'Disk usage',
++'display' => 'Display',
++'display charset' => 'Display Charset',
++'display hostname in window title' => 'Display hostname in window title',
++'display traffic at home' => 'Display calculated traffic on startpage',
++'display webinterface effects' => 'Activate effects',
++'dl client arch' => 'Download Client Package (zip)',
++'dmz' => 'DMZ',
++'dmz pinhole configuration' => 'DMZ pinhole configuration',
++'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',
++'dmz pinhole rule removed' => 'DMZ pinhole rule removed; restarting DMZ pinhole',
++'dmzpinholes for same net not necessary' => 'DMZ Pinholes are not necessary for same net. Select different source or destination net.',
++'dns address deleted' => 'Successfully deleted!',
++'dns address deleted txt' => 'The DNS-Server addresses have been successfully deleted.<br />You have to reboot or reconnect that the changes have effect!',
++'dns address done' => 'The DNS-Server address settings are going to be saved.',
++'dns address recon' => 'Trying to reconnect!',
++'dns check failed' => 'DNS check failed',
++'dns desc' => 'If the red0 interface gets the IP address information via DHCP from the provider, the DNS server addresses will be set automatically. Now here you are able to change these DNS server IP addresses with your own ones.',
++'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
++'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
++'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
++'dns header' => 'Assign DNS server addresses only for DHCP on red0',
++'dns list' => 'List of free public DNS servers',
++'dns menu' => 'Assign DNS-Server',
++'dns new 0' => 'New <strong>primary</strong> DNS server IP:',
++'dns new 1' => 'New <strong>secondary</strong> DNS server IP:',
++'dns proxy server' => 'DNS Proxy Server',
++'dns saved' => 'Successfully saved!',
++'dns saved txt' => 'The two entered DNS server addresses have been saved successfully.<br />You have to reboot or reconnect that the changes have effect!',
++'dns server' => 'DNS Server',
++'dns title' => 'Domain Name System',
++'do not log this port list' => 'Drop this port list just before they are logged (reduces log size)',
++'dod' => 'Dial on Demand',
++'dod for dns' => 'Dial on Demand for DNS:',
++'dod not compatible with ddns' => 'Dial on demand is not compatible with dynamic dns services',
++'dod waiting' => 'Dial on Demand waiting',
++'domain' => 'Domain',
++'domain master' => 'Domain Master',
++'domain name' => 'Domain name',
++'domain name suffix' => 'Domain name suffix:',
++'domain not set' => 'Domain not set.',
++'donation' => 'Donation',
++'donation-link' => 'https://www.paypal.com/en_US/GB/i/btn/btn_donateCC_LG.gif',
++'donation-text' => '<strong>IPFire</strong> is driven and maintained by volunteers in their free time. To keep this project running costs incurred, if you like to support us we would be pleased by a small donation.',
++'done' => 'Do it',
++'dos charset' => 'DOS Charset',
++'down and up speed' => 'Enter your Down- and Uplink-Speed <br /> and then press <i>Save</i>.',
++'downlink speed' => 'Downlink speed (kbit/sec)',
++'downlink std class' => 'downlink standard class',
++'download' => 'download',
++'download ca certificate' => 'Download CA certificate',
++'download certificate' => 'Download certificate',
++'download host certificate' => 'Download host certificate',
++'download new ruleset' => 'Download new ruleset',
++'download pkcs12 file' => 'Download PKCS12 file',
++'download root certificate' => 'Download root certificate',
++'dpd action' => 'Dead Peer Detection action',
++'driver' => 'Driver',
++'drop action' => 'Default behaviour of firewall in mode 1',
++'drop input' => 'Log dropped input pakets',
++'drop newnotsyn' => 'Log dropped new not syn pakets',
++'drop forward' => 'Log dropped forward pakets',
++'drop portscan' => 'Log dropped portscan pakets',
++'drop proxy' => 'Drop all packets not addressed to proxy',
++'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
++'drop wirelessforward' => 'Log dropped wireless forward packets',
++'drop wirelessinput' => 'Log dropped wireless input packets',
++'dst port' => 'Dst Port',
++'dstprt range overlaps' => 'Destination port range overlaps an already defined port.',
++'dstprt within existing' => 'Destination port is within an already defined port range.',
++'duplicate ip' => 'Duplicate IP address entered',
++'duplicate ip bold' => 'Duplicate addresses are in <b>bold</b>',
++'duplicate mac' => 'Duplicate MAC address entered',
++'duplicate name' => 'That name is already being used, please choose another.',
++'dyn dns source choice' => 'Dynamic DNS provider(s) will receive an IP address for this IPFire from:',
++'dynamic dns' => 'Dynamic DNS',
++'dynamic dns client' => 'Dynamic DNS Client',
++'e-mail address too long' => 'E-mail address is too long; it should not be longer than 40 characters.',
++'eciadsl help' => 'To utilise the ECI ADSL modem you must upload a synch.bin file to your IPFire box. Please download the file from the ECIADSL website and then upload the file <b>synch.bin</b> using the form below.',
++'eciadsl upload' => 'Upload ECI ADSL synch.bin file',
++'edit' => 'Edit',
++'edit a rule' => 'Edit an existing rule:',
++'edit advanced settings when done' => 'Edit advanced settings when done.',
++'edit an existing alias' => 'Edit an existing alias',
++'edit an existing host' => 'Edit an existing host',
++'edit an existing lease' => 'Edit an existing lease',
++'edit device' => 'Edit device',
++'edit hosts' => 'Edit Hosts',
++'edit network' => 'Edit network',
++'edit printer' => 'edit printer',
++'edit service' => 'Edit service',
++'edit share' => 'Edit share',
++'editor' => 'Editor',
++'eg' => 'e.g.:',
++'email server can not be empty' => 'E-mail server can not be empty',
++'emailreportlevel' => 'E-mailreportlevel',
++'empty' => 'This field may be left blank',
++'empty profile' => 'empty',
++'enable ignore filter' => 'Enable ignore filter',
++'enable javascript' => 'Enable javascript',
++'enable wildcards' => 'Enable wildcards:',
++'enabled' => 'Enabled:',
++'enabled on' => 'Enabled on',
++'enabledtitle' => 'Enabled',
++'encapsulation' => 'Encapsulation',
++'encrypted' => 'Encrypted',
++'end address' => 'End address:',
++'enter ack class' => 'Enter the ACK- Class <br /> and then press <i>Save</i>.',
++'enter data' => 'Enter your settings <br /> and then press <i>Save</i>.',
++'err bk 1' => 'Error creating archive',
++'err bk 10 password' => 'Error with backup password',
++'err bk 2 key' => 'Error creating key file',
++'err bk 3 tar' => 'Error appending files to archive',
++'err bk 4 gz' => 'Error compressing archive',
++'err bk 5 encrypt' => 'Error encrypting archive',
++'err rs 1' => 'Error restoring archive',
++'err rs 6 decrypt' => 'Error decrypting archive',
++'err rs 7 untartst' => 'Invalid decrypted archive',
++'err rs 8 untar' => 'Error untarring archive',
++'error config' => 'Could not open /var/ipfire/ovpn/config/ZERINA.ovpn !',
++'error external access' => 'Could not open /var/ipfire/xtaccess/config (external acccess could not be granted)!',
++'error messages' => 'Error messages:',
++'esp encryption' => 'ESP Encryption:',
++'esp grouptype' => 'ESP Grouptype:',
++'esp integrity' => 'ESP Integrity:',
++'esp keylife' => 'ESP Keylife:',
++'esp keylife should be between 1 and 24 hours' => 'ESP keylife should be between 1 and 24 hours.',
++'every' => 'Every',
++'exampel' => 'example',
++'exclude logfiles' => 'Exclude logfiles',
++'excluding buffers and cache' => '-/+ buffers/cache',
++'expected' => 'Expected',
++'expertoptions' => 'Expert options',
++'expires' => 'Expires',
++'export' => 'Export',
++'exportkey' => 'Export PSK',
++'external access' => 'External Access',
++'external access configuration' => 'External access configuration',
++'external access rule added' => 'External access rule added; restarting access controller',
++'external access rule changed' => 'External access rule changed; restarting access controller',
++'external access rule removed' => ' External access rule removed; restarting access controller',
++'external aliases configuration' => 'External aliases configuration',
++'extrahd' => 'ExtraHD',
++'extrahd because there is already a device mounted' => ', because there is already a device mounted',
++'extrahd cant umount' => 'Can\'t umount',
++'extrahd detected drives' => 'detected drives',
++'extrahd install or load driver' => 'If your device isn\'t listed here, you need to install or load the driver.<br />If you can see your device but no partitions you have to create them first.',
++'extrahd maybe the device is in use' => '. Maybe the device is in use',
++'extrahd to' => 'to',
++'extrahd to root' => 'to root',
++'extrahd unable to read' => 'Unable to read',
++'extrahd unable to write' => 'Unable to write',
++'extrahd you cant mount' => 'You can\'t mount',
++'false classnumber' => 'The Class-Number does not match the interface.',
++'false max bandwith' => 'Maximum bandwith is false.',
++'false min bandwith' => 'Minimum bandwith is false.',
++'february' => 'February',
++'fetch ip from' => 'Guess the real public IP with help of an external server',
++'filename' => 'Filename',
++'filesystem full' => 'Filesystem full',
++'fireinfo ipfire version' => 'IPFire version',
++'fireinfo is disabled' => 'Fireinfo is disabled',
++'fireinfo is enabled' => 'Fireinfo is enabled',
++'fireinfo is submitted' => 'Your profile is submitted to the fireinfo service.',
++'fireinfo is submitted button' => 'No, I do not want to send my profile anymore',
++'fireinfo kernel version' => 'Kernel version',
++'fireinfo not submitted' => 'Your profile is not submitted to the fireinfo service.',
++'fireinfo not submitted button' => 'Yes, I want to send my profile',
++'fireinfo pakfire version' => 'Pakfire version',
++'fireinfo please enable' => 'Please enable the fireinfo service.',
++'fireinfo settings' => 'Fireinfo settings',
++'fireinfo system version' => 'System versions',
++'fireinfo why descr1' => 'It is very important for the development of IPFire that you enable this',
++'fireinfo why descr2' => 'service. ',
++'fireinfo why enable' => 'Why should I enable fireinfo?',
++'fireinfo why read more' => 'Read more about the reasons.',
++'fireinfo your profile id' => 'Your profile ID',
++'firewall' => 'Firewall',
++'firewall graphs' => 'Firewall Graphs',
++'firewall hits' => 'Total number of firewall hits for',
++'firewall hits per' => 'firewallhits per',
++'firewall log' => 'Firewall log',
++'firewall log viewer' => 'Firewall Log Viewer',
++'firewall logs' => 'Firewall Logs',
++'firewall logs ip' => 'Fw-Logdgraphs (IP)',
++'firewall logs port' => 'Fw-Loggraphs (Port)',
++'firewallhits' => 'firewallhits',
++'firmware' => 'Firmware',
++'firmware upload' => 'Upload Firmware/Drivers',
++'fixed ip lease added' => 'Fixed IP lease added',
++'fixed ip lease modified' => 'Fixed IP lease modified',
++'fixed ip lease removed' => 'Fixed IP lease removed',
++'force update' => 'Force update',
++'force user' => 'force all new file to user',
++'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
++'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
++'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
++'forward firewall' => 'Firewall',
++'fwdfw additional' => 'Additional',
++'fwdfw action' => 'Action',
++'fwdfw menu' => 'Firewall',
++'fwdfw addrule' => 'Add new rule:',
++'fwdfw addr grp' => 'Adress groups:',
++'fwdfw change' => 'Update',
++'fwdfw cust addr' => 'Custom addresses:',
++'fwdfw cust net' => 'Custom networks:',
++'fwdfw copy' => 'Copy',
++'fwdfw delete' => 'Delete',
++'fwdfw edit' => 'Edit',
++'fwdfw err nosrc' => 'No source selected.',
++'fwdfw err nosrcip' => 'Please provide source IP address.',
++'fwdfw err notgt' => 'No target selected.',
++'fwdfw err notgtip' => 'Please provide target IP address.',
++'fwdfw err prot' => 'Source and target protocol have to match.',
++'fwdfw err remark' => 'Invalid chars in remark.',
++'fwdfw err ruleexists' => 'This rule already exists.',
++'fwdfw err src_addr' => 'Invalid source MAC/IP.',
++'fwdfw err same' => 'Identical source and target',
++'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
++'fwdfw err srcport' => 'Please provide source port.',
++'fwdfw err tgtport' => 'Please provide target port.',
++'fwdfw err tgt_addr' => 'Invalid target IP-address.',
++'fwdfw err tgt_port' => 'Invalid target port',
++'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.',
++'fwdfw err tgt_grp' => 'Target servicegroup is empty',
++'fwdfw err time' => 'You have to define at least one day.',
++'fwdfw from' => 'From:',
++'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.',
++'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
++'fwdfw ipsec network' => 'IpSec networks:',
++'fwdfw log rule' => 'Log rule',
++'fwdfw man port' => 'Port(s) manual:',
++'fwdfw moveup' => 'Move up',
++'fwdfw movedown' => 'Move down',
++'fwdfw reread' => 'Apply',
++'fwdfw rules' => 'Rules',
++'fwdfw rule action' => 'Rule action:',
++'fwdfw rule activate' => 'Activate rule',
++'fwdfw rulepos' => 'Ruleposition',
++'fwdfw source' => 'Source',
++'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
++'fwdfw std network' => 'Standard networks:',
++'fwdfw target' => 'Target',
++'fwdfw targetip' => 'Target address (IP or network):',
++'fwdfw till' => 'Till:',
++'fwdfw time' => 'Timeframe:',
++'fwdfw timeframe' => 'Add timeframe',
++'fwdfw toggle' => 'Activate or deactivate',
++'fwdfw togglelog' => 'Activate or deactivate logging',
++'fwdfw use srcport' => 'Use sourceport',
++'fwdfw use srv' => 'Use targetport',
++'fwdfw newrule' => 'New rule',
++'fwdfw wd_mon' => 'Mon',
++'fwdfw wd_tue' => 'Tue',
++'fwdfw wd_wed' => 'Wed',
++'fwdfw wd_thu' => 'Thu',
++'fwdfw wd_fri' => 'Fri',
++'fwdfw wd_sat' => 'Sat',
++'fwdfw wd_sun' => 'Sun',
++'fwhost addgrp' => 'Group:',
++'fwhost addgrpname' => 'Groupname:',
++'fwhost addhost' => 'Address:',
++'fwhost addnet' => 'Network:',
++'fwhost addrule' => 'Add new rule:',
++'fwhost any' => 'Any',
++'fwhost attention' => 'ATTENTION',
++'fwhost back' => 'back',
++'fwhost blue' => 'Blue',
++'fwhost ccdhost' => 'OpenVPN clients:',
++'fwhost ccdnet' => 'OpenVPN networks:',
++'fwhost change' => 'Modify',
++'fwhost changeremark' => 'You just modified the remark!',
++'fwhost cust addr' => 'Custom addresses:',
++'fwhost cust grp' => 'Custom groups:',
++'fwhost cust net' => 'Custom networks:',
++'fwhost cust service' => 'Custom services:',
++'fwhost cust srvgrp' => 'Custom servicegroups',
++'fwhost deleted' => 'Deleted',
++'fwhost empty' => 'No entries by now',
++'fwhost err addr' => 'Invalid IP or subnet!',
++'fwhost err addrgrp' => 'Please provide a groupname!',
++'fwhost err empty' => 'Please fill in all fields!',
++'fwhost err grpexist' => 'Group already exists!',
++'fwhost err groupempty' => 'Selected Group is empty!',
++'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
++'fwhost err name1' => 'Name is empty.',
++'fwhost err netexist' => 'A network with this name already exists!',
++'fwhost err net' => 'Network IP already exists',
++'fwhost err mac' => 'MAC address invalid',
++'fwhost err hostexist' => 'A host with this name already exists!',
++'fwhost err hostip' => 'Net or broadcast not allowed!',
++'fwhost err hostorip' => 'Name or IP invalid.',
++'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
++'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!',
++'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
++'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!',
++'fwhost err isingrp' => 'This entry already exists in the group!',
++'fwhost err ip' => 'IP address invalid.',
++'fwhost err ipmac' => 'IP/MAC address invalid.',
++'fwhost err ipcheck' => 'This IP address is already in use!',
++'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
++'fwhost err partofnet' => 'This network is part of an already existing one!',
++'fwhost err port' => 'Port is empty.',
++'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
++'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
++'fwhost err srv exists' => 'A Service with this name already exists.',
++'fwhost err sub32' => 'Please add single host. This subnet is no network!',
++'fwhost green' => 'Green',
++'fwhost hosts' => 'Firewall Hosts',
++'fwhost hint' => 'Note',
++'fwhost icmptype' => 'ICMP type:',
++'fwhost ipadr' => 'IP address:',
++'fwhost ip_mac' => 'IP/MAC address',
++'fwhost ipsec host' => 'IPsec clients:',
++'fwhost ipsec net' => 'IPsec networks:',
++'fwhost netaddress' => 'Network address:',
++'fwhost newnet' => 'Network',
++'fwhost newhost' => 'Host',
++'fwhost newgrp' => 'Address grouping',
++'fwhost newservice' => 'Service',
++'fwhost newservicegrp' => 'Service grouping',
++'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!',
++'fwhost menu' => 'Firewall Groups',
++'fwhost orange' => 'Orange',
++'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
++'fwhost port' => 'Port(s)',
++'fwhost prot' => 'Protocol',
++'fwhost reset' => 'Cancel',
++'fwhost services' => 'Services',
++'fwhost srv_name' => 'Servicename',
++'fwhost stdnet' => 'Standard networks:',
++'fwhost type' => 'Type',
++'fwhost used' => 'Used',
++'fwhost wo subnet' => '(without subnet)',
++'free' => 'Free',
++'free memory' => 'Free Memory ',
++'free swap' => 'Free Swap',
++'frequency' => 'Frequency',
++'friday' => 'Friday',
++'fritzdsl help' => 'To utilise one of Fritz!DSL fcdsl / fcdslsl / fcdsl2 / fcdslusb / fcdslslusb modem, you must upload a package to your IPFire box. Please download the tarball corresponding to your version from the IPFire website and then upload the entire <b>fcdsl-(your_version).tgz</b> using the form below.',
++'fritzdsl upload' => 'Upload Fritz!DSL driver',
++'from' => 'From',
++'from email adr' => 'From e-mail address',
++'from email pw' => 'From e-mail password',
++'from email server' => 'From Email server',
++'from email user' => 'From e-mail user',
++'from warn email bad' => 'From e-mail address is not valid',
++'fw blue' => 'Firewall options for BLUE interface',
++'fw default drop' => 'Firewall policy',
++'fw logging' => 'Firewall logging',
++'g.dtm' => 'TO BE REMOVED',
++'g.lite' => 'TO BE REMOVED',
++'gateway' => 'Gateway',
++'gateway ip' => 'Gateway IP',
++'gen static key' => 'Generate a static key',
++'generate' => 'Generate root/host zertifikate',
++'generate a certificate' => 'Generate a certificate:',
++'generate iso' => 'Generate ISO',
++'generate root/host certificates' => 'Generate root/host certificates',
++'generate tripwire keys and init' => 'generate tripwire keys and init',
++'generatekeys' => 'Generate Keys',
++'generatepolicy' => 'Generate new policy',
++'generatereport' => 'Generate new report',
++'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient' => 'Generating the root and host certificates may take a long time. It can take up to several minutes on older hardware. Please be patient.',
++'genkey' => 'Generate PSK',
++'genre' => 'Genre',
++'global settings' => 'Global settings',
++'gpl i accept these terms and conditions' => 'I accept these terms and conditions',
++'gpl license agreement' => 'License Agreement',
++'gpl please read carefully the general public license and accept it below' => 'Please read carefully the General Public License and accept it below',
++'gpl unofficial translation of the general public license v3' => 'Unofficial translation of the General Public License v3',
++'graph' => 'Graph',
++'graph per' => 'per',
++'green' => 'GREEN',
++'green interface' => 'Green Interface',
++'guaranteed bandwith' => 'Guaranteed bandwith',
++'guardian alertfile' => 'Alertfile',
++'guardian configuration' => 'Guardian Configuration',
++'guardian ignorefile' => 'Ignorefile',
++'guardian interface' => 'Interface',
++'guardian logfile' => 'Logfile',
++'guardian timelimit' => 'Timelimit',
++'guest ok' => 'allow guests to access',
++'gui settings' => 'GUI Settings',
++'gz with key' => 'Only an encrypted archive can be restored on this machine.',
++'hangup' => 'Disconnect',
++'hangup string' => 'Hangup:',
++'harddisk temperature' => 'Harddisk temperature',
++'harddisk temperature graphs' => 'hdd temperature graphs',
++'hardware graphs' => 'Hardware Graphs',
++'hdd temperature in' => 'Harddisk temperature in',
++'help' => 'Help',
++'high' => 'High',
++'high memory usage' => 'High memory usage',
++'hint' => 'Hint:',
++'holdoff' => 'Holdoff time (in seconds)',
++'host' => 'Host',
++'host allow' => 'list with allowed hosts',
++'host certificate' => 'Host Certificate',
++'host configuration' => 'Host Configuration',
++'host deny' => 'list with denied hosts',
++'host ip' => 'Host IP address',
++'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
++'hostname' => 'Hostname',
++'hostname and domain already in use' => 'Hostname and domain already in use.',
++'hostname cant be empty' => 'Hostname can\'t be empty.',
++'hostname not set' => 'Hostname not set.',
++'hosts config added' => 'Hosts config added',
++'hosts config changed' => 'Hosts config changed',
++'hour' => 'Hour',
++'hour-graph' => 'Hour',
++'hours' => 'hours',
++'hours2' => 'Hours',
++'ibod for dual isdn only' => 'iBOD can only be used with Dual ISDN.',
++'icmp selected but no type' => 'ICMP selected for protocol, but no ICMP type specified.',
++'icmp type' => 'ICMP Type',
++'id' => 'ID',
++'idle' => 'Idle',
++'idle timeout' => 'Idle timeout (mins; 0 to disable):',
++'idle timeout not set' => 'Idle timeout not set.',
++'ids log viewer' => 'IDS log viewer',
++'ids logs' => 'IDS Logs',
++'ids preprocessor' => 'IDS preprocessor',
++'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on',
++'ids rules license1' => '.',
++'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to',
++'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.',
++'ids rules update' => 'Snort rules update',
++'iface' => 'Iface',
++'ignore filter' => 'Ignore filter',
++'ike encryption' => 'IKE Encryption:',
++'ike grouptype' => 'IKE Grouptype:',
++'ike integrity' => 'IKE Integrity:',
++'ike lifetime' => 'IKE Lifetime:',
++'ike lifetime should be between 1 and 8 hours' => 'IKE lifetime should be between 1 and 8 hours.',
++'import' => 'Import',
++'importkey' => 'Import PSK',
++'in' => 'In',
++'inactive' => 'inactive',
++'include logfiles' => 'Include logfiles',
++'incoming' => 'incoming',
++'incoming traffic in bytes per second' => 'Incoming Traffic',
++'incorrect password' => 'Incorrect password',
++'info' => 'Info',
++'init string' => 'Init:',
++'insert floppy' => 'To backup to floppy, insert a formatted floppy into the drive on IPFire and click <i>backup to floppy</i> to backup the system configuration. Please examine the results carefully to make sure the backup completed successfully. This can take a while to complete, so please be patient.<p>',
++'insert removable device' => 'Insert a removable device',
++'install' => 'Install',
++'install new update' => 'Install new update:',
++'installed' => 'Installed',
++'installed updates' => 'Installed updates:',
++'instant update' => 'Instant Update',
++'interface' => 'Interface',
++'interfaces' => 'Interfaces',
++'internet' => 'INTERNET',
++'intrusion detection' => 'Intrusion Detection',
++'intrusion detection system' => 'Intrusion Detection System',
++'intrusion detection system log viewer' => 'Intrusion Detection System Log Viewer',
++'intrusion detection system rules' => 'intrusion detection system rules',
++'intrusion detection system2' => 'Intrusion Detection System:',
++'invalid broadcast ip' => 'Invalid broadcast IP',
++'invalid cache size' => 'Invalid cache size.',
++'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.',
++'invalid date entered' => 'Invalid date entered.',
++'invalid default lease time' => 'Invalid default lease time.',
++'invalid domain name' => 'Invalid domain name.',
++'invalid downlink speed' => 'Invalid downlink speed.',
++'invalid end address' => 'Invalid end address.',
++'invalid fixed ip address' => 'Invalid fixed IP address',
++'invalid fixed mac address' => 'Invalid fixed MAC address',
++'invalid hostname' => 'Invalid hostname.',
++'invalid input' => 'Invalid input',
++'invalid input for authentication method' => 'Invalid input for authentication method.',
++'invalid input for city' => 'Invalid input for city.',
++'invalid input for country' => 'Invalid input for country.',
++'invalid input for department' => 'Invalid input for department.',
++'invalid input for dhcp dns' => 'Invalid input for DHCP DNS',
++'invalid input for dhcp domain' => 'Invalid input for DHCP domain',
++'invalid input for dhcp wins' => 'Invalid input for DHCP WINS',
++'invalid input for e-mail address' => 'Invalid input for e-mail address.',
++'invalid input for esp keylife' => 'Invalid input for ESP Keylife',
++'invalid input for hostname' => 'Invalid input for hostname.',
++'invalid input for ike lifetime' => 'Invalid input for IKE lifetime',
++'invalid input for keepalive 1' => 'Invalid input for Keepalive ping',
++'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2',
++'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart',
++'invalid input for max clients' => 'Invalid input for Max Clients',
++'invalid input for name' => 'Invalid input for user\'s full name or system hostname',
++'invalid input for oink code' => 'Invalid input for Oink code',
++'invalid input for organization' => 'Invalid input for organization',
++'invalid input for remote host/ip' => 'Invalid input for remote host/ip.',
++'invalid input for state or province' => 'Invalid input for state or province.',
++'invalid ip' => 'Invalid IP Address',
++'invalid keep time' => 'Keep time must be a valid number',
++'invalid key' => 'Invalid key.',
++'invalid loaded file' => 'Invalid loaded file',
++'invalid local-remote id' => 'local & remote id must not be equal and begin with a "@" sign. These are leftid and rightid in strongswan terminology.',
++'invalid logserver address' => 'Invalid syslogd server address',
++'invalid mac address' => 'Invalid MAC address',
++'invalid max lease time' => 'Invalid max lease time.',
++'invalid maximum incoming size' => 'Invalid maximum incoming size.',
++'invalid maximum object size' => 'Invalid maximum object size.',
++'invalid maximum outgoing size' => 'Invalid maximum outgoing size.',
++'invalid md5sum' => 'Invalid MD5Sum.',
++'invalid minimum object size' => 'Invalid minimum object size.',
++'invalid mtu input' => 'Invalid MTU',
++'invalid netmask' => 'Invalid netmask',
++'invalid port' => 'Invalid port. Must be a valid port number.',
++'invalid port list' => 'Port list syntax is: port[,port]... where port is in /etc/services or number',
++'invalid primary dns' => 'Invalid primary DNS.',
++'invalid primary ntp' => 'Invalid Primary NTP server address',
++'invalid secondary dns' => 'Invalid secondary DNS.',
++'invalid secondary ntp' => 'Invalid Secondary NTP server address',
++'invalid start address' => 'Invalid start address.',
++'invalid time entered' => 'Invalid time entered.',
++'invalid time period' => 'Invalid time period',
++'invalid uplink speed' => 'Invalid uplink speed.',
++'invalid upstream proxy username or password setting' => 'Invalid upstream proxy username or password setting.',
++'invalid users' => 'list with users denied to access',
++'invalid vpi vpci' => 'Invalid VPI/VPCI settings',
++'invalid wins address' => 'Invalid WINS server address.',
++'invert' => 'Invert',
++'ip address' => 'IP address',
++'ip address in use' => 'IP address already in use',
++'ip address outside subnets' => 'IP Address outside subnets',
++'ip alias added' => 'External IP alias added',
++'ip alias changed' => 'External IP alias changed',
++'ip alias removed' => 'External IP alias removed',
++'ip info' => 'IP Information',
++'ipfire has now rebooted' => 'IPFire is rebooting now.',
++'ipfire has now shutdown' => 'IPFire is shutting down now.',
++'ipfire side' => 'IPFire side:',
++'ipfire side is invalid' => 'IPFire side is invalid.',
++'ipfires hostname' => 'IPFire\'s Hostname',
++'ipinfo' => 'IP info',
++'iptable rules' => 'IPTable rules',
++'iptmangles' => 'IPTable Mangles',
++'iptnats' => 'IPTable Network Address Translation',
++'ipts' => 'IPTables',
++'isdn' => 'ISDN',
++'isdn settings' => 'Additional ISDN settings:',
++'isdn1' => 'Single ISDN',
++'isdn2' => 'Dual ISDN',
++'january' => 'January',
++'javascript menu error1' => 'If the drop down menus aren\'t working, disable javascript on the',
++'javascript menu error2' => 'page.',
++'july' => 'July',
++'june' => 'June',
++'kernel' => 'Kernel',
++'kernel logging server' => 'Kernel Logging Server',
++'kernel version' => 'Kernel version:',
++'key stuff' => '2. Keys and Certificates',
++'keyreset' => 'Reset Keys',
++'keys' => 'keys',
++'lan' => 'LAN',
++'lang' => 'en',
++'languagepurpose' => 'Select the language you wish IPFire to display in:',
++'last activity' => 'Last Activity',
++'lateprompting' => 'Lateprompting',
++'lease expires' => 'Lease expires',
++'legend' => 'Legend',
++'length' => 'Length',
++'line' => 'Line',
++'linkq' => 'Link Quality',
++'load printer' => 'Load Printer',
++'loaded modules' => 'Loaded modules:',
++'local hard disk' => 'Hard disk',
++'local master' => 'Local Master',
++'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled',
++'local subnet' => 'Local Subnet:',
++'local subnet is invalid' => 'Local subnet is invalid.',
++'local vpn hostname/ip' => 'Local VPN Hostname/IP',
++'localkey' => 'Localkey',
++'localkeyfile' => 'Localkeyfile',
++'log' => 'Log:',
++'log enabled' => 'Log Enabled',
++'log level' => 'Log Level',
++'log lines per page' => 'Lines per page',
++'log server address' => 'Syslog server:',
++'log settings' => 'Log Settings',
++'log summaries' => 'Log summaries',
++'log summary' => 'Log Summary',
++'log var messages' => 'Settings for /var/log/messages:',
++'log view' => 'Log View',
++'log viewer' => 'Log viewer',
++'log viewing options' => 'Log viewing options',
++'log-options' => 'Logfile options',
++'loged in at' => 'Logged in at',
++'logging' => 'Logging',
++'logging server' => 'Logging Server',
++'loginlogout' => 'Login/Logout',
++'logs' => 'logs',
++'lookup failed' => 'Reverse lookup failed',
++'loosedirectorychecking' => 'Loosedirectorychecking',
++'low' => 'Low',
++'ls_dhcpd' => 'DHCP Server:',
++'ls_disk space' => 'Disk space:',
++'ls_free/swan' => 'VPN:',
++'ls_httpd' => 'HTTP Server:',
++'ls_init' => 'Init:',
++'ls_kernel' => 'Kernel and Firewall:',
++'ls_modprobe' => 'Module loader:',
++'ls_pam_unix' => 'Local user logins:',
++'ls_sshd' => 'Remote user logins:',
++'ls_syslogd' => 'Syslogd:',
++'mac address' => 'MAC Address',
++'mac address deleted' => 'Successfully deleted!',
++'mac address deleted txt' => 'The MAC address has been successfully deleted, but changes will only take effect after <strong>reboot</strong>.',
++'mac address done' => 'The MAC address settings are going to be saved.',
++'mac address error not 00' => 'MAC addresse has to start with 00!',
++'mac address error not valid' => 'MAC addresse not valid!',
++'mac address header' => 'MAC address on red0',
++'mac address in use' => 'MAC address already in use',
++'mac address menu' => 'Assign MAC-address',
++'mac address recon' => 'Trying to reconnect!',
++'mac address saved' => 'Successfully saved!',
++'mac address saved txt' => 'The MAC address has been successfully saved, but changes will only take effect after reboot or reconnection.',
++'mac address title' => 'Medium Access Control Address',
++'mac desc' => 'Here you are able to change the MAC address on red0. The address must be entered in hexadecimal (0-9,a-f), a valid entry is <br />e.g. 00-01-02-0e-b8-d6 or 00:01:02:0e:b8:d6.',
++'mac new' => 'new MAC address:',
++'mac1 new' => 'new MAC address 1 (vdsl-inet):',
++'mac2 new' => 'new MAC address 2 (vdsl-iptv):',
++'magic packet send to:' => 'Magic packet send to:',
++'mailmethod' => 'Mailmethod',
++'mailprogramm' => 'Mailprogramm',
++'main page' => 'Main page',
++'manage ovpn' => '5. Tunnel Management:',
++'manage printers' => 'manage printers',
++'manage shares' => 'Manage Shares',
++'manual' => 'Manual',
++'manual control and status' => 'Manual control and status:',
++'manually' => 'Manually',
++'map to guest' => 'Map to Guest',
++'march' => 'March',
++'marked' => 'Marked',
++'max bandwith' => 'Maximum bandwith',
++'max incoming size' => 'Max incoming size (KB):',
++'max lease time' => 'Max lease time (mins):',
++'max outgoing size' => 'Max outgoing size (KB):',
++'max reliability' => 'Maximum reliability',
++'max renewal time' => 'Maximum Renewal Time',
++'max retries not set' => 'Max retries not set.',
++'max size' => 'Max object size (KB):',
++'max throughput' => 'Maximum throughput',
++'maximal' => 'Maximal',
++'maximum retries' => 'Maximum retries:',
++'may' => 'May',
++'mbmon display' => 'Display',
++'mbmon fan' => 'Fan Speed',
++'mbmon fan in' => 'Fan speed in',
++'mbmon graphs' => 'mbmon Graphs',
++'mbmon label' => 'Label',
++'mbmon settings' => 'mbmongraph settings',
++'mbmon temp' => 'Temperature',
++'mbmon temp in' => 'Temperature in',
++'mbmon value' => 'Value',
++'mbmon volt' => 'Voltage',
++'meaning' => 'meaning',
++'media' => 'Media',
++'media information' => 'media information',
++'medium' => 'Medium',
++'memory' => 'Memory',
++'memory information' => 'memory information',
++'memory usage per' => 'Memory Usage per',
++'messages logging' => 'Logsettings for /var/log/messages',
++'method' => 'Method:',
++'min costs' => 'Minimum costs',
++'min delay' => 'Minimum delay',
++'min size' => 'Min object size (KB):',
++'minimal' => 'Minimal',
++'minute' => 'Minute',
++'minutes' => 'Minutes',
++'misc-options' => 'Miscellaneous options',
++'missing dat' => 'Encrypted archive not found',
++'missing gz' => 'Unencrypted archive not found',
++'mode' => 'Mode',
++'modem' => 'Modem',
++'modem configuration' => 'Modem configuration',
++'modem on com1' => 'Modem on COM1',
++'modem on com2' => 'Modem on COM2',
++'modem on com3' => 'Modem on COM3',
++'modem on com4' => 'Modem on COM4',
++'modem on com5' => 'Modem on COM5',
++'modem settings have errors' => 'Modem settings have errors',
++'modem speaker on' => 'Modem speaker on:',
++'modify' => 'Modify',
++'modulation' => 'Modulation',
++'monday' => 'Monday',
++'month' => 'Month',
++'month-graph' => 'Month',
++'monthly firewallhits' => 'monthly firewallhits',
++'monthly start day bad' => 'Monthly start day is not correct',
++'monthly traffic bad' => 'Monthly volume is not correct',
++'monthly volume' => 'Monthly volume',
++'monthly volume start day' => 'First day of monthly period',
++'monthly volume start day short' => 'First day',
++'months' => 'months',
++'more' => 'more',
++'mount' => 'Mount',
++'mounted on' => 'Mounted on',
++'mpfire' => 'Media Player for IPFire',
++'mpfire controls' => 'MPFire Control',
++'mpfire playlist' => 'MPFire Playlist',
++'mpfire scanning' => 'Scan for new files',
++'mpfire search' => 'MPFire Search',
++'mpfire songs' => 'MPFire songlist',
++'mpfire webradio' => 'MPFire Webradio',
++'mtu QoS' => 'This does not change the global MTU, it only sets MTU for QoS.',
++'my new share' => 'My new share',
++'name' => 'Name',
++'name is invalid' => 'Name is invalid',
++'name must only contain characters' => 'Name must only contain characters.',
++'name too long' => 'User\'s full name or system hostname is too long',
++'nat-traversal' => 'Nat Traversal:',
++'needreboot' => 'An update requires a restart',
++'net' => 'Net',
++'net address' => 'net address',
++'net config' => 'Network configuration',
++'net config type' => 'kind of network configuration',
++'net config type help' => 'GREEN is the local network, RED is the internet, BLUE is WLAN, ORANGE is the DMZ.',
++'net to net vpn' => 'Net-to-Net Virtual Private Network',
++'net traffic newversion' => 'New Net-Traffic version is available:',
++'net-traffic configuration' => 'Net-Traffic Configuration',
++'netbios name' => 'Netbios Name',
++'netmask' => 'Netmask',
++'network' => 'Network',
++'network added' => 'Custom network added',
++'network configuration' => 'Network Configuration',
++'network internal' => 'Network (internal)',
++'network options' => 'Network options',
++'network other' => 'Network (other)',
++'network red' => 'Network (external)',
++'network removed' => 'Custom network removed',
++'network status information' => 'Network Status Information',
++'network time' => 'Use a network time server:',
++'network time from' => 'Obtain time from a network time server',
++'network traffic graphs' => 'Network traffic graphs',
++'network traffic graphs external' => 'Net-Traffic graphs (external)',
++'network traffic graphs internal' => 'Net-Traffic graphs (internal)',
++'network traffic graphs others' => 'Network (others)',
++'network updated' => 'Custom Network updated',
++'networks settings' => 'Firewall - Network settings',
++'new optionsfw later' => 'Your modification(s) will be active on next restart',
++'new optionsfw must boot' => 'You must reboot your IPFire',
++'newer' => 'Newer',
++'next' => 'next',
++'no' => 'No',
++'no alcatelusb firmware' => 'No Alcatel USB firmware. Please upload.',
++'no cfg upload' => 'No data was uploaded',
++'no dhcp lease' => 'No DHCP lease has been acquired',
++'no eciadsl synch.bin file' => 'No ECI ADSL synch.bin file. Please upload.',
++'no filter pass' => 'Enter the standard class for non-filtered packets.',
++'no fritzdsl driver' => 'No Fritz!DSL driver. Please upload.',
++'no information available' => 'No information available.',
++'no log selected' => 'No log selected',
++'no modem selected' => 'No modem selected',
++'no set selected' => 'No set was selected',
++'no time limit' => 'unlimited time',
++'none found' => 'none found',
++'nonetworkname' => 'No Network Name entered',
++'noservicename' => 'No Service Name entered',
++'not a valid ca certificate' => 'Not a valid CA certificate.',
++'not enough disk space' => 'Not enough disk space',
++'not present' => '<b>Not</b> present',
++'not running' => 'not running',
++'not set' => 'not set',
++'notes' => 'Notes',
++'november' => 'November',
++'ntp common settings' => 'Common settings',
++'ntp configuration' => 'NTP configuration',
++'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
++'ntp server' => 'NTP Server',
++'ntp sync' => 'Synchronization',
++'ntp syncro disabled' => 'NTP synchronization disabled',
++'ntp syncro enabled' => 'NTP synchronization enabled',
++'ntpd restarted' => 'ntpd restarted',
++'number' => 'Number:',
++'o-no' => 'Inactiv',
++'o-yes' => 'Activ',
++'october' => 'October',
++'off' => 'off',
++'ok' => 'OK',
++'older' => 'Older',
++'on' => 'on',
++'online help en' => 'Online help (in english)',
++'only digits allowed in holdoff field' => 'Only digits allowed in holdoff field',
++'only digits allowed in max retries field' => 'Only digits allowed in max retries field.',
++'only digits allowed in the idle timeout' => 'Only digits allowed in the idle timeout.',
++'only red' => 'Only RED',
++'open to all' => 'Override external access to ALL',
++'openssl produced an error' => 'OpenSSL produced an error',
++'openvpn client' => 'OpenVPN client',
++'openvpn default' => 'Default',
++'openvpn destination port used' => 'The destination port is already used by another OpenVPN server.',
++'openvpn disabled' => 'DISABLED',
++'openvpn enabled' => 'ENABLED',
++'openvpn fragment allowed with udp' => 'Using fragment is only allowed when using the UDP protocol.',
++'openvpn log' => 'OpenVPN Log',
++'openvpn mssfix allowed with udp' => 'Using "mssfix" is only allowed when using the UDP protocol.',
++'openvpn prefix local subnet' => 'Using the prefix notation is not supported for the local subnet. Please enter a subnet mask like 255.255.255.0.',
++'openvpn prefix openvpn subnet' => 'Using the prefix notation is not supported for the OpenVPN subnet. Please enter a subnet mask like 255.255.255.0.',
++'openvpn prefix remote subnet' => 'Using the prefix notation is not supported for the remote subnet. Please enter a subnet mask like 255.255.255.0.',
++'openvpn server' => 'OpenVPN server',
++'openvpn subnet is used' => 'The given subnet is used by another OpenVPN server.',
++'optional at cmd' => 'optional AT command',
++'optional data' => '3. Optional Settings:',
++'options' => 'Options',
++'options fw' => 'Firewall Options',
++'optionsfw portlist hint' => 'The list of ports has to be comma separated (e.g. 137,138). You can specify up to a maximum of 15 ports per protocol.',
++'optionsfw warning' => 'Modifying these options implies restart of firewall',
++'or' => 'or',
++'orange' => 'ORANGE',
++'organization cant be empty' => 'Organization can\'t be empty.',
++'organization name' => 'Organization Name',
++'organization too long' => 'Organization is too long; it should not be longer than 60 characters.',
++'original' => 'Original',
++'os level' => 'OS Level',
++'other' => 'Other',
++'other countries' => 'Other countries',
++'other login script' => 'Other login script',
++'otherip' => 'other IP',
++'otherport' => 'other Port',
++'our donors' => 'Our donors',
++'out' => 'Out',
++'outgoing' => 'outgoing',
++'outgoing firewall' => 'Outgoing Firewall',
++'outgoing firewall add ip group' => 'Add IP Address Group',
++'outgoing firewall add mac group' => 'Add MAC Address Group',
++'outgoing firewall edit ip group' => 'Edit IP Address Group',
++'outgoing firewall edit mac group' => 'Edit MAC Address Group',
++'outgoing firewall group error' => 'A group with the same name exists.',
++'outgoing firewall groups' => 'Firewall Groups',
++'outgoing firewall ip groups' => 'Outgoing Firewall IP Address Groups',
++'outgoing firewall mac groups' => 'Outgoing Firewall MAC Address Groups',
++'outgoing firewall mode0' => 'Using this mode, all clients are able to access the internet without any restrictions.',
++'outgoing firewall mode1' => 'Using this mode, only connections based on the defined rules are allowed.',
++'outgoing firewall mode2' => 'Using this mode, all connections are allowed despited off the defined ones.',
++'outgoing firewall outgoing firewall reserved groupname' => 'Please use another group name, this name is reserved.',
++'outgoing firewall p2p allow' => 'p2p protocol is allowed',
++'outgoing firewall p2p deny' => 'p2p protocol is denied',
++'outgoing firewall p2p description 1' => 'The button',
++'outgoing firewall p2p description 2' => 'means that the p2p protocol is allowed or',
++'outgoing firewall p2p description 3' => 'that the p2p protocol is denied.',
++'outgoing firewall reset' => 'Reset all',
++'outgoing firewall view group' => 'View group',
++'outgoing firewall warning' => 'Not selecting source ip or mac ignores them',
++'outgoing traffic in bytes per second' => 'Outgoing Traffic',
++'override mtu' => 'Override default MTU',
++'ovpn' => 'OpenVPN',
++'ovpn con stat' => 'OpenVPN Connection Statistics',
++'ovpn config' => 'OVPN-Config',
++'ovpn device' => 'OpenVPN device:',
++'ovpn dl' => 'OVPN-Config Download',
++'ovpn errmsg green already pushed' => 'Route for green network is always set',
++'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
++'ovpn log' => 'OVPN-Log',
++'ovpn mtu-disc' => 'Path MTU Discovery',
++'ovpn mtu-disc and mtu not 1500' => 'Path MTU Discovery requires a MTU of 1500.',
++'ovpn mtu-disc maybe' => 'Optionally',
++'ovpn mtu-disc no' => 'Never',
++'ovpn mtu-disc off' => 'Disabled',
++'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.',
++'ovpn mtu-disc yes' => 'Forced',
++'ovpn on blue' => 'OpenVPN on BLUE',
++'ovpn on orange' => 'OpenVPN on ORANGE',
++'ovpn on red' => 'OpenVPN on RED',
++'ovpn routes push' => 'Routes (one per line) e.g. 192.168.10.0/255.255.255.0 192.168.20.0/24',
++'ovpn routes push options' => 'Route push options',
++'ovpn server status' => 'Current OpenVPN server status:',
++'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)',
++'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
++'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
++'ovpn_fastio' => 'Fast-IO',
++'ovpn_fragment' => 'Fragmentsize',
++'ovpn_mssfix' => 'MSSFIX Size',
++'ovpn_mtudisc' => 'MTU-Discovery',
++'ovpn_processprio' => 'Process priority',
++'ovpn_processprioD' => 'Deeply',
++'ovpn_processprioED' => 'Extremely deeply',
++'ovpn_processprioEH' => 'Extremely high',
++'ovpn_processprioEN' => 'More highly than normal',
++'ovpn_processprioH' => 'High',
++'ovpn_processprioLN' => 'More deeply than normal',
++'ovpn_processprioN' => 'Normal',
++'ovpn_processprioVD' => 'Very deeply',
++'ovpn_processprioVH' => 'Very high',
++'ovpnstatus log' => 'OVPN-Status-Log',
++'ovpnsys log' => 'OVPN-System-Log',
++'package failed to install' => 'Package failed to install.',
++'pagerefresh' => 'Page is beeing refreshed, please wait.',
++'pakfire accept all' => 'Do you want to install all packages?',
++'pakfire ago' => 'ago.',
++'pakfire available addons' => 'Available Addons:',
++'pakfire configuration' => 'Pakfire Configuration',
++'pakfire core update auto' => 'Install core and addon updates automatically:',
++'pakfire core update level' => 'Core-Update-Level',
++'pakfire health check' => 'Check if mirror is reachable (ping):',
++'pakfire install description' => 'Please choose one or more items from the list below and <br /> click the plus to install.',
++'pakfire install package' => 'You want to install the following packages: ',
++'pakfire installed addons' => 'Installed Addons:',
++'pakfire last core list update' => 'Last core list update made',
++'pakfire last package update' => 'Last packages list update made',
++'pakfire last serverlist update' => 'Last server list update made',
++'pakfire last update' => 'Last update made',
++'pakfire possible dependency' => ' There may be depending packages, here is a list of packages that need to be installed.',
++'pakfire register' => 'Register at pakfire-server:',
++'pakfire system state' => 'System Status',
++'pakfire uninstall description' => 'Please choose one or more items from the list below and <br /> click the minus to uninstall.',
++'pakfire uninstall package' => 'You want to uninstall the following packages: ',
++'pakfire update daily' => 'Search for updates daily:',
++'pakfire updates' => 'Available Update:',
++'pakfire working' => 'Pakfire is working ... Please wait until all operations have completed successfully.',
++'pap or chap' => 'PAP or CHAP',
++'parentclass' => 'Parentclass',
++'parentclass add' => 'Add parentclass',
++'password' => 'Password:',
++'password contains illegal characters' => 'Password contains illegal characters.',
++'password crypting key' => 'Password crypting the key',
++'password not set' => 'Password not set.',
++'password too short' => 'Password is too short.',
++'passwords do not match' => 'Passwords do not match.',
++'passwords must be at least 6 characters in length' => 'Passwords must be at least 6 characters in length',
++'path to directory' => 'path to share',
++'pc' => 'Workstation',
++'pc add' => 'Add workstation',
++'pdc options' => 'PDC options',
++'percentage' => 'Percentage',
++'persistent' => 'Persistent',
++'pfs yes no' => 'Perfect Forward Secrecy (PFS)',
++'phase1 group' => 'Phase1 Group',
++'phonebook entry' => 'Phonebook entry:',
++'ping disabled' => 'Disable ping response',
++'pkcs12 file password' => 'PKCS12 File Password',
++'play' => 'Play',
++'polfile' => 'Polfile',
++'policy' => 'Policy',
++'port' => 'Port',
++'port forwarding configuration' => 'Port forwarding configuration',
++'ports' => 'Ports',
++'portscans' => 'portscancs',
++'pots' => 'Analog classic line',
++'ppp setup' => 'PPP setup',
++'pppoe' => 'PPPoE',
++'pppoe settings' => 'Additional PPPoE settings:',
++'pptp settings' => 'Additional PPTP settings:',
++'pre-shared key is too short' => 'Pre-shared key is too short.',
++'prefered master' => 'Prefered Master',
++'present' => 'Present',
++'prev' => 'previous',
++'primary dns' => 'Primary DNS:',
++'primary ntp server' => 'Primary NTP server',
++'primary wins server address' => 'Primary WINS server address',
++'printcap name' => 'Printercap name',
++'printer' => 'Printer',
++'printername' => 'Printername',
++'printing' => 'Printing',
++'printing options' => 'printing options',
++'priority' => 'Priority',
++'processes' => 'Processes',
++'profile' => 'Profile',
++'profile deleted' => 'Profile deleted: ',
++'profile has errors' => 'Profile has errors',
++'profile made current' => 'Profile made current: ',
++'profile name' => 'Profile name:',
++'profile name not given' => 'Profile name not given.',
++'profile saved' => 'Profile saved: ',
++'profiles' => 'Profiles:',
++'proto' => 'Proto',
++'protocol' => 'Protocol',
++'proxy' => 'Proxy',
++'proxy access graphs' => 'Proxy access graphs',
++'proxy admin password' => 'Cache administrator password',
++'proxy cachemgr' => 'Activate cachemanager',
++'proxy errmsg filedescriptors' => 'Wrong amount of filedescriptors',
++'proxy filedescriptors' => 'Amount of fildescriptors',
++'proxy log viewer' => 'Proxy log viewer',
++'proxy logs' => 'Proxy Logs',
++'proxy no proxy extend' => 'or specify a list of not proxied destination',
++'proxy no proxy local' => 'Disallow local proxying on BLUE/GREEN networks',
++'proxy port' => 'Proxy Port',
++'proxy reconfigure' => 'Save and Reload',
++'proxy reports' => 'Proxy Reports',
++'proxy reports daily' => 'Daily reports',
++'proxy reports monthly' => 'Monthly reports',
++'proxy reports today' => 'Today',
++'proxy reports weekly' => 'Weekly reports',
++'psk' => 'PSK',
++'pulse' => 'Pulse',
++'pulse dial' => 'Pulse dial:',
++'qos add subclass' => 'Add subclass',
++'qos graphs' => 'Qos Graphs',
++'qos warning' => 'The rule <strong>must</strong> be saved, otherwise it will be discarded!',
++'quick control' => 'Quick Control',
++'quick playlist' => 'Quick Playlist',
++'ram' => 'RAM',
++'read bytes' => 'Read Bytes',
++'read list' => 'list with readonly hosts',
++'real address' => 'Real Address',
++'reboot' => 'Reboot',
++'reboot ask' => 'Reboot?',
++'reboot question' => 'Extra query for restart and shutdown',
++'reboot schedule' => 'Schedule IPFire reboots',
++'reboot sure' => 'Are you sure that you want to reboot?',
++'rebooting' => 'Rebooting',
++'rebooting ipfire' => 'Rebooting IPFire',
++'reconnect' => 'Reconnect',
++'reconnection' => 'Reconnection',
++'red' => 'Internet',
++'references' => 'References',
++'refresh' => 'Refresh',
++'refresh index page while connected' => 'Refresh index.cgi page while connected',
++'refresh update list' => 'Refresh update list',
++'registered user rules' => 'Sourcefire VRT rules for registered users',
++'released' => 'Released',
++'reload' => 'reload',
++'remark' => 'Remark',
++'remark title' => 'Remark:',
++'remote access' => 'Remote access',
++'remote announce' => 'Remote Announce',
++'remote browse sync' => 'Remote Browse Sync',
++'remote host/ip' => 'Remote host/IP',
++'remote logging' => 'Remote logging',
++'remote subnet' => 'Remote subnet:',
++'remote subnet is invalid' => 'Remote subnet is invalid.',
++'removable device advice' => 'Plug in a device, refresh, select and mount before usage. Umount before removal.',
++'remove' => 'Remove',
++'remove ca certificate' => 'Remove CA certificate',
++'remove x509' => 'Remove x509',
++'repeat' => 'Repeat',
++'reportfile' => 'Reportfile',
++'reportlevel' => 'Reportlevel',
++'request' => 'Request',
++'requested data' => '1. Connection Settings:',
++'reserved dst port' => 'Destination port is reserved for IPFire use only:',
++'reserved src port' => 'Source port is reserved for IPFire use only:',
++'reset' => 'Reset',
++'reset shares' => 'Reset share',
++'resetglobals' => 'Reset global settings',
++'resetpolicy' => 'Reset policy to default',
++'resetshares' => 'Reset shares?',
++'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Resetting the VPN configuration will remove the root CA, the host certificate and all certificate based connections',
++'restart' => 'Restart',
++'restart ovpn server' => 'Restart OpenVPN server',
++'restore' => 'Restore',
++'restore defaults' => 'Restore defaults',
++'restore hardware settings' => 'Restore hardware settings',
++'restore settings' => 'Reset Settings',
++'reverse sort' => 'Sort in reverse chronological order',
++'root' => 'Root',
++'root certificate' => 'Root certificate',
++'root path' => 'Root path',
++'root user password' => 'Root password',
++'route subnet is invalid' => 'Additional push route subnet is invalid',
++'router ip' => 'Router IP address:',
++'routing table entries' => 'Routing Table Entries:',
++'rsvd dst port overlap' => 'Destination Port Range overlaps a port reserved for IPFire:',
++'rsvd src port overlap' => 'Source Port Range overlaps a port reserved for IPFire:',
++'rules already up to date' => 'Rules already up to date',
++'running' => 'RUNNING',
++'safe removal of umounted device' => 'You can safely remove the unmounted device',
++'samba' => 'Samba',
++'samba status' => 'Samba Status',
++'saturday' => 'Saturday',
++'save' => 'Save',
++'save config' => 'save settings',
++'save error' => 'Unable to save configuration archive file',
++'save settings' => 'Save settings',
++'save-adv-options' => 'Save advanced options',
++'script name' => 'Script name:',
++'secondary dns' => 'Secondary DNS:',
++'secondary ntp server' => 'Secondary NTP server',
++'secondary wins server address' => 'Secondary WINS server address',
++'seconds' => 'Secs',
++'section' => 'Section',
++'secure shell server' => 'Secure Shell Server',
++'security' => 'Security',
++'security options' => 'Security Options',
++'select' => 'Select',
++'select dest net' => 'Select a destination net.',
++'select media' => 'Select media <br />(only FAT supported for removable media)',
++'select source net' => 'Select a source net. If you have no ORAGNE or BLUE net configured, you need no DMZ Pinholes.',
++'selecttraffic' => 'Select utilization-overview:',
++'send cr' => 'ISP requires Carriage Return:',
++'send email notification' => 'Enabled, send e-mail notification',
++'send test mail' => 'Send Teste-mail',
++'september' => 'September',
++'serial' => 'Serial',
++'server reserved' => 'The connection name server is reserved and not allowed',
++'server restart' => 'You are not able to save any changes while the OpenVPN server is running.',
++'server string' => 'Server String',
++'service' => 'Service',
++'service added' => 'Custom network service added',
++'service name' => 'Service name:',
++'service removed' => 'Custom network service removed',
++'service updated' => 'Custom network service updated',
++'servicename' => 'Service Name',
++'services' => 'Services',
++'services settings' => 'Firewall - Services settings',
++'set' => 'set',
++'set time now' => 'Set time now',
++'set time now help' => 'To queue a synchronization event at any time (even while using a repeating schedule), press the <i>Set time now</i> button. Please note that you may have to wait for five minutes, or more, before a sync event occurs.',
++'settings' => 'Settings',
++'shaping add options' => 'Add service',
++'shaping list options' => 'Traffic shaping services',
++'shared' => 'shared',
++'sharename' => 'Sharename',
++'shares' => 'Shares',
++'show ajax speedmeter in footer' => 'Show Ajax speedmeter',
++'show areas' => 'show areas',
++'show ca certificate' => 'Show CA certificate',
++'show certificate' => 'Show certificate',
++'show crl' => 'Show certificate revocation list',
++'show host certificate' => 'Show host certificate',
++'show last x lines' => 'Show last x lines',
++'show lines' => 'Show lines',
++'show root certificate' => 'Show root certificate',
++'show share options' => 'Show shares options',
++'shuffle' => 'Shuffle',
++'shutdown' => 'Shutdown',
++'shutdown ask' => 'Shutdown?',
++'shutdown control' => 'Shutdown control',
++'shutdown sure' => 'Are you sure that you want to shutdown?',
++'shutdown2' => 'Shutdown:',
++'shutting down' => 'Shutting down',
++'shutting down ipfire' => 'Shutting down IPFire',
++'since' => 'since',
++'sitekey' => 'Sitekey',
++'sitekeyfile' => 'Sitekeyfile',
++'size' => 'Size',
++'smart information' => 'S.M.A.R.T. information',
++'smartwarn1' => 'Device:',
++'smartwarn2' => 'reports S.M.A.R.T. error',
++'smbreload' => 'Reload samba',
++'smbrestart' => 'Restart samba',
++'smbstart' => 'Start samba',
++'smbstop' => 'Stop samba',
++'smtphost' => 'SMTP host',
++'smtpport' => 'SMTP port',
++'snort hits' => 'Total of number of Intrusion rules activated for',
++'snort working' => 'Snort is working ... Please wait until all operations have completed successfully.',
++'socket options' => 'Socket options',
++'sort ascending' => 'Sort ascending',
++'sort descending' => 'Sort descending',
++'sound' => 'Sound',
++'source' => 'Source',
++'source ip' => 'Source IP',
++'source ip and port' => 'Source IP: Port',
++'source ip bad' => 'Not a valid IP address or a network address.',
++'source ip in use' => 'Source IP in use:',
++'source ip or net' => 'Source IP or Net',
++'source net' => 'Source Net',
++'source network' => 'Source IP, or network (blank for "ALL"):',
++'source port' => 'Source port',
++'source port in use' => 'Source port in use:',
++'source port numbers' => 'Source port must be a valid port number or port range.',
++'source port overlaps' => 'Source port range overlaps an existing port range.',
++'speaker off' => 'Speaker off:',
++'speaker on' => 'Speaker on:',
++'squid extension methods' => 'Your <tt>extension_methods</tt> list',
++'squid extension methods invalid' => 'Your \'extension_methods\' list can only contain uppercase words of letters and digits, separated with a space. ',
++'squid fix cache' => 'Repair cache',
++'src port' => 'Src Port',
++'srcprt range overlaps' => 'Source port range overlaps an already defined port.',
++'srcprt within existing' => 'Source port is within an already defined port range.',
++'ssdmz pinholes' => 'DMZ Pinholes',
++'ssh access' => 'SSH Access',
++'ssh access tip' => 'IPFire SSH is not using default port 222!',
++'ssh fingerprint' => 'Fingerprint',
++'ssh host keys' => 'SSH Host Keys',
++'ssh is disabled' => 'SSH is disabled. Stopping.',
++'ssh is enabled' => 'SSH is enabled. Restarting.',
++'ssh key' => 'Key',
++'ssh key size' => 'Size (bits)',
++'ssh keys' => 'Allow public key based authentication',
++'ssh no auth' => 'You have not allowed any authentication methods; this will stop you logging in',
++'ssh passwords' => 'Allow password based authentication',
++'ssh port' => 'SSH port set to 22 (default is 222)',
++'ssh portfw' => 'Allow TCP forwarding',
++'ssh tempstart15' => 'Stop SSH demon in 15 minutes',
++'ssh tempstart30' => 'Stop SSH demon in 30 minutes',
++'ssh1 disabled' => 'SSHv1 is disabled, a version 2 client will be required.',
++'ssh1 enabled' => 'SSHv1 is enabled, old clients will be supported.',
++'ssh1 support' => 'Support SSH protocol version 1 (required only for old clients)',
++'ssnetwork status' => 'Network Status',
++'sspasswords' => 'Passwords',
++'ssport forwarding' => 'Port Forwarding',
++'ssproxy graphs' => 'Proxy Graphs',
++'sssystem status' => 'System Status',
++'sstraffic' => 'Net-Traffic',
++'sstraffic graphs' => 'Traffic Graphs',
++'standard login script' => 'Standard login script',
++'start' => 'Start',
++'start address' => 'Start address:',
++'start ovpn server' => 'Start OpenVPN Server',
++'state or province' => 'State or Province',
++'static ip' => 'Static IP',
++'static routes' => 'Static routes',
++'status' => 'Status',
++'status information' => 'Status information',
++'status ovpn' => '4. OpenVPN Status / Configuration:',
++'std classes' => 'Standardclasses',
++'stop' => 'Stop',
++'stop ovpn server' => 'Stop OpenVPN Server',
++'stopped' => 'STOPPED',
++'subject' => 'Subject',
++'subject test' => 'Teste-mail',
++'subject warn' => 'Warning - warnlevel reached',
++'subnet' => 'Subnet',
++'subnet is invalid' => 'Netmask is invalid',
++'subscripted user rules' => 'Sourcefire VRT rules with subscription',
++'successfully refreshed updates list' => 'Successfully refreshed updates list.',
++'summaries kept' => 'Keep summaries for',
++'sunday' => 'Sunday',
++'swap' => 'Swap',
++'swap usage per' => 'Swap usage per',
++'system' => 'System',
++'system graphs' => 'System Graphs',
++'system information' => 'System information',
++'system log viewer' => 'System Log Viewer',
++'system logs' => 'System Logs',
++'system status information' => 'System Status Information',
++'telephone not set' => 'Telephone not set.',
++'template' => 'Preset',
++'template warning' => 'You have two options to set up Qos. The First, you press the save button and generate the classes and rules on your own. The second, you press the preset button and classes and rules will be set up by a template.',
++'test' => 'test',
++'test email could not be sent' => 'Could not sent Testemail',
++'test email was sent' => 'Testemail was send successfully',
++'the following update was successfully installed' => 'The following update was successfully installed',
++'the statistics were last updated at' => 'The statistics were last updated at',
++'theme' => 'Theme',
++'there are updates' => 'There are updates available for your system. Please go to the "updates" section for more information.',
++'there are updates available' => 'There are updates available for your system. It is strongly urged that you install them as soon as possible.',
++'there was no file upload' => 'There was no file upload.',
++'this feature has been sponsored by' => 'This feature has been sponsored by',
++'this field may be blank' => 'This field may be blank.',
++'this is not a valid archive' => 'This is not a valid archive.',
++'this is not an authorised update' => 'This is not an authorised update.',
++'this months volume' => 'This months volume',
++'this update is already installed' => 'This update is already installed.',
++'this weeks volume' => 'This weeks volume',
++'thursday' => 'Thursday',
++'time' => 'Time',
++'time date manually reset' => 'Time/Date manually reset.',
++'time server' => 'Time Server',
++'timeout must be a number' => 'Timeout must be a number.',
++'title' => 'Title',
++'to' => 'To',
++'to email adr' => 'To e-mail address',
++'to install an update' => 'To install an update please upload the .tgz.gpg file below:',
++'to warn email bad' => 'To e-mail address is not valid',
++'toggle' => 'pause/resume',
++'toggle enable disable' => 'Enable or disable',
++'tone' => 'Tone',
++'tone dial' => 'Tone dial:',
++'too long 80 char max' => ' is too long, maximum allowed is 80 characters',
++'total connection time' => 'Total connection time',
++'total hits for log section' => 'Total hits for log section',
++'traffic back' => 'Back',
++'traffic calc time' => 'Time of calculation',
++'traffic calc time bad' => 'Calculation time is not correct',
++'traffic info messages' => 'Info messages',
++'traffic monitor' => 'Traffic Monitor',
++'traffic on' => 'Traffic on',
++'traffic shaping' => 'Traffic Shaping',
++'traffic shaping settings' => 'Traffic Shaping Settings',
++'traffic warn level bad' => 'Warnlevel is not correct',
++'trafficblue' => 'WLAN',
++'trafficdate' => 'Date',
++'trafficfrom' => 'From',
++'trafficgreen' => 'Internal net',
++'trafficin' => 'Input',
++'trafficorange' => 'DMZ',
++'trafficout' => 'Output',
++'trafficred' => 'Internet',
++'traffics' => 'Utilization-overview:',
++'trafficsum' => 'Totals',
++'trafficto' => 'To',
++'transfer limits' => 'Transfer limits',
++'transparent on' => 'Transparent on',
++'tripwire' => 'Tripwire',
++'tripwire cronjob' => 'tripwire cronjob',
++'tripwire functions' => 'tripwire functions',
++'tripwire reports' => 'tripwire reports',
++'tripwireoperating' => 'The process was started. This may take serverall minutes, please wait the window will automaticly refresh after the process has finished.',
++'tripwirewarningdatabase' => 'WARNING - Your database will be updated with the data of the last report. Please ensure that no unauthorized changes are reported. Therefor the local-key is needed.',
++'tripwirewarningkeys' => 'WARNING - This will erase your current keys, config, and database and generate them new.',
++'tripwirewarningpolicy' => 'WARNING - Your policy will be rebuild, after that your database will be reinitalised. Therefor the site-key and the local-key are neeeded.',
++'tuesday' => 'Tuesday',
++'type' => 'Type',
++'umount' => 'Umount',
++'umount removable media before to unplug' => 'Umount removable media before unplugging the device',
++'unable to alter profiles while red is active' => 'Unable to alter profiles while RED is active.',
++'unable to contact' => 'Unable to contact',
++'unencrypted' => 'Unencrypted',
++'uninstall' => 'Uninstall',
++'unix charset' => 'UNIX Charset',
++'unix group' => ' UNIX usergroup',
++'unix password sync' => 'Unix Password Sync',
++'unix shell' => 'UNIX Shell',
++'unknown' => 'UNKNOWN',
++'unnamed' => 'Unnamed',
++'update' => 'Update',
++'update accelerator' => 'Update Accelerator',
++'update time' => 'Update the time:',
++'update transcript' => 'Update transcript',
++'updatedatabase' => 'Update Database with last report',
++'updates' => 'Updates',
++'updates installed' => 'Ruleset update from',
++'updates is old1' => 'Your update file is ',
++'updates is old2' => 'days old. We recommend you update it on the <b>System>Updates</b> page.',
++'updxlrtr 3 months' => 'three months',
++'updxlrtr 6 months' => 'six months',
++'updxlrtr all files' => 'all files ...',
++'updxlrtr cache dir' => 'Cache directory',
++'updxlrtr cache maintenance' => 'Cache maintenance',
++'updxlrtr cache size' => 'Cache size (bytes)',
++'updxlrtr cache statistics' => 'Cache statistics',
++'updxlrtr cancel download' => 'Cancel download',
++'updxlrtr children' => 'Number of accelerator processes',
++'updxlrtr common settings' => 'Common settings',
++'updxlrtr condition download' => 'Download',
++'updxlrtr condition nosource' => 'No source',
++'updxlrtr condition ok' => 'Up to date',
++'updxlrtr condition outdated' => 'Out of date',
++'updxlrtr condition suspended' => 'Suspended',
++'updxlrtr condition unknown' => 'Unknown',
++'updxlrtr configuration' => 'Update accelerator configuration',
++'updxlrtr current downloads' => 'Files being downloaded into the local cache',
++'updxlrtr current files' => 'Current files in local cache',
++'updxlrtr daily' => 'daily',
++'updxlrtr data from cache' => 'Data from cache (bytes)',
++'updxlrtr disk usage' => 'Disk usage',
++'updxlrtr efficiency index' => 'Cache efficiency index',
++'updxlrtr empty repository' => 'Local cache is empty',
++'updxlrtr enable autocheck' => 'Enable automatic source checkup',
++'updxlrtr enable log' => 'Enable log',
++'updxlrtr filename' => 'Name',
++'updxlrtr files' => 'Files',
++'updxlrtr filesize' => 'Size',
++'updxlrtr full autosync' => 'Replace outdated files during checkup',
++'updxlrtr invalid disk usage' => 'Invalid value for max. disk usage',
++'updxlrtr invalid download rate' => 'Invalid value for max. download rate',
++'updxlrtr invalid num of children' => 'Invalid number of accelerator processes',
++'updxlrtr last access' => 'Last cache access',
++'updxlrtr last checkup' => 'Last source checkup',
++'updxlrtr low download priority' => 'Lower CPU priority for downloads',
++'updxlrtr maintenance' => 'Maintenance',
++'updxlrtr marked as' => 'marked as',
++'updxlrtr max disk usage' => 'Max. disk usage',
++'updxlrtr max download rate' => 'Max. external download rate (kBit/s)',
++'updxlrtr month' => 'one month',
++'updxlrtr monthly' => 'monthly',
++'updxlrtr not accessed' => 'not accessed since',
++'updxlrtr not enabled' => 'Update Accelerator is not enabled on the web proxy page',
++'updxlrtr other' => 'Other',
++'updxlrtr passive mode' => 'Enable passive mode',
++'updxlrtr pending downloads' => 'Pending downloads',
++'updxlrtr performance options' => 'Performance options',
++'updxlrtr progress' => 'Progress',
++'updxlrtr purge' => 'Purge',
++'updxlrtr remove file' => 'Remove from cache',
++'updxlrtr save and restart' => 'Save and Restart',
++'updxlrtr source' => 'Source',
++'updxlrtr source checkup' => 'Source checkup',
++'updxlrtr source checkup schedule' => 'Source checkup schedule',
++'updxlrtr statistics' => 'Statistics',
++'updxlrtr statistics by source' => 'Statistics by source',
++'updxlrtr summary' => 'Summary',
++'updxlrtr total cache size' => 'Total cache size (bytes)',
++'updxlrtr total data from cache' => 'Total data delivered from cache (bytes)',
++'updxlrtr total files' => 'Total files in cache',
++'updxlrtr unknown' => 'Unknown',
++'updxlrtr update accelerator' => 'Update Accelerator',
++'updxlrtr update information' => 'There is an updated version available for download. Visit <a href="http://update-accelerator.advproxy.net" target="_blank">http://update-accelerator.advproxy.net</a> for more information.',
++'updxlrtr update notification' => 'Update notification!',
++'updxlrtr web proxy service required' => 'Web proxy service must be enabled to use Update Accelerator',
++'updxlrtr week' => 'one week',
++'updxlrtr weekly' => 'weekly',
++'updxlrtr year' => 'one year',
++'upgrade' => 'upgrade',
++'uplink speed' => 'Uplink speed (kbit/sec)',
++'uplink std class' => 'uplink standard class',
++'upload' => 'Upload',
++'upload a certificate' => 'Upload a certificate:',
++'upload a certificate request' => 'Upload a certificate request:',
++'upload ca certificate' => 'Upload CA certificate',
++'upload fcdsl.o' => 'TO BE REMOVED',
++'upload file' => 'Upload file',
++'upload new ruleset' => 'Upload new ruleset',
++'upload p12 file' => 'Upload PKCS12 file',
++'upload static key' => 'Upload a static key',
++'upload successful' => 'Upload successful.',
++'upload synch.bin' => 'Upload synch.bin',
++'upload update file' => 'Upload update file:',
++'upstream password' => 'Upstream password:',
++'upstream proxy host:port' => 'Upstream proxy (host:port)',
++'upstream username' => 'Upstream username:',
++'uptime and users' => 'Uptime and users:',
++'url filter' => 'Content Filter',
++'urlfilter access' => 'Access',
++'urlfilter activity detection' => 'Activity detection',
++'urlfilter add new time constraint rule' => 'Add new time constraint rule',
++'urlfilter add new user quota rule' => 'Add new user quota rule',
++'urlfilter add rule' => 'Add',
++'urlfilter advanced settings' => 'Advanced settings',
++'urlfilter allow' => 'Allow',
++'urlfilter allow access' => 'Allow access',
++'urlfilter allowed domains' => 'Allowed domains (one per line)',
++'urlfilter allowed urls' => 'Allowed URLs (one per line)',
++'urlfilter assigned quota users' => 'Assigned users (one per line)',
++'urlfilter assigned users' => 'Assigned users',
++'urlfilter automatic blacklist update' => 'Automatic blacklist update',
++'urlfilter automatic update schedule' => 'Automatic update schedule',
++'urlfilter back to main page' => 'Back to main page',
++'urlfilter background image' => 'urlfilter background image',
++'urlfilter background text' => 'To use a custom background image for the block page upload the .jpg file below',
++'urlfilter backup' => 'Create backup file',
++'urlfilter backup error' => 'Unable to create backup file',
++'urlfilter backup settings' => 'Backup URL filter settings',
++'urlfilter banned clients' => 'Banned IP addresses',
++'urlfilter blacklist age 1' => 'Last successful blacklist update was',
++'urlfilter blacklist age 2' => 'days ago',
++'urlfilter blacklist category name' => 'Blacklist category name',
++'urlfilter blacklist editor' => 'Blacklist editor',
++'urlfilter blacklist editor info' => 'Create and edit your own blacklist files',
++'urlfilter blacklist name' => 'Blacklist name',
++'urlfilter blacklist update' => 'Blacklist update',
++'urlfilter block' => 'Block',
++'urlfilter block access' => 'Block access',
++'urlfilter block all' => 'Block all URLs not explicitly allowed',
++'urlfilter block archives' => 'Block compressed archive files',
++'urlfilter block audio-video' => 'Block audio/video files',
++'urlfilter block categories' => 'Block categories',
++'urlfilter block executables' => 'Block executable files',
++'urlfilter block ip' => 'Block sites accessed by it\'s IP address',
++'urlfilter block settings' => 'Block page settings',
++'urlfilter blocked domains' => 'Blocked domains (one per line)',
++'urlfilter blocked expressions' => 'Blocked expressions (as regular expressions)',
++'urlfilter blocked urls' => 'Blocked URLs (one per line)',
++'urlfilter category' => 'Category',
++'urlfilter category all' => 'any',
++'urlfilter category data error' => 'Blacklist is empty',
++'urlfilter category log' => 'Split log by categories',
++'urlfilter category name error' => 'Blacklist category name required',
++'urlfilter client' => 'Client',
++'urlfilter configuration' => 'URL filter configuration',
++'urlfilter constraint definition' => 'Definition',
++'urlfilter constraint outside' => 'outside',
++'urlfilter constraint within' => 'within',
++'urlfilter copy rule' => 'Copy',
++'urlfilter current files' => 'Current files in local repository',
++'urlfilter custom blacklist' => 'Custom blacklist',
++'urlfilter custom expression list' => 'Custom expression list',
++'urlfilter custom url' => 'Custom source URL',
++'urlfilter custom url required' => 'Custom source URL required',
++'urlfilter custom whitelist' => 'Custom whitelist',
++'urlfilter daily' => 'daily',
++'urlfilter disabled' => 'disabled',
++'urlfilter domains' => 'Domains (one per line)',
++'urlfilter dont restart urlfilter' => 'Do not restart URL filter',
++'urlfilter dst' => 'Destination',
++'urlfilter dst error' => 'There must be at least one category selected',
++'urlfilter edit domains urls expressions' => 'Edit domains, URLs and expressions',
++'urlfilter edit time constraint rule' => 'Edit an existing time constraint rule',
++'urlfilter edit user quota rule' => 'Edit an existing user quota rule',
++'urlfilter empty ads' => 'Block "ads" with empty window',
++'urlfilter empty repository' => 'Local file repository is empty',
++'urlfilter enable automatic blacklist update' => 'Enable automatic update',
++'urlfilter enable custom blacklist' => 'Enable custom blacklist',
++'urlfilter enable custom expression list' => 'Enable custom expression list',
++'urlfilter enable custom whitelist' => 'Enable custom whitelist',
++'urlfilter enable expression lists' => 'Enable expression lists',
++'urlfilter enable full backup' => 'Include complete blacklist',
++'urlfilter enable jpeg' => 'Enable background image',
++'urlfilter enable log' => 'Enable log',
++'urlfilter enable rewrite rules' => 'Enable local file redirection',
++'urlfilter enabled' => 'Enabled:',
++'urlfilter example' => 'Example: www.domain.com',
++'urlfilter example ads' => 'Example: www.domain.com/ads/',
++'urlfilter export blacklist' => 'Export blacklist',
++'urlfilter export error' => 'Unable to create export file',
++'urlfilter expressions' => 'Expressions (one per line)',
++'urlfilter file ext block' => 'File extension blocking',
++'urlfilter filename' => 'Name',
++'urlfilter filesize' => 'Size',
++'urlfilter filter settings' => 'URL filter settings',
++'urlfilter fri' => 'F',
++'urlfilter friday' => 'Fri',
++'urlfilter from' => 'From',
++'urlfilter hourly' => 'hourly',
++'urlfilter import blacklist' => 'Import blacklist',
++'urlfilter import text' => 'To import a previously saved blacklist editor file upload the .tar.gz file below',
++'urlfilter install blacklist' => 'Install blacklist',
++'urlfilter install information' => 'The new blacklist will be automatically compiled to prebuilt databases. Depending on the size of the blacklist, this may take several minutes.',
++'urlfilter invalid content' => 'File is not a squidGuard compatible blacklist',
++'urlfilter invalid import file' => 'File is not a valid URL filter blacklist editor file',
++'urlfilter invalid ip or mask error' => 'Invalid IP address or network mask',
++'urlfilter invalid restore file' => 'File is not a valid URL filter backup file',
++'urlfilter invalid user error' => 'Invalid username',
++'urlfilter load blacklist' => 'Load blacklist',
++'urlfilter local file redirection' => 'Local file redirection',
++'urlfilter log' => 'urlfilter log',
++'urlfilter log summary' => 'Total number of URL filter hits for',
++'urlfilter log viewer' => 'URL filter log viewer',
++'urlfilter logs' => 'URL Filter Logs',
++'urlfilter maintenance' => 'URL filter maintenance',
++'urlfilter manage local file repository' => 'Manage local file repository',
++'urlfilter manage repository' => 'Manage repository',
++'urlfilter minutes' => 'minutes',
++'urlfilter mode allow' => 'allow',
++'urlfilter mode block' => 'block',
++'urlfilter mon' => 'M',
++'urlfilter monday' => 'Mon',
++'urlfilter monthly' => 'monthly',
++'urlfilter msg text 1' => 'Message line 1',
++'urlfilter msg text 2' => 'Message line 2',
++'urlfilter msg text 3' => 'Message line 3',
++'urlfilter network access control' => 'Network based access control',
++'urlfilter no categories' => 'No categories available',
++'urlfilter not enabled' => 'URL filter is not enabled on the Web proxy page',
++'urlfilter quota restart message' => 'Note: The counters will be reset for all users when restarting the URL filter',
++'urlfilter quota time error' => 'Invalid value for time quota',
++'urlfilter quota user error' => 'At least one username is required',
++'urlfilter redirectpage' => 'Redirect to this URL',
++'urlfilter remove file' => 'Remove file from repository',
++'urlfilter renewal' => 'Renewal',
++'urlfilter renewal period' => 'Renewal period',
++'urlfilter repository information' => 'Download requests for these files will be redirected from the original source to the local file repository.',
++'urlfilter reset' => 'Reset',
++'urlfilter restart' => 'Restart URL filter',
++'urlfilter restart message' => 'The URL filter must be restarted to activate the changed rules',
++'urlfilter restart notification' => 'Activate changed rules',
++'urlfilter restore' => 'Import backup file',
++'urlfilter restore results' => 'Restore results',
++'urlfilter restore settings' => 'Restore URL filter settings',
++'urlfilter restore success' => 'URL filter configuration has been restored. The URL filter must be restarted to activate the new settings.',
++'urlfilter restore text' => 'To restore a previously saved configuration upload the .tar.gz backup file below',
++'urlfilter safesearch' => 'Enable SafeSearch',
++'urlfilter sat' => 'S',
++'urlfilter saturday' => 'Sat',
++'urlfilter save and restart' => 'Save and Restart',
++'urlfilter save schedule' => 'Save update settings',
++'urlfilter select blacklist' => 'Select existing blacklist',
++'urlfilter select multi' => 'Press ctrl key to select multiple categories',
++'urlfilter select source' => 'Select download source',
++'urlfilter set time constraints' => 'Set time constraints',
++'urlfilter set user quota' => 'Set user quota',
++'urlfilter show category' => 'Show category on block page',
++'urlfilter show dnserror' => 'Use "DNS error" to block URLs',
++'urlfilter show ip' => 'Show IP on block page',
++'urlfilter show url' => 'Show URL on block page',
++'urlfilter source' => 'Source host(s) or network(s)',
++'urlfilter src' => 'Source',
++'urlfilter src error' => 'Source cannot be empty',
++'urlfilter sun' => 'S',
++'urlfilter sunday' => 'Sun',
++'urlfilter tar error' => 'Could not extract files from tar archive',
++'urlfilter thu' => 'T',
++'urlfilter thursday' => 'Thu',
++'urlfilter time' => 'Time',
++'urlfilter time quota' => 'Time quota',
++'urlfilter time space' => 'Time space',
++'urlfilter timebased access control' => 'Time based access control',
++'urlfilter timespace error' => 'Error in time space declaration',
++'urlfilter to' => 'To',
++'urlfilter tue' => 'T',
++'urlfilter tuesday' => 'Tue',
++'urlfilter unfiltered clients' => 'Unfiltered IP addresses',
++'urlfilter update information' => 'There is an updated version available for download. Visit <a href="http://www.urlfilter.net" target="_blank">http://www.urlfilter.net</a> for more information.',
++'urlfilter update notification' => 'Update notification!',
++'urlfilter update now' => 'Update now',
++'urlfilter update results' => 'Blacklist update results',
++'urlfilter update rule' => 'Update',
++'urlfilter upload background' => 'Upload image',
++'urlfilter upload blacklist' => 'Upload blacklist',
++'urlfilter upload file' => 'Upload file',
++'urlfilter upload file information 1' => 'Note',
++'urlfilter upload file information 2' => 'The URL filter needs to be restarted to activate changes to the repository.',
++'urlfilter upload file text' => 'To add a file to the local repository upload the file below',
++'urlfilter upload information' => 'The new blacklist will be automatically compiled to prebuilt databases. Depending on the size of the blacklist, this may take several minutes. Please wait for this task to be finished before restarting the URL filter.',
++'urlfilter upload success' => 'Blacklist upload successfully completed.',
++'urlfilter upload text' => 'To install an updated blacklist upload the .tar.gz file below',
++'urlfilter url filter' => 'URL filter',
++'urlfilter urlfilter blacklist editor' => 'URL filter blacklist editor',
++'urlfilter urls' => 'URLs (one per line)',
++'urlfilter user time quota' => 'Time quota (in minutes)',
++'urlfilter username' => 'Username',
++'urlfilter username log' => 'Log username',
++'urlfilter web proxy service required' => 'Web proxy service must be enabled to use URL filter',
++'urlfilter wed' => 'W',
++'urlfilter wednesday' => 'Wed',
++'urlfilter weekday error' => 'There must be at least one day selected',
++'urlfilter weekly' => 'weekly',
++'urlfilter whitelist always allowed' => 'Allow custom whitelist for banned clients',
++'urlfilter wrong filetype' => 'File has not the extension .tar.gz',
++'usb modem on acm0' => 'USB Modem on ACM0',
++'usb modem on acm1' => 'USB Modem on ACM1',
++'usb modem on acm2' => 'USB Modem on ACM2',
++'usb modem on acm3' => 'USB Modem on ACM3',
++'use' => 'Use',
++'use a pre-shared key' => 'Use a pre-shared key:',
++'use dov' => 'Use data over voice (DOV):',
++'use ibod' => 'Use Bandwidth on Demand (iBOD):',
++'use ipfire red ip' => 'The classical RED IP used by IPFire during connection',
++'use only proposed settings' => 'Use only proposed settings.',
++'used' => 'Used',
++'used memory' => 'Used Memory ',
++'used swap' => 'Used Swap',
++'user' => 'User',
++'user log' => 'user log',
++'user proxy logs' => 'user proxy log',
++'username' => 'Username:',
++'username not set' => 'Username not set.',
++'users department' => 'User\'s department',
++'users email' => 'User\'s E-mail address',
++'users fullname or system hostname' => 'User\'s full name or system hostname',
++'valid root certificate already exists' => 'A valid root certificate already exists.',
++'valid till' => 'Valid till',
++'vci number' => 'VCI number:',
++'view log' => 'view log',
++'virtual address' => 'Virtual Address',
++'virtual private networking' => 'Virtual Private Networking',
++'visible in browselist' => 'visible in browselist',
++'visit us at' => 'Visit us at',
++'voldown10' => 'Decrease volume by 10',
++'voldown5' => 'Decrease volume by 5',
++'volup10' => 'Increase volume by 10',
++'volup5' => 'Increase volume by 5',
++'vpi number' => 'VPI number:',
++'vpn' => 'VPN',
++'vpn aggrmode' => 'IKE aggressive mode allowed. Avoid if possible (preshared key is transmitted in clear text)!',
++'vpn altname syntax' => 'SubjectAltName is a comma separated list of e-mail, dns, uri, rid and ip objects.<br />email:an email address. Syntax email:copy takes the email field from the cert to be used.<br />DNS:a valid domain name.<br />URI:any valid uri.<br />RID:registered object identifier.<br />IP:an IP address.<br />Note:charset is limited and case is significant.<br />Example:<br /><b>e-mail:</b>ipfire@foo.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/to/something',
++'vpn auth-dn' => 'Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field',
++'vpn configuration main' => 'VPN configuration - Main',
++'vpn delayed start' => 'Delay before launching VPN (seconds)',
++'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.',
++'vpn incompatible use of defaultroute' => 'hostname=%defaultroute not allowed',
++'vpn keyexchange' => 'Keyexchange',
++'vpn local id' => 'Local ID',
++'vpn missing remote id' => 'You must specify a correct Distinguished Name (DN) for this authentication.',
++'vpn mtu invalid' => 'MTU must be a numeric value!',
++'vpn no full pki' => 'missing private key to generate cert',
++'vpn on blue' => 'VPN on BLUE',
++'vpn on green' => 'VPN on GREEN',
++'vpn on orange' => 'VPN on ORANGE',
++'vpn payload compression' => 'Negotiate payload compression',
++'vpn red name' => 'Public IP or FQDN for RED interface or <%defaultroute>',
++'vpn remote id' => 'Remote ID',
++'vpn subjectaltname' => 'Subject Alt Name',
++'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)',
++'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
++'waiting to synchronize clock' => 'Waiting to synchronize clock',
++'warn when traffic reaches' => 'Warn when traffic reaches x %',
++'warning messages' => 'Warning messages',
++'was deleted' => 'was deleted',
++'web hits' => 'Total number of websites matching selected criteria for',
++'web proxy' => 'Web Proxy',
++'web proxy configuration' => 'Web proxy configuration',
++'web server' => 'Web Server',
++'webradio playlist' => 'Webradio Playlist',
++'website' => 'Website',
++'wednesday' => 'Wednesday',
++'week' => 'Week',
++'week-graph' => 'Week',
++'weekly firewallhits' => 'weekly firewallhits',
++'weeks' => 'weeks',
++'wildcards' => 'Wildcards',
++'wins server' => 'Wins Server',
++'wins support' => 'Wins Support',
++'wireless' => 'Wireless',
++'wireless config added' => 'Wireless config added',
++'wireless config changed' => 'Wireless config changed',
++'wireless configuration' => 'Wireless Configuration',
++'wlanap access point' => 'Access Point',
++'wlanap channel' => 'Channel',
++'wlanap debugging' => 'Debugging',
++'wlanap del interface' => 'Remove selected interface?',
++'wlanap encryption' => 'Encryption',
++'wlanap informations' => 'Informations',
++'wlanap interface' => 'Select interface',
++'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.',
++'wlanap link dhcp' => 'Wireless lan DHCP configuration',
++'wlanap link wireless' => 'Activate wireless lan clients',
++'wlanap no interface' => 'Selected interface is not a wirless lan card!',
++'wlanap none' => 'none',
++'wlanap notifications' => 'Notifications',
++'wlanap select interface' => 'Please select the wireless lan interface.',
++'wlanap verbose' => 'Verbose',
++'wlanap warnings' => 'Warnings',
++'wlanap wlan card' => 'WLan Card',
++'wlanap wlan services' => 'WLan Services',
++'wlanap wlan settings' => 'WLan Settings',
++'wlanap wlan status' => 'WLan Status',
++'wol wakeup' => 'WakeUp',
++'workgroup' => 'Workgroup',
++'written bytes' => 'Writen Bytes',
++'xtaccess all error' => 'You cannot set an external access to ALL, that is done in the port forwarding record.',
++'xtaccess bad transfert' => 'If you specify a port destination range, the source range must be identical !',
++'year' => 'Year',
++'year-graph' => 'Year',
++'yearly firewallhits' => 'yearly firewallhits',
++'yes' => 'Yes',
++'you can only define one roadwarrior connection when using pre-shared key authentication' => 'You can only define one Roadwarrior connection when using pre-shared key authentication.<br />Either you already have a Roadwarrior connection with pre-shared key authentication, or you\'re trying to add one now.',
++'your department' => 'Your department',
++'your e-mail' => 'Your e-mail address',
++);
++
++#EOF
+--
+1.7.10.4
+
--- /dev/null
+From 90f4bec929aaac67326d1ba2884ff4fd4862696e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 27 Jan 2013 13:20:33 +0100
+Subject: [PATCH 073/302] Forward Firewall: Fixed a bug in
+ servicegroup-Tableview
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ lfs/cifs-utils | 84 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 1 deletion(-)
+ create mode 100644 lfs/cifs-utils
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 1afe0cd..89b2a93 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1542,7 +1542,7 @@ sub viewtableservicegrp
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $number= keys %customservicegrp;
+- foreach my $key (sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){
++ foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
+ $grpname=$customservicegrp{$key}[0];
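Review bot: Sorting only by key with `sort {$a <=> $b}` no longer keeps the rows of one service group next to each other, yet the loop body starts a new group whenever `$helper ne $customservicegrp{$key}[0]`. If the keys of different groups are interleaved in the file read from `$configsrvgrp` (not visible here), the same group header would be emitted more than once. Keeping the group name as the primary sort key and the numeric key as a tie-break avoids that: `sort { $customservicegrp{$a}[0] cmp $customservicegrp{$b}[0] || $a <=> $b } keys %customservicegrp`. The body of `viewtableservicegrp` continues outside the hunk.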
+diff --git a/lfs/cifs-utils b/lfs/cifs-utils
+new file mode 100644
+index 0000000..f3b75f5
+--- /dev/null
++++ b/lfs/cifs-utils
+@@ -0,0 +1,84 @@
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++
++###############################################################################
++# Definitions
++###############################################################################
++
++include Config
++
++VER = 5.9
++
++THISAPP = cifs-utils-$(VER)
++DL_FILE = $(THISAPP).tar.bz2
++DL_FROM = $(URL_IPFIRE)
++DIR_APP = $(DIR_SRC)/$(THISAPP)
++TARGET = $(DIR_INFO)/$(THISAPP)
++PROG = cifs-utils
++PAK_VER = 1
++
++DEPS = ""
++
++###############################################################################
++# Top-level Rules
++###############################################################################
++
++objects = $(DL_FILE)
++
++$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
++
++$(DL_FILE)_MD5 = 7164ad6f7963a31fcbffbe4f14a7cfc6
++
++install : $(TARGET)
++
++check : $(patsubst %,$(DIR_CHK)/%,$(objects))
++
++download :$(patsubst %,$(DIR_DL)/%,$(objects))
++
++md5 : $(subst %,%_MD5,$(objects))
++
++dist:
++ @$(PAK)
++
++###############################################################################
++# Downloading, checking, md5sum
++###############################################################################
++
++$(patsubst %,$(DIR_CHK)/%,$(objects)) :
++ @$(CHECK)
++
++$(patsubst %,$(DIR_DL)/%,$(objects)) :
++ @$(LOAD)
++
++$(subst %,%_MD5,$(objects)) :
++ @$(MD5)
++
++###############################################################################
++# Installation Details
++###############################################################################
++
++$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
++ @$(PREBUILD)
++ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
++ cd $(DIR_APP) && ./configure
++ cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
++ cd $(DIR_APP) && make install
++ @rm -rf $(DIR_APP)
++ @$(POSTBUILD)
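Review bot: The only integrity pin for the downloaded tarball in this new file is `$(DL_FILE)_MD5`, and MD5 is broken for collision resistance, so it is a weak guarantee that the archive fetched from `$(DL_FROM)` is the one that was reviewed. How `$(CHECK)` and `$(MD5)` use the value is defined in `Config`, outside this hunk; if those macros can take a stronger digest, pin one next to the MD5 line, otherwise a comment such as `# TODO: MD5 only guards against accidental corruption; add a SHA-2 pin once Config supports it` records the gap. Separately, `./configure` runs with no options, so the install prefix falls back to the package default; `cd $(DIR_APP) && ./configure --prefix=/usr` would make the location explicit, if that is where the rootfile expects the binaries.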
+--
+1.7.10.4
+
--- /dev/null
+From be503735e972206d10d65efffdd38537f4e17ae8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 28 Jan 2013 06:12:51 +0100
+Subject: [PATCH 074/302] Forward FIrewall: tried to sort servicegroups the
+ right way...not perfect now
+
+---
+ html/cgi-bin/fwhosts.cgi | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 89b2a93..9702435 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1313,7 +1313,7 @@ END
+ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice)
++ foreach my $key (sort {$a <=> $b} keys %customservice)
+ {
+ print "<option>$customservice{$key}[0]</option>";
+ }
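Review bot: The service name is written into the page unescaped in `print "<option>$customservice{$key}[0]</option>";`, so a name containing markup read from `$configsrv` would be rendered as HTML in the admin interface. The same pattern is in the third hunk of this patch, where `$customservicegrp{$key}[2]` to `[4]` go into table cells and `$grpname`, `$remark` and the service fields go into the single-quoted `value` of the hidden `delsrvfromgrp` input. Whether these fields are validated when they are saved is not visible here; escaping at output covers both cases, for example `print "<option>" . &Header::cleanhtml($customservice{$key}[0], "y") . "</option>";` if that helper is available to this CGI. The enclosing block starts before the hunk.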
+@@ -1538,11 +1538,10 @@ sub viewtableservicegrp
+ my $remark;
+ my $helper;
+ if (! -z $configsrvgrp){
+-
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $number= keys %customservicegrp;
+- foreach my $key (sort {$a <=> $b} keys %customservicegrp){
++ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
+ $grpname=$customservicegrp{$key}[0];
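Review bot: The new comparator orders groups case-insensitively with `uc(...) cmp uc(...)`, but the group-change test `$helper ne $customservicegrp{$key}[0]` is case-sensitive, so two groups whose names differ only in case compare equal, fall through to `$a <=> $b`, and their rows can interleave and repeat the group header. An exact-name tie-break keeps each group contiguous: `uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) || $customservicegrp{$a}[0] cmp $customservicegrp{$b}[0] || $a <=> $b`. Whether such names can be saved is not visible here. `viewtableservicegrp` continues outside the hunk.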
+@@ -1560,14 +1559,18 @@ sub viewtableservicegrp
+ }
+ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+- }elsif ($count %2 == 0){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
+- print "<td width='39%'>$customservicegrp{$key}[2]</td>";
+- print"<td align='center'>$customservicegrp{$key}[3]</td><td align='center'>$customservicegrp{$key}[4]</td><td width='1%'><form method='post'>";
+- if ($number gt '1'){
+- print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+- }
+- print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
+- $helper=$customservicegrp{$key}[0];
++ }elsif ($count %2 == 0){
++ print"<tr bgcolor='$color{'color22'}'>";
++ }else{
++ print"<tr bgcolor='$color{'color20'}'>";
++ }
++ print "<td width='39%'>$customservicegrp{$key}[2]</td>";
++ print"<td align='center'>$customservicegrp{$key}[3]</td><td align='center'>$customservicegrp{$key}[4]</td><td width='1%'><form method='post'>";
++ if ($number gt '1'){
++ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
++ }
++ print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
++ $helper=$customservicegrp{$key}[0];
+ }
+ print"</table>";
+ &Header::closebox();
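Review bot: The table row built in this hunk interpolates `$customservicegrp{$key}[2]`, `[3]`, `[4]` and the hidden `delsrvfromgrp` value (`$grpname,$remark,...`) into HTML without escaping, and the `alt=`/`title=` attributes on the delete image are unquoted. Whether these fields are validated when they are saved is not visible here, so the output side should not depend on it. Pass each value through an escaping helper such as `&Header::cleanhtml($customservicegrp{$key}[2])` and quote the attributes as `alt='$Lang::tr{'delete'}'`. A remark containing a single quote would otherwise end the `value='...'` attribute early. `viewtableservicegrp` starts and ends outside the hunk.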
+--
+1.7.10.4
+
--- /dev/null
+From d5af6a1a3d84049047bb8009953bcacf5bd9009e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 28 Jan 2013 07:41:23 +0100
+Subject: [PATCH 075/302] FOrward Firewall: adapted en.pl , was a merge
+ problem. Maybe someone did not upload a diff?
+
+---
+ langs/en/cgi-bin/en.pl | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 850ade0..bdba8da 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -758,28 +758,15 @@
+ 'download root certificate' => 'Download root certificate',
+ 'dpd action' => 'Dead Peer Detection action',
+ 'driver' => 'Driver',
+-<<<<<<< HEAD
+-<<<<<<< HEAD
+-=======
+->>>>>>> be503735e972206d10d65efffdd38537f4e17ae8
+ 'drop action' => 'Default behaviour of firewall in mode 1',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+ 'drop forward' => 'Log dropped forward pakets',
+ 'drop portscan' => 'Log dropped portscan pakets',
+-<<<<<<< HEAD
+-=======
+-'drop input' => 'Log dropped input packets',
+-'drop newnotsyn' => 'Log dropped new not syn packets',
+-'drop output' => 'Log dropped output packets',
+-'drop portscan' => 'Log dropped portscan packets',
+->>>>>>> 83f1971428fa456462ee24ad6f0baab12f1ae8d7
+-=======
+->>>>>>> be503735e972206d10d65efffdd38537f4e17ae8
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+ 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+-'drop wirelessforward' => 'Log dropped wireless forward packets',
+-'drop wirelessinput' => 'Log dropped wireless input packets',
++'drop wirelessforward' => 'Log dropped wireless forward pakets',
++'drop wirelessinput' => 'Log dropped wireless input pakets',
+ 'dst port' => 'Dst Port',
+ 'dstprt range overlaps' => 'Destination port range overlaps an already defined port.',
+ 'dstprt within existing' => 'Destination port is within an already defined port range.',
+--
+1.7.10.4
+
--- /dev/null
+From 5c7315b2af795b811fc133add5f1de6e605a9d73 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 06:22:59 +0100
+Subject: [PATCH 076/302] Forward Firewall: Deleted MODE0 from WEB Interface
+ and added a table for DMZ-Rules.
+
+---
+ html/cgi-bin/forwardfw.cgi | 48 +++++++++++++++++++++-----------------------
+ lfs/configroot | 2 +-
+ 2 files changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 4fc74aa..8f6ca58 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -303,13 +303,15 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
+ &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
+ }
+- $fwdfwsettings{'POLICY'}='MODE0';
++
+ system("rm ${General::swroot}/forward/config");
+ system("rm ${General::swroot}/forward/input");
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ %fwdfwsettings = ();
++ $fwdfwsettings{'POLICY'}='MODE2';
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+
+ }
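Review bot: After this change a reset always ends in `POLICY=MODE2`, which `rules.pl` handles by appending `-m state --state NEW -j ACCEPT` to the chain, and nothing at the reset site says that it falls back to the permissive policy; `lfs/configroot` in the same commit makes it the install default as well. A comment above the assignment would record the decision, e.g. `# reset returns to MODE2: new forwarded connections are accepted unless a rule blocks them`. The earlier `&General::writehash(...)` call kept as context now writes the pre-reset settings only to be overwritten a few lines later and could be dropped. The surrounding `if` block begins outside the hunk.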
+@@ -517,39 +519,23 @@ sub dec_counter
+ }
+ sub base
+ {
+- if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; }
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+-
+ &hint;
+- if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') {
+- &addrule;
+- }
+-
+- #print"<table width='100' border='1'><tr>";
+- #foreach (0 .. 40){
+- #my $i="color".$_;
+- #print"<td bgcolor='$color{$i}'>$_</td>";
+- #}
+- #print"</tr></table>";
+- if ($fwdfwsettings{'POLICY'} eq 'MODE1' || $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
+- &p2pblock;
+- }
++ &addrule;
++ &p2pblock;
+ &Header::openbox('100%', 'center', 'Policy');
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%'>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 0:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode0'}</td></tr>
+ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 1:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode1'}</td></tr>
+ <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px"><option value='MODE0' $selected{'POLICY'}{'MODE0'}>$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
++ <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px">$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
+ <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+ <td width='45%' align='left'>
+ END
+- if ($fwdfwsettings{'POLICY'} ne 'MODE0'&& $fwdfwsettings{'POLICY'} ne '' ) {
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
+- }
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
+ print "</table></form>";
+ &Header::closebox();
+ }
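Review bot: The rewritten `<select name='POLICY'>` line still carries `$Lang::tr{'mode'} 0</option>` from the removed MODE0 entry, now without its opening `<option>` tag, so the page emits stray text and an unmatched closing tag inside the select. The select should open straight into the first remaining entry: `<select name='POLICY' style="width: 85px"><option value='MODE1' $selected{'POLICY'}{'MODE1'}>`. A settings file that still holds `MODE0` would leave neither option marked selected, which may deserve a comment if such installs exist.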
+@@ -1731,7 +1717,9 @@ sub get_serviceports
+ }
+ sub viewtablerule
+ {
++
+ &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
++ &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ }
+ sub viewtablenew
+@@ -1740,8 +1728,17 @@ sub viewtablenew
+ my $config=shift;
+ my $title=shift;
+ my $title1=shift;
+-
+- if ( ! -z "$config"){
++ my $go='';
++ &General::readhasharray("$config", $hash);
++ #check if there are DMZ entries
++ if ($title1 eq 'DMZ'){
++ foreach my $key (keys %$hash){
++ if ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE'){$go='on';}
++ }
++ }elsif( ! -z "$config" ){
++ $go='on';
++ }
++ if($go ne ''){
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+ my ($gif,$log);
+@@ -1750,11 +1747,13 @@ sub viewtablenew
+ my $tooltip;
+ my @tmpsrc=();
+ my $coloryellow='';
+- &General::readhasharray("$config", $hash);
+ print"<b>$title1</b><br>";
+ print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
++ #check if we have a FORWARDFW OR DMZ RULE
++ if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[6] ne 'ORANGE')){next;}
++ if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE')){next;}
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
+@@ -1843,7 +1842,6 @@ END
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+ </td></form>
+ END
+-
+ print<<END;
+ <td align='center' nowrap='nowrap'>
+ END
+diff --git a/lfs/configroot b/lfs/configroot
+index 6bbe3f8..de9b211 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -117,7 +117,7 @@ $(TARGET) :
+ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "POLICY=MODE0" >> $(CONFIG_ROOT)/forward/settings
++ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+--
+1.7.10.4
+
--- /dev/null
+From 070c815dea67c3ccd8c5c143043d95b387eb583b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 09:14:01 +0100
+Subject: [PATCH 077/302] Forward Firewall: deleted mode0, added default Mode2
+ and fixed /etc/init.d/firewall to reload the rules
+ correctly on reload. Also made it possible to
+ create broadcastrules (To drop broadcastpackets)
+
+---
+ config/forwardfw/rules.pl | 19 ++++++++++++++-----
+ html/cgi-bin/forwardfw.cgi | 12 +++++-------
+ src/initscripts/init.d/firewall | 5 +++--
+ 3 files changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 3aa73a1..0f3b991 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -53,12 +53,16 @@ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $configgrp = "${General::swroot}/fwhosts/customgroups";
++my $netsettings = "${General::swroot}/ethernet/settings";
+ my $errormessage='';
++my $orange;
++my $green;
+ my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+ my $CHAIN="FORWARDFW";
+
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++&General::readhash("$netsettings", \%defaultNetworks);
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
+ &General::readhasharray($configgrp, \%customgrp);
+@@ -92,12 +96,17 @@ if($param eq 'flush'){
+ &p2pblock;
+ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- &p2pblock;
+- system ("/usr/sbin/firewall-forward-policy");
+- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+- }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
+- system ("/usr/sbin/firewall-forward-policy");
++ if ($defaultNetworks{'ORANGE_DEV'}){
++ $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
++ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
++ $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
++ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
++ #set default rules for DMZ
++ system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
++ &p2pblock;
++ }
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
++ system ("/usr/sbin/firewall-forward-policy");
+ }
+ }
+ }
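Review bot: The DMZ default rule is added with `system ("iptables -A $CHAIN -s $orange -d $green -j RETURN")`, a shell string whose exit status is ignored, and the next rule appended is `-m state --state NEW -j ACCEPT`. If the RETURN rule is rejected (for instance because `&General::iporsubtocidr` did not yield a usable prefix), ORANGE to GREEN traffic would presumably fall through to that ACCEPT. Use the list form and stop before the ACCEPT is appended when it fails: `system('iptables', '-A', $CHAIN, '-s', $orange, '-d', $green, '-j', 'RETURN') == 0 or die "DMZ default rule not installed\n";`. `&p2pblock` also now runs only when `ORANGE_DEV` is set, which looks unintended. The BLUE and ORANGE-to-BLUE rules added in the later `rules.pl` hunks follow the same pattern.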
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8f6ca58..6895a9e 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -731,9 +731,9 @@ sub checktarget
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+
+- #check if net or broadcast
++ #check if net
+ my @tmp= split (/\./,$ip);
+- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
++ if ($tmp[3] eq "0")
+ {
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ }
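Review bot: The remaining test `if ($tmp[3] eq "0")` classifies an address as a network address by its last octet alone, which is only right for /24 networks; no prefix length is consulted in the lines shown. Dropping the `255` test admits broadcast targets as the commit intends, but the check still rejects valid hosts ending in `.0` inside larger networks and still passes the network address of subnets smaller than /24. If the mask is not available at this point, the comment should say so, e.g. `#check if net (last-octet test, assumes /24)`. The same test is changed back in a later `checktarget` hunk, and the function body continues outside the hunk.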
+@@ -865,7 +865,7 @@ sub checkrule
+ my $networkip1=&General::getnetworkip($sip,$scidr);
+ my $networkip2=&General::getnetworkip($tip,$tcidr);
+ if ($scidr gt $tcidr){
+- if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){
++ if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }elsif($scidr eq $tcidr && $scidr eq '32'){
+@@ -876,7 +876,7 @@ sub checkrule
+ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+ }
+ }else{
+- if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
++ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }
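Review bot: The `else` branch edited here is selected by `if ($scidr gt $tcidr)` in the previous hunk, which compares the two prefix lengths as strings, so a /8 source against a /24 target takes the wrong branch (`"8" gt "24"` is true). The overlap check then runs with the wider network in the wrong role and can miss or misreport a source/target overlap. Compare numerically, `if ($scidr > $tcidr)`, and write the added condition as `$tcidr != 32`. This assumes both variables hold prefix lengths, as the `eq '32'` test suggests; `checkrule` starts and ends outside the hunk.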
+@@ -884,9 +884,7 @@ sub checkrule
+
+ #check source and destination protocol if manual
+ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
+-
+-
+- if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
++ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ $errormessage.=$Lang::tr{'fwdfw err prot'};
+ }
+ #check source and destination protocol if source manual and dest servicegrp
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index f858129..fbecc1c 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -345,9 +345,10 @@ case "$1" in
+ ;;
+ restart)
+ $0 stop
+- $0 stopovpn
+ $0 start
+- $0 startovpn
++ /usr/local/bin/forwardfwctrl
++ /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
++ /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|restart}"
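Review bot: None of the commands added to `restart` has its exit status checked, and both `openvpnctrl` calls discard stdout and stderr, so a restart in which `/usr/local/bin/forwardfwctrl` fails finishes silently. Because `$0 stop` and `$0 start` have already run by then, the forward rules would presumably be missing until the next reload. Report the failure at least, e.g. `/usr/local/bin/forwardfwctrl || echo "forwardfwctrl failed" >&2`.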
+--
+1.7.10.4
+
--- /dev/null
+From 7bea8ef73c15fdd4bc5269fd642ace2bd67d4204 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 10:27:38 +0100
+Subject: [PATCH 078/302] Forward Firewall: when resetting firewall, an error
+ was generated in log, because there's no reread
+ file
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6895a9e..18ed594 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1997,7 +1997,9 @@ sub rules
+ sub reread_rules
+ {
+ system("/usr/local/bin/forwardfwctrl");
+- system("rm ${General::swroot}/forward/reread");
++ if ( -f "${General::swroot}/forward/reread"){
++ system("rm ${General::swroot}/forward/reread");
++ }
+ }
+ &Header::closebigbox();
+ &Header::closepage();
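Review bot: The existence test followed by `system("rm ...")` can be a single `unlink`, which spawns no shell and simply returns 0 when the file is absent: `unlink "${General::swroot}/forward/reread";`. The return value of `system("/usr/local/bin/forwardfwctrl")` is still ignored, so the reread marker is removed even when the rule reload failed. Checking `== 0` before removing it would presumably keep the pending state visible to the administrator.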
+--
+1.7.10.4
+
--- /dev/null
+From 40fe3813cad908a24f2562c3e86d43c4139807c8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 13:34:54 +0100
+Subject: [PATCH 079/302] Forward Firewall: set standard rules for blue in
+ mode 2
+
+---
+ config/forwardfw/rules.pl | 13 ++++++++++---
+ html/cgi-bin/forwardfw.cgi | 6 +++---
+ src/initscripts/init.d/firewall | 1 +
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 0f3b991..342dcfe 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -57,6 +57,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
+ my $errormessage='';
+ my $orange;
+ my $green;
++my $blue;
+ my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+ my $CHAIN="FORWARDFW";
+
+@@ -96,15 +97,21 @@ if($param eq 'flush'){
+ &p2pblock;
+ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
++ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+ if ($defaultNetworks{'ORANGE_DEV'}){
+ $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+ #set default rules for DMZ
+ system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+- &p2pblock;
+ }
++ if ($defaultNetworks{'BLUE_DEV'}){
++ $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
++ $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
++ #set default rules for BLUE
++ system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
++ }
++ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-forward-policy");
+ }
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 18ed594..2b84d17 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -731,9 +731,9 @@ sub checktarget
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+
+- #check if net
++ #check if net or broadcast
+ my @tmp= split (/\./,$ip);
+- if ($tmp[3] eq "0")
++ if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
+ {
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ }
+@@ -876,7 +876,7 @@ sub checkrule
+ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+ }
+ }else{
+- if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){
++ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index fbecc1c..4136867 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -347,6 +347,7 @@ case "$1" in
+ $0 stop
+ $0 start
+ /usr/local/bin/forwardfwctrl
++ /usr/local/bin/setportfw
+ /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+ /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
+ ;;
+--
+1.7.10.4
+
--- /dev/null
+From 5a659359d13f2c85086a151143c31624ddead71a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 15:24:57 +0100
+Subject: [PATCH 080/302] Forward Firewall: Tablegroup DMZ and WLAN now only
+ show the own rules
+
+---
+ config/forwardfw/rules.pl | 16 ++++++++++------
+ html/cgi-bin/forwardfw.cgi | 18 ++++++++++++++----
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 342dcfe..44ad35e 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -99,18 +99,22 @@ if($param eq 'flush'){
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+- if ($defaultNetworks{'ORANGE_DEV'}){
+- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+- #set default rules for DMZ
+- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+- }
+ if ($defaultNetworks{'BLUE_DEV'}){
+ $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
+ $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
+ #set default rules for BLUE
+ system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
+ }
++ if ($defaultNetworks{'ORANGE_DEV'}){
++ $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
++ $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
++ #set default rules for DMZ
++ system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
++ if ($defaultNetworks{'BLUE_DEV'}){
++ system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
++ }
++ }
++
+ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-forward-policy");
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 2b84d17..82286fe 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1718,6 +1718,7 @@ sub viewtablerule
+
+ &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
+ &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
++ &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ }
+ sub viewtablenew
+@@ -1731,9 +1732,17 @@ sub viewtablenew
+ #check if there are DMZ entries
+ if ($title1 eq 'DMZ'){
+ foreach my $key (keys %$hash){
+- if ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE'){$go='on';}
++ if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last}
+ }
+- }elsif( ! -z "$config" ){
++ }elsif($title1 eq 'WLAN'){
++ foreach my $key (keys %$hash){
++ if ($$hash{$key}[4] eq 'BLUE'){$go='on';last}
++ }
++ }elsif($title1 eq 'Forward'){
++ foreach my $key (keys %$hash){
++ if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last}
++ }
++ }elsif( ! -z $config){
+ $go='on';
+ }
+ if($go ne ''){
+@@ -1750,8 +1759,9 @@ sub viewtablenew
+ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ #check if we have a FORWARDFW OR DMZ RULE
+- if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[6] ne 'ORANGE')){next;}
+- if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[6] eq 'ORANGE')){next;}
++ if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;}
++ if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;}
++ if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;}
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
+--
+1.7.10.4
+
--- /dev/null
+From 5d534323af23a531647db005223d6c982b595a3d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 30 Jan 2013 16:28:18 +0100
+Subject: [PATCH 081/302] Forward Firewall: fixed portforward rules. Now
+ possible even if firewall in mode1
+
+---
+ src/initscripts/init.d/firewall | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 4136867..2cdacf7 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -205,7 +205,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
++ /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+
+ # If a host on orange tries to initiate a connection to IPFire's red IP and
+ # the connection gets DNATed back through a port forward to a server on orange
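Review bot: Re-enabling `/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT` accepts every new forwarded connection arriving on GREEN, and the hunk does not show whether GREEN traffic passes through FORWARDFW before this rule. If it does not, the blocked policy (MODE1) and any user-defined deny rule for GREEN sources are never evaluated. The commit message names port forwards in mode1 as the goal, so a rule limited to that case would be safer. At minimum add a comment stating the ordering the line depends on, e.g. `# must follow the FORWARDFW jump for GREEN, otherwise MODE1 is bypassed`.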
+--
+1.7.10.4
+
--- /dev/null
+From 9cb252552a0f4ef6d0515fa9f900a9d8c220080e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 31 Jan 2013 05:17:41 +0100
+Subject: [PATCH 082/302] Forward Firewall: changed firewall modes from
+ mode1,mode2 to "allowed" and "blocked". Also new
+ descriptiontext.
+
+---
+ html/cgi-bin/forwardfw.cgi | 12 +++++++-----
+ langs/de/cgi-bin/de.pl | 4 ++++
+ langs/en/cgi-bin/en.pl | 4 ++++
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 82286fe..1ecdd62 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -524,14 +524,16 @@ sub base
+ &hint;
+ &addrule;
+ &p2pblock;
+- &Header::openbox('100%', 'center', 'Policy');
++ &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <table width='100%'>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 1:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode1'}</td></tr>
+- <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr>
++ <table width='100%' border='0'>
++ <tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
++
+ <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px">$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select>
++ <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px">
++ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
++ <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+ <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+ <td width='45%' align='left'>
+ END
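Review bot: The submit button is written as `value=$Lang::tr{'save'}` without quotes, so a translation containing a space would be cut at the first word by the browser. The script dispatches on the posted `ACTION` by comparing it with translated labels (as in `$fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}`), so the save action would presumably no longer match. Quote it the way the reset button is quoted: `value='$Lang::tr{'save'}'`.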
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 00dce4b..4c606a6 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -910,6 +910,10 @@
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
++'fwdfw pol allow' => 'Zugelassen',
++'fwdfw pol block' => 'Blockiert',
++'fwdfw pol title' => 'Standardverhalten der Firewall',
++'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index bdba8da..9b90041 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -934,6 +934,10 @@
+ 'fwdfw man port' => 'Port(s) manual:',
+ 'fwdfw moveup' => 'Move up',
+ 'fwdfw movedown' => 'Move down',
++'fwdfw pol allow' => 'Allowed',
++'fwdfw pol block' => 'Blocked',
++'fwdfw pol title' => 'Firewall default behavior',
++'fwdfw pol text' => 'Default behavior for connections from local nwtworks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+--
+1.7.10.4
+
--- /dev/null
+From c6c11ffdfeecee491ad1d0bb63ed847b71e4561a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 31 Jan 2013 05:48:20 +0100
+Subject: [PATCH 083/302] Forward Firewall: Typo in en.pl
+
+---
+ langs/en/cgi-bin/en.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 9b90041..1cc907b 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -937,7 +937,7 @@
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+-'fwdfw pol text' => 'Default behavior for connections from local nwtworks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.',
++'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+--
+1.7.10.4
+
--- /dev/null
+From 7a455909114b365eae16f1852e755d077de82fe2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 31 Jan 2013 07:33:47 +0100
+Subject: [PATCH 084/302] Forward Firewall: firewall policy dropdown - resized
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1ecdd62..c3acfca 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -531,7 +531,7 @@ print <<END;
+ <tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
+
+ <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px">
++ <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+ <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+--
+1.7.10.4
+
--- /dev/null
+From a4abb3a390f508c2ec7af8bbcb1af51f34661a0c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 31 Jan 2013 08:45:04 +0100
+Subject: [PATCH 085/302] Forward Firewall: fixed icmp-types and deleted
+ dmzholes chain
+
+---
+ config/fwhosts/icmp-types | 6 +++---
+ src/initscripts/init.d/firewall | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types
+index d41cdbf..a9066a8 100755
+--- a/config/fwhosts/icmp-types
++++ b/config/fwhosts/icmp-types
+@@ -1,4 +1,4 @@
+-0,echo-reply (pong),0
++0,echo-reply,0
+ 1,destination-unreachable,3
+ 2,network-unreachable,3/0
+ 3,host-unreachable,3/1
+@@ -21,10 +21,10 @@
+ 20,host-redirect,5/1
+ 21,TOS-network-redirect,5/2
+ 22,TOS-host-redirect,5/3
+-23,echo-request (ping),8
++23,echo-request,8
+ 24,router-advertisement,9
+ 25,router-solicitation,10
+-26,time-exceeded (ttl-exceeded),11
++26,time-exceeded,11
+ 27,ttl-zero-during-transit,11/0
+ 28,ttl-zero-during-reassembly,11/1
+ 29,parameter-problem,12
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 2cdacf7..25892df 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -236,9 +236,9 @@ case "$1" in
+
+ iptables_red
+
+- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
++ # DMZ pinhole chain.
+ # ORANGE to talk to GREEN / BLUE.
+- /sbin/iptables -N DMZHOLES
++
+ if [ "$ORANGE_DEV" != "" ]; then
+ /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
+ fi
+--
+1.7.10.4
+
--- /dev/null
+From b17377fe1a019887d1a94113f95da3736966e79c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 31 Jan 2013 20:52:56 +0100
+Subject: [PATCH 086/302] Forward Firewall: BUGFIX-CustomGroup sort order
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 9702435..0263052 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1442,7 +1442,7 @@ sub viewtablegrp
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+- foreach my $key (sort {$a <=> $b} keys %customgrp){
++ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
+
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
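Review bot: The new ordering on the `foreach` line chains two `sort` calls and relies on the outer sort keeping the inner order for equal group names, which Perl only guarantees under `use sort 'stable'`. A single comparator states the intent directly and does one pass: `sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) || uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp`. That also matches the `cmp ... || ...` form the later patches use for the other tables. viewtablegrp starts and ends outside this hunk.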
+--
+1.7.10.4
+
--- /dev/null
+From e1e956ad0c600fdfdf0449bb8dcd592fb6a47a0e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 1 Feb 2013 13:18:15 +0100
+Subject: [PATCH 087/302] Forward Firewall: redefined layout of
+ customservicegroups and some layout changes
+
+---
+ html/cgi-bin/fwhosts.cgi | 32 +++++++++++------
+ langs/de/cgi-bin/de.pl | 90 +++++++++++++++++++++++-----------------------
+ langs/en/cgi-bin/en.pl | 52 +++++++++++++--------------
+ 3 files changed, 92 insertions(+), 82 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 0263052..88c32c4 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -800,9 +800,8 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'};
+ $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'};
+ $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'};
+- $customservicegrp{$key}[3] = $port;
+- $customservicegrp{$key}[4] = $prot;
+- $customservicegrp{$key}[5] = $count;
++ $customservicegrp{$key}[3] = $count;
++
+ &General::writehasharray("$configsrvgrp", \%customservicegrp );
+ $fwhostsettings{'updatesrvgrp'}='on';
+ }
+@@ -1359,7 +1358,7 @@ END
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
+ print<<END;
+- <td width='40%'><form method='post'>$customnetwork{$key}[0]</td><td width=25%'>$customnetwork{$key}[1]</td><td width='25%'>$customnetwork{$key}[2]</td><td align='center'>$customnetwork{$key}[3] x</td>
++ <td width='40%'><form method='post'>$customnetwork{$key}[0]</td><td width=25%'>$customnetwork{$key}[1]</td><td width='25%'>$customnetwork{$key}[2]</td><td align='center'>$customnetwork{$key}[3]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+ <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' />
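Review bot: The row template on the changed line prints `$customnetwork{$key}[0]` into the cell and into `value='$customnetwork{$key}[0]'` on the hidden HOSTNAME input without HTML-escaping. A stored name containing a quote or angle bracket would therefore end up as markup in the admin page; whether the save path rejects those characters is not visible from here. I would escape the values into local variables before the heredoc (for example with the tree's `&Header::cleanhtml`, if this branch has it) and print those instead. The same line carries `<td width=25%'>` with a missing opening quote, which should read `<td width='25%'>`, and `alt=$Lang::tr{'edit'}` is unquoted. The same output pattern appears in the hunks at -1402 (`$customhost{$key}[0]`) and -1451 (`value='$grpname'`); the heredoc itself opens outside this hunk.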
+@@ -1402,7 +1401,7 @@ END
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+ print<<END;
+- <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$customhost{$key}[2]</td><td align='center'>$customhost{$key}[3] x</td>
++ <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$customhost{$key}[2]</td><td align='center'>$customhost{$key}[3]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+@@ -1451,7 +1450,7 @@ sub viewtablegrp
+ if($count >=2){print"</table>";}
+ print "<br><b><u>$grpname</u></b>    ";
+ print " <b>$Lang::tr{'remark'}:</b>  $remark   " if ($remark ne '');
+- print "<b>$Lang::tr{'used'}:</b> $customgrp{$key}[4] x";
++ print "<b>$Lang::tr{'used'}:</b> $customgrp{$key}[4]x";
+ if($customgrp{$key}[4] == '0')
+ {
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='ACTION' value='delgrp'></form>";
+@@ -1502,7 +1501,7 @@ sub viewtableservice
+ <table width='100%' border='0'>
+ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
+ END
+- foreach my $key (sort {$a <=> $b} keys %customservice)
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice)
+ {
+ $count++;
+ if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) {
+@@ -1537,9 +1536,12 @@ sub viewtableservicegrp
+ my $grpname;
+ my $remark;
+ my $helper;
++ my $port;
++ my $protocol;
+ if (! -z $configsrvgrp){
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ &General::readhasharray("$configsrv", \%customservice);
+ my $number= keys %customservicegrp;
+ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){
+ $count++;
+@@ -1549,8 +1551,8 @@ sub viewtableservicegrp
+ if($count >=2){print"</table>";}
+ print "<br><b><u>$grpname</u></b>     ";
+ print "<b>$Lang::tr{'remark'}:</b>  $remark " if ($remark ne '');
+- print "  <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[5] x";
+- if($customservicegrp{$key}[5] == '0')
++ print "  <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[3]x";
++ if($customservicegrp{$key}[3] == '0')
+ {
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>";
+ }
+@@ -1559,13 +1561,21 @@ sub viewtableservicegrp
+ }
+ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+- }elsif ($count %2 == 0){
++ }
++ if ($count %2 == 0){
+ print"<tr bgcolor='$color{'color22'}'>";
+ }else{
+ print"<tr bgcolor='$color{'color20'}'>";
+ }
+ print "<td width='39%'>$customservicegrp{$key}[2]</td>";
+- print"<td align='center'>$customservicegrp{$key}[3]</td><td align='center'>$customservicegrp{$key}[4]</td><td width='1%'><form method='post'>";
++ foreach my $srv (sort keys %customservice){
++ if ($customservicegrp{$key}[2] eq $customservice{$srv}[0]){
++ $protocol=$customservice{$srv}[2];
++ $port=$customservice{$srv}[1];
++ last;
++ }
++ }
++ print"<td align='center'>$port</td><td align='center'>$protocol</td><td width='1%'><form method='post'>";
+ if ($number gt '1'){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
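Review bot: Replacing `}elsif ($count %2 == 0){` with a closing brace and a separate `if` means a row whose group name equals `SRVGRP_NAME` now gets the yellow `<tr>` and then a second `<tr>` from the if/else. The highlight is overridden and the table markup is unbalanced, and restoring `}elsif ($count %2 == 0){` keeps one row tag per entry. In the added lookup loop, `$port` and `$protocol` are declared once for the whole sub (in the earlier hunk) and only assigned on a match, so an entry with no matching service prints the previous row's port and protocol. Resetting them with `($port, $protocol) = ('', '');` just before `foreach my $srv` avoids showing wrong values in a firewall configuration view. viewtableservicegrp starts and ends outside this hunk.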
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 4c606a6..afdd4cd 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -734,7 +734,7 @@
+ 'download root certificate' => 'Root-Zertifikat herunterladen',
+ 'dpd action' => 'Aktion für Dead Peer Detection',
+ 'driver' => 'Treiber',
+-'drop action' => 'Standardverhalten der Firewall in Modus1',
++'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+ 'drop forward' => 'Verworfene Firewall-Pakete loggen',
+@@ -885,25 +885,25 @@
+ 'fwdfw copy' => 'Kopieren',
+ 'fwdfw delete' => 'Löschen',
+ 'fwdfw edit' => 'Bearbeiten',
+-'fwdfw err nosrc' => 'Keine Quelle gewählt.',
+-'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.',
+-'fwdfw err notgt' => 'Kein Ziel gewählt.',
+-'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.',
+-'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.',
+-'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.',
+-'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.',
+-'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.',
+-'fwdfw err same' => 'Quelle und Ziel sind identisch.',
+-'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.',
+-'fwdfw err srcport' => 'Bitte Quellport angeben.',
+-'fwdfw err tgtport' => 'Bitte Zielport angeben.',
+-'fwdfw err tgt_addr' => 'Ziel-IP ungültig.',
++'fwdfw err nosrc' => 'Keine Quelle gewählt',
++'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben',
++'fwdfw err notgt' => 'Kein Ziel gewählt',
++'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben',
++'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein',
++'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen',
++'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
++'fwdfw err src_addr' => 'Quell-MAC/IP ungültig',
++'fwdfw err same' => 'Quelle und Ziel sind identisch',
++'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz',
++'fwdfw err srcport' => 'Bitte Quellport angeben',
++'fwdfw err tgtport' => 'Bitte Zielport angeben',
++'fwdfw err tgt_addr' => 'Ziel-IP ungültig',
+ 'fwdfw err tgt_port' => 'Ziel Port ungültig',
+-'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.',
+-'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.',
+-'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.',
++'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden',
++'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer',
++'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden',
+ 'fwdfw from' => 'Von:',
+-'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
++'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind',
+ 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+ 'fwdfw ipsec network' => 'IPsec Netzwerke:',
+ 'fwdfw log rule' => 'Log Regel',
+@@ -913,7 +913,7 @@
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+-'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
++'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+@@ -959,34 +959,34 @@
+ 'fwhost cust srvgrp' => 'Custom Dienstgruppen',
+ 'fwhost deleted' => 'Gelöscht',
+ 'fwhost empty' => 'Keine Einträge vorhanden',
+-'fwhost err addr' => 'IP oder Subnetzmaske ungültig.',
+-'fwhost err addrgrp' => 'Bitte gruppenname angeben.',
+-'fwhost err empty' => 'Bitte alle Felder füllen.',
+-'fwhost err grpexist' => 'Gruppe existiert bereits.',
+-'fwhost err groupempty' => 'Gewählte Gruppe ist leer.',
+-'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+-'fwhost err name1' => 'Name muss gefüllt sein.',
+-'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!',
++'fwhost err addr' => 'IP oder Subnetzmaske ungültig',
++'fwhost err addrgrp' => 'Bitte gruppenname angeben',
++'fwhost err empty' => 'Bitte alle Felder füllen',
++'fwhost err grpexist' => 'Gruppe existiert bereits',
++'fwhost err groupempty' => 'Gewählte Gruppe ist leer',
++'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich',
++'fwhost err name1' => 'Name muss gefüllt sein',
++'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits',
+ 'fwhost err net' => 'Netzwerk IP existiert bereits',
+-'fwhost err mac' => 'MAC Adresse ungültig.',
+-'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.',
+-'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.',
+-'fwhost err hostorip' => 'Name oder IP Adresse ungültig.',
+-'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
+-'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
+-'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
+-'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
+-'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.',
+-'fwhost err ip' => 'IP Addresse ungültig.',
+-'fwhost err ipmac' => 'IP/MAC Addresse ungültig.',
+-'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.',
+-'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
+-'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.',
+-'fwhost err port' => 'Port muss gefüllt sein.',
+-'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
++'fwhost err mac' => 'MAC Adresse ungültig',
++'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits',
++'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt',
++'fwhost err hostorip' => 'Name oder IP Adresse ungültig',
++'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet',
++'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet',
++'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet',
++'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet',
++'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe',
++'fwhost err ip' => 'IP Addresse ungültig',
++'fwhost err ipmac' => 'IP/MAC Addresse ungültig',
++'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet',
++'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben',
++'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks',
++'fwhost err port' => 'Port muss gefüllt sein',
++'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich',
+ 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+-'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.',
+-'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
++'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits',
++'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk',
+ 'fwhost green' => 'Grün',
+ 'fwhost hosts' => 'Firewall Hosts',
+ 'fwhost hint' => 'Hinweis',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1cc907b..9e70aea 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -758,7 +758,7 @@
+ 'download root certificate' => 'Download root certificate',
+ 'dpd action' => 'Dead Peer Detection action',
+ 'driver' => 'Driver',
+-'drop action' => 'Default behaviour of firewall in mode 1',
++'drop action' => 'Default behaviour of firewall in mode "Blocked"',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+ 'drop forward' => 'Log dropped forward pakets',
+@@ -937,7 +937,7 @@
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+-'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules."Blocked" prohibits all connections except the defined ones.Also external access and connections to/from demilitarized zone are configurable here.',
++'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+@@ -975,7 +975,7 @@
+ 'fwhost ccdhost' => 'OpenVPN clients:',
+ 'fwhost ccdnet' => 'OpenVPN networks:',
+ 'fwhost change' => 'Modify',
+-'fwhost changeremark' => 'You just modified the remark!',
++'fwhost changeremark' => 'You just modified the remark',
+ 'fwhost cust addr' => 'Custom addresses:',
+ 'fwhost cust grp' => 'Custom groups:',
+ 'fwhost cust net' => 'Custom networks:',
+@@ -983,34 +983,34 @@
+ 'fwhost cust srvgrp' => 'Custom servicegroups',
+ 'fwhost deleted' => 'Deleted',
+ 'fwhost empty' => 'No entries by now',
+-'fwhost err addr' => 'Invalid IP or subnet!',
+-'fwhost err addrgrp' => 'Please provide a groupname!',
+-'fwhost err empty' => 'Please fill in all fields!',
+-'fwhost err grpexist' => 'Group already exists!',
+-'fwhost err groupempty' => 'Selected Group is empty!',
++'fwhost err addr' => 'Invalid IP or subnet',
++'fwhost err addrgrp' => 'Please provide a groupname',
++'fwhost err empty' => 'Please fill in all fields',
++'fwhost err grpexist' => 'Group already exists',
++'fwhost err groupempty' => 'Selected Group is empty',
+ 'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+ 'fwhost err name1' => 'Name is empty.',
+-'fwhost err netexist' => 'A network with this name already exists!',
++'fwhost err netexist' => 'A network with this name already exists',
+ 'fwhost err net' => 'Network IP already exists',
+ 'fwhost err mac' => 'MAC address invalid',
+-'fwhost err hostexist' => 'A host with this name already exists!',
+-'fwhost err hostip' => 'Net or broadcast not allowed!',
+-'fwhost err hostorip' => 'Name or IP invalid.',
+-'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
+-'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!',
+-'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
+-'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!',
+-'fwhost err isingrp' => 'This entry already exists in the group!',
+-'fwhost err ip' => 'IP address invalid.',
+-'fwhost err ipmac' => 'IP/MAC address invalid.',
+-'fwhost err ipcheck' => 'This IP address is already in use!',
++'fwhost err hostexist' => 'A host with this name already exists',
++'fwhost err hostip' => 'Network or broadcast addresses not allowed',
++'fwhost err hostorip' => 'Name or IP invalid',
++'fwhost err isccdhost' => 'This name is already used by an OpenVPN client',
++'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network',
++'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client',
++'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network',
++'fwhost err isingrp' => 'This entry already exists in the group',
++'fwhost err ip' => 'IP address invalid',
++'fwhost err ipmac' => 'IP/MAC address invalid',
++'fwhost err ipcheck' => 'This IP address is already in use',
+ 'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
+-'fwhost err partofnet' => 'This network is part of an already existing one!',
+-'fwhost err port' => 'Port is empty.',
+-'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
++'fwhost err partofnet' => 'This network is part of an already existing one',
++'fwhost err port' => 'Port is empty',
++'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus',
+ 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+-'fwhost err srv exists' => 'A Service with this name already exists.',
+-'fwhost err sub32' => 'Please add single host. This subnet is no network!',
++'fwhost err srv exists' => 'A Service with this name already exists',
++'fwhost err sub32' => 'Please add single host. This subnet is no network',
+ 'fwhost green' => 'Green',
+ 'fwhost hosts' => 'Firewall Hosts',
+ 'fwhost hint' => 'Note',
+@@ -1025,7 +1025,7 @@
+ 'fwhost newgrp' => 'Address grouping',
+ 'fwhost newservice' => 'Service',
+ 'fwhost newservicegrp' => 'Service grouping',
+-'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!',
++'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored.',
+ 'fwhost menu' => 'Firewall Groups',
+ 'fwhost orange' => 'Orange',
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+--
+1.7.10.4
+
--- /dev/null
+From 9f9383c926efc47d44e3262891534d5346a08676 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 4 Feb 2013 11:21:33 +0100
+Subject: [PATCH 088/302] Forward Firewall: changed sortorder of customhosts
+ and bugfix when remark is changed
+
+---
+ html/cgi-bin/fwhosts.cgi | 32 ++++----------------------------
+ 1 file changed, 4 insertions(+), 28 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 88c32c4..a46777a 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -519,7 +519,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $grp=$fwhostsettings{'grp_name'};
+
+ if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};}
+-
+ ###check standard networks
+ if ($fwhostsettings{'grp2'} eq 'std_net'){
+ @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
+@@ -570,7 +569,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+-
+ #get address from IPSEC HOST
+ if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){
+ @target=$fwhostsettings{'IPSEC_HOST'};
+@@ -589,7 +587,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+-
+ #check if host/net exists in grp
+ my $test="$grp,$fwhostsettings{'oldremark'},@target";
+ foreach my $key (keys %customgrp) {
+@@ -599,7 +596,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $fwhostsettings{'update'} = 'on';
+ }
+ }
+-
+ if (!$errormessage){
+ #on first save, we have an empty @target, so fill it with nothing
+ my $targetvalues=@target;
+@@ -607,7 +603,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ @target=$Lang::tr{'fwhost empty'};
+ }
+ #on update, we have to delete the dummy entry
+-
+ foreach my $key (keys %customgrp){
+ if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
+ delete $customgrp{$key};
+@@ -616,21 +611,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+ &General::readhasharray("$configgrp", \%customgrp);
+-
+-
+-
+- #check if remark has also changed
+- if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $fwhostsettings{'update'} eq 'on')
+- {
+- foreach my $key (keys %customgrp)
+- {
+- if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'})
+- {
+- $customgrp{$key}[1]='';
+- $customgrp{$key}[1]=$rem;
+- }
+- }
+- }
+ #get count used
+ foreach my $key (keys %customgrp)
+ {
+@@ -676,13 +656,11 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }
+ &General::writehasharray("$confighost", \%customhost);
+ }
+-
+ $fwhostsettings{'update'}='on';
+-
+ }
+- if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} && $errormessage)
++ if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} )
+ {
+- foreach my $key (keys %customgrp)
++ foreach my $key (sort keys %customgrp)
+ {
+ if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'})
+ {
+@@ -690,9 +668,8 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $customgrp{$key}[1]=$rem;
+ }
+ }
+- &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ &General::writehasharray("$configgrp", \%customgrp);
+ $errormessage='';
+- $hint=$Lang::tr{'fwhost changeremark'};
+ $fwhostsettings{'update'}='on';
+ }
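Review bot: With `&& $errormessage` dropped from the condition, the branch now runs on every save where the remark differs, and `$errormessage='';` inside it still clears whatever an earlier check reported, including the name validation failure set near the top of the savegrp handler. An invalid submission can therefore return to the form with no error shown. I would clear only the specific error this branch is meant to override, or skip the branch when name validation failed, and document it with a comment such as `# remark-only change: the duplicate-entry error above is expected here`. The hunk does not show where `$rem` is assigned or whether it is validated before `writehasharray` persists it, so that should be confirmed as well. The enclosing `if ($fwhostsettings{'ACTION'} eq 'savegrp')` block starts outside the hunk.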
+ #check if ruleupdate is needed
+@@ -702,7 +679,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }
+ &addgrp;
+ &viewtablegrp;
+-
+ }
+ if ($fwhostsettings{'ACTION'} eq 'saveservice')
+ {
+@@ -1394,7 +1370,7 @@ sub viewtablehost
+ END
+ }
+ my $count=0;
+- foreach my $key (sort {$a <=> $b} keys %customhost) {
++ foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0])|| $a <=> $b } keys %customhost) {
+ if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
+--
+1.7.10.4
+
--- /dev/null
+From 47472890dd1349eb557ecc8d80391f2c9d60a0ee Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 4 Feb 2013 15:36:37 +0100
+Subject: [PATCH 089/302] Forward Firewall: extended the accepted chars for
+ group and servicenames NOw / () and _ are allowed,
+ too
+
+---
+ html/cgi-bin/fwhosts.cgi | 52 +++++-----------------------------------------
+ 1 file changed, 5 insertions(+), 47 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index a46777a..6b6a5ec 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -120,9 +120,6 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
+ }
+ }
+ &General::writehasharray("$confighost", \%customhost);
+-
+-
+-
+ $fwhostsettings{'actualize'} = 'on';
+ $fwhostsettings{'ACTION'} = 'savehost';
+ }
+@@ -131,7 +128,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ my $count=0;
+ my $needrules=0;
+ $errormessage=&checkports(\%customservice);
+-
+ if (!$errormessage){
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $key (keys %customservice)
+@@ -166,19 +162,16 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ $fwhostsettings{'SRV_NAME'} = '';
+ $fwhostsettings{'SRV_PORT'} = '';
+ $fwhostsettings{'PROT'} = '';
+-
+ }else{
+ $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'};
+ $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'};
+ $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'};
+ $fwhostsettings{'updatesrv'}= 'on';
+ }
+-
+ if($needrules eq 'on'){
+ $errormessage="reread!";
+ &rules;
+ }
+-
+ &addservice;
+ }
+ # save
+@@ -187,7 +180,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ my $count=0;
+ my $needrules=0;
+ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
+-
+ #check if all fields are set
+ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
+ {
+@@ -207,7 +199,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32')
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'};
+-
+ }
+ if($fwhostsettings{'error'} ne 'on'){
+ #check if we use one of ipfire's networks (green,orange,blue)
+@@ -240,14 +231,12 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ if (!$errormessage){
+ &plausicheck("editnet");
+ }
+-
+ #check if network ip is part of an already used one
+ if(&checksubnet(\%customnetwork))
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'};
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ }
+-
+ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage)
+ {
+ $fwhostsettings{'actualize'} = '';
+@@ -260,7 +249,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ &General::writehasharray("$confignet", \%customnetwork);
+ undef %customnetwork;
+ }
+-
+ if (!$errormessage){
+ &General::readhasharray("$confignet", \%customnetwork);
+ if ($fwhostsettings{'ACTION'} eq 'updatenet'){
+@@ -345,23 +333,19 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ &viewtablenet;
+ }
+ }
+-
+ }
+ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ {
+ my $count=0;
+ my $needrules=0;
+ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
+-
+ $fwhostsettings{'SUBNET'}='32';
+-
+ #check if all fields are set
+ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
+ $fwhostsettings{'ACTION'} = 'edithost';
+ }else{
+-
+ if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
+ $fwhostsettings{'type'} = 'mac';
+ }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+@@ -374,13 +358,11 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $fwhostsettings{'type'} = '';
+ $errormessage=$Lang::tr{'fwhost err ipmac'};
+ }
+-
+ if($fwhostsettings{'type'} eq 'mac' )
+ {
+ if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ )
+ {
+ $errormessage=$Lang::tr{'fwhost err mac'};
+-
+ }
+ }
+ #CHECK IP-PART
+@@ -392,7 +374,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'};
+ $fwhostsettings{'error'}='on';
+ }
+-
+ }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){
+ $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'};
+ $fwhostsettings{'error'}='on';
+@@ -403,14 +384,10 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $errormessage=$Lang::tr{'fwhost err hostip'};
+ }
+ }
+-
+-
+-
+ #only check plausi when no error till now
+ if (!$errormessage){
+ &plausicheck("edithost");
+ }
+-
+ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){
+ $fwhostsettings{'actualize'} = '';
+ my $key = &General::findhasharraykey (\%customhost);
+@@ -425,9 +402,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $customhost{$key}[3] = $fwhostsettings{'count'};
+ &General::writehasharray("$confighost", \%customhost);
+ undef %customhost;
+-
+ }
+-
+ if (!$errormessage){
+ #get count if host was edited
+ if($fwhostsettings{'actualize'} eq 'on'){
+@@ -484,7 +459,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ if($fwhostsettings{'newhost'} eq 'on'){$count=0;}
+ $customhost{$key}[3] = $count;
+ &General::writehasharray("$confighost", \%customhost);
+-
+ #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ undef %customhost;
+ $fwhostsettings{'HOSTNAME'}='';
+@@ -500,9 +474,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ &addhost;
+ &viewtablehost;
+ }
+-
+ }
+-
+ }
+ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ {
+@@ -517,8 +489,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ &General::readhasharray("$confignet", \%customnetwork);
+ &General::readhasharray("$confighost", \%customhost);
+ $grp=$fwhostsettings{'grp_name'};
+-
+- if (!&General::validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};}
++ if (!&validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};}
+ ###check standard networks
+ if ($fwhostsettings{'grp2'} eq 'std_net'){
+ @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
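Review bot: The check on `$grp` now calls a file-local `&validhostname` instead of `&General::validhostname`, and the local sub's definition is not part of the visible hunks, so the accepted character set cannot be reviewed here. These names are later printed into HTML attributes such as `value='$grpname'` without escaping. The local pattern should therefore be anchored at both ends and limited to the characters the subject line names; quotes, angle brackets and control characters must stay excluded. A short comment above the sub, for example `# Looser than General::validhostname: additionally allows / ( ) _ ; output must still be HTML-escaped`, would make the difference explicit. The `'fwhost err name'` text still lists only a-z, A-Z, 0-9, space and minus and should be updated to match. The same swap is made in checkservicegroup (hunk at -1605) and in checkports.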
+@@ -638,7 +609,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ $customgrp{$key}[4] = $count;
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+-
+ #update counter in Host/Net
+ if($updcounter eq 'net'){
+ foreach my $key (keys %customnetwork) {
+@@ -683,10 +653,8 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ if ($fwhostsettings{'ACTION'} eq 'saveservice')
+ {
+ my $ICMP;
+-
+ &General::readhasharray("$configsrv", \%customservice );
+ $errormessage=&checkports(\%customservice);
+-
+ if ($fwhostsettings{'PROT'} eq 'ICMP'){
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ foreach my $key (keys %icmptypes){
+@@ -697,7 +665,6 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
+ }
+ if($ICMP eq ''){$ICMP='BLANK';}
+ if (!$errormessage){
+-
+ my $key = &General::findhasharraykey (\%customservice);
+ foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
+ $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
+@@ -711,11 +678,8 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
+ $fwhostsettings{'SRV_PORT'}='';
+ $fwhostsettings{'PROT'}='';
+ $fwhostsettings{'ICMP_TYPES'}='';
+-
+ }
+-
+ &addservice;
+-
+ }
+ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ {
+@@ -724,13 +688,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ my $count=0;
+ &General::readhasharray("$configsrvgrp", \%customservicegrp );
+ &General::readhasharray("$configsrv", \%customservice );
+-
+ $errormessage=&checkservicegroup;
+-
+ if (!$errormessage){
+ #on first save, we have to enter a dummy value
+ if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};}
+-
+ #on update, we have to delete the dummy entry
+ foreach my $key (keys %customservicegrp){
+ if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
+@@ -770,14 +731,12 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ }
+ }
+ &General::writehasharray("$configsrv", \%customservice );
+-
+ my $key = &General::findhasharraykey (\%customservicegrp);
+ foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";}
+ $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'};
+ $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'};
+ $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'};
+ $customservicegrp{$key}[3] = $count;
+-
+ &General::writehasharray("$configsrvgrp", \%customservicegrp );
+ $fwhostsettings{'updatesrvgrp'}='on';
+ }
+@@ -870,7 +829,6 @@ if ($fwhostsettings{'ACTION'} eq 'delhost')
+ }
+ &addhost;
+ &viewtablehost;
+-
+ }
+ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ {
+@@ -1605,7 +1563,7 @@ sub checkservicegroup
+
+
+ #check name
+- if ( ! &General::validhostname($fwhostsettings{'SRVGRP_NAME'}))
++ if ( ! &validhostname($fwhostsettings{'SRVGRP_NAME'}))
+ {
+ $errormessage.=$Lang::tr{'fwhost err name'}."<br>";
+ return $errormessage;
+@@ -1955,7 +1913,7 @@ sub checkports
+ $errormessage=$Lang::tr{'fwhost err port'};
+ }
+ #check valid name
+- if (! &General::validhostname($fwhostsettings{'SRV_NAME'})){
++ if (! &validhostname($fwhostsettings{'SRV_NAME'})){
+ $errormessage="<br>".$Lang::tr{'fwhost err name'};
+ }
+ #change dashes with :
+@@ -1992,13 +1950,13 @@ sub validhostname
+ if (length ($hostname) < 1 || length ($hostname) > 63) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-\s]*$/) {
++ if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_()\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
+ return 0;}
+ # Last character can only be a letter or a digit
+- if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
++ if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9()]*$/) {
+ return 0;}
+ return 1;
+ }
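Review bot: The widened character class in `validhostname` still uses `\s` and `^…$`, so a name containing a tab or an embedded newline passes the check. If these names are later written to the line-oriented files handled by `&General::writehasharray` (as the callers in this patch suggest), that can split a record. I would allow only a literal space, anchor with `\A`/`\z`, and move the hyphen to the end of the class so `0-9-_` cannot be misread as a range: `if ($hostname !~ /\A[a-zA-ZäöüÖÄÜ0-9_()\/ -]*\z/) {`. The comment above it ("Only valid characters are a-z, A-Z, 0-9 and -") is now out of date and should list `_`, `(`, `)`, `/` and space. The sub starts outside this hunk, and the other hunks that switch callers from `&General::validhostname` to `&validhostname` now depend on this looser local rule.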
+--
+1.7.10.4
+
--- /dev/null
+From ea96c6313b15285e36583ed46b78200cbfa447a5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 6 Feb 2013 15:14:15 +0100
+Subject: [PATCH 090/302] Forward Firewall: Bugfix: now the Protocols are
+ corrected in the tablerule if a servicegroup was
+ used
+
+---
+ html/cgi-bin/forwardfw.cgi | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index c3acfca..7e173f5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1703,16 +1703,20 @@ sub get_serviceports
+ $protocols=$customservice{$key}[2];
+ }
+ }
+-
+ }elsif($type eq 'group'){
+ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
+ if ($customservicegrp{$key}[0] eq $name){
+- if($customservicegrp{$key}[4] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
++ foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
++ if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
++ }
++ }
+ }
+ }
+ }
+- if($tcp){$protocols.="TCP";}
+- if($udp){$protocols.=",UDP";}
++ if($tcp && $udp){$protocols="TCP,UDP";
++ }elsif($tcp){$protocols.="TCP";
++ }elsif($udp){$protocols.="UDP";}
+ return $protocols;
+ }
+ sub viewtablerule
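Review bot: The added inner loop in `get_serviceports` treats every group member whose protocol is not `'TCP'` as UDP, because the `else` branch sets `$udp='UDP'` unconditionally. A service stored with another protocol would then be shown as UDP in the rule table; `fwhosts.cgi` accepts `'ICMP'` for `PROT`, so this looks reachable. Test the value explicitly, `if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}elsif($customservice{$key1}[2] eq 'UDP'){$udp='UDP';}`, and decide how other protocols should be displayed. The `sort` on the inner `keys %customservice` has no effect on the result and can be dropped. The sub starts outside this hunk.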
+--
+1.7.10.4
+
--- /dev/null
+From 6c8bb545d00696985ad1e4dc312d620d72e0f213 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Feb 2013 12:12:11 +0100
+Subject: [PATCH 091/302] Forward Firewall: When changing a service which is
+ used in a rule, the rule was destroyed. Now the
+ configfiles of the firewall are adapted as needed.
+
+---
+ html/cgi-bin/fwhosts.cgi | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 6b6a5ec..06522ac 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -151,6 +151,30 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'};
+ $customservice{$key1}[4] = $count;
+ &General::writehasharray("$configsrv", \%customservice);
++
++ #check if we need to update configfiles for rules
++ if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){
++ if ( ! -z $fwconfigfwd ){
++ &General::readhasharray("$fwconfigfwd", \%fwfwd);
++ foreach my $key (sort keys %fwfwd){
++ if ($fwfwd{$key}[15] eq $fwhostsettings{'oldsrvname'}){
++ $fwfwd{$key}[15] = $fwhostsettings{'SRV_NAME'};
++ }
++ }
++ &General::writehasharray("$fwconfigfwd", \%fwfwd);
++ $needrules='on';
++ }
++ if ( ! -z $fwconfiginp ){
++ &General::readhasharray("$fwconfiginp", \%fwinp);
++ foreach my $line (sort keys %fwinp){
++ if ($fwfwd{$line}[15] eq $fwhostsettings{'oldsrvname'}){
++ $fwfwd{$line}[15] = $fwhostsettings{'SRV_NAME'};
++ }
++ }
++ &General::writehasharray("$fwconfiginp", \%fwinp);
++ }
++ $needrules='on';
++ }
+ if($fwhostsettings{'updatesrv'} eq 'on'){
+ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
+ $needrules='on';
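Review bot: In the second added block the loop walks `keys %fwinp` but compares and assigns `$fwfwd{$line}[15]`, so the INPUT rules are written back by `&General::writehasharray("$fwconfiginp", \%fwinp)` without the service being renamed. Those rules keep pointing at the old service name, and the lookup may also create empty entries in `%fwfwd`. The two lines should read `if ($fwinp{$line}[15] eq $fwhostsettings{'oldsrvname'}){` and `$fwinp{$line}[15] = $fwhostsettings{'SRV_NAME'};`. `$needrules='on'` is also set twice; the assignment after both blocks is enough. The enclosing `updateservice` branch starts and ends outside this hunk.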
+@@ -169,7 +193,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ $fwhostsettings{'updatesrv'}= 'on';
+ }
+ if($needrules eq 'on'){
+- $errormessage="reread!";
+ &rules;
+ }
+ &addservice;
+--
+1.7.10.4
+
--- /dev/null
+From a2e2b7ea1cac429dac34b492dd09b2d596bd146b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Feb 2013 13:17:25 +0100
+Subject: [PATCH 092/302] Forward Firewall: changed sortorder of
+ servicedropdown in servicegrouping. catched F5 when
+ editing a host-Now no entry is saved in customhosts
+ table theres only the IP shown (deleted subnet)
+
+---
+ html/cgi-bin/fwhosts.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 06522ac..900928d 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -482,7 +482,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ if($fwhostsettings{'newhost'} eq 'on'){$count=0;}
+ $customhost{$key}[3] = $count;
+ &General::writehasharray("$confighost", \%customhost);
+- #$fwhostsettings{'IP'} = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ undef %customhost;
+ $fwhostsettings{'HOSTNAME'}='';
+ $fwhostsettings{'IP'}='';
+@@ -1269,7 +1268,7 @@ END
+ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort {$a <=> $b} keys %customservice)
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice)
+ {
+ print "<option>$customservice{$key}[0]</option>";
+ }
+@@ -1358,7 +1357,7 @@ END
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+ print<<END;
+- <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$customhost{$key}[2]</td><td align='center'>$customhost{$key}[3]x</td>
++ <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$ip</td><td align='center'>$customhost{$key}[3]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+@@ -1748,9 +1747,10 @@ sub plausicheck
+ &General::readhasharray("$confighost", \%customhost);
+ if (!&checkname(\%customhost))
+ {
+- $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err hostexist'};
++ $errormessage.="<br>".$Lang::tr{'fwhost err hostexist'};
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+- if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ #if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
++ $fwhostsettings{'ACTION'}=$edit;
+ }
+ #check if host with this ip already exists
+ if (!&checkip(\%customhost,2))
+--
+1.7.10.4
+
--- /dev/null
+From fd52348bc58044486704ce6c8880e4dd96f88636 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Feb 2013 15:24:19 +0100
+Subject: [PATCH 093/302] Forward Firewall: some code optimizations
+
+---
+ html/cgi-bin/fwhosts.cgi | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 900928d..c23c909 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -152,7 +152,7 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ $customservice{$key1}[4] = $count;
+ &General::writehasharray("$configsrv", \%customservice);
+
+- #check if we need to update configfiles for rules
++ #check if we need to update firewallrules
+ if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+@@ -162,7 +162,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", \%fwfwd);
+- $needrules='on';
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+@@ -175,14 +174,14 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ }
+ $needrules='on';
+ }
+- if($fwhostsettings{'updatesrv'} eq 'on'){
+- if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
+- $needrules='on';
+- }
+- if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
+- $needrules='on';
+- }
++
++ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
++ $needrules='on';
+ }
++ if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
++ $needrules='on';
++ }
++
+ $fwhostsettings{'SRV_NAME'} = '';
+ $fwhostsettings{'SRV_PORT'} = '';
+ $fwhostsettings{'PROT'} = '';
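Review bot: Both added conditions use `$count gt 0`, which is a string comparison on a usage counter. A value with leading whitespace or an empty value compares differently from the numeric test, so a service that is in use could skip the rule reload; `$count > 0` states the intent. With the `updatesrv` guard removed the two checks can also be merged into one, `if($count > 0 && ($fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} || $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'})){`. The enclosing branch starts outside this hunk.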
+@@ -1749,14 +1748,12 @@ sub plausicheck
+ {
+ $errormessage.="<br>".$Lang::tr{'fwhost err hostexist'};
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+- #if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
+- $fwhostsettings{'ACTION'}=$edit;
++ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
+ }
+ #check if host with this ip already exists
+ if (!&checkip(\%customhost,2))
+ {
+ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err ipcheck'};
+-
+ }
+
+
+--
+1.7.10.4
+
--- /dev/null
+From 0f1860f1928549b969e33c7ba06ddcfba754569f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Feb 2013 06:00:41 +0100
+Subject: [PATCH 094/302] Forward Firewall: when a service is used in a
+ servicegroup, it was not updated when editing the
+ service
+
+---
+ html/cgi-bin/fwhosts.cgi | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index c23c909..6ce7ac8 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -151,7 +151,6 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'};
+ $customservice{$key1}[4] = $count;
+ &General::writehasharray("$configsrv", \%customservice);
+-
+ #check if we need to update firewallrules
+ if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){
+ if ( ! -z $fwconfigfwd ){
+@@ -172,9 +171,19 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ }
+ &General::writehasharray("$fwconfiginp", \%fwinp);
+ }
++ #check if we need to update groups
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ foreach my $key (sort keys %customservicegrp){
++ if($customservicegrp{$key}[2] eq $fwhostsettings{'oldsrvname'}){
++ $customservicegrp{$key}[2] = $fwhostsettings{'SRV_NAME'};
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++
+ $needrules='on';
+ }
+
++
+ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
+ $needrules='on';
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 423117851818bf3c195ebce36317b2a5e542c3da Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Feb 2013 08:07:45 +0100
+Subject: [PATCH 095/302] Forward Firewall: Fixes Problem when editing a host
+ and afterwards pressing F5, a emtpy entry was
+ created in customhosts
+
+---
+ html/cgi-bin/fwhosts.cgi | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 6ce7ac8..fb39ed8 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -108,7 +108,6 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
+ {
+ if($customhost{$key}[0] eq $fwhostsettings{'orgname'})
+ {
+- $fwhostsettings{'orgname'} = $customhost{$key}[0];
+ if ($customhost{$key}[1] eq 'ip'){
+ ($ip,$subnet) = split (/\//,$customhost{$key}[2]);
+ }else{
+@@ -117,11 +116,15 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
+ $fwhostsettings{'orgip'} = $ip;
+ $fwhostsettings{'count'} = $customhost{$key}[3];
+ delete $customhost{$key};
++ &General::writehasharray("$confighost", \%customhost);
+ }
+ }
+- &General::writehasharray("$confighost", \%customhost);
+ $fwhostsettings{'actualize'} = 'on';
++ if($fwhostsettings{'orgip'}){
+ $fwhostsettings{'ACTION'} = 'savehost';
++ }else{
++ $fwhostsettings{'ACTION'} = $Lang::tr{'fwhost newhost'};
++ }
+ }
+ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ {
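Review bot: The new `if($fwhostsettings{'orgip'})` test chooses between `savehost` and the new-host form from a key of `%fwhostsettings`, which this block sets only when a matching host was found and deleted. If that hash is filled from the submitted form (not visible in this hunk), an `orgip` value already present in the request would select `savehost` even though no entry matched. A local flag avoids relying on that key: declare `my $found=0;` before the loop, set `$found=1;` next to `delete $customhost{$key};`, and test `if($found){`. The `updatehost` branch starts outside this hunk.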
+--
+1.7.10.4
+
--- /dev/null
+From 8bcd1f72b1d1af8048eb4a6a55299377622ef04d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Feb 2013 10:33:04 +0100
+Subject: [PATCH 096/302] Forward Firewall: when editing a group the rules
+ where not read correctly, because of wrong COUNT
+
+---
+ html/cgi-bin/fwhosts.cgi | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index fb39ed8..bb1b349 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -750,7 +750,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ {
+ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'})
+ {
+- $count=$customservicegrp{$key}[5];
++ $count=$customservicegrp{$key}[3];
+ last;
+ }
+ }
+@@ -1611,7 +1611,6 @@ sub checkservicegroup
+ {
+ $errormessage.=$Lang::tr{'fwhost err groupempty'}."<br>";
+ }
+-
+ #check if name already exists
+ if ($fwhostsettings{'updatesrvgrp'} ne 'on'){
+ foreach my $key (keys %customservicegrp) {
+@@ -1623,14 +1622,10 @@ sub checkservicegroup
+ }
+ #check if service already exists in group
+ foreach my $key (keys %customservicegrp) {
+- if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){
+- $errormessage.=$Lang::tr{'fwhost err srvexist'}."<br>";
+-
+- }
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){
++ $errormessage.=$Lang::tr{'fwhost err srvexist'}."<br>";
+ }
+-
+-
+-
++ }
+ return $errormessage;
+ }
+ sub error
+--
+1.7.10.4
+
--- /dev/null
+From 98f67ac43c2ae386f5bd85df69ae33b43b3b8e3f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Feb 2013 11:03:06 +0100
+Subject: [PATCH 097/302] Forward Firewall: If editing an external access rule
+ and producing an error, the FORWARD Rule with same
+ ID is displayed instead of INPUT rule
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7e173f5..4816484 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
++ $fwdfwsettings{'config'}=$configinput;
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ my $maxkey=&General::findhasharraykey(\%configinputfw);
+ #check if we have an identical rule already
+@@ -206,6 +207,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }else{
+ #FORWARD PART
++ $fwdfwsettings{'config'}=$configfwdfw;
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
+ my $maxkey=&General::findhasharraykey(\%configfwdfw);
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+--
+1.7.10.4
+
--- /dev/null
+From ecdf3ec3a15c9f24e6dc9ff7c45af45805dafff1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 9 Feb 2013 13:46:25 +0100
+Subject: [PATCH 098/302] Forward Firewall: fixed repositioning function and
+ Networks or broadcasts are now allowed as target
+
+---
+ html/cgi-bin/forwardfw.cgi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 4816484..3026e00 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -735,12 +735,12 @@ sub checktarget
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+
+- #check if net or broadcast
+- my @tmp= split (/\./,$ip);
+- if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
+- {
+- $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+- }
++ ##check if net or broadcast
++ #my @tmp= split (/\./,$ip);
++ #if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
++ #{
++ #$errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
++ #}
+ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
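Review bot: The network/broadcast check in `checktarget` is disabled by commenting out six lines rather than removing them, which leaves dead code with no record of why it was switched off. After this change the target address is accepted on the strength of `&General::validipandmask` alone, so a one-line comment stating that is more useful, for example `# network and broadcast addresses are allowed as target; validity is checked by validipandmask below`. I would delete the commented block and add that comment in its place. The sub starts and ends outside this hunk.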
+@@ -1546,7 +1546,7 @@ sub saverule
+ }
+ }
+ &General::writehasharray("$config", $hash);
+- if($fwdfwsettings{'oldrulenumber'} gt $fwdfwsettings{'rulepos'}){
++ if($fwdfwsettings{'oldrulenumber'} > $fwdfwsettings{'rulepos'}){
+ my %tmp=();
+ my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'};
+ for (my $z=0;$z<$val;$z++){
+@@ -1573,7 +1573,7 @@ sub saverule
+ }
+ &General::writehasharray("$config", $hash);
+ &rules;
+- }elsif($fwdfwsettings{'rulepos'} gt $fwdfwsettings{'oldrulenumber'}){
++ }elsif($fwdfwsettings{'rulepos'} > $fwdfwsettings{'oldrulenumber'}){
+ my %tmp=();
+ my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'};
+ for (my $z=0;$z<$val;$z++){
+--
+1.7.10.4
+
--- /dev/null
+From 02544ec9f4b7d626055a46528dbc319beb958dfe Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 10 Feb 2013 10:53:16 +0100
+Subject: [PATCH 099/302] Forward Firewall: When a group has only one entry
+ and the group is used, it is not possiblle to
+ delete the group
+
+---
+ html/cgi-bin/fwhosts.cgi | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index bb1b349..1ace269 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -182,18 +182,14 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
+ }
+ }
+ &General::writehasharray("$configsrvgrp", \%customservicegrp);
+-
+ $needrules='on';
+ }
+-
+-
+ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
+ $needrules='on';
+ }
+ if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
+ $needrules='on';
+ }
+-
+ $fwhostsettings{'SRV_NAME'} = '';
+ $fwhostsettings{'SRV_PORT'} = '';
+ $fwhostsettings{'PROT'} = '';
+@@ -1367,6 +1363,7 @@ END
+ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
++ $customhost{$key}[3]=~s/\s+//g;
+ print<<END;
+ <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$ip</td><td align='center'>$customhost{$key}[3]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+@@ -1400,18 +1397,18 @@ sub viewtablegrp
+ &General::readhasharray("$confignet", \%customnetwork);
+ my @grp=();
+ my $helper='';
+- my $count=0;
++ my $count=1;
+ my $grpname;
+ my $remark;
+- my $number=keys %customgrp;
++ my $number=1;
+ if (!keys %customgrp)
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
+-
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
++ $number=1;
+ $grpname=$customgrp{$key}[0];
+ $remark=$customgrp{$key}[1];
+ if($count >=2){print"</table>";}
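Review bot: Starting `$count` at 1 means the `$count++` at the top of the loop makes it 2 on the first row, so `if($count >=2){print"</table>";}` prints a closing tag before the first group table has presumably been opened. With the previous `my $count=0;` that tag was only emitted from the second row on. Unless other code outside this hunk depends on the new start value, keep `my $count=0;`, or guard the close with `if ($helper ne '')`. `viewtablegrp` continues outside this hunk.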
+@@ -1443,7 +1440,7 @@ sub viewtablegrp
+ }else{
+ print"<td>$ip</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+- if ($number gt '1' && $ip ne ''){
++ if ($number > 1 && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
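Review bot: No increment of `$number` is visible in this patch: it is declared as 1 and reset to 1 for each new group in the previous hunk, so `if ($number > 1 && $ip ne ''){` would never be true. If nothing outside the hunks increments it, the delete button is not rendered for any group member, which goes further than the stated goal of protecting the last entry of a used group. Counting members per group needs `$number++;` at the end of the loop body, which lies outside this hunk.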
+--
+1.7.10.4
+
--- /dev/null
+From f88e0083fe9223a6988321e54cbb8298d40032dc Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 11 Feb 2013 05:51:42 +0100
+Subject: [PATCH 100/302] Forward Firewall: Portfw now working and firewall
+ closed correctly
+
+---
+ html/cgi-bin/fwhosts.cgi | 3 ++-
+ langs/nl/install/lang_nl.c | 2 +-
+ src/initscripts/init.d/firewall | 13 ++++++-------
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 1ace269..face57b 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1400,7 +1400,7 @@ sub viewtablegrp
+ my $count=1;
+ my $grpname;
+ my $remark;
+- my $number=1;
++ my $number;
+ if (!keys %customgrp)
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+@@ -1446,6 +1446,7 @@ sub viewtablegrp
+ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
+
+ $helper=$customgrp{$key}[0];
++ $number++;
+ }
+ print"</table>";
+
+diff --git a/langs/nl/install/lang_nl.c b/langs/nl/install/lang_nl.c
+index 0153ca0..b9a8ec4 100644
+--- a/langs/nl/install/lang_nl.c
++++ b/langs/nl/install/lang_nl.c
+@@ -354,7 +354,7 @@ char *nl_tr[] = {
+ /* TR_PHONENUMBER_CANNOT_BE_EMPTY */
+ "Telefoonnummer mag niet leeg zijn.",
+ /* TR_PREPARE_HARDDISK */
+-"Het installatieprogramma zal nu de vaste schijf voorbereiden op %s. Eerst wordt de schijf gepartitioneerd, daarna zullen de bestandssystemen erop worden gezet.\n\nALLE DATA OP DE SCHIJF ZAL WORDEN GEWIST. Wilt u hiermee doorgaan?"",
++"Het installatieprogramma zal nu de vaste schijf voorbereiden op %s. Eerst wordt de schijf gepartitioneerd, daarna zullen de bestandssystemen erop worden gezet.\n\nALLE DATA OP DE SCHIJF ZAL WORDEN GEWIST. Wilt u hiermee doorgaan?",
+ /* TR_PRESS_OK_TO_REBOOT */
+ "Druk Ok om te herstarten.",
+ /* TR_PRIMARY_DNS */
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 25892df..a22e5f8 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -205,7 +205,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+- /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
++ #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+
+ # If a host on orange tries to initiate a connection to IPFire's red IP and
+ # the connection gets DNATed back through a port forward to a server on orange
+@@ -221,7 +221,11 @@ case "$1" in
+ /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+-
++
++ # PORTFWACCESS chain, used for portforwarding
++ /sbin/iptables -N PORTFWACCESS
++ /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
++
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+@@ -238,15 +242,10 @@ case "$1" in
+
+ # DMZ pinhole chain.
+ # ORANGE to talk to GREEN / BLUE.
+-
+ if [ "$ORANGE_DEV" != "" ]; then
+ /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
+ fi
+
+- # PORTFWACCESS chain, used for portforwarding
+- /sbin/iptables -N PORTFWACCESS
+- /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+-
+ # Custom prerouting chains (for transparent proxy and port forwarding)
+ /sbin/iptables -t nat -N SQUID
+ /sbin/iptables -t nat -A PREROUTING -j SQUID
+--
+1.7.10.4
+
--- /dev/null
+From 9580c8b1274beab1690ca7344f01d8be0a355534 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 13 Feb 2013 13:31:55 +0100
+Subject: [PATCH 101/302] Forward Firewall: added "apply" button to
+ groupmanagement. Now the user can make all changes
+ and finally click apply button to reread
+ firewallrules. Also added a comment in de.pl and
+ en.pl which should remiond the user to click the
+ button.
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ html/cgi-bin/fwhosts.cgi | 25 +++++++++++++++++++++++--
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 2 +-
+ 4 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 3026e00..9f89fe7 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -552,7 +552,7 @@ sub addrule
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+ if (-f "${General::swroot}/forward/reread"){
+- print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'></td>";
++ print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'>$Lang::tr{'fwhost reread'}</td>";
+ }
+ print"</tr></table></form><hr>";
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index face57b..636cf65 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -80,6 +80,11 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+ &Header::openbigbox('100%', 'center');
+
+ ## ACTION ####
++if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
++{
++ &reread_rules;
++ &showmenu;
++}
+ # Update
+ if ($fwhostsettings{'ACTION'} eq 'updatenet' )
+ {
+@@ -1003,9 +1008,15 @@ sub showmenu
+ <table border='0' width='100%'><form method='post'>
+ <tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' /></td>
+ <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' /></td></tr>
+- <tr><td colspan='6'><hr></hr></td></tr></table></form>
++ <tr><td colspan='6'><hr></hr></td>
+ END
+
++
++ if (-f "${General::swroot}/fwhosts/reread"){
++ print "</tr><tr><td colspan='6'><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'>$Lang::tr{'fwhost reread'}</td>";
++ }
++ print"</tr></table></form>";
++
+ &Header::closebox();
+
+ }
+@@ -1877,9 +1888,19 @@ sub getipforgroup
+ }
+ sub rules
+ {
++ if (!-f "${General::swroot}/fwhosts/reread"){
++ system("touch ${General::swroot}/fwhosts/reread");
++ }
++}
++sub reread_rules
++{
+ system ("/usr/local/bin/forwardfwctrl");
+- system("rm ${General::swroot}/forward/reread");
++ if ( -f "${General::swroot}/fwhosts/reread"){
++ system("rm ${General::swroot}/fwhosts/reread");
++ }
++
+ }
++
+ sub decrease
+ {
+ my $grp=$_[0];
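Review bot: `reread_rules` ignores the exit status of `system ("/usr/local/bin/forwardfwctrl")` and removes the `reread` marker either way. If the helper fails, the apply button disappears while the running rules are still the old ones. I would remove the marker only on success. Both subs can also create and delete the marker with `open` and `unlink` instead of running `touch` and `rm` through a shell with an interpolated path. Note that `rules` no longer reloads anything itself after this change, so every existing `&rules` call now only marks the configuration as pending.

```perl
sub rules
{
	my $marker = "${General::swroot}/fwhosts/reread";
	# Create the marker without going through a shell.
	if (!-f $marker){
		open(my $fh, '>', $marker) and close($fh);
	}
}
sub reread_rules
{
	my $marker = "${General::swroot}/fwhosts/reread";
	# Keep the marker when the helper fails so the apply button stays visible.
	if (system("/usr/local/bin/forwardfwctrl") == 0){
		unlink($marker) if -f $marker;
	}
}
```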
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index afdd4cd..924c46c 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1006,6 +1006,7 @@
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protokoll',
++'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.',
+ 'fwhost reset' => 'Abbrechen',
+ 'fwhost services' => 'Dienste',
+ 'fwhost srv_name' => 'Dienstname',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 18abcb5..8dd1771 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1031,6 +1031,7 @@
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protocol',
++'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.',
+ 'fwhost reset' => 'Cancel',
+ 'fwhost services' => 'Services',
+ 'fwhost srv_name' => 'Servicename',
+@@ -2379,7 +2380,6 @@
+ 'wireless configuration' => 'Wireless Configuration',
+ 'wlanap access point' => 'Access Point',
+ 'wlanap channel' => 'Channel',
+-'wlanap country' => 'Country Code',
+ 'wlanap debugging' => 'Debugging',
+ 'wlanap del interface' => 'Remove selected interface?',
+ 'wlanap encryption' => 'Encryption',
+--
+1.7.10.4
+
--- /dev/null
+From 20182c8314d7bee6916f6760f4d50a8268a26077 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 14 Feb 2013 17:23:11 +0100
+Subject: [PATCH 102/302] Forward Firewall: added extra button for changing
+ remark
+
+---
+ html/cgi-bin/fwhosts.cgi | 350 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 196 insertions(+), 154 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 636cf65..c45b0de 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -512,7 +512,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ }
+ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ {
+- my $grp;
++ my $grp=$fwhostsettings{'grp_name'};;
+ my $rem=$fwhostsettings{'remark'};
+ my $count;
+ my $type;
+@@ -522,94 +522,106 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ &General::readhasharray("$configgrp", \%customgrp);
+ &General::readhasharray("$confignet", \%customnetwork);
+ &General::readhasharray("$confighost", \%customhost);
+- $grp=$fwhostsettings{'grp_name'};
+- if (!&validhostname($grp)){$errormessage=$errormessage.$Lang::tr{'fwhost err name'};}
+- ###check standard networks
+- if ($fwhostsettings{'grp2'} eq 'std_net'){
+- @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
+- $type='Standard Network';
+- }
+- ##check custom networks
+- if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){
+- @target=$fwhostsettings{'CUST_SRC_NET'};
+- $updcounter='net';
+- $type='Custom Network';
+- }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
+- }
+- #check custom addresses
+- if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){
+- @target=$fwhostsettings{'CUST_SRC_HOST'};
+- $updcounter='host';
+- $type='Custom Host';
+- }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
+- }
+- #get address from ovpn ccd static net
+- if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
+- @target=$fwhostsettings{'OVPN_CCD_NET'};
+- $type='OpenVPN static network';
+- }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'};
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
+- }
+- #get address from ovpn ccd static host
+- if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){
+- @target=$fwhostsettings{'OVPN_CCD_HOST'};
+- $type='OpenVPN static host';
+- }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'};
+- }
+- #get address from ovpn ccd Net-2-Net
+- if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){
+- @target=$fwhostsettings{'OVPN_N2N'};
+- $type='OpenVPN N-2-N';
+- }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'};
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
+- }
+- #get address from IPSEC HOST
+- if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){
+- @target=$fwhostsettings{'IPSEC_HOST'};
+- $type='IpSec Host';
+- }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'};
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
++ #check name
++ if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};}
++ #check remark
++ if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){
++ $errormessage.=$Lang::tr{'fwhost err remark'};
++ $fwhostsettings{'update'} = 'on';
++ $fwhostsettings{'remark'}=$fwhostsettings{'oldremark'};
++ &addgrp;
++ &viewtablegrp;
+ }
+- #get address from IPSEC NETWORK
+- if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){
+- @target=$fwhostsettings{'IPSEC_NET'};
+- $type='IpSec Network';
+- }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){
+- $errormessage=$Lang::tr{'fwhost err groupempty'};
+- $fwhostsettings{'grp_name'}='';
+- $fwhostsettings{'remark'}='';
+- }
+- #check if host/net exists in grp
+- my $test="$grp,$fwhostsettings{'oldremark'},@target";
+- foreach my $key (keys %customgrp) {
+- my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]";
+- if ($test1 eq $test){
+- $errormessage=$Lang::tr{'fwhost err isingrp'};
+- $fwhostsettings{'update'} = 'on';
++ if ($fwhostsettings{'update'} eq 'on'){
++ #check standard networks
++ if ($fwhostsettings{'grp2'} eq 'std_net'){
++ @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
++ $type='Standard Network';
++ }
++ #check custom networks
++ if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){
++ @target=$fwhostsettings{'CUST_SRC_NET'};
++ $updcounter='net';
++ $type='Custom Network';
++ }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #check custom addresses
++ if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){
++ @target=$fwhostsettings{'CUST_SRC_HOST'};
++ $updcounter='host';
++ $type='Custom Host';
++ }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from ovpn ccd static net
++ if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
++ @target=$fwhostsettings{'OVPN_CCD_NET'};
++ $type='OpenVPN static network';
++ }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from ovpn ccd static host
++ if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){
++ @target=$fwhostsettings{'OVPN_CCD_HOST'};
++ $type='OpenVPN static host';
++ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ }
++ #get address from ovpn ccd Net-2-Net
++ if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){
++ @target=$fwhostsettings{'OVPN_N2N'};
++ $type='OpenVPN N-2-N';
++ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from IPSEC HOST
++ if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){
++ @target=$fwhostsettings{'IPSEC_HOST'};
++ $type='IpSec Host';
++ }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #get address from IPSEC NETWORK
++ if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){
++ @target=$fwhostsettings{'IPSEC_NET'};
++ $type='IpSec Network';
++ }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){
++ $errormessage=$Lang::tr{'fwhost err groupempty'};
++ $fwhostsettings{'grp_name'}='';
++ $fwhostsettings{'remark'}='';
++ }
++ #check if host/net exists in grp
++
++ my $test="$grp,$fwhostsettings{'oldremark'},@target";
++ foreach my $key (keys %customgrp) {
++ my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]";
++ if ($test1 eq $test){
++ $errormessage=$Lang::tr{'fwhost err isingrp'};
++ $fwhostsettings{'update'} = 'on';
++ }
+ }
+ }
++
+ if (!$errormessage){
+ #on first save, we have an empty @target, so fill it with nothing
+ my $targetvalues=@target;
+ if ($targetvalues == '0'){
+- @target=$Lang::tr{'fwhost empty'};
++ @target="none";
+ }
+ #on update, we have to delete the dummy entry
+ foreach my $key (keys %customgrp){
+- if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
++ if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq "none"){
+ delete $customgrp{$key};
+ last;
+ }
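Review bot: The remark check added at the top of this block is skipped whenever the request carries `update=on`, and `update` is a form field that this same patch starts sending back as a hidden input, so the client decides whether `validremark` runs. The remark should be validated on every save, e.g. `if ($rem ne '' && !&validremark($rem)){`. Inside the new `update` branch the `groupempty` and `isingrp` cases still assign with `=`, which discards the name error appended by `.=` a few lines earlier; `.=` would keep both. The savegrp block starts and ends outside this hunk, so where `$rem` is finally written should be confirmed against the full file.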
+@@ -662,20 +674,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }
+ $fwhostsettings{'update'}='on';
+ }
+- if ($fwhostsettings{'remark'} ne $fwhostsettings{'oldremark'} )
+- {
+- foreach my $key (sort keys %customgrp)
+- {
+- if($customgrp{$key}[0] eq $grp && $customgrp{$key}[1] eq $fwhostsettings{'oldremark'})
+- {
+- $customgrp{$key}[1]='';
+- $customgrp{$key}[1]=$rem;
+- }
+- }
+- &General::writehasharray("$configgrp", \%customgrp);
+- $errormessage='';
+- $fwhostsettings{'update'}='on';
+- }
+ #check if ruleupdate is needed
+ if($count > 0 )
+ {
+@@ -725,10 +723,12 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ $errormessage=&checkservicegroup;
+ if (!$errormessage){
+ #on first save, we have to enter a dummy value
+- if ($fwhostsettings{'CUST_SRV'} eq ''){$fwhostsettings{'CUST_SRV'}=$Lang::tr{'fwhost empty'};}
++ if ($fwhostsettings{'CUST_SRV'} eq ''){
++ $fwhostsettings{'CUST_SRV'}='none';
++ }
+ #on update, we have to delete the dummy entry
+ foreach my $key (keys %customservicegrp){
+- if ($customservicegrp{$key}[2] eq $Lang::tr{'fwhost empty'}){
++ if ($customservicegrp{$key}[2] eq 'none'){
+ delete $customservicegrp{$key};
+ last;
+ }
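Review bot: The placeholder cleanup for service groups deletes the first entry whose third field is `'none'` without checking which group it belongs to, so saving group B can remove the placeholder of a still-empty group A. The host-group version in the savegrp hunk also compares the group name, and this loop should do the same: `if ($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq 'none'){`. Using the literal `none` as a sentinel also makes it a reserved member name, which is worth a comment next to the assignment. The saveservicegrp block continues outside this hunk.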
+@@ -774,20 +774,6 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ &General::writehasharray("$configsrvgrp", \%customservicegrp );
+ $fwhostsettings{'updatesrvgrp'}='on';
+ }
+- if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $errormessage){
+- foreach my $key (keys %customservicegrp)
+- {
+- if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'})
+- {
+- $customservicegrp{$key}[1]='';
+- $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'};
+- }
+- }
+- &General::writehasharray("$configsrvgrp", \%customservicegrp);
+- $errormessage='';
+- $hint=$Lang::tr{'fwhost changeremark'};
+- $fwhostsettings{'update'}='on';
+- }
+ if ($count gt 0){
+ &rules;
+ }
+@@ -994,6 +980,62 @@ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'})
+ &addservicegrp;
+ &viewtableservicegrp;
+ }
++if ($fwhostsettings{'ACTION'} eq 'changegrpremark')
++{
++ &General::readhasharray("$configgrp", \%customgrp);
++ if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && &validremark($fwhostsettings{'newrem'})){
++ foreach my $key (sort keys %customgrp)
++ {
++ #$customgrp{$key}[1]=~ s/\|/,/g;
++ if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'})
++ {
++ #$fwhostsettings{'newrem'}=~ s/,/\|/g;
++ $customgrp{$key}[1]='';
++ $customgrp{$key}[1]=$fwhostsettings{'newrem'};
++ }
++ }
++ &General::writehasharray("$configgrp", \%customgrp);
++ $fwhostsettings{'update'}='on';
++ #$fwhostsettings{'newrem'}=~ s/\|/,/g;
++ $fwhostsettings{'remark'}=$fwhostsettings{'newrem'};
++ }else{
++ $errormessage=$Lang::tr{'fwhost err remark'};
++ $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'};
++ $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
++ $fwhostsettings{'update'} = 'on';
++ }
++ $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'};
++ &addgrp;
++ &viewtablegrp;
++}
++if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark')
++{
++ &General::readhasharray("$configsrvgrp", \%customservicegrp );
++ if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && &validremark($fwhostsettings{'newsrvrem'})){
++ foreach my $key (sort keys %customservicegrp)
++ {
++ #$customservicegrp{$key}[1]=~ s/\|/,/g;
++ if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'})
++ {
++ #$fwhostsettings{'newsrvrem'}=~ s/,/|/g;
++ $customservicegrp{$key}[1]='';
++ $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'};
++ }
++ }
++ &General::writehasharray("$configsrvgrp", \%customservicegrp);
++ $fwhostsettings{'updatesrvgrp'}='on';
++ #$fwhostsettings{'newsrvrem'}=~ s/\|/,/g;
++ $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'};
++ }else{
++ $errormessage=$Lang::tr{'fwhost err remark'};
++ $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'};
++ $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'};
++ $fwhostsettings{'updatesrvgrp'} = 'on';
++ }
++ $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'};
++ &addservicegrp;
++ &viewtableservicegrp;
++}
+ ### VIEW ###
+ if($fwhostsettings{'ACTION'} eq '')
+ {
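Review bot: Only `newrem` and `newsrvrem` pass through `validremark` in the two added handlers; `grp`, `oldrem`, `srvgrp` and `oldsrvrem` are taken from the request as they are and copied into `grp_name`, `remark`, `SRVGRP_NAME` and `SRVGRP_REMARK`. `addgrp` and `addservicegrp` then interpolate those values into single-quoted `value='...'` attributes (see the form hunks further down in this patch). Unless the hash is already escaped where it is filled, which is not visible here, the group name should be checked with `&validhostname(...)` and the old remark with `&validremark(...)` before either handler uses them, and the values HTML-escaped where they are printed. The `else` branch also reports `fwhost err remark` when the remark is merely unchanged, so an unchanged remark deserves its own branch without an error.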
+@@ -1081,7 +1123,8 @@ sub addgrp
+ $checked{'check1'}{'on'} = '';
+ $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED';
+ $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'};
+-
++ my $grp=$fwhostsettings{'grp_name'};
++ my $rem=$fwhostsettings{'remark'};
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+@@ -1090,18 +1133,14 @@ sub addgrp
+ END
+ }else{
+ print<<END;
+- <table width='100%' border='0'><form method='post'>
+- <tr><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='remark' size='35' value='$fwhostsettings{'remark'}'></tr>
+- <tr><td colspan='5'><hr></td></tr></table>
++ <table width='100%' border='0'><form method='post' style='display:inline'>
++ <tr><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='newrem' size='35' value='$fwhostsettings{'remark'}'></td><td><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='changegrpremark' ></td></tr></table></form>
++ <hr>
+ END
+-
+ }
+ if ($fwhostsettings{'update'} eq 'on'){
+-
+-
+ print<<END;
+- <table width='100%' border='0'><tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
+-
++ <form method='post'><input type='hidden' name='remark' value='$rem'><input type='hidden' name='grp_name' value='$grp'><table width='100%' border='0'><tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -1111,7 +1150,6 @@ END
+ print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+ }
+-
+ print<<END;
+ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>
+ END
+@@ -1120,7 +1158,6 @@ END
+ {
+ print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
+ }
+-
+ print<<END;
+ </select></td></tr>
+ <tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>
+@@ -1129,7 +1166,6 @@ END
+ foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
+ print"<option>$customnetwork{$key}[0]</option>";
+ }
+-
+ print<<END;
+ </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>
+ END
+@@ -1140,7 +1176,6 @@ END
+ print"<option value='$ccdhost{$key}[1]'>$ccdhost{$key}[1]</option>";
+ }
+ }
+-
+ print<<END;
+ </select></td></tr>
+ <tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>
+@@ -1182,18 +1217,10 @@ END
+ # print<<END;
+ # </select></td></tr>
+ # <tr>
+- print<<END;
+- <br><br><br>
+- <b>$Lang::tr{'fwhost attention'}:</b><br>
+- $Lang::tr{'fwhost macwarn'}<br><hr>
+-END
++ print"<br><br><b>$Lang::tr{'fwhost attention'}:</b><br> $Lang::tr{'fwhost macwarn'}<br><hr>";
+ }
+- print<<END;
+- <table border='0' width='100%'>
+- <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+- </table></form>
+-END
+-
++ print"<table border='0' width='100%'>";
++ print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=$fwhostsettings{'update'} ><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td></table></form>";
+ &Header::closebox();
+ }
+ sub addservice
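Review bot: The new hidden field is written as `value=$fwhostsettings{'update'}` with no quotes around a value that comes from the request, so an empty value produces `value= >` and any whitespace in it ends the attribute. It should be quoted like its neighbours, `<input type='hidden' name='update' value='$fwhostsettings{'update'}' >`, and since only `on` and the empty string are meaningful the value is better normalised before printing. The rewritten line also carries over `value'reset'` without the `=`, so the back button's ACTION field has no value; `value='reset'` is what was meant.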
+@@ -1264,7 +1291,6 @@ sub addservicegrp
+ &showmenu;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'});
+ $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'};
+-
+ if ($fwhostsettings{'updatesrvgrp'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+@@ -1274,15 +1300,15 @@ sub addservicegrp
+ END
+ }else{
+ print<<END;
+- <table width='100%' border='0'><form method='post'>
+- <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='SRVGRP_REMARK' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td></tr>
+- <tr><td colspan='4'><hr></td></td></tr>
+- </table>
++ <table width='100%' border='0'><form method='post' style='display:inline'>
++ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='srvgrp' value='$fwhostsettings{'SRVGRP_NAME'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='newsrvrem' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td><td><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldsrvrem' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='changesrvgrpremark' ></td></tr>
++ <tr><td colspan='5'><hr></td></td></tr>
++ </table></form>
+ END
+ }
+ if($fwhostsettings{'updatesrvgrp'} eq 'on'){
+ print<<END;
+- <table border='0' width='100%'>
++ <form method='post'><input type='hidden' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}'><input type='hidden' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'><table border='0' width='100%'>
+ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+@@ -1302,7 +1328,6 @@ END
+ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='oldsrvgrpremark' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='saveservicegrp' ></form><form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'></td></tr>
+ </table></form>
+ END
+-
+ &Header::closebox();
+ }
+ # View
+@@ -1420,8 +1445,9 @@ sub viewtablegrp
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
+ $number=1;
++ if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};}
+ $grpname=$customgrp{$key}[0];
+- $remark=$customgrp{$key}[1];
++ $remark="$customgrp{$key}[1]";
+ if($count >=2){print"</table>";}
+ print "<br><b><u>$grpname</u></b>    ";
+ print " <b>$Lang::tr{'remark'}:</b>  $remark   " if ($remark ne '');
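Review bot: The added placeholder translation overwrites `$customgrp{$key}[2]` in the hash itself, so later uses in viewtablegrp — the `getipforgroup` call and the `delhost` hidden value — receive the translated text instead of the stored `none`. A display-only copy avoids that: `my $member = $customgrp{$key}[2] eq 'none' ? $Lang::tr{'fwhost empty'} : $customgrp{$key}[2];`. The same in-place rewrite is added to viewtableservicegrp in the next-but-one hunk. The quotes in `$remark="$customgrp{$key}[1]";` do nothing and can be dropped.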
+@@ -1435,11 +1461,13 @@ sub viewtablegrp
+ }
+ if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+- }elsif ($count %2 == 0){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
++ }elsif ($count %2 == 0){
++ print"<tr bgcolor='$color{'color22'}'>";
++ }else{
++ print"<tr bgcolor='$color{'color20'}'>";
++ }
+ my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]);
+ if ($ip eq ''){print"<tr bgcolor='${Header::colouryellow}'>";}
+-
+-
+ print "<td width='39%'>";
+ if($customgrp{$key}[3] eq 'Standard Network'){
+ print &get_name($customgrp{$key}[2])."</td>";
+@@ -1523,7 +1551,10 @@ sub viewtableservicegrp
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
+ $grpname=$customservicegrp{$key}[0];
+- $remark=$customservicegrp{$key}[1];
++ if ($customservicegrp{$key}[2] eq "none"){
++ $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'};
++ }
++ $remark="$customservicegrp{$key}[1]";
+ if($count >=2){print"</table>";}
+ print "<br><b><u>$grpname</u></b>     ";
+ print "<b>$Lang::tr{'remark'}:</b>  $remark " if ($remark ne '');
+@@ -1537,8 +1568,7 @@ sub viewtableservicegrp
+ }
+ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+- }
+- if ($count %2 == 0){
++ }elsif ($count %2 == 0){
+ print"<tr bgcolor='$color{'color22'}'>";
+ }else{
+ print"<tr bgcolor='$color{'color20'}'>";
+@@ -1610,11 +1640,6 @@ sub checkservicegroup
+ $errormessage.=$Lang::tr{'fwhost err name'}."<br>";
+ return $errormessage;
+ }
+- #check remark
+- if ( ($fwhostsettings{'SRVGRP_REMARK'} ne '') && (! &validhostname($fwhostsettings{'SRVGRP_REMARK'})))
+- {
+- $errormessage.=$Lang::tr{'fwhost err remark'}."<br>";
+- }
+ #check empty selectbox
+ if (keys %customservice lt 1)
+ {
+@@ -1900,7 +1925,6 @@ sub reread_rules
+ }
+
+ }
+-
+ sub decrease
+ {
+ my $grp=$_[0];
+@@ -2006,6 +2030,24 @@ sub validhostname
+ return 0;}
+ return 1;
+ }
+-
++sub validremark
++{
++ # Checks a hostname against RFC1035
++ my $remark = $_[0];
++ # Each part should be at least two characters in length
++ # but no more than 63 characters
++ if (length ($remark) < 1 || length ($remark) > 255) {
++ return 0;}
++ # Only valid characters are a-z, A-Z, 0-9 and -
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) {
++ return 0;}
++ # First character can only be a letter or a digit
++ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
++ return 0;}
++ # Last character can only be a letter or a digit
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) {
++ return 0;}
++ return 1;
++}
+ &Header::closebigbox();
+ &Header::closepage();
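Review bot: The character class in `validremark` contains `\s` and the patterns end in `$`, so line breaks are accepted inside a remark, and the last-character test `/^[...]*$/` also passes for a lone newline because `*` may match nothing and `$` matches before a final newline. Remarks are written with `writehasharray`, whose on-disk format is not shown here but appears to be one record per line, so I would anchor with `\A` and `\z` and allow only a literal space: `if ($remark !~ /\A[a-zäöüA-ZÖÄÜ0-9-.:;_\/ ]*\z/) {`, with `\A[...]\z` and no `*` for the first and last character tests. The three comments are copied from `validhostname` and describe neither the 1–255 length limit nor the real character set; they should say that this validates a free-text remark. The copy of this function in forwardfw.cgi (patch 106) has the same pattern. The remark check deleted from `checkservicegroup` in this patch is not replaced by a `validremark` call for `SRVGRP_REMARK` in any visible hunk.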
+--
+1.7.10.4
+
--- /dev/null
+From a7da136e5dac451a3aa565882e60d93d6ce0cbb1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 15 Feb 2013 06:21:00 +0100
+Subject: [PATCH 103/302] Forward Firewall: Changed "apply" button to be more
+ eye-catching (red font) also some minor bugfixes
+ (The last entry in a used group can not be deleted)
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ html/cgi-bin/fwhosts.cgi | 17 +++++++++++++++--
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 9f89fe7..2e783ce 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -552,7 +552,7 @@ sub addrule
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+ if (-f "${General::swroot}/forward/reread"){
+- print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'>$Lang::tr{'fwhost reread'}</td>";
++ print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td>";
+ }
+ print"</tr></table></form><hr>";
+
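Review bot: `font-face` is not a CSS property, so browsers ignore that declaration and only the colour and weight take effect; if a typeface is wanted the attribute should read `style='font-family: Comic Sans MS; color: red; font-weight: bold;'`. The identical string is added to the reread button in the fwhosts.cgi hunk of this patch. A shared CSS class would keep the two buttons consistent.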
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index c45b0de..c1229b3 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1055,7 +1055,7 @@ END
+
+
+ if (-f "${General::swroot}/fwhosts/reread"){
+- print "</tr><tr><td colspan='6'><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}'>$Lang::tr{'fwhost reread'}</td>";
++ print "</tr><tr><td colspan='6'><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;' >$Lang::tr{'fwhost reread'}</td>";
+ }
+ print"</tr></table></form>";
+
+@@ -1437,6 +1437,7 @@ sub viewtablegrp
+ my $grpname;
+ my $remark;
+ my $number;
++ my $delflag;
+ if (!keys %customgrp)
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+@@ -1444,6 +1445,17 @@ sub viewtablegrp
+ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
++ $delflag='0';
++ foreach my $key1 (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
++ if ($customgrp{$key}[0] eq $customgrp{$key1}[0])
++ {
++ $delflag++;
++ }
++ #if($delflag > 0){
++ #last;
++ #}
++
++ }
+ $number=1;
+ if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};}
+ $grpname=$customgrp{$key}[0];
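Review bot: The member count is computed by sorting every key of `%customgrp` twice for each group and then walking the result, although the order has no effect on a count. One line does the same work: `$delflag = grep { $customgrp{$_}[0] eq $customgrp{$key}[0] } keys %customgrp;`, which also makes the commented-out `last` block unnecessary. The same loop is added to viewtableservicegrp in patch 104. A short comment that `$delflag` holds the number of members in the current group would help, since the name suggests a boolean.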
+@@ -1459,6 +1471,7 @@ sub viewtablegrp
+ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='remark' value='$remark' ><input type='hidden' name='ACTION' value='editgrp'></form>";
+ print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td></tr>";
+ }
++
+ if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count %2 == 0){
+@@ -1479,7 +1492,7 @@ sub viewtablegrp
+ }else{
+ print"<td>$ip</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+- if ($number > 1 && $ip ne ''){
++ if ($delflag > '1' && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
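Review bot: The rule that the last member cannot be deleted is enforced here only by leaving out the image button; the form with `ACTION=deletegrphost` and the `delhost` value is still printed for that row, so the server will receive and act on the request if it is sent. The deletegrphost handler, which is outside this hunk, should count the remaining members of the group and refuse the delete when only one is left. The same applies to the delgrpservice form changed in patch 104. `$delflag > '1'` compares numerically, so the literal is clearer as `1` without quotes.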
+--
+1.7.10.4
+
--- /dev/null
+From 4d6c719bb5fbde69298b491458dd7f2e6c0eb7b5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 15 Feb 2013 08:15:51 +0100
+Subject: [PATCH 104/302] Forward Firewall: Last rule in servicegroup is not
+ deletable if group is used
+
+---
+ html/cgi-bin/fwhosts.cgi | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index c1229b3..6db7046 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1451,10 +1451,9 @@ sub viewtablegrp
+ {
+ $delflag++;
+ }
+- #if($delflag > 0){
+- #last;
+- #}
+-
++ if($delflag > 1){
++ last;
++ }
+ }
+ $number=1;
+ if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};}
+@@ -1555,6 +1554,7 @@ sub viewtableservicegrp
+ my $helper;
+ my $port;
+ my $protocol;
++ my $delflag;
+ if (! -z $configsrvgrp){
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+@@ -1563,6 +1563,16 @@ sub viewtableservicegrp
+ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
++ $delflag=0;
++ foreach my $key1 (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){
++ if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0])
++ {
++ $delflag++;
++ }
++ if($delflag > 1){
++ last;
++ }
++ }
+ $grpname=$customservicegrp{$key}[0];
+ if ($customservicegrp{$key}[2] eq "none"){
+ $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'};
+@@ -1595,7 +1605,7 @@ sub viewtableservicegrp
+ }
+ }
+ print"<td align='center'>$port</td><td align='center'>$protocol</td><td width='1%'><form method='post'>";
+- if ($number gt '1'){
++ if ($delflag > '1'){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+ print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
+--
+1.7.10.4
+
--- /dev/null
+From 36c8f9a07b52bf0433dc6fa299e027fd7245cdb7 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 15 Feb 2013 13:24:34 +0100
+Subject: [PATCH 105/302] Forward Firewall: When editing a group and deleting
+ an entry, the next mode is also update
+
+---
+ html/cgi-bin/fwhosts.cgi | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 6db7046..d39fe12 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -852,6 +852,8 @@ if ($fwhostsettings{'ACTION'} eq 'delhost')
+ }
+ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ {
++ my $grpremark;
++ my $grpname;
+ &General::readhasharray("$configgrp", \%customgrp);
+ foreach my $key (keys %customgrp){
+ if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){
+@@ -876,11 +878,17 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ }
+ &General::writehasharray("$confighost", \%customhost);
+ }
++ $grpname=$customgrp{$key}[0];
++ $grpremark=$customgrp{$key}[1];
+ delete $customgrp{$key};
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+ &rules;
++ if ($fwhostsettings{'update'} eq 'on'){
++ $fwhostsettings{'remark'}= $grpremark;
++ $fwhostsettings{'grp_name'}=$grpname;
++ }
+ &addgrp;
+ &viewtablegrp;
+ }
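Review bot: `$grpname` and `$grpremark` are assigned only when an entry matches `delhost`, so a request that matches nothing leaves both undefined, and with `update=on` they are then copied into `grp_name` and `remark`, putting `addgrp` into edit mode for a group with no name. Guarding the copy avoids that: `if ($fwhostsettings{'update'} eq 'on' && defined $grpname){`. `writehasharray` and `&rules` also run when nothing was deleted and could be skipped in that case. The delgrpservice hunk below follows the same pattern with `SRVGRP_NAME` and `SRVGRP_REMARK`. The handler starts outside this hunk.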
+@@ -934,6 +942,8 @@ if ($fwhostsettings{'ACTION'} eq 'delservicegrp')
+ }
+ if ($fwhostsettings{'ACTION'} eq 'delgrpservice')
+ {
++ my $grpname;
++ my $grpremark;
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $key (keys %customservicegrp){
+@@ -947,11 +957,18 @@ if ($fwhostsettings{'ACTION'} eq 'delgrpservice')
+ }
+ }
+ &General::writehasharray("$configsrv", \%customservice);
+- delete $customservicegrp{$key}
++ $grpname=$customservicegrp{$key}[0];
++ $grpremark=$customservicegrp{$key}[1];
++ delete $customservicegrp{$key};
+ }
+ }
+ &General::writehasharray("$configsrvgrp", \%customservicegrp);
+ &rules;
++ if ($fwhostsettings{'updatesrvgrp'} eq 'on'){
++ #$fwhostsettings{'updatesrvgrp'}='on';
++ $fwhostsettings{'SRVGRP_NAME'}=$grpname;
++ $fwhostsettings{'SRVGRP_REMARK'}=$grpremark;
++ }
+ &addservicegrp;
+ &viewtableservicegrp;
+
+@@ -1451,7 +1468,7 @@ sub viewtablegrp
+ {
+ $delflag++;
+ }
+- if($delflag > 1){
++ if($delflag > 0){
+ last;
+ }
+ }
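Review bot: With the threshold lowered to `> 0` the counting loop stops at the first matching key, so `$delflag` can never exceed 1. The unchanged test `if ($delflag > '1' && $ip ne '')` in the next hunk is then never true and the delete icon stops appearing for every host-group member. The loop needs to stay at `if($delflag > 1){` (the form introduced in patch 104), or the display test has to change with it. The loop's enclosing `foreach` starts outside this hunk.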
+@@ -1494,7 +1511,7 @@ sub viewtablegrp
+ if ($delflag > '1' && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+- print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
++ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='update' value='$fwhostsettings{'update'}'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
+
+ $helper=$customgrp{$key}[0];
+ $number++;
+@@ -1554,7 +1571,6 @@ sub viewtableservicegrp
+ my $helper;
+ my $port;
+ my $protocol;
+- my $delflag;
+ if (! -z $configsrvgrp){
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+@@ -1605,10 +1621,10 @@ sub viewtableservicegrp
+ }
+ }
+ print"<td align='center'>$port</td><td align='center'>$protocol</td><td width='1%'><form method='post'>";
+- if ($delflag > '1'){
++ if ($number gt '1'){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+- print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
++ print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='delsrvfromgrp' value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>";
+ $helper=$customservicegrp{$key}[0];
+ }
+ print"</table>";
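Review bot: `$number gt '1'` is a string comparison, where the line it replaces used the numeric `>`; write `if ($number > 1){`. Against the one-character string `'1'` the two happen to agree for plain non-negative integers, but the operator hides the intent and stops agreeing as soon as the threshold changes. `$number` is neither declared nor incremented in the visible part of `viewtableservicegrp`, so please confirm it is counted per service group there and is not a value left over from `viewtablegrp`.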
+--
+1.7.10.4
+
--- /dev/null
+From 7a7120683f53a48a936448c7ce8c321857659e49 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 15 Feb 2013 13:28:27 +0100
+Subject: [PATCH 106/302] Forward Firewall: ; is now allowed in Ruleremark
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 2e783ce..ce2aed9 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1642,7 +1642,7 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:_\/\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
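Review bot: The check is anchored with `^…$` and the class still contains `\s`, so a remark with an embedded or trailing newline passes, and this change admits `;` as well. If remarks are written to the line-based rule files that `readhasharray` parses, or ever reach a string-form `system()` call the way the rule fields in rules.pl do (neither is visible in this hunk), both characters act as separators there. I would anchor with `\A…\z` and allow a literal space instead of `\s`: `if ($remark !~ /\A[a-zäöüA-ZÖÄÜ0-9.:;_\/ -]*\z/) {`. The comment above it (`Only valid characters are a-z, A-Z, 0-9 and -`) no longer matches the class and should list the full set. `validremark` continues outside the hunk.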
+--
+1.7.10.4
+
--- /dev/null
+From 85ac90139fc65e7c67430672b8561398d64aa165 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 17 Feb 2013 06:34:39 +0100
+Subject: [PATCH 107/302] Forward Firewall: savepoint 1. Trying to add
+ OUTGOING to the firewall. actual working:
+
+Create OUTGOING Rules, change external access or foward rules to outgoing ones.
+Missing: rules.pl need to be updated
+---
+ config/cfgroot/general-functions.pl | 19 +-----
+ html/cgi-bin/forwardfw.cgi | 113 ++++++++++++++++++++++++++++++-----
+ html/cgi-bin/fwhosts.cgi | 1 +
+ 3 files changed, 102 insertions(+), 31 deletions(-)
+
+diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
+index d769790..2c3e566 100644
+--- a/config/cfgroot/general-functions.pl
++++ b/config/cfgroot/general-functions.pl
+@@ -66,6 +66,9 @@ sub setup_default_networks
+ $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
+ }
++
++ #IPFire himself
++ $defaultNetworks->{'IPFire'}{'NAME'} = "IPFire";
+
+ # OpenVPN
+ if(-e "${General::swroot}/ovpn/settings")
+@@ -97,22 +100,6 @@ sub setup_default_networks
+ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
+ }
+ }
+- #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+- #my @current = <FILE>;
+- #close(FILE);
+- #my $ctr = 0;
+- #foreach my $line (@current)
+- #{
+- #if ($line ne ''){
+- #chomp($line);
+- #my @temp = split(/\,/,$line);
+- #if ($temp[2] eq '') {
+- #$temp[2] = "Alias $ctr : $temp[0]";
+- #}
+- #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+- #$ctr++;
+- #}
+- #}
+ }
+ sub get_aliases
+ {
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index ce2aed9..fc1d2b5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -27,7 +27,7 @@
+ # Now that the ccd extension is ready i am able to develop the main request. #
+ # Any feedback is appreciated. #
+ # #
+-# #
++#Copymaster #
+ ###############################################################################
+
+ use strict;
+@@ -45,6 +45,7 @@ unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/f
+ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); }
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+
+ my %fwdfwsettings=();
+ my %selected=() ;
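Review bot: The added `system("touch ${General::swroot}/forward/outgoing")` goes through the shell and its exit status is ignored, so a failed create only shows up later when the file is read. The list form avoids the shell and lets the result be tested: `system('touch', "${General::swroot}/forward/outgoing") == 0 or $errormessage = $!;` (how the page reports the failure is up to the author). The three context lines above use the same pattern and could be changed together.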
+@@ -60,6 +61,7 @@ my %customnetwork=();
+ my %ccdhost=();
+ my %configfwdfw=();
+ my %configinputfw=();
++my %configoutgoingfw=();
+ my %ipsecconf=();
+ my %color=();
+ my %mainsettings=();
+@@ -69,6 +71,7 @@ my %ovpnsettings=();
+ my %ipsecsettings=();
+ my %aliases=();
+ my @p2ps = ();
++
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -81,6 +84,7 @@ my $configipsec = "${General::swroot}/vpn/config";
+ my $configipsecrw = "${General::swroot}/vpn/settings";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
++my $configoutgoing = "${General::swroot}/forward/outgoing";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+ my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $errormessage='';
+@@ -110,27 +114,39 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ {
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
++ &General::readhasharray("$configinput", \%configoutgoingfw);
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
++
+ #check if we change an forward rule to an external access
+ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- $fwdfwsettings{'updatefwrule'}='';
+- $fwdfwsettings{'config'}=$configfwdfw;
+- $fwdfwsettings{'nobase'}='on';
+- &deleterule;
+- &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ &changerule($configfwdfw);
+ }
+- #check if we change an external access rule to an forward
++ #check if we change an forward rule to an outgoing
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configfwdfw);
++ }
++ #check if we change an external access rule to a forward
+ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- $fwdfwsettings{'updatefwrule'}='';
+- $fwdfwsettings{'config'}=$configinput;
+- $fwdfwsettings{'nobase'}='on';
+- &deleterule;
+- &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }
++ &changerule($configinput);
++ }
++ #check if we change an external access rule to a outgoing
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configinput);
++ }
++ #check if we change an outgoing rule to a forward
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ }
++ #check if we change an outgoing rule to a external access
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ }
++ #check if we try to break rules
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
++ $errormessage.=$Lang::tr{'fwdfw err same'};
++ }
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire'){
+ $fwdfwsettings{'config'}=$configinput;
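Review bot: `&General::readhasharray("$configinput", \%configoutgoingfw);` loads the external-access file into the outgoing hash, so `findhasharraykey` and the duplicate checks in the new OUTGOING branch run against INPUT rules; it should read `"$configoutgoing"`. Separately, the `changerule` calls run before the `fwdfw err same` check and before the branch-specific validation, and `changerule` calls `deleterule`, so an edit that is rejected afterwards may already have removed the original rule. Consider running the chain change only once `$errormessage` is known to be empty. The `saverule` block starts and ends outside the hunk.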
+@@ -205,6 +221,59 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
++ }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){
++ $fwdfwsettings{'config'}=$configoutgoing;
++ $fwdfwsettings{'chain'} = 'OUTGOINGFW';
++ my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
++ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
++ foreach my $key (sort keys %configoutgoingfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage='';
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
++ }
++ }
++ }
++ #check Rulepos on new Rule
++ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ $fwdfwsettings{'oldrulenumber'}=$maxkey;
++ foreach my $key (sort keys %configoutgoingfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ }
++ #check if we just close a rule
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
++ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $fwdfwsettings{'nosave2'} = 'on';
++ $errormessage='';
++ }
++ }
++ #increase counters
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++ if ($fwdfwsettings{'nobase'} eq 'on'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++ if ($fwdfwsettings{'nosave2'} ne 'on'){
++ &saverule(\%configoutgoingfw,$configoutgoing);
++ }
+ }else{
+ #FORWARD PART
+ $fwdfwsettings{'config'}=$configfwdfw;
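Review bot: The 26-field comparison string is written out twice in this branch (update check and new-rule check) and silently skips indexes 1 and 16 of the stored rule. Joining the form fields once and comparing against `join(',', @{$configoutgoingfw{$key}}[0,2..15,17..27])` would keep the two checks from drifting apart. At minimum add a comment such as `# index 1 (chain) and 16 (remark) are not part of the duplicate check`; index 1 being the chain matches its use in rules.pl, the meaning of index 16 is inferred and should be confirmed. The enclosing `saverule` block extends beyond the hunk.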
+@@ -405,6 +474,18 @@ if ($fwdfwsettings{'ACTION'} eq '')
+ &base;
+ }
+ ### Functions ####
++sub changerule
++{
++ my $oldchain=shift;
++ $fwdfwsettings{'updatefwrule'}='';
++ $fwdfwsettings{'config'}=$oldchain;
++ $fwdfwsettings{'nobase'}='on';
++ &deleterule;
++ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++}
++
++
+ sub pos_up
+ {
+ my %uphash=();
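Review bot: `changerule` has no header comment, and its parameter is named `$oldchain` although every caller passes a config file path (`$configfwdfw`, `$configinput`, `$configoutgoing`). It works entirely through the global `%fwdfwsettings`, and clearing `updatefwrule` there is what keeps the later `changerule` conditions in the caller from firing a second time. I would rename the local to `$oldconfig` and add a comment along the lines of `# Delete the rule from the file it used to live in and clear 'updatefwrule' so the caller stores it in the new chain.`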
+@@ -1233,6 +1314,7 @@ END
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
++ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+@@ -1728,6 +1810,7 @@ sub viewtablerule
+ &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
+ &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
++ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ }
+ sub viewtablenew
+ {
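Review bot: The new table title is the literal `"Outgoing"`, while the line directly above takes its title from `$Lang::tr{'external access'}`, so this heading stays English in every UI language. Use a `$Lang::tr{…}` entry here and add the key to the language files in the same commit.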
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index d39fe12..1f85135 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1571,6 +1571,7 @@ sub viewtableservicegrp
+ my $helper;
+ my $port;
+ my $protocol;
++ my $delflag;
+ if (! -z $configsrvgrp){
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'});
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+--
+1.7.10.4
+
--- /dev/null
+From c00192984f65b27c815fa8983ed03831ae7d2a30 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 17 Feb 2013 07:03:43 +0100
+Subject: [PATCH 108/302] Forward Firewall: Savepoint2.MOved checks if rule
+ has changed to function saverule to take care that
+ rules are only deleted if there's no error
+
+---
+ html/cgi-bin/forwardfw.cgi | 52 +++++++++++++++++++++-----------------------
+ 1 file changed, 25 insertions(+), 27 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index fc1d2b5..386e02d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -118,31 +118,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+-
+- #check if we change an forward rule to an external access
+- if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configfwdfw);
+- }
+- #check if we change an forward rule to an outgoing
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configfwdfw);
+- }
+- #check if we change an external access rule to a forward
+- if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
+- }
+- #check if we change an external access rule to a outgoing
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
+- }
+- #check if we change an outgoing rule to a forward
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configoutgoing);
+- }
+- #check if we change an outgoing rule to a external access
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configoutgoing);
+- }
+ #check if we try to break rules
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+@@ -222,6 +197,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){
++ # OUTGOING PART
+ $fwdfwsettings{'config'}=$configoutgoing;
+ $fwdfwsettings{'chain'} = 'OUTGOINGFW';
+ my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
+@@ -484,8 +460,6 @@ sub changerule
+ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+-
+-
+ sub pos_up
+ {
+ my %uphash=();
+@@ -1561,6 +1535,30 @@ sub saverule
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+ if (!$errormessage){
++ #check if we change an forward rule to an external access
++ if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configfwdfw);
++ }
++ #check if we change an forward rule to an outgoing
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configfwdfw);
++ }
++ #check if we change an external access rule to a forward
++ if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configinput);
++ }
++ #check if we change an external access rule to a outgoing
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configinput);
++ }
++ #check if we change an outgoing rule to a forward
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ }
++ #check if we change an outgoing rule to a external access
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
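Review bot: These six independent `if` blocks only behave as a first-match chain because `changerule` clears `$fwdfwsettings{'updatefwrule'}`, which every later condition tests; nothing in the hunk says so. Writing them as `if … elsif …` would make the intent explicit. A comment before the block should also state that after a chain change the rule falls into the `updatefwrule ne 'on'` branch below and is stored as a new rule, e.g. `# changerule() clears 'updatefwrule', so a moved rule is appended to the new chain below`. `saverule` starts and ends outside the hunk.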
+--
+1.7.10.4
+
--- /dev/null
+From 8b9883e0557dc743a2b0bd5b33a08e787cb79363 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 17 Feb 2013 13:58:35 +0100
+Subject: [PATCH 109/302] Forward Firewall: First part of adding OUTGOING to
+ th efirewall
+
+---
+ config/forwardfw/firewall-forward-policy | 24 ----------
+ config/forwardfw/firewall-lib.pl | 2 +
+ config/forwardfw/firewall-policy | 39 ++++++++++++++++
+ config/forwardfw/rules.pl | 16 ++++---
+ config/rootfiles/common/stage2 | 2 +-
+ html/cgi-bin/forwardfw.cgi | 71 +++++++++++++++++++-----------
+ html/cgi-bin/optionsfw.cgi | 10 +++++
+ langs/de/cgi-bin/de.pl | 9 ++--
+ langs/en/cgi-bin/en.pl | 6 ++-
+ lfs/configroot | 2 +-
+ src/initscripts/init.d/firewall | 10 +++--
+ 11 files changed, 126 insertions(+), 65 deletions(-)
+ delete mode 100755 config/forwardfw/firewall-forward-policy
+ create mode 100755 config/forwardfw/firewall-policy
+
+diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy
+deleted file mode 100755
+index aec71e2..0000000
+--- a/config/forwardfw/firewall-forward-policy
++++ /dev/null
+@@ -1,24 +0,0 @@
+-#!/bin/sh
+-
+-eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+-eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+-
+-iptables -F POLICY
+-
+-if [ "$POLICY" == "MODE1" ]; then
+-
+- if [ "$FWPOLICY" == "REJECT" ]; then
+- if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+- fi
+- /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+- fi
+- if [ "$FWPOLICY" == "DROP" ]; then
+- if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+- fi
+- /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
+- fi
+-fi
+-
+-
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+index eb84c4a..9f80685 100755
+--- a/config/forwardfw/firewall-lib.pl
++++ b/config/forwardfw/firewall-lib.pl
+@@ -221,6 +221,8 @@ sub get_std_net_ip
+ return "$ovpnsettings{'DOVPN_SUBNET'}";
+ }elsif($val =~ /IPsec/i){
+ return "$ipsecsettings{'RW_NET'}";
++ }elsif($val eq 'IPFire'){
++ return ;
+ }
+ }
+ sub get_net_ip
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+new file mode 100755
+index 0000000..e96278a
+--- /dev/null
++++ b/config/forwardfw/firewall-policy
+@@ -0,0 +1,39 @@
++#!/bin/sh
++
++eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
++eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
++
++iptables -F POLICYFWD
++iptables -F POLICYOUT
++
++
++if [ "$POLICY" == "MODE1" ]; then
++ if [ "$FWPOLICY" == "REJECT" ]; then
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
++ fi
++ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
++ fi
++ if [ "$FWPOLICY" == "DROP" ]; then
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ fi
++ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
++ fi
++fi
++if [ "$POLICY1" == "MODE1" ]; then
++ /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
++ if [ "$FWPOLICY1" == "REJECT" ]; then
++ if [ "$DROPOUTGOING" == "on" ]; then
++ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
++ fi
++ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
++ fi
++ if [ "$FWPOLICY1" == "DROP" ]; then
++ if [ "$DROPOUTGOING" == "on" ]; then
++ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
++ fi
++ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++ fi
++fi
++
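Review bot: Both `eval $(/usr/local/bin/readhash …)` lines execute the contents of settings files as shell code, unquoted, and `forward/settings` is written by the web interface through `writehash` in forwardfw.cgi. Unless `readhash` strictly validates keys and values, which is not visible here, whatever ends up in those files is interpreted by this script; quote the substitution (`eval "$(/usr/local/bin/readhash /var/ipfire/forward/settings)"`) and confirm what `readhash` filters. The script also appends the ESTABLISHED,RELATED rule to `OUTGOINGFW` on every run while flushing only `POLICYFWD` and `POLICYOUT`, so it relies on the caller having flushed `OUTGOINGFW` first. Under `#!/bin/sh` the tests should use `=` rather than `==`.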
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 44ad35e..7d03432 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -42,6 +42,7 @@ our %sourcehash=();
+ our %targethash=();
+ my @timeframe=();
+ my %configinputfw=();
++my %configoutgoingfw=();
+ my %aliases=();
+ my @DPROT=();
+ my @p2ps=();
+@@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";
+
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
++my $configoutgoing = "${General::swroot}/forward/outgoing";
+ my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $configgrp = "${General::swroot}/fwhosts/customgroups";
+ my $netsettings = "${General::swroot}/ethernet/settings";
+@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
+ &General::readhash("$netsettings", \%defaultNetworks);
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
++&General::readhasharray($configoutgoing, \%configoutgoingfw);
+ &General::readhasharray($configgrp, \%customgrp);
+ &General::get_aliases(\%aliases);
+
+@@ -95,7 +98,7 @@ if($param eq 'flush'){
+ if($MODE eq '0'){
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+ &p2pblock;
+- system ("/usr/sbin/firewall-forward-policy");
++ system ("/usr/sbin/firewall-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+@@ -117,7 +120,7 @@ if($param eq 'flush'){
+
+ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+- system ("/usr/sbin/firewall-forward-policy");
++ system ("/usr/sbin/firewall-policy");
+ }
+ }
+ }
+@@ -125,6 +128,7 @@ sub flush
+ {
+ system ("iptables -F FORWARDFW");
+ system ("iptables -F INPUTFW");
++ system ("iptables -F OUTGOINGFW");
+ }
+ sub preparerules
+ {
+@@ -134,6 +138,9 @@ sub preparerules
+ if (! -z "${General::swroot}/forward/input"){
+ &buildrules(\%configinputfw);
+ }
++ if (! -z "${General::swroot}/forward/outgoing"){
++ &buildrules(\%configoutgoingfw);
++ }
+ }
+ sub buildrules
+ {
+@@ -160,7 +167,6 @@ sub buildrules
+ }
+ }
+ }elsif($$hash{$key}[5] eq 'ipfire'){
+-
+ if($$hash{$key}[6] eq 'Default IP'){
+ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ $targethash{$key}[0]= <FILE>;
+@@ -217,7 +223,7 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
++ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
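Review bot: The added `$sourcehash{$a}[0] ne ''` test (here and in the matching `system` branch in the next hunk) only skips the assignment of `$STAG`; it does not clear a `-s` left over from an earlier rule, and where `$STAG` is initialised lies outside the hunk. Please confirm it is reset per rule. The line also deserves a comment explaining why the source can be empty, e.g. `# source 'IPFire' has no address (OUTGOINGFW): emit no -s`; that reason is inferred from the `IPFire` branch added to `get_std_net_ip` in this commit.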
+@@ -237,7 +243,7 @@ sub buildrules
+ foreach my $b (sort keys %targethash){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
++ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ if ($$hash{$key}[17] eq 'ON'){
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ }
+diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
+index 439e89a..828d1b7 100644
+--- a/config/rootfiles/common/stage2
++++ b/config/rootfiles/common/stage2
+@@ -108,7 +108,7 @@ usr/local/bin/update-lang-cache
+ #usr/local/src
+ #usr/sbin
+ usr/sbin/ovpn-ccd-convert
+-usr/sbin/firewall-forward-policy
++usr/sbin/firewall-policy
+ usr/sbin/convert-xtaccess
+ usr/sbin/convert-outgoingfw
+ #usr/share
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 386e02d..460a08c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups";
+ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
+ {
+ my $MODE = $fwdfwsettings{'POLICY'};
++ my $MODE1 = $fwdfwsettings{'POLICY1'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'} = "$MODE";
++ $fwdfwsettings{'POLICY1'} = "$MODE1";
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+ }
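Review bot: `$fwdfwsettings{'POLICY1'}` is copied into `forward/settings` exactly as received, with no check that it is one of the two values the rest of the code knows (`MODE1`, `MODE2`). That file is later read by `firewall-policy` through `eval $(readhash …)`, so the value should be constrained before `writehash`, for example `$MODE1 = '' unless $MODE1 =~ /\A(?:MODE1|MODE2)\z/;`, or rejected with an error message. The existing `POLICY` line above would benefit from the same check. That the hash is populated from the submitted form is assumed; the code doing so is outside the hunk.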
+@@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ {
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+- &General::readhasharray("$configinput", \%configoutgoingfw);
++ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+@@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ #check Rulepos on new Rule
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ print"CHECK OUTGOING DOPPELTE REGEL<br>";
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configoutgoingfw){
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
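Review bot: `print"CHECK OUTGOING DOPPELTE REGEL<br>";` is debugging output left in the new-rule path; it is written to the response for every new outgoing rule with a position, and depending on where the page header is emitted it may land ahead of it. Drop the line, or keep the intent as an English comment (`# check for a duplicate outgoing rule`) in the style of the disabled `#print` lines earlier in this block.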
+@@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++ my $MODE1=$fwdfwsettings{'POLICY1'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'}='MODE2';
++ $fwdfwsettings{'POLICY1'}=$MODE1;
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ &reread_rules;
++
++}
++if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
++{
++ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
++ foreach my $key (sort keys %configoutgoingfw){
++ &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
++ &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
++ &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,);
++ }
++ system("rm ${General::swroot}/forward/outgoing");
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
++ my $MODE=$fwdfwsettings{'POLICY'};
++ %fwdfwsettings = ();
++ $fwdfwsettings{'POLICY'}=$MODE;
++ $fwdfwsettings{'POLICY1'}='MODE2';
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+
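Review bot: The new `resetoutgoing` branch removes and recreates the rule file with `system("rm …")` and `system("touch …")` and never checks the result, so a failed delete leaves the old outgoing rules on disk while the settings are reset and the rules reloaded. Perl built-ins avoid the shell and make the failure visible: `unlink "${General::swroot}/forward/outgoing";` followed by `open(my $fh, '>', "${General::swroot}/forward/outgoing") or $errormessage = "$!";`. The first `writehash` call in the branch stores the submitted form hash, `ACTION` included, and is overwritten a few lines later, so it looks removable. The `&checkcounter(…,,)` calls carry two empty trailing arguments that could be dropped. The closing brace of the branch is outside this hunk.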
+@@ -578,6 +602,8 @@ sub base
+ {
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+ &hint;
+ &addrule;
+ &p2pblock;
+@@ -585,8 +611,8 @@ sub base
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
++ <tr><td colspan='3' style='font-weight:bold;color:red;'>FORWARD </td></tr>
+ <tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
+-
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+@@ -596,6 +622,21 @@ print <<END;
+ END
+ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
+ print "</table></form>";
++ print"<br><br>";
++ print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <table width='100%' border='0'>
++ <tr><td colspan='3' style='font-weight:bold;color:red;'>OUTGOING </td></tr>
++ <tr><td colspan='3'>$Lang::tr{'fwdfw pol text1'}</td></tr>
++ <tr><td colspan='3'><hr /></td></tr>
++ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
++ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
++ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
++ <td width='45%' align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form>
++ <td width='45%' align='left'>
++END
++ print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' />";
++ print "</table></form>";
+ &Header::closebox();
+ }
+ sub addrule
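Review bot: The OUTGOING policy block emits mismatched markup. The `</form>` after the save button closes the form while its row and cell are still open, a second form is opened inside the next cell, and the trailing `</table></form>` closes them in the wrong order, so which `ACTION` value the reset button submits depends on browser error recovery. Giving each cell its own complete `<form>…</form>`, or using one form with two submit buttons, removes the ambiguity. The reset button discards every outgoing rule on a single click, so a confirmation step would be a reasonable addition. The `OUTGOING` heading here and the `FORWARD` heading added in the previous hunk are hard-coded rather than taken from `$Lang::tr`.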
+@@ -1805,8 +1846,6 @@ sub viewtablerule
+ {
+
+ &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
+- &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
+- &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ }
+@@ -1818,23 +1857,7 @@ sub viewtablenew
+ my $title1=shift;
+ my $go='';
+ &General::readhasharray("$config", $hash);
+- #check if there are DMZ entries
+- if ($title1 eq 'DMZ'){
+- foreach my $key (keys %$hash){
+- if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last}
+- }
+- }elsif($title1 eq 'WLAN'){
+- foreach my $key (keys %$hash){
+- if ($$hash{$key}[4] eq 'BLUE'){$go='on';last}
+- }
+- }elsif($title1 eq 'Forward'){
+- foreach my $key (keys %$hash){
+- if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last}
+- }
+- }elsif( ! -z $config){
+- $go='on';
+- }
+- if($go ne ''){
++ if( ! -z $config){
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+ my ($gif,$log);
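Review bot: The replacement condition `if( ! -z $config){` is also true when the file does not exist, because `-z` returns undef for a missing path, so the table box is opened for a config file that was never created. `if (-s $config) {` expresses "exists and is not empty" directly. The declaration `my $go='';` kept as context above is no longer used after this change and can be removed. The body of `viewtablenew` continues outside this hunk.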
+@@ -1844,13 +1867,9 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<table width='100%' style='border: 1px solid #000000;' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+- #check if we have a FORWARDFW OR DMZ RULE
+- if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;}
+- if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;}
+- if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;}
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
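Review bot: The new `<table>` tag has a broken `style` attribute: the quote after `#000000;` closes it, so `rules='none';` and the padding declarations that follow are stray text ending in an unmatched quote. Browsers will ignore the padding and may misparse the rest of the tag. One attribute holding all declarations fixes it, for example `print"<table width='100%' style='border: 1px solid #000000; padding: 0px;' rules='none'>";`. The loop body of `viewtablenew` continues outside this hunk.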
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index db4794c..f85c762 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO';
+ $settings{'DROPNEWNOTSYN'} = 'on';
+ $settings{'DROPINPUT'} = 'on';
+ $settings{'DROPFORWARD'} = 'on';
++$settings{'DROPOUTGOING'} = 'on';
+ $settings{'DROPPORTSCAN'} = 'on';
+ $settings{'DROPWIRELESSINPUT'} = 'on';
+ $settings{'DROPWIRELESSFORWARD'} = 'on';
+@@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
+ $checked{'DROPFORWARD'}{'off'} = '';
+ $checked{'DROPFORWARD'}{'on'} = '';
+ $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
++$checked{'DROPOUTGOING'}{'off'} = '';
++$checked{'DROPOUTGOING'}{'on'} = '';
++$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'";
+ $checked{'DROPPORTSCAN'}{'off'} = '';
+ $checked{'DROPPORTSCAN'}{'on'} = '';
+ $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
+@@ -102,6 +106,8 @@ print <<END
+ <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
+ <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>on <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
++ <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
+ <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+@@ -124,6 +130,10 @@ print <<END
+ <option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
+ <option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
+ </td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
++<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
++<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
++</td></tr>
+ </table>
+
+ <br />
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 3fdd635..827d91b 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -734,10 +734,12 @@
+ 'download root certificate' => 'Root-Zertifikat herunterladen',
+ 'dpd action' => 'Aktion für Dead Peer Detection',
+ 'driver' => 'Treiber',
+-'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"',
++'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
++'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+-'drop forward' => 'Verworfene Firewall-Pakete loggen',
++'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
++'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen',
+ 'drop portscan' => 'Verworfene Portscan Pakete loggen',
+ 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
+ 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
+@@ -914,6 +916,7 @@
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+ 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
++'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+@@ -1006,7 +1009,7 @@
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protokoll',
+-'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.',
++'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.',
+ 'fwhost reset' => 'Abbrechen',
+ 'fwhost services' => 'Dienste',
+ 'fwhost srv_name' => 'Dienstname',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 9754e66..95cb111 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -758,7 +758,8 @@
+ 'download root certificate' => 'Download root certificate',
+ 'dpd action' => 'Dead Peer Detection action',
+ 'driver' => 'Driver',
+-'drop action' => 'Default behaviour of firewall in mode "Blocked"',
++'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
++'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+ 'drop forward' => 'Log dropped forward pakets',
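Review bot: The second added line reuses the key `'drop action'`, so the outgoing text replaces the forward text in this hash. As a result `$Lang::tr{'drop action1'}`, which optionsfw.cgi prints in this same commit, stays undefined for English. The line should read `'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',`. The German file also gains `'drop outgoing'`, but none of the hunks shown for en.pl adds it, so an entry such as `'drop outgoing' => 'Log dropped outgoing packets',` (wording to be confirmed) appears to be missing after `'drop forward'`.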
+@@ -938,6 +939,7 @@
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+ 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
++'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+@@ -1031,7 +1033,7 @@
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protocol',
+-'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.',
++'fwhost reread' => 'Firewallrules need to be updated.',
+ 'fwhost reset' => 'Cancel',
+ 'fwhost services' => 'Services',
+ 'fwhost srv_name' => 'Servicename',
+diff --git a/lfs/configroot b/lfs/configroot
+index de9b211..500ada0 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -104,7 +104,7 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
+ cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+- cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
++ cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
+ cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
+ # Oneliner configfiles
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index a22e5f8..0eb5c12 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -153,6 +153,7 @@ case "$1" in
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -N OUTGOINGFWMAC
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
++ /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
+ /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ /sbin/iptables -t nat -N CUSTOMPOSTROUTING
+@@ -289,10 +290,13 @@ case "$1" in
+ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ #POLICY CHAIN
+- /sbin/iptables -N POLICY
+- /sbin/iptables -A FORWARD -j POLICY
++ /sbin/iptables -N POLICYFWD
++ /sbin/iptables -A FORWARD -j POLICYFWD
++ /sbin/iptables -N POLICYOUT
++ /sbin/iptables -A OUTPUT -j POLICYOUT
+
+- /usr/sbin/firewall-forward-policy
++
++ /usr/sbin/firewall-policy
+ ;;
+ startovpn)
+ # run openvpn
+--
+1.7.10.4
+
--- /dev/null
+From ccaa81c4388dd2a62fc675bd31584615c2f5c263 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 17 Feb 2013 21:53:18 +0100
+Subject: [PATCH 110/302] FORWARD Firewall: integrating OUTGOING Firewall Part
+ 2
+
+---
+ langs/de/cgi-bin/de.pl | 4 ++--
+ langs/en/cgi-bin/en.pl | 2 +-
+ lfs/configroot | 3 +++
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 827d91b..b426891 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -915,8 +915,8 @@
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+-'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+-'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
++'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
++'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 95cb111..cc7c424 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -939,7 +939,7 @@
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+ 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+-'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.',
++'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+diff --git a/lfs/configroot b/lfs/configroot
+index 500ada0..47906b0 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -116,8 +116,11 @@ $(TARGET) :
+ echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
++ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+--
+1.7.10.4
+
--- /dev/null
+From 78042fd51b37c4347b8de5dcf4617915706615b8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 05:36:18 +0100
+Subject: [PATCH 111/302] Forward Firewall: Fixed Firewall-options
+ (preselection of new Dropdown) for outgoing
+ firewall default behaviour (DROp/REJECT)
+
+---
+ html/cgi-bin/optionsfw.cgi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index f85c762..b396e3f 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -92,6 +92,8 @@ $checked{'DROPSAMBA'}{'off'} = '';
+ $checked{'DROPSAMBA'}{'on'} = '';
+ $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'";
+ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
++$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
++
+
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
+ print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
+--
+1.7.10.4
+
--- /dev/null
+From dde9c35b4e26b480dd8a06c5cc41a64c69af8c7c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 10:41:19 +0100
+Subject: [PATCH 112/302] Forward Firewall: Finalize integration of OUTGOING
+ into firewall
+
+---
+ config/forwardfw/firewall-policy | 2 +-
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index e96278a..90d8065 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -22,7 +22,7 @@ if [ "$POLICY" == "MODE1" ]; then
+ fi
+ fi
+ if [ "$POLICY1" == "MODE1" ]; then
+- /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
++ /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ if [ "$FWPOLICY1" == "REJECT" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
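Review bot: The `-I OUTGOINGFW 1 … ESTABLISHED,RELATED -j ACCEPT` line adds another copy of the rule on every run of this script in `MODE1`, unless the chain is flushed first, which is not visible here. The init script change in patch 109 already appends the same rule when `OUTGOINGFW` is created, so a duplicate looks likely. If the installed iptables supports `-C`, the insert can be guarded: `/sbin/iptables -C OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT`. A comment explaining why the rule must be first, and which script owns it, would also help. The enclosing `if` block continues outside this hunk.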
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 460a08c..86fed83 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -198,7 +198,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+ #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+- }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire'){
++ }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){
+ # OUTGOING PART
+ $fwdfwsettings{'config'}=$configoutgoing;
+ $fwdfwsettings{'chain'} = 'OUTGOINGFW';
+--
+1.7.10.4
+
--- /dev/null
+From bc70fc6a99b4aebfcdb5141da072e5afc0564a46 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 12:28:30 +0100
+Subject: [PATCH 113/302] Forward Firewall: when creating a second group of
+ services, the cached port and protocol from first
+ group are shown in table
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 1f85135..4b0a112 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1593,6 +1593,8 @@ sub viewtableservicegrp
+ $grpname=$customservicegrp{$key}[0];
+ if ($customservicegrp{$key}[2] eq "none"){
+ $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'};
++ $port='';
++ $protocol='';
+ }
+ $remark="$customservicegrp{$key}[1]";
+ if($count >=2){print"</table>";}
+--
+1.7.10.4
+
--- /dev/null
+From 2776d84a421648630f61643670dcde22b839c7b9 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 16:10:42 +0100
+Subject: [PATCH 114/302] Forward Firewall: Fix 80,81,83 (Forum) Apply Button
+ now on group and rule site remark can be delted -
+ and . are allowed in Hostname
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 ++
+ html/cgi-bin/fwhosts.cgi | 12 +++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 86fed83..6d66222 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2110,6 +2110,7 @@ sub rules
+ {
+ if (!-f "${General::swroot}/forward/reread"){
+ system("touch ${General::swroot}/forward/reread");
++ system("touch ${General::swroot}/fwhosts/reread");
+ }
+ }
+ sub reread_rules
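Review bot: The second flag file is created only inside the test for the first one, so `fwhosts/reread` is touched only when `forward/reread` is absent and the two markers can drift apart. The same coupling appears in the `reread_rules` hunk that follows and in the `rules` and `reread_rules` hunks of fwhosts.cgi in this commit, where `rm` is also run on a file that may not exist. Handling each file independently and without a shell is simpler. For the delete side that would be `unlink "${General::swroot}/forward/reread", "${General::swroot}/fwhosts/reread";`, which is silent for missing files. For the create side, test and create each path on its own.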
+@@ -2117,6 +2118,7 @@ sub reread_rules
+ system("/usr/local/bin/forwardfwctrl");
+ if ( -f "${General::swroot}/forward/reread"){
+ system("rm ${General::swroot}/forward/reread");
++ system("rm ${General::swroot}/fwhosts/reread");
+ }
+ }
+ &Header::closebigbox();
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 4b0a112..ae9383d 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1000,7 +1000,7 @@ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'})
+ if ($fwhostsettings{'ACTION'} eq 'changegrpremark')
+ {
+ &General::readhasharray("$configgrp", \%customgrp);
+- if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && &validremark($fwhostsettings{'newrem'})){
++ if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){
+ foreach my $key (sort keys %customgrp)
+ {
+ #$customgrp{$key}[1]=~ s/\|/,/g;
+@@ -1028,7 +1028,7 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpremark')
+ if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark')
+ {
+ &General::readhasharray("$configsrvgrp", \%customservicegrp );
+- if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && &validremark($fwhostsettings{'newsrvrem'})){
++ if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) || $fwhostsettings{'newsrvrem'} eq '')){
+ foreach my $key (sort keys %customservicegrp)
+ {
+ #$customservicegrp{$key}[1]=~ s/\|/,/g;
+@@ -1468,7 +1468,7 @@ sub viewtablegrp
+ {
+ $delflag++;
+ }
+- if($delflag > 0){
++ if($delflag > 1){
+ last;
+ }
+ }
+@@ -1753,7 +1753,7 @@ sub plausicheck
+
+ my $edit=shift;
+ #check hostname
+- if (!&General::validhostname($fwhostsettings{'HOSTNAME'}))
++ if (!&validhostname($fwhostsettings{'HOSTNAME'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err name'};
+ $fwhostsettings{'BLK_IP'}='readonly';
+@@ -1957,6 +1957,7 @@ sub rules
+ {
+ if (!-f "${General::swroot}/fwhosts/reread"){
+ system("touch ${General::swroot}/fwhosts/reread");
++ system("touch ${General::swroot}/forward/reread");
+ }
+ }
+ sub reread_rules
+@@ -1964,6 +1965,7 @@ sub reread_rules
+ system ("/usr/local/bin/forwardfwctrl");
+ if ( -f "${General::swroot}/fwhosts/reread"){
+ system("rm ${General::swroot}/fwhosts/reread");
++ system("rm ${General::swroot}/forward/reread");
+ }
+
+ }
+@@ -2062,7 +2064,7 @@ sub validhostname
+ if (length ($hostname) < 1 || length ($hostname) > 63) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_()\/\s]*$/) {
++ if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_.;()\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöäüÖÄÜ0-9]*$/) {
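Review bot: The widened character class admits `;` as well as `.`, while the commit subject mentions only `-` and `.`. The context comment `# Only valid characters are a-z, A-Z, 0-9 and -` no longer describes the pattern. The plausicheck hunk above now relies on this local check instead of `&General::validhostname`, so host names reach the config files and the unescaped `value='…'` attributes with whatever this class permits. If a name is ever placed on a shell command line, `;` is a metacharacter, so it should go unless there is a stated need: `if ($hostname !~ /^[a-zA-ZäöüÖÄÜ0-9-_.()\/\s]*$/) {`. The comment could become `# Allowed: letters, digits, whitespace and - _ . ( ) /`. The rest of `validhostname` lies outside this hunk.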
+--
+1.7.10.4
+
--- /dev/null
+From 3b593d222f4f07a8d0b803abf15f98fc6ea63b6f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 21:13:07 +0100
+Subject: [PATCH 115/302] Forward Firewall: added remark field to custom hosts
+ and host table
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ html/cgi-bin/fwhosts.cgi | 51 +++++++++++++++++++++-----------------------
+ 2 files changed, 26 insertions(+), 29 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6d66222..6bcfdc7 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1763,13 +1763,13 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
+ return 0;}
+ # Last character can only be a letter or a digit
+- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) {
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) {
+ return 0;}
+ return 1;
+ }
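Review bot: The comment `# Only valid characters are a-z, A-Z, 0-9 and -` above the first changed pattern is now further from the truth, since the class also admits `| ( )` and the last-character class admits `. : ; _ )`. This whitelist is what keeps quotes and angle brackets out of remarks, which fwhosts.cgi prints into `value='…'` attributes without escaping in this same commit, so the comment should say so. A suggested replacement is `# Allowed: letters, digits, whitespace and - . : ; | _ ( ) / ; quotes and <> stay excluded because remarks are printed into HTML unescaped`. Whether `|` is safe as field content in the hash-array files is not visible here and should be confirmed.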
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index ae9383d..0fbbad9 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -119,7 +119,7 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost')
+ $ip = $customhost{$key}[2];
+ }
+ $fwhostsettings{'orgip'} = $ip;
+- $fwhostsettings{'count'} = $customhost{$key}[3];
++ $fwhostsettings{'count'} = $customhost{$key}[4];
+ delete $customhost{$key};
+ &General::writehasharray("$confighost", \%customhost);
+ }
+@@ -400,6 +400,10 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $errormessage=$Lang::tr{'fwhost err mac'};
+ }
+ }
++ #check remark
++ if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){
++ $errormessage=$Lang::tr{'fwhost err remark'};
++ }
+ #CHECK IP-PART
+ if ($fwhostsettings{'type'} eq 'ip'){
+ #check for subnet
+@@ -426,7 +430,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){
+ $fwhostsettings{'actualize'} = '';
+ my $key = &General::findhasharraykey (\%customhost);
+- foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
++ foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";}
+ $customhost{$key}[0] = $fwhostsettings{'orgname'} ;
+ $customhost{$key}[1] = $fwhostsettings{'type'} ;
+ if($customhost{$key}[1] eq 'ip'){
+@@ -434,7 +438,8 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ }else{
+ $customhost{$key}[2] = $fwhostsettings{'orgip'};
+ }
+- $customhost{$key}[3] = $fwhostsettings{'count'};
++ $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'};
++ $customhost{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confighost", \%customhost);
+ undef %customhost;
+ }
+@@ -480,7 +485,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ }
+ }
+ my $key = &General::findhasharraykey (\%customhost);
+- foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
++ foreach my $i (0 .. 4) { $customhost{$key}[$i] = "";}
+ $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ;
+ $customhost{$key}[1] = $fwhostsettings{'type'} ;
+ if ($fwhostsettings{'type'} eq 'ip'){
+@@ -492,12 +497,14 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $customhost{$key}[2] = $fwhostsettings{'IP'};
+ }
+ if($fwhostsettings{'newhost'} eq 'on'){$count=0;}
+- $customhost{$key}[3] = $count;
++ $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'};
++ $customhost{$key}[4] =$count;
+ &General::writehasharray("$confighost", \%customhost);
+ undef %customhost;
+ $fwhostsettings{'HOSTNAME'}='';
+ $fwhostsettings{'IP'}='';
+ $fwhostsettings{'type'}='';
++ $fwhostsettings{'HOSTREMARK'}='';
+ #check if we need to update rules while host was edited
+ if($needrules eq 'on'){
+ &rules;
+@@ -527,10 +534,6 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ #check remark
+ if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){
+ $errormessage.=$Lang::tr{'fwhost err remark'};
+- $fwhostsettings{'update'} = 'on';
+- $fwhostsettings{'remark'}=$fwhostsettings{'oldremark'};
+- &addgrp;
+- &viewtablegrp;
+ }
+ if ($fwhostsettings{'update'} eq 'on'){
+ #check standard networks
+@@ -667,7 +670,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }elsif($updcounter eq 'host'){
+ foreach my $key (keys %customhost) {
+ if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){
+- $customhost{$key}[3]=$customhost{$key}[3]+1;
++ $customhost{$key}[4]=$customhost{$key}[3]+1;
+ }
+ }
+ &General::writehasharray("$confighost", \%customhost);
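Review bot: The increment on the new line still reads the old slot. `$customhost{$key}[4]=$customhost{$key}[3]+1;` takes index 3, which after this commit holds the host remark, so the usage counter is overwritten with the numeric value of the remark plus one. It should be `$customhost{$key}[4]=$customhost{$key}[4]+1;`, matching the decrement in the `deletegrphost` hunk. A wrong counter matters because the host table offers the delete button only when the counter is 0. The enclosing `savegrp` block starts and ends outside this hunk.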
+@@ -872,7 +875,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ &General::readhasharray("$confighost", \%customhost);
+ foreach my $key1 (keys %customhost){
+ if ($customhost{$key1}[0] eq $customgrp{$key}[2]){
+- $customhost{$key1}[3] = $customhost{$key1}[3]-1;
++ $customhost{$key1}[4] = $customhost{$key1}[4]-1;
+ last;
+ }
+ }
+@@ -884,7 +887,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+- &rules;
++ if ($fwhostsettings{'grpcnt'} > 0){&rules;}
+ if ($fwhostsettings{'update'} eq 'on'){
+ $fwhostsettings{'remark'}= $grpremark;
+ $fwhostsettings{'grp_name'}=$grpname;
+@@ -1114,6 +1117,7 @@ END
+ if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
+ print<<END;
+ </option></select></td><td align='right' width='15%'>IP/MAC:</td><td align='right'><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' size='64'></td></tr>
+ <tr><td colspan='7'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+ <tr><td colspan='7'><hr></hr></td></tr>
+ END
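Review bot: The new input interpolates `$fwhostsettings{'HOSTREMARK'}` straight into a single-quoted `value` attribute with no HTML escaping. The form also appears to be re-rendered after a failed check (the `error eq 'on'` branch of addhost), so a remark that validremark rejected would still be echoed into the page. Escape the value before the here-document, for example with the tree's HTML-cleaning helper (`&Header::cleanhtml`, if this branch carries it). The same applies to the hidden `HOSTREMARK` and the table cell in the viewtablehost hunk, and to the `NETREMARK`, `orgnetremark` and `orgremark` fields added in patches 120 and 122.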
+@@ -1406,7 +1410,7 @@ sub viewtablehost
+ }else{
+ print<<END;
+ <table border='0' width='100%'>
+- <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
+ END
+ }
+ my $count=0;
+@@ -1416,17 +1420,18 @@ END
+ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+- $customhost{$key}[3]=~s/\s+//g;
++ $customhost{$key}[4]=~s/\s+//g;
+ print<<END;
+- <td width='40%'><form method='post'>$customhost{$key}[0]</td><td width='50%'>$ip</td><td align='center'>$customhost{$key}[3]x</td>
++ <td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%'>$ip</td><td width='50%'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+ <input type='hidden' name='IP' value='$ip' />
+ <input type='hidden' name='type' value='$customhost{$key}[1]' />
++ <input type='hidden' name='HOSTREMARK' value='$customhost{$key}[3]' />
+ </td></form>
+ END
+- if($customhost{$key}[3] == '0')
++ if($customhost{$key}[4] == '0')
+ {
+ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delhost' /><input type='hidden' name='key' value='$customhost{$key}[0]' /></td></form></tr>";
+ }else{
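Review bot: Moving the use counter from index 3 to index 4 changes the on-disk layout of the hosts file, and nothing in this hunk handles entries written in the old four-field form. For such an entry the old counter is displayed as the remark and `$customhost{$key}[4]` is empty, which compares equal to 0 and offers the delete button for a host that groups may still reference. Unless a converter elsewhere in the series rewrites existing files, the read path needs a guard for the old layout. The comparison is also clearer written numerically, `if (($customhost{$key}[4] || 0) == 0)`. Patch 120 makes the same shift for `%customnetwork`.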
+@@ -1511,7 +1516,7 @@ sub viewtablegrp
+ if ($delflag > '1' && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+ }
+- print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='update' value='$fwhostsettings{'update'}'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
++ print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='grpcnt' value='$customgrp{$key}[4]'><input type='hidden' name='update' value='$fwhostsettings{'update'}'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>";
+
+ $helper=$customgrp{$key}[0];
+ $number++;
+@@ -1750,7 +1755,6 @@ sub deletefromgrp
+ }
+ sub plausicheck
+ {
+-
+ my $edit=shift;
+ #check hostname
+ if (!&validhostname($fwhostsettings{'HOSTNAME'}))
+@@ -1761,7 +1765,6 @@ sub plausicheck
+ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;}
+ }
+ #check if name collides with CCD Netname
+-
+ &General::readhasharray("$configccdnet", \%ccdnet);
+ foreach my $key (keys %ccdnet) {
+ if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){
+@@ -1771,7 +1774,6 @@ sub plausicheck
+ last;
+ }
+ }
+-
+ #check if IP collides with CCD NetIP
+ if ($fwhostsettings{'type'} ne 'mac'){
+ &General::readhasharray("$configccdnet", \%ccdnet);
+@@ -1786,9 +1788,6 @@ sub plausicheck
+ }
+ }
+ }
+-
+-
+-
+ #check if name collides with CCD Hostname
+ &General::readhasharray("$configccdhost", \%ccdhost);
+ foreach my $key (keys %ccdhost) {
+@@ -1838,8 +1837,6 @@ sub plausicheck
+ {
+ $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err ipcheck'};
+ }
+-
+-
+ return;
+ }
+ sub getipforgroup
+@@ -2083,13 +2080,13 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;_\/\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;()_\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
+ return 0;}
+ # Last character can only be a letter or a digit
+- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) {
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9).]*$/) {
+ return 0;}
+ return 1;
+ }
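Review bot: The widened character class still contains `\s` and the patterns are anchored with `^` and `$`, so validremark accepts a remark containing line breaks, and `$` lets the last-character test pass for a value that ends in a newline. The remark is stored through `&General::writehasharray`, which presumably writes one record per line, so a line break in this field would corrupt or split the stored record. Use a literal space instead of `\s` and anchor with `\A` and `\z`, e.g. `if ($remark !~ /\A[a-zäöüA-ZÖÄÜ0-9-.:;()_\/ ]*\z/) {`, and likewise for the first- and last-character tests. The same patterns are widened again in patch 117 and need the same change. The function starts above this hunk.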
+--
+1.7.10.4
+
--- /dev/null
+From 6a97bd0afc94da5a14d69592a630505c79c28104 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 18 Feb 2013 21:20:51 +0100
+Subject: [PATCH 116/302] Forward Firewall: Fixed typo
+
+---
+ langs/en/cgi-bin/en.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index cc7c424..cc5936b 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -759,7 +759,7 @@
+ 'dpd action' => 'Dead Peer Detection action',
+ 'driver' => 'Driver',
+ 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+-'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
++'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+ 'drop forward' => 'Log dropped forward pakets',
+--
+1.7.10.4
+
--- /dev/null
+From 6e3e14e51904eaddc2d857fac167abbaca4c87e2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 06:29:32 +0100
+Subject: [PATCH 117/302] Forward Firewall: some exentions for remarks
+
+---
+ html/cgi-bin/fwhosts.cgi | 4 ++--
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 0fbbad9..90e1fb3 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -2080,13 +2080,13 @@ sub validremark
+ if (length ($remark) < 1 || length ($remark) > 255) {
+ return 0;}
+ # Only valid characters are a-z, A-Z, 0-9 and -
+- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;()_\/\s]*$/) {
++ if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) {
+ return 0;}
+ # First character can only be a letter or a digit
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
+ return 0;}
+ # Last character can only be a letter or a digit
+- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9).]*$/) {
++ if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) {
+ return 0;}
+ return 1;
+ }
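Review bot: The three comments in validremark no longer describe the checks. The first still says the only valid characters are a-z, A-Z, 0-9 and -, and the last still says the final character must be a letter or a digit although the new pattern also allows `.`, `:`, `;`, `_` and `)`. I would reword them, e.g. `# Allowed: letters incl. umlauts, digits, whitespace and - . : ; | _ ( ) /` and `# Last character: letter, digit or one of . : ; _ )`. The new 'fwhost err remark' texts in de.pl and en.pl also omit `:`, `/` and the space, which the pattern accepts.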
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index b426891..3164294 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -986,7 +986,7 @@
+ 'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben',
+ 'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks',
+ 'fwhost err port' => 'Port muss gefüllt sein',
+-'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich',
++'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 und -_();|.',
+ 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+ 'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits',
+ 'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index cc5936b..5d6e768 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1009,7 +1009,7 @@
+ 'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
+ 'fwhost err partofnet' => 'This network is part of an already existing one',
+ 'fwhost err port' => 'Port is empty',
+-'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus',
++'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 and -_();|.',
+ 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+ 'fwhost err srv exists' => 'A Service with this name already exists',
+ 'fwhost err sub32' => 'Please add single host. This subnet is no network',
+--
+1.7.10.4
+
--- /dev/null
+From f450a663063cf978402e3fa3b3004e38338a630c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 06:34:48 +0100
+Subject: [PATCH 118/302] Forward Firewall: added Policymode for OUTGOING to
+ converterscript
+
+---
+ config/forwardfw/convert-outgoingfw | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index edb1fd0..3c11f92 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -249,6 +249,7 @@ sub process_rules
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){
+ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
++ $fwdsettings{'POLICY1'}='MODE2';
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+ }
+ #open LOG
+--
+1.7.10.4
+
--- /dev/null
+From 492591cf036c6aad0b2870700091f9687f4fb38b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 06:48:00 +0100
+Subject: [PATCH 119/302] Forward Firewall: outgoing converter is now ble to
+ set default policy correctly
+
+---
+ config/forwardfw/convert-outgoingfw | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 3c11f92..f279a6c 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -248,8 +248,8 @@ sub process_rules
+ {
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){
++ if ($outsettings{'POLICY'} eq 'MODE0'){$outsettings{'POLICY'}='MODE2';}
+ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
+- $fwdsettings{'POLICY1'}='MODE2';
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+ }
+ #open LOG
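Review bot: The added line rewrites `$outsettings{'POLICY'}` in place, and only inside the `ne` comparison, so whether the rest of process_rules sees MODE0 or MODE2 depends on whether the two settings files happened to differ. Code after this hunk that branches on `$outsettings{'POLICY'}` would then treat a MODE0 configuration as MODE2 in one case and not in the other. Mapping only the value that is written avoids the side effect: `$fwdsettings{'POLICY'} = ($outsettings{'POLICY'} eq 'MODE0') ? 'MODE2' : $outsettings{'POLICY'};`. The function continues outside the hunk, so the later uses need checking against this.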
+--
+1.7.10.4
+
--- /dev/null
+From a914763ea9952cee625896e8e4daec32fa7bc708 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 15:24:24 +0100
+Subject: [PATCH 120/302] FORWARD FIREWALL: added remark in custom networks
+
+---
+ html/cgi-bin/fwhosts.cgi | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 90e1fb3..5bba69e 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -96,7 +96,8 @@ if ($fwhostsettings{'ACTION'} eq 'updatenet' )
+ $fwhostsettings{'orgname'} = $customnetwork{$key}[0];
+ $fwhostsettings{'orgip'} = $customnetwork{$key}[1];
+ $fwhostsettings{'orgsub'} = $customnetwork{$key}[2];
+- $fwhostsettings{'count'} = $customnetwork{$key}[3];
++ $fwhostsettings{'netremark'} = $customnetwork{$key}[3];
++ $fwhostsettings{'count'} = $customnetwork{$key}[4];
+ delete $customnetwork{$key};
+
+ }
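Review bot: The stored remark is saved under the lower-case key `$fwhostsettings{'netremark'}`, but every other hunk in this patch uses `NETREMARK`, so the value captured here appears never to be read. If it is meant as the original value to restore after a failed update, name it like the neighbouring `orgname`/`orgip`/`orgsub` keys, e.g. `$fwhostsettings{'orgnetremark'} = $customnetwork{$key}[3];`. The error path of savenet can then restore from that key. The updatenet block starts and ends outside this hunk.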
+@@ -230,6 +231,11 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ $fwhostsettings{'NOCHECK'} ='false';
+ $fwhostsettings{'error'} ='on';
+ }
++ #check remark
++ if ($fwhostsettings{'NETREMARK'} ne '' && !&validremark($fwhostsettings{'NETREMARK'})){
++ $errormessage=$Lang::tr{'fwhost err remark'};
++ $fwhostsettings{'error'} ='on';
++ }
+ #check if subnet is sigle host
+ if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32')
+ {
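Review bot: The new remark check assigns with `$errormessage=$Lang::tr{'fwhost err remark'};`, which discards any message an earlier check in savenet has already set. The group remark check in savegrp appends with `.=`. Using `$errormessage.=$Lang::tr{'fwhost err remark'};` here keeps both messages visible. The check just above also sets `NOCHECK` to 'false'; whether the remark failure needs the same cannot be told from this hunk.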
+@@ -280,17 +286,19 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ;
+ $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ;
+ $customnetwork{$key}[2] = $fwhostsettings{'orgsub'};
+- $customnetwork{$key}[3] = $fwhostsettings{'count'};
++ $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'};
++ $customnetwork{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confignet", \%customnetwork);
+ undef %customnetwork;
+ }
+ if (!$errormessage){
++
+ &General::readhasharray("$confignet", \%customnetwork);
+ if ($fwhostsettings{'ACTION'} eq 'updatenet'){
+ if ($fwhostsettings{'update'} == '0'){
+ foreach my $key (keys %customnetwork) {
+ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){
+- $count=$customnetwork{$key}[3];
++ $count=$customnetwork{$key}[4];
+ delete $customnetwork{$key};
+ last;
+ }
+@@ -340,22 +348,24 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ }
+ }
+ my $key = &General::findhasharraykey (\%customnetwork);
+- foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";}
++ foreach my $i (0 .. 4) { $customnetwork{$key}[$i] = "";}
+ $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'});
+ $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'};
+ #convert ip when leading '0' in byte
+- $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'});
+- $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'});
++ $fwhostsettings{'IP'} =&General::ip2dec($fwhostsettings{'IP'});
++ $fwhostsettings{'IP'} =&General::dec2ip($fwhostsettings{'IP'});
+ $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ;
+ $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ;
+ if($fwhostsettings{'newnet'} eq 'on'){$count=0;}
+- $customnetwork{$key}[3] = $count;
++ $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'};
++ $customnetwork{$key}[4] = $count;
+ &General::writehasharray("$confignet", \%customnetwork);
+ $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ undef %customnetwork;
+ $fwhostsettings{'HOSTNAME'}='';
+ $fwhostsettings{'IP'}='';
+ $fwhostsettings{'SUBNET'}='';
++ $fwhostsettings{'NETREMARK'}='';
+ #check if an edited net affected groups and need to reload rules
+ if ($needrules eq 'on'){
+ &rules;
+@@ -662,7 +672,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ if($updcounter eq 'net'){
+ foreach my $key (keys %customnetwork) {
+ if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){
+- $customnetwork{$key}[3] = $customnetwork{$key}[3]+1;
++ $customnetwork{$key}[4] = $customnetwork{$key}[4]+1;
+ last;
+ }
+ }
+@@ -1092,6 +1102,7 @@ sub addnet
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' size='64'></td></tr>
+ <tr><td colspan='6'><hr></hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
+@@ -1363,7 +1374,7 @@ sub viewtablenet
+ }else{
+ print<<END;
+ <table border='0' width='100%'>
+- <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'netmask'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'netmask'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
+ END
+ }
+ my $count=0;
+@@ -1378,15 +1389,16 @@ END
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
+ print<<END;
+- <td width='40%'><form method='post'>$customnetwork{$key}[0]</td><td width=25%'>$customnetwork{$key}[1]</td><td width='25%'>$customnetwork{$key}[2]</td><td align='center'>$customnetwork{$key}[3]x</td>
++ <td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%'>$customnetwork{$key}[1]</td><td width='15%'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+ <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' />
+ <input type='hidden' name='IP' value='$customnetwork{$key}[1]' />
+ <input type='hidden' name='SUBNET' value='$customnetwork{$key}[2]' />
++ <input type='hidden' name='NETREMARK' value='$customnetwork{$key}[3]' />
+ </td></form>
+ END
+- if($customnetwork{$key}[3] == '0')
++ if($customnetwork{$key}[4] == '0')
+ {
+ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delnet' /><input type='hidden' name='key' value='$customnetwork{$key}[0]' /></td></form></tr>";
+ }else{
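Review bot: The rewritten row keeps a malformed attribute, `width=15%'` with the opening quote missing, carried over from `width=25%'` on the old line; since the line is being changed anyway it should become `width='15%'`. The counter test `$customnetwork{$key}[4] == '0'` compares numerically against a string and is also true for an empty field, which is what an entry in the old four-field layout would have. Writing it as `if (($customnetwork{$key}[4] || 0) == 0)` makes that case explicit.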
+--
+1.7.10.4
+
--- /dev/null
+From 6db1b4d993ff6a5cdff95c0872040f7fd61b91b1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 15:41:03 +0100
+Subject: [PATCH 121/302] FORWARD FIREWALL: Some Typos in language Files
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 5bba69e..afb47fa 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1101,7 +1101,7 @@ sub addnet
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
++ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
+ <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' size='64'></td></tr>
+ <tr><td colspan='6'><hr></hr></td></tr><tr>
+ END
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 3164294..f94289a 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -998,6 +998,7 @@
+ 'fwhost ip_mac' => 'IP/MAC Adresse',
+ 'fwhost ipsec host' => 'IpSec Clients:',
+ 'fwhost ipsec net' => 'IpSec Netzwerke:',
++'fwhost netaddress' => 'Netzwerk Adresse',
+ 'fwhost newnet' => 'Netz Einstellungen',
+ 'fwhost newhost' => 'Adress Einstellungen',
+ 'fwhost newgrp' => 'Adress Gruppierung',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 5d6e768..c34a775 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1021,7 +1021,7 @@
+ 'fwhost ip_mac' => 'IP/MAC address',
+ 'fwhost ipsec host' => 'IPsec clients:',
+ 'fwhost ipsec net' => 'IPsec networks:',
+-'fwhost netaddress' => 'Network address:',
++'fwhost netaddress' => 'Network address',
+ 'fwhost newnet' => 'Network',
+ 'fwhost newhost' => 'Host',
+ 'fwhost newgrp' => 'Address grouping',
+--
+1.7.10.4
+
--- /dev/null
+From c1298e74244479237f3ae1055fd4dc14966c8cf8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Feb 2013 16:30:41 +0100
+Subject: [PATCH 122/302] Forward Firewall: Bugfix: on update of network or
+ hostst and changing remark to invalid value, the
+ remark was saved
+
+---
+ html/cgi-bin/fwhosts.cgi | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index afb47fa..dc06996 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -286,7 +286,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ;
+ $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ;
+ $customnetwork{$key}[2] = $fwhostsettings{'orgsub'};
+- $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'};
++ $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'};
+ $customnetwork{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confignet", \%customnetwork);
+ undef %customnetwork;
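Review bot: The value restored on error, `$fwhostsettings{'orgnetremark'}`, comes back from the hidden form field added in the addnet hunk below and is written to the networks file without passing through validremark. The updatenet branch already reads the stored remark from the file (patch 120 puts it in `$fwhostsettings{'netremark'}`). Assuming that branch runs in the same request, restoring from it avoids trusting a round-tripped value: `$customnetwork{$key}[3] = $fwhostsettings{'netremark'};`. Otherwise the hidden value should at least be validated before it is stored. The savehost hunk that follows has the same pattern with `orgremark`.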
+@@ -448,7 +448,7 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ }else{
+ $customhost{$key}[2] = $fwhostsettings{'orgip'};
+ }
+- $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'};
++ $customhost{$key}[3] = $fwhostsettings{'orgremark'};
+ $customhost{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confighost", \%customhost);
+ undef %customhost;
+@@ -1099,6 +1099,7 @@ sub addnet
+ &showmenu;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'});
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
++ $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
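Review bot: `$fwhostsettings{'orgnetremark'}` is overwritten from `NETREMARK` every time addnet renders, including the re-render after a validation error (the `error eq 'on'` branch in the next hunk), where `NETREMARK` presumably still holds the rejected input. The hidden field would then carry the rejected text as the original remark, and a second failed submit would restore it into the file. Keep the value that was posted in that case, e.g. `$fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'} unless $fwhostsettings{'error'} eq 'on';`. addhost gets the same assignment for `orgremark` in a later hunk.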
+@@ -1107,7 +1108,7 @@ sub addnet
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
+ {
+- print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
++ print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgnetremark' value='$fwhostsettings{'orgnetremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
+ }else{
+ print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>";
+ }
+@@ -1120,6 +1121,7 @@ sub addhost
+ &showmenu;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'});
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
++ $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+ <tr><td>$Lang::tr{'name'}:</td><td width='35%'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ><script>document.getElementById('textbox1').focus()</script></td><td><select name='type'>
+@@ -1136,7 +1138,7 @@ END
+ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
+ {
+
+- print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
++ print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgremark' value='$fwhostsettings{'orgremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
+ }else{
+ print " <td colspan='6' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}'style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 27b6b4fc0b713005fe43bfb6caba1b756ffe6690 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Feb 2013 09:34:07 +0100
+Subject: [PATCH 123/302] Forward Firewall: convert-outgoingfw now supports
+ outgoing rules
+
+---
+ config/forwardfw/convert-outgoingfw | 119 +++++++++++++++++++++++------------
+ 1 file changed, 79 insertions(+), 40 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index f279a6c..5980651 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -19,6 +19,7 @@ my $ovpnsettings = "${General::swroot}/ovpn/settings";
+ my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";
+ my $ccdconfig = "${General::swroot}/ovpn/ccd.conf";
+ my $fwdfwconfig = "${General::swroot}/forward/config";
++my $outfwconfig = "${General::swroot}/forward/outgoing";
+ my $fwdfwsettings = "${General::swroot}/forward/settings";
+ my @ipgroups = qx(ls $ipgrouppath);
+ my @macgroups = qx(ls $macgrouppath);
+@@ -30,7 +31,8 @@ my %groups=();
+ my %settingsovpn=();
+ my %configovpn=();
+ my %ccdconf=();
+-my %fwconf=();
++my %fwconfig=();
++my %fwconfigout=();
+ my %fwdsettings=();
+ &General::readhash($outfwsettings,\%outsettings);
+
+@@ -246,17 +248,15 @@ sub check_grp
+ }
+ sub process_rules
+ {
++ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
++ print"uzlputz modus ist $outsettings{'POLICY'} \n";
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+- if($fwdsettings{'POLICY'} ne $outsettings{'POLICY'}){
+- if ($outsettings{'POLICY'} eq 'MODE0'){$outsettings{'POLICY'}='MODE2';}
++ if ($outsettings{'POLICY'} eq 'MODE0'){
++ $fwdfwsettings{'POLICY'}='MODE2';
++ }else{
+ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
+- &General::writehash($fwdfwsettings,\%fwdsettings);
+ }
+- #open LOG
+- if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+- open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+-
+- my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
++ &General::writehash($fwdfwsettings,\%fwdsettings);
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+ $type='ALLOW';
+ $action='ACCEPT';
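Review bot: In the MODE0 branch, `$fwdfwsettings{'POLICY'}='MODE2';` writes to a hash named `%fwdfwsettings`, whereas `$fwdfwsettings` is the settings file path and the hash passed to writehash is `%fwdsettings`. The MODE0 translation is therefore never stored, and the forward policy keeps whatever readhash loaded. It should be `$fwdsettings{'POLICY'}='MODE2';`. The added `print"uzlputz modus ist ..."` line looks like leftover debugging output and should be removed. `use strict` would reject the undeclared hash at compile time; whether the converter enables it is not visible here.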
+@@ -266,6 +266,9 @@ sub process_rules
+ }else{
+ return;
+ }
++ #open LOG
++ if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
++ open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+ open (DATEI, "<$outgoingrules");
+ my @lines = <DATEI>;
+ foreach my $rule (@lines)
+@@ -320,8 +323,11 @@ sub process_rules
+ $grp1='std_net_src';
+ $source='ORANGE';
+ }elsif ($configline[2] eq 'red') {
+- print LOG "-> Rule not converted, is an outgoing rule.Please put it manually in /etc/sysconfig/firewall.local \n";
+- next;
++ $grp1='std_net_src';
++ $source='IPFire';
++ &General::readhash($fwdfwsettings,\%fwdsettings);
++ $fwdsettings{'POLICY1'}=$outsettings{'POLICY'};
++ &General::writehash($fwdfwsettings,\%fwdsettings);
+ }elsif ($configline[2] eq 'blue') {
+ $grp1='std_net_src';
+ $source='BLUE';
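Review bot: The new `red` branch reads and rewrites the settings file once for every matching rule inside the loop, and `POLICY1` is only ever set when at least one rule with source `red` exists. If the outgoing policy is meant to be migrated regardless of the rules present, set `$fwdsettings{'POLICY1'}` once next to the `POLICY` assignment at the top of process_rules, so that the existing writehash call stores both values. Rules that were previously logged as not converted now become active rules with source `IPFire`, and a line in the conversion log saying so would help whoever reviews the result. The loop starts and ends outside this hunk.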
+@@ -355,7 +361,6 @@ sub process_rules
+ $grp1='std_net_src';
+ $source='ALL';
+ }else{
+- #&General::readhasharray($configgroups,\%groups);
+ foreach my $key (sort keys %groups){
+ if($groups{$key}[0] eq $configline[2]){
+ $grp1='cust_grp_src';
+@@ -423,16 +428,22 @@ sub process_rules
+ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
+ }
+ &General::readhasharray($fwdfwconfig,\%fwconfig);
++ &General::readhasharray($outfwconfig,\%fwconfigout);
+ my $check;
++ my $chain;
+ foreach my $protocol (@prot){
++ if ($source eq 'IPFire'){
++ $chain='OUTGOINGFW';
++ }else{
++ $chain='FORWARDFW';
++ }
+ $protocol=uc($protocol);
+- print LOG "-> Converted: $action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
++ print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+ #Put rules into system....
+ ###########################
+-
+ #check for double rules
+ foreach my $key (sort keys %fwconfig){
+- if("$action,FORWARDFW,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
++ if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
+ eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
+ $check='on';
+ next;
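Review bot: The duplicate check still iterates only `%fwconfig`, but rules whose `$chain` is `OUTGOINGFW` are stored in `%fwconfigout` (see the following hunk), so a second run of the converter would not recognise outgoing rules it has already written. Select the hash to compare against from `$chain`, e.g. `my $cfg = $chain eq 'OUTGOINGFW' ? \%fwconfigout : \%fwconfig;`, and loop over `keys %$cfg`. `$chain` depends only on `$source`, so it can be set once before the `foreach my $protocol` loop. The loop body continues outside this hunk.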
+@@ -452,33 +463,61 @@ sub process_rules
+ &General::writehasharray($configgroups,\%groups);
+ }
+ }
+- my $key = &General::findhasharraykey(\%fwconfig);
+- $fwconfig{$key}[0] = $action;
+- $fwconfig{$key}[1] = "FORWARDFW";
+- $fwconfig{$key}[2] = $active;
+- $fwconfig{$key}[3] = $grp1;
+- $fwconfig{$key}[4] = $source;
+- $fwconfig{$key}[5] = $grp2;
+- $fwconfig{$key}[6] = $target;
+- $fwconfig{$key}[11] = $useport;
+- $fwconfig{$key}[12] = $protocol;
+- $fwconfig{$key}[14] = $grp3;
+- $fwconfig{$key}[15] = $port;
+- $fwconfig{$key}[16] = $remark;
+- $fwconfig{$key}[17] = $log;
+- $fwconfig{$key}[18] = $time;
+- $fwconfig{$key}[19] = $time_mon;
+- $fwconfig{$key}[20] = $time_tue;
+- $fwconfig{$key}[21] = $time_wed;
+- $fwconfig{$key}[22] = $time_thu;
+- $fwconfig{$key}[23] = $time_fri;
+- $fwconfig{$key}[24] = $time_sat;
+- $fwconfig{$key}[25] = $time_sun;
+- $fwconfig{$key}[26] = $time_from;
+- $fwconfig{$key}[27] = $time_to;
++ if ($chain eq 'FORWARDFW'){
++ my $key = &General::findhasharraykey(\%fwconfig);
++ $fwconfig{$key}[0] = $action;
++ $fwconfig{$key}[1] = $chain;
++ $fwconfig{$key}[2] = $active;
++ $fwconfig{$key}[3] = $grp1;
++ $fwconfig{$key}[4] = $source;
++ $fwconfig{$key}[5] = $grp2;
++ $fwconfig{$key}[6] = $target;
++ $fwconfig{$key}[11] = $useport;
++ $fwconfig{$key}[12] = $protocol;
++ $fwconfig{$key}[14] = $grp3;
++ $fwconfig{$key}[15] = $port;
++ $fwconfig{$key}[16] = $remark;
++ $fwconfig{$key}[17] = $log;
++ $fwconfig{$key}[18] = $time;
++ $fwconfig{$key}[19] = $time_mon;
++ $fwconfig{$key}[20] = $time_tue;
++ $fwconfig{$key}[21] = $time_wed;
++ $fwconfig{$key}[22] = $time_thu;
++ $fwconfig{$key}[23] = $time_fri;
++ $fwconfig{$key}[24] = $time_sat;
++ $fwconfig{$key}[25] = $time_sun;
++ $fwconfig{$key}[26] = $time_from;
++ $fwconfig{$key}[27] = $time_to;
++ }else{
++ my $key = &General::findhasharraykey(\%fwconfigout);
++ $fwconfigout{$key}[0] = $action;
++ $fwconfigout{$key}[1] = $chain;
++ $fwconfigout{$key}[2] = $active;
++ $fwconfigout{$key}[3] = $grp1;
++ $fwconfigout{$key}[4] = $source;
++ $fwconfigout{$key}[5] = $grp2;
++ $fwconfigout{$key}[6] = $target;
++ $fwconfigout{$key}[11] = $useport;
++ $fwconfigout{$key}[12] = $protocol;
++ $fwconfigout{$key}[14] = $grp3;
++ $fwconfigout{$key}[15] = $port;
++ $fwconfigout{$key}[16] = $remark;
++ $fwconfigout{$key}[17] = $log;
++ $fwconfigout{$key}[18] = $time;
++ $fwconfigout{$key}[19] = $time_mon;
++ $fwconfigout{$key}[20] = $time_tue;
++ $fwconfigout{$key}[21] = $time_wed;
++ $fwconfigout{$key}[22] = $time_thu;
++ $fwconfigout{$key}[23] = $time_fri;
++ $fwconfigout{$key}[24] = $time_sat;
++ $fwconfigout{$key}[25] = $time_sun;
++ $fwconfigout{$key}[26] = $time_from;
++ $fwconfigout{$key}[27] = $time_to;
++ }
++ &General::writehasharray($fwdfwconfig,\%fwconfig);
++ &General::writehasharray($outfwconfig,\%fwconfigout);
+ }
+ }
+- &General::writehasharray($fwdfwconfig,\%fwconfig);
+ @prot=();
+ }
+ close(LOG);
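Review bot: The `else` branch of the new `if ($chain eq 'FORWARDFW')` sends every other `$chain` value to `%fwconfigout`, so an unexpected or empty chain name produced by the conversion is stored as an outgoing rule instead of being skipped. An explicit `elsif` on the expected outgoing chain name, with a logged skip for anything else, would be safer. The two branches also repeat the same 24 assignments; selecting the target once with `my $cfg = ($chain eq 'FORWARDFW') ? \%fwconfig : \%fwconfigout;` and filling `$cfg->{$key}[...]` removes the duplication. Both `writehasharray` calls now appear to sit inside the loop and rewrite both files for every converted rule, and the duplicate check in the preceding hunk still iterates only `%fwconfig`, so repeated outgoing rules are presumably not detected. `process_rules` starts and ends outside this hunk.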
+--
+1.7.10.4
+
--- /dev/null
+From d910e306c4269f45498211b2fa4977f32cf76ea2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Feb 2013 10:26:55 +0100
+Subject: [PATCH 124/302] Forward Firewall: moved p2p-block to a seperate cgi
+ and deleted it from forwardfw.cgi
+
+---
+ config/menu/50-firewall.menu | 8 ++-
+ html/cgi-bin/forwardfw.cgi | 66 ++------------------
+ html/cgi-bin/fwhosts.cgi | 13 ++--
+ html/cgi-bin/p2p-block.cgi | 142 ++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+), 71 deletions(-)
+ create mode 100755 html/cgi-bin/p2p-block.cgi
+
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index 90baa65..0295343 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -28,12 +28,18 @@
+ 'title' => "Universal Plug and Play",
+ 'enabled' => 0,
+ };
+- $subfirewall->{'80.optingsfw'} = {
++ $subfirewall->{'80.optionsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
++ $subfirewall->{'81.p2p'} = {
++ 'caption' => 'P2P-Block',
++ 'uri' => '/cgi-bin/p2p-block.cgi',
++ 'title' => "P2P-Block",
++ 'enabled' => 1,
++ };
+ $subfirewall->{'90.iptables'} = {
+ 'caption' => $Lang::tr{'ipts'},
+ 'uri' => '/cgi-bin/iptables.cgi',
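Review bot: The new `81.p2p` entry hard-codes `'P2P-Block'` for both `caption` and `title`, while the neighbouring entries take their text from `%Lang::tr`. A language key (placeholder: `$Lang::tr{'<p2p block key>'}`) added to the language files would keep the menu translatable. The `title` value also does not need the double quotes, since nothing is interpolated.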
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6bcfdc7..738c387 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -70,7 +70,6 @@ my %icmptypes=();
+ my %ovpnsettings=();
+ my %ipsecsettings=();
+ my %aliases=();
+-my @p2ps = ();
+
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+@@ -86,7 +85,6 @@ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+-my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $errormessage='';
+ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+@@ -446,29 +444,6 @@ if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+ #$fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+ }
+-if ($fwdfwsettings{'ACTION'} eq 'togglep2p')
+-{
+- #$errormessage="Toggle $fwdfwsettings{'P2PROT'}<br>";
+- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+- @p2ps = <FILE>;
+- close FILE;
+- open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile";
+- foreach my $p2pentry (sort @p2ps)
+- {
+- my @p2pline = split( /\;/, $p2pentry );
+- if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) {
+- if($p2pline[2] eq 'on'){
+- $p2pline[2]='off';
+- }else{
+- $p2pline[2]='on';
+- }
+- }
+- print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
+- }
+- close FILE;
+- &rules;
+- &base;
+-}
+ if ($fwdfwsettings{'ACTION'} eq '')
+ {
+ &base;
+@@ -606,7 +581,7 @@ sub base
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+ &hint;
+ &addrule;
+- &p2pblock;
++ print "<br><hr><br><br>";
+ &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+@@ -642,16 +617,14 @@ END
+ sub addrule
+ {
+ &error;
++ if (-f "${General::swroot}/forward/reread"){
++ print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+-
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+- if (-f "${General::swroot}/forward/reread"){
+- print "<td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td>";
+- }
+- print"</tr></table></form><hr>";
+-
++ print"</tr></table></form><hr>";
+ &Header::closebox();
+ &viewtablerule;
+ }
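Review bot: The reread banner added at the top of `addrule` emits malformed markup: `<table border='0'><form method='post'><td>` has no opening `<tr>`, and the closing order `</tr></table></form>` does not match the opening order. In addition `font-face` is not a CSS property, so the intended font is silently ignored; `font-family` is presumably what was meant. Wrapping it as `<form method='post'><table border='0'><tr><td>…</td></tr></table></form>` gives browsers a well-formed form, which matters because this button triggers the rule reload. The identical string is added in `showmenu` in fwhosts.cgi and in `p2pblock` in the new p2p-block.cgi; a shared helper would avoid three copies.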
+@@ -2064,35 +2037,6 @@ END
+ &Header::closebox();
+ }
+ }
+-sub p2pblock
+-{
+- my $gif;
+- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+- @p2ps = <FILE>;
+- close FILE;
+- &Header::openbox('100%', 'center', 'P2P-Block');
+- print <<END;
+- <table width='35%' border='0'>
+- <tr bgcolor='$color{'color22'}'><td align=center colspan='2' ><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'status'}</b></td></tr>
+-END
+- foreach my $p2pentry (sort @p2ps)
+- {
+- my @p2pline = split( /\;/, $p2pentry );
+- if($p2pline[2] eq 'on'){
+- $gif="/images/on.gif"
+- }else{
+- $gif="/images/off.gif"
+- }
+- print <<END;
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <tr bgcolor='$color{'color20'}'>
+- <td align='center' colspan='2' >$p2pline[0]:</td><td align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
+-END
+- }
+- print"<tr><td><img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
+- print"<tr><td><img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
+- &Header::closebox();
+-}
+ sub fillselect
+ {
+ my %hash=%{(shift)};
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index dc06996..ae018d6 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1074,21 +1074,16 @@ if($fwhostsettings{'ACTION'} eq '')
+ ### FUNCTIONS ###
+ sub showmenu
+ {
+-
++ if (-f "${General::swroot}/forward/reread"){
++ print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print<<END;
+ <table border='0' width='100%'><form method='post'>
+ <tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' /></td>
+ <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' /></td></tr>
+- <tr><td colspan='6'><hr></hr></td>
++ <tr><td colspan='6'><hr></hr></td></tr></table></form>
+ END
+-
+-
+- if (-f "${General::swroot}/fwhosts/reread"){
+- print "</tr><tr><td colspan='6'><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;' >$Lang::tr{'fwhost reread'}</td>";
+- }
+- print"</tr></table></form>";
+-
+ &Header::closebox();
+
+ }
+diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi
+new file mode 100755
+index 0000000..1c69a0e
+--- /dev/null
++++ b/html/cgi-bin/p2p-block.cgi
+@@ -0,0 +1,142 @@
++#!/usr/bin/perl
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2012 #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++# #
++# Hi folks! I hope this code is useful for all. I needed something to handle #
++# my VPN Connections in a comfortable way. As a prerequisite i needed #
++# something that makes sure the vpn roadwarrior are able to have a fixed #
++# ip-address. So i developed the ccd extension for the vpn server. #
++# #
++# Now that the ccd extension is ready i am able to develop the main request. #
++# Any feedback is appreciated. #
++# #
++#Copymaster #
++###############################################################################
++
++use strict;
++no warnings 'uninitialized';
++# enable only the following on debugging purpose
++#use warnings;
++#use CGI::Carp 'fatalsToBrowser';
++
++require '/var/ipfire/general-functions.pl';
++require "${General::swroot}/lang.pl";
++require "${General::swroot}/header.pl";
++
++my $errormessage='';
++my $p2pfile = "${General::swroot}/forward/p2protocols";
++
++my @p2ps = ();
++my %fwdfwsettings=();
++my %color=();
++my %mainsettings=();
++
++&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++&General::readhash("${General::swroot}/main/settings", \%mainsettings);
++&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
++
++
++
++&Header::showhttpheaders();
++&Header::getcgihash(\%fwdfwsettings);
++&Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
++&Header::openbigbox('100%', 'center',$errormessage);
++
++if ($fwdfwsettings{'ACTION'} eq ''){
++&p2pblock;
++}
++if ($fwdfwsettings{'ACTION'} eq 'togglep2p')
++{
++ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
++ @p2ps = <FILE>;
++ close FILE;
++ open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile";
++ foreach my $p2pentry (sort @p2ps)
++ {
++ my @p2pline = split( /\;/, $p2pentry );
++ if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) {
++ if($p2pline[2] eq 'on'){
++ $p2pline[2]='off';
++ }else{
++ $p2pline[2]='on';
++ }
++ }
++ print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
++ }
++ close FILE;
++ &rules;
++ &p2pblock;
++}
++if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
++{
++ &reread_rules;
++ &p2pblock;
++}
++
++
++sub p2pblock
++{
++ if (-f "${General::swroot}/forward/reread"){
++ print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ }
++ my $gif;
++ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
++ @p2ps = <FILE>;
++ close FILE;
++ &Header::openbox('100%', 'center', 'P2P-Block');
++ print <<END;
++ <table width='35%' border='0'>
++ <tr bgcolor='$color{'color22'}'><td align=center colspan='2' ><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'status'}</b></td></tr>
++END
++ foreach my $p2pentry (sort @p2ps)
++ {
++ my @p2pline = split( /\;/, $p2pentry );
++ if($p2pline[2] eq 'on'){
++ $gif="/images/on.gif"
++ }else{
++ $gif="/images/off.gif"
++ }
++ print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <tr bgcolor='$color{'color20'}'>
++ <td align='center' colspan='2' >$p2pline[0]:</td><td align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form>
++END
++ }
++ print"<tr><td><img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
++ print"<tr><td><img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
++ &Header::closebox();
++}
++sub rules
++{
++ if (!-f "${General::swroot}/forward/reread"){
++ system("touch ${General::swroot}/forward/reread");
++ system("touch ${General::swroot}/fwhosts/reread");
++ }
++}
++sub reread_rules
++{
++ system("/usr/local/bin/forwardfwctrl");
++ if ( -f "${General::swroot}/forward/reread"){
++ system("rm ${General::swroot}/forward/reread");
++ system("rm ${General::swroot}/fwhosts/reread");
++ }
++}
++&Header::closebigbox();
++&Header::closepage();
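Review bot: `reread_rules` ignores the exit status of `/usr/local/bin/forwardfwctrl` and then removes both `reread` markers, so a failed reload leaves the page showing no pending changes while the running ruleset may still be the old one. Clearing the markers only on success keeps the reminder visible, e.g. `if (system('/usr/local/bin/forwardfwctrl') == 0) { unlink("${General::swroot}/forward/reread", "${General::swroot}/fwhosts/reread"); }`, which also avoids spawning a shell for `rm`. The `togglep2p` branch has a related weakness: it truncates `$p2pfile` with `open( FILE, "> $p2pfile" )` before rewriting it, so a failure midway loses the protocol list; writing to a temporary file and renaming it over the original would avoid that. The header comment about the VPN ccd extension appears to be copied from another script and does not describe this page.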
+--
+1.7.10.4
+
--- /dev/null
+From 4895e72e77a84c5991fd7ef119f78fa38aecb491 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Feb 2013 15:00:03 +0100
+Subject: [PATCH 125/302] Forward Firewall: changes in rule layout. new Option
+ in firewall-options: it is now possible to select
+ if the colors are shown in ruletable
+
+---
+ html/cgi-bin/forwardfw.cgi | 138 +++++++++++++++++++++++++++++---------------
+ html/cgi-bin/optionsfw.cgi | 12 +++-
+ langs/de/cgi-bin/de.pl | 2 +
+ langs/en/cgi-bin/en.pl | 2 +
+ 4 files changed, 107 insertions(+), 47 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 738c387..c55cbf8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -70,6 +70,7 @@ my %icmptypes=();
+ my %ovpnsettings=();
+ my %ipsecsettings=();
+ my %aliases=();
++my %optionsfw=();
+
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+@@ -85,14 +86,16 @@ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+ my $configovpn = "${General::swroot}/ovpn/settings";
++my $fwoptions = "${General::swroot}/optionsfw/settings";
+ my $errormessage='';
+ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+-
++my $tdcolor='';
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+ &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
++&General::readhash($fwoptions, \%optionsfw);
+
+ &Header::showhttpheaders();
+ &Header::getcgihash(\%fwdfwsettings);
+@@ -133,9 +136,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
+ $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
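Review bot: With the first condition changed from `&validremark(...)` to `$fwdfwsettings{'ruleremark'} eq ''`, a changed remark that is non-empty and valid no longer matches either branch, so `$errormessage` keeps the 'rule exists' text unless code below the hunk clears it. If editing only the remark of an existing rule should still work, the first test likely wants `($fwdfwsettings{'ruleremark'} eq '' || &validremark($fwdfwsettings{'ruleremark'}))` as its last operand. The same change is repeated in the hunks at -206 and -262 for the outgoing and forward tables. The enclosing `saverule` block starts and ends outside the hunk.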
+@@ -206,9 +209,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
+ $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+@@ -262,9 +265,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && &validremark($fwdfwsettings{'ruleremark'})){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
+ $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && !&validremark($fwdfwsettings{'ruleremark'})){
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+@@ -1817,7 +1820,7 @@ sub get_serviceports
+ }
+ sub viewtablerule
+ {
+-
++ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+ &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
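Review bot: The added `readhash` call in `viewtablerule` uses the literal path `/var/ipfire/ethernet/settings`, while the other settings files in this script are addressed through `${General::swroot}`. Writing it as `&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);` keeps the script consistent if the configuration root differs. `%netsettings` is declared outside the hunk.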
+@@ -1829,6 +1832,7 @@ sub viewtablenew
+ my $title=shift;
+ my $title1=shift;
+ my $go='';
++ &General::get_aliases(\%aliases);
+ &General::readhasharray("$config", $hash);
+ if( ! -z $config){
+ &Header::openbox('100%', 'left',$title);
+@@ -1840,8 +1844,8 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' style='border: 1px solid #000000;' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+- print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<table width='100%' cellspacing='1' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
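Review bot: The rewritten `<table>` tag still carries `rules='none'; padding-top: 0px; … ;'`, which is CSS text sitting outside any attribute and ends in an unmatched quote, so the browser has to guess where the tag ends. Either drop the padding text or put it in a real attribute, e.g. `print"<table width='100%' cellspacing='1' rules='none' style='padding: 0px;'>";`. Most header cells on the next line also open `<b>` without closing it. The enclosing `viewtablenew` continues outside the hunk.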
+@@ -1887,14 +1891,15 @@ sub viewtablenew
+ $coloryellow='';
+ }elsif($coloryellow eq ''){
+ if ($count % 2){
+- print"<tr bgcolor='$color{'color22'}' >";
++ $color="$color{'color22'}";
+ }
+ else{
+- print"<tr bgcolor='$color{'color20'}' >";
++ $color="$color{'color20'}";
+ }
+ }
++ print"<tr bgcolor='$color' >";
+ print<<END;
+- <td align='right'>$key</td>
++ <td align='right' width='15'>$key</td>
+ END
+ if ($$hash{$key}[0] eq 'ACCEPT'){
+ $ruletype='A';
+@@ -1909,13 +1914,15 @@ END
+ $tooltip='REJECT';
+ $rulecolor=$color{'color16'};
+ }
+- print"<td bgcolor='$rulecolor' width='2%' align='center'><span title='$tooltip'><b>$ruletype</b></span></td>";
+- print"<td align='center' nowrap='nowrap'>";
++ print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ &getcolor($$hash{$key}[4]);
++ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
+ }else{
+ print $$hash{$key}[4];
+ }
++ $tdcolor='';
+ &getsrcport(\%$hash,$key);
+ if ($$hash{$key}[17] eq 'ON'){
+ $log="/images/on.gif";
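Review bot: `getcolor` passes its result back through the file-level `$tdcolor`, which is reset by hand after the source cell here but not after the target cell in the next hunk. If `getcolor` does not assign on every path (its body is not in view), a stale attribute can leak into a later cell. Returning the attribute and keeping it local, e.g. `my $tdcolor = &getcolor($$hash{$key}[4]);`, removes the need for the manual `$tdcolor='';` reset.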
+@@ -1925,14 +1932,15 @@ END
+ print<<END;
+ </td>
+ <form method='post'>
+- <td width='1%' align='left'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
++ <td align='left' width='25'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+ </td></form>
+ END
++ &getcolor($$hash{$key}[6]);
+ print<<END;
+- <td align='center' nowrap='nowrap'>
++ <td align='center' width='160' $tdcolor>
+ END
+ if ($$hash{$key}[5] eq 'std_net_tgt'){
+ print &get_name($$hash{$key}[6]);
+@@ -1940,7 +1948,6 @@ END
+ print $$hash{$key}[6];
+ }
+ &gettgtport(\%$hash,$key);
+- ################################################################################
+ print"</td>";
+ #Get Protocol
+ my $prot;
+@@ -1956,9 +1963,22 @@ END
+ $prot=$Lang::tr{'all'};
+ }
+ print"<td align='center'>$prot</td>";
+-
+- print"<td width='20%'>$$hash{$key}[16]</td>";
+-
++ if ($$hash{$key}[18] eq 'ON'){
++ my @days=();
++ if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
++ if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});}
++ if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});}
++ if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});}
++ if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
++ if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
++ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
++ my $weekdays=join(",",@days);
++ if (@days){
++ print"<td align='center' width='100'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27]</td>";
++ }
++ }else{
++ print"<td></td>";
++ }
+ if($$hash{$key}[2] eq 'ON'){
+ $gif="/images/on.gif"
+
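Review bot: When `$$hash{$key}[18]` is `'ON'` but none of the weekday fields is set, `@days` is empty and the inner `if (@days)` prints no `<td>` at all, so the row is one cell short and the action icons shift one column to the left. Adding `else { print"<td></td>"; }` to the inner `if` keeps the column count constant. The time frame now also lands in the column the header still labels `$Lang::tr{'remark'}`, so the header text should be updated to match. The enclosing loop in `viewtablenew` starts and ends outside the hunk.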
+@@ -1967,25 +1987,25 @@ END
+ }
+ print<<END;
+ <form method='post'>
+- <td width='1%'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw toggle'}' />
+ </td></form>
+ <form method='post'>
+- <td width='1%' ><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25' ><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='editrule' />
+ </td></form></td>
+ <form method='post'>
+- <td width='1%'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='copyrule' />
+ </td></form></td>
+ <form method='post'>
+- <td width='1%' ><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25' ><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='deleterule' />
+@@ -1994,49 +2014,75 @@ END
+ if (exists $$hash{$key-1}){
+ print<<END;
+ <form method='post'>
+- <td width='1%'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='moveup' />
+ </td></form></td>
+ END
+ }else{
+- print"<td></td>";
++ print"<td width='25'><input type='image' img src='/images/up.gif' style='visibility:hidden;'></td>";
+ }
+ if (exists $$hash{$key+1}){
+ print<<END;
+ <form method='post'>
+- <td width='1%' ><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25' ><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='movedown' />
+ </td></form></td></tr>
+ END
+ }else{
+- print"<td></td></tr>";
+- }
+- #if timeframe set, print new line in table
+- if ($$hash{$key}[18] eq 'ON'){
+- my @days=();
+- if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
+- if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});}
+- if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});}
+- if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});}
+- if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
+- if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
+- if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+- my $weekdays=join(",",@days);
+- if (@days){
+- print"<tr bgcolor='#FFE4B5'><td colspan='6'>$Lang::tr{'fwdfw time'} ";
+- print"$weekdays";
+- print "  $Lang::tr{'fwdfw from'} $$hash{$key}[26]   $Lang::tr{'fwdfw till'} $$hash{$key}[27]</td><td colspan='8'></d></tr>";
+- }
++ print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>";
+ }
++ #REMARK
++ print"<tr bgcolor='$color'><td colspan='13' style='border-bottom: 1px solid black'>";
++ print"<b>$Lang::tr{'remark'}:</b> $$hash{$key}[16]</td></tr>";
+ }
+ print"</table>";
+ &Header::closebox();
+ }
+ }
++sub getcolor
++{
++ my $val=shift;
++ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ foreach my $alias (sort keys %aliases)
++ {
++ if ($val eq $alias){
++ $tdcolor="style='border: 2px solid red;'";
++ return;
++ }
++ }
++ if ($val eq 'GREEN'){
++ $tdcolor="style='border: 2px solid green;'";
++ }elsif ($val eq 'ORANGE'){
++ $tdcolor="style='border: 2px solid orange;'";
++ }elsif ($val eq 'BLUE'){
++ $tdcolor="style='border: 2px solid blue;'";
++ }elsif ($val eq 'IPFire' ){
++ $tdcolor="style='border: 2px solid red;'";
++ }elsif($val =~ /^(.*?)\/(.*?)$/){
++ my ($sip,$scidr) = split ("/",$val);
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $tdcolor="style='border: 2px solid orange;'";
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
++ $tdcolor="style='border: 2px solid green;'";
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
++ $tdcolor="style='border: 2px solid blue;'";
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'RED_ADDRESS'},$netsettings{'RED_NETMASK'})){
++ $tdcolor="style='border: 2px solid red;'";
++ }
++ }elsif ($val eq 'Default IP'){
++ $tdcolor="style='border: 2px solid red;'";
++ }else{
++ $tdcolor='';
++ }
++ }
++}
+ sub fillselect
+ {
+ my %hash=%{(shift)};
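Review bot: The new REMARK row prints `$$hash{$key}[16]` straight into the table cell, so any markup stored in a rule's remark is rendered by the browser of whoever views the rule list. Whether the remark is cleaned when the rule is saved is not visible in this hunk, so escaping at output is the safer place. Assuming the web UI's `Header::cleanhtml` helper is in scope here, the line could read `print"<b>$Lang::tr{'remark'}:</b> ".&Header::cleanhtml($$hash{$key}[16])."</td></tr>";`. The enclosing sub starts outside the hunk.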
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index b396e3f..da246f3 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -91,6 +91,9 @@ $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
+ $checked{'DROPSAMBA'}{'off'} = '';
+ $checked{'DROPSAMBA'}{'on'} = '';
+ $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'";
++$checked{'SHOWCOLORS'}{'off'} = '';
++$checked{'SHOWCOLORS'}{'on'} = '';
++$checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'";
+ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+ $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
+
+@@ -117,7 +120,8 @@ print <<END
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+ <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> off</td></tr>
+ </table>
+-<br />
++<br/>
++
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>on <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+@@ -125,6 +129,12 @@ print <<END
+ <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>on <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> off</td></tr>
+ </table>
++<br>
++<table width='95%' cellspacing='0'>
++<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>on <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
++ <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr>
++</table>
+ <br />
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw default drop'}</b></td></tr>
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index f94289a..64bda2e 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1033,6 +1033,8 @@
+ 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+ 'fw blue' => 'Firewall Optionen für das Blaue Interface',
+ 'fw default drop' => 'Firewall Policy',
++'fw settings' => 'Firewall Einstellungen',
++'fw settings color' => 'Farben in Regeltabelle anzeigen',
+ 'fw logging' => 'Firewall Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index c34a775..0118e8d 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1056,6 +1056,8 @@
+ 'from warn email bad' => 'From e-mail address is not valid',
+ 'fw blue' => 'Firewall options for BLUE interface',
+ 'fw default drop' => 'Firewall policy',
++'fw settings' => 'Firewall settings',
++'fw settings color' => 'Show colors in ruletable',
+ 'fw logging' => 'Firewall logging',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+--
+1.7.10.4
+
--- /dev/null
+From bd1cbe6be770d5234a50f2173d8aa0a6a87ce309 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Feb 2013 16:40:47 +0100
+Subject: [PATCH 126/302] Forward Firewall: fix wlan clients now working with
+ forwardfw
+
+---
+ html/cgi-bin/forwardfw.cgi | 12 ++++++------
+ src/initscripts/init.d/firewall | 6 +++---
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index c55cbf8..814f6ec 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -595,10 +595,10 @@ print <<END;
+ <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+- <td width='45%' align='left'>
++ <input type='submit' name='ACTION' value=$Lang::tr{'save'} /></td><td width='45%' align='right'>
++
+ END
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td></tr>";
+ print "</table></form>";
+ print"<br><br>";
+ print <<END;
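Review bot: The rewritten submit button still emits `value=$Lang::tr{'save'}` without quotes, so a translation containing a space would be cut at the first word and the posted ACTION would no longer match the string the handler compares against. The POLICY1 form in the next hunk already quotes it; the same form here would be `<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />`. The heredoc starts outside the hunk.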
+@@ -610,10 +610,10 @@ END
+ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <td width='45%' align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form>
+- <td width='45%' align='left'>
++ <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form></td><td width='45%' align='right'>
++
+ END
+- print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' />";
++ print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' /></tr>";
+ print "</table></form>";
+ &Header::closebox();
+ }
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 0eb5c12..c225ca9 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -221,7 +221,7 @@ case "$1" in
+ /sbin/iptables -N WIRELESSINPUT
+ /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
++ /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
+
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
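Review bot: Appending the WIRELESSFORWARD jump to FORWARDFW instead of FORWARD makes the wireless client check depend on that chain's contents and lifetime, neither of which this hunk shows. If FORWARDFW is flushed or rebuilt when the rule set is reloaded, the jump added here would be gone until the init script runs again, and an ACCEPT rule that sits earlier in FORWARDFW would match before the wireless check is reached. Both are worth confirming; a comment next to the rule such as `# WIRELESSFORWARD is evaluated from FORWARDFW; keep this jump ahead of user rules` would record the ordering requirement. The enclosing `case` branch starts and ends outside the hunk.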
+@@ -294,9 +294,9 @@ case "$1" in
+ /sbin/iptables -A FORWARD -j POLICYFWD
+ /sbin/iptables -N POLICYOUT
+ /sbin/iptables -A OUTPUT -j POLICYOUT
+-
+-
++
+ /usr/sbin/firewall-policy
++
+ ;;
+ startovpn)
+ # run openvpn
+--
+1.7.10.4
+
--- /dev/null
+From d822051eef5efa201ade4c8dbf55c5c8f196d56d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Feb 2013 21:53:52 +0100
+Subject: [PATCH 127/302] Forward Firewall: bugfix converter->default forward
+ mode is now set correctly some layout changes
+
+---
+ config/forwardfw/convert-outgoingfw | 6 ++---
+ html/cgi-bin/forwardfw.cgi | 49 +++++++++++++++++++++--------------
+ 2 files changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 5980651..22c9272 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -251,10 +251,10 @@ sub process_rules
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+ print"uzlputz modus ist $outsettings{'POLICY'} \n";
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+- if ($outsettings{'POLICY'} eq 'MODE0'){
+- $fwdfwsettings{'POLICY'}='MODE2';
++ if ($outsettings{'POLICY'} eq 'MODE1'){
++ $fwdfwsettings{'POLICY'}='MODE1';
+ }else{
+- $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
++ $fwdsettings{'POLICY'}='MODE2';
+ }
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+ if ($outsettings{'POLICY'} eq 'MODE1'){
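Review bot: The MODE1 branch assigns to `$fwdfwsettings{'POLICY'}`, an element of the hash `%fwdfwsettings`, while the readhash/writehash calls around it and the else branch all use `%fwdsettings` (`$fwdfwsettings` is the scalar passed as the file name). As written, a blocking outgoing policy never reaches the hash that writehash saves, so the converted settings keep whatever POLICY was read from the file. The line should be `$fwdsettings{'POLICY'}='MODE1';`. process_rules continues outside the hunk.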
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 814f6ec..bb6c42e 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -584,7 +584,7 @@ sub base
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+ &hint;
+ &addrule;
+- print "<br><hr><br><br>";
++ print "<br><br>";
+ &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+@@ -610,10 +610,10 @@ END
+ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form></td><td width='45%' align='right'>
++ <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td><td width='45%' align='right'></form><form method='post' >
+
+ END
+- print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' /></tr>";
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' /></tr>";
+ print "</table></form>";
+ &Header::closebox();
+ }
+@@ -1269,7 +1269,7 @@ END
+ $fwdfwsettings{'SRC_PORT'}=~ s/\|/,/g;
+ print<<END;
+ </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18' ></td></tr>
+- <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES'>
++ <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES' style='width:230px;'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+@@ -1397,7 +1397,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}:</td><td colspan='2'><select name='cust_srvgrp'style='min-width:230px;' >
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}:</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $helper;
+@@ -1425,7 +1425,7 @@ END
+ $fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
+ print<<END;
+ </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' ></td></tr>
+- <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT'>
++ <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT' style='min-width:230px;'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+@@ -1847,6 +1847,7 @@ sub viewtablenew
+ print"<table width='100%' cellspacing='1' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
++ $tdcolor='';
+ @tmpsrc=();
+ #check if vpn hosts/nets have been deleted
+ if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
+@@ -1881,8 +1882,8 @@ sub viewtablenew
+ $$hash{$key}[2]='';
+ }
+ }
+- $$hash{$key}[3]='';
+- $$hash{$key}[5]='';
++ #$$hash{$key}[3]='';
++ #$$hash{$key}[5]='';
+ }
+ $$hash{'ACTIVE'}=$$hash{$key}[2];
+ $count++;
+@@ -1915,7 +1916,7 @@ END
+ $rulecolor=$color{'color16'};
+ }
+ print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
+- &getcolor($$hash{$key}[4]);
++ &getcolor($$hash{$key}[3],$$hash{$key}[4]);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
+@@ -1938,7 +1939,7 @@ END
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+ </td></form>
+ END
+- &getcolor($$hash{$key}[6]);
++ &getcolor($$hash{$key}[5],$$hash{$key}[6]);
+ print<<END;
+ <td align='center' width='160' $tdcolor>
+ END
+@@ -1947,6 +1948,7 @@ END
+ }else{
+ print $$hash{$key}[6];
+ }
++ $tdcolor='';
+ &gettgtport(\%$hash,$key);
+ print"</td>";
+ #Get Protocol
+@@ -2041,12 +2043,22 @@ END
+ }
+ print"</table>";
+ &Header::closebox();
++ print "<hr>";
+ }
+ }
+ sub getcolor
+ {
++ my $nettype=shift;
+ my $val=shift;
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
++ $tdcolor="style='border: 2px solid $Header::colourovpn;'";
++ return;
++ }
++ if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
++ $tdcolor="style='border: 2px solid $Header::colourvpn;'";
++ return;
++ }
+ foreach my $alias (sort keys %aliases)
+ {
+ if ($val eq $alias){
+@@ -2055,26 +2067,23 @@ sub getcolor
+ }
+ }
+ if ($val eq 'GREEN'){
+- $tdcolor="style='border: 2px solid green;'";
++ $tdcolor="style='border: 2px solid $Header::colourgreen;'";
+ }elsif ($val eq 'ORANGE'){
+- $tdcolor="style='border: 2px solid orange;'";
++ $tdcolor="style='border: 2px solid $Header::colourorange;'";
+ }elsif ($val eq 'BLUE'){
+- $tdcolor="style='border: 2px solid blue;'";
++ $tdcolor="style='border: 2px solid $Header::colourblue;'";
+ }elsif ($val eq 'IPFire' ){
+- $tdcolor="style='border: 2px solid red;'";
++ $tdcolor="style='border: 2px solid $Header::colourred;'";
+ }elsif($val =~ /^(.*?)\/(.*?)$/){
+ my ($sip,$scidr) = split ("/",$val);
+ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+- $tdcolor="style='border: 2px solid orange;'";
++ $tdcolor="style='border: 2px solid $Header::colourorange;'";
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+- $tdcolor="style='border: 2px solid green;'";
++ $tdcolor="style='border: 2px solid $Header::colourgreen;'";
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+- $tdcolor="style='border: 2px solid blue;'";
+- }
+- if ( &General::IpInSubnet($sip,$netsettings{'RED_ADDRESS'},$netsettings{'RED_NETMASK'})){
+- $tdcolor="style='border: 2px solid red;'";
++ $tdcolor="style='border: 2px solid $Header::colourblue;'";
+ }
+ }elsif ($val eq 'Default IP'){
+ $tdcolor="style='border: 2px solid red;'";
+--
+1.7.10.4
+
--- /dev/null
+From e62b98bd2dfbde1af93a4711cf9c1dc26dabf5f4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 06:25:26 +0100
+Subject: [PATCH 128/302] FOrward Firewall: Minor Layout changes
+
+---
+ html/cgi-bin/forwardfw.cgi | 11 ++++++-----
+ html/cgi-bin/fwhosts.cgi | 16 ++++++++--------
+ 2 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index bb6c42e..1952058 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1281,7 +1281,7 @@ END
+ }
+ }
+ print<<END;
+- </select></td></tr></table><hr>
++ </select></td></tr></table><br><hr>
+ END
+ &Header::closebox();
+
+@@ -1438,9 +1438,10 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- </table><hr><br><br>
++ </table><br><hr>
+
+ END
++ &Header::closebox;
+ #---Activate/logging/remark-------------------------------------
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
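Review bot: The added `&Header::closebox;` uses the `&name;` form without parentheses, which hands the callee the caller's current `@_` rather than an empty argument list; the other calls in these hunks are written `&Header::closebox();`. Writing `&Header::closebox();` here keeps the call consistent and avoids passing stray arguments. The same patch removes a `&Header::closebox();` in the later timeframe hunk, so it is worth checking that each openbox is still paired with exactly one closebox; the enclosing sub is not visible in the hunk.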
+@@ -1463,7 +1464,7 @@ END
+ </table><table width='100%'>
+ <tr><td width='1%'><input type='checkbox' name='ACTIVE' value='ON' $checked{'ACTIVE'}{'ON'}></td><td>$Lang::tr{'fwdfw rule activate'}</td></tr>
+ <tr><td width='1%'><input type='checkbox' name='LOG' value='ON' $checked{'LOG'}{'ON'} ></td><td>$Lang::tr{'fwdfw log rule'}</td></tr>
+- </table><hr><br>
++ </table><br><hr>
+ END
+ &Header::closebox();
+ #---ADD TIMEFRAME-----------------------------------------------
+@@ -1513,9 +1514,9 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- </table><hr>
++ </table><br><hr>
+ END
+- &Header::closebox();
++
+ #---ACTION------------------------------------------------------
+ if($fwdfwsettings{'updatefwrule'} ne 'on'){
+ print<<END;
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index ae018d6..dc82a18 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1098,8 +1098,8 @@ sub addnet
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
+- <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' size='64'></td></tr>
+- <tr><td colspan='6'><hr></hr></td></tr><tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' size='110'></td></tr>
++ <tr><td colspan='6'><br><hr></hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
+ {
+@@ -1125,7 +1125,7 @@ END
+ if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
+ print<<END;
+ </option></select></td><td align='right' width='15%'>IP/MAC:</td><td align='right'><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
+- <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' size='64'></td></tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' size='110'></td></tr>
+ <tr><td colspan='7'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+ <tr><td colspan='7'><hr></hr></td></tr>
+ END
+@@ -1158,7 +1158,7 @@ sub addgrp
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='TEXT' name='remark' size='35' value='$fwhostsettings{'remark'}'></tr>
+- <tr><td colspan='5'><hr></td></tr></table>
++ <tr><td colspan='5'><br><hr></td></tr></table>
+ END
+ }else{
+ print<<END;
+@@ -1288,7 +1288,7 @@ END
+
+ print<<END;
+ </select></td>
+- <tr><td colspan='6'><hr></td></tr>
++ <tr><td colspan='6'><br><hr></td></tr>
+ <tr><td colspan='6' align='right'>
+ END
+ if ($fwhostsettings{'updatesrv'} eq 'on')
+@@ -1324,14 +1324,14 @@ sub addservicegrp
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='SRVGRP_REMARK' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td></tr>
+- <tr><td colspan='4'><hr></td></td></tr>
++ <tr><td colspan='4'><br><hr></td></td></tr>
+ </table>
+ END
+ }else{
+ print<<END;
+ <table width='100%' border='0'><form method='post' style='display:inline'>
+ <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='srvgrp' value='$fwhostsettings{'SRVGRP_NAME'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='newsrvrem' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td><td><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldsrvrem' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='changesrvgrpremark' ></td></tr>
+- <tr><td colspan='5'><hr></td></td></tr>
++ <tr><td colspan='5'><br><hr></td></td></tr>
+ </table></form>
+ END
+ }
+@@ -1347,7 +1347,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- <tr><td colspan='4'><br><br><br></td></tr>
++ <tr><td colspan='4'><br><br></td></tr>
+ <tr><td colspan='4'><hr></td></tr>
+ </table>
+ END
+--
+1.7.10.4
+
--- /dev/null
+From 2a0be5ddef58a84b5e4fcb2371143458774909f7 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 06:43:11 +0100
+Subject: [PATCH 129/302] Forward Firewall: Some minor changes in Language
+ file timeframe:->timeframe
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1952058..f5a775b 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1846,7 +1846,7 @@ sub viewtablenew
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+ print"<table width='100%' cellspacing='1' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+- print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'fwdfw time'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+ @tmpsrc=();
+@@ -1980,7 +1980,7 @@ END
+ print"<td align='center' width='100'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27]</td>";
+ }
+ }else{
+- print"<td></td>";
++ print"<td align='center'>24/7</td>";
+ }
+ if($$hash{$key}[2] eq 'ON'){
+ $gif="/images/on.gif"
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 64bda2e..335610b 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -928,7 +928,7 @@
+ 'fwdfw target' => 'Ziel',
+ 'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):',
+ 'fwdfw till' => 'Bis:',
+-'fwdfw time' => 'Zeitrahmen:',
++'fwdfw time' => 'Zeitrahmen',
+ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+ 'fwdfw toggle' => 'Aktivieren oder deaktivieren',
+ 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 0118e8d..fd169b1 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -951,7 +951,7 @@
+ 'fwdfw target' => 'Target',
+ 'fwdfw targetip' => 'Target address (IP or network):',
+ 'fwdfw till' => 'Till:',
+-'fwdfw time' => 'Timeframe:',
++'fwdfw time' => 'Timeframe',
+ 'fwdfw timeframe' => 'Add timeframe',
+ 'fwdfw toggle' => 'Activate or deactivate',
+ 'fwdfw togglelog' => 'Activate or deactivate logging',
+--
+1.7.10.4
+
--- /dev/null
+From 020de7e98b0605b3a9d96c76b67056cf5a412dbb Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 08:28:48 +0100
+Subject: [PATCH 130/302] Forward Firewall: added default option SHOWCOLOR to
+ options and refined default behaviour of firewall
+ in forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 64 +++++++++++++++++++++-----------------------
+ html/cgi-bin/optionsfw.cgi | 1 +
+ 2 files changed, 32 insertions(+), 33 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index f5a775b..fd68314 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -342,35 +342,33 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ {
+- &General::readhasharray("$configfwdfw", \%configfwdfw);
+- foreach my $key (sort keys %configfwdfw){
+- &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,);
+- &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
+- &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
+- }
+- &General::readhasharray("$configinput", \%configinputfw);
+- foreach my $key (sort keys %configinputfw){
+- &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
+- &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
+- &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
+- }
+-
+- system("rm ${General::swroot}/forward/config");
+- system("rm ${General::swroot}/forward/input");
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+- unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+- my $MODE1=$fwdfwsettings{'POLICY1'};
+- %fwdfwsettings = ();
+- $fwdfwsettings{'POLICY'}='MODE2';
+- $fwdfwsettings{'POLICY1'}=$MODE1;
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- &reread_rules;
+-
+-}
+-if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
+-{
+- &General::readhasharray("$configoutgoing", \%configoutgoingfw);
++ if($fwdfwsettings{'poltype'} eq 'forward'){
++ &General::readhasharray("$configfwdfw", \%configfwdfw);
++ foreach my $key (sort keys %configfwdfw){
++ &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,);
++ &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
++ &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
++ }
++ &General::readhasharray("$configinput", \%configinputfw);
++ foreach my $key (sort keys %configinputfw){
++ &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
++ &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
++ &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
++ }
++
++ system("rm ${General::swroot}/forward/config");
++ system("rm ${General::swroot}/forward/input");
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
++ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++ my $MODE1=$fwdfwsettings{'POLICY1'};
++ %fwdfwsettings = ();
++ $fwdfwsettings{'POLICY'}='MODE2';
++ $fwdfwsettings{'POLICY1'}=$MODE1;
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ &reread_rules;
++ }else{
++ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+ foreach my $key (sort keys %configoutgoingfw){
+ &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
+ &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
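Review bot: The reset handler sends every `poltype` other than `forward` down the outgoing reset path, because the second branch is a bare `}else{`; a missing or unexpected form value therefore resets the outgoing rules. Matching it explicitly with `}elsif($fwdfwsettings{'poltype'} eq 'outgoing'){` leaves unknown values as a no-op. The forward branch could also use `unlink` and a plain `open`/`close` in place of `system("rm ...")` and `system("touch ...")`, which start a shell for each call. The else branch is closed in the following hunk, outside this one.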
+@@ -385,7 +383,7 @@ if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
+ $fwdfwsettings{'POLICY1'}='MODE2';
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &reread_rules;
+-
++ }
+ }
+ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'})
+ {
+@@ -598,7 +596,7 @@ print <<END;
+ <input type='submit' name='ACTION' value=$Lang::tr{'save'} /></td><td width='45%' align='right'>
+
+ END
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td></tr>";
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='forward' /></td></tr>";
+ print "</table></form>";
+ print"<br><br>";
+ print <<END;
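Review bot: The hidden `poltype` input added to the reset row is a client-supplied value, and the handler added earlier in this patch appears to reach the outgoing reset through a bare `else`, so a missing or unexpected value would still wipe a rule set. The handler should compare the submitted value against `forward` and `outgoing` explicitly and set `$errormessage` for anything else; the same holds for the `poltype` value `outgoing` added in the next hunk. That reset path also writes `MODE2` as the policy, which the select in the next hunk labels `fwdfw pol allow`. It is therefore worth confirming that this form carries request-forgery protection; none is visible in these lines, though the `<form>` tag itself is outside the hunk.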
+@@ -610,10 +608,10 @@ END
+ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td><td width='45%' align='right'></form><form method='post' >
++ <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td><td width='45%' align='right'>
+
+ END
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' /></tr>";
++ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='outgoing' /></tr>";
+ print "</table></form>";
+ &Header::closebox();
+ }
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index da246f3..39bd419 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -35,6 +35,7 @@ $settings{'DROPOUTGOING'} = 'on';
+ $settings{'DROPPORTSCAN'} = 'on';
+ $settings{'DROPWIRELESSINPUT'} = 'on';
+ $settings{'DROPWIRELESSFORWARD'} = 'on';
++$settings{'SHOWCOLORS'} = 'off';
+
+ my $errormessage = '';
+ my $warnmessage = '';
+--
+1.7.10.4
+
--- /dev/null
+From 730baf6dec81e4a266b5efe17167d8c455858658 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 09:12:25 +0100
+Subject: [PATCH 131/302] Forward Firewall: added color for target "internet"
+ (RED)
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index fd68314..7170068 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2071,6 +2071,8 @@ sub getcolor
+ $tdcolor="style='border: 2px solid $Header::colourorange;'";
+ }elsif ($val eq 'BLUE'){
+ $tdcolor="style='border: 2px solid $Header::colourblue;'";
++ }elsif ($val eq 'RED'){
++ $tdcolor="style='border: 2px solid $Header::colourred;'";
+ }elsif ($val eq 'IPFire' ){
+ $tdcolor="style='border: 2px solid $Header::colourred;'";
+ }elsif($val =~ /^(.*?)\/(.*?)$/){
+--
+1.7.10.4
+
--- /dev/null
+From b3e72890f665a4e8978e69cb7f39e0ea2f3b63ab Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 09:33:05 +0100
+Subject: [PATCH 132/302] Forward Firewall: fixed Table in servicegroups and
+ hostgroups
+
+---
+ html/cgi-bin/fwhosts.cgi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index dc82a18..abb60c9 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1499,7 +1499,7 @@ sub viewtablegrp
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='ACTION' value='delgrp'></form>";
+ }
+ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='remark' value='$remark' ><input type='hidden' name='ACTION' value='editgrp'></form>";
+- print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td></tr>";
++ print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td><td></td></tr>";
+ }
+
+ if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) {
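Review bot: The edit and delete forms printed just above the changed header line interpolate `$grpname` and `$remark` straight into single-quoted `value='…'` attributes, so a name or remark containing `'`, `<` or `&` would break out of the attribute; where these values come from is not visible here, but they look like administrator-entered text. HTML-escape both before printing, for example by computing an escaped copy once with the project's escaping helper and printing that instead. The same pattern appears with `SRVGRP_NAME` and `SRVGRP_REMARK` in the `viewtableservicegrp` hunk below. As a smaller point, the rewritten header row in both hunks still leaves the last `<b>` unclosed before `</td>`. Both subs start and end outside the hunks.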
+@@ -1620,7 +1620,7 @@ sub viewtableservicegrp
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>";
+ }
+ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='SRVGRP_REMARK' value='$remark' ><input type='hidden' name='ACTION' value='editservicegrp'></form>";
+- print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td></tr>";
++ print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td><td></td></tr>";
+ }
+ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+--
+1.7.10.4
+
--- /dev/null
+From d5270f997dfa5825bd46d996101f89f02ebbedf4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 09:50:22 +0100
+Subject: [PATCH 133/302] Forward Firewall: show default policy left aligned
+
+---
+ html/cgi-bin/forwardfw.cgi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7170068..29a6f70 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -587,8 +587,8 @@ sub base
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
+- <tr><td colspan='3' style='font-weight:bold;color:red;'>FORWARD </td></tr>
+- <tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
++ <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>FORWARD </td></tr>
++ <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text'}</td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+@@ -602,8 +602,8 @@ END
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
+- <tr><td colspan='3' style='font-weight:bold;color:red;'>OUTGOING </td></tr>
+- <tr><td colspan='3'>$Lang::tr{'fwdfw pol text1'}</td></tr>
++ <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>OUTGOING </td></tr>
++ <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text1'}</td></tr>
+ <tr><td colspan='3'><hr /></td></tr>
+ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+--
+1.7.10.4
+
--- /dev/null
+From 200bcad57d2ff6cb8b485888e642ad8b63909ee5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 10:01:27 +0100
+Subject: [PATCH 134/302] Forward Firewall: added newlines between groups in
+ tablerule
+
+---
+ html/cgi-bin/forwardfw.cgi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 29a6f70..3e170a1 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1834,6 +1834,7 @@ sub viewtablenew
+ &General::get_aliases(\%aliases);
+ &General::readhasharray("$config", $hash);
+ if( ! -z $config){
++ if ($title1 eq $Lang::tr{'external access'} || $title1 eq 'Outgoing'){print"<br><br>";}
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+ my ($gif,$log);
+--
+1.7.10.4
+
--- /dev/null
+From d5fb3cee764240f3ca9a86a89d572e8a7d7b22f4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 10:12:59 +0100
+Subject: [PATCH 135/302] FORWARD Firewall: edited ruletable to look better on
+ IE
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 3e170a1..2343c41 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1844,7 +1844,7 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' cellspacing='1' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<table width='100%' cellspacing='1' style=' padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'fwdfw time'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+--
+1.7.10.4
+
--- /dev/null
+From 33c8bbea142e58ae1ee3d72687c954a1f52f114d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 11:27:30 +0100
+Subject: [PATCH 136/302] Forward Firewall: New Firewall-option "show remark
+ in ruletable"
+
+---
+ html/cgi-bin/forwardfw.cgi | 8 +++++---
+ html/cgi-bin/optionsfw.cgi | 6 ++++++
+ langs/de/cgi-bin/de.pl | 3 ++-
+ langs/en/cgi-bin/en.pl | 3 ++-
+ 4 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 2343c41..3776542 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1900,7 +1900,7 @@ sub viewtablenew
+ }
+ print"<tr bgcolor='$color' >";
+ print<<END;
+- <td align='right' width='15'>$key</td>
++ <td align='right' width='15'><b>$key</b></td>
+ END
+ if ($$hash{$key}[0] eq 'ACCEPT'){
+ $ruletype='A';
+@@ -2038,8 +2038,10 @@ END
+ print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>";
+ }
+ #REMARK
+- print"<tr bgcolor='$color'><td colspan='13' style='border-bottom: 1px solid black'>";
+- print"<b>$Lang::tr{'remark'}:</b> $$hash{$key}[16]</td></tr>";
++ if ($optionsfw{'SHOWREMARK'} eq 'on'){
++ print"<tr bgcolor='$color'><td colspan='13' style='border-bottom: 1px solid black'>";
++ print"<b>$Lang::tr{'remark'}:</b> $$hash{$key}[16]</td></tr>";
++ }
+ }
+ print"</table>";
+ &Header::closebox();
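Review bot: The remark in `$$hash{$key}[16]` is written into the table cell as raw HTML, now inside the new `SHOWREMARK` condition, so whatever markup was stored with the rule is rendered in the administrator's browser. Elsewhere in this series the save path calls `validremark`, but what it permits is not visible here and it does not cover entries already in the config file, so the output should be escaped regardless of input validation. Print an escaped copy instead, e.g. `my $remark_html = <escape>($$hash{$key}[16]);` using the escaping helper the project already ships. The remark cell is rewritten again in patches 138 and 139 with the same unescaped interpolation. `viewtablenew` begins and ends outside this hunk.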
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 39bd419..ab34230 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -36,6 +36,7 @@ $settings{'DROPPORTSCAN'} = 'on';
+ $settings{'DROPWIRELESSINPUT'} = 'on';
+ $settings{'DROPWIRELESSFORWARD'} = 'on';
+ $settings{'SHOWCOLORS'} = 'off';
++$settings{'SHOWREMARK'} = 'on';
+
+ my $errormessage = '';
+ my $warnmessage = '';
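Review bot: The `'on'` default for `SHOWREMARK` is set only in optionsfw.cgi, while forwardfw.cgi in this same patch tests `$optionsfw{'SHOWREMARK'} eq 'on'`. If forwardfw.cgi fills `%optionsfw` from a settings file saved before this option existed (the loading code is not visible here), the key is undefined there, the remarks disappear, and the options page still shows the radio button as on. Treating an unset value as the default keeps the two pages consistent: `if (!defined $optionsfw{'SHOWREMARK'} || $optionsfw{'SHOWREMARK'} eq 'on'){`.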
+@@ -95,6 +96,9 @@ $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'";
+ $checked{'SHOWCOLORS'}{'off'} = '';
+ $checked{'SHOWCOLORS'}{'on'} = '';
+ $checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'";
++$checked{'SHOWREMARK'}{'off'} = '';
++$checked{'SHOWREMARK'}{'on'} = '';
++$checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'";
+ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+ $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
+
+@@ -135,6 +139,8 @@ print <<END
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>on <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
+ <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'fw settings remark'}</td><td align='left'>on <input type='radio' name='SHOWREMARK' value='on' $checked{'SHOWREMARK'}{'on'} />/
++ <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
+ </table>
+ <br />
+ <table width='95%' cellspacing='0'>
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 335610b..f9fe1b9 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1035,6 +1035,7 @@
+ 'fw default drop' => 'Firewall Policy',
+ 'fw settings' => 'Firewall Einstellungen',
+ 'fw settings color' => 'Farben in Regeltabelle anzeigen',
++'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
+ 'fw logging' => 'Firewall Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+@@ -1425,7 +1426,7 @@
+ 'network traffic graphs others' => 'Netzwerk (sonstige)',
+ 'network updated' => 'Benutzerdefiniertes Netzwerk aktualisiert',
+ 'networks settings' => 'Firewall - Netzwerkeinstellungen',
+-'new optionsfw later' => 'Ihre Modifikation(en) wird (werden) beim nächsten Neustart aktiv werden',
++'new optionsfw later' => 'Einige Einstellungen werden erst nach einem Neustart aktiv',
+ 'new optionsfw must boot' => 'Sie müssen Ihren IPFire neu starten',
+ 'newer' => 'Neuer',
+ 'next' => 'Nächster',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index fd169b1..0e6480f 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1058,6 +1058,7 @@
+ 'fw default drop' => 'Firewall policy',
+ 'fw settings' => 'Firewall settings',
+ 'fw settings color' => 'Show colors in ruletable',
++'fw settings remark' => 'Show remarks in ruletable',
+ 'fw logging' => 'Firewall logging',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+@@ -1451,7 +1452,7 @@
+ 'network traffic graphs others' => 'Network (others)',
+ 'network updated' => 'Custom Network updated',
+ 'networks settings' => 'Firewall - Network settings',
+-'new optionsfw later' => 'Your modification(s) will be active on next restart',
++'new optionsfw later' => 'Some options need a reboot to take effect',
+ 'new optionsfw must boot' => 'You must reboot your IPFire',
+ 'newer' => 'Newer',
+ 'next' => 'next',
+--
+1.7.10.4
+
--- /dev/null
+From d2dc574795cdb07e5ecb3e09baa4a96f297d55d7 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Feb 2013 13:04:30 +0100
+Subject: [PATCH 137/302] Forward Firewall: removed cellspacing and black
+ lines between rules in ruletable
+
+---
+ html/cgi-bin/forwardfw.cgi | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 3776542..694409f 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1832,6 +1832,7 @@ sub viewtablenew
+ my $title1=shift;
+ my $go='';
+ &General::get_aliases(\%aliases);
++ &General::readhasharray("$confighost", \%customhost);
+ &General::readhasharray("$config", $hash);
+ if( ! -z $config){
+ if ($title1 eq $Lang::tr{'external access'} || $title1 eq 'Outgoing'){print"<br><br>";}
+@@ -1844,7 +1845,7 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' cellspacing='1' style=' padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<table width='100%' cellspacing='0' style=' padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'fwdfw time'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+@@ -1916,7 +1917,7 @@ END
+ $rulecolor=$color{'color16'};
+ }
+ print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
+- &getcolor($$hash{$key}[3],$$hash{$key}[4]);
++ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
+@@ -1939,7 +1940,7 @@ END
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+ </td></form>
+ END
+- &getcolor($$hash{$key}[5],$$hash{$key}[6]);
++ &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost);
+ print<<END;
+ <td align='center' width='160' $tdcolor>
+ END
+@@ -2039,7 +2040,7 @@ END
+ }
+ #REMARK
+ if ($optionsfw{'SHOWREMARK'} eq 'on'){
+- print"<tr bgcolor='$color'><td colspan='13' style='border-bottom: 1px solid black'>";
++ print"<tr bgcolor='$color'><td colspan='13'>";
+ print"<b>$Lang::tr{'remark'}:</b> $$hash{$key}[16]</td></tr>";
+ }
+ }
+@@ -2052,7 +2053,9 @@ sub getcolor
+ {
+ my $nettype=shift;
+ my $val=shift;
++ my $hash=shift;
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ #VPN networks
+ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+ $tdcolor="style='border: 2px solid $Header::colourovpn;'";
+ return;
+@@ -2061,6 +2064,15 @@ sub getcolor
+ $tdcolor="style='border: 2px solid $Header::colourvpn;'";
+ return;
+ }
++ #custom Hosts
++ if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
++ foreach my $key (sort keys %$hash){
++ if ($$hash{$key}[0] eq $val){
++ $val=$$hash{$key}[2];
++ }
++ }
++ }
++ #ALIASE
+ foreach my $alias (sort keys %aliases)
+ {
+ if ($val eq $alias){
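Review bot: The custom-host lookup added to `getcolor` keeps iterating after it has replaced `$val`, so a later entry whose name happens to equal the substituted address would be substituted a second time, and every call walks the whole table even after a hit. Leave the loop at the first match by adding `last;` after the assignment: `$val=$$hash{$key}[2]; last;`. `getcolor` starts and ends outside this hunk.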
+@@ -2068,6 +2080,7 @@ sub getcolor
+ return;
+ }
+ }
++ #standard networks
+ if ($val eq 'GREEN'){
+ $tdcolor="style='border: 2px solid $Header::colourgreen;'";
+ }elsif ($val eq 'ORANGE'){
+--
+1.7.10.4
+
--- /dev/null
+From dba7751945772a87f1ef35a2ecfe8cbf18be1601 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 23 Feb 2013 06:21:42 +0100
+Subject: [PATCH 138/302] Forward Firewall: made colored borders in ruletable
+ thinner (1px) and changed remarkline
+
+---
+ html/cgi-bin/forwardfw.cgi | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 694409f..24118ab 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2040,8 +2040,8 @@ END
+ }
+ #REMARK
+ if ($optionsfw{'SHOWREMARK'} eq 'on'){
+- print"<tr bgcolor='$color'><td colspan='13'>";
+- print"<b>$Lang::tr{'remark'}:</b> $$hash{$key}[16]</td></tr>";
++ print"<tr bgcolor='$color'>";
++ print"<td colspan='2'> </td><td colspan='11'>$$hash{$key}[16]</td></tr>";
+ }
+ }
+ print"</table>";
+@@ -2057,11 +2057,11 @@ sub getcolor
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
+ #VPN networks
+ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+- $tdcolor="style='border: 2px solid $Header::colourovpn;'";
++ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+ return;
+ }
+ if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
+- $tdcolor="style='border: 2px solid $Header::colourvpn;'";
++ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+ return;
+ }
+ #custom Hosts
+@@ -2082,28 +2082,28 @@ sub getcolor
+ }
+ #standard networks
+ if ($val eq 'GREEN'){
+- $tdcolor="style='border: 2px solid $Header::colourgreen;'";
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ }elsif ($val eq 'ORANGE'){
+- $tdcolor="style='border: 2px solid $Header::colourorange;'";
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
+ }elsif ($val eq 'BLUE'){
+- $tdcolor="style='border: 2px solid $Header::colourblue;'";
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ }elsif ($val eq 'RED'){
+- $tdcolor="style='border: 2px solid $Header::colourred;'";
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ }elsif ($val eq 'IPFire' ){
+- $tdcolor="style='border: 2px solid $Header::colourred;'";
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ }elsif($val =~ /^(.*?)\/(.*?)$/){
+ my ($sip,$scidr) = split ("/",$val);
+ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+- $tdcolor="style='border: 2px solid $Header::colourorange;'";
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+- $tdcolor="style='border: 2px solid $Header::colourgreen;'";
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+- $tdcolor="style='border: 2px solid $Header::colourblue;'";
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ }
+ }elsif ($val eq 'Default IP'){
+- $tdcolor="style='border: 2px solid red;'";
++ $tdcolor="style='border: 1px solid red;'";
+ }else{
+ $tdcolor='';
+ }
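Review bot: In the address branch (`$val =~ /^(.*?)\/(.*?)$/`) `$tdcolor` is assigned only when one of the three `IpInSubnet` tests succeeds, so for an address outside ORANGE, GREEN and BLUE the variable keeps whatever the previous `getcolor` call left in it. `viewtablenew` calls `getcolor` for the source and then for the target of the same row, which means a target cell can show the source's zone colour unless `$tdcolor` is cleared in between somewhere outside these hunks. Clearing it at the top of the branch fixes that: `$tdcolor='';` before the `split`. `getcolor` starts outside this hunk.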
+--
+1.7.10.4
+
--- /dev/null
+From e5bf7723493b59a88bb86cc75819359c14fdc3c4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 23 Feb 2013 06:33:15 +0100
+Subject: [PATCH 139/302] Forward Firewall: minor changes an ruletable
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 24118ab..2b1d962 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2041,7 +2041,7 @@ END
+ #REMARK
+ if ($optionsfw{'SHOWREMARK'} eq 'on'){
+ print"<tr bgcolor='$color'>";
+- print"<td colspan='2'> </td><td colspan='11'>$$hash{$key}[16]</td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='11'>$$hash{$key}[16]</td></tr>";
+ }
+ }
+ print"</table>";
+--
+1.7.10.4
+
--- /dev/null
+From 4a406e818a27440fc8a50369e69401d3f76ac566 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 23 Feb 2013 20:28:47 +0100
+Subject: [PATCH 140/302] Forward Firewall: added p2p-block.cgi to apache2
+
+---
+ config/rootfiles/common/apache2 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
+index b5aa583..524ce06 100644
+--- a/config/rootfiles/common/apache2
++++ b/config/rootfiles/common/apache2
+@@ -1414,6 +1414,7 @@ srv/web/ipfire/cgi-bin/netother.cgi
+ #srv/web/ipfire/cgi-bin/outgoinggrp.cgi
+ srv/web/ipfire/cgi-bin/optionsfw.cgi
+ srv/web/ipfire/cgi-bin/ovpnmain.cgi
++srv/web/ipfire/cgi-bin/p2p-block.cgi
+ srv/web/ipfire/cgi-bin/pakfire.cgi
+ srv/web/ipfire/cgi-bin/portfw.cgi
+ srv/web/ipfire/cgi-bin/pppsetup.cgi
+--
+1.7.10.4
+
--- /dev/null
+From e0dfa697d69df2bcf616519b7dfcdb06be49829a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 13:03:54 +0100
+Subject: [PATCH 141/302] Forward Firewall: Some further layout changes. 1)
+ New textfile for DMZ rules 2) Tablegroups are shown
+ on firewall site 3) Option in firewall-options to
+ disable emtpy ruletables 4) Infotext on P2P-Block
+ site
+
+---
+ html/cgi-bin/forwardfw.cgi | 171 +++++++++++++++++++++++++++++++++++++++-----
+ html/cgi-bin/p2p-block.cgi | 1 +
+ langs/de/cgi-bin/de.pl | 3 +
+ langs/en/cgi-bin/en.pl | 3 +
+ 4 files changed, 162 insertions(+), 16 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 2b1d962..a14c679 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -46,6 +46,7 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
++unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); }
+
+ my %fwdfwsettings=();
+ my %selected=() ;
+@@ -62,6 +63,7 @@ my %ccdhost=();
+ my %configfwdfw=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
++my %configdmzfw=();
+ my %ipsecconf=();
+ my %color=();
+ my %mainsettings=();
+@@ -85,12 +87,14 @@ my $configipsecrw = "${General::swroot}/vpn/settings";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
++my $configdmz = "${General::swroot}/forward/dmz";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+ my $fwoptions = "${General::swroot}/optionsfw/settings";
+ my $errormessage='';
+ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+ my $tdcolor='';
++my $checkorange='';
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+@@ -118,15 +122,83 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
++
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
++ #check if manual ip (source) is orange network
++ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
++ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $checkorange='on';
++ }
++ }
++ #check useless rules
++ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){
++ $errormessage.=$Lang::tr{'fwdfw useless rule'}."<br>";
++ }
++
+ #check if we try to break rules
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
++ print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'} neue grp1 ist $fwdfwsettings{$fwdfwsettings{'grp1'}} alte grp1 $fwdfwsettings{'oldgrp1b'} und altgrp2 ist $fwdfwsettings{'oldgrp2a'} und aktuell grp2 $fwdfwsettings{'grp2'} und update ist $fwdfwsettings{'updatefwrule'}<br>";
++
++ #DMZ-Part
++ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
++ $fwdfwsettings{'config'}=$configdmz;
++ $fwdfwsettings{'chain'} = 'FORWARDFW';
++ my $maxkey=&General::findhasharraykey(\%configdmzfw);
++ #check if we have an identical rule already
++ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
++ foreach my $key (sort keys %configdmzfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
++ $errormessage='';
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
++ }
++ }
++ }
++ #check Rulepos on new Rule
++ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ $fwdfwsettings{'oldrulenumber'}=$maxkey;
++ foreach my $key (sort keys %configdmzfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ }
++ #check if we just close a rule
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $errormessage='';
++ $fwdfwsettings{'nosave2'} = 'on';
++ }
++ }
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ($fwdfwsettings{'nobase'} ne 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ }
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++ if($fwdfwsettings{'nosave2'} ne 'on'){
++ &saverule(\%configdmzfw,$configdmz);
++ }
+ #INPUT part
+- if($fwdfwsettings{'grp2'} eq 'ipfire'){
++ }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+ $fwdfwsettings{'config'}=$configinput;
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ my $maxkey=&General::findhasharraykey(\%configinputfw);
+@@ -1030,6 +1102,7 @@ sub newrule
+ {
+ &error;
+ &General::setup_default_networks(\%defaultNetworks);
++ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+ #read all configfiles
+ &General::readhasharray("$configccdnet", \%ccdnet);
+ &General::readhasharray("$confignet", \%customnetwork);
+@@ -1125,11 +1198,32 @@ sub newrule
+ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
+ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
+ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
++ #check if manual ip (source) is orange network
++ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
++ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $fwdfwsettings{'oldorange'} ='on';
++ }
++ }
+ }else{
+ $fwdfwsettings{'ACTIVE'}='ON';
+ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
++ $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'};
++ $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}};
++ $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'};
++ $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}};
++ $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'};
++ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
++ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
++ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
++ #check if manual ip (source) is orange network
++ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
++ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $fwdfwsettings{'oldorange'} ='on';
++ }
++ }
+ }
+-
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+
+ print <<END;
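Review bot: The ORANGE-source check added here is pasted identically into both branches of the `if`/`else`, along with the `old*` assignments that the `else` branch now repeats, so the two copies can drift apart; moving the block below the closing `}` would run it once. The check passes `$sip` straight from `split` to `&General::IpInSubnet` and never uses `$scidr`, so a manually entered source network is classified as DMZ from its base address alone. If no ORANGE interface is configured, `$netsettings{'ORANGE_ADDRESS'}` is presumably empty, and how `IpInSubnet` treats that is not visible here, so a guard such as `if ($fwdfwsettings{'grp1'} eq 'src_addr' && $netsettings{'ORANGE_ADDRESS'} ne ''){` is worth adding. newrule starts and ends outside this hunk.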
+@@ -1539,6 +1633,7 @@ END
+ <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
+ <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
+ <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
++ <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' />
+ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+ </table></form>
+ END
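Review bot: The new hidden `oldorange` field round-trips a server-side classification through the browser, and saverule later uses the posted value to choose which rule file `&changerule` is applied to; the stored rule identified by `oldrulenumber` would be a more reliable source than a form field the client can alter. The value is also interpolated into the attribute unescaped (`value='$fwdfwsettings{'oldorange'}'`), so if `%fwdfwsettings` is filled from request parameters, which is not visible in this hunk, it should be HTML-escaped or restricted to `on`/empty before printing. Separately, the unchanged back-button line has `value'reset'` without the `=`, so that form presumably does not submit the intended `ACTION`.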
+@@ -1550,30 +1645,68 @@ sub saverule
+ my $hash=shift;
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
++ print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'}<br>";
++
+ if (!$errormessage){
++ #check if we change a DMZ to an outgoing
++ if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configdmz);
++ print"1";
++ }
++ #check if we change a DMZ to an external access
++ elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configdmz);
++ print"2";
++ }
++ #check if we change an external access rule to a outgoing
++ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configinput);
++ print"3";
++ }
++ #check if we change an external access rule to a DMZ
++ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configinput);
++ print"4";
++ }
++ #check if we change an outgoing rule to a external access
++ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ print"5";
++ }
++ #check if we change an outgoing rule to a DMZ
++ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configoutgoing);
++ print"6";
++ }
+ #check if we change an forward rule to an external access
+- if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configfwdfw);
++ print"7";
++ }
++ #check if we change an forward rule to an DMZ
++ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configfwdfw);
++ print"8";
+ }
+ #check if we change an forward rule to an outgoing
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configfwdfw);
++ print"9";
+ }
+- #check if we change an external access rule to a forward
+- if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
++ #check if we change a DMZ to a forward
++ elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && ($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &changerule($configdmz);
++ print"10";
+ }
+- #check if we change an external access rule to a outgoing
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ #check if we change an external access rule to a forward
++ elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configinput);
++ print"11";
+ }
+ #check if we change an outgoing rule to a forward
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' &&$fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configoutgoing);
+- }
+- #check if we change an outgoing rule to a external access
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configoutgoing);
++ print"12";
+ }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
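Review bot: The rewritten chain in saverule is split into four separate `if` groups (the `if` under "outgoing rule to a external access", under "outgoing rule to a DMZ" and under "forward rule to an DMZ" each start a new one), so a single update can trigger more than one `&changerule`. For example, an outgoing rule changed to a DMZ rule satisfies both the "outgoing rule to a DMZ" test and the "forward rule to an DMZ" test, because `oldgrp1b` is `IPFire` and therefore `ne 'ORANGE'`; this calls `&changerule($configoutgoing)` and `&changerule($configfwdfw)`. What changerule does is outside this hunk, but if it removes the entry at the old rule number, an unrelated forward rule would be affected; turning those three `if(` into `elsif(` gives one chain in which the first, most specific match wins. The added `print"1";` to `print"12";` and the `print" save1 checkorange ist ...` line write debug output, including the unescaped form value `$fwdfwsettings{'oldorange'}`, into the page and should not ship. The same chain appears again in the saverule hunk of PATCH 143/302 further down.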
+@@ -1820,7 +1953,8 @@ sub get_serviceports
+ sub viewtablerule
+ {
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+- &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
++ &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" );
++ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ }
+@@ -1835,7 +1969,6 @@ sub viewtablenew
+ &General::readhasharray("$confighost", \%customhost);
+ &General::readhasharray("$config", $hash);
+ if( ! -z $config){
+- if ($title1 eq $Lang::tr{'external access'} || $title1 eq 'Outgoing'){print"<br><br>";}
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+ my ($gif,$log);
+@@ -2047,6 +2180,12 @@ END
+ print"</table>";
+ &Header::closebox();
+ print "<hr>";
++ print "<br><br>";
++ }else{
++ if ($optionsfw{'SHOWTABLES'} eq 'on'){
++ print "<b>$title1</b><br>";
++ print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr></table><br><br>";
++ }
+ }
+ }
+ sub getcolor
+diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi
+index 1c69a0e..9d248a1 100755
+--- a/html/cgi-bin/p2p-block.cgi
++++ b/html/cgi-bin/p2p-block.cgi
+@@ -121,6 +121,7 @@ END
+ }
+ print"<tr><td><img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>";
+ print"<tr><td><img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>";
++ print"<br><br><br><table width='100%'><tr><td align='left'>$Lang::tr{'fwdfw p2p txt'}</td></tr></table>";
+ &Header::closebox();
+ }
+ sub rules
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index f9fe1b9..b59f196 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -912,6 +912,7 @@
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
++'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist. Eventuell sollten die QOS Einstellungen entsprechend gesetzt werden.',
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+@@ -932,6 +933,7 @@
+ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+ 'fwdfw toggle' => 'Aktivieren oder deaktivieren',
+ 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
++'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.',
+ 'fwdfw use srcport' => 'Quellport benutzen',
+ 'fwdfw use srv' => 'Ziel-Dienstport benutzen',
+ 'fwdfw newrule' => 'Neue Regel',
+@@ -1036,6 +1038,7 @@
+ 'fw settings' => 'Firewall Einstellungen',
+ 'fw settings color' => 'Farben in Regeltabelle anzeigen',
+ 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
++'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+ 'fw logging' => 'Firewall Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 0e6480f..1ef3205 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -935,6 +935,7 @@
+ 'fwdfw man port' => 'Port(s) manual:',
+ 'fwdfw moveup' => 'Move up',
+ 'fwdfw movedown' => 'Move down',
++'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly. Maybe you should have a look at the QOS settings.',
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+@@ -955,6 +956,7 @@
+ 'fwdfw timeframe' => 'Add timeframe',
+ 'fwdfw toggle' => 'Activate or deactivate',
+ 'fwdfw togglelog' => 'Activate or deactivate logging',
++'fwdfw useless rule' => 'This rule is rejected (useless).',
+ 'fwdfw use srcport' => 'Use sourceport',
+ 'fwdfw use srv' => 'Use targetport',
+ 'fwdfw newrule' => 'New rule',
+@@ -1059,6 +1061,7 @@
+ 'fw settings' => 'Firewall settings',
+ 'fw settings color' => 'Show colors in ruletable',
+ 'fw settings remark' => 'Show remarks in ruletable',
++'fw settings ruletable' => 'Show empty ruletables',
+ 'fw logging' => 'Firewall logging',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+--
+1.7.10.4
+
--- /dev/null
+From 5274b0dbddc8f769f564073b68311dcbda2565d1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 13:11:13 +0100
+Subject: [PATCH 142/302] Forward Firewall: some changes for ISO
+
+---
+ config/rootfiles/common/configroot | 2 ++
+ lfs/configroot | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 0e311c7..a64ce06 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -48,6 +48,8 @@ var/ipfire/forward/bin/firewall-lib.pl
+ var/ipfire/forward/settings
+ var/ipfire/forward/config
+ var/ipfire/forward/input
++var/ipfire/forward/outgoing
++var/ipfire/forward/dmz
+ var/ipfire/forward/p2protocols
+ var/ipfire/fwhosts
+ var/ipfire/fwhosts/icmp-types
+diff --git a/lfs/configroot b/lfs/configroot
+index 47906b0..28fbafb 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -64,7 +64,7 @@ $(TARGET) :
+ for i in auth/users backup/include.user backup/exclude.user \
+ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+- extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
++ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
+ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
+@@ -119,6 +119,9 @@ $(TARGET) :
+ echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
+--
+1.7.10.4
+
--- /dev/null
+From 865af8d21c75810ab0c03c8625e8c0d700ab5fda Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 13:22:43 +0100
+Subject: [PATCH 143/302] Forward Firewall: disabled some dev-comments
+
+---
+ html/cgi-bin/forwardfw.cgi | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index a14c679..5650717 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -142,8 +142,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
+- print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'} neue grp1 ist $fwdfwsettings{$fwdfwsettings{'grp1'}} alte grp1 $fwdfwsettings{'oldgrp1b'} und altgrp2 ist $fwdfwsettings{'oldgrp2a'} und aktuell grp2 $fwdfwsettings{'grp2'} und update ist $fwdfwsettings{'updatefwrule'}<br>";
+-
+ #DMZ-Part
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
+ $fwdfwsettings{'config'}=$configdmz;
+@@ -1645,68 +1643,66 @@ sub saverule
+ my $hash=shift;
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+- print" save1 checkorange ist $checkorange und oldorange ist $fwdfwsettings{'oldorange'}<br>";
+-
+ if (!$errormessage){
+ #check if we change a DMZ to an outgoing
+ if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configdmz);
+- print"1";
++ #print"1";
+ }
+ #check if we change a DMZ to an external access
+ elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configdmz);
+- print"2";
++ #print"2";
+ }
+ #check if we change an external access rule to a outgoing
+ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configinput);
+- print"3";
++ #print"3";
+ }
+ #check if we change an external access rule to a DMZ
+ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configinput);
+- print"4";
++ #print"4";
+ }
+ #check if we change an outgoing rule to a external access
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configoutgoing);
+- print"5";
++ #print"5";
+ }
+ #check if we change an outgoing rule to a DMZ
+ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configoutgoing);
+- print"6";
++ #print"6";
+ }
+ #check if we change an forward rule to an external access
+ elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configfwdfw);
+- print"7";
++ #print"7";
+ }
+ #check if we change an forward rule to an DMZ
+ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configfwdfw);
+- print"8";
++ #print"8";
+ }
+ #check if we change an forward rule to an outgoing
+ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configfwdfw);
+- print"9";
++ #print"9";
+ }
+ #check if we change a DMZ to a forward
+ elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && ($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configdmz);
+- print"10";
++ #print"10";
+ }
+ #check if we change an external access rule to a forward
+ elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configinput);
+- print"11";
++ #print"11";
+ }
+ #check if we change an outgoing rule to a forward
+ elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ &changerule($configoutgoing);
+- print"12";
++ #print"12";
+ }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
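Review bot: The twelve debug statements are only commented out (`#print"1";` to `#print"12";`) rather than deleted, which leaves a dead line inside every branch of saverule. Removing them entirely would read better, since the existing `#check if we change ...` comments already document each branch. The hunk leaves the mixed `if`/`elsif` grouping of the chain as it was. saverule starts and ends outside this hunk.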
+--
+1.7.10.4
+
--- /dev/null
+From 9f948f6019551fcd819e198573adec30f13a4089 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 13:56:48 +0100
+Subject: [PATCH 144/302] Forward Firewall: rules.pl supports now DMZ rules.
+ These rules are applied first
+
+---
+ config/forwardfw/rules.pl | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 7d03432..764f6bc 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -43,6 +43,7 @@ our %targethash=();
+ my @timeframe=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
++my %configdmzfw=();
+ my %aliases=();
+ my @DPROT=();
+ my @p2ps=();
+@@ -50,6 +51,7 @@ require '/var/ipfire/general-functions.pl';
+ require "${General::swroot}/lang.pl";
+ require "${General::swroot}/forward/bin/firewall-lib.pl";
+
++my $configdmz = "${General::swroot}/forward/dmz";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("$netsettings", \%defaultNetworks);
++&General::readhasharray($configdmz, \%configdmzfw);
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
+ &General::readhasharray($configoutgoing, \%configoutgoingfw);
+@@ -132,6 +135,9 @@ sub flush
+ }
+ sub preparerules
+ {
++ if (! -z "${General::swroot}/forward/dmz"){
++ &buildrules(\%configdmzfw);
++ }
+ if (! -z "${General::swroot}/forward/config"){
+ &buildrules(\%configfwdfw);
+ }
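Review bot: The new test spells out the path `"${General::swroot}/forward/dmz"` although this commit also introduces `$configdmz` for the same file; `if (! -z $configdmz){` would keep the check and the `readhasharray` call tied to one definition. `! -z` is also true when the file does not exist, in which case `&buildrules` is called with whatever `%configdmzfw` holds, presumably an empty hash. Since the commit message says DMZ rules are applied first, a comment such as `# DMZ rules are built before the forward rules (order is intentional)` above the block would record that for the next maintainer. preparerules continues outside the hunk.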
+--
+1.7.10.4
+
--- /dev/null
+From 8c0a19510e02ab841708fec8c818204e0d3355f2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 21:25:53 +0100
+Subject: [PATCH 145/302] Forward Firewall: Bugfix: Error appending or writing
+ comments in rule
+
+---
+ html/cgi-bin/forwardfw.cgi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 5650717..7d09e4c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -153,7 +153,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+ $errormessage='';
+ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
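Review bot: With `&& $fwdfwsettings{'ruleremark'} eq ''` removed, the new `if` is true for every changed remark on an update, so the following `elsif` can no longer be reached; it repeats the same two tests before calling `&validremark`, and an invalid remark now clears `$errormessage` instead of raising `fwdfw err remark`. Keeping the validation in the first test fixes this: `if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && ($fwdfwsettings{'ruleremark'} eq '' || &validremark($fwdfwsettings{'ruleremark'}))){`. This matters because the last hunk of this patch prints the stored remark, `$$hash{$key}[16]`, into the rule table without escaping; whether the remark is validated again before it is saved is not visible here. The same change is made in the hunks at -206, -279 and -335, and the enclosing block continues outside each of them.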
+@@ -206,7 +206,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+@@ -279,7 +279,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+@@ -335,7 +335,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} eq ''){
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+ $errormessage='';
+ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+@@ -2170,7 +2170,7 @@ END
+ #REMARK
+ if ($optionsfw{'SHOWREMARK'} eq 'on'){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='11'>$$hash{$key}[16]</td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='11'>  $$hash{$key}[16]</td></tr>";
+ }
+ }
+ print"</table>";
+--
+1.7.10.4
+
--- /dev/null
+From d3417d5359f5a529fcab30f33359ab973edf1ab8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 25 Feb 2013 21:40:09 +0100
+Subject: [PATCH 146/302] Forward Firewall: Forgot to delete a dev-comment
+
+---
+ config/forwardfw/convert-outgoingfw | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 22c9272..e7d8e80 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -249,7 +249,6 @@ sub check_grp
+ sub process_rules
+ {
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+- print"uzlputz modus ist $outsettings{'POLICY'} \n";
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+ $fwdfwsettings{'POLICY'}='MODE1';
+--
+1.7.10.4
+
--- /dev/null
+From d8c57f83cefdbe94b546456499911a242df03322 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Feb 2013 06:16:14 +0100
+Subject: [PATCH 147/302] Forward Firewall: added a 1px heigh line after each
+ rule. so the coloured borders are looking better
+
+---
+ html/cgi-bin/forwardfw.cgi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7d09e4c..f7d2bb1 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1974,7 +1974,7 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' cellspacing='0' style=' padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
++ print"<table width='100%' cellspacing='0' cellpadding='0'>";
+ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'fwdfw time'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+@@ -2172,6 +2172,7 @@ END
+ print"<tr bgcolor='$color'>";
+ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='11'>  $$hash{$key}[16]</td></tr>";
+ }
++ print"<tr bgcolor='$color'><td height='1'></td><td bgcolor='$rulecolor'></td><td colspan='11'></td></tr>";
+ }
+ print"</table>";
+ &Header::closebox();
+--
+1.7.10.4
+
--- /dev/null
+From f5481c3cf0b5e8984d2d164d351edc527fe037c2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Feb 2013 13:41:23 +0100
+Subject: [PATCH 148/302] Forward Firewall: reordered 50-firewall.menu
+
+---
+ config/menu/50-firewall.menu | 48 +++++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index 0295343..0bf9082 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -1,45 +1,45 @@
+- $subfirewall->{'10.dnat'} = {
+- 'caption' => $Lang::tr{'ssport forwarding'},
+- 'uri' => '/cgi-bin/portfw.cgi',
+- 'title' => "$Lang::tr{'ssport forwarding'}",
+- 'enabled' => 1,
+- };
+- $subfirewall->{'30.wireless'} = {
+- 'caption' => $Lang::tr{'blue access'},
+- 'uri' => '/cgi-bin/wireless.cgi',
+- 'title' => "$Lang::tr{'blue access'}",
+- 'enabled' => 1,
+- };
+- $subfirewall->{'51.forward'} = {
++ $subfirewall->{'10.forward'} = {
+ 'caption' => $Lang::tr{'fwdfw menu'},
+ 'uri' => '/cgi-bin/forwardfw.cgi',
+ 'title' => "$Lang::tr{'fwdfw menu'}",
+ 'enabled' => 1,
+- };
+- $subfirewall->{'65.fwhost'} = {
++ };
++ $subfirewall->{'20.fwhost'} = {
+ 'caption' => $Lang::tr{'fwhost menu'},
+ 'uri' => '/cgi-bin/fwhosts.cgi',
+ 'title' => "$Lang::tr{'fwhost menu'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'70.upnp'} = {
+- 'caption' => 'UPnP',
+- 'uri' => '/cgi-bin/upnp.cgi',
+- 'title' => "Universal Plug and Play",
+- 'enabled' => 0,
+- };
+- $subfirewall->{'80.optionsfw'} = {
++ $subfirewall->{'30.optionsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'81.p2p'} = {
++ $subfirewall->{'40.p2p'} = {
+ 'caption' => 'P2P-Block',
+ 'uri' => '/cgi-bin/p2p-block.cgi',
+ 'title' => "P2P-Block",
+ 'enabled' => 1,
+- };
++ };
++ $subfirewall->{'50.dnat'} = {
++ 'caption' => $Lang::tr{'ssport forwarding'},
++ 'uri' => '/cgi-bin/portfw.cgi',
++ 'title' => "$Lang::tr{'ssport forwarding'}",
++ 'enabled' => 1,
++ };
++ $subfirewall->{'60.wireless'} = {
++ 'caption' => $Lang::tr{'blue access'},
++ 'uri' => '/cgi-bin/wireless.cgi',
++ 'title' => "$Lang::tr{'blue access'}",
++ 'enabled' => 1,
++ };
++ $subfirewall->{'70.upnp'} = {
++ 'caption' => 'UPnP',
++ 'uri' => '/cgi-bin/upnp.cgi',
++ 'title' => "Universal Plug and Play",
++ 'enabled' => 0,
++ };
+ $subfirewall->{'90.iptables'} = {
+ 'caption' => $Lang::tr{'ipts'},
+ 'uri' => '/cgi-bin/iptables.cgi',
+--
+1.7.10.4
+
--- /dev/null
+From 8a50416c609530b08b3201bebd20938d209f02a4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Feb 2013 14:34:30 +0100
+Subject: [PATCH 149/302] Forward Firewall: removed some text in p2p-block and
+ changed dropdown to radiobutton in optionsfw
+
+---
+ html/cgi-bin/optionsfw.cgi | 31 +++++++++++++++++++------------
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index ab34230..fc9b3d0 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -37,6 +37,7 @@ $settings{'DROPWIRELESSINPUT'} = 'on';
+ $settings{'DROPWIRELESSFORWARD'} = 'on';
+ $settings{'SHOWCOLORS'} = 'off';
+ $settings{'SHOWREMARK'} = 'on';
++$settings{'SHOWTABLES'} = 'on';
+
+ my $errormessage = '';
+ my $warnmessage = '';
+@@ -99,8 +100,15 @@ $checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'";
+ $checked{'SHOWREMARK'}{'off'} = '';
+ $checked{'SHOWREMARK'}{'on'} = '';
+ $checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'";
+-$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+-$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
++$checked{'SHOWTABLES'}{'off'} = '';
++$checked{'SHOWTABLES'}{'on'} = '';
++$checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'";
++$checked{'FWPOLICY'}{'DROP'} = '';
++$checked{'FWPOLICY'}{'REJECT'} = '';
++$checked{'FWPOLICY'}{$settings{'FWPOLICY'}} = "checked='checked'";
++$checked{'FWPOLICY1'}{'DROP'} = '';
++$checked{'FWPOLICY1'}{'REJECT'} = '';
++$checked{'FWPOLICY1'}{$settings{'FWPOLICY1'}} = "checked='checked'";
+
+
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
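Review bot: Switching `FWPOLICY` and `FWPOLICY1` from a `<select>` to radio buttons means that when `$settings{'FWPOLICY'}` is anything other than `DROP` or `REJECT` (unset, empty or an old value), neither radio is pre-checked and the browser posts no value for that field, whereas the select always posted its first option. No default for either key is visible among the `$settings{...}` defaults in the first hunk, so the saved default policy could end up empty; how the firewall scripts treat an empty policy is not visible here. I would normalise before filling `%checked`, e.g. `$settings{'FWPOLICY'} = 'DROP' unless $settings{'FWPOLICY'} =~ /\A(?:DROP|REJECT)\z/;` and the same for `FWPOLICY1`, and apply the same allow-list where the POSTed values are saved. The radio inputs themselves are in the next hunk of this file.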
+@@ -140,19 +148,18 @@ print <<END
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>on <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
+ <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings remark'}</td><td align='left'>on <input type='radio' name='SHOWREMARK' value='on' $checked{'SHOWREMARK'}{'on'} />/
+- <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
+-</table>
++ <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'fw settings ruletable'}</td><td align='left'>on<input type='radio' name='SHOWTABLES' value='on' $checked{'SHOWTABLES'}{'on'} />/
++ <input type='radio' name='SHOWTABLES' value='off' $checked{'SHOWTABLES'}{'off'} /> off</td></tr>
++</table>
+ <br />
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw default drop'}</b></td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td><select name='FWPOLICY'>
+-<option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
+-<option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
+-</td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
+-<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
+-<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
+-</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td align='left'>DROP <input type='radio' name='FWPOLICY' value='DROP' $checked{'FWPOLICY'}{'DROP'} />/
++ <input type='radio' name='FWPOLICY' value='REJECT' $checked{'FWPOLICY'}{'REJECT'} /> REJECT</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td align='left'>DROP <input type='radio' name='FWPOLICY1' value='DROP' $checked{'FWPOLICY1'}{'DROP'} />/
++ <input type='radio' name='FWPOLICY1' value='REJECT' $checked{'FWPOLICY1'}{'REJECT'} /> REJECT</td></tr>
++
+ </table>
+
+ <br />
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index b59f196..88ec364 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -912,7 +912,7 @@
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
+-'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist. Eventuell sollten die QOS Einstellungen entsprechend gesetzt werden.',
++'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist.',
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1ef3205..ff4204e 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -935,7 +935,7 @@
+ 'fwdfw man port' => 'Port(s) manual:',
+ 'fwdfw moveup' => 'Move up',
+ 'fwdfw movedown' => 'Move down',
+-'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly. Maybe you should have a look at the QOS settings.',
++'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly.',
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+--
+1.7.10.4
+
--- /dev/null
+From 8c25489e800cd2e3230cc8e005814e045ff9e731 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Feb 2013 14:40:16 +0100
+Subject: [PATCH 150/302] FOrward Firewall: Typo
+
+---
+ html/cgi-bin/optionsfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index fc9b3d0..90c3a32 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -149,7 +149,7 @@ print <<END
+ <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings remark'}</td><td align='left'>on <input type='radio' name='SHOWREMARK' value='on' $checked{'SHOWREMARK'}{'on'} />/
+ <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'fw settings ruletable'}</td><td align='left'>on<input type='radio' name='SHOWTABLES' value='on' $checked{'SHOWTABLES'}{'on'} />/
++<tr><td align='left' width='60%'>$Lang::tr{'fw settings ruletable'}</td><td align='left'>on <input type='radio' name='SHOWTABLES' value='on' $checked{'SHOWTABLES'}{'on'} />/
+ <input type='radio' name='SHOWTABLES' value='off' $checked{'SHOWTABLES'}{'off'} /> off</td></tr>
+ </table>
+ <br />
+--
+1.7.10.4
+
--- /dev/null
+From 00e85dba8e4adf1601ef94f871930c433a25e811 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Feb 2013 15:33:27 +0100
+Subject: [PATCH 151/302] Forward Firewall: changed menu to show access to
+ blue correctly
+
+---
+ config/menu/50-firewall.menu | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index 0bf9082..f8f8098 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -10,12 +10,18 @@
+ 'title' => "$Lang::tr{'fwhost menu'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'30.optionsfw'} = {
++ $subfirewall->{'29.optionsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
++ $subfirewall->{'30.wireless'} = {
++ 'caption' => $Lang::tr{'blue access'},
++ 'uri' => '/cgi-bin/wireless.cgi',
++ 'title' => "$Lang::tr{'blue access'}",
++ 'enabled' => 1,
++ };
+ $subfirewall->{'40.p2p'} = {
+ 'caption' => 'P2P-Block',
+ 'uri' => '/cgi-bin/p2p-block.cgi',
+@@ -28,12 +34,6 @@
+ 'title' => "$Lang::tr{'ssport forwarding'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'60.wireless'} = {
+- 'caption' => $Lang::tr{'blue access'},
+- 'uri' => '/cgi-bin/wireless.cgi',
+- 'title' => "$Lang::tr{'blue access'}",
+- 'enabled' => 1,
+- };
+ $subfirewall->{'70.upnp'} = {
+ 'caption' => 'UPnP',
+ 'uri' => '/cgi-bin/upnp.cgi',
+--
+1.7.10.4
+
--- /dev/null
+From 4cd9f75c892a67b3278d7f385ec0686e01c09b01 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 27 Feb 2013 05:35:41 +0100
+Subject: [PATCH 152/302] Forward Firewall: Some changes in langagefiles and
+ layout in fwhosts.cgi
+
+---
+ html/cgi-bin/fwhosts.cgi | 47 ++++++++++++++++++++--------------------------
+ langs/de/cgi-bin/de.pl | 26 ++++++++++++-------------
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index abb60c9..e608b0f 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -391,25 +391,14 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
+ $fwhostsettings{'ACTION'} = 'edithost';
+ }else{
+- if($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
++ if($fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
+ $fwhostsettings{'type'} = 'mac';
+- }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+- $fwhostsettings{'type'} = 'ip';
+- }elsif($fwhostsettings{'type'} eq 'mac' && $fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
+- $fwhostsettings{'type'} = 'mac';
+- }elsif($fwhostsettings{'type'} eq 'ip' && $fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ }elsif($fwhostsettings{'IP'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+ $fwhostsettings{'type'} = 'ip';
+ }else{
+ $fwhostsettings{'type'} = '';
+ $errormessage=$Lang::tr{'fwhost err ipmac'};
+ }
+- if($fwhostsettings{'type'} eq 'mac' )
+- {
+- if ($fwhostsettings{'IP'}!~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/ )
+- {
+- $errormessage=$Lang::tr{'fwhost err mac'};
+- }
+- }
+ #check remark
+ if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){
+ $errormessage=$Lang::tr{'fwhost err remark'};
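Review bot: With the `type` dropdown no longer consulted, the stored host type is decided only by these two patterns, and the IPv4 one accepts out-of-range octets such as `999.999.999.999`; both also end in `$`, which still matches before a trailing newline. These entries presumably end up as firewall objects, so I would use the project's validator for the IP branch, `}elsif(&General::validip($fwhostsettings{'IP'})){`, and anchor the MAC pattern with `\A` and `\z` instead of `^` and `$`. The enclosing `savehost` block starts and ends outside this hunk.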
+@@ -1097,8 +1086,8 @@ sub addnet
+ $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
+- <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' size='110'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'name'}:</td><td width='20%' align='left'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98%;'></td></tr>
+ <tr><td colspan='6'><br><hr></hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
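Review bot: The rewritten form rows still interpolate request values (`$fwhostsettings{'HOSTNAME'}`, `{'IP'}`, `{'SUBNET'}`, `{'NETREMARK'}`) unencoded into single-quoted `value='…'` attributes, and the line after the heredoc shows the form is rendered again when `$fwhostsettings{'error'}` is `on`, presumably with the rejected input. A value containing `'` or `>` then ends the attribute and is parsed as markup. I would encode each value before the heredoc, e.g. `my $netremark = &Header::cleanhtml($fwhostsettings{'NETREMARK'},"y");`, and interpolate the encoded copy. The same pattern is in the addhost, addgrp, addservice and addservicegrp hunks of this file; addnet's body continues outside the hunk.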
+@@ -1119,15 +1108,19 @@ sub addhost
+ $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'name'}:</td><td width='35%'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ><script>document.getElementById('textbox1').focus()</script></td><td><select name='type'>
++ <tr><td>$Lang::tr{'name'}:</td><td width='10%'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ><script>document.getElementById('textbox1').focus()</script></td>
++
+ END
+- if ($fwhostsettings{'type'} eq 'ip'){print "<option value='ip' selected >IP</option>";}else{print "<option value='ip' >IP</option>";}
+- if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
++ #<td><select name='type'>
++ #if ($fwhostsettings{'type'} eq 'ip'){print "<option value='ip' selected >IP</option>";}else{print "<option value='ip' >IP</option>";}
++ #if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
++ #</option></select></td>
+ print<<END;
+- </option></select></td><td align='right' width='15%'>IP/MAC:</td><td align='right'><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
+- <tr><td>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' size='110'></td></tr>
+- <tr><td colspan='7'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+- <tr><td colspan='7'><hr></hr></td></tr>
++
++ <td align='right'>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td colspan='3' ><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:60%;'></td></tr>
++ <tr><td colspan='5'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
++ <tr><td colspan='5'><hr></hr></td></tr>
+ END
+
+ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
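Review bot: The four commented-out lines for the old `type` dropdown (`#<td><select name='type'>` through `#</option></select></td>`) should be deleted rather than left in addhost; the history already keeps them, and they suggest the field is still expected by the save handler. With them gone, the two heredocs around them can be merged into a single `print<<END;` block, which also drops the blank lines now emitted into the table. addhost continues outside the hunk.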
+@@ -1157,7 +1150,7 @@ sub addgrp
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='TEXT' name='remark' size='35' value='$fwhostsettings{'remark'}'></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td width='20%'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}'></td><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></tr>
+ <tr><td colspan='5'><br><hr></td></tr></table>
+ END
+ }else{
+@@ -1265,7 +1258,7 @@ sub addservice
+ }
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='1%' nowrap='nowrap'><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}'><script>document.getElementById('textbox1').focus()</script></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
++ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='25%' nowrap='nowrap'><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}'><script>document.getElementById('textbox1').focus()</script></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td width='10%'><select name='PROT'>
+ END
+ foreach ("TCP","UDP","ICMP")
+ {
+@@ -1277,8 +1270,8 @@ END
+ }
+ }
+ print<<END;
+- </select></td><td>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='9'></td></tr>
+- <tr><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='4'><select name='ICMP_TYPES'>
++ </select></td><td width='2%'>$Lang::tr{'fwhost port'}:</td><td align='left'><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='9'></td></tr>
++ <tr><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td><select name='ICMP_TYPES'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+@@ -1323,7 +1316,7 @@ sub addservicegrp
+ if ($fwhostsettings{'updatesrvgrp'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='SRVGRP_REMARK' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td width='20%'><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'></td><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width: 98%;'></td></tr>
+ <tr><td colspan='4'><br><hr></td></td></tr>
+ </table>
+ END
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 88ec364..428f60a 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -912,7 +912,7 @@
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
+-'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Bitte beachten, dass ein erlaubtes P2P Netzwerk unter Umständen einen erheblichen Teil der Bandbreite beanspruchen kann, wenn der Client nicht korrekt konfiguriert ist.',
++'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Unter Umständen können einzelne aktivierte P2P Netzewerke einen erheblichen Teil der Bandbreite beanspruchen.',
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+@@ -998,16 +998,16 @@
+ 'fwhost icmptype' => 'ICMP-Typ:',
+ 'fwhost ipadr' => 'IP Adresse:',
+ 'fwhost ip_mac' => 'IP/MAC Adresse',
+-'fwhost ipsec host' => 'IpSec Clients:',
+-'fwhost ipsec net' => 'IpSec Netzwerke:',
++'fwhost ipsec host' => 'IPsec Clients:',
++'fwhost ipsec net' => 'IPsec Netzwerke:',
+ 'fwhost netaddress' => 'Netzwerk Adresse',
+-'fwhost newnet' => 'Netz Einstellungen',
+-'fwhost newhost' => 'Adress Einstellungen',
+-'fwhost newgrp' => 'Adress Gruppierung',
+-'fwhost newservice' => 'Dienst Einstellungen',
+-'fwhost newservicegrp' => 'Dienst Gruppierung',
++'fwhost newnet' => 'Netz-Einstellungen',
++'fwhost newhost' => 'Adress-Einstellungen',
++'fwhost newgrp' => 'Adress-Gruppierung',
++'fwhost newservice' => 'Dienst-Einstellungen',
++'fwhost newservicegrp' => 'Dienst-Gruppierung',
+ 'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+-'fwhost menu' => 'Firewall Gruppen',
++'fwhost menu' => 'Firewall-Gruppen',
+ 'fwhost orange' => 'Orange',
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+@@ -1033,13 +1033,13 @@
+ 'from email server' => 'Von Email Server',
+ 'from email user' => 'Von Email Benutzer',
+ 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+-'fw blue' => 'Firewall Optionen für das Blaue Interface',
++'fw blue' => 'Firewall-Optionen für das Blaue Interface',
+ 'fw default drop' => 'Firewall Policy',
+-'fw settings' => 'Firewall Einstellungen',
++'fw settings' => 'Firewall-Einstellungen',
+ 'fw settings color' => 'Farben in Regeltabelle anzeigen',
+ 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
+ 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+-'fw logging' => 'Firewall Logging',
++'fw logging' => 'Firewall-Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+ 'gen static key' => 'Statischen Schlüssel erzeugen',
+@@ -1493,7 +1493,7 @@
+ 'optional at cmd' => 'zusätzlicher Modembefehl',
+ 'optional data' => '3. Optionale Einstellungen',
+ 'options' => 'Optionen',
+-'options fw' => 'Firewall Optionen',
++'options fw' => 'Firewall-Optionen',
+ 'optionsfw portlist hint' => 'Die Liste der Ports muss durch ein Komma getrennt werden (z.B. 137,138). Sie können maximal bis zu 15 Ports pro Protokoll angeben.',
+ 'optionsfw warning' => 'Verändern dieser Optionen bedingt einen Neustart der Firewall',
+ 'or' => 'oder',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index ff4204e..4cf99dc 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -935,7 +935,7 @@
+ 'fwdfw man port' => 'Port(s) manual:',
+ 'fwdfw moveup' => 'Move up',
+ 'fwdfw movedown' => 'Move down',
+-'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith if the clients are not configured correctly.',
++'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith.',
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+ 'fwdfw pol title' => 'Firewall default behavior',
+--
+1.7.10.4
+
--- /dev/null
+From 784f11996fd428a8715ec9dad7568a82c4485b1f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 27 Feb 2013 14:23:20 +0100
+Subject: [PATCH 153/302] Forward Firewall: Changed layout of rulecreation.
+ Now only the dropdowns for configured networks are
+ shown on the site Also changed fwhosts.cgi (custom
+ groups) to the same feature
+
+---
+ html/cgi-bin/forwardfw.cgi | 1229 +++++++++++++++++++++-----------------------
+ html/cgi-bin/fwhosts.cgi | 161 +++---
+ 2 files changed, 670 insertions(+), 720 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index f7d2bb1..b93557d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -520,129 +520,19 @@ if ($fwdfwsettings{'ACTION'} eq '')
+ &base;
+ }
+ ### Functions ####
+-sub changerule
+-{
+- my $oldchain=shift;
+- $fwdfwsettings{'updatefwrule'}='';
+- $fwdfwsettings{'config'}=$oldchain;
+- $fwdfwsettings{'nobase'}='on';
+- &deleterule;
+- &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+-}
+-sub pos_up
+-{
+- my %uphash=();
+- my %tmp=();
+- &General::readhasharray($fwdfwsettings{'config'}, \%uphash);
+- foreach my $key (sort keys %uphash){
+- if ($key eq $fwdfwsettings{'key'}) {
+- my $last = $key -1;
+- if (exists $uphash{$last}){
+- #save rule last
+- foreach my $y (0 .. $#{$uphash{$last}}) {
+- $tmp{0}[$y] = $uphash{$last}[$y];
+- }
+- #copy active rule to last
+- foreach my $i (0 .. $#{$uphash{$last}}) {
+- $uphash{$last}[$i] = $uphash{$key}[$i];
+- }
+- #copy saved rule to actual position
+- foreach my $x (0 .. $#{$tmp{0}}) {
+- $uphash{$key}[$x] = $tmp{0}[$x];
+- }
+- }
+- }
+- }
+- &General::writehasharray($fwdfwsettings{'config'}, \%uphash);
+- &rules;
+-}
+-sub pos_down
+-{
+- my %downhash=();
+- my %tmp=();
+- &General::readhasharray($fwdfwsettings{'config'}, \%downhash);
+- foreach my $key (sort keys %downhash){
+- if ($key eq $fwdfwsettings{'key'}) {
+- my $next = $key + 1;
+- if (exists $downhash{$next}){
+- #save rule next
+- foreach my $y (0 .. $#{$downhash{$next}}) {
+- $tmp{0}[$y] = $downhash{$next}[$y];
+- }
+- #copy active rule to next
+- foreach my $i (0 .. $#{$downhash{$next}}) {
+- $downhash{$next}[$i] = $downhash{$key}[$i];
+- }
+- #copy saved rule to actual position
+- foreach my $x (0 .. $#{$tmp{0}}) {
+- $downhash{$key}[$x] = $tmp{0}[$x];
+- }
+- }
+- }
+- }
+- &General::writehasharray($fwdfwsettings{'config'}, \%downhash);
+- &rules;
+-}
+-sub checkcounter
+-{
+- my ($base1,$val1,$base2,$val2) = @_;
+-
+- if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){
+- &dec_counter($confignet,\%customnetwork,$val1);
+- }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){
+- &dec_counter($confighost,\%customhost,$val1);
+- }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){
+- &dec_counter($configgrp,\%customgrp,$val1);
+- }elsif($base1 eq 'cust_srv'){
+- &dec_counter($configsrv,\%customservice,$val1);
+- }elsif($base1 eq 'cust_srvgrp'){
+- &dec_counter($configsrvgrp,\%customservicegrp,$val1);
+- }
+-
+- if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
+- &inc_counter($confignet,\%customnetwork,$val2);
+- }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
+- &inc_counter($confighost,\%customhost,$val2);
+- }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){
+- &inc_counter($configgrp,\%customgrp,$val2);
+- }elsif($base2 eq 'cust_srv'){
+- &inc_counter($configsrv,\%customservice,$val2);
+- }elsif($base2 eq 'cust_srvgrp'){
+- &inc_counter($configsrvgrp,\%customservicegrp,$val2);
+- }
+-}
+-sub inc_counter
+-{
+- my $config=shift;
+- my %hash=%{(shift)};
+- my $val=shift;
+- my $pos;
+-
+- &General::readhasharray($config, \%hash);
+- foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+- if($hash{$key}[0] eq $val){
+- $pos=$#{$hash{$key}};
+- $hash{$key}[$pos] = $hash{$key}[$pos]+1;
+- }
+- }
+- &General::writehasharray($config, \%hash);
+-}
+-sub dec_counter
++sub addrule
+ {
+- my $config=shift;
+- my %hash=%{(shift)};
+- my $val=shift;
+- my $pos;
+- #$errormessage.="ALT:config: $config , verringert wird $val <br>";
+- &General::readhasharray($config, \%hash);
+- foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+- if($hash{$key}[0] eq $val){
+- $pos=$#{$hash{$key}};
+- $hash{$key}[$pos] = $hash{$key}[$pos]-1;
+- }
++ &error;
++ if (-f "${General::swroot}/forward/reread"){
++ print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+ }
+- &General::writehasharray($config, \%hash);
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
++ print "<form method='post'>";
++ print "<table border='0'>";
++ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
++ print"</tr></table></form><hr>";
++ &Header::closebox();
++ &viewtablerule;
+ }
+ sub base
+ {
+@@ -685,65 +575,15 @@ END
+ print "</table></form>";
+ &Header::closebox();
+ }
+-sub addrule
+-{
+- &error;
+- if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+- }
+- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+- print "<form method='post'>";
+- print "<table border='0'>";
+- print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+- print"</tr></table></form><hr>";
+- &Header::closebox();
+- &viewtablerule;
+-}
+-sub deleterule
+-{
+- my %delhash=();
+- &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
+- foreach my $key (sort {$a <=> $b} keys %delhash){
+- if ($key == $fwdfwsettings{'key'}){
+- #check hosts/net and groups
+- &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
+- &checkcounter($delhash{$key}[5],$delhash{$key}[6],,);
+- #check services and groups
+- if ($delhash{$key}[11] eq 'ON'){
+- &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
+- }
+- }
+- if ($key >= $fwdfwsettings{'key'}) {
+- my $next = $key + 1;
+- if (exists $delhash{$next}) {
+- foreach my $i (0 .. $#{$delhash{$next}}) {
+- $delhash{$key}[$i] = $delhash{$next}[$i];
+- }
+- }
+- }
+- }
+- # Remove the very last entry.
+- my $last_key = (sort {$a <=> $b} keys %delhash)[-1];
+- delete $delhash{$last_key};
+-
+- &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
+- &rules;
+-
+- if($fwdfwsettings{'nobase'} ne 'on'){
+- &base;
+- }
+-}
+-sub disable_rule
++sub changerule
+ {
+- my $key1=shift;
+- &General::readhasharray("$configfwdfw", \%configfwdfw);
+- foreach my $key (sort keys %configfwdfw){
+- if ($key eq $key1 ){
+- if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';}
+- }
+- }
+- &General::writehasharray("$configfwdfw", \%configfwdfw);
+- &rules;
++ my $oldchain=shift;
++ $fwdfwsettings{'updatefwrule'}='';
++ $fwdfwsettings{'config'}=$oldchain;
++ $fwdfwsettings{'nobase'}='on';
++ &deleterule;
++ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+ }
+ sub checksource
+ {
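Review bot: `changerule` does not restore everything that `deleterule` removes. `deleterule` (added further down in this patch) decrements the usage counters for the source (fields [3]/[4]), the target ([5]/[6]) and, only when field [11] is 'ON', the service ([14]/[15]); `changerule` then re-increments `grp1` and `grp3` only, and `grp3` unconditionally. Unless the caller, which is outside this hunk, increments the target counter itself, moving a rule between chains leaves the target object's counter one too low and can raise a service counter that was never lowered. Consider adding `&checkcounter(0,0,$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});` and guarding the `grp3` call with `if ($fwdfwsettings{'USESRV'} eq 'ON')`, assuming field [11] is the stored USESRV flag. A one-line comment above the sub noting that it relies on `$fwdfwsettings{'key'}` being set by the caller would also help.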
+@@ -1012,89 +852,475 @@ sub checkrule
+ if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+- }elsif($scidr eq $tcidr && $scidr eq '32'){
+- my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1);
+- my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2);
+- if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){
+- $hint=$Lang::tr{'fwdfw hint ip1'}."<br>";
+- $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+- }
+- }else{
+- if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+- $errormessage.=$Lang::tr{'fwdfw err samesub'};
++ }elsif($scidr eq $tcidr && $scidr eq '32'){
++ my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1);
++ my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2);
++ if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){
++ $hint=$Lang::tr{'fwdfw hint ip1'}."<br>";
++ $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
++ }
++ }else{
++ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
++ $errormessage.=$Lang::tr{'fwdfw err samesub'};
++ }
++ }
++ }
++
++ #check source and destination protocol if manual
++ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
++ $errormessage.=$Lang::tr{'fwdfw err prot'};
++ }
++ #check source and destination protocol if source manual and dest servicegrp
++ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $key (sort keys %customservice){
++ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
++ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
++ $errormessage.=$Lang::tr{'fwdfw err prot'};
++ last;
++ }
++ }
++ }
++ }
++ }
++}
++sub checkcounter
++{
++ my ($base1,$val1,$base2,$val2) = @_;
++
++ if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){
++ &dec_counter($confignet,\%customnetwork,$val1);
++ }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){
++ &dec_counter($confighost,\%customhost,$val1);
++ }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){
++ &dec_counter($configgrp,\%customgrp,$val1);
++ }elsif($base1 eq 'cust_srv'){
++ &dec_counter($configsrv,\%customservice,$val1);
++ }elsif($base1 eq 'cust_srvgrp'){
++ &dec_counter($configsrvgrp,\%customservicegrp,$val1);
++ }
++
++ if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
++ &inc_counter($confignet,\%customnetwork,$val2);
++ }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
++ &inc_counter($confighost,\%customhost,$val2);
++ }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){
++ &inc_counter($configgrp,\%customgrp,$val2);
++ }elsif($base2 eq 'cust_srv'){
++ &inc_counter($configsrv,\%customservice,$val2);
++ }elsif($base2 eq 'cust_srvgrp'){
++ &inc_counter($configsrvgrp,\%customservicegrp,$val2);
++ }
++}
++sub deleterule
++{
++ my %delhash=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%delhash);
++ foreach my $key (sort {$a <=> $b} keys %delhash){
++ if ($key == $fwdfwsettings{'key'}){
++ #check hosts/net and groups
++ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
++ &checkcounter($delhash{$key}[5],$delhash{$key}[6],,);
++ #check services and groups
++ if ($delhash{$key}[11] eq 'ON'){
++ &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
++ }
++ }
++ if ($key >= $fwdfwsettings{'key'}) {
++ my $next = $key + 1;
++ if (exists $delhash{$next}) {
++ foreach my $i (0 .. $#{$delhash{$next}}) {
++ $delhash{$key}[$i] = $delhash{$next}[$i];
++ }
++ }
++ }
++ }
++ # Remove the very last entry.
++ my $last_key = (sort {$a <=> $b} keys %delhash)[-1];
++ delete $delhash{$last_key};
++
++ &General::writehasharray($fwdfwsettings{'config'}, \%delhash);
++ &rules;
++
++ if($fwdfwsettings{'nobase'} ne 'on'){
++ &base;
++ }
++}
++sub disable_rule
++{
++ my $key1=shift;
++ &General::readhasharray("$configfwdfw", \%configfwdfw);
++ foreach my $key (sort keys %configfwdfw){
++ if ($key eq $key1 ){
++ if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';}
++ }
++ }
++ &General::writehasharray("$configfwdfw", \%configfwdfw);
++ &rules;
++}
++sub dec_counter
++{
++ my $config=shift;
++ my %hash=%{(shift)};
++ my $val=shift;
++ my $pos;
++ #$errormessage.="ALT:config: $config , verringert wird $val <br>";
++ &General::readhasharray($config, \%hash);
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ $pos=$#{$hash{$key}};
++ $hash{$key}[$pos] = $hash{$key}[$pos]-1;
++ }
++ }
++ &General::writehasharray($config, \%hash);
++}
++sub error
++{
++ if ($errormessage) {
++ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
++ print "<class name='base'>$errormessage\n";
++ print " </class>\n";
++ &Header::closebox();
++ print"<hr>";
++ }
++}
++sub fillselect
++{
++ my %hash=%{(shift)};
++ my $val=shift;
++ my $key;
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
++ }else{
++ print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
++ }
++ }
++}
++sub gen_dd_block
++{
++ my $srctgt = shift;
++ my $grp=shift;
++ my $helper='';
++ my $show='';
++ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
++ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
++ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
++ $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED';
++ $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED';
++ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
++ $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED';
++ $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED';
++ $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED';
++ $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED';
++ $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED';
++ $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED';
++ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
++ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
++ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
++ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++print<<END;
++ <table width='100%' border='0'>
++ <tr><td width='50%' valign='top'>
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td><select name='std_net_$srctgt' style='min-width:185px;'>
++END
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
++ next if($defaultNetworks{$network}{'NAME'} eq "RED");
++ print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
++ print ">$network</option>";
++ }
++ print"</select></td></tr>";
++ #custom networks
++ if (! -z $confignet){
++ print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_$srctgt' style='min-width:185px;'>";
++ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{$grp}});
++ print"</select></td>";
++ }
++ #custom hosts
++ if (! -z $confighost){
++ print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_$srctgt' style='min-width:185px;'>";
++ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{$grp}});
++ print"</select></td>";
++ }
++ #custom groups
++ if (! -z $configgrp){
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_$srctgt' style='min-width:185px;'>";
++ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
++ if($helper ne $customgrp{$key}[0]){
++ print"<option ";
++ print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $customgrp{$key}[0]);
++ print ">$customgrp{$key}[0]</option>";
++ }
++ $helper=$customgrp{$key}[0];
++ }
++ print"</select></td>";
++ }
++ #End left table. start right table (vpn)
++ print"</tr></table></td><td valign='top'><table width='100%' border='0'><tr>";
++ # CCD networks
++ if( ! -z $configccdnet){
++ print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_$srctgt' style='min-width:185px;'>";
++ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{$grp}});
++ print"</select></td></tr>";
++ }
++ #OVPN CCD Hosts
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
++ if ($ccdhost{$key}[33] ne ''){
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
++ print "<option value='$ccdhost{$key}[1]'";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++ #OVPN N2N
++ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
++ if ($ccdhost{$key}[3] eq 'net'){
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ my $show='1';
++ print "<option value='$ccdhost{$key}[1]'";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
++ print ">$ccdhost{$key}[1]</option>";
++ }
++ }
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++ #IPsec netze
++ foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++ if ($ipsecconf{$key}[3] eq 'net'){
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
++ print "<option ";
++ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
++ print ">$ipsecconf{$key}[1]</option>";
++ }
++ }
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++
++ print"</tr></table>";
++ print"</td></tr></table><br>";
++}
++sub get_ip
++{
++ my $val=shift;
++ my $grp =shift;
++ my $a;
++ my $b;
++ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
++ if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){
++ if ($fwdfwsettings{$grp} eq $val.'_addr'){
++ ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}});
++ }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){
++ if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){
++ $a=$netsettings{'GREEN_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){
++ $a=$netsettings{'ORANGE_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){
++ $a=$netsettings{'BLUE_NETADDRESS'};
++ $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'});
++ }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){
++ &General::readhash("$configovpn",\%ovpnsettings);
++ ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'});
++ $b=&General::iporsubtocidr($b);
++ }
++ }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){
++ &General::readhasharray("$confignet", \%customnetwork);
++ foreach my $key (keys %customnetwork){
++ if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
++ $a=$customnetwork{$key}[1];
++ $b=&General::iporsubtocidr($customnetwork{$key}[2]);
++ }
++ }
++ }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){
++ &General::readhasharray("$confighost", \%customhost);
++ foreach my $key (keys %customhost){
++ if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
++ if ($customhost{$key}[1] eq 'ip'){
++ ($a,$b)=split (/\//,$customhost{$key}[2]);
++ $b=&General::iporsubtocidr($b);
++ }else{
++ if ($grp eq 'grp2'){
++ $errormessage=$Lang::tr{'fwdfw err tgt_mac'};
++ }
++ }
++ }
++ }
++ }
++ }
++ return $a,$b;
++}
++sub get_name
++{
++ my $val=shift;
++ &General::setup_default_networks(\%defaultNetworks);
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ return "$network" if ($val eq $defaultNetworks{$network}{'NAME'});
++ }
++}
++sub getsrcport
++{
++ my %hash=%{(shift)};
++ my $key=shift;
++ if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){
++ $hash{$key}[10]=~ s/\|/,/g;
++ print": $hash{$key}[10]";
++ }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
++ print": <br>$hash{$key}[9] ";
++ }
++}
++sub gettgtport
++{
++ my %hash=%{(shift)};
++ my $key=shift;
++ my $service;
++ my $prot;
++ if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
++ if($hash{$key}[14] eq 'cust_srv'){
++ &General::readhasharray("$configsrv", \%customservice);
++ foreach my $i (sort keys %customservice){
++ if($customservice{$i}[0] eq $hash{$key}[15]){
++ $service = $customservice{$i}[0];
++ }
++ }
++ }elsif($hash{$key}[14] eq 'cust_srvgrp'){
++ $service=$hash{$key}[15];
++ }elsif($hash{$key}[14] eq 'TGT_PORT'){
++ $hash{$key}[15]=~ s/\|/,/g;
++ $service=$hash{$key}[15];
++ }
++ if($service){
++ print": $service";
++ }
++ }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
++ print":<br>$hash{$key}[13]";
++ }
++}
++sub get_serviceports
++{
++ my $type=shift;
++ my $name=shift;
++ &General::readhasharray("$configsrv", \%customservice);
++ &General::readhasharray("$configsrvgrp", \%customservicegrp);
++ my $protocols;
++ my $tcp;
++ my $udp;
++ if($type eq 'service'){
++ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ if ($customservice{$key}[0] eq $name){
++ $protocols=$customservice{$key}[2];
++ }
++ }
++ }elsif($type eq 'group'){
++ foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ if ($customservicegrp{$key}[0] eq $name){
++ foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
++ if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
++ }
++ }
++ }
++ }
++ }
++ if($tcp && $udp){$protocols="TCP,UDP";
++ }elsif($tcp){$protocols.="TCP";
++ }elsif($udp){$protocols.="UDP";}
++ return $protocols;
++}
++sub getcolor
++{
++ my $nettype=shift;
++ my $val=shift;
++ my $hash=shift;
++ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ #VPN networks
++ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
++ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ return;
++ }
++ if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
++ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ return;
++ }
++ #custom Hosts
++ if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
++ foreach my $key (sort keys %$hash){
++ if ($$hash{$key}[0] eq $val){
++ $val=$$hash{$key}[2];
++ }
++ }
++ }
++ #ALIASE
++ foreach my $alias (sort keys %aliases)
++ {
++ if ($val eq $alias){
++ $tdcolor="style='border: 2px solid red;'";
++ return;
++ }
++ }
++ #standard networks
++ if ($val eq 'GREEN'){
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ }elsif ($val eq 'ORANGE'){
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ }elsif ($val eq 'BLUE'){
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ }elsif ($val eq 'RED'){
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ }elsif ($val eq 'IPFire' ){
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ }elsif($val =~ /^(.*?)\/(.*?)$/){
++ my ($sip,$scidr) = split ("/",$val);
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ }
++ }elsif ($val eq 'Default IP'){
++ $tdcolor="style='border: 1px solid red;'";
++ }else{
++ $tdcolor='';
+ }
+ }
+-
+- #check source and destination protocol if manual
+- if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
+- if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+- $errormessage.=$Lang::tr{'fwdfw err prot'};
+- }
+- #check source and destination protocol if source manual and dest servicegrp
+- if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
+- &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort keys %customservice){
+- if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
+- if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
+- $errormessage.=$Lang::tr{'fwdfw err prot'};
+- last;
+- }
+- }
+- }
+- }
++}
++sub hint
++{
++ if ($hint) {
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'});
++ print "<class name='base'>$hint\n";
++ print " </class>\n";
++ &Header::closebox();
++ print"<hr>";
+ }
+ }
+-sub get_ip
++sub inc_counter
+ {
++ my $config=shift;
++ my %hash=%{(shift)};
+ my $val=shift;
+- my $grp =shift;
+- my $a;
+- my $b;
+- &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+- if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){
+- if ($fwdfwsettings{$grp} eq $val.'_addr'){
+- ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}});
+- }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){
+- if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){
+- $a=$netsettings{'GREEN_NETADDRESS'};
+- $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'});
+- }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){
+- $a=$netsettings{'ORANGE_NETADDRESS'};
+- $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'});
+- }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){
+- $a=$netsettings{'BLUE_NETADDRESS'};
+- $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'});
+- }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){
+- &General::readhash("$configovpn",\%ovpnsettings);
+- ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'});
+- $b=&General::iporsubtocidr($b);
+- }
+- }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){
+- &General::readhasharray("$confignet", \%customnetwork);
+- foreach my $key (keys %customnetwork){
+- if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
+- $a=$customnetwork{$key}[1];
+- $b=&General::iporsubtocidr($customnetwork{$key}[2]);
+- }
+- }
+- }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){
+- &General::readhasharray("$confighost", \%customhost);
+- foreach my $key (keys %customhost){
+- if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){
+- if ($customhost{$key}[1] eq 'ip'){
+- ($a,$b)=split (/\//,$customhost{$key}[2]);
+- $b=&General::iporsubtocidr($b);
+- }else{
+- if ($grp eq 'grp2'){
+- $errormessage=$Lang::tr{'fwdfw err tgt_mac'};
+- }
+- }
+- }
+- }
++ my $pos;
++
++ &General::readhasharray($config, \%hash);
++ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ if($hash{$key}[0] eq $val){
++ $pos=$#{$hash{$key}};
++ $hash{$key}[$pos] = $hash{$key}[$pos]+1;
+ }
+ }
+- return $a,$b;
++ &General::writehasharray($config, \%hash);
+ }
+ sub newrule
+ {
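Review bot: In `gen_dd_block` the OpenVPN net-to-net loop sets `my $show='1';`, which declares a fresh lexical inside the loop body, so the outer `$show` stays empty. The row and `<select>` opener is therefore printed again for every matching entry and the `</select></td></tr>` after the loop is never emitted; it should be `$show='1';` as in the CCD-host and IPsec loops. That row is also labelled `$Lang::tr{'fwhost ccdhost'}` where the inline code this patch removes used `$Lang::tr{'fwhost ovpn_n2n'}`. Separately, `fillselect` and `gen_dd_block` interpolate stored object names (`$hash{$key}[0]`, `$customgrp{$key}[0]`, `$ccdhost{$key}[1]`, `$ipsecconf{$key}[1]`) straight into single-quoted attributes and option text. Unless those names are strictly validated when they are saved, pass them through an HTML-escaping helper before printing (for example `&Header::cleanhtml`, if that is what the other CGIs use).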
+@@ -1257,90 +1483,10 @@ END
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' ></td></tr>
+ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+- <tr><td width='1%'><input type='radio' name='grp1' value='std_net_src' $checked{'grp1'}{'std_net_src'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_src' style='min-width:185px;'>
+-END
+- foreach my $network (sort keys %defaultNetworks)
+- {
+- next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
+- next if($defaultNetworks{$network}{'NAME'} eq "RED");
+- print "<option value='$defaultNetworks{$network}{'NAME'}'";
+- print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $defaultNetworks{$network}{'NAME'});
+- print ">$network</option>";
+- }
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_net_src' $checked{'grp1'}{'ovpn_net_src'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_src' style='min-width:185px;'>
+-END
+- &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- print<<END;
+- </select></td></tr>
+- <tr><td><input type='radio' name='grp1' value='cust_net_src' $checked{'grp1'}{'cust_net_src'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_src' style='min-width:185px;'>
+-END
+- &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_host_src' $checked{'grp1'}{'ovpn_host_src'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_src' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
+- {
+- if ($ccdhost{$key}[33] ne ''){
+-
+- print "<option value='$ccdhost{$key}[1]'";
+- print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ccdhost{$key}[1]);
+- print ">$ccdhost{$key}[1]</option>";
+- }
+- }
+- print<<END;
+- </select></td></tr>
+- <tr><td valign='top'><input type='radio' name='grp1' value='cust_host_src' $checked{'grp1'}{'cust_host_src'}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_src' style='min-width:185px;'>
+-END
+- &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp1' value='ovpn_n2n_src' $checked{'grp1'}{'ovpn_n2n_src'}></td><td >$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='ovpn_n2n_src' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
+- if($ccdhost{$key}[3] eq 'net'){
+- print"<option ";
+- print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ccdhost{$key}[1]);
+- print ">$ccdhost{$key}[1]</option>";
+- }
+- }
+- print<<END;
+- </select></td></tr>
+-
+- <tr><td valign='top'><input type='radio' name='grp1' value='cust_grp_src' $checked{'grp1'}{'cust_grp_src'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_src' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
+- if($helper ne $customgrp{$key}[0]){
+- print"<option ";
+- print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $customgrp{$key}[0]);
+- print ">$customgrp{$key}[0]</option>";
+- }
+- $helper=$customgrp{$key}[0];
+- }
+- print<<END;
+- </select></td>
+- <td valign='top'><input type='radio' name='grp1' value='ipsec_net_src' $checked{'grp1'}{'ipsec_net_src'}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_src' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+- if ($ipsecconf{$key}[3] eq 'net'){
+- print "<option ";
+- print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ipsecconf{$key}[1]);
+- print ">$ipsecconf{$key}[1]</option>";
+- }
+- }
+- #sourceport
+- print<<END;
+- </select></td></tr>
++ </table>
+ END
++ &gen_dd_block('src','grp1');
+
+-# <td valign='top'><input type='radio' name='grp1' value='ipsec_host_src' $checked{'grp1'}{'ipsec_host_src'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_src' style='min-width:185px;'>
+-#END
+-# foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+-# if ($ipsecconf{$key}[3] eq 'host'){
+-# print "<option ";
+-# print "selected='selected'" if($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $ipsecconf{$key}[1]);
+-# print ">$ipsecconf{$key}[1]</option>";
+-# }
+-# }
+ print<<END;
+ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ <table width='100%' border='0'>
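Review bot: The row printed right after `&gen_dd_block('src','grp1');`, `<tr><td colspan='8'><hr …/></td></tr></table>`, no longer sits inside a table. The added `</table>` closes the source-address table before the call, and `gen_dd_block` closes every table it opens, so the `<tr>` and the trailing `</table>` are orphaned and the source box ends up with unbalanced markup. As the line is now only a separator, print the rule on its own, e.g. `<hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' />`, and drop the row wrapper and the closing tag. `newrule` starts and ends outside this hunk.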
+@@ -1379,7 +1525,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td><select name='ipfire' style='min-width:185px;'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td align='right'><select name='ipfire' style='min-width:185px;'>
+ END
+ print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
+
+@@ -1387,95 +1533,14 @@ END
+ {
+ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
+ }
+-
+ print<<END;
+ </td></tr>
+- <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+- <tr><td width='1%'><input type='radio' name='grp2' value='std_net_tgt' $checked{'grp2'}{'std_net_tgt'}></td><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost stdnet'}</td><td width='13%'><select name='std_net_tgt' style='min-width:185px;'>
+-END
+- foreach my $network (sort keys %defaultNetworks)
+- {
+- next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+- print "<option value='$defaultNetworks{$network}{'NAME'}'";
+- print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $defaultNetworks{$network}{'NAME'});
+- print ">$network</option>";
+- }
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net_tgt' $checked{'grp2'}{'ovpn_net_tgt'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_tgt' style='min-width:185px;'>
+-END
+- &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- print<<END;
+- </select></td></tr>
+- <tr><td><input type='radio' name='grp2' value='cust_net_tgt' $checked{'grp2'}{'cust_net_tgt'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_tgt' style='min-width:185px;'>
+-END
+- &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_host_tgt' $checked{'grp2'}{'ovpn_host_tgt'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_tgt' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
+- {
+- if ($ccdhost{$key}[33] ne ''){
+- print "<option value='$ccdhost{$key}[1]' ";
+- print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ccdhost{$key}[33]);
+- print ">$ccdhost{$key}[1]</option>";
+- }
+- }
+- print<<END;
+- </select></td></tr>
+- <tr><td valign='top'><input type='radio' name='grp2' value='cust_host_tgt' $checked{'grp2'}{'cust_host_tgt'}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_tgt' style='min-width:185px;'>
+-END
+- &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_n2n_tgt' $checked{'grp2'}{'ovpn_n2n_tgt'}></td><td >$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='ovpn_n2n_tgt' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
+- if($ccdhost{$key}[3] eq 'net'){
+- print "<option ";
+- print "selected='selected'" if($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ccdhost{$key}[1]);
+- print ">$ccdhost{$key}[1]</option>";
+- }
+- }
+- print<<END;
+- </select></td></tr>
+- <tr><td valign='top'><input type='radio' name='grp2' value='cust_grp_tgt' $checked{'grp2'}{'cust_grp_tgt'}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_tgt' style='min-width:185px;'>
+-END
+- $helper='';
+- foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
+- if($helper ne $customgrp{$key}[0]){
+- print"<option ";
+- print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $customgrp{$key}[0]);
+- print">$customgrp{$key}[0]</option>";
+- }
+- $helper=$customgrp{$key}[0];
+- }
+- print<<END;
+- </select></td>
+- <td valign='top'><input type='radio' name='grp2' value='ipsec_net_tgt' $checked{'grp2'}{'ipsec_net_tgt'}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_tgt' style='min-width:185px;'>
+-END
+- foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+- if ($ipsecconf{$key}[3] eq 'net'){
+- print"<option ";
+- print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ipsecconf{$key}[1]);
+- print">$ipsecconf{$key}[1]</option>";
+- }
+- }
+- print<<END;
+- </select></td></tr>
++ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ END
+-# <td valign='top'><input type='radio' name='grp2' value='ipsec_host_tgt' $checked{'grp2'}{'ipsec_host_tgt'}></td><td >$Lang::tr{'fwhost ipsec host'}</td><td><select name='ipsec_host_tgt' style='min-width:185px;'>
+-#END
+-# foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+-# if ($ipsecconf{$key}[3] eq 'host'){
+-# print"<option ";
+-# print"selected='Selected'" if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq $ipsecconf{$key}[1]);
+-# print">$ipsecconf{$key}[1]</option>";
+-# }
+-# }
++ &gen_dd_block('tgt','grp2');
+ print<<END;
+- </table>
+ <b>$Lang::tr{'fwhost attention'}:</b><br>
+ $Lang::tr{'fwhost macwarn'}<br><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
+-
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
+ END
+@@ -1602,41 +1667,109 @@ END
+ print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n";
+ }
+ }
+- print<<END;
+- </select></td></tr>
+- </table><br><hr>
+-END
+-
+- #---ACTION------------------------------------------------------
+- if($fwdfwsettings{'updatefwrule'} ne 'on'){
+- print<<END;
+- <table border='0' width='100%'>
+- <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
+- <input type='hidden' name='config' value='$config' >
+- <input type='hidden' name='ACTION' value='saverule' >
+- </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+- </table></form>
+-END
+- }else{
+- print<<END;
+- <table border='0' width='100%'>
+- <tr><td align='right'><input type='submit' value='$Lang::tr{'fwdfw change'}' style='min-width:100px;' /><input type='hidden' name='updatefwrule' value='$fwdfwsettings{'updatefwrule'}'><input type='hidden' name='key' value='$fwdfwsettings{'key'}'>
+- <input type='hidden' name='oldgrp1a' value='$fwdfwsettings{'oldgrp1a'}' />
+- <input type='hidden' name='oldgrp1b' value='$fwdfwsettings{'oldgrp1b'}' />
+- <input type='hidden' name='oldgrp2a' value='$fwdfwsettings{'oldgrp2a'}' />
+- <input type='hidden' name='oldgrp2b' value='$fwdfwsettings{'oldgrp2b'}' />
+- <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' />
+- <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' />
+- <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
+- <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
+- <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
+- <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
+- <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' />
+- <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+- </table></form>
+-END
+- }
+- &Header::closebox();
++ print<<END;
++ </select></td></tr>
++ </table><br><hr>
++END
++ #---ACTION------------------------------------------------------
++ if($fwdfwsettings{'updatefwrule'} ne 'on'){
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
++ <input type='hidden' name='config' value='$config' >
++ <input type='hidden' name='ACTION' value='saverule' >
++ </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++ </table></form>
++END
++ }else{
++ print<<END;
++ <table border='0' width='100%'>
++ <tr><td align='right'><input type='submit' value='$Lang::tr{'fwdfw change'}' style='min-width:100px;' /><input type='hidden' name='updatefwrule' value='$fwdfwsettings{'updatefwrule'}'><input type='hidden' name='key' value='$fwdfwsettings{'key'}'>
++ <input type='hidden' name='oldgrp1a' value='$fwdfwsettings{'oldgrp1a'}' />
++ <input type='hidden' name='oldgrp1b' value='$fwdfwsettings{'oldgrp1b'}' />
++ <input type='hidden' name='oldgrp2a' value='$fwdfwsettings{'oldgrp2a'}' />
++ <input type='hidden' name='oldgrp2b' value='$fwdfwsettings{'oldgrp2b'}' />
++ <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' />
++ <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' />
++ <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
++ <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
++ <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
++ <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
++ <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' />
++ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
++ </table></form>
++END
++ }
++ &Header::closebox();
++}
++sub pos_up
++{
++ my %uphash=();
++ my %tmp=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%uphash);
++ foreach my $key (sort keys %uphash){
++ if ($key eq $fwdfwsettings{'key'}) {
++ my $last = $key -1;
++ if (exists $uphash{$last}){
++ #save rule last
++ foreach my $y (0 .. $#{$uphash{$last}}) {
++ $tmp{0}[$y] = $uphash{$last}[$y];
++ }
++ #copy active rule to last
++ foreach my $i (0 .. $#{$uphash{$last}}) {
++ $uphash{$last}[$i] = $uphash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $uphash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%uphash);
++ &rules;
++}
++sub pos_down
++{
++ my %downhash=();
++ my %tmp=();
++ &General::readhasharray($fwdfwsettings{'config'}, \%downhash);
++ foreach my $key (sort keys %downhash){
++ if ($key eq $fwdfwsettings{'key'}) {
++ my $next = $key + 1;
++ if (exists $downhash{$next}){
++ #save rule next
++ foreach my $y (0 .. $#{$downhash{$next}}) {
++ $tmp{0}[$y] = $downhash{$next}[$y];
++ }
++ #copy active rule to next
++ foreach my $i (0 .. $#{$downhash{$next}}) {
++ $downhash{$next}[$i] = $downhash{$key}[$i];
++ }
++ #copy saved rule to actual position
++ foreach my $x (0 .. $#{$tmp{0}}) {
++ $downhash{$key}[$x] = $tmp{0}[$x];
++ }
++ }
++ }
++ }
++ &General::writehasharray($fwdfwsettings{'config'}, \%downhash);
++ &rules;
++}
++sub rules
++{
++ if (!-f "${General::swroot}/forward/reread"){
++ system("touch ${General::swroot}/forward/reread");
++ system("touch ${General::swroot}/fwhosts/reread");
++ }
++}
++sub reread_rules
++{
++ system("/usr/local/bin/forwardfwctrl");
++ if ( -f "${General::swroot}/forward/reread"){
++ system("rm ${General::swroot}/forward/reread");
++ system("rm ${General::swroot}/fwhosts/reread");
++ }
+ }
+ sub saverule
+ {
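Review bot: `pos_up` and `pos_down` pass `$fwdfwsettings{'config'}` to `General::readhasharray` and `General::writehasharray`, and the form in this same hunk round-trips that value as the hidden field `name='config'`, so the file that gets rewritten appears to be chosen by the request. Where `%fwdfwsettings` is filled is not visible here, but if it is the raw form data, the value should be checked against the fixed set of rule files this CGI manages before any read or write, e.g. `return unless grep { $_ eq $fwdfwsettings{'config'} } @rule_files;` (`@rule_files` is a placeholder for that list). Separately, the element-wise swap only walks `0 .. $#{$uphash{$last}}`, so two rules of different length end up truncated or keep stale trailing fields. Exchanging the array references instead, `@uphash{$last,$key} = @uphash{$key,$last};` (and the same for `%downhash`), avoids that and removes the `%tmp` copy.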
+@@ -1828,35 +1961,6 @@ sub saverule
+ }
+ }
+ }
+-sub error
+-{
+- if ($errormessage) {
+- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+- print "<class name='base'>$errormessage\n";
+- print " </class>\n";
+- &Header::closebox();
+- print"<hr>";
+- }
+-}
+-sub hint
+-{
+- if ($hint) {
+- &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'});
+- print "<class name='base'>$hint\n";
+- print " </class>\n";
+- &Header::closebox();
+- print"<hr>";
+- }
+-}
+-sub get_name
+-{
+- my $val=shift;
+- &General::setup_default_networks(\%defaultNetworks);
+- foreach my $network (sort keys %defaultNetworks)
+- {
+- return "$network" if ($val eq $defaultNetworks{$network}{'NAME'});
+- }
+-}
+ sub validremark
+ {
+ # Checks a hostname against RFC1035
+@@ -1877,75 +1981,6 @@ sub validremark
+ return 0;}
+ return 1;
+ }
+-sub getsrcport
+-{
+- my %hash=%{(shift)};
+- my $key=shift;
+- if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){
+- $hash{$key}[10]=~ s/\|/,/g;
+- print": $hash{$key}[10]";
+- }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
+- print": <br>$hash{$key}[9] ";
+- }
+-}
+-sub gettgtport
+-{
+- my %hash=%{(shift)};
+- my $key=shift;
+- my $service;
+- my $prot;
+- if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
+- if($hash{$key}[14] eq 'cust_srv'){
+- &General::readhasharray("$configsrv", \%customservice);
+- foreach my $i (sort keys %customservice){
+- if($customservice{$i}[0] eq $hash{$key}[15]){
+- $service = $customservice{$i}[0];
+- }
+- }
+- }elsif($hash{$key}[14] eq 'cust_srvgrp'){
+- $service=$hash{$key}[15];
+- }elsif($hash{$key}[14] eq 'TGT_PORT'){
+- $hash{$key}[15]=~ s/\|/,/g;
+- $service=$hash{$key}[15];
+- }
+- if($service){
+- print": $service";
+- }
+- }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
+- print":<br>$hash{$key}[13]";
+- }
+-}
+-sub get_serviceports
+-{
+- my $type=shift;
+- my $name=shift;
+- &General::readhasharray("$configsrv", \%customservice);
+- &General::readhasharray("$configsrvgrp", \%customservicegrp);
+- my $protocols;
+- my $tcp;
+- my $udp;
+- if($type eq 'service'){
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+- if ($customservice{$key}[0] eq $name){
+- $protocols=$customservice{$key}[2];
+- }
+- }
+- }elsif($type eq 'group'){
+- foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
+- if ($customservicegrp{$key}[0] eq $name){
+- foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+- if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
+- if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
+- }
+- }
+- }
+- }
+- }
+- if($tcp && $udp){$protocols="TCP,UDP";
+- }elsif($tcp){$protocols.="TCP";
+- }elsif($udp){$protocols.="UDP";}
+- return $protocols;
+-}
+ sub viewtablerule
+ {
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+@@ -2185,93 +2220,7 @@ END
+ }
+ }
+ }
+-sub getcolor
+-{
+- my $nettype=shift;
+- my $val=shift;
+- my $hash=shift;
+- if($optionsfw{'SHOWCOLORS'} eq 'on'){
+- #VPN networks
+- if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+- return;
+- }
+- if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
+- $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+- return;
+- }
+- #custom Hosts
+- if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
+- foreach my $key (sort keys %$hash){
+- if ($$hash{$key}[0] eq $val){
+- $val=$$hash{$key}[2];
+- }
+- }
+- }
+- #ALIASE
+- foreach my $alias (sort keys %aliases)
+- {
+- if ($val eq $alias){
+- $tdcolor="style='border: 2px solid red;'";
+- return;
+- }
+- }
+- #standard networks
+- if ($val eq 'GREEN'){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+- }elsif ($val eq 'ORANGE'){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+- }elsif ($val eq 'BLUE'){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+- }elsif ($val eq 'RED'){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
+- }elsif ($val eq 'IPFire' ){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
+- }elsif($val =~ /^(.*?)\/(.*?)$/){
+- my ($sip,$scidr) = split ("/",$val);
+- if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+- }
+- if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+- }
+- if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+- }
+- }elsif ($val eq 'Default IP'){
+- $tdcolor="style='border: 1px solid red;'";
+- }else{
+- $tdcolor='';
+- }
+- }
+-}
+-sub fillselect
+-{
+- my %hash=%{(shift)};
+- my $val=shift;
+- my $key;
+- foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+- if($hash{$key}[0] eq $val){
+- print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
+- }else{
+- print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
+- }
+- }
+-}
+-sub rules
+-{
+- if (!-f "${General::swroot}/forward/reread"){
+- system("touch ${General::swroot}/forward/reread");
+- system("touch ${General::swroot}/fwhosts/reread");
+- }
+-}
+-sub reread_rules
+-{
+- system("/usr/local/bin/forwardfwctrl");
+- if ( -f "${General::swroot}/forward/reread"){
+- system("rm ${General::swroot}/forward/reread");
+- system("rm ${General::swroot}/fwhosts/reread");
+- }
+-}
++
++
+ &Header::closebigbox();
+ &Header::closepage();
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index e608b0f..073565a 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1086,8 +1086,10 @@ sub addnet
+ $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td width='10%'>$Lang::tr{'name'}:</td><td width='20%' align='left'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'}><script>document.getElementById('textbox1').focus()</script></td><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14'></td><td align='right'>$Lang::tr{'netmask'}:</td><td align='right'><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14'></td></tr>
+- <tr><td width='10%'>$Lang::tr{'remark'}:</td><td colspan='5'><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98%;'></td></tr>
++ <tr><td width='15%'>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
++ <tr><td>$Lang::tr{'netmask'}:</td><td><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98.5%;'></td></tr>
+ <tr><td colspan='6'><br><hr></hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
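Review bot: The rewritten rows still interpolate `$fwhostsettings{'HOSTNAME'}`, `{'IP'}`, `{'SUBNET'}` and `{'NETREMARK'}` directly into single-quoted `value='…'` attributes, and the `$fwhostsettings{'error'} eq 'on'` branch just below suggests rejected input is shown again through this same form. If those values reach the heredoc unchanged from the request, a quote or angle bracket in them ends the attribute. HTML-encoding each value before it is printed closes that gap, for instance `&Header::cleanhtml($fwhostsettings{'NETREMARK'},"y")` if that helper is available in this tree. The added `maxlength='15'` is only a browser-side hint and does not replace the server-side check. The same pattern recurs in the addhost, addgrp, addservice and addservicegrp hunks of this file; addnet itself starts and ends outside this hunk.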
+@@ -1108,17 +1110,9 @@ sub addhost
+ $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'name'}:</td><td width='10%'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} ><script>document.getElementById('textbox1').focus()</script></td>
+-
+-END
+- #<td><select name='type'>
+- #if ($fwhostsettings{'type'} eq 'ip'){print "<option value='ip' selected >IP</option>";}else{print "<option value='ip' >IP</option>";}
+- #if ($fwhostsettings{'type'} eq 'mac'){print "<option value='mac' selected >MAC</option>";}else{print "<option value='mac' >MAC</option>";}
+- #</option></select></td>
+- print<<END;
+-
+- <td align='right'>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} ></td></tr>
+- <tr><td width='10%'>$Lang::tr{'remark'}:</td><td colspan='3' ><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:60%;'></td></tr>
++ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr>
+ <tr><td colspan='5'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+ <tr><td colspan='5'><hr></hr></td></tr>
+ END
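Review bot: The `IP/MAC` input now carries `maxlength='15'`, which fits a dotted IPv4 address but not a colon-separated MAC address (17 characters). If the field accepts MACs as its label and the `fwhost macwarn` text suggest, the browser will cut the entry short. Raise or drop the limit on this field, e.g. `size='14' maxlength='17'`. The server-side validation of `IP` is outside this hunk and still has to reject malformed values, since the attribute only constrains well-behaved browsers.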
+@@ -1126,9 +1120,9 @@ END
+ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
+ {
+
+- print " <td colspan='6' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgremark' value='$fwhostsettings{'orgremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
++ print " <td colspan='4' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgremark' value='$fwhostsettings{'orgremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
+ }else{
+- print " <td colspan='6' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}'style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
++ print " <td colspan='4' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}'style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
+ }
+ print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resethost'></td></tr></table></form>";
+ &Header::closebox();
+@@ -1140,7 +1134,14 @@ sub addgrp
+ &showmenu;
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'});
+ &General::setup_default_networks(\%defaultNetworks);
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ &General::readhasharray("$confignet", \%customnetwork);
++ &General::readhasharray("$configccdhost", \%ccdhost);
++ &General::readhasharray("$confighost", \%customhost);
++ &General::readhasharray("$configipsec", \%ipsecconf);
++
+ my %checked=();
++ my $show='';
+ $checked{'check1'}{'off'} = '';
+ $checked{'check1'}{'on'} = '';
+ $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED';
+@@ -1150,19 +1151,25 @@ sub addgrp
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td width='20%'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}'></td><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></tr>
+- <tr><td colspan='5'><br><hr></td></tr></table>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></td></tr>
++ <tr><td colspan='2'><br><hr></td></tr></table>
+ END
+ }else{
+ print<<END;
+ <table width='100%' border='0'><form method='post' style='display:inline'>
+- <tr><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp' value='$fwhostsettings{'grp_name'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='newrem' size='35' value='$fwhostsettings{'remark'}'></td><td><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='changegrpremark' ></td></tr></table></form>
++ <tr><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp' value='$fwhostsettings{'grp_name'}' readonly ></td><td></td></tr>
++ <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='newrem' size='45' value='$fwhostsettings{'remark'}' style='width:98%'></td><td align='right'><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='changegrpremark' ></td></tr></table></form>
+ <hr>
+ END
+ }
+ if ($fwhostsettings{'update'} eq 'on'){
+ print<<END;
+- <form method='post'><input type='hidden' name='remark' value='$rem'><input type='hidden' name='grp_name' value='$grp'><table width='100%' border='0'><tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
++ <form method='post'><input type='hidden' name='remark' value='$rem'><input type='hidden' name='grp_name' value='$grp'>
++ <table width='100%' border='0'>
++ <tr><td width=50% valign='top'>
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -1172,77 +1179,67 @@ END
+ print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+ }
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>
+-END
+- &General::readhasharray("$configccdnet", \%ccdnet);
+- foreach my $key (sort { uc($ccdnet{$a}[0]) cmp uc($ccdnet{$b}[0]) } keys %ccdnet)
+- {
+- print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
++ print"</select></td></tr>";
++ if (! -z $confignet){
++ print"<tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>";
++ foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
++ print"<option>$customnetwork{$key}[0]</option>";
++ }
++ print"</select></td></tr>";
+ }
+- print<<END;
+- </select></td></tr>
+- <tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>
+-END
+- &General::readhasharray("$confignet", \%customnetwork);
+- foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
+- print"<option>$customnetwork{$key}[0]</option>";
++ if (! -z $confighost){
++ print"<tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>";
++ foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
++ print"<option>$customhost{$key}[0]</option>";
++ }
++ print"</select></td></tr>";
++ }
++ print"</table>";
++ #Inner table right
++ print"</td><td valign='top'><table width='100%' border='0'>";
++ #OVPN networks
++ if (! -z $configccdnet){
++ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>";
++ foreach my $key (sort { uc($ccdnet{$a}[0]) cmp uc($ccdnet{$b}[0]) } keys %ccdnet)
++ {
++ print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
++ }
++ print"</select></td></tr>";
+ }
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>
+-END
+- &General::readhasharray("$configccdhost", \%ccdhost);
++ #OVPN clients
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
+ {
+ if ($ccdhost{$key}[33] ne ''){
++ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
+ print"<option value='$ccdhost{$key}[1]'>$ccdhost{$key}[1]</option>";
+ }
+ }
+- print<<END;
+- </select></td></tr>
+- <tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>
+-END
+- &General::readhasharray("$confighost", \%customhost);
+- foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
+- print"<option>$customhost{$key}[0]</option>";
+- }
+- print<<END;
+- </select></td><td width='1%'><input type='radio' name='grp2' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>
+-END
+- &General::readhasharray("$configccdhost", \%ccdhost);
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++ #OVPN n2n networks
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
+ if($ccdhost{$key}[3] eq 'net'){
++ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
+ print"<option>$ccdhost{$key}[1]</option>";
+ }
+ }
+- print<<END;
+- </select></td></tr>
+- <tr><td colspan='3'></td><td valign='top'><input type='radio' name='grp2' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>
+-END
+- &General::readhasharray("$configipsec", \%ipsecconf);
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++ #IPsec networks
+ foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) {
+ if ($ipsecconf{$key}[3] eq 'net'){
++ print"<td valign='top'><input type='radio' name='grp2' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
+ print"<option value='$ipsecconf{$key}[1]'>$ipsecconf{$key}[1]</option>";
+ }
+ }
+- print<<END;
+- </select></td></tr></table>
+-END
+-# <td colspan='3'></td><td valign='top'><input type='radio' name='grp2' value='ipsec_host' $checked{'grp2'}{'ipsec_host'}></td><td valign='top'>$Lang::tr{'fwhost ipsec host'}</td><td><select name='IPSEC_HOST' style='min-width:185px;'>
+-#END
+-# &General::readhasharray("$configipsec", \%ipsecconf);
+-# foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) {
+-# if ($ipsecconf{$key}[3] eq 'host'){
+-# print"<option>$ipsecconf{$key}[1]</option>";
+-# }
+-# }
+-# print<<END;
+-# </select></td></tr>
+-# <tr>
++ if ($show eq '1'){$show='';print"</select></td></tr>";}
++ print"</table>";
++ print"</td></tr></table>";
+ print"<br><br><b>$Lang::tr{'fwhost attention'}:</b><br> $Lang::tr{'fwhost macwarn'}<br><hr>";
+ }
+- print"<table border='0' width='100%'>";
+- print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=$fwhostsettings{'update'} ><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td></table></form>";
++ print"<table border='0' width='100%'>";
++ print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=$fwhostsettings{'update'} ><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td></table></form>";
+ &Header::closebox();
+ }
+ sub addservice
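Review bot: The four right-hand blocks (OVPN networks, OVPN clients, OVPN n2n, IPsec networks) open their row with `<td …>` but close it with `</td></tr>`, so each row is missing its `<tr>`; the left-hand blocks start with `print"<tr><td>…`. Each of those four strings should begin with `<tr><td` as well. The `! -z $confignet` style tests are also true when the file does not exist, which prints an empty `<select>`; `-s $confignet` is true only for an existing, non-empty file. On the last print line, `name='ACTION' value'reset'` is missing its `=`, so the Back form does not send `reset`. addgrp starts outside this hunk.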
+@@ -1258,7 +1255,8 @@ sub addservice
+ }
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td width='25%' nowrap='nowrap'><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}'><script>document.getElementById('textbox1').focus()</script></td><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td width='10%'><select name='PROT'>
++ <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}' size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
+ END
+ foreach ("TCP","UDP","ICMP")
+ {
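Review bot: `$fwhostsettings{'SRV_NAME'}` is interpolated straight into a single-quoted `value='...'` attribute on the new SRV_NAME row, with no HTML escaping at the point of output. The same pattern recurs in the later hunks of this file for `SRV_PORT`, `SRVGRP_NAME` and `SRVGRP_REMARK`. Whether these values are validated before they reach the heredoc is not visible here, so a stored or submitted value containing a quote or angle bracket may alter the admin page markup. Escape into a local first, e.g. `my $srv_name = &Header::cleanhtml($fwhostsettings{'SRV_NAME'}, 'y');` (assuming header.pl's `cleanhtml` helper is present in this tree), and interpolate that instead. `addservice` starts and ends outside the hunk.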
+@@ -1270,8 +1268,8 @@ END
+ }
+ }
+ print<<END;
+- </select></td><td width='2%'>$Lang::tr{'fwhost port'}:</td><td align='left'><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='9'></td></tr>
+- <tr><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td><select name='ICMP_TYPES'>
++ </select></td></tr>
++ <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td><select name='ICMP_TYPES'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+@@ -1280,7 +1278,8 @@ END
+ }
+
+ print<<END;
+- </select></td>
++ </select></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='14'></td></tr>
+ <tr><td colspan='6'><br><hr></td></tr>
+ <tr><td colspan='6' align='right'>
+ END
+@@ -1316,15 +1315,17 @@ sub addservicegrp
+ if ($fwhostsettings{'updatesrvgrp'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td width='20%'><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'></td><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width: 98%;'></td></tr>
+- <tr><td colspan='4'><br><hr></td></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width: 98%;'></td></tr>
++ <tr><td colspan='2'><br><hr></tr>
+ </table>
+ END
+ }else{
+ print<<END;
+ <table width='100%' border='0'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='srvgrp' value='$fwhostsettings{'SRVGRP_NAME'}' readonly ></td><td>$Lang::tr{'remark'}:</td><td width='1%'><input type='text' name='newsrvrem' size='35' value='$fwhostsettings{'SRVGRP_REMARK'}'></td><td><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldsrvrem' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='changesrvgrpremark' ></td></tr>
+- <tr><td colspan='5'><br><hr></td></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='srvgrp' value='$fwhostsettings{'SRVGRP_NAME'}' readonly size='14'></td><td width='3%'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='newsrvrem' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width:98%;'></td><td align='right'><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldsrvrem' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='changesrvgrpremark' ></td></tr>
++ <tr><td colspan='3'><br><hr></td></td></tr>
+ </table></form>
+ END
+ }
+@@ -1977,7 +1978,7 @@ sub decrease
+ if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){
+ foreach my $key1 (sort keys %customnetwork){
+ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
+- $customnetwork{$key1}[3]=$customnetwork{$key1}[3]-1;
++ $customnetwork{$key1}[4]=$customnetwork{$key1}[4]-1;
+ last;
+ }
+ }
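Review bot: The usage counter is now decremented at field 4 of the `%customnetwork` record here, and of `%customhost` in the next hunk, but nothing in the new line keeps it from going below zero. Whether the matching increment and the already-saved fwhosts records were moved to index 4 as well cannot be seen from this hunk; if they were not, the count drifts and an object still in use may look unused. A guard such as `$customnetwork{$key1}[4]-- if $customnetwork{$key1}[4] > 0;` plus a comment naming the field (for example `# [4] = usage counter`, wording to be confirmed against the record layout) would make the intent checkable. `decrease` starts and ends outside the hunk.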
+@@ -1986,7 +1987,7 @@ sub decrease
+ if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){
+ foreach my $key2 (sort keys %customhost){
+ if ($customhost{$key2}[0] eq $customgrp{$key}[2]){
+- $customhost{$key2}[3]=$customhost{$key2}[3]-1;
++ $customhost{$key2}[4]=$customhost{$key2}[4]-1;
+ last;
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 0dee8d019b45fbcf056c3f4b2aa57e706777cf51 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 28 Feb 2013 06:05:32 +0100
+Subject: [PATCH 154/302] Forward Firewall: added an option to
+ firewall-options to show all dropdowns on
+ rulecreation site.
+
+---
+ html/cgi-bin/forwardfw.cgi | 39 ++++++++++++++++++++++++---------------
+ html/cgi-bin/optionsfw.cgi | 31 ++++++++++++++++++-------------
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ lfs/configroot | 1 +
+ 5 files changed, 45 insertions(+), 28 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index b93557d..f48c240 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1026,7 +1026,7 @@ print<<END;
+ <table width='100%' border='0'>
+ <tr><td width='50%' valign='top'>
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td><select name='std_net_$srctgt' style='min-width:185px;'>
++ <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='min-width:185px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -1038,20 +1038,20 @@ END
+ }
+ print"</select></td></tr>";
+ #custom networks
+- if (! -z $confignet){
+- print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='cust_net_$srctgt' style='min-width:185px;'>";
++ if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
++ print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='min-width:185px;'>";
+ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom hosts
+- if (! -z $confighost){
+- print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td><select name='cust_host_$srctgt' style='min-width:185px;'>";
++ if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
++ print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='min-width:185px;'>";
+ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom groups
+- if (! -z $configgrp){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td><select name='cust_grp_$srctgt' style='min-width:185px;'>";
++ if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='min-width:185px;'>";
+ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
+ if($helper ne $customgrp{$key}[0]){
+ print"<option ";
+@@ -1065,43 +1065,52 @@ END
+ #End left table. start right table (vpn)
+ print"</tr></table></td><td valign='top'><table width='100%' border='0'><tr>";
+ # CCD networks
+- if( ! -z $configccdnet){
+- print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_net_$srctgt' style='min-width:185px;'>";
++ if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
++ print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='min-width:185px;'>";
+ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td></tr>";
+ }
+ #OVPN CCD Hosts
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
+- if ($ccdhost{$key}[33] ne ''){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_host_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ if ($ccdhost{$key}[33] ne '' ){
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+ print ">$ccdhost{$key}[1]</option>";
+ }
+ }
++ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='min-width:185px;'></select></td></tr>" ;
++ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #OVPN N2N
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
+ if ($ccdhost{$key}[3] eq 'net'){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'>" if ($show eq '');
+- my $show='1';
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+ print ">$ccdhost{$key}[1]</option>";
+ }
+ }
++ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'></select></td></tr>" ;
++ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #IPsec netze
+ foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+- if ($ipsecconf{$key}[3] eq 'net'){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td><select name='ipsec_net_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
+ print "<option ";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
+ print ">$ipsecconf{$key}[1]</option>";
+ }
+ }
++ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='min-width:185px;'><select></td></tr>";
++ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+
+ print"</tr></table>";
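Review bot: With SHOWDROPDOWN on, the new IPsec condition `$ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'` is true for every entry in `%ipsecconf`, so connections whose type is not `'net'` are also offered in the `ipsec_net_` dropdown. The OVPN blocks above keep their type test and rely on the separate fallback block for the empty case. The IPsec loop should do the same: `if ($ipsecconf{$key}[3] eq 'net'){`. The IPsec fallback line also prints `<select></td></tr>` where a closing tag is meant, i.e. `style='min-width:185px;'></select></td></tr>`. The same unclosed tag is carried into the later width-only patch for this file. The enclosing sub is not visible in the hunk.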
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 90c3a32..898ee28 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -38,6 +38,7 @@ $settings{'DROPWIRELESSFORWARD'} = 'on';
+ $settings{'SHOWCOLORS'} = 'off';
+ $settings{'SHOWREMARK'} = 'on';
+ $settings{'SHOWTABLES'} = 'on';
++$settings{'SHOWDROPDOWN'} = 'off';
+
+ my $errormessage = '';
+ my $warnmessage = '';
+@@ -103,12 +104,11 @@ $checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'";
+ $checked{'SHOWTABLES'}{'off'} = '';
+ $checked{'SHOWTABLES'}{'on'} = '';
+ $checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'";
+-$checked{'FWPOLICY'}{'DROP'} = '';
+-$checked{'FWPOLICY'}{'REJECT'} = '';
+-$checked{'FWPOLICY'}{$settings{'FWPOLICY'}} = "checked='checked'";
+-$checked{'FWPOLICY1'}{'DROP'} = '';
+-$checked{'FWPOLICY1'}{'REJECT'} = '';
+-$checked{'FWPOLICY1'}{$settings{'FWPOLICY1'}} = "checked='checked'";
++$checked{'SHOWDROPDOWN'}{'off'} = '';
++$checked{'SHOWDROPDOWN'}{'on'} = '';
++$checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'";
++$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
++$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
+
+
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
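Review bot: The new `$selected{'FWPOLICY'}` and `$selected{'FWPOLICY1'}` assignments only set the entry for the current value, unlike the `$checked{...}` groups around them, which first initialise every choice to `''`. The option that is not selected is therefore interpolated as an undefined value in the heredoc. A stored policy other than DROP or REJECT leaves neither option marked, so the form then shows the first option, which may not match the setting actually in effect. Mirror the neighbouring pattern with `$selected{'FWPOLICY'}{'DROP'} = '';` and `$selected{'FWPOLICY'}{'REJECT'} = '';` (likewise for `FWPOLICY1`) before the assignment. The declaration of `%selected` is not visible in this hunk and should be confirmed.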
+@@ -148,18 +148,23 @@ print <<END
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>on <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
+ <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings remark'}</td><td align='left'>on <input type='radio' name='SHOWREMARK' value='on' $checked{'SHOWREMARK'}{'on'} />/
+- <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
++ <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'fw settings ruletable'}</td><td align='left'>on <input type='radio' name='SHOWTABLES' value='on' $checked{'SHOWTABLES'}{'on'} />/
+ <input type='radio' name='SHOWTABLES' value='off' $checked{'SHOWTABLES'}{'off'} /> off</td></tr>
+-</table>
++<tr><td align='left' width='60%'>$Lang::tr{'fw settings dropdown'}</td><td align='left'>on <input type='radio' name='SHOWDROPDOWN' value='on' $checked{'SHOWDROPDOWN'}{'on'} />/
++ <input type='radio' name='SHOWDROPDOWN' value='off' $checked{'SHOWDROPDOWN'}{'off'} /> off</td></tr>
++</table>
+ <br />
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw default drop'}</b></td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td align='left'>DROP <input type='radio' name='FWPOLICY' value='DROP' $checked{'FWPOLICY'}{'DROP'} />/
+- <input type='radio' name='FWPOLICY' value='REJECT' $checked{'FWPOLICY'}{'REJECT'} /> REJECT</td></tr>
+-<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td align='left'>DROP <input type='radio' name='FWPOLICY1' value='DROP' $checked{'FWPOLICY1'}{'DROP'} />/
+- <input type='radio' name='FWPOLICY1' value='REJECT' $checked{'FWPOLICY1'}{'REJECT'} /> REJECT</td></tr>
+-
++<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td><select name='FWPOLICY'>
++<option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
++<option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
++</td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
++<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
++<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
++</td></tr>
+ </table>
+
+ <br />
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 428f60a..31ff6d5 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1039,6 +1039,7 @@
+ 'fw settings color' => 'Farben in Regeltabelle anzeigen',
+ 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
+ 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
++'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
+ 'fw logging' => 'Firewall-Logging',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 4cf99dc..1ec37e9 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1062,6 +1062,7 @@
+ 'fw settings color' => 'Show colors in ruletable',
+ 'fw settings remark' => 'Show remarks in ruletable',
+ 'fw settings ruletable' => 'Show empty ruletables',
++'fw settings dropdown' => 'Show all networks on rulecreation site',
+ 'fw logging' => 'Firewall logging',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+diff --git a/lfs/configroot b/lfs/configroot
+index 28fbafb..938886b 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -122,6 +122,7 @@ $(TARGET) :
+ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWDROPDOWN=off >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
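Review bot: The added `echo "SHOWDROPDOWN=off >> ...` recipe line never closes its double quote, so the shell sees an unterminated string that swallows the redirect. The step should then fail instead of writing the default. It should read `echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings`, matching the SHOWTABLES line above it. The rest of the `$(TARGET)` recipe lies outside the hunk.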
+--
+1.7.10.4
+
--- /dev/null
+From faede0fc2cd9a5d39cee1f639cdd2e465de37d16 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 28 Feb 2013 07:30:24 +0100
+Subject: [PATCH 155/302] Forward Firewall: reordered Firewall Menu and
+ changed header.pl to reflect the new menuposition
+ for Blue Access
+
+---
+ config/cfgroot/header.pl | 5 +----
+ config/menu/50-firewall.menu | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
+index bbb0eca..5a1ea52 100644
+--- a/config/cfgroot/header.pl
++++ b/config/cfgroot/header.pl
+@@ -148,11 +148,8 @@ sub genmenu {
+ eval `/bin/cat /var/ipfire/menu.d/*.menu`;
+ eval `/bin/cat /var/ipfire/menu.d/*.main`;
+
+- if (! blue_used() && ! orange_used()) {
+- $menu->{'05.firewall'}{'subMenu'}->{'40.dmz'}{'enabled'} = 0;
+- }
+ if (! blue_used()) {
+- $menu->{'05.firewall'}{'subMenu'}->{'30.wireless'}{'enabled'} = 0;
++ $menu->{'05.firewall'}{'subMenu'}->{'60.wireless'}{'enabled'} = 0;
+ }
+ if ( $ethsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $ethsettings{'RED_TYPE'} eq 'STATIC' ) {
+ $menu->{'03.network'}{'subMenu'}->{'70.aliases'}{'enabled'} = 1;
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index f8f8098..cc50bf6 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -10,18 +10,12 @@
+ 'title' => "$Lang::tr{'fwhost menu'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'29.optionsfw'} = {
++ $subfirewall->{'30.optionsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'30.wireless'} = {
+- 'caption' => $Lang::tr{'blue access'},
+- 'uri' => '/cgi-bin/wireless.cgi',
+- 'title' => "$Lang::tr{'blue access'}",
+- 'enabled' => 1,
+- };
+ $subfirewall->{'40.p2p'} = {
+ 'caption' => 'P2P-Block',
+ 'uri' => '/cgi-bin/p2p-block.cgi',
+@@ -34,6 +28,12 @@
+ 'title' => "$Lang::tr{'ssport forwarding'}",
+ 'enabled' => 1,
+ };
++ $subfirewall->{'60.wireless'} = {
++ 'caption' => $Lang::tr{'blue access'},
++ 'uri' => '/cgi-bin/wireless.cgi',
++ 'title' => "$Lang::tr{'blue access'}",
++ 'enabled' => 1,
++ };
+ $subfirewall->{'70.upnp'} = {
+ 'caption' => 'UPnP',
+ 'uri' => '/cgi-bin/upnp.cgi',
+--
+1.7.10.4
+
--- /dev/null
+From d1d5168e492c5f8f777ab541295d9800fef8e444 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 28 Feb 2013 08:13:13 +0100
+Subject: [PATCH 156/302] Forward Firewall: chnaged "Internet" to "INTERNET"
+ in dropdown (Target)
+
+---
+ config/cfgroot/general-functions.pl | 4 ++--
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ 4 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
+index 2c3e566..1f8f3b9 100644
+--- a/config/cfgroot/general-functions.pl
++++ b/config/cfgroot/general-functions.pl
+@@ -54,8 +54,8 @@ sub setup_default_networks
+ $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
+ if ($netsettings{'RED_DEV'} ne ''){
+- $defaultNetworks->{$Lang::tr{'red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}";
+- $defaultNetworks->{$Lang::tr{'red'}}{'NAME'} = "RED";
++ $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}";
++ $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'NAME'} = "RED";
+ }
+ if ($netsettings{'ORANGE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
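Review bot: The RED entry of `$defaultNetworks` is now keyed by `$Lang::tr{'fwdfw red'}`, a string this commit adds only to de.pl and en.pl according to its diffstat. If another language file is loaded without an English fallback (not visible here), the key is undefined and RED lands under an empty label. Any caller that still looks the entry up via `$Lang::tr{'red'}` would also miss it. Keying the hash by the stable `NAME` value and keeping the translation as a display field would avoid both problems; at minimum add a comment such as `# key is the translated label; 'fwdfw red' must exist in every language file`. `setup_default_networks` continues outside the hunk.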
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index f48c240..5703af7 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1030,8 +1030,8 @@ print<<END;
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+- next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
+- next if($defaultNetworks{$network}{'NAME'} eq "RED");
++ next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src');
++ next if($defaultNetworks{$network}{'NAME'} eq "IPFire" && $srctgt eq 'tgt');
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
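Review bot: The two new `next if` lines change more than the label: the old unconditional skip on `LOCATION eq "IPCOP"` is gone. RED is now selectable as a target, and the firewall's own entry is skipped only when `NAME eq "IPFire"` and `$srctgt eq 'tgt'`. Any other entry with `LOCATION` set to `"IPCOP"` (if `setup_default_networks` defines one) would now show up in both dropdowns, and the firewall itself becomes a selectable source. Since this decides which networks a rule can reference, state the intent next to the filters, e.g. `# RED is offered only as target, IPFire only as source`, and keep the `LOCATION` test if other firewall-local entries exist. The enclosing sub is not visible in the hunk.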
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 31ff6d5..bf3fdd1 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -918,6 +918,7 @@
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+ 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+ 'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
++'fwdfw red' => 'INTERNET',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regel Aktion:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1ec37e9..71a6c7d 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -941,6 +941,7 @@
+ 'fwdfw pol title' => 'Firewall default behavior',
+ 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+ 'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.',
++'fwdfw red' => 'INTERNET',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+--
+1.7.10.4
+
--- /dev/null
+From 7c23ebaeb7fbac8e46dbb1cbacefff683fd5452f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 28 Feb 2013 08:27:16 +0100
+Subject: [PATCH 157/302] Forward Firewall: LAyout change: All dropdowns now
+ have same size
+
+---
+ html/cgi-bin/forwardfw.cgi | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 5703af7..42a3f1c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1026,7 +1026,7 @@ print<<END;
+ <table width='100%' border='0'>
+ <tr><td width='50%' valign='top'>
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='min-width:185px;'>
++ <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='width:200px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -1039,19 +1039,19 @@ END
+ print"</select></td></tr>";
+ #custom networks
+ if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='min-width:185px;'>";
++ print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='width:200px;'>";
+ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom hosts
+ if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='min-width:185px;'>";
++ print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='width:200px;'>";
+ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom groups
+ if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='min-width:185px;'>";
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='width:200px;'>";
+ foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
+ if($helper ne $customgrp{$key}[0]){
+ print"<option ";
+@@ -1066,14 +1066,14 @@ END
+ print"</tr></table></td><td valign='top'><table width='100%' border='0'><tr>";
+ # CCD networks
+ if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='min-width:185px;'>";
++ print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='width:200px;'>";
+ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td></tr>";
+ }
+ #OVPN CCD Hosts
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
+ if ($ccdhost{$key}[33] ne '' ){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+@@ -1081,13 +1081,13 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='min-width:185px;'></select></td></tr>" ;
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'></select></td></tr>" ;
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #OVPN N2N
+ foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
+ if ($ccdhost{$key}[3] eq 'net'){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+@@ -1095,13 +1095,13 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='min-width:185px;'></select></td></tr>" ;
++ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'></select></td></tr>" ;
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #IPsec netze
+ foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
+ if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='min-width:185px;'>" if ($show eq '');
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+ print "<option ";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
+@@ -1109,7 +1109,7 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='min-width:185px;'><select></td></tr>";
++ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'><select></td></tr>";
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+
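Review bot: The placeholder row printed when `SHOWDROPDOWN` is on and no IPsec net was listed still ends in `<select name='ipsec_net_$srctgt' ...><select></td></tr>`, so the second tag opens another select instead of closing the first. The commit rewrites this line for the width change but keeps the malformed markup, while the OpenVPN placeholder rows in the same patch close theirs with `</select>`. Change the tail of the new line to `style='width:200px;'></select></td></tr>";`. The enclosing sub starts outside the hunk.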
+@@ -1534,7 +1534,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td align='right'><select name='ipfire' style='min-width:185px;'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td align='right'><select name='ipfire' style='width:200px;'>
+ END
+ print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
+
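Review bot: On the changed heredoc line, `value='$fwdfwsettings{'tgt_addr'}'` puts a submitted form value into a single-quoted HTML attribute without escaping, so a value containing `'` or `<` would end the attribute and be parsed as markup when the form is shown again. Whether `%fwdfwsettings` has been validated as an address before this print is not visible in the hunk, and a value that failed validation is typically what gets echoed back. HTML-escape the value into a local before the heredoc and interpolate that, for example `value='$tgt_addr_html'` (constructed name). The enclosing sub starts and ends outside the hunk.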
+--
+1.7.10.4
+
--- /dev/null
+From 795edbcc2e7ab1fb60f8f64f052e388094d68c2b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 28 Feb 2013 09:49:45 +0100
+Subject: [PATCH 158/302] Forward FIrewall: fixed typo
+
+---
+ lfs/configroot | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lfs/configroot b/lfs/configroot
+index 938886b..51ff8a8 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -122,7 +122,7 @@ $(TARGET) :
+ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "SHOWDROPDOWN=off >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
+--
+1.7.10.4
+
--- /dev/null
+From 675e3466a45437ffceb6ac6b5e23fe23cd38ca9a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 1 Mar 2013 10:43:25 +0100
+Subject: [PATCH 159/302] Forward Firewall: deleted creation of OVPNFORWARD
+ and the accept rule.
+
+---
+ src/misc-progs/openvpnctrl.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index e7b128a..e600b12 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -243,8 +243,8 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port)
+ executeCommand(str);
+ sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
++ //executeCommand(str);
+ }
+
+ void flushChain(char *chain) {
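Review bot: The two FORWARD lines are commented out rather than removed, here and in the flushChain, deleteChainReference, deleteChain, createChainReference and createChain hunks, leaving dead code with no explanation of why the tun+ ACCEPT rule is gone. Delete them and put one comment in their place, e.g. `/* The %sFORWARD chain and its tun+ ACCEPT rule are no longer created here (Forward Firewall change). */`. Because flushing and deleting `%sFORWARD` are disabled in the same commit, a chain and ACCEPT rule created by the previous binary would presumably stay loaded until the ruleset is rebuilt; that is worth stating in the commit message or handling once on upgrade.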
+@@ -252,8 +252,8 @@ void flushChain(char *chain) {
+
+ sprintf(str, "/sbin/iptables -F %sINPUT", chain);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
++ //executeCommand(str);
+ safe_system(str);
+ }
+
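Review bot: With the FORWARD `sprintf` commented out, the trailing `safe_system(str);` in flushChain now re-runs the INPUT flush that `executeCommand(str)` has just issued, because `str` still holds the `-F %sINPUT` command. The deleteChainReference hunk has the same leftover twice, so `-D INPUT -j %sINPUT` is issued three times, and the repeats either fail or remove further matching references. Remove the stray `safe_system(str);` calls together with the commented lines. What executeCommand does is not visible in these hunks, so this assumes it already executes the command.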
+@@ -263,8 +263,8 @@ void deleteChainReference(char *chain) {
+ sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
+ executeCommand(str);
+ safe_system(str);
+- sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
++ //executeCommand(str);
+ safe_system(str);
+ }
+
+@@ -273,8 +273,8 @@ void deleteChain(char *chain) {
+
+ sprintf(str, "/sbin/iptables -X %sINPUT", chain);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
++ //executeCommand(str);
+ }
+
+ void deleteAllChains(void) {
+@@ -294,16 +294,16 @@ void createChainReference(char *chain) {
+ char str[STRING_SIZE];
+ sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
++ //executeCommand(str);
+ }
+
+ void createChain(char *chain) {
+ char str[STRING_SIZE];
+ sprintf(str, "/sbin/iptables -N %sINPUT", chain);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
+- executeCommand(str);
++ //sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
++ //executeCommand(str);
+ }
+
+ void createAllChains(void) {
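Review bot: In createChainReference and createChain, `sprintf(str, ...)` formats `chain` into `char str[STRING_SIZE]` with no length bound, and the result is handed to a command runner. Where `chain` comes from is not visible in this hunk, so the risk is unconfirmed, but the bounded form costs nothing: `snprintf(str, sizeof(str), "/sbin/iptables -N %sINPUT", chain);`. The other functions touched by this commit use the same pattern, although their buffer declarations fall outside the hunks.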
+--
+1.7.10.4
+
--- /dev/null
+From c85f760df40819e61f0b6de9eebb4319025181e3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 2 Mar 2013 05:59:49 +0100
+Subject: [PATCH 160/302] Forward Firewall: patched /usr/libexec/_updown to
+ let IPsec crete RETURN instead of ACCEPT rules For
+ this there's a new folder /config/strongswan, in
+ wich the new _updown script is copied
+
+---
+ config/strongswan/_updown | 789 +++++++++++++++++++++++++++++++++++++++++++++
+ lfs/strongswan | 7 +-
+ 2 files changed, 794 insertions(+), 2 deletions(-)
+ create mode 100755 config/strongswan/_updown
+
+diff --git a/config/strongswan/_updown b/config/strongswan/_updown
+new file mode 100755
+index 0000000..d9f3ea0
+--- /dev/null
++++ b/config/strongswan/_updown
+@@ -0,0 +1,789 @@
++#! /bin/sh
++# iproute2 version, default updown script
++#
++# Copyright (C) 2003-2004 Nigel Meteringham
++# Copyright (C) 2003-2004 Tuomo Soini
++# Copyright (C) 2002-2004 Michael Richardson
++# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++
++# CAUTION: Installing a new version of strongSwan will install a new
++# copy of this script, wiping out any custom changes you make. If
++# you need changes, make a copy of this under another name, and customize
++# that, and use the (left/right)updown parameters in ipsec.conf to make
++# strongSwan use yours instead of this default one.
++
++# things that this script gets (from ipsec_pluto(8) man page)
++#
++# PLUTO_VERSION
++# indicates what version of this interface is being
++# used. This document describes version 1.1. This
++# is upwardly compatible with version 1.0.
++#
++# PLUTO_VERB
++# specifies the name of the operation to be performed
++# (prepare-host, prepare-client, up-host, up-client,
++# down-host, or down-client). If the address family
++# for security gateway to security gateway communica-
++# tions is IPv6, then a suffix of -v6 is added to the
++# verb.
++#
++# PLUTO_CONNECTION
++# is the name of the connection for which we are
++# routing.
++#
++# PLUTO_NEXT_HOP
++# is the next hop to which packets bound for the peer
++# must be sent.
++#
++# PLUTO_INTERFACE
++# is the name of the ipsec interface to be used.
++#
++# PLUTO_REQID
++# is the requid of the ESP policy
++#
++# PLUTO_ME
++# is the IP address of our host.
++#
++# PLUTO_MY_ID
++# is the ID of our host.
++#
++# PLUTO_MY_CLIENT
++# is the IP address / count of our client subnet. If
++# the client is just the host, this will be the
++# host's own IP address / max (where max is 32 for
++# IPv4 and 128 for IPv6).
++#
++# PLUTO_MY_CLIENT_NET
++# is the IP address of our client net. If the client
++# is just the host, this will be the host's own IP
++# address.
++#
++# PLUTO_MY_CLIENT_MASK
++# is the mask for our client net. If the client is
++# just the host, this will be 255.255.255.255.
++#
++# PLUTO_MY_SOURCEIP
++# PLUTO_MY_SOURCEIP4_$i
++# PLUTO_MY_SOURCEIP6_$i
++# contains IPv4/IPv6 virtual IP received from a responder,
++# $i enumerates from 1 to the number of IP per address family.
++# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
++# virtual IP, IPv4 or IPv6.
++#
++# PLUTO_MY_PROTOCOL
++# is the IP protocol that will be transported.
++#
++# PLUTO_MY_PORT
++# is the UDP/TCP port to which the IPsec SA is
++# restricted on our side.
++#
++# PLUTO_PEER
++# is the IP address of our peer.
++#
++# PLUTO_PEER_ID
++# is the ID of our peer.
++#
++# PLUTO_PEER_CA
++# is the CA which issued the cert of our peer.
++#
++# PLUTO_PEER_CLIENT
++# is the IP address / count of the peer's client sub-
++# net. If the client is just the peer, this will be
++# the peer's own IP address / max (where max is 32
++# for IPv4 and 128 for IPv6).
++#
++# PLUTO_PEER_CLIENT_NET
++# is the IP address of the peer's client net. If the
++# client is just the peer, this will be the peer's
++# own IP address.
++#
++# PLUTO_PEER_CLIENT_MASK
++# is the mask for the peer's client net. If the
++# client is just the peer, this will be
++# 255.255.255.255.
++#
++# PLUTO_PEER_PROTOCOL
++# is the IP protocol that will be transported.
++#
++# PLUTO_PEER_PORT
++# is the UDP/TCP port to which the IPsec SA is
++# restricted on the peer side.
++#
++# PLUTO_XAUTH_ID
++# is an optional user ID employed by the XAUTH protocol
++#
++# PLUTO_MARK_IN
++# is an optional XFRM mark set on the inbound IPsec SA
++#
++# PLUTO_MARK_OUT
++# is an optional XFRM mark set on the outbound IPsec SA
++#
++# PLUTO_UDP_ENC
++# contains the remote UDP port in the case of ESP_IN_UDP
++# encapsulation
++#
++# PLUTO_DNS4_$i
++# PLUTO_DNS6_$i
++# contains IPv4/IPv6 DNS server attribute received from a
++# responder, $i enumerates from 1 to the number of servers per
++# address family.
++#
++
++# define a minimum PATH environment in case it is not set
++PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
++export PATH
++
++# uncomment to log VPN connections
++VPN_LOGGING=1
++#
++# tag put in front of each log entry:
++TAG=vpn
++#
++# syslog facility and priority used:
++FAC_PRIO=local0.notice
++#
++# to create a special vpn logging file, put the following line into
++# the syslog configuration file /etc/syslog.conf:
++#
++# local0.notice -/var/log/vpn
++
++# in order to use source IP routing the Linux kernel options
++# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
++# must be enabled
++#
++# special routing table for sourceip routes
++SOURCEIP_ROUTING_TABLE=220
++#
++# priority of the sourceip routing table
++SOURCEIP_ROUTING_TABLE_PRIO=220
++
++# check interface version
++case "$PLUTO_VERSION" in
++1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
++ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
++ echo "$0: called by obsolete Pluto?" >&2
++ exit 2
++ ;;
++1.*) ;;
++*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
++ exit 2
++ ;;
++esac
++
++# check parameter(s)
++case "$1:$*" in
++':') # no parameters
++ ;;
++iptables:iptables) # due to (left/right)firewall; for default script only
++ ;;
++custom:*) # custom parameters (see above CAUTION comment)
++ ;;
++*) echo "$0: unknown parameters \`$*'" >&2
++ exit 2
++ ;;
++esac
++
++function ip_encode() {
++ local IFS=.
++
++ local int=0
++ for field in $1; do
++ int=$(( $(( $int << 8 )) | $field ))
++ done
++
++ echo $int
++}
++
++function ip_in_subnet() {
++ local netmask
++ netmask=$(_netmask $2)
++ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
++}
++
++function _netmask() {
++ local vlsm
++ vlsm=${1#*/}
++ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
++}
++
++# utility functions for route manipulation
++# Meddling with this stuff should not be necessary and requires great care.
++uproute() {
++ doroute add
++ ip route flush cache
++}
++downroute() {
++ doroute delete
++ ip route flush cache
++}
++
++addsource() {
++ st=0
++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
++ then
++ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
++ oops="`eval $it 2>&1`"
++ st=$?
++ if test " $oops" = " " -a " $st" != " 0"
++ then
++ oops="silent error, exit status $st"
++ fi
++ if test " $oops" != " " -o " $st" != " 0"
++ then
++ echo "$0: addsource \`$it' failed ($oops)" >&2
++ fi
++ fi
++ return $st
++}
++
++doroute() {
++ st=0
++
++ if [ -z "$PLUTO_MY_SOURCEIP" ]
++ then
++ for dir in /etc/sysconfig /etc/conf.d; do
++ if [ -f "$dir/defaultsource" ]
++ then
++ . "$dir/defaultsource"
++ fi
++ done
++
++ if [ -n "$DEFAULTSOURCE" ]
++ then
++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
++ fi
++ fi
++
++ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
++ then
++ # leave because no route entry is required
++ return $st
++ fi
++
++ parms1="$PLUTO_PEER_CLIENT"
++
++ if [ -n "$PLUTO_NEXT_HOP" ]
++ then
++ parms2="via $PLUTO_NEXT_HOP"
++ else
++ parms2="via $PLUTO_PEER"
++ fi
++ parms2="$parms2 dev $PLUTO_INTERFACE"
++
++ parms3=
++ if [ -n "$PLUTO_MY_SOURCEIP" ]
++ then
++ if test "$1" = "add"
++ then
++ addsource
++ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
++ then
++ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
++ fi
++ fi
++ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
++ fi
++
++ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
++ "0.0.0.0/0.0.0.0")
++ # opportunistic encryption work around
++ # need to provide route that eclipses default, without
++ # replacing it.
++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
++ ip route $1 128.0.0.0/1 $parms2 $parms3"
++ ;;
++ *) it="ip route $1 $parms1 $parms2 $parms3"
++ ;;
++ esac
++ oops="`eval $it 2>&1`"
++ st=$?
++ if test " $oops" = " " -a " $st" != " 0"
++ then
++ oops="silent error, exit status $st"
++ fi
++ if test " $oops" != " " -o " $st" != " 0"
++ then
++ echo "$0: doroute \`$it' failed ($oops)" >&2
++ fi
++ return $st
++}
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
++then
++ KLIPS=1
++ IPSEC_POLICY_IN=""
++ IPSEC_POLICY_OUT=""
++else
++ KLIPS=
++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ]
++then
++ S_MY_PORT="--sport $PLUTO_MY_PORT"
++ D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++if [ "$PLUTO_PEER_PORT" != 0 ]
++then
++ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# resolve octal escape sequences
++PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
++PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
++
++# the big choice
++case "$PLUTO_VERB:$1" in
++prepare-host:*|prepare-client:*)
++ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
++ then
++ # exit because no route will be added,
++ # so that existing routes can stay
++ exit 0
++ fi
++
++ # delete possibly-existing route (preliminary to adding a route)
++ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
++ "0.0.0.0/0.0.0.0")
++ # need to provide route that eclipses default, without
++ # replacing it.
++ parms1="0.0.0.0/1"
++ parms2="128.0.0.0/1"
++ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
++ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
++ ;;
++ *)
++ parms="$PLUTO_PEER_CLIENT"
++ it="ip route delete $parms 2>&1"
++ oops="`ip route delete $parms 2>&1`"
++ ;;
++ esac
++ status="$?"
++ if test " $oops" = " " -a " $status" != " 0"
++ then
++ oops="silent error, exit status $status"
++ fi
++ case "$oops" in
++ *'RTNETLINK answers: No such process'*)
++ # This is what route (currently -- not documented!) gives
++ # for "could not find such a route".
++ oops=
++ status=0
++ ;;
++ esac
++ if test " $oops" != " " -o " $status" != " 0"
++ then
++ echo "$0: \`$it' failed ($oops)" >&2
++ fi
++ exit $status
++ ;;
++route-host:*|route-client:*)
++ # connection to me or my client subnet being routed
++ uproute
++ ;;
++unroute-host:*|unroute-client:*)
++ # connection to me or my client subnet being unrouted
++ downroute
++ ;;
++up-host:)
++ # connection to me coming up
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++down-host:)
++ # connection to me going down
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++up-client:)
++ # connection to my client subnet coming up
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++down-client:)
++ # connection to my client subnet going down
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++up-host:iptables)
++ # connection to me, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ #
++ # log IPsec host connection setup
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++down-host:iptables)
++ # connection to me, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ #
++ # log IPsec host connection teardown
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++up-client:iptables)
++ # connection to client subnet, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
++ then
++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ fi
++ #
++ # log IPsec client connection setup
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
++
++ #
++ # Open Firewall for IPinIP + AH + ESP Traffic
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
++ # Add source nat so also the gateway can access the other nets
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? -eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
++ fi
++
++ # Flush routing cache
++ ip route flush cache
++ ;;
++down-client:iptables)
++ # connection to client subnet, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
++ then
++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j RETURN
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ fi
++ #
++ # log IPsec client connection teardown
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
++
++ #
++ # Close Firewall for IPinIP + AH + ESP Traffic
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
++ # remove source nat
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? -eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
++ fi
++
++ # Flush routing cache
++ ip route flush cache
++ ;;
++#
++# IPv6
++#
++prepare-host-v6:*|prepare-client-v6:*)
++ ;;
++route-host-v6:*|route-client-v6:*)
++ # connection to me or my client subnet being routed
++ #uproute_v6
++ ;;
++unroute-host-v6:*|unroute-client-v6:*)
++ # connection to me or my client subnet being unrouted
++ #downroute_v6
++ ;;
++up-host-v6:)
++ # connection to me coming up
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++down-host-v6:)
++ # connection to me going down
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++up-client-v6:)
++ # connection to my client subnet coming up
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++down-client-v6:)
++ # connection to my client subnet going down
++ # If you are doing a custom version, firewall commands go here.
++ ;;
++up-host-v6:iptables)
++ # connection to me, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ #
++ # log IPsec host connection setup
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++down-host-v6:iptables)
++ # connection to me, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ #
++ # log IPsec host connection teardown
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++up-client-v6:iptables)
++ # connection to client subnet, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
++ then
++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++ fi
++ #
++ # log IPsec client connection setup
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
++ ;;
++down-client-v6:iptables)
++ # connection to client subnet, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
++ then
++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j ACCEPT
++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j ACCEPT
++ fi
++ #
++ # log IPsec client connection teardown
++ if [ $VPN_LOGGING ]
++ then
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
++ ;;
++*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++ exit 1
++ ;;
++esac
+diff --git a/lfs/strongswan b/lfs/strongswan
+index 8e75329..f60ee65 100644
+--- a/lfs/strongswan
++++ b/lfs/strongswan
+@@ -77,8 +77,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+
+- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
+-
++ #cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
++
++ #WORKAROUND Forward Firewall
++ cp $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/
++
+ cd $(DIR_APP) && ./configure \
+ --prefix="/usr" \
+ --sysconfdir="/etc" \
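Review bot: The added `cp $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/` runs before `./configure` and the rest of the build, so if the install step later in this recipe (outside the hunk) writes its own `_updown` into the same directory, the workaround copy is overwritten and the unmodified hook is the one that ends up managing the IPsec firewall rules. It would also fail on a build root where `/usr/libexec/ipsec/` does not exist yet. Moving the line to after the install step, e.g. `install -m 0755 $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/_updown`, makes the installed script deterministic. The recipe continues past the end of the hunk.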
+--
+1.7.10.4
+
--- /dev/null
+From dad16cd16440c81bb4c345a15de7ab9b12345317 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 2 Mar 2013 06:11:16 +0100
+Subject: [PATCH 161/302] Forward Firewall: deleted outgoingfwmac, is now
+ useless
+
+---
+ src/initscripts/init.d/firewall | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index c225ca9..0c0d929 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -151,7 +151,6 @@ case "$1" in
+ /sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+- /sbin/iptables -N OUTGOINGFWMAC
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+ /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
+@@ -187,9 +186,6 @@ case "$1" in
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+
+- # Outgoing Firewall
+- /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+-
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+--
+1.7.10.4
+
--- /dev/null
+From 2e8d80638c2421eb012bdf3e7453193c3c1c4660 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sat, 2 Mar 2013 12:43:16 +0100
+Subject: [PATCH 162/302] Forward Firewall: update _updown on build
+
+---
+ lfs/strongswan | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lfs/strongswan b/lfs/strongswan
+index f60ee65..7284b81 100644
+--- a/lfs/strongswan
++++ b/lfs/strongswan
+@@ -79,9 +79,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+
+ #cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
+
+- #WORKAROUND Forward Firewall
+- cp $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/
+-
+ cd $(DIR_APP) && ./configure \
+ --prefix="/usr" \
+ --sysconfdir="/etc" \
+@@ -107,5 +104,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
+ ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
+
++ #Workaround Forward Firewall
++ cp $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/
+ #@rm -rf $(DIR_APP)
+ @$(POSTBUILD)
+--
+1.7.10.4
+
--- /dev/null
+From 1e68713a1c82c42faf30ab6abdca1b233a83d9bf Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 3 Mar 2013 05:14:22 +0100
+Subject: [PATCH 163/302] Forward Firewall: Added Firewall-Options for INPUT
+ Policy (DROP/REJECT) and built a new INPUT-POLICY
+ in firewall-policy.
+
+---
+ config/forwardfw/firewall-policy | 20 ++++++++++++++++----
+ html/cgi-bin/optionsfw.cgi | 5 +++++
+ langs/de/cgi-bin/de.pl | 4 ++--
+ langs/en/cgi-bin/en.pl | 4 ++--
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 90d8065..bbdec37 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -5,14 +5,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+ iptables -F POLICYFWD
+ iptables -F POLICYOUT
+-
++iptables -F POLICYIN
+
+ if [ "$POLICY" == "MODE1" ]; then
+ if [ "$FWPOLICY" == "REJECT" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+ fi
+ if [ "$FWPOLICY" == "DROP" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+@@ -27,7 +27,7 @@ if [ "$POLICY1" == "MODE1" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
++ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+ fi
+ if [ "$FWPOLICY1" == "DROP" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+@@ -36,4 +36,16 @@ if [ "$POLICY1" == "MODE1" ]; then
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+ fi
+-
++#INPUT
++if [ "$FWPOLICY2" == "REJECT" ]; then
++ if [ "$DROPINPUT" == "on" ]; then
++ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
++ fi
++ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
++fi
++if [ "$FWPOLICY2" == "DROP" ]; then
++ if [ "$DROPINPUT" == "on" ]; then
++ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ fi
++ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
++fi
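Review bot: The new INPUT block reuses the FORWARD labels: the REJECT rule is commented `REJECT_FORWARD`, and the DROP branch both logs and comments as `DROP_FORWARD`, so dropped input packets cannot be told apart from forward drops in the firewall log. These should read `--comment "REJECT_INPUT"`, `--log-prefix "DROP_INPUT"` and `--comment "DROP_INPUT"`. Separately, when `FWPOLICY2` is unset or holds any other value (for instance a settings file written before this option existed), neither branch runs and POLICYIN stays empty after the `iptables -F POLICYIN` at the top of the script. Replacing the second test with an `else` would make DROP the fallback.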
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 898ee28..9e39fbf 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -109,6 +109,7 @@ $checked{'SHOWDROPDOWN'}{'on'} = '';
+ $checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'";
+ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+ $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
++$selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';
+
+
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
+@@ -165,6 +166,10 @@ print <<END
+ <option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
+ <option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
+ </td></tr>
++<tr><td align='left' width='60%'>$Lang::tr{'drop action2'}</td><td><select name='FWPOLICY2'>
++<option value='DROP' $selected{'FWPOLICY2'}{'DROP'}>DROP</option>
++<option value='REJECT' $selected{'FWPOLICY2'}{'REJECT'}>REJECT</option></select>
++</td></tr>
+ </table>
+
+ <br />
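Review bot: `FWPOLICY2` is a new form field, and its value presumably ends up in /var/ipfire/optionsfw/settings, which firewall-policy loads with `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)`, so the save handler should accept only the two values this select offers. The handler is not in this hunk; unless it or readhash already filters the value, a check such as `$settings{'FWPOLICY2'} = 'DROP' unless $settings{'FWPOLICY2'} =~ /\A(?:DROP|REJECT)\z/;` before the settings are written would close that. The here-document this hunk extends starts and ends outside the hunk.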
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index c05cd82..546a162 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -186,7 +186,6 @@
+ 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
+ 'advproxy cache management' => 'Cacheverwaltung',
+ 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
+-'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
+ 'advproxy chgwebpwd ERROR' => 'F E H L E R :',
+ 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :',
+ 'advproxy chgwebpwd change password' => 'Passwort ändern',
+@@ -737,6 +736,7 @@
+ 'driver' => 'Treiber',
+ 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+ 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
++'drop action2' => 'Standardverhalten der (INPUT) Firewall',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+ 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+@@ -2364,7 +2364,7 @@
+ 'wlanap encryption' => 'Verschlüsselung',
+ 'wlanap informations' => 'Informationen',
+ 'wlanap interface' => 'Interface übernehmen',
+-'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 ASCII-Zeichen lang sein.',
++'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 Zeichen lang sein.',
+ 'wlanap link dhcp' => 'Wireless Lan DHCP-Einstellungen',
+ 'wlanap link wireless' => 'Wireless Lan Clients freischalten',
+ 'wlanap no interface' => 'Ausgewähltes Interface ist keine WLAN-Karte!',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index a7e36ad..123cbf6 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -187,7 +187,6 @@
+ 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
+ 'advproxy cache management' => 'Cache management',
+ 'advproxy cache replacement policy' => 'Cache replacement policy',
+-'advproxy cache-digest' => 'Enable Cache-Digest Generation',
+ 'advproxy chgwebpwd ERROR' => 'E R R O R :',
+ 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :',
+ 'advproxy chgwebpwd change password' => 'Change password',
+@@ -761,6 +760,7 @@
+ 'driver' => 'Driver',
+ 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+ 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
++'drop action2' => 'Default behaviour of (input) firewall',
+ 'drop input' => 'Log dropped input pakets',
+ 'drop newnotsyn' => 'Log dropped new not syn pakets',
+ 'drop forward' => 'Log dropped forward pakets',
+@@ -2397,7 +2397,7 @@
+ 'wlanap encryption' => 'Encryption',
+ 'wlanap informations' => 'Informations',
+ 'wlanap interface' => 'Select interface',
+-'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 ascii characters.',
++'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.',
+ 'wlanap link dhcp' => 'Wireless lan DHCP configuration',
+ 'wlanap link wireless' => 'Activate wireless lan clients',
+ 'wlanap no interface' => 'Selected interface is not a wirless lan card!',
+--
+1.7.10.4
+
--- /dev/null
+From fe852a3aa647f0513e580dd6c3368a723d800a07 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 3 Mar 2013 05:59:42 +0100
+Subject: [PATCH 164/302] Forward Firewall: /etc/init.d/firewall now creates
+ POLICYIN
+
+---
+ src/initscripts/init.d/firewall | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 0c0d929..31156b4 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -286,6 +286,8 @@ case "$1" in
+ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ #POLICY CHAIN
++ /sbin/iptables -N POLICYIN
++ /sbin/iptables -A INPUT -j POLICYIN
+ /sbin/iptables -N POLICYFWD
+ /sbin/iptables -A FORWARD -j POLICYFWD
+ /sbin/iptables -N POLICYOUT
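Review bot: POLICYIN is appended to INPUT here and, once firewall-policy fills it, ends in an unconditional DROP or REJECT, so any rule appended to INPUT later in this script (the `case "$1"` branch continues outside the hunk) can never match. A comment on the added lines would keep that ordering constraint visible, e.g. `# POLICYIN ends in DROP/REJECT: keep this the last jump in INPUT`. Until firewall-policy has run, the chain is empty, so what happens to unmatched input in that window depends on the chain policy or on later rules, neither of which the hunk shows.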
+--
+1.7.10.4
+
--- /dev/null
+From 61e13525d295c91fb3c3079b362025d765c31b5b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 3 Mar 2013 06:12:01 +0100
+Subject: [PATCH 165/302] Forward Firewall: Added configoption in Buildsystem
+ -< POLICY2='DROP' (for POLICYIN)
+
+---
+ lfs/configroot | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lfs/configroot b/lfs/configroot
+index 51ff8a8..f0fcbca 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -117,6 +117,7 @@ $(TARGET) :
+ echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
+--
+1.7.10.4
+
--- /dev/null
+From 991f59add21eba332aadff32445ef3edb9de967a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 3 Mar 2013 20:12:34 +0100
+Subject: [PATCH 166/302] Forward Firewall: Updated strongswan patch provided
+ my Michael. (Changes _updown script from FORWARD
+ ACCEPT to RETURN)
+
+---
+ config/strongswan/_updown | 789 -----------------------------
+ lfs/strongswan | 4 +-
+ src/patches/strongswan-4.5.3_ipfire.patch | 342 -------------
+ src/patches/strongswan-5.0.2_ipfire.patch | 348 +++++++++++++
+ 4 files changed, 349 insertions(+), 1134 deletions(-)
+ delete mode 100755 config/strongswan/_updown
+ delete mode 100644 src/patches/strongswan-4.5.3_ipfire.patch
+ create mode 100644 src/patches/strongswan-5.0.2_ipfire.patch
+
+diff --git a/config/strongswan/_updown b/config/strongswan/_updown
+deleted file mode 100755
+index d9f3ea0..0000000
+--- a/config/strongswan/_updown
++++ /dev/null
+@@ -1,789 +0,0 @@
+-#! /bin/sh
+-# iproute2 version, default updown script
+-#
+-# Copyright (C) 2003-2004 Nigel Meteringham
+-# Copyright (C) 2003-2004 Tuomo Soini
+-# Copyright (C) 2002-2004 Michael Richardson
+-# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+-#
+-# This program is free software; you can redistribute it and/or modify it
+-# under the terms of the GNU General Public License as published by the
+-# Free Software Foundation; either version 2 of the License, or (at your
+-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+-#
+-# This program is distributed in the hope that it will be useful, but
+-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+-# for more details.
+-
+-# CAUTION: Installing a new version of strongSwan will install a new
+-# copy of this script, wiping out any custom changes you make. If
+-# you need changes, make a copy of this under another name, and customize
+-# that, and use the (left/right)updown parameters in ipsec.conf to make
+-# strongSwan use yours instead of this default one.
+-
+-# things that this script gets (from ipsec_pluto(8) man page)
+-#
+-# PLUTO_VERSION
+-# indicates what version of this interface is being
+-# used. This document describes version 1.1. This
+-# is upwardly compatible with version 1.0.
+-#
+-# PLUTO_VERB
+-# specifies the name of the operation to be performed
+-# (prepare-host, prepare-client, up-host, up-client,
+-# down-host, or down-client). If the address family
+-# for security gateway to security gateway communica-
+-# tions is IPv6, then a suffix of -v6 is added to the
+-# verb.
+-#
+-# PLUTO_CONNECTION
+-# is the name of the connection for which we are
+-# routing.
+-#
+-# PLUTO_NEXT_HOP
+-# is the next hop to which packets bound for the peer
+-# must be sent.
+-#
+-# PLUTO_INTERFACE
+-# is the name of the ipsec interface to be used.
+-#
+-# PLUTO_REQID
+-# is the requid of the ESP policy
+-#
+-# PLUTO_ME
+-# is the IP address of our host.
+-#
+-# PLUTO_MY_ID
+-# is the ID of our host.
+-#
+-# PLUTO_MY_CLIENT
+-# is the IP address / count of our client subnet. If
+-# the client is just the host, this will be the
+-# host's own IP address / max (where max is 32 for
+-# IPv4 and 128 for IPv6).
+-#
+-# PLUTO_MY_CLIENT_NET
+-# is the IP address of our client net. If the client
+-# is just the host, this will be the host's own IP
+-# address.
+-#
+-# PLUTO_MY_CLIENT_MASK
+-# is the mask for our client net. If the client is
+-# just the host, this will be 255.255.255.255.
+-#
+-# PLUTO_MY_SOURCEIP
+-# PLUTO_MY_SOURCEIP4_$i
+-# PLUTO_MY_SOURCEIP6_$i
+-# contains IPv4/IPv6 virtual IP received from a responder,
+-# $i enumerates from 1 to the number of IP per address family.
+-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+-# virtual IP, IPv4 or IPv6.
+-#
+-# PLUTO_MY_PROTOCOL
+-# is the IP protocol that will be transported.
+-#
+-# PLUTO_MY_PORT
+-# is the UDP/TCP port to which the IPsec SA is
+-# restricted on our side.
+-#
+-# PLUTO_PEER
+-# is the IP address of our peer.
+-#
+-# PLUTO_PEER_ID
+-# is the ID of our peer.
+-#
+-# PLUTO_PEER_CA
+-# is the CA which issued the cert of our peer.
+-#
+-# PLUTO_PEER_CLIENT
+-# is the IP address / count of the peer's client sub-
+-# net. If the client is just the peer, this will be
+-# the peer's own IP address / max (where max is 32
+-# for IPv4 and 128 for IPv6).
+-#
+-# PLUTO_PEER_CLIENT_NET
+-# is the IP address of the peer's client net. If the
+-# client is just the peer, this will be the peer's
+-# own IP address.
+-#
+-# PLUTO_PEER_CLIENT_MASK
+-# is the mask for the peer's client net. If the
+-# client is just the peer, this will be
+-# 255.255.255.255.
+-#
+-# PLUTO_PEER_PROTOCOL
+-# is the IP protocol that will be transported.
+-#
+-# PLUTO_PEER_PORT
+-# is the UDP/TCP port to which the IPsec SA is
+-# restricted on the peer side.
+-#
+-# PLUTO_XAUTH_ID
+-# is an optional user ID employed by the XAUTH protocol
+-#
+-# PLUTO_MARK_IN
+-# is an optional XFRM mark set on the inbound IPsec SA
+-#
+-# PLUTO_MARK_OUT
+-# is an optional XFRM mark set on the outbound IPsec SA
+-#
+-# PLUTO_UDP_ENC
+-# contains the remote UDP port in the case of ESP_IN_UDP
+-# encapsulation
+-#
+-# PLUTO_DNS4_$i
+-# PLUTO_DNS6_$i
+-# contains IPv4/IPv6 DNS server attribute received from a
+-# responder, $i enumerates from 1 to the number of servers per
+-# address family.
+-#
+-
+-# define a minimum PATH environment in case it is not set
+-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+-export PATH
+-
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
+-# tag put in front of each log entry:
+-TAG=vpn
+-#
+-# syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice -/var/log/vpn
+-
+-# in order to use source IP routing the Linux kernel options
+-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+-# must be enabled
+-#
+-# special routing table for sourceip routes
+-SOURCEIP_ROUTING_TABLE=220
+-#
+-# priority of the sourceip routing table
+-SOURCEIP_ROUTING_TABLE_PRIO=220
+-
+-# check interface version
+-case "$PLUTO_VERSION" in
+-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+- echo "$0: called by obsolete Pluto?" >&2
+- exit 2
+- ;;
+-1.*) ;;
+-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+- exit 2
+- ;;
+-esac
+-
+-# check parameter(s)
+-case "$1:$*" in
+-':') # no parameters
+- ;;
+-iptables:iptables) # due to (left/right)firewall; for default script only
+- ;;
+-custom:*) # custom parameters (see above CAUTION comment)
+- ;;
+-*) echo "$0: unknown parameters \`$*'" >&2
+- exit 2
+- ;;
+-esac
+-
+-function ip_encode() {
+- local IFS=.
+-
+- local int=0
+- for field in $1; do
+- int=$(( $(( $int << 8 )) | $field ))
+- done
+-
+- echo $int
+-}
+-
+-function ip_in_subnet() {
+- local netmask
+- netmask=$(_netmask $2)
+- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+- local vlsm
+- vlsm=${1#*/}
+- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+-# utility functions for route manipulation
+-# Meddling with this stuff should not be necessary and requires great care.
+-uproute() {
+- doroute add
+- ip route flush cache
+-}
+-downroute() {
+- doroute delete
+- ip route flush cache
+-}
+-
+-addsource() {
+- st=0
+- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+- then
+- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+- oops="`eval $it 2>&1`"
+- st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: addsource \`$it' failed ($oops)" >&2
+- fi
+- fi
+- return $st
+-}
+-
+-doroute() {
+- st=0
+-
+- if [ -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- for dir in /etc/sysconfig /etc/conf.d; do
+- if [ -f "$dir/defaultsource" ]
+- then
+- . "$dir/defaultsource"
+- fi
+- done
+-
+- if [ -n "$DEFAULTSOURCE" ]
+- then
+- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+- fi
+- fi
+-
+- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- # leave because no route entry is required
+- return $st
+- fi
+-
+- parms1="$PLUTO_PEER_CLIENT"
+-
+- if [ -n "$PLUTO_NEXT_HOP" ]
+- then
+- parms2="via $PLUTO_NEXT_HOP"
+- else
+- parms2="via $PLUTO_PEER"
+- fi
+- parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+- parms3=
+- if [ -n "$PLUTO_MY_SOURCEIP" ]
+- then
+- if test "$1" = "add"
+- then
+- addsource
+- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+- then
+- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+- fi
+- fi
+- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+- fi
+-
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # opportunistic encryption work around
+- # need to provide route that eclipses default, without
+- # replacing it.
+- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+- ip route $1 128.0.0.0/1 $parms2 $parms3"
+- ;;
+- *) it="ip route $1 $parms1 $parms2 $parms3"
+- ;;
+- esac
+- oops="`eval $it 2>&1`"
+- st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: doroute \`$it' failed ($oops)" >&2
+- fi
+- return $st
+-}
+-
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+- KLIPS=1
+- IPSEC_POLICY_IN=""
+- IPSEC_POLICY_OUT=""
+-else
+- KLIPS=
+- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+-
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+- S_MY_PORT="--sport $PLUTO_MY_PORT"
+- D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
+-
+-# resolve octal escape sequences
+-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+-
+-# the big choice
+-case "$PLUTO_VERB:$1" in
+-prepare-host:*|prepare-client:*)
+- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- # exit because no route will be added,
+- # so that existing routes can stay
+- exit 0
+- fi
+-
+- # delete possibly-existing route (preliminary to adding a route)
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # need to provide route that eclipses default, without
+- # replacing it.
+- parms1="0.0.0.0/1"
+- parms2="128.0.0.0/1"
+- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+- ;;
+- *)
+- parms="$PLUTO_PEER_CLIENT"
+- it="ip route delete $parms 2>&1"
+- oops="`ip route delete $parms 2>&1`"
+- ;;
+- esac
+- status="$?"
+- if test " $oops" = " " -a " $status" != " 0"
+- then
+- oops="silent error, exit status $status"
+- fi
+- case "$oops" in
+- *'RTNETLINK answers: No such process'*)
+- # This is what route (currently -- not documented!) gives
+- # for "could not find such a route".
+- oops=
+- status=0
+- ;;
+- esac
+- if test " $oops" != " " -o " $status" != " 0"
+- then
+- echo "$0: \`$it' failed ($oops)" >&2
+- fi
+- exit $status
+- ;;
+-route-host:*|route-client:*)
+- # connection to me or my client subnet being routed
+- uproute
+- ;;
+-unroute-host:*|unroute-client:*)
+- # connection to me or my client subnet being unrouted
+- downroute
+- ;;
+-up-host:)
+- # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-host:)
+- # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-host:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+- fi
+- #
+- # a virtual IP requires an INPUT and OUTPUT rule on the host
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+-
+- #
+- # Open Firewall for IPinIP + AH + ESP Traffic
+- iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- if [ $VPN_LOGGING ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+- fi
+-
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+- ;;
+-down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j RETURN
+- fi
+- #
+- # a virtual IP requires an INPUT and OUTPUT rule on the host
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+-
+- #
+- # Close Firewall for IPinIP + AH + ESP Traffic
+- iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+- -s $PLUTO_PEER $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+- if [ $VPN_LOGGING ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+- fi
+-
+- # remove source nat
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+- ;;
+-#
+-# IPv6
+-#
+-prepare-host-v6:*|prepare-client-v6:*)
+- ;;
+-route-host-v6:*|route-client-v6:*)
+- # connection to me or my client subnet being routed
+- #uproute_v6
+- ;;
+-unroute-host-v6:*|unroute-client-v6:*)
+- # connection to me or my client subnet being unrouted
+- #downroute_v6
+- ;;
+-up-host-v6:)
+- # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-host-v6:)
+- # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client-v6:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client-v6:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-host-v6:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host-v6:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client-v6:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+- then
+- ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- fi
+- #
+- # a virtual IP requires an INPUT and OUTPUT rule on the host
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-down-client-v6:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+- then
+- ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- fi
+- #
+- # a virtual IP requires an INPUT and OUTPUT rule on the host
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+- exit 1
+- ;;
+-esac
+diff --git a/lfs/strongswan b/lfs/strongswan
+index 7284b81..8eb7554 100644
+--- a/lfs/strongswan
++++ b/lfs/strongswan
+@@ -77,7 +77,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+
+- #cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
++ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
+
+ cd $(DIR_APP) && ./configure \
+ --prefix="/usr" \
+@@ -104,7 +104,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
+ ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
+
+- #Workaround Forward Firewall
+- cp $(DIR_SRC)/config/strongswan/_updown /usr/libexec/ipsec/
+ #@rm -rf $(DIR_APP)
+ @$(POSTBUILD)
+diff --git a/src/patches/strongswan-4.5.3_ipfire.patch b/src/patches/strongswan-4.5.3_ipfire.patch
+deleted file mode 100644
+index 2ba975b..0000000
+--- a/src/patches/strongswan-4.5.3_ipfire.patch
++++ /dev/null
+@@ -1,342 +0,0 @@
+-diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in
+---- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200
+-+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200
+-@@ -183,6 +183,29 @@
+- ;;
+- esac
+-
+-+function ip_encode() {
+-+ local IFS=.
+-+
+-+ local int=0
+-+ for field in $1; do
+-+ int=$(( $(( $int << 8 )) | $field ))
+-+ done
+-+
+-+ echo $int
+-+}
+-+
+-+function ip_in_subnet() {
+-+ local netmask
+-+ netmask=$(_netmask $2)
+-+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-+}
+-+
+-+function _netmask() {
+-+ local vlsm
+-+ vlsm=${1#*/}
+-+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-+}
+-+
+- # utility functions for route manipulation
+- # Meddling with this stuff should not be necessary and requires great care.
+- uproute() {
+-@@ -387,12 +410,12 @@
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+-@@ -400,10 +423,10 @@
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+-- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+-+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+-- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-@@ -411,12 +434,12 @@
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+-@@ -424,10 +447,10 @@
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+-- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+-+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+-- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-@@ -437,10 +460,10 @@
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+-- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+-- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+-- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+-+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- fi
+-@@ -449,12 +472,12 @@
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+-- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- fi
+- #
+- # log IPsec client connection setup
+-@@ -463,12 +486,51 @@
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+-- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+-- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+-+
+-+ #
+-+ # Open Firewall for IPinIP + AH + ESP Traffic
+-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ if [ $VPN_LOGGING ]
+-+ then
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+-+ fi
+-+
+-+ # Add source nat so also the gateway can access the other nets
+-+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-+ if [ $? -eq 0 ]; then
+-+ src=${_src}
+-+ break
+-+ fi
+-+ done
+-+
+-+ if [ -n "${src}" ]; then
+-+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-+ else
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+-+ fi
+-+
+-+ # Flush routing cache
+-+ ip route flush cache
+- ;;
+- down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+-@@ -476,11 +538,11 @@
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+-- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+-- $IPSEC_POLICY_OUT -j ACCEPT
+-- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+-+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+-@@ -490,14 +552,14 @@
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+-- $IPSEC_POLICY_OUT -j ACCEPT
+-+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+- fi
+- #
+- # log IPsec client connection teardown
+-@@ -506,12 +568,51 @@
+- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+-- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+-- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+-+
+-+ #
+-+ # Close Firewall for IPinIP + AH + ESP Traffic
+-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+-+ -s $PLUTO_PEER $S_PEER_PORT \
+-+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+-+ if [ $VPN_LOGGING ]
+-+ then
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+-+ fi
+-+
+-+ # remove source nat
+-+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-+ if [ $? -eq 0 ]; then
+-+ src=${_src}
+-+ break
+-+ fi
+-+ done
+-+
+-+ if [ -n "${src}" ]; then
+-+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-+ else
+-+ logger -t $TAG -p $FAC_PRIO \
+-+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+-+ fi
+-+
+-+ # Flush routing cache
+-+ ip route flush cache
+- ;;
+- #
+- # IPv6
+-@@ -546,10 +647,10 @@
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+-- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- #
+-@@ -570,10 +671,10 @@
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+-- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- #
+-@@ -596,10 +697,10 @@
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+- then
+-- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+-- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- fi
+-@@ -608,10 +709,10 @@
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+-- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+-@@ -635,11 +736,11 @@
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+- then
+-- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+-- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+-@@ -649,11 +750,11 @@
+- # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+-- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+-- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+diff --git a/src/patches/strongswan-5.0.2_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch
+new file mode 100644
+index 0000000..6606095
+--- /dev/null
++++ b/src/patches/strongswan-5.0.2_ipfire.patch
+@@ -0,0 +1,348 @@
++diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
++index 3a40e21..d9f3ea0 100644
++--- a/src/_updown/_updown.in
+++++ b/src/_updown/_updown.in
++@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
++ ;;
++ esac
++
+++function ip_encode() {
+++ local IFS=.
+++
+++ local int=0
+++ for field in $1; do
+++ int=$(( $(( $int << 8 )) | $field ))
+++ done
+++
+++ echo $int
+++}
+++
+++function ip_in_subnet() {
+++ local netmask
+++ netmask=$(_netmask $2)
+++ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+++}
+++
+++function _netmask() {
+++ local vlsm
+++ vlsm=${1#*/}
+++ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+++}
+++
++ # utility functions for route manipulation
++ # Meddling with this stuff should not be necessary and requires great care.
++ uproute() {
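Review bot: `ip_in_subnet` and `_netmask` trust their arguments. A subnet passed without a `/len` suffix makes `${1#*/}` return the whole string, so `[ $vlsm -eq 0 ]` fails with an error, the netmask comes back empty, and every octet is fed unchecked into `$(( ))` arithmetic. A guard at the top of `ip_in_subnet`, such as `case "$2" in */*) ;; *) return 1 ;; esac`, would make that failure explicit instead of relying on a shell error. `field` in `ip_encode` is not declared local and leaks into the script's globals; `local field` fixes that. The `function name()` form and `local` are not POSIX sh, and the script's interpreter line is outside this hunk, so confirm it runs under bash.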
++@@ -397,12 +420,12 @@ up-host:iptables)
++ # connection to me, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ #
++ # log IPsec host connection setup
++ if [ $VPN_LOGGING ]
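Review bot: The value in `-j MARK --set-mark 50` on the IPSECOUTPUT rule is an undocumented magic number; nothing here says what mark 50 means or which later rule consumes it. MARK is non-terminating, so these packets are no longer accepted at this point and continue through the ruleset, and whether a later rule accepts marked traffic is not visible in this patch. A comment such as `# mark 50 = IPsec traffic, accepted later by <chain name>` or a single `IPSEC_MARK=50` variable would document it; the same literal recurs in the down-host, up-client and down-client hunks. The `-v6` hunks keep `-j ACCEPT`, so IPv4 and IPv6 tunnels now take different paths; confirm that is intended.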
++@@ -410,10 +433,10 @@ up-host:iptables)
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++@@ -421,12 +444,12 @@ down-host:iptables)
++ # connection to me, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
++ #
++ # log IPsec host connection teardown
++ if [ $VPN_LOGGING ]
++@@ -434,10 +457,10 @@ down-host:iptables)
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ fi
++ fi
++ ;;
++@@ -447,24 +470,24 @@ up-client:iptables)
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
++ then
++- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ fi
++ #
++ # log IPsec client connection setup
++@@ -473,12 +496,51 @@ up-client:iptables)
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
+++
+++ #
+++ # Open Firewall for IPinIP + AH + ESP Traffic
+++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ if [ $VPN_LOGGING ]
+++ then
+++ logger -t $TAG -p $FAC_PRIO \
+++ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+++ fi
+++
+++ # Add source nat so also the gateway can access the other nets
+++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+++ if [ $? -eq 0 ]; then
+++ src=${_src}
+++ break
+++ fi
+++ done
+++
+++ if [ -n "${src}" ]; then
+++ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+++ logger -t $TAG -p $FAC_PRIO \
+++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+++ else
+++ logger -t $TAG -p $FAC_PRIO \
+++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+++ fi
+++
+++ # Flush routing cache
+++ ip route flush cache
++ ;;
++ down-client:iptables)
++ # connection to client subnet, with (left/right)firewall=yes, going down
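Review bot: The rule commented as opening the firewall for IPinIP uses `-p IP`, which as far as I know resolves through /etc/protocols to protocol number 0, and iptables treats 0 as all protocols. The rule would then accept every packet from `$PLUTO_PEER` to `$PLUTO_ME` on that interface, not only IP-in-IP. The numeric protocol, `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \`, restricts it to encapsulated IP, and the matching `-D` rule in the down-client hunk needs the same change. `$S_PEER_PORT` and `$D_MY_PORT` are set outside this hunk; if they ever expand to port matches, iptables would reject the AH and ESP rules, so they are better dropped from these three rules. Separately, `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` runs unquoted file-derived text here and in the down-client hunk; `eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"` at least avoids word splitting and globbing, though what readhash filters is not visible here.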
++@@ -486,28 +548,28 @@ down-client:iptables)
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
++ then
++- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++- $IPSEC_POLICY_OUT -j ACCEPT
++- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++- $IPSEC_POLICY_IN -j ACCEPT
+++ $IPSEC_POLICY_IN -j RETURN
++ fi
++ #
++ # a virtual IP requires an INPUT and OUTPUT rule on the host
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++- $IPSEC_POLICY_OUT -j ACCEPT
+++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
++ fi
++ #
++ # log IPsec client connection teardown
++@@ -516,12 +578,51 @@ down-client:iptables)
++ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
++ then
++ logger -t $TAG -p $FAC_PRIO -- \
++- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ else
++ logger -t $TAG -p $FAC_PRIO -- \
++- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++ fi
+++
+++ #
+++ # Close Firewall for IPinIP + AH + ESP Traffic
+++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+++ -s $PLUTO_PEER $S_PEER_PORT \
+++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+++ if [ $VPN_LOGGING ]
+++ then
+++ logger -t $TAG -p $FAC_PRIO \
+++ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+++ fi
+++
+++ # remove source nat
+++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+++ if [ $? -eq 0 ]; then
+++ src=${_src}
+++ break
+++ fi
+++ done
+++
+++ if [ -n "${src}" ]; then
+++ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+++ logger -t $TAG -p $FAC_PRIO \
+++ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+++ else
+++ logger -t $TAG -p $FAC_PRIO \
+++ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+++ fi
+++
+++ # Flush routing cache
+++ ip route flush cache
++ ;;
++ #
++ # IPv6
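Review bot: The teardown branch logs `snat-` without checking whether the `iptables -t nat -D IPSECNAT` call removed anything, and `src` is re-derived from the ethernet settings as they stand at teardown time. If one of the GREEN/BLUE/ORANGE addresses changed while the tunnel was up, the delete targets a rule that does not exist and the SNAT rule added at up time stays in IPSECNAT. Appending a failure handler to the delete, `iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src || logger -t $TAG -p $FAC_PRIO "snat- failed: $PLUTO_MY_CLIENT - $src"`, would surface that. `src` is also never cleared before the loop, so a `src=` line ahead of the `for` would keep an inherited value from being used. The "Cannot remove NAT rule" message omits `$PLUTO_MY_CLIENT`, which the corresponding up-client message includes.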
++@@ -556,10 +657,10 @@ up-host-v6:iptables)
++ # connection to me, with (left/right)firewall=yes, coming up
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ #
++@@ -580,10 +681,10 @@ down-host-v6:iptables)
++ # connection to me, with (left/right)firewall=yes, going down
++ # This is used only by the default updown script, not by your custom
++ # ones, so do not mess with it; see CAUTION comment up at top.
++- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ #
++@@ -606,10 +707,10 @@ up-client-v6:iptables)
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
++ then
++- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++ fi
++@@ -618,10 +719,10 @@ up-client-v6:iptables)
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
++- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++ fi
++@@ -645,11 +746,11 @@ down-client-v6:iptables)
++ # ones, so do not mess with it; see CAUTION comment up at top.
++ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
++ then
++- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j ACCEPT
++- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++@@ -659,11 +760,11 @@ down-client-v6:iptables)
++ # or sometimes host access via the internal IP is needed
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
++ then
++- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN -j ACCEPT
++- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT -j ACCEPT
+--
+1.7.10.4
+
--- /dev/null
+From aed8a4ca12b935ecfa128a9c2f260bfee7bd117a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 3 Mar 2013 20:29:29 +0100
+Subject: [PATCH 167/302] Forward Firewall: Added versionnumber on bottom
+ right of firewall.
+
+---
+ html/cgi-bin/forwardfw.cgi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 42a3f1c..55f61eb 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,6 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
++my $VERSION='0.9.7.9';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -574,7 +575,9 @@ END
+ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='outgoing' /></tr>";
+ print "</table></form>";
+ &Header::closebox();
++ print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</div>";
+ }
++
+ sub changerule
+ {
+ my $oldchain=shift;
+--
+1.7.10.4
+
--- /dev/null
+From 9fa6431b8899ecdaf84b6a84cbc832a1995405d3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 4 Mar 2013 20:56:20 +0100
+Subject: [PATCH 168/302] Forward Firewall: Bugfix: When having more than 1
+ ICMP rule in a group, the rule is not created.
+
+Also changed (INPUT) to (Input) in firewall-options
+---
+ config/forwardfw/rules.pl | 33 ++++++++++++++++++++++++++-------
+ langs/de/cgi-bin/de.pl | 2 +-
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 764f6bc..8a3e029 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -120,7 +120,6 @@ if($param eq 'flush'){
+ system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
+ }
+ }
+-
+ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-policy");
+@@ -230,10 +229,20 @@ sub buildrules
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+- if ($$hash{$key}[17] eq 'ON'){
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ if(substr($DPORT, 2, 4) eq 'icmp'){
++ my @icmprule= split(",",substr($DPORT, 12,));
++ foreach (@icmprule){
++ if ($$hash{$key}[17] eq 'ON'){
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
++ }
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
++ }
++ }else{
++ if ($$hash{$key}[17] eq 'ON'){
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ }
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ }
+ }
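Review bot: The ICMP branch recognises the type list by fixed offsets, `substr($DPORT, 2, 4) eq 'icmp'` and `substr($DPORT, 12,)`, which only works while `$DPORT` begins with exactly the twelve characters `--icmp-type `. How `$DPORT` is built is outside this hunk, so at minimum a comment stating that assumption is needed above the test. A pattern match such as `if ($DPORT =~ /^--icmp-type\s+(.+)$/) { my @icmprule = split(",", $1);` states the intent and tolerates spacing changes. The same offsets are repeated in the `system` branch in the next hunk.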
+@@ -250,10 +259,20 @@ sub buildrules
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+- if ($$hash{$key}[17] eq 'ON'){
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
++ if(substr($DPORT, 2, 4) eq 'icmp'){
++ my @icmprule= split(",",substr($DPORT, 12,));
++ foreach (@icmprule){
++ if ($$hash{$key}[17] eq 'ON'){
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
++ }
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
++ }
++ }else{
++ if ($$hash{$key}[17] eq 'ON'){
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
++ }
++ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ }
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ }
+ }
+ }
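Review bot: The LOG rule for ICMP entries is built with `-- icmp-type $_` (a space after the dashes), so iptables will not see the `--icmp-type` option and the log rule is presumably rejected, while the action rule on the next line is still added; the print branch in the previous hunk has the correct spelling. The option should read `--icmp-type $_` as in the line below it. None of the `system` calls check the exit status, so a rejected rule goes unnoticed; testing the return value and logging failures would surface this kind of error. Each call also hands one interpolated string to the shell, so the fields read from the rule file have to be validated before they reach this point, or the list form of `system` used.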
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 546a162..ef511c2 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -736,7 +736,7 @@
+ 'driver' => 'Treiber',
+ 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+ 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
+-'drop action2' => 'Standardverhalten der (INPUT) Firewall',
++'drop action2' => 'Standardverhalten der (Input) Firewall',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+ 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+--
+1.7.10.4
+
--- /dev/null
+From bb6bdeb0c613e73096d1387214045ab0653e7d5c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 5 Mar 2013 06:00:07 +0100
+Subject: [PATCH 169/302] Forward Firewall: Fixed ruletable (view of
+ protocols)
+
+---
+ html/cgi-bin/forwardfw.cgi | 50 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 17 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 55f61eb..a12f1a8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.7.9';
++my $VERSION='0.9.8.0';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -96,7 +96,7 @@ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+ my $tdcolor='';
+ my $checkorange='';
+-
++my @protocols;
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+ &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+@@ -1223,13 +1223,14 @@ sub get_serviceports
+ my $name=shift;
+ &General::readhasharray("$configsrv", \%customservice);
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+- my $protocols;
+ my $tcp;
+ my $udp;
++ my $icmp;
++ @protocols=();
+ if($type eq 'service'){
+ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+ if ($customservice{$key}[0] eq $name){
+- $protocols=$customservice{$key}[2];
++ push (@protocols,$customservice{$key}[2]);
+ }
+ }
+ }elsif($type eq 'group'){
+@@ -1237,16 +1238,32 @@ sub get_serviceports
+ if ($customservicegrp{$key}[0] eq $name){
+ foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
+ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
+- if($customservice{$key1}[2] eq 'TCP'){$tcp='TCP';}else{$udp='UDP';}
++ if($customservice{$key1}[2] eq 'TCP'){
++ $tcp='TCP';
++ }elsif($customservice{$key1}[2] eq 'ICMP'){
++ $icmp='ICMP';
++ }elsif($customservice{$key1}[2] eq 'UDP'){
++ $udp='UDP';
++ }
+ }
+ }
+ }
+ }
+ }
+- if($tcp && $udp){$protocols="TCP,UDP";
+- }elsif($tcp){$protocols.="TCP";
+- }elsif($udp){$protocols.="UDP";}
+- return $protocols;
++ if($tcp && $udp && $icmp){
++ push (@protocols,"All");
++ return @protocols;
++ }
++ if($tcp){
++ push (@protocols,"TCP");
++ }
++ if($udp){
++ push (@protocols,"UDP");
++ }
++ if($icmp){
++ push (@protocols,"ICMP");
++ }
++ return @protocols;
+ }
+ sub getcolor
+ {
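Review bot: A service group containing TCP, UDP and ICMP members is reported as the literal `All`, which overstates what the rule matches (other IP protocols are not covered) and bypasses the translated `$Lang::tr{'all'}` that viewtablenew uses for unrestricted rules. In a table an operator reads to judge exposure, `TCP,UDP,ICMP` is the accurate display; dropping the early `return` and letting the three pushes below run gives that. get_serviceports now also fills the file-scoped `@protocols` as a side effect while returning it, so a short comment on which of the two the callers rely on would help.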
+@@ -2059,8 +2076,6 @@ sub viewtablenew
+ $$hash{$key}[2]='';
+ }
+ }
+- #$$hash{$key}[3]='';
+- #$$hash{$key}[5]='';
+ }
+ $$hash{'ACTIVE'}=$$hash{$key}[2];
+ $count++;
+@@ -2131,17 +2146,18 @@ END
+ #Get Protocol
+ my $prot;
+ if ($$hash{$key}[12]){ #target prot if manual
+- $prot=$$hash{$key}[12];
++ push (@protocols,$$hash{$key}[12]);
+ }elsif($$hash{$key}[8]){ #source prot if manual
+- $prot=$$hash{$key}[8];
++ push (@protocols,$$hash{$key}[8]);
+ }elsif($$hash{$key}[14] eq 'cust_srv'){
+- $prot=&get_serviceports("service",$$hash{$key}[15]);
++ &get_serviceports("service",$$hash{$key}[15]);
+ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+- $prot=&get_serviceports("group",$$hash{$key}[15]);
++ &get_serviceports("group",$$hash{$key}[15]);
+ }else{
+- $prot=$Lang::tr{'all'};
++ push (@protocols,$Lang::tr{'all'});
+ }
+- print"<td align='center'>$prot</td>";
++ my $protz=join(",",@protocols);
++ print"<td align='center'>$protz</td>";
+ if ($$hash{$key}[18] eq 'ON'){
+ my @days=();
+ if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
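Review bot: `@protocols` is file-scoped, and the two manual branches and the fallback branch push onto it without clearing it first, so protocol names from earlier rows can carry over into later rows of the table; only the `get_serviceports` calls reset it. Putting `@protocols=();` before the `if`, or using a lexical array filled from the return value of `get_serviceports`, keeps each row independent. `my $prot;` is now unused and can go. The values joined into `$protz` come from the rule file and are printed into the page unescaped; whether they are validated on save is not visible here.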
+--
+1.7.10.4
+
--- /dev/null
+From ebc860193bbeb17fbc625cae457fc29e55822f12 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 5 Mar 2013 09:47:21 +0100
+Subject: [PATCH 170/302] Forward Firewall: added --kerneltz option to
+ timeframe
+
+---
+ config/forwardfw/rules.pl | 2 +-
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 8a3e029..f1b80a8 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -210,7 +210,7 @@ sub buildrules
+ $TIME=join(",",@timeframe);
+ $TIMEFROM="--timestart $$hash{$key}[26] ";
+ $TIMETILL="--timestop $$hash{$key}[27] ";
+- $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
++ $TIME="-m time --kerneltz --weekdays $TIME $TIMEFROM $TIMETILL";
+ }
+ if ($MODE eq '1'){
+ print "NR:$key ";
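Review bot: `--kerneltz` makes the time match use the kernel's timezone offset instead of UTC, and that offset is only right if something sets it at boot and updates it when daylight saving changes; otherwise time-limited rules open and close at the wrong hour. Whether this system maintains the kernel timezone is not visible in the hunk, so the dependency deserves a comment on the line, e.g. `# --kerneltz: relies on the kernel tz offset being set and kept current across DST`. The body of buildrules continues outside the hunk.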
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index a12f1a8..24dbe29 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.8.0';
++my $VERSION='0.9.8.1';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+--
+1.7.10.4
+
--- /dev/null
+From 95358e2803621c9263fcfce075b1007c6138ac85 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 5 Mar 2013 11:21:13 +0100
+Subject: [PATCH 171/302] Forward Firewall: wrong <font> Tag leads to a
+ sidemenu with small font
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 24dbe29..8ffc200 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -575,7 +575,7 @@ END
+ print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='outgoing' /></tr>";
+ print "</table></form>";
+ &Header::closebox();
+- print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</div>";
++ print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</font></div>";
+ }
+
+ sub changerule
+--
+1.7.10.4
+
--- /dev/null
+From 70136e59ad8993fbe1ed065642ccc3a6a4fc4ae5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 5 Mar 2013 11:33:21 +0100
+Subject: [PATCH 172/302] Forward Firewall: New Version 0.9.8.2
+
+---
+ html/cgi-bin/forwardfw.cgi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8ffc200..fb0ef59 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.8.1';
++my $VERSION='0.9.8.2';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -2158,6 +2158,7 @@ END
+ }
+ my $protz=join(",",@protocols);
+ print"<td align='center'>$protz</td>";
++ @protocols=();
+ if ($$hash{$key}[18] eq 'ON'){
+ my @days=();
+ if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
+--
+1.7.10.4
+
--- /dev/null
+From 6e086a9b637d6db64cdd7242fffa2fa03501dd29 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Mar 2013 06:35:03 +0100
+Subject: [PATCH 173/302] Forward Firewall: Try to implement a timeconverter
+ for Rules. New function timeconvert should convert
+ localtime agains gmtime.
+
+---
+ html/cgi-bin/forwardfw.cgi | 62 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 58 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index fb0ef59..1caa348 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.8.2';
++my $VERSION='0.9.8.3';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -143,6 +143,12 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
++ #Konvert timeframe if defined
++ if ($fwdfwsettings{'TIME'} eq 'ON'){
++ $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'2utc');
++ $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'2utc');
++ print "NACHHER: $fwdfwsettings{'TIME_FROM'} - $fwdfwsettings{'TIME_TO'}<br>";
++ }
+ #DMZ-Part
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
+ $fwdfwsettings{'config'}=$configdmz;
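Review bot: The added `print "NACHHER: ..."` line is debug output that ends up in the rendered page on every save of a timed rule, and timeconvert in a later hunk has a matching `print"umrechnen nach UTC<br>";`; both should be removed. The conversion also runs on `TIME_FROM` and `TIME_TO` as submitted, before any format check visible in this hunk, so testing them against `/^\d{1,2}:\d{2}$/` and setting `$errormessage` on a mismatch ahead of the conversion would keep malformed values out of the rule file. The comment `#Konvert timeframe if defined` would read better as `# Convert time frame to UTC before saving`.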
+@@ -577,7 +583,6 @@ END
+ &Header::closebox();
+ print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</font></div>";
+ }
+-
+ sub changerule
+ {
+ my $oldchain=shift;
+@@ -1386,6 +1391,8 @@ sub newrule
+ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
+ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
+ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
++ $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+@@ -1478,7 +1485,8 @@ sub newrule
+ }
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+-
++ $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
++ $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
+ print <<END;
+ <form method="post">
+ <table border='0'>
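Review bot: newrule converts `TIME_FROM` and `TIME_TO` here and also in the previous hunk (after the `TIME_SUN` line), so on any path where the values are not reloaded in between, the offset is applied twice and the form shows a time shifted by double the UTC difference. The code between the two hunks is not visible, so this needs checking. Both calls pass `''` as the type, which falls into the same branch as `'2loc'`; passing `'2loc'` explicitly and converting once, only when `$fwdfwsettings{'TIME'} eq 'ON'`, would make the intent clear.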
+@@ -1990,6 +1998,49 @@ sub saverule
+ }
+ }
+ }
++sub timeconvert
++{
++ my $orgtime=shift;
++ my $type=shift;
++ my $newtime;
++ my ($hour,$min) = split (":", $orgtime);
++ my @locar = localtime(time);
++ my @gmtar = gmtime();
++ my $oldtime = $hour*60 + $min;
++ my $gmt = $gmtar[2]*60 + $gmtar[1];
++ my $loc = $locar[2]*60 + $locar[1];
++ my $diff;
++ my $newtime;
++ if ($gmt > $loc)
++ {
++ $diff = $gmt - $loc;
++ if ($type eq '2utc')
++ {
++ print"umrechnen nach UTC<br>";
++ $newtime = $oldtime + $diff;
++ }else{
++ $newtime = $oldtime - $diff;
++ }
++ }else{
++ $diff = $loc - $gmt;
++ if ($type eq '2utc')
++ {
++ $newtime = $oldtime - $diff;
++ }else{
++ $newtime = $oldtime + $diff;
++ }
++ }
++ if ($newtime < 0 ){
++ $newtime += 1440;
++ }
++ if ($newtime >= 1440){
++ $newtime -= 1440;
++ }
++ my $newhour =sprintf"%02d", $newtime/60;
++ my $newmin = sprintf"%02d",$newtime % 60;
++ $newtime = "$newhour:$newmin";
++ return $newtime;
++}
+ sub validremark
+ {
+ # Checks a hostname against RFC1035
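Review bot: Shifting only hours and minutes means a window that crosses midnight after conversion falls on a different UTC day, but the weekday flags saved with the rule are not adjusted, so (assuming the time match evaluates weekdays in UTC as well) a rule can be active on the wrong day; the weekday handling is outside this hunk. The offset is also taken from the clock at the moment of the call, so a stored rule moves by an hour when daylight saving changes. `my $newtime;` is declared twice, which masks the earlier declaration, and the `print"umrechnen nach UTC<br>";` debug line should be dropped. A header comment stating the expected `HH:MM` input and the meaning of `$type` is missing.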
+@@ -2170,7 +2221,10 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- print"<td align='center' width='100'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27]</td>";
++ my $from = &timeconvert($$hash{$key}[26],'2loc');
++ my $to = &timeconvert($$hash{$key}[27],'2loc');;
++
++ print"<td align='center' width='100'>$weekdays   $from - $to</td>";
+ }
+ }else{
+ print"<td align='center'>24/7</td>";
+--
+1.7.10.4
+
--- /dev/null
+From fbc9d7ad315c0f0b05a6cf48809375010e236847 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Mar 2013 07:43:28 +0100
+Subject: [PATCH 174/302] Forward Firewall: removed --kerneltz from rules.pl.
+ New function timeconvert in forwardfw.cgiu takes
+ care of timeconversion now
+
+---
+ config/forwardfw/rules.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index f1b80a8..8a3e029 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -210,7 +210,7 @@ sub buildrules
+ $TIME=join(",",@timeframe);
+ $TIMEFROM="--timestart $$hash{$key}[26] ";
+ $TIMETILL="--timestop $$hash{$key}[27] ";
+- $TIME="-m time --kerneltz --weekdays $TIME $TIMEFROM $TIMETILL";
++ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
+ }
+ if ($MODE eq '1'){
+ print "NR:$key ";
+--
+1.7.10.4
+
--- /dev/null
+From 099e95d0c98d31d69ca87b4eb347a898fe2a36f2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 7 Mar 2013 10:01:24 +0100
+Subject: [PATCH 175/302] Forward Firewall: put rule OUTGOING ACCEPT Related,
+ established into /etc/init.d/firewall deleted
+ ACCEPT OUTGOINGFW related,established from
+ POLICYOUT
+
+---
+ config/forwardfw/firewall-policy | 23 ++++++++++++-----------
+ src/initscripts/init.d/firewall | 6 +++++-
+ 2 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index bbdec37..3b7fa18 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -7,6 +7,7 @@ iptables -F POLICYFWD
+ iptables -F POLICYOUT
+ iptables -F POLICYIN
+
++#FORWARDFW
+ if [ "$POLICY" == "MODE1" ]; then
+ if [ "$FWPOLICY" == "REJECT" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+@@ -21,20 +22,20 @@ if [ "$POLICY" == "MODE1" ]; then
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+ fi
++#OUTGOINGFW
+ if [ "$POLICY1" == "MODE1" ]; then
+- /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+- if [ "$FWPOLICY1" == "REJECT" ]; then
+- if [ "$DROPOUTGOING" == "on" ]; then
+- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+- fi
+- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
++ if [ "$FWPOLICY1" == "REJECT" ]; then
++ if [ "$DROPOUTGOING" == "on" ]; then
++ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+- if [ "$FWPOLICY1" == "DROP" ]; then
+- if [ "$DROPOUTGOING" == "on" ]; then
+- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+- fi
+- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
++ fi
++ if [ "$FWPOLICY1" == "DROP" ]; then
++ if [ "$DROPOUTGOING" == "on" ]; then
++ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ fi
++ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++ fi
+ fi
+ #INPUT
+ if [ "$FWPOLICY2" == "REJECT" ]; then
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index e2a1e91..f25d9d1 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -149,10 +149,10 @@ case "$1" in
+ /sbin/iptables -N CUSTOMFORWARD
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
++ /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+- /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
+ /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ /sbin/iptables -t nat -N CUSTOMPOSTROUTING
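Review bot: Appending the ESTABLISHED,RELATED accept to OUTPUT ahead of the jump to CUSTOMOUTPUT means packets of established connections never reach CUSTOMOUTPUT or OUTGOINGFW, whereas before this change the accept sat inside OUTGOINGFW, after the custom chain. As far as the hunk shows, an administrator rule in CUSTOMOUTPUT meant to cut off or log an existing outbound flow now only sees new connections. If that is intended, say so in a comment above the line; otherwise place the accept after `/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT`.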
+@@ -173,6 +173,10 @@ case "$1" in
+ /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
++ # Accept everything on lo
++ iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
++ iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
++
+ # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+ /sbin/iptables -N IPSECINPUT
+ /sbin/iptables -N IPSECFORWARD
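Review bot: The two loopback rules call `iptables` through PATH while every other line in this script uses `/sbin/iptables`; use the absolute path here too so the init script does not depend on the caller's environment. The comment says "Accept everything on lo" but the rules match only `--state NEW` and rely on the ESTABLISHED,RELATED rules above for the rest. Either drop the state match or reword the comment to `# Accept new connections on lo (established traffic is accepted above)`.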
+--
+1.7.10.4
+
--- /dev/null
+From 50eff91c4bcd067b87d474ea071185175c8fb6b4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Mar 2013 08:38:41 +0100
+Subject: [PATCH 176/302] Forward Firewall: Fix ruletimes. Now the timevalues
+ which are entered in the gui are saved to the
+ rulefile. Wenn rule.pl is called, the script
+ calculates the difference to UTC time and sets the
+ iptables times accordingly.
+
+With this approach there's no need to save if the times are created in summertime or wintertime.
+---
+ config/forwardfw/rules.pl | 40 +++++++++++++++++++++++++--
+ html/cgi-bin/forwardfw.cgi | 65 +++++---------------------------------------
+ 2 files changed, 45 insertions(+), 60 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 8a3e029..fd441de 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -25,6 +25,7 @@
+ ###############################################################################
+
+ use strict;
++use Time::Local;
+ no warnings 'uninitialized';
+
+ # enable only the following on debugging purpose
+@@ -200,6 +201,10 @@ sub buildrules
+
+ #get time if defined
+ if($$hash{$key}[18] eq 'ON'){
++ my ($time1,$time2,$daylight);
++ my $daylight=$$hash{$key}[28];
++ $time1=&get_time($$hash{$key}[26],$daylight);
++ $time2=&get_time($$hash{$key}[27],$daylight);
+ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
+ if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
+ if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
+@@ -208,8 +213,9 @@ sub buildrules
+ if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
+ if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
+ $TIME=join(",",@timeframe);
+- $TIMEFROM="--timestart $$hash{$key}[26] ";
+- $TIMETILL="--timestop $$hash{$key}[27] ";
++
++ $TIMEFROM="--timestart $time1 ";
++ $TIMETILL="--timestop $time2 ";
+ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
+ }
+ if ($MODE eq '1'){
+@@ -287,6 +293,36 @@ sub buildrules
+ undef $TIMETILL;
+ }
+ }
++sub get_time
++{
++ my $val=shift;
++ my $val1=shift;
++ my $time;
++ my $minutes;
++ my $ruletime;
++ $minutes = &utcmin($val);
++ $ruletime = $minutes + &time_get_utc($val);
++ if ($ruletime < 0){$ruletime +=1440;}
++ if ($ruletime > 1440){$ruletime -=1440;}
++ $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
++ return $time;
++}
++sub time_get_utc
++{
++ # Calculates the UTCtime from a given time
++ my $val=shift;
++ my @localtime=localtime(time);
++ my @gmtime=gmtime(time);
++ my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
++ return $diff;
++}
++sub utcmin
++{
++ my $ruletime=shift;
++ my ($hrs,$min) = split(":",$ruletime);
++ my $newtime = $hrs*60+$min;
++ return $newtime;
++}
+ sub p2pblock
+ {
+ my $P2PSTRING;
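Review bot: The wrap-around test `if ($ruletime > 1440)` in get_time lets a value of exactly 1440 through, which formats as `24:00`; that is outside the 00:00 to 23:59 range the time match accepts, so the rule would presumably fail to load, and the earlier timeconvert used `>=`. It should be `if ($ruletime >= 1440){$ruletime -=1440;}`. `$val1` in get_time and `$val` in time_get_utc are never used, and in the first buildrules hunk of this file `$daylight` is declared twice with `my`. As with any hour-and-minute shift, a window that moves across midnight keeps its original weekday flags, so the day handling needs a look as well.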
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1caa348..1f3d6a9 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.8.3';
++my $VERSION='0.9.8.4';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -143,12 +143,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
+- #Konvert timeframe if defined
+- if ($fwdfwsettings{'TIME'} eq 'ON'){
+- $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'2utc');
+- $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'2utc');
+- print "NACHHER: $fwdfwsettings{'TIME_FROM'} - $fwdfwsettings{'TIME_TO'}<br>";
+- }
+ #DMZ-Part
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
+ $fwdfwsettings{'config'}=$configdmz;
+@@ -1391,11 +1385,10 @@ sub newrule
+ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
+ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
+ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
+- $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
+- $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -1485,8 +1478,10 @@ sub newrule
+ }
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+- $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
+- $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
++ if ($fwdfwsettings{'TIME'} eq 'ON'){
++ $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
++ $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
++ }
+ print <<END;
+ <form method="post">
+ <table border='0'>
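Review bot: This hunk still calls `&timeconvert` for `TIME_FROM` and `TIME_TO`, but the same commit deletes `sub timeconvert` from this file in the next hunk, so unless the function is defined elsewhere, opening the rule form with `TIME` set to `ON` will die with an undefined-subroutine error. Since the commit stores the GUI times unchanged and converts them in rules.pl, the whole `if ($fwdfwsettings{'TIME'} eq 'ON'){ ... }` block can be removed. newrule continues outside the hunk.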
+@@ -1998,49 +1993,6 @@ sub saverule
+ }
+ }
+ }
+-sub timeconvert
+-{
+- my $orgtime=shift;
+- my $type=shift;
+- my $newtime;
+- my ($hour,$min) = split (":", $orgtime);
+- my @locar = localtime(time);
+- my @gmtar = gmtime();
+- my $oldtime = $hour*60 + $min;
+- my $gmt = $gmtar[2]*60 + $gmtar[1];
+- my $loc = $locar[2]*60 + $locar[1];
+- my $diff;
+- my $newtime;
+- if ($gmt > $loc)
+- {
+- $diff = $gmt - $loc;
+- if ($type eq '2utc')
+- {
+- print"umrechnen nach UTC<br>";
+- $newtime = $oldtime + $diff;
+- }else{
+- $newtime = $oldtime - $diff;
+- }
+- }else{
+- $diff = $loc - $gmt;
+- if ($type eq '2utc')
+- {
+- $newtime = $oldtime - $diff;
+- }else{
+- $newtime = $oldtime + $diff;
+- }
+- }
+- if ($newtime < 0 ){
+- $newtime += 1440;
+- }
+- if ($newtime >= 1440){
+- $newtime -= 1440;
+- }
+- my $newhour =sprintf"%02d", $newtime/60;
+- my $newmin = sprintf"%02d",$newtime % 60;
+- $newtime = "$newhour:$newmin";
+- return $newtime;
+-}
+ sub validremark
+ {
+ # Checks a hostname against RFC1035
+@@ -2221,10 +2173,7 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- my $from = &timeconvert($$hash{$key}[26],'2loc');
+- my $to = &timeconvert($$hash{$key}[27],'2loc');;
+-
+- print"<td align='center' width='100'>$weekdays   $from - $to</td>";
++ print"<td align='center' width='100'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td>";
+ }
+ }else{
+ print"<td align='center'>24/7</td>";
+--
+1.7.10.4
+
--- /dev/null
+From 80a799c876a28df499cd9c71390b9f4e9039438e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 8 Mar 2013 08:58:22 +0100
+Subject: [PATCH 177/302] Forward Firewall: changes in de languagefile
+
+---
+ langs/de/cgi-bin/de.pl | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index ef511c2..94fec45 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -881,7 +881,7 @@
+ 'fwdfw action' => 'Aktion',
+ 'fwdfw menu' => 'Firewall',
+ 'fwdfw addrule' => 'Neue Regel hinzufügen:',
+-'fwdfw addr grp' => 'Adress Gruppen:',
++'fwdfw addr grp' => 'Adressgruppen:',
+ 'fwdfw change' => 'Aktualisieren',
+ 'fwdfw cust addr' => 'Custom Adressen:',
+ 'fwdfw cust net' => 'Custom Netzwerke:',
+@@ -909,7 +909,7 @@
+ 'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind',
+ 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+ 'fwdfw ipsec network' => 'IPsec Netzwerke:',
+-'fwdfw log rule' => 'Log Regel',
++'fwdfw log rule' => 'Logging aktivieren',
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
+@@ -922,7 +922,7 @@
+ 'fwdfw red' => 'INTERNET',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+-'fwdfw rule action' => 'Regel Aktion:',
++'fwdfw rule action' => 'Regelaktion:',
+ 'fwdfw rule activate' => 'Regel aktivieren',
+ 'fwdfw rulepos' => 'Regelposition',
+ 'fwdfw source' => 'Quelle',
+@@ -937,7 +937,7 @@
+ 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
+ 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.',
+ 'fwdfw use srcport' => 'Quellport benutzen',
+-'fwdfw use srv' => 'Ziel-Dienstport benutzen',
++'fwdfw use srv' => 'Zielport benutzen',
+ 'fwdfw newrule' => 'Neue Regel',
+ 'fwdfw wd_mon' => 'Mo',
+ 'fwdfw wd_tue' => 'Di',
+@@ -1003,13 +1003,13 @@
+ 'fwhost ipsec host' => 'IPsec Clients:',
+ 'fwhost ipsec net' => 'IPsec Netzwerke:',
+ 'fwhost netaddress' => 'Netzwerk Adresse',
+-'fwhost newnet' => 'Netz-Einstellungen',
+-'fwhost newhost' => 'Adress-Einstellungen',
+-'fwhost newgrp' => 'Adress-Gruppierung',
+-'fwhost newservice' => 'Dienst-Einstellungen',
+-'fwhost newservicegrp' => 'Dienst-Gruppierung',
++'fwhost newnet' => 'Netzeinstellungen',
++'fwhost newhost' => 'Adresseinstellungen',
++'fwhost newgrp' => 'Adressgruppierung',
++'fwhost newservice' => 'Diensteinstellungen',
++'fwhost newservicegrp' => 'Dienstgruppierung',
+ 'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+-'fwhost menu' => 'Firewall-Gruppen',
++'fwhost menu' => 'Firewallgruppen',
+ 'fwhost orange' => 'Orange',
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+--
+1.7.10.4
+
--- /dev/null
+From 9e19c93f2d17b961926f15b2736f3e129eaab5a0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 12 Mar 2013 14:46:16 +0100
+Subject: [PATCH 178/302] Forward Firewall: fixed a bug in convert-outgoingfw.
+ THe hosts are created with wrong amount of fields
+ in hasharray. Also fixed a bug which sets wrong
+ firewall mode for FORWARD when outgoing rules are
+ used.
+
+---
+ config/forwardfw/convert-outgoingfw | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index e7d8e80..f337474 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -186,7 +186,8 @@ sub new_hostgrp
+ $hosts{$key}[0] = $name2;
+ $hosts{$key}[1] = $type;
+ $hosts{$key}[2] = $mac;
+- $hosts{$key}[3] = 1;
++ $hosts{$key}[3] = '';
++ $hosts{$key}[4] = 1;
+ print LOG "->Host (MAC) $mac added to custom hosts\n";
+ }else{
+ print LOG "->Host (MAC) $mac already exists\n";
+@@ -250,21 +251,20 @@ sub process_rules
+ {
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+ &General::readhash($fwdfwsettings,\%fwdsettings);
++ print "altefirewall hat modus: $outsettings{'POLICY'}\n";
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+ $fwdfwsettings{'POLICY'}='MODE1';
+- }else{
+- $fwdsettings{'POLICY'}='MODE2';
+- }
+- &General::writehash($fwdfwsettings,\%fwdsettings);
+- if ($outsettings{'POLICY'} eq 'MODE1'){
+ $type='ALLOW';
+ $action='ACCEPT';
+ }elsif($outsettings{'POLICY'} eq 'MODE2'){
++ $fwdsettings{'POLICY'}='MODE2';
+ $type='DENY';
+ $action='DROP';
+ }else{
+ return;
+ }
++ &General::writehash($fwdfwsettings,\%fwdsettings);
++
+ #open LOG
+ if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+ open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
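Review bot: The MODE1 branch assigns `$fwdfwsettings{'POLICY'}='MODE1';`, but the hash read before the branch and written after it is `%fwdsettings`, so as far as this hunk shows the MODE1 policy never reaches the settings file while MODE2 does. The line should read `$fwdsettings{'POLICY'}='MODE1';`, matching the MODE2 branch. `$fwdfwsettings` is also the scalar holding the file path passed to readhash/writehash, which makes the slip easy to overlook. A converter that leaves the new firewall on a different default policy than the old one changes which traffic is forwarded. process_rules continues outside the hunk.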
+@@ -289,7 +289,6 @@ sub process_rules
+ }else{
+ push(@prot,$configline[3]);
+ }
+-
+ if($configline[4] ne ''){
+ $configline[4] =~ s/,/;/g;
+ $remark = $configline[4];
+@@ -326,6 +325,7 @@ sub process_rules
+ $source='IPFire';
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ $fwdsettings{'POLICY1'}=$outsettings{'POLICY'};
++ $fwdsettings{'POLICY'}=$outsettings{'POLICY'};
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+ }elsif ($configline[2] eq 'blue') {
+ $grp1='std_net_src';
+@@ -398,6 +398,7 @@ sub process_rules
+ my @values=();
+ my @parts=split(",",$configline[8]);
+ foreach (@parts){
++ $_=~ tr/-/:/;
+ if (!($_ =~ /^(\d+)\:(\d+)$/)) {
+ if(&General::validport($_)){
+ $useport='ON';
+--
+1.7.10.4
+
--- /dev/null
+From 1a939422cf4f2e9c82f4c9b546e28827748acbb8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 12 Mar 2013 14:51:34 +0100
+Subject: [PATCH 179/302] Forward Firewall: forgot to delete devel-comment
+
+---
+ config/forwardfw/convert-outgoingfw | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index f337474..e118c08 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -251,7 +251,6 @@ sub process_rules
+ {
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+- print "altefirewall hat modus: $outsettings{'POLICY'}\n";
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+ $fwdfwsettings{'POLICY'}='MODE1';
+ $type='ALLOW';
+--
+1.7.10.4
+
--- /dev/null
+From 467439de83f2958ee960ef5b2b57bc03bf0fdf57 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 13 Mar 2013 06:02:35 +0100
+Subject: [PATCH 180/302] Forward Firewall: fix converter for outgoingfw.
+ remarkfield (new) was not implemented here fwhosts:
+ Some layout changes in tables (cellspacing='0')
+
+---
+ config/forwardfw/convert-outgoingfw | 22 +++++++++++++++++-----
+ html/cgi-bin/fwhosts.cgi | 20 ++++++++++----------
+ 2 files changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index e118c08..ccb3ea4 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -96,6 +96,7 @@ sub process_groups
+ }
+ &new_hostgrp($group,'mac');
+ @hostarray=();
++ @zeilen=();
+ }
+ close (LOG);
+ }
+@@ -144,10 +145,14 @@ sub new_hostgrp
+ $hosts{$key}[0] = $name2;
+ $hosts{$key}[1] = $type;
+ $hosts{$key}[2] = $ip;
+- $hosts{$key}[3] = 1;
++ $hosts{$key}[3] = '';
++ $hosts{$key}[4] = 1;
+ print LOG "->Host (IP) $ip added to custom hosts\n"
+ }else{
+- print LOG "->Host (IP) $ip already exists\n";
++ print LOG "->Host (IP) $ip already exists in custom hosts\n";
++ $name="host ";
++ $name2=$name.$ippart;
++ $name3="Custom Host";
+ }
+ }elsif($byte4 < '255'){
+ print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
+@@ -159,10 +164,14 @@ sub new_hostgrp
+ $nets{$netkey}[0] = $name2;
+ $nets{$netkey}[1] = $ippart;
+ $nets{$netkey}[2] = $subnet;
+- $nets{$netkey}[3] = 1;
++ $nets{$netkey}[3] = '';
++ $nets{$netkey}[4] = 1;
+ print LOG "->Network $ippart/$subnet added to custom networks\n";
+ }else{
+- print LOG "Network $ippart already exists\n";
++ print LOG "Network $ippart already exists in custom networks\n";
++ $name="net ";
++ $name2=$name.$ippart;
++ $name3="Custom Network";
+ }
+ }
+ if($name2){
+@@ -190,7 +199,10 @@ sub new_hostgrp
+ $hosts{$key}[4] = 1;
+ print LOG "->Host (MAC) $mac added to custom hosts\n";
+ }else{
+- print LOG "->Host (MAC) $mac already exists\n";
++ print LOG "->Host (MAC) $mac already exists in custom hosts \n";
++ $name="host ";
++ $name2=$name.$mac;
++ $name3="Custom Host";
+ }
+ if($name2){
+ my $grpkey = &General::findhasharraykey(\%groups);
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 073565a..fd1da8a 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1364,7 +1364,7 @@ sub viewtablenet
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+ print<<END;
+- <table border='0' width='100%'>
++ <table border='0' width='100%' cellspacing='0'>
+ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'netmask'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
+ END
+ }
+@@ -1380,7 +1380,7 @@ END
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
+ print<<END;
+- <td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%'>$customnetwork{$key}[1]</td><td width='15%'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>
++ <td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>$customnetwork{$key}[1]</td><td width='15%' align='center'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+ <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' />
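Review bot: The rewritten row prints `$customnetwork{$key}[0]` through `[4]`, including the free-text remark in `[3]`, straight into table cells and into `value='…'` without HTML-escaping. If the save path does not already restrict these fields (not visible here), stored markup would be rendered in the admin UI, so the values should be escaped at output. The same pattern is in the viewtablehost row two hunks further down (`$customhost{$key}[3]`). The new line also carries a malformed attribute, `<td width=15%' align='center'>`, which should be `<td width='15%' align='center'>`. The enclosing sub starts and ends outside the hunk.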
+@@ -1412,7 +1412,7 @@ sub viewtablehost
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+ print<<END;
+- <table border='0' width='100%'>
++ <table border='0' width='100%' cellspacing='0'>
+ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
+ END
+ }
+@@ -1425,7 +1425,7 @@ END
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+ $customhost{$key}[4]=~s/\s+//g;
+ print<<END;
+- <td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%'>$ip</td><td width='50%'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>
++ <td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%' align='center'>$ip</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+@@ -1493,7 +1493,7 @@ sub viewtablegrp
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='ACTION' value='delgrp'></form>";
+ }
+ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='remark' value='$remark' ><input type='hidden' name='ACTION' value='editgrp'></form>";
+- print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td><td></td></tr>";
++ print"<table width='100%' style='border: 1px solid #CCCCCC;' rules='none' cellspacing='0'><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td><td></td></tr>";
+ }
+
+ if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) {
+@@ -1505,16 +1505,16 @@ sub viewtablegrp
+ }
+ my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]);
+ if ($ip eq ''){print"<tr bgcolor='${Header::colouryellow}'>";}
+- print "<td width='39%'>";
++ print "<td width='39%' align='left'>";
+ if($customgrp{$key}[3] eq 'Standard Network'){
+ print &get_name($customgrp{$key}[2])."</td>";
+ }else{
+ print "$customgrp{$key}[2]</td>";
+ }
+ if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){
+- print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='left'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }else{
+- print"<td>$ip</td><td>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ print"<td align='center'>$ip</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+ if ($delflag > '1' && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+@@ -1539,7 +1539,7 @@ sub viewtableservice
+ &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'});
+ &General::readhasharray("$configsrv", \%customservice);
+ print<<END;
+- <table width='100%' border='0'>
++ <table width='100%' border='0' cellspacing='0'>
+ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
+ END
+ foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice)
+@@ -1614,7 +1614,7 @@ sub viewtableservicegrp
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>";
+ }
+ print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='SRVGRP_REMARK' value='$remark' ><input type='hidden' name='ACTION' value='editservicegrp'></form>";
+- print"<table width='100%' style='border: 1px solid #000000;' rules='none' ><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td><td></td></tr>";
++ print"<table width='100%' style='border: 1px solid #CCCCCC;' rules='none' cellspacing='0'><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td><td></td></tr>";
+ }
+ if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+--
+1.7.10.4
+
--- /dev/null
+From 5ded97a5f76947e15609711bb77331a853408007 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 13 Mar 2013 08:50:32 +0100
+Subject: [PATCH 181/302] Forward Firewall: moved ruleaction-dropdown from top
+ to target area. some layout changes in
+ forwardfw.cgi (when no alias exists, the dropdown
+ after ipfire is not shown)
+
+---
+ html/cgi-bin/forwardfw.cgi | 67 ++++++++++++++++++++++----------------------
+ langs/de/cgi-bin/de.pl | 3 ++
+ langs/en/cgi-bin/en.pl | 3 ++
+ 3 files changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1f3d6a9..5339f9e 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1388,7 +1388,7 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+-
++
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -1482,32 +1482,7 @@ sub newrule
+ $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
+ $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
+ }
+-print <<END;
+- <form method="post">
+- <table border='0'>
+- <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'>
+-END
+- foreach ("ACCEPT","DROP","REJECT")
+- {
+- if($fwdfwsettings{'updatefwrule'} eq 'on'){
+- print"<option ";
+- print "selected='selected'" if ($fwdfwsettings{'RULE_ACTION'} eq $_);
+- print">$_</option>";
+- }else{
+- if($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- $fwdfwsettings{'RULE_ACTION'} = 'DROP';
+- }
+-
+- if ($_ eq $fwdfwsettings{'RULE_ACTION'})
+- {
+- print"<option selected>$_</option>";
+- }else{
+- print"<option>$_</option>";
+- }
+- }
+- }
+- print"</select></td></tr></table><hr>";
+-
++print "<form method='post'>";
+ &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
+ #------SOURCE-------------------------------------------------------
+@@ -1518,7 +1493,6 @@ END
+ </table>
+ END
+ &gen_dd_block('src','grp1');
+-
+ print<<END;
+ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ <table width='100%' border='0'>
+@@ -1557,13 +1531,18 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td colspan='2'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire ($Lang::tr{'external access'})</b></td><td align='right'><select name='ipfire' style='width:200px;'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire</b></td>
+ END
+- print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
++ if (! -z "${General::swroot}/ethernet/aliases"){
++ print"<td align='right'><select name='ipfire' style='width:200px;'>";
++ print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
+
+- foreach my $alias (sort keys %aliases)
+- {
+- print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
++ }
++ }else{
++ print"<td style='width:200px;'>";
+ }
+ print<<END;
+ </td></tr>
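Review bot: `if (! -z "${General::swroot}/ethernet/aliases")` is also true when the aliases file does not exist, because `-z` returns undef for a missing file, so the drop-down is then printed with only the default entry. `if (-s "${General::swroot}/ethernet/aliases")` tests "exists and is non-empty" directly. The file test is also independent of `%aliases`, which is what the loop iterates; testing `if (%aliases)` would keep the two in step, assuming the hash is loaded before this point (not visible in the hunk). newrule continues outside the hunk.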
+@@ -1633,8 +1612,28 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='12%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>
++ <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'>
+ END
++ foreach ("ACCEPT","DROP","REJECT")
++ {
++ if($fwdfwsettings{'updatefwrule'} eq 'on'){
++ print"<option value='$_'";
++ print "selected='selected'" if ($fwdfwsettings{'RULE_ACTION'} eq $_);
++ print">$Lang::tr{'fwdfw '.$_}</option>";
++ }else{
++ if($fwdfwsettings{'POLICY'} eq 'MODE2'){
++ $fwdfwsettings{'RULE_ACTION'} = 'DROP';
++ }
++ if ($_ eq $fwdfwsettings{'RULE_ACTION'})
++ {
++ print"<option selected>$Lang::tr{'fwdfw '.$_}</option>";
++ }else{
++ print"<option>$Lang::tr{'fwdfw '.$_}</option>";
++ }
++ }
++ }
++ print"</select></td></tr>";
++ print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>";
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){
+ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >";
+ for (my $count =1; $count <= $sum; $count++){
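Review bot: In the update branch the option tag is built by `print"<option value='$_'";` followed by `print "selected='selected'"`, which yields `value='ACCEPT'selected='selected'` with no whitespace between the attributes. Add the separator: `print " selected='selected'" if ($fwdfwsettings{'RULE_ACTION'} eq $_);`. The remark input moved into this block still interpolates `$fwdfwsettings{'ruleremark'}` into a single-quoted `value` attribute; whether it is validated or escaped before this point is not visible here and is worth confirming. newrule starts and ends outside the hunk.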
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index ba3a574..6457cd2 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -882,6 +882,7 @@
+ 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
+ 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
+ 'forward firewall' => 'Firewall',
++'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
+ 'fwdfw additional' => 'Zusätzlich',
+ 'fwdfw action' => 'Aktion',
+ 'fwdfw menu' => 'Firewall',
+@@ -892,6 +893,7 @@
+ 'fwdfw cust net' => 'Custom Netzwerke:',
+ 'fwdfw copy' => 'Kopieren',
+ 'fwdfw delete' => 'Löschen',
++'fwdfw DROP' => 'Verwerfen (DROP)',
+ 'fwdfw edit' => 'Bearbeiten',
+ 'fwdfw err nosrc' => 'Keine Quelle gewählt',
+ 'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben',
+@@ -925,6 +927,7 @@
+ 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+ 'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+ 'fwdfw red' => 'INTERNET',
++'fwdfw REJECT' => 'Verweigern (REJECT)',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+ 'fwdfw rule action' => 'Regelaktion:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 90ceebb..9b89d7b 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -905,6 +905,7 @@
+ 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
+ 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
+ 'forward firewall' => 'Firewall',
++'fwdfw ACCEPT' => 'ACCEPT',
+ 'fwdfw additional' => 'Additional',
+ 'fwdfw action' => 'Action',
+ 'fwdfw menu' => 'Firewall',
+@@ -915,6 +916,7 @@
+ 'fwdfw cust net' => 'Custom networks:',
+ 'fwdfw copy' => 'Copy',
+ 'fwdfw delete' => 'Delete',
++'fwdfw DROP' => 'DROP',
+ 'fwdfw edit' => 'Edit',
+ 'fwdfw err nosrc' => 'No source selected.',
+ 'fwdfw err nosrcip' => 'Please provide source IP address.',
+@@ -948,6 +950,7 @@
+ 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+ 'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.',
+ 'fwdfw red' => 'INTERNET',
++'fwdfw REJECT' => 'REJECT',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+--
+1.7.10.4
+
--- /dev/null
+From 0611349ed4eeae559fb5b9aaa01a9b2d544d94df Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 14 Mar 2013 06:11:28 +0100
+Subject: [PATCH 182/302] Forward Firewall: 1) Custom Hosts: now 17 chars can
+ be entered into IP/MAC field 2) Forwardfw: Bugfix:
+ When no alias is set and IPFIRE is selected as
+ target, no target address is recognised 3)
+ Forwardfw: Now source and Target addressfield
+ (manual) are set to 17 chars maxlegth. 4)
+ Converter: Bugfix: When starting converter from
+ commandline, all hosts are entered into groups
+ again.
+
+---
+ config/forwardfw/convert-outgoingfw | 4 ++--
+ html/cgi-bin/forwardfw.cgi | 43 +++++++++++++++--------------------
+ html/cgi-bin/fwhosts.cgi | 3 +--
+ 3 files changed, 21 insertions(+), 29 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index ccb3ea4..f220738 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -174,7 +174,7 @@ sub new_hostgrp
+ $name3="Custom Network";
+ }
+ }
+- if($name2){
++ if($name2 && !&check_grp($grp,$name2)){
+ my $grpkey = &General::findhasharraykey(\%groups);
+ $groups{$grpkey}[0] = $grp;
+ $groups{$grpkey}[1] = '';
+@@ -204,7 +204,7 @@ sub new_hostgrp
+ $name2=$name.$mac;
+ $name3="Custom Host";
+ }
+- if($name2){
++ if($name2 && !&check_grp($grp,$name2)){
+ my $grpkey = &General::findhasharraykey(\%groups);
+ $groups{$grpkey}[0] = $grp;
+ $groups{$grpkey}[1] = '';
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 5339f9e..6ee2bbc 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
+
+-my $VERSION='0.9.8.4';
++my $VERSION='0.9.8.6';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -123,7 +123,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+-
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+@@ -420,18 +419,18 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
+ &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
+ }
+- &General::readhasharray("$configinput", \%configinputfw);
+- foreach my $key (sort keys %configinputfw){
+- &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
+- &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
+- &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
+- }
+-
++ #&General::readhasharray("$configinput", \%configinputfw);
++ #foreach my $key (sort keys %configinputfw){
++ # &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
++ # &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
++ # &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
++ #}
++
+ system("rm ${General::swroot}/forward/config");
+- system("rm ${General::swroot}/forward/input");
++ #system("rm ${General::swroot}/forward/input");
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+- unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
++ #unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ my $MODE1=$fwdfwsettings{'POLICY1'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'}='MODE2';
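Review bot: The reset of the input rules is disabled by commenting the lines out rather than deleting them, and nothing says why, so a reader cannot tell whether keeping `forward/input` across a reset is intended or temporary. Either delete the dead lines or put one comment above them, for example `# input rules are deliberately kept on reset`, if that is the intent (inferred; the commit message does not say). The remaining `system("rm …")` and `system("touch …")` calls go through a shell for work that `unlink` and a plain `open`/`close` do directly. The enclosing block continues outside the hunk.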
+@@ -717,14 +716,7 @@ sub checktarget
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+
+- ##check if net or broadcast
+- #my @tmp= split (/\./,$ip);
+- #if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
+- #{
+- #$errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+- #}
+ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+-
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ }
+@@ -1291,7 +1283,7 @@ sub getcolor
+ foreach my $alias (sort keys %aliases)
+ {
+ if ($val eq $alias){
+- $tdcolor="style='border: 2px solid red;'";
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ return;
+ }
+ }
+@@ -1318,7 +1310,7 @@ sub getcolor
+ $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ }
+ }elsif ($val eq 'Default IP'){
+- $tdcolor="style='border: 1px solid red;'";
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ }else{
+ $tdcolor='';
+ }
+@@ -1488,7 +1480,7 @@ print "<form method='post'>";
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' ></td></tr>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td></tr>
+ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+ </table>
+ END
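Review bot: `maxlength='17'` fits a MAC address but is shorter than an address with a netmask. checktarget stores the target as `"$ip/$subnet"`, and even in prefix form a value like `192.168.100.100/24` (constructed example) is 18 characters, so a stored value loaded for editing may not be re-typable in the field. This applies to `src_addr` here and to `tgt_addr` in the next hunk. Unless the fields are meant to take single hosts only, a larger limit or none is safer. The attribute is only a browser-side hint, so the server-side check has to stay authoritative either way.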
+@@ -1531,7 +1523,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire</b></td>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire</b></td>
+ END
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+@@ -1541,8 +1533,9 @@ END
+ {
+ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
+ }
++
+ }else{
+- print"<td style='width:200px;'>";
++ print"<td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+ }
+ print<<END;
+ </td></tr>
+@@ -1626,9 +1619,9 @@ END
+ }
+ if ($_ eq $fwdfwsettings{'RULE_ACTION'})
+ {
+- print"<option selected>$Lang::tr{'fwdfw '.$_}</option>";
++ print"<option value='$_' selected>$Lang::tr{'fwdfw '.$_}</option>";
+ }else{
+- print"<option>$Lang::tr{'fwdfw '.$_}</option>";
++ print"<option value='$_'>$Lang::tr{'fwdfw '.$_}</option>";
+ }
+ }
+ }
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index fd1da8a..54080a9 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -455,7 +455,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
+ foreach my $key (sort keys %customgrp){
+ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){
+ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'};
+- last;
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+@@ -1111,7 +1110,7 @@ sub addhost
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
+- <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
++ <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='17'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr>
+ <tr><td colspan='5'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+ <tr><td colspan='5'><hr></hr></td></tr>
+--
+1.7.10.4
+
--- /dev/null
+From 87c35ba60110047713ed7bce16b4f408b023b466 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 14 Mar 2013 16:24:52 +0100
+Subject: [PATCH 183/302] Forward Firewall: Firewall sets Internetdevice
+ correctly now (was always red0)
+
+---
+ config/forwardfw/firewall-lib.pl | 3 ++-
+ config/forwardfw/rules.pl | 13 +++++++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
+index 9f80685..a1f96ba 100755
+--- a/config/forwardfw/firewall-lib.pl
++++ b/config/forwardfw/firewall-lib.pl
+@@ -207,6 +207,7 @@ sub get_grp_ip
+ sub get_std_net_ip
+ {
+ my $val=shift;
++ my $con=shift;
+ if ($val eq 'ALL'){
+ return "0.0.0.0/0.0.0.0";
+ }elsif($val eq 'GREEN'){
+@@ -216,7 +217,7 @@ sub get_std_net_ip
+ }elsif($val eq 'BLUE'){
+ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ }elsif($val eq 'RED'){
+- return "0.0.0.0/0 -o red0";
++ return "0.0.0.0/0 -o $con";
+ }elsif($val =~ /OpenVPN/i){
+ return "$ovpnsettings{'DOVPN_SUBNET'}";
+ }elsif($val =~ /IPsec/i){
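Review bot: The RED branch interpolates `$con` into the returned match string without checking it, so a caller that omits the new second argument, or passes an empty or newline-terminated value, gets `0.0.0.0/0 -o ` with no usable interface name. rules.pl passes the raw line read from /var/ipfire/red/iface; other callers of get_std_net_ip are not visible in this patch and should be checked for the new argument. The branch should build the string only when `defined $con && $con =~ /\A[\w.:-]+\z/` holds, and the caller should skip the rule otherwise. get_std_net_ip continues outside the hunk.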
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index fd441de..a01694c 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -65,7 +65,7 @@ my $green;
+ my $blue;
+ my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+ my $CHAIN="FORWARDFW";
+-
++my $conexists='off';
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("$netsettings", \%defaultNetworks);
+@@ -76,6 +76,14 @@ my $CHAIN="FORWARDFW";
+ &General::readhasharray($configgrp, \%customgrp);
+ &General::get_aliases(\%aliases);
+
++#check if we have an internetconnection
++open (CONN,"/var/ipfire/red/iface");
++my $con = <CONN>;
++close(CONN);
++if (-f "/var/ipfire/red/active"){
++ $conexists='on';
++}
++
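Review bot: The read of /var/ipfire/red/iface is unchecked and unchomped: if `open` fails `$con` is undef, and if the file ends in a newline that newline stays in `$con`, which get_address later hands to get_std_net_ip for the `-o` match. Use a lexical handle with three-argument `open`, test its result, `chomp` the line and accept only an interface-like name. `$conexists` should probably also stay `'off'` when no usable name was read, so that RED rules are skipped rather than built with an empty interface.

```perl
#check if we have an internetconnection
my $con = '';
if (open(my $conn_fh, '<', "/var/ipfire/red/iface")) {
    $con = <$conn_fh>;
    close($conn_fh);
    $con = '' unless defined $con;
    chomp($con);
}
# accept only something that looks like an interface name
$con = '' unless $con =~ /\A[A-Za-z0-9_.:-]+\z/;
if ($con ne '' && -f "/var/ipfire/red/active"){
    $conexists='on';
}
```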
+ ################################
+ # DEBUG/TEST #
+ ################################
+@@ -153,6 +161,7 @@ sub buildrules
+ my $hash=shift;
+ my $STAG;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
++ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ $STAG='';
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
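Review bot: The new `next if` tests only `$$hash{$key}[6]`, which is the target value going by the field order forwardfw.cgi uses when it compares stored rules. A rule whose source value in `[4]` is RED still runs while the connection is down, and get_address passes `$con` to get_std_net_ip for `std_net_src` as well as `std_net_tgt`. If source-side RED rules should be skipped too, the guard would read `next if (($$hash{$key}[4] eq 'RED' || $$hash{$key}[6] eq 'RED') && $conexists eq 'off');`. The loop body continues outside the hunk, so confirm against the rest of buildrules.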
+@@ -375,7 +384,7 @@ sub get_address
+ $$hash{$key}[0] = $base2;
+ }
+ }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
+- $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
++ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
+ }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
+ $$hash{$key}[0]=&fwlib::get_net_ip($base2);
+ }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
+--
+1.7.10.4
+
--- /dev/null
+From 25a62f7d70fb04484071e9f8bf5dc8256d7872e8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 17 Mar 2013 13:49:57 +0100
+Subject: [PATCH 184/302] Forward Firewall: Added support for DNAT/SNAT to
+ forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 304 +++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 255 insertions(+), 49 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6ee2bbc..0bf3a31 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -47,6 +47,7 @@ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swr
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+ unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); }
++unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); }
+
+ my %fwdfwsettings=();
+ my %selected=() ;
+@@ -64,6 +65,7 @@ my %configfwdfw=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
+ my %configdmzfw=();
++my %confignatfw=();
+ my %ipsecconf=();
+ my %color=();
+ my %mainsettings=();
+@@ -73,8 +75,9 @@ my %ovpnsettings=();
+ my %ipsecsettings=();
+ my %aliases=();
+ my %optionsfw=();
++my %ifaces=();
+
+-my $VERSION='0.9.8.6';
++my $VERSION='0.9.8.7';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -89,8 +92,10 @@ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+ my $configdmz = "${General::swroot}/forward/dmz";
++my $confignat = "${General::swroot}/forward/nat";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+ my $fwoptions = "${General::swroot}/optionsfw/settings";
++my $ifacesettings = "${General::swroot}/ethernet/settings";
+ my $errormessage='';
+ my $hint='';
+ my $ipgrp="${General::swroot}/outgoing/groups";
+@@ -101,6 +106,7 @@ my @protocols;
+ &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+ &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+ &General::readhash($fwoptions, \%optionsfw);
++&General::readhash($ifacesettings, \%ifaces);
+
+ &Header::showhttpheaders();
+ &Header::getcgihash(\%fwdfwsettings);
+@@ -123,6 +129,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
++ &General::readhasharray("$confignat", \%confignatfw);
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+@@ -137,13 +144,71 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw useless rule'}."<br>";
+ }
+-
+ #check if we try to break rules
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
++ #NAT-Part
++ if ($fwdfwsettings{'USE_NAT'} eq 'ON'){
++ $fwdfwsettings{'config'}=$confignat;
++ if ($fwdfwsettings{'nat'} eq 'dnat'){
++ $fwdfwsettings{'chain'} = 'NAT_DESTINATION';
++ }else{
++ $fwdfwsettings{'chain'} = 'NAT_SOURCE';
++ }
++ my $maxkey=&General::findhasharraykey(\%confignatfw);
++ #check if we have an identical rule already
++ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
++ foreach my $key (sort keys %confignatfw){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
++ $errormessage='';
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
++ }
++ }
++ }
++ #check Rulepos on new Rule
++ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
++ $fwdfwsettings{'oldrulenumber'}=$maxkey;
++ foreach my $key (sort keys %confignatfw){
++ print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
++ print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ }
++ }
++ }
++ #check if we just close a rule
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
++ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ $errormessage='';
++ $fwdfwsettings{'nosave2'} = 'on';
++ }
++ }
++ &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
++ if ($fwdfwsettings{'nobase'} ne 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ }
++ if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
++ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
++ }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
++ }
++ if($fwdfwsettings{'nosave2'} ne 'on'){
++ &saverule(\%confignatfw,$confignat);
++ }
+ #DMZ-Part
+- if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
++ }elsif ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
+ $fwdfwsettings{'config'}=$configdmz;
+ $fwdfwsettings{'chain'} = 'FORWARDFW';
+ my $maxkey=&General::findhasharraykey(\%configdmzfw);
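Review bot: The two `print` statements in the "check Rulepos on new Rule" loop look like leftover debugging: on every save of a new NAT rule they write all submitted fields and every stored NAT rule into the page, unescaped, and they should be removed. In the identical-rule check above them, the `elsif` that calls `&validremark` can never run, because its condition begins with the same two tests as the `if` before it, so a changed remark clears `$errormessage` without being validated; nesting the validation inside the first branch fixes that. Nothing in this block checks `nat`, `snatport` or `dnatport` before `&saverule`; whether `&checkrule` covers them is not visible here.

```perl
# … unchanged: identical-rule comparison and $errormessage.=$Lang::tr{'fwdfw err ruleexists'} …
if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
    # validate the new remark before dropping the duplicate-rule error
    if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
        $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
    }else{
        $errormessage='';
    }
}
# … unchanged: nosave handling when the remark did not change …
```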
+@@ -175,7 +240,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+ $fwdfwsettings{'nosave2'} = 'on';
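Review bot: The added test `$fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}` cannot be true for DMZ rules as far as this patch shows: newrule stores `'DMZ'` in `oldruletype` when the rule comes from forward/dmz, while the DMZ branch sets `chain` to `'FORWARDFW'`. If this hunk sits in the DMZ branch, as its position suggests, the "just close a rule" shortcut never fires there and re-saving an unchanged DMZ rule ends in the rule-exists error. Either compare against the literal here, `&& $fwdfwsettings{'oldruletype'} eq 'DMZ') {`, or have newrule store the chain for DMZ rules as well. The same condition is added in the three later "check if we just close a rule" hunks; which branch each belongs to is outside the hunk.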
+@@ -228,7 +293,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+ $fwdfwsettings{'nosave2'} = 'on';
+@@ -302,7 +367,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'nosave2'} = 'on';
+ $errormessage='';
+@@ -332,8 +397,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configfwdfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+ $errormessage='';
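Review bot: The two sides of the identical-rule comparison no longer line up: the left string drops `$fwdfwsettings{'LOG'}`, but the right string drops index `[18]` and keeps `[17]`, the slot LOG was paired with in the removed lines. `$fwdfwsettings{'TIME'}` is now compared with `$configfwdfw{$key}[17]` and the stored `[18]` is never compared, so duplicate detection can miss or misreport rules that differ in logging or time restriction. If LOG is meant to be ignored, the right side should skip `[17]` instead: `$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19]`. The same index list appears in the next hunk and in the new NAT block (`$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19]`).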
+@@ -350,14 +415,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configfwdfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'nosave2'} = 'on';
+ $errormessage='';
+@@ -1380,7 +1445,6 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+-
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -1389,6 +1453,7 @@ sub newrule
+ if ($key eq $fwdfwsettings{'key'}){
+ $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'};
+ $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0];
++ $fwdfwsettings{'chain'} = $hash{$key}[1];
+ $fwdfwsettings{'ACTIVE'} = $hash{$key}[2];
+ $fwdfwsettings{'grp1'} = $hash{$key}[3];
+ $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4];
+@@ -1415,6 +1480,11 @@ sub newrule
+ $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25];
+ $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26];
+ $fwdfwsettings{'TIME_TO'} = $hash{$key}[27];
++ $fwdfwsettings{'USE_NAT'} = $hash{$key}[28];
++ $fwdfwsettings{'nat'} = $hash{$key}[32]; #changed order
++ $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29];
++ $fwdfwsettings{'snatport'} = $hash{$key}[30];
++ $fwdfwsettings{'dnatport'} = $hash{$key}[31];
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
+@@ -1430,9 +1500,13 @@ sub newrule
+ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
+ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
+ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED';
++ $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED';
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++ $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
++ $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
+ }
+ }
+ $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'};
+@@ -1443,6 +1517,12 @@ sub newrule
+ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
+ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
+ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
++ $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'};
++ if ($fwdfwsettings{'config'} eq "${General::swroot}/forward/dmz"){
++ $fwdfwsettings{'oldruletype'}='DMZ';
++ }else{
++ $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'};
++ }
+ #check if manual ip (source) is orange network
+ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
+ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
+@@ -1461,6 +1541,7 @@ sub newrule
+ $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}};
+ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
+ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
++ $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'};
+ #check if manual ip (source) is orange network
+ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
+ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
+@@ -1601,6 +1682,59 @@ END
+
+ END
+ &Header::closebox;
++ #---SNAT / DNAT ------------------------------------------------
++ &Header::openbox('100%', 'left', 'NAT');
++ print<<END;
++ <table width='100%' border='0'>
++ <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td>USE NAT</td><td colspan='5'></td></tr>
++ <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='20%'> DNAT</td>
++END
++ if (! -z "${General::swroot}/ethernet/aliases"){
++ print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='dnat' style='width:140px;'>";
++ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
++ print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
++
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
++ }
++ #foreach my $network (sort keys %defaultNetworks)
++ #{
++ #next if($defaultNetworks{$network}{'NAME'} eq "RED");
++ #next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
++ #next if($defaultNetworks{$network}{'NAME'} eq "ALL");
++ #print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ #print " selected='selected'" if ($fwdfwsettings{'snatipfire'} eq $defaultNetworks{$network}{'NAME'});
++ #print ">$network</option>";
++ #}
++ }else{
++ print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
++ }
++ print"</td></tr>";
++ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
++ print"<tr><td colspan='8'><br></td></tr>";
++ #SNAT
++ print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'> SNAT</td>";
++ print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='snat' style='width:140px;'>";
++ print "<option value='ALL' $selected{'snat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
++ print "<option value='Default IP' $selected{'snat'}{'Default IP'}>Default IP</option>";
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'snat'}{$alias}>$alias</option>";
++ }
++ foreach my $network (sort keys %defaultNetworks)
++ {
++ next if($defaultNetworks{$network}{'NAME'} eq "RED");
++ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
++ next if($defaultNetworks{$network}{'NAME'} eq "ALL");
++ print "<option value='$defaultNetworks{$network}{'NAME'}'";
++ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'nat'}} eq $defaultNetworks{$network}{'NAME'});
++ print ">$network</option>";
++ }
++ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='snatport' style='width:130px;'value=$fwdfwsettings{'snatport'} > </td></tr>";
++ print"</table>";
++ print"<hr>";
++ &Header::closebox();
+ #---Activate/logging/remark-------------------------------------
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+@@ -1720,6 +1854,8 @@ END
+ <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
+ <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
+ <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' />
++ <input type='hidden' name='oldnat' value='$fwdfwsettings{'oldnat'}' />
++ <input type='hidden' name='oldruletype' value='$fwdfwsettings{'oldruletype'}' />
+ <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+ </table></form>
+ END
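Review bot: The new hidden fields `oldnat` and `oldruletype` send server-side state through the browser, and the `saverule` hunk later in this patch chooses the config file passed to `changerule` from the posted `oldruletype` alone. Nothing visible checks that value against where the rule is actually stored, so a stale or edited form can claim a different old type. I would derive the old type server-side from the rule being edited, or at least reject unknown values before the branch chain: `$fwdfwsettings{'oldruletype'} = '' unless $fwdfwsettings{'oldruletype'} =~ /\A(?:NAT_SOURCE|NAT_DESTINATION|DMZ|INPUTFW|OUTGOINGFW|FORWARDFW)\z/;`. Both values are also interpolated into single-quoted attributes with no escaping visible; the heredoc starts outside this hunk, so earlier cleaning cannot be ruled out.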
+@@ -1801,66 +1937,101 @@ sub saverule
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+ if (!$errormessage){
+- #check if we change a DMZ to an outgoing
+- if( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configdmz);
++ #check if we change a NAT to a FORWARD/DMZ
++ if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){
++ &changerule($confignat);
+ #print"1";
+ }
+- #check if we change a DMZ to an external access
+- elsif( $fwdfwsettings{'oldgrp1b'} eq 'ORANGE' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configdmz);
++ #check if we change a NAT to a INPUT (external access)
++ elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'INPUTFW'){
++ &changerule($confignat);
+ #print"2";
+ }
+- #check if we change an external access rule to a outgoing
+- elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
++ #check if we change a NAT to a OUTGOING
++ elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){
++ &changerule($confignat);
+ #print"3";
+ }
+- #check if we change an external access rule to a DMZ
+- elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
++ ################################################################
++ #check if we change a DMZ to a NAT
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
++ &changerule($configdmz);
+ #print"4";
+ }
+- #check if we change an outgoing rule to a external access
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configoutgoing);
++ #check if we change a DMZ to an OUTGOING
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
++ &changerule($configdmz);
+ #print"5";
+ }
+- #check if we change an outgoing rule to a DMZ
+- if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configoutgoing);
++ #check if we change a DMZ to an INPUT
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){
++ &changerule($configdmz);
+ #print"6";
+ }
+- #check if we change an forward rule to an external access
+- elsif( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configfwdfw);
++ #check if we change a DMZ to a FORWARD/DMZ
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
++ &changerule($configdmz);
+ #print"7";
+ }
+- #check if we change an forward rule to an DMZ
+- if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && ($fwdfwsettings{'oldgrp1b'} ne 'ORANGE' && $fwdfwsettings{'oldorange'} ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configfwdfw);
++ ################################################################
++ #check if we change an INPUT rule to a NAT
++ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
++ &changerule($configinput);
+ #print"8";
+ }
+- #check if we change an forward rule to an outgoing
+- elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'oldgrp1b'} ne 'IPFire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configfwdfw);
++ #check if we change an INPUT rule to a OUTGOING
++ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
++ &changerule($configinput);
+ #print"9";
+ }
+- #check if we change a DMZ to a forward
+- elsif( ($fwdfwsettings{'oldgrp1b'} eq 'ORANGE' || $fwdfwsettings{'oldorange'} eq 'on') && ($fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on') && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configdmz);
++ #check if we change an INPUT rule to a FORWARD/DMZ
++ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
++ &changerule($configinput);
+ #print"10";
+ }
+- #check if we change an external access rule to a forward
+- elsif( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &changerule($configinput);
++ ################################################################
++ #check if we change an OUTGOING rule to an INPUT
++ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){
++ &changerule($configoutgoing);
+ #print"11";
+ }
+- #check if we change an outgoing rule to a forward
+- elsif( $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'IPFire' && $fwdfwsettings{'oldgrp1b'} eq 'IPFire' && $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){
++ #check if we change an OUTGOING rule to a FORWARD/DMZ
++ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ &changerule($configoutgoing);
+ #print"12";
+ }
++ #check if we change an OUTGOING rule to a NAT
++ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
++ &changerule($configoutgoing);
++ #print"13";
++ }
++ ################################################################
++ #check if we change a FORWARD rule to an INPUT
++ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){
++ &changerule($configfwdfw);
++ #print"14";
++ }
++ #check if we change a FORWARD rule to an DMZ
++ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
++ &changerule($configfwdfw);
++ #print"15";
++ }
++ #check if we change a FORWARD rule to an OUTGOING
++ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){
++ &changerule($configfwdfw);
++ #print"16";
++ }
++ #check if we change a FORWARD rule to an NAT
++ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
++ &changerule($configfwdfw);
++ #print"17";
++ }
++ #Cleanup some values for NAT if they are not used
++ if($fwdfwsettings{'nat'} eq 'dnat'){
++ $fwdfwsettings{'snatport'}='';
++ }else{
++ $fwdfwsettings{'dnatport'}='';
++ }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
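Review bot: The `FORWARD rule to an DMZ` branch mixes `&&` and `||` without parentheses, so Perl reads it as `(oldruletype eq 'FORWARDFW' && grp1 eq 'ORANGE') || $checkorange eq 'on'`. It therefore fires for any old rule type once `$checkorange` is 'on' and no earlier branch matched, and it shadows the two FORWARD branches after it. I would write `elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){`. The removed conditions all required `$fwdfwsettings{'updatefwrule'} eq 'on'` and the new ones do not, so the chain now relies on `oldruletype` being empty for a new rule. `saverule` starts and ends outside this hunk, so that cannot be confirmed here.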
+@@ -1891,6 +2062,13 @@ sub saverule
+ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
++ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
++ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
++ $$hash{$key}[30] = $fwdfwsettings{'snatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[32] = $fwdfwsettings{'nat'};
++ }
+ &General::writehasharray("$config", $hash);
+ }else{
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+@@ -1923,6 +2101,13 @@ sub saverule
+ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
++ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
++ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
++ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
++ $$hash{$key}[30] = $fwdfwsettings{'snatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[32] = $fwdfwsettings{'nat'};
++ }
+ last;
+ }
+ }
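Review bot: In this update branch columns 28 to 32 are written only when `USE_NAT` is 'ON' and nothing visible clears them otherwise, so a NAT rule edited with the box unchecked appears to keep its old `ON` flag and NAT address. rules.pl switches to `iptables -t nat -A` on column 28, so a stale flag would decide which table the rule is loaded into. Unless `changerule` or code outside the hunk already resets the row, I would add an else arm such as `}else{ $$hash{$key}[$_] = '' for (28..32); }`. The hunk at `@@ -1891,6 +2062,13 @@` takes its key from `findhasharraykey` and looks unaffected. The enclosing loop starts outside this hunk.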
+@@ -2012,6 +2197,7 @@ sub viewtablerule
+ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
++ &viewtablenew(\%confignatfw,$confignat,"","NAT" );
+ }
+ sub viewtablenew
+ {
+@@ -2102,7 +2288,12 @@ END
+ $tooltip='REJECT';
+ $rulecolor=$color{'color16'};
+ }
+- print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ if($$hash{$key}[28] eq 'ON'){
++ print"<td bgcolor='$color' align='center' width='20'></td>";
++ $rulecolor=$color;
++ }else{
++ print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ }
+ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+@@ -2112,6 +2303,13 @@ END
+ }
+ $tdcolor='';
+ &getsrcport(\%$hash,$key);
++ #Is this a SNAT rule?
++ if ($$hash{$key}[32] eq 'snat'){
++ print"<br>SNAT -> $$hash{$key}[29]";
++ if ($$hash{$key}[30] ne ''){
++ print": $$hash{$key}[30]";
++ }
++ }
+ if ($$hash{$key}[17] eq 'ON'){
+ $log="/images/on.gif";
+ }else{
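Review bot: The SNAT label prints `$$hash{$key}[29]` and `$$hash{$key}[30]` into the table cell as stored, and the DNAT hunk at `@@ -2130,6 +2328,14 @@` does the same with columns 29 and 31. `saverule` fills those columns from the posted `snat`/`dnat` and `snatport`/`dnatport` fields, and this patch shows no validation of the port fields before they are written, so posted text ends up rendered as HTML on the rule list. I would escape at output, for example `print "<br>SNAT -> ".&Header::cleanhtml($$hash{$key}[29]);` if that helper is available to this CGI, and restrict the port fields to digits when saving.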
+@@ -2130,6 +2328,14 @@ END
+ print<<END;
+ <td align='center' width='160' $tdcolor>
+ END
++ #Is this a DNAT rule?
++ if ($$hash{$key}[32] eq 'dnat'){
++ print "IPFire ($$hash{$key}[29])";
++ if($$hash{$key}[31] ne ''){
++ print": $$hash{$key}[31]";
++ }
++ print"<br> DNAT->";
++ }
+ if ($$hash{$key}[5] eq 'std_net_tgt'){
+ print &get_name($$hash{$key}[6]);
+ }else{
+@@ -2144,7 +2350,7 @@ END
+ push (@protocols,$$hash{$key}[12]);
+ }elsif($$hash{$key}[8]){ #source prot if manual
+ push (@protocols,$$hash{$key}[8]);
+- }elsif($$hash{$key}[14] eq 'cust_srv'){
++ }elsif($$hash{$key}[14] eq 'cust_srv'){
+ &get_serviceports("service",$$hash{$key}[15]);
+ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+ &get_serviceports("group",$$hash{$key}[15]);
+--
+1.7.10.4
+
--- /dev/null
+From 3d4bc9ebc38f8f09e0cebd943ac787089b5521c8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Mar 2013 04:48:23 +0100
+Subject: [PATCH 185/302] Forward Firewall: support for SNAT/DNAT in GUI and
+ rules.pl
+
+---
+ config/forwardfw/rules.pl | 100 +++++++++++++++++++++++++++++++++------
+ html/cgi-bin/forwardfw.cgi | 111 +++++++++++++++++++++++++++++---------------
+ langs/de/cgi-bin/de.pl | 5 ++
+ langs/en/cgi-bin/en.pl | 5 ++
+ 4 files changed, 169 insertions(+), 52 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index a01694c..d1b9f94 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -45,6 +45,7 @@ my @timeframe=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
+ my %configdmzfw=();
++my %confignatfw=();
+ my %aliases=();
+ my @DPROT=();
+ my @p2ps=();
+@@ -56,6 +57,7 @@ my $configdmz = "${General::swroot}/forward/dmz";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
++my $confignat = "${General::swroot}/forward/nat";
+ my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $configgrp = "${General::swroot}/fwhosts/customgroups";
+ my $netsettings = "${General::swroot}/ethernet/settings";
+@@ -66,13 +68,16 @@ my $blue;
+ my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+ my $CHAIN="FORWARDFW";
+ my $conexists='off';
+-
++my $command = 'iptables -A';
++my $dnat='';
++my $snat='';
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("$netsettings", \%defaultNetworks);
+ &General::readhasharray($configdmz, \%configdmzfw);
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
+ &General::readhasharray($configoutgoing, \%configoutgoingfw);
++&General::readhasharray($confignat, \%confignatfw);
+ &General::readhasharray($configgrp, \%customgrp);
+ &General::get_aliases(\%aliases);
+
+@@ -83,7 +88,9 @@ close(CONN);
+ if (-f "/var/ipfire/red/active"){
+ $conexists='on';
+ }
+-
++open (CONN1,"/var/ipfire/red/local-ipaddress");
++my $redip = <CONN1>;
++close(CONN1);
+ ################################
+ # DEBUG/TEST #
+ ################################
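Review bot: The added `open (CONN1,...)` is a two-argument bareword open with no error check, and `$redip` is used exactly as read: undef when the file is missing, otherwise still carrying the trailing newline if the file has one. `get_nat_ip` later in this patch builds `'-d '.$redip`, and that string goes into the single-string `system` calls, where the shell treats a newline as the end of the command and the rest of the rule is lost. I would write `my $redip = '';`, then `if (open(my $fh, '<', '/var/ipfire/red/local-ipaddress')){ $redip = <$fh>; close($fh); }`, then `chomp($redip) if defined $redip;`. A `chomp` may already exist outside this hunk.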
+@@ -155,13 +162,29 @@ sub preparerules
+ if (! -z "${General::swroot}/forward/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
++ if (! -z "${General::swroot}/forward/nat"){
++ &buildrules(\%confignatfw);
++ }
+ }
+ sub buildrules
+ {
+ my $hash=shift;
+ my $STAG;
++ my $natip;
++ my $snatport;
++ my $fireport;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
++ if ($$hash{$key}[28] eq 'ON'){
++ $command='iptables -t nat -A';
++ $natip=&get_nat_ip($$hash{$key}[29]);
++ if($$hash{$key}[31] eq 'dnat'){
++ $$hash{$key}[0]='DNAT';
++ $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
++ }else{
++ $$hash{$key}[0]='SNAT';
++ }
++ }
+ $STAG='';
+ if($$hash{$key}[2] eq 'ON'){
+ #get source ip's
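Review bot: `$command` is a file-level variable that this loop sets to `iptables -t nat -A` for a NAT row and never sets back, so every row processed after the first NAT row is also emitted into the nat table. `preparerules` reads the NAT file last, which appears to hide this today, but a non-NAT row following a NAT row in any file would be misplaced. I would assign it on every iteration: `$command = ($$hash{$key}[28] eq 'ON') ? 'iptables -t nat -A' : 'iptables -A';`. `$natip` carries over between iterations in the same way and is not checked for undef before it is interpolated. `buildrules` continues outside this hunk.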
+@@ -248,15 +271,22 @@ sub buildrules
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ if ($$hash{$key}[17] eq 'ON'){
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ }
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ }
+- }else{
++ }elsif($$hash{$key}[28] ne 'ON'){
+ if ($$hash{$key}[17] eq 'ON'){
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'dnat'){
++ #if ($$hash{$key}[17] eq 'ON'){
++ #print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ #}
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $targethash{$b}[0]$DPORT\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
+ }
+ }
+ }
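Review bot: The two NAT arms of what looks like the debug-print branch test `$$hash{$key}[32]`, while the rest of this commit (the top of `buildrules`, the `system` branch and `saverule` in forwardfw.cgi) keeps the NAT type in column 31. Rows saved by the new GUI never set column 32, so in this mode NAT rules print nothing and the dump no longer shows what the live branch applies. Change both tests to column 31, e.g. `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){`. The printed DNAT line also differs from the live one: it has no PORTFWACCESS rule, and it uses `--to $targethash{$b}[0]$DPORT` rather than the address with the mask split off. That is worth aligning if the dump is used to audit the rule set.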
+@@ -278,15 +308,28 @@ sub buildrules
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ if ($$hash{$key}[17] eq 'ON'){
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
++ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ }
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
++ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
++ }
++ }elsif($$hash{$key}[28] ne 'ON'){
++ if ($$hash{$key}[17] eq 'ON'){
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ }
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
++ if ($$hash{$key}[17] eq 'ON'){
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+- }else{
++ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ my ($ip,$sub) =split("/",$targethash{$b}[0]);
++ system "iptables -A PORTFWACCESS $PROT $STAG $sourcehash{$a}[0] -d $targethash{$b}[0] $fwaccessdport $TIME \n";
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ if ($$hash{$key}[17] eq 'ON'){
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
+ }
+- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
+ }
+ }
+ }
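Review bot: `my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; when `$DPORT` is empty the variable may keep a value from an earlier pass through the loop. Write `my $fwaccessdport = $DPORT ? "--dport ".substr($DPORT,1) : '';`. The `iptables -A PORTFWACCESS ...` line that uses it has no `-j` target, so as written it only counts packets; if it is meant to admit the forwarded traffic, the target is missing. The ICMP LOG line also keeps `-- icmp-type` with a space, unlike `--icmp-type` on the line after it.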
+@@ -300,8 +343,28 @@ sub buildrules
+ undef $TIME;
+ undef $TIMEFROM;
+ undef $TIMETILL;
++ undef $fireport;
+ }
+ }
++sub get_nat_ip
++{
++ my $val=shift;
++ my $result;
++ if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
++ $result=$defaultNetworks{$val.'_ADDRESS'};
++ }elsif($val eq 'ALL'){
++ $result='-i '.$con;
++ }elsif($val eq 'Default IP'){
++ $result='-d '.$redip;
++ }else{
++ foreach my $al (sort keys %aliases){
++ if($val eq $al){
++ $result='-d '.$aliases{$al}{'IPT'};
++ }
++ }
++ }
++ return $result;
++}
+ sub get_time
+ {
+ my $val=shift;
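Review bot: `get_nat_ip` returns several different shapes: a bare address for RED/GREEN/ORANGE/BLUE, `-i` plus the interface for ALL, `-d` plus an address for Default IP and aliases, and undef when `$val` matches no alias. The DNAT callers use the result as a match (`$SPORT $natip $fireport`) and the SNAT callers as a target address (`--to $natip$fireport`), so each caller receives a form it cannot use for some selections. An undef result leaves a DNAT rule with no destination match, which widens it to every address the chain sees. I would return only the address here and let the callers add `-d` or `--to`, and skip the rule when nothing resolves: `next unless defined $natip && $natip ne '';` after the call in `buildrules`.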
+@@ -364,7 +427,6 @@ sub p2pblock
+ }
+ }
+ }
+-
+ sub get_address
+ {
+ my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
+@@ -439,7 +501,11 @@ sub get_port
+ if(index($$hash{$key}[10],",") > 0){
+ return "-m multiport --sport $$hash{$key}[10] ";
+ }else{
+- return "--sport $$hash{$key}[10] ";
++ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
++ return "--sport $$hash{$key}[10] ";
++ }else{
++ return ":$$hash{$key}[10]";
++ }
+ }
+ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[9] ";
+@@ -454,7 +520,11 @@ sub get_port
+ if(index($$hash{$key}[15],",") > 0){
+ return "-m multiport --dport $$hash{$key}[15] ";
+ }else{
+- return "--dport $$hash{$key}[15] ";
++ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
++ return "--dport $$hash{$key}[15] ";
++ }else{
++ return ":$$hash{$key}[15]";
++ }
+ }
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[13] ";
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 0bf3a31..84e0170 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -765,7 +765,35 @@ sub checksource
+ sub checktarget
+ {
+ my ($ip,$subnet);
+-
++ &General::readhasharray("$configsrv", \%customservice);
++ #check DNAT settings (has to be single Host and single Port)
++ if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
++ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
++ if ($fwdfwsettings{'USESRV'} eq ''){
++ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
++ #check if manual ip is a single Host (if set)
++ if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
++ my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}});
++ my @tmp1= split ("/",$tmp[3]);
++ if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
++ {
++ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
++ }
++ }
++ #check if Port is a single Port
++ if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
++ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
++ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
++ if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
++ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
++ }
++ }else{
++ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
++ }
++ }
+ if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
+ #check if ip with subnet
+ if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) {
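Review bot: In the single-port check, `($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP')` is true for every value, so the test reduces to `TGT_PORT eq ''` and the protocol is never actually checked. If the rule is that DNAT needs TCP or UDP and a port, spell it as `if(($fwdfwsettings{'TGT_PROT'} ne 'TCP' && $fwdfwsettings{'TGT_PROT'} ne 'UDP') || $fwdfwsettings{'TGT_PORT'} eq ''){`. The single-host test above it only rejects a last octet of 0 or 255, so an address with a mask such as a host address followed by `/24` is accepted as a single host. The new branches also assign `$errormessage=` where the surrounding code appends with `.=`, which discards errors collected earlier. `checktarget` continues outside this hunk.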
+@@ -785,15 +813,12 @@ sub checktarget
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ }
+-
+ }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
+ $errormessage.=$Lang::tr{'fwdfw err notgtip'};
+ return $errormessage;
+ }
+-
+ #check empty fields
+ if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."<br>";}
+-
+ #check tgt services
+ if ($fwdfwsettings{'USESRV'} eq 'ON'){
+ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
+@@ -886,8 +911,36 @@ sub checktarget
+ }
+ return $errormessage;
+ }
++sub check_natport
++{
++ my $val=shift;
++ if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
++ return 0;
++ }
++ return 1;
++}
+ sub checkrule
+ {
++ #check valid port for NAT
++ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
++ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
++ if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
++ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
++ elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
++ my $custsrvport;
++ #get servcie Protocol and Port
++ foreach my $key (sort keys %customservice){
++ if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){
++ if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){
++ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
++ $custsrvport= $customservice{$key}[1];
++ }
++ }
++ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;}
++ }
++ }
+ #check valid remark
+ if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage.=$Lang::tr{'fwdfw err remark'}."<br>";
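Review bot: `check_natport` accepts values that are not port numbers, because `$val>65536 || $val<0` compares numerically and Perl uses only the leading digits of the string; 0 and 65536 also pass. The accepted `dnatport` is stored, and rules.pl later places it after `--dport` in a command line run through single-string `system`, so this is the only gate visible in this patch between the form field and the shell. I would make it an anchored whole-string test and keep the empty case, which `checkrule` relies on for the `cust_srv` fill-in: `return ($val eq '' || ($val =~ /\A[0-9]{1,5}\z/ && $val >= 1 && $val <= 65535)) ? 1 : 0;`. `checkrule` continues outside this hunk.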
+@@ -897,12 +950,10 @@ sub checkrule
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ return $errormessage;
+ }
+-
+ #get source and targetip address if possible
+ my ($sip,$scidr,$tip,$tcidr);
+ ($sip,$scidr)=&get_ip("src","grp1");
+ ($tip,$tcidr)=&get_ip("tgt","grp2");
+-
+ #check same iprange in source and target
+ if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){
+ my $networkip1=&General::getnetworkip($sip,$scidr);
+@@ -924,7 +975,6 @@ sub checkrule
+ }
+ }
+ }
+-
+ #check source and destination protocol if manual
+ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
+ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+@@ -932,7 +982,6 @@ sub checkrule
+ }
+ #check source and destination protocol if source manual and dest servicegrp
+ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
+- &General::readhasharray("$configsrv", \%customservice);
+ foreach my $key (sort keys %customservice){
+ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
+ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
+@@ -1442,6 +1491,7 @@ sub newrule
+ $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED';
+ $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED';
+ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
++ $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED';
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+@@ -1481,10 +1531,9 @@ sub newrule
+ $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26];
+ $fwdfwsettings{'TIME_TO'} = $hash{$key}[27];
+ $fwdfwsettings{'USE_NAT'} = $hash{$key}[28];
+- $fwdfwsettings{'nat'} = $hash{$key}[32]; #changed order
++ $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order
+ $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29];
+- $fwdfwsettings{'snatport'} = $hash{$key}[30];
+- $fwdfwsettings{'dnatport'} = $hash{$key}[31];
++ $fwdfwsettings{'dnatport'} = $hash{$key}[30];
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
+@@ -1686,11 +1735,11 @@ END
+ &Header::openbox('100%', 'left', 'NAT');
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td>USE NAT</td><td colspan='5'></td></tr>
+- <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='20%'> DNAT</td>
++ <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
++ <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
+ END
+ if (! -z "${General::swroot}/ethernet/aliases"){
+- print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='dnat' style='width:140px;'>";
++ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+ print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+
+@@ -1698,15 +1747,6 @@ END
+ {
+ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
+ }
+- #foreach my $network (sort keys %defaultNetworks)
+- #{
+- #next if($defaultNetworks{$network}{'NAME'} eq "RED");
+- #next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+- #next if($defaultNetworks{$network}{'NAME'} eq "ALL");
+- #print "<option value='$defaultNetworks{$network}{'NAME'}'";
+- #print " selected='selected'" if ($fwdfwsettings{'snatipfire'} eq $defaultNetworks{$network}{'NAME'});
+- #print ">$network</option>";
+- #}
+ }else{
+ print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+ }
+@@ -1714,9 +1754,8 @@ END
+ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
+ print"<tr><td colspan='8'><br></td></tr>";
+ #SNAT
+- print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'> SNAT</td>";
+- print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='snat' style='width:140px;'>";
+- print "<option value='ALL' $selected{'snat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
++ print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
++ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
+ print "<option value='Default IP' $selected{'snat'}{'Default IP'}>Default IP</option>";
+ foreach my $alias (sort keys %aliases)
+ {
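Review bot: The `dnatport` input on the context line of this hunk still writes `value=$fwdfwsettings{'dnatport'}` without quotes, although the commit fixes the `width='20%'` quoting further down in the same hunk. An unquoted attribute ends at the first space, so a posted value that fails validation and is echoed back into the form can add attributes or markup. Quote it as the other fields do, `value='$fwdfwsettings{'dnatport'}'`, and escape the value before printing. Whether the CGI parameters are cleaned when they are read is not visible here.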
+@@ -1727,11 +1766,11 @@ END
+ next if($defaultNetworks{$network}{'NAME'} eq "RED");
+ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+ next if($defaultNetworks{$network}{'NAME'} eq "ALL");
++ next if($defaultNetworks{$network}{'NAME'} =~ /OpenVPN/i);
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'nat'}} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+ }
+- print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='snatport' style='width:130px;'value=$fwdfwsettings{'snatport'} > </td></tr>";
+ print"</table>";
+ print"<hr>";
+ &Header::closebox();
+@@ -2065,9 +2104,8 @@ sub saverule
+ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
+ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
+- $$hash{$key}[30] = $fwdfwsettings{'snatport'};
+- $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
+- $$hash{$key}[32] = $fwdfwsettings{'nat'};
++ $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'nat'};
+ }
+ &General::writehasharray("$config", $hash);
+ }else{
+@@ -2104,9 +2142,8 @@ sub saverule
+ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
+ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
+- $$hash{$key}[30] = $fwdfwsettings{'snatport'};
+- $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
+- $$hash{$key}[32] = $fwdfwsettings{'nat'};
++ $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'nat'};
+ }
+ last;
+ }
+@@ -2304,7 +2341,7 @@ END
+ $tdcolor='';
+ &getsrcport(\%$hash,$key);
+ #Is this a SNAT rule?
+- if ($$hash{$key}[32] eq 'snat'){
++ if ($$hash{$key}[31] eq 'snat'){
+ print"<br>SNAT -> $$hash{$key}[29]";
+ if ($$hash{$key}[30] ne ''){
+ print": $$hash{$key}[30]";
+@@ -2329,10 +2366,10 @@ END
+ <td align='center' width='160' $tdcolor>
+ END
+ #Is this a DNAT rule?
+- if ($$hash{$key}[32] eq 'dnat'){
++ if ($$hash{$key}[31] eq 'dnat'){
+ print "IPFire ($$hash{$key}[29])";
+- if($$hash{$key}[31] ne ''){
+- print": $$hash{$key}[31]";
++ if($$hash{$key}[30] ne ''){
++ print": $$hash{$key}[30]";
+ }
+ print"<br> DNAT->";
+ }
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 6457cd2..fbe62ac 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -893,6 +893,9 @@
+ 'fwdfw cust net' => 'Custom Netzwerke:',
+ 'fwdfw copy' => 'Kopieren',
+ 'fwdfw delete' => 'Löschen',
++'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
++'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
++'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden',
+ 'fwdfw DROP' => 'Verwerfen (DROP)',
+ 'fwdfw edit' => 'Bearbeiten',
+ 'fwdfw err nosrc' => 'Keine Quelle gewählt',
+@@ -933,6 +936,7 @@
+ 'fwdfw rule action' => 'Regelaktion:',
+ 'fwdfw rule activate' => 'Regel aktivieren',
+ 'fwdfw rulepos' => 'Regelposition',
++'fwdfw snat' => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)',
+ 'fwdfw source' => 'Quelle',
+ 'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
+ 'fwdfw std network' => 'Standard Netzwerke:',
+@@ -943,6 +947,7 @@
+ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+ 'fwdfw toggle' => 'Aktivieren oder deaktivieren',
+ 'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
++'fwdfw use nat' => 'NAT benutzen',
+ 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.',
+ 'fwdfw use srcport' => 'Quellport benutzen',
+ 'fwdfw use srv' => 'Zielport benutzen',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 9b89d7b..24112c3 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -916,6 +916,9 @@
+ 'fwdfw cust net' => 'Custom networks:',
+ 'fwdfw copy' => 'Copy',
+ 'fwdfw delete' => 'Delete',
++'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)',
++'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
++'fwdfw dnat porterr' => 'You have to select a single port (tcp/udp) for NAT',
+ 'fwdfw DROP' => 'DROP',
+ 'fwdfw edit' => 'Edit',
+ 'fwdfw err nosrc' => 'No source selected.',
+@@ -956,6 +959,7 @@
+ 'fwdfw rule action' => 'Rule action:',
+ 'fwdfw rule activate' => 'Activate rule',
+ 'fwdfw rulepos' => 'Ruleposition',
++'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)',
+ 'fwdfw source' => 'Source',
+ 'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
+ 'fwdfw std network' => 'Standard networks:',
+@@ -966,6 +970,7 @@
+ 'fwdfw timeframe' => 'Add timeframe',
+ 'fwdfw toggle' => 'Activate or deactivate',
+ 'fwdfw togglelog' => 'Activate or deactivate logging',
++'fwdfw use nat' => 'Use NAT',
+ 'fwdfw useless rule' => 'This rule is rejected (useless).',
+ 'fwdfw use srcport' => 'Use sourceport',
+ 'fwdfw use srv' => 'Use targetport',
+--
+1.7.10.4
+
--- /dev/null
+From 16abd76a05f41f45e8c18d0a8bc6e282b3491bfa Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Mar 2013 05:15:20 +0100
+Subject: [PATCH 186/302] Forward Firewall: delete old portforwarding from
+ system and fix for wlan-firewall part 1 (loop)
+
+---
+ config/rootfiles/common/misc-progs | 1 -
+ html/cgi-bin/portfw.cgi | 1177 ------------------------------------
+ lfs/initscripts | 2 -
+ src/initscripts/init.d/firewall | 16 +-
+ src/misc-progs/Makefile | 6 +-
+ src/misc-progs/setportfw.c | 369 -----------
+ src/misc-progs/wirelessctrl.c | 6 +-
+ 7 files changed, 11 insertions(+), 1566 deletions(-)
+ delete mode 100644 html/cgi-bin/portfw.cgi
+ delete mode 100644 src/misc-progs/setportfw.c
+
+diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
+index 8b0cc81..2e695d1 100644
+--- a/config/rootfiles/common/misc-progs
++++ b/config/rootfiles/common/misc-progs
+@@ -23,7 +23,6 @@ usr/local/bin/rebuildroutes
+ usr/local/bin/redctrl
+ #usr/local/bin/sambactrl
+ usr/local/bin/setaliases
+-usr/local/bin/setportfw
+ usr/local/bin/smartctrl
+ usr/local/bin/snortctrl
+ usr/local/bin/squidctrl
+diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi
+deleted file mode 100644
+index 199682f..0000000
+--- a/html/cgi-bin/portfw.cgi
++++ /dev/null
+@@ -1,1177 +0,0 @@
+-#!/usr/bin/perl
+-###############################################################################
+-# #
+-# IPFire.org - A linux based firewall #
+-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+-# #
+-# This program is free software: you can redistribute it and/or modify #
+-# it under the terms of the GNU General Public License as published by #
+-# the Free Software Foundation, either version 3 of the License, or #
+-# (at your option) any later version. #
+-# #
+-# This program is distributed in the hope that it will be useful, #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+-# GNU General Public License for more details. #
+-# #
+-# You should have received a copy of the GNU General Public License #
+-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+-# #
+-###############################################################################
+-
+-use strict;
+-
+-# enable only the following on debugging purpose
+-#use warnings;
+-#use CGI::Carp 'fatalsToBrowser';
+-
+-require '/var/ipfire/general-functions.pl';
+-require "${General::swroot}/lang.pl";
+-require "${General::swroot}/header.pl";
+-
+-#workaround to suppress a warning when a variable is used only once
+-my @dummy = ( ${Header::colouryellow} );
+-undef (@dummy);
+-
+-my %color = ();
+-my %mainsettings = ();
+-&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+-
+-my %cgiparams=();
+-my %selected=();
+-my %checked=();
+-my $prtrange1=0;
+-my $prtrange2=0;
+-my $errormessage = '';
+-my $filename = "${General::swroot}/portfw/config";
+-my $aliasfile = "${General::swroot}/ethernet/aliases";
+-
+-&Header::showhttpheaders();
+-
+-$cgiparams{'ENABLED'} = 'off';
+-$cgiparams{'KEY1'} = '0';
+-$cgiparams{'KEY2'} = '0';
+-$cgiparams{'PROTOCOL'} = '';
+-$cgiparams{'SRC_PORT'} = '';
+-$cgiparams{'DEST_IP'} = '';
+-$cgiparams{'DEST_PORT'} = '';
+-$cgiparams{'SRC_IP'} = '';
+-$cgiparams{'ORIG_IP'} = '';
+-$cgiparams{'REMARK'} = '';
+-$cgiparams{'OVERRIDE'} = 'off';
+-$cgiparams{'ACTION'} = '';
+-
+-&Header::getcgihash(\%cgiparams);
+-
+-my $disable_all = "0";
+-my $enable_all = "0";
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
+-{
+- &valaddupdate();
+-
+- # Darren Critchley - if there is an error, don't waste any more time processing
+- if ($errormessage) { goto ERROR; }
+-
+- open(FILE, $filename) or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+- my $key1 = 0; # used for finding last sequence number used
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+-
+- chomp ($temp[8]);
+- if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition
+- if ( $cgiparams{'SRC_PORT'} eq $temp[3] &&
+- $cgiparams{'PROTOCOL'} eq $temp[2] &&
+- $cgiparams{'SRC_IP'} eq $temp[7])
+- {
+- $errormessage =
+- "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}";
+- }
+- # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
+- if ( $temp[1] eq "0") {
+- $key1=$temp[0];
+- }
+- # Darren Critchley - Duplicate or overlapping Port range check
+- if ($temp[1] eq "0" &&
+- $cgiparams{'PROTOCOL'} eq $temp[2] &&
+- $cgiparams{'SRC_IP'} eq $temp[7] &&
+- $errormessage eq '')
+- {
+- &portchecks($temp[3], $temp[5]);
+- }
+- } else {
+- if ( $cgiparams{'KEY1'} eq $temp[0] &&
+- $cgiparams{'ORIG_IP'} eq $temp[8])
+- {
+- $errormessage =
+- "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}";
+- }
+- }
+- }
+-
+-ERROR:
+- unless ($errormessage)
+- {
+- # Darren Critchley - we only want to store ranges with Colons
+- $cgiparams{'SRC_PORT'} =~ tr/-/:/;
+- $cgiparams{'DEST_PORT'} =~ tr/-/:/;
+-
+- if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add
+- $key1++; # Add one to last sequence number
+- open(FILE,">>$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- if ($cgiparams{'ORIG_IP'} eq '0.0.0.0/0') {
+- # if the default/all is taken, then write it to the rule
+- print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
+- } else { # else create an extra record so it shows up
+- print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n";
+- print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
+- }
+- close(FILE);
+- undef %cgiparams;
+- &General::log($Lang::tr{'forwarding rule added'});
+- system('/usr/local/bin/setportfw');
+- } else { # else key1 eq 0
+- my $insertpoint = ($cgiparams{'KEY2'} - 1);
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- foreach my $line (@current) {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) {
+- if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule
+- $temp[8] = '0';
+- }
+- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
+- print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
+- } else {
+- print FILE "$line\n";
+- }
+- }
+- close(FILE);
+- undef %cgiparams;
+- &General::log($Lang::tr{'external access rule added'});
+- system('/usr/local/bin/setportfw');
+- } # end if if KEY1 eq 0
+- } # end unless($errormessage)
+-}
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'update'})
+-{
+- &valaddupdate();
+-
+- # Darren Critchley - If there is an error don't waste any more processing time
+- if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto UPD_ERROR; }
+-
+- open(FILE, $filename) or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+- my $disabledpfw = '0';
+- my $lastpfw = '';
+- my $xtaccessdel = '0';
+-
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+- if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled
+- $disabledpfw = $temp[6];
+- $lastpfw = $temp[0];
+- }
+- chomp ($temp[8]);
+- if ( $cgiparams{'SRC_PORT'} eq $temp[3] &&
+- $cgiparams{'PROTOCOL'} eq $temp[2] &&
+- $cgiparams{'SRC_IP'} eq $temp[7])
+- {
+- if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0")
+- {
+- $errormessage =
+- "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}";
+- }
+- }
+- if ($cgiparams{'ORIG_IP'} eq $temp[8])
+- {
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1])
+- # If we have the same source ip within a portfw group, then we have a problem!
+- {
+- $errormessage = "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}";
+- $cgiparams{'ACTION'} = $Lang::tr{'edit'};
+- }
+- }
+-
+- # Darren Critchley - Flag when a user disables an xtaccess
+- if ($cgiparams{'KEY1'} eq $temp[0] &&
+- $cgiparams{'KEY2'} eq $temp[1] &&
+- $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw
+- $cgiparams{'ENABLED'} eq "off" &&
+- $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off
+- $xtaccessdel = "1";
+- }
+-
+- # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records
+- if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6])
+- {
+- $enable_all = "1";
+- } else {
+- $enable_all = "0";
+- }
+- # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records
+- if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0")
+- {
+- $disable_all = "1";
+- } else {
+- $disable_all = "0";
+- }
+-
+- # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled
+- if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group
+- if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made
+- if ($disabledpfw eq "off")
+- {
+- $errormessage = "$Lang::tr{'cant enable xtaccess'}";
+- $cgiparams{'ACTION'} = $Lang::tr{'edit'};
+- }
+- }
+- }
+-
+- # Darren Critchley - rule to stop someone from entering ALL into a external access rule,
+- # the portfw is the only place that ALL can be specified
+- if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") {
+- $errormessage = "$Lang::tr{'xtaccess all error'}";
+- $cgiparams{'ACTION'} = $Lang::tr{'edit'};
+- }
+-
+- # Darren Critchley - Duplicate or overlapping Port range check
+- if ($temp[1] eq "0" &&
+- $cgiparams{'KEY1'} ne $temp[0] &&
+- $cgiparams{'PROTOCOL'} eq $temp[2] &&
+- $cgiparams{'SRC_IP'} eq $temp[7] &&
+- $errormessage eq '')
+- {
+- &portchecks($temp[3], $temp[5]);
+- } # end port testing
+-
+- }
+-
+- # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess
+- if($xtaccessdel eq "1") {
+- my $xctr = 0;
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+- if($temp[0] eq $cgiparams{'KEY1'} &&
+- $temp[6] eq "on") { # we only want to count the enabled xtaccess's
+- $xctr++;
+- }
+- }
+- if ($xctr == 2){
+- $disable_all = "1";
+- }
+- }
+-
+-UPD_ERROR:
+- unless ($errormessage)
+- {
+- # Darren Critchley - we only want to store ranges with Colons
+- $cgiparams{'SRC_PORT'} =~ tr/-/:/;
+- $cgiparams{'DEST_PORT'} =~ tr/-/:/;
+-
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- foreach my $line (@current) {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) {
+- print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
+- } else {
+- # Darren Critchley - If it is a port forward record, then chances are good that a change was made to
+- # Destination Ip or Port, and we need to update all the associated external access records
+- if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) {
+- $temp[4] = $cgiparams{'DEST_IP'};
+- $temp[5] = $cgiparams{'DEST_PORT'};
+- $temp[2] = $cgiparams{'PROTOCOL'};
+- }
+-
+- # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled
+- if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
+- $temp[6] = 'off';
+- }
+- if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
+- $temp[6] = 'on';
+- }
+- # Darren Critchley - Deal with the override to allow ALL
+- if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) {
+- $temp[6] = 'off';
+- }
+- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
+- }
+- }
+- close(FILE);
+- undef %cgiparams;
+- &General::log($Lang::tr{'forwarding rule updated'});
+- system('/usr/local/bin/setportfw');
+- }
+- if ($errormessage) {
+- $cgiparams{'ACTION'} = $Lang::tr{'edit'};
+- }
+-}
+-
+-# Darren Critchley - Allows rules to be enabled and disabled
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
+-{
+- open(FILE, $filename) or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+- my $disabledpfw = '0';
+- my $lastpfw = '';
+- my $xtaccessdel = '0';
+-
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+- if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled
+- $disabledpfw = $temp[6];
+- $lastpfw = $temp[0];
+- }
+- # Darren Critchley - Flag when a user disables an xtaccess
+- if ($cgiparams{'KEY1'} eq $temp[0] &&
+- $cgiparams{'KEY2'} eq $temp[1] &&
+- $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw
+- $cgiparams{'ENABLED'} eq "off" &&
+- $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off
+- $xtaccessdel = "1";
+- }
+-
+- # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records
+- if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6])
+- {
+- $enable_all = "1";
+- } else {
+- $enable_all = "0";
+- }
+- # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records
+- if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0")
+- {
+- $disable_all = "1";
+- } else {
+- $disable_all = "0";
+- }
+-
+- # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled
+- if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group
+- if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made
+- if ($disabledpfw eq "off")
+- {
+- $errormessage = "$Lang::tr{'cant enable xtaccess'}";
+- goto TOGGLEEXIT;
+- }
+- }
+- }
+- }
+-
+- # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess
+- if($xtaccessdel eq "1") {
+- my $xctr = 0;
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+- if($temp[0] eq $cgiparams{'KEY1'} &&
+- $temp[6] eq "on") { # we only want to count the enabled xtaccess's
+- $xctr++;
+- }
+- }
+- if ($xctr == 2){
+- $disable_all = "1";
+- }
+- }
+-
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- foreach my $line (@current) {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) {
+- print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n";
+- } else {
+- # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled
+- if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
+- $temp[6] = 'off';
+- }
+- if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
+- $temp[6] = 'on';
+- }
+- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
+- }
+- }
+- close(FILE);
+- &General::log($Lang::tr{'forwarding rule updated'});
+- system('/usr/local/bin/setportfw');
+-TOGGLEEXIT:
+- undef %cgiparams;
+-}
+-
+-
+-# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
+-{
+- open(FILE, "$filename") or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+-
+- unless ($errormessage)
+- {
+- foreach my $line (@current)
+- {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) {
+- $cgiparams{'PROTOCOL'} = $temp[2];
+- $cgiparams{'SRC_PORT'} = $temp[3];
+- $cgiparams{'DEST_IP'} = $temp[4];
+- $cgiparams{'DEST_PORT'} = $temp[5];
+- $cgiparams{'ENABLED'} = $temp[6];
+- $cgiparams{'SRC_IP'} = $temp[7];
+- $cgiparams{'ORIG_IP'} = $temp[8];
+- $cgiparams{'REMARK'} = $temp[9];
+- }
+-
+- }
+- }
+-}
+-
+-# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
+-{
+- open(FILE, "$filename") or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+-
+- # If the record being deleted is an xtaccess record, and it is the only one for a portfw record
+- # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur
+- # in setportfw.c
+- my $fixportfw = '0';
+- if ($cgiparams{'KEY2'} ne "0") {
+- my $counter = 0;
+- foreach my $line (@current)
+- {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+- if ($temp[0] eq $cgiparams{'KEY1'}) {
+- $counter++;
+- }
+- }
+- if ($counter eq 2) {
+- $fixportfw = '1';
+- }
+- }
+-
+- unless ($errormessage)
+- {
+- open(FILE, ">$filename") or die 'Unable to open config file.';
+- flock FILE, 2;
+- my $linedeleted = 0;
+- foreach my $line (@current)
+- {
+- chomp($line);
+- my @temp = split(/\,/,$line);
+-
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ||
+- $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" )
+- {
+- $linedeleted = 1;
+- } else {
+- if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") {
+- $temp[8] = '0.0.0.0/0';
+- }
+- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
+-# print FILE "$line\n";
+- }
+- }
+- close(FILE);
+- if ($linedeleted == 1) {
+- &General::log($Lang::tr{'forwarding rule removed'});
+- undef %cgiparams;
+- }
+- system('/usr/local/bin/setportfw');
+- }
+-}
+-
+-# Darren Critchley - Added routine to allow external access rules to be added
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'})
+-{
+- open(FILE, $filename) or die 'Unable to open config file.';
+- my @current = <FILE>;
+- close(FILE);
+- my $key = 0; # used for finding last sequence number used
+- foreach my $line (@current)
+- {
+- my @temp = split(/\,/,$line);
+- if ($temp[0] eq $cgiparams{'KEY1'}) {
+- $key = $temp[1]
+- }
+- if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) {
+- $cgiparams{'PROTOCOL'} = $temp[2];
+- $cgiparams{'SRC_PORT'} = $temp[3];
+- $cgiparams{'DEST_IP'} = $temp[4];
+- $cgiparams{'DEST_PORT'} = $temp[5];
+- $cgiparams{'ENABLED'} = $temp[6];
+- $cgiparams{'SRC_IP'} = $temp[7];
+- $cgiparams{'ORIG_IP'} = '';
+- $cgiparams{'REMARK'} = $temp[9];
+- }
+- }
+- $key++;
+- $cgiparams{'KEY2'} = $key;
+- # Until the ADD button is hit, there needs to be no change to portfw rules
+-}
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'})
+-{
+- undef %cgiparams;
+-}
+-
+-if ($cgiparams{'ACTION'} eq '')
+-{
+- $cgiparams{'PROTOCOL'} = 'tcp';
+- $cgiparams{'ENABLED'} = 'on';
+- $cgiparams{'SRC_IP'} = '0.0.0.0';
+-}
+-
+-$selected{'PROTOCOL'}{'udp'} = '';
+-$selected{'PROTOCOL'}{'tcp'} = '';
+-$selected{'PROTOCOL'}{'gre'} = '';
+-$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'";
+-
+-$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = "selected='selected'";
+-
+-$checked{'ENABLED'}{'off'} = '';
+-$checked{'ENABLED'}{'on'} = '';
+-$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+-
+-&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, '');
+-
+-&Header::openbigbox('100%', 'left', '', $errormessage);
+-
+-if ($errormessage) {
+- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+- print "<class name='base'><font color='${Header::colourred}'>$errormessage\n</font>";
+- print " </class>\n";
+- &Header::closebox();
+-}
+-
+-print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){
+- &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'});
+-} else {
+- &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'});
+-}
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){
+-# if it is not a port forward record, don't validate as the fields are disabled
+- my $PROT = "\U$cgiparams{'PROTOCOL'}\E";
+- # Darren Critchley - Format the source and destination ports
+- my $dstprt = $cgiparams{'DEST_PORT'};
+- $dstprt =~ s/-/ - /;
+- $dstprt =~ s/:/ - /;
+-
+-print <<END
+-<table>
+- <tr>
+- <td class='base'>$Lang::tr{'protocol'}: <b>$PROT</b></td>
+- <td width='20'> </td>
+- <td class='base' align='right'>$Lang::tr{'destination ip'}: </td>
+- <td><b>$cgiparams{'DEST_IP'}</b></td>
+- <td width='20'> </td>
+- <td class='base' align='right'>$Lang::tr{'destination port'}: </td>
+- <td><b>$dstprt</b></td>
+- </tr>
+-</table>
+-
+-<input type='hidden' name='PROTOCOL' value='$cgiparams{'PROTOCOL'}' />
+-<input type='hidden' name='SRC_IP' value='$cgiparams{'SRC_IP'}' />
+-<input type='hidden' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' />
+-<input type='hidden' name='DEST_IP' value='$cgiparams{'DEST_IP'}' />
+-<input type='hidden' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' />
+-END
+-;
+-} else {
+-print <<END
+-<table width='100%'>
+- <tr>
+- <td width='10%'>$Lang::tr{'protocol'}: </td>
+- <td width='15%'>
+- <select name='PROTOCOL'>
+- <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option>
+- <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
+- <option value='gre' $selected{'PROTOCOL'}{'gre'}>GRE</option>
+- </select>
+- </td>
+- <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'alias ip'}:</font></td>
+- <td>
+- <select name='SRC_IP'>
+- <option value='0.0.0.0' $selected{'SRC_IP'}{'0.0.0.0'}>DEFAULT IP</option>
+-END
+-;
+-open(ALIASES, "$aliasfile") or die 'Unable to open aliases file.';
+-while (<ALIASES>)
+-{
+- chomp($_);
+- my @temp = split(/\,/,$_);
+- if ($temp[1] eq 'on') {
+- print "<option value='$temp[0]' $selected{'SRC_IP'}{$temp[0]}>$temp[0]";
+- if (defined $temp[2] and ($temp[2] ne '')) { print " ($temp[2])"; }
+- print "</option>\n";
+- }
+-}
+-close(ALIASES);
+-print <<END
+- </select>
+- </td>
+- <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'source port'}:</font></td>
+- <td width='10%'><input type='text' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' size='8' /></td>
+- </tr>
+- <tr>
+- <td class='base'> </td>
+- <td> </td>
+- <td class='base'>$Lang::tr{'destination ip'}:</td>
+- <td><input type='text' name='DEST_IP' value='$cgiparams{'DEST_IP'}' size='15' /></td>
+- <td class='base'>$Lang::tr{'destination port'}:</td>
+- <td><input type='text' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='8' /></td>
+- </tr>
+-</table>
+-END
+-;
+-}
+-
+-print <<END
+-<table>
+- <tr>
+- <td class='base'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /> </td>
+- <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
+-END
+-;
+-unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") {
+- print "<td width='20'> </td>";
+- print "<td>$Lang::tr{'enabled'} </td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n";
+-}
+-print <<END
+- </tr>
+-</table>
+-END
+-;
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){
+-# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we
+-# don't want to allow a person to change the orig_ip field as it will mess other logic up
+- print "<input type='hidden' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' />\n";
+-} else {
+-print <<END
+-<table>
+- <tr>
+- <td class='base'><font class='boldbase' color='${Header::colourred}'>$Lang::tr{'source network'}</font> <img src='/blob.gif' alt='*' /> </td>
+- <td><input type='text' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' size='15' /></td>
+- </tr>
+-</table>
+-END
+-;
+-}
+-
+-print <<END
+-<table width='100%'>
+- <hr />
+- <tr>
+- <td class='base' width='25%'><img src='/blob.gif' alt ='*' align='top' /> <font class='base'>$Lang::tr{'this field may be blank'}</font></td>
+-END
+-;
+-
+-
+-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){
+- if($cgiparams{'KEY2'} eq "0"){
+- print "<td width='35%' align='right'>$Lang::tr{'open to all'}: </td><td width='5%'><input type='checkbox' name='OVERRIDE' $checked{'OVERRIDE'}{'on'} /></td>\n";
+- } else {
+- print "<td width='40%'> </td>\n";
+- }
+- print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' />";
+- print "<input type='hidden' name='KEY1' value='$cgiparams{'KEY1'}' />";
+- print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' /></TD>";
+- print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
+- # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button
+-} else {
+- print "<td width='30%'> </td>\n";
+- print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>";
+- if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) {
+- print "<td align='center' width='15%'><input type='hidden' name='KEY1' value='$cgiparams{'KEY1'}' />";
+- print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' />";
+- print "<input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
+- } elsif ($errormessage ne '') {
+- print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
+- } else {
+- print "<td align='center' width='15%'><input type='reset' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
+- }
+-}
+-print <<END
+- <td width='5%' align='right'> </td>
+- </tr>
+-</table>
+-END
+-;
+-&Header::closebox();
+-
+-print "</form>\n";
+-
+-&Header::openbox('100%', 'left', $Lang::tr{'current rules'});
+-print <<END
+-<table width='100%'>
+-<tr>
+-<td width='7%' class='boldbase' align='center'><b>$Lang::tr{'proto'}</b></td>
+-<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'source'}</b></td>
+-<td width='2%' class='boldbase' align='center'> </td>
+-<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'destination'}</b></td>
+-<td width='24%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
+-<td width='4%' class='boldbase' colspan='4' align='center'><b>$Lang::tr{'action'}</b></td>
+-</tr>
+-END
+-;
+-
+-my $id = 0;
+-my $xtaccesscolor = '#F6F4F4';
+-open(RULES, "$filename") or die 'Unable to open config file.';
+-while (<RULES>)
+-{
+- my $protocol = '';
+- my $gif = '';
+- my $gdesc = '';
+- my $toggle = '';
+- chomp($_);
+- my @temp = split(/\,/,$_);
+- $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init
+- if ($temp[2] eq 'udp') {
+- $protocol = 'UDP'; }
+- elsif ($temp[2] eq 'gre') {
+- $protocol = 'GRE' }
+- else {
+- $protocol = 'TCP' }
+- # Change bgcolor when a new portfw rule is added
+- if ($temp[1] eq "0"){
+- $id++;
+- }
+- # Darren Critchley highlight the row we are editing
+- if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) {
+- print "<tr bgcolor='${Header::colouryellow}'>\n";
+- } else {
+- if ($id % 2) {
+- print "<tr bgcolor='$color{'color22'}'>\n";
+- }
+- else {
+- print "<tr bgcolor='$color{'color20'}'>\n";
+- }
+- }
+-
+- if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};}
+- else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
+-
+- # Darren Critchley - this code no longer works - should we remove?
+- # catch for 'old-style' rules file - assume default ip if
+- # none exists
+- if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') {
+- $temp[7] = 'DEFAULT IP'; }
+- if ($temp[1] eq '0') { # Port forwarding entry
+-
+- # Darren Critchley - Format the source and destintation ports
+- my $srcprt = $temp[3];
+- $srcprt =~ s/-/ - /;
+- $srcprt =~ s/:/ - /;
+- my $dstprt = $temp[5];
+- $dstprt =~ s/-/ - /;
+- $dstprt =~ s/:/ - /;
+-
+- # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat
+- $_=$temp[3];
+- if (/^\d+$/) {
+- my $servi = uc(getservbyport($temp[3], lc($temp[2])));
+- if ($servi ne '' && $temp[3] < 1024) {
+- $srcprt = "$srcprt($servi)"; }
+- }
+- $_=$temp[5];
+- if (/^\d+$/) {
+- my $servi = uc(getservbyport($temp[5], lc($temp[2])));
+- if ($servi ne '' && $temp[5] < 1024) {
+- $dstprt = "$dstprt($servi)"; }
+- }
+-
+- # Darren Critchley - If the line is too long, wrap the port numbers
+- my $srcaddr = "$temp[7] : $srcprt";
+- if (length($srcaddr) > 22) {
+- $srcaddr = "$temp[7] :<br /> $srcprt";
+- }
+- my $dstaddr = "$temp[4] : $dstprt";
+- if (length($dstaddr) > 26) {
+- $dstaddr = "$temp[4] :<br /> $dstprt";
+- }
+-print <<END
+-<td align='center'>$protocol</td>
+-<td align='center'>$srcaddr</td>
+-<td align='center'><img src='/images/forward.gif' alt='=>' /></td>
+-<td align='center'>$dstaddr</td>
+-<td align='left'> $temp[9]</td>
+-<td align='center'>
+- <form method='post' name='frm$temp[0]c' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
+- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- <input type='hidden' name='ENABLED' value='$toggle' />
+- </form>
+-</td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'add xtaccess'}' />
+- <input type='image' name='$Lang::tr{'add xtaccess'}' src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' title='$Lang::tr{'add xtaccess'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- </form>
+-</td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+- <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- </form>
+-</td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]b' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
+- <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- </form>
+-</td>
+-
+-</tr>
+-END
+- ;
+- } else { # external access entry
+-print <<END
+-<td align='center'> </td>
+-
+-<td align='left' colspan='4'> <font color='${Header::colourred}'>$Lang::tr{'access allowed'}</font> $temp[8] ($temp[9])</td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]$temp[1]t' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
+- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- <input type='hidden' name='ENABLED' value='$toggle' />
+- </form>
+-</td>
+-
+-<td align='center'> </td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]$temp[1]' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+- <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- </form>
+-</td>
+-
+-<td align='center'>
+- <form method='post' name='frm$temp[0]b$temp[1]b' action='$ENV{'SCRIPT_NAME'}'>
+- <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
+- <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
+- <input type='hidden' name='KEY1' value='$temp[0]' />
+- <input type='hidden' name='KEY2' value='$temp[1]' />
+- </form>
+-</td>
+-
+-</tr>
+-END
+- ;
+- }
+-}
+-
+-close(RULES);
+-
+-print "</table>";
+-
+-# If the fixed lease file contains entries, print Key to action icons
+-if ( ! -z "$filename") {
+-print <<END
+-<table>
+-<tr>
+- <td class='boldbase'> <b>$Lang::tr{'legend'}: </b></td>
+- <td><img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+- <td class='base'>$Lang::tr{'click to disable'}</td>
+- <td> </td>
+- <td><img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
+- <td class='base'>$Lang::tr{'click to enable'}</td>
+- <td> </td>
+- <td><img src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' /></td>
+- <td class='base'>$Lang::tr{'add xtaccess'}</td>
+- <td> </td>
+- <td><img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+- <td class='base'>$Lang::tr{'edit'}</td>
+- <td> </td>
+- <td><img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
+- <td class='base'>$Lang::tr{'remove'}</td>
+-</tr>
+-</table>
+-END
+-;
+-}
+-
+-&Header::closebox();
+-
+-&Header::closebigbox();
+-
+-&Header::closepage();
+-
+-# Validate Field Entries
+-sub validateparams
+-{
+- # Darren Critchley - Get rid of dashes in port ranges
+- $cgiparams{'DEST_PORT'}=~ tr/-/:/;
+- $cgiparams{'SRC_PORT'}=~ tr/-/:/;
+-
+- # Darren Critchley - code to substitue wildcards
+- if ($cgiparams{'SRC_PORT'} eq "*") {
+- $cgiparams{'SRC_PORT'} = "1:65535";
+- }
+- if ($cgiparams{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) {
+- $cgiparams{'SRC_PORT'} = "1:$2";
+- }
+- if ($cgiparams{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
+- $cgiparams{'SRC_PORT'} = "$1:65535";
+- }
+- if ($cgiparams{'DEST_PORT'} eq "*") {
+- $cgiparams{'DEST_PORT'} = "1:65535";
+- }
+- if ($cgiparams{'DEST_PORT'} =~ /^(\D)\:(\d+)$/) {
+- $cgiparams{'DEST_PORT'} = "1:$2";
+- }
+- if ($cgiparams{'DEST_PORT'} =~ /^(\d+)\:(\D)$/) {
+- $cgiparams{'DEST_PORT'} = "$1:65535";
+- }
+-
+- # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder
+- if ($cgiparams{'PROTOCOL'} eq 'gre') {
+- $cgiparams{'SRC_PORT'} = "GRE";
+- $cgiparams{'DEST_PORT'} = "GRE";
+- }
+-
+- unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; }
+- # Darren Critchley - Changed how the error routine works a bit - for the validportrange check, we need to
+- # pass in src or dest to determine which side we are working with.
+- # the routine returns the complete error or ''
+- if ($cgiparams{'PROTOCOL'} ne 'gre') {
+- $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src');
+- }
+- if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) {
+- # if it is a port forward record with 0 in orig_ip then ignore checking this field
+- unless(&General::validipormask($cgiparams{'ORIG_IP'}))
+- {
+- if ($cgiparams{'ORIG_IP'} ne '') {
+- $errormessage = $Lang::tr{'source ip bad'}; }
+- else {
+- $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; }
+- }
+- }
+- # Darren Critchey - New rule that sets destination same as source if dest_port is blank.
+- if ($cgiparams{'DEST_PORT'} eq ''){
+- $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'};
+- }
+- # Darren Critchey - Just in case error message is already set, this routine would wipe it out if
+- # we don't do a test here
+- if ($cgiparams{'PROTOCOL'} ne 'gre') {
+- unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');}
+- }
+- unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; }
+- return;
+-}
+-
+-# Darren Critchley - we want to make sure that a port range does not overlap another port range
+-sub checkportoverlap
+-{
+- my $portrange1 = $_[0]; # New port range
+- my $portrange2 = $_[1]; # existing port range
+- my @tempr1 = split(/\:/,$portrange1);
+- my @tempr2 = split(/\:/,$portrange2);
+-
+- unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
+- unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
+-
+- unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
+- unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
+-
+- return 1; # Everything checks out!
+-}
+-
+-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
+-sub checkportinc
+-{
+- my $port1 = $_[0]; # Port
+- my $portrange2 = $_[1]; # Port range
+- my @tempr1 = split(/\:/,$portrange2);
+-
+- if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
+- return 1;
+- } else {
+- return 0;
+- }
+-}
+-
+-# Darren Critchley - certain ports are reserved for Ipcop
+-# TCP 67,68,81,222,445
+-# UDP 67,68
+-# Params passed in -> port, rangeyn, protocol
+-sub disallowreserved
+-{
+- # port 67 and 68 same for tcp and udp, don't bother putting in an array
+- my $msg = "";
+- my @tcp_reserved = ();
+- my $prt = $_[0]; # the port or range
+- my $ryn = $_[1]; # tells us whether or not it is a port range
+- my $prot = $_[2]; # protocol
+- my $srcdst = $_[3]; # source or destination
+-
+- if ($ryn) { # disect port range
+- if ($srcdst eq "src") {
+- $msg = "$Lang::tr{'rsvd src port overlap'}";
+- } else {
+- $msg = "$Lang::tr{'rsvd dst port overlap'}";
+- }
+- my @tmprng = split(/\:/,$prt);
+- unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
+- unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
+- if ($prot eq "tcp") {
+- foreach my $prange (@tcp_reserved) {
+- unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
+- }
+- }
+- } else {
+- if ($srcdst eq "src") {
+- $msg = "$Lang::tr{'reserved src port'}";
+- } else {
+- $msg = "$Lang::tr{'reserved dst port'}";
+- }
+- if ($prt == 67) { $errormessage="$msg 67"; return; }
+- if ($prt == 68) { $errormessage="$msg 68"; return; }
+- if ($prot eq "tcp") {
+- foreach my $prange (@tcp_reserved) {
+- if ($prange == $prt) { $errormessage="$msg $prange"; return; }
+- }
+- }
+- }
+- return;
+-}
+-
+-# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same
+-sub valaddupdate
+-{
+- if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly
+- &validateparams();
+- } else { # it is an xtaccess rule, just check for a valid ip
+- unless(&General::validipormask($cgiparams{'ORIG_IP'}))
+- {
+- if ($cgiparams{'ORIG_IP'} ne '') {
+- $errormessage = $Lang::tr{'source ip bad'}; }
+- else { # this rule stops someone from adding an ALL xtaccess record
+- $errormessage = $Lang::tr{'xtaccess all error'};
+- $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'};
+- }
+- }
+- # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess
+- if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") {
+- $errormessage = $Lang::tr{'xtaccess all error'};
+- $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'};
+- }
+- }
+- # Darren Critchley - Remove commas from remarks
+- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+-
+- # Darren Critchley - Check to see if we are working with port ranges
+- our ($prtrange1, $prtrange2);
+- $_ = $cgiparams{'SRC_PORT'};
+- if ($cgiparams{'KEY2'} eq "0" && m/:/){
+- $prtrange1 = 1;
+- }
+- if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP
+- if ($prtrange1 == 1){ # check for source ports reserved for Ipcop
+- &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src");
+- if ($errormessage) { goto EXITSUB; }
+- } else { # check for source port reserved for Ipcop
+- &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src");
+- if ($errormessage) { goto EXITSUB; }
+- }
+- }
+-
+- $_ = $cgiparams{'DEST_PORT'};
+- if ($cgiparams{'KEY2'} eq "0" && m/:/){
+- $prtrange2 = 1;
+- }
+- if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP
+- if ($prtrange2 == 1){ # check for destination ports reserved for IPFire
+- &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst");
+- if ($errormessage) { goto EXITSUB; }
+- } else { # check for destination port reserved for IPFire
+- &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst");
+- if ($errormessage) { goto EXITSUB; }
+- }
+- }
+-
+-
+-EXITSUB:
+- return;
+-}
+-
+-# Darren Critchley - Duplicate or overlapping Port range check
+-sub portchecks
+-{
+- $_ = $_[0];
+- our ($prtrange1, $prtrange2);
+- if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
+- unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) {
+- $errormessage = "$Lang::tr{'source port overlaps'} $_[0]";
+- }
+- }
+- if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) {
+- $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]";
+- }
+- }
+- if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) {
+- $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]";
+- }
+- }
+-
+- if ($errormessage eq ''){
+- $_ = $_[1];
+- if (m/:/ && $prtrange2 == 1) { # if true then there is a port range
+- unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) {
+- $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]";
+- }
+- }
+- if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) {
+- $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]";
+- }
+- }
+- if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) {
+- $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]";
+- }
+- }
+- }
+- return;
+-}
+diff --git a/lfs/initscripts b/lfs/initscripts
+index 30d90bb..a59e223 100644
+--- a/lfs/initscripts
++++ b/lfs/initscripts
+@@ -182,8 +182,6 @@ $(TARGET) :
+ /etc/rc.d/init.d/networking/red.up/24-RS-snort
+ ln -sf ../../../../../usr/local/bin/qosctrl \
+ /etc/rc.d/init.d/networking/red.up/25-RS-qos
+- ln -sf ../../../../../usr/local/bin/setportfw \
+- /etc/rc.d/init.d/networking/red.up/26-portfw
+ ln -sf ../../../../../usr/local/bin/dialctrl.pl \
+ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
+ ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index e395983..74be2c8 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -221,7 +221,7 @@ case "$1" in
+ /sbin/iptables -N WIRELESSINPUT
+ /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+- /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
++ /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
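Review bot: The trailing context of this hunk still creates `PORTFWACCESS` ("used for portforwarding"), but the same patch deletes setportfw.c, which is the program shown flushing and filling that chain. If nothing else populates it (not visible here), the chain and any jump to it are dead and should be removed with the rest of the old port forwarding, or the comment changed to say what now owns it. Separately, the `WIRELESSFORWARD` jump is now appended to `FORWARD` directly, so its position relative to the other `FORWARD` jumps decides when BLUE access filtering runs; a comment such as `# must precede the FORWARDFW jump: BLUE clients are filtered first` (if that is the intent) would make the ordering explicit. The `case` block continues outside the hunk.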
+@@ -250,19 +250,18 @@ case "$1" in
+ # Custom prerouting chains (for transparent proxy and port forwarding)
+ /sbin/iptables -t nat -N SQUID
+ /sbin/iptables -t nat -A PREROUTING -j SQUID
+- /sbin/iptables -t nat -N PORTFW
+- /sbin/iptables -t nat -A PREROUTING -j PORTFW
+-
++ /sbin/iptables -t nat -N NAT_DESTINATION
++ /sbin/iptables -t nat -N NAT_SOURCE
++ /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
++ /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
++
++
+ # upnp chain for our upnp daemon
+ /sbin/iptables -t nat -N UPNPFW
+ /sbin/iptables -t nat -A PREROUTING -j UPNPFW
+ /sbin/iptables -N UPNPFW
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+
+- # Custom mangle chain (for port fowarding)
+- /sbin/iptables -t mangle -N PORTFWMANGLE
+- /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
+-
+ # Postrouting rules (for port forwarding)
+ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
+ --to-source $GREEN_ADDRESS
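Review bot: The `POSTROUTING -m mark --mark 1 -j SNAT` rule kept as context at the end of this hunk matches a mark that was set in `PORTFWMANGLE`, and this hunk removes that chain while the patch also deletes setportfw.c, which issued the `--set-mark 1` rules. Unless the new forward firewall code sets the same marks (not visible here), this SNAT rule can no longer match and should be dropped or its comment updated. The block comment also still reads "Custom prerouting chains" although `NAT_SOURCE` is hooked into `POSTROUTING`, ahead of the mark-based rule; I would reword it to `# Custom NAT chains: SQUID and NAT_DESTINATION (PREROUTING), NAT_SOURCE (POSTROUTING)` and drop the two extra blank lines.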
+@@ -352,7 +351,6 @@ case "$1" in
+ $0 stop
+ $0 start
+ /usr/local/bin/forwardfwctrl
+- /usr/local/bin/setportfw
+ /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+ /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
+ ;;
+diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
+index ea4da1a..a101a24 100644
+--- a/src/misc-progs/Makefile
++++ b/src/misc-progs/Makefile
+@@ -24,8 +24,7 @@ CFLAGS=-O2 -Wall
+ COMPILE=$(CC) $(CFLAGS)
+
+ PROGS = iowrap
+-SUID_PROGS = setportfw \
+- squidctrl sshctrl ipfirereboot \
++SUID_PROGS = squidctrl sshctrl ipfirereboot \
+ ipsecctrl timectrl dhcpctrl snortctrl \
+ applejuicectrl rebuildhosts backupctrl \
+ logwatch openvpnctrl forwardfwctrl \
+@@ -95,9 +94,6 @@ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
+ launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+-setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
+- $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+-
+ rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o
+ $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+
+diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c
+deleted file mode 100644
+index a65aebd..0000000
+--- a/src/misc-progs/setportfw.c
++++ /dev/null
+@@ -1,369 +0,0 @@
+-/* SmoothWall helper program - setportfw\r
+- *\r
+- * This program is distributed under the terms of the GNU General Public\r
+- * Licence. See the file COPYING for details.\r
+- *\r
+- * (c) Daniel Goscomb, 2001\r
+- * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases\r
+- * \r
+- * Modifications and improvements by Lawrence Manning.\r
+- *\r
+- * 10/04/01 Aslak added protocol support\r
+- * This program reads the list of ports to forward and setups iptables\r
+- * and rules in ipmasqadm to enable them.\r
+- *\r
+- * 02/11/03 Darren Critchley modifications to allow it to open multiple\r
+- * source ip addresses\r
+- * 02/25/03 Darren Critchley modifications to allow port ranges\r
+- * 04/01/03 Darren Critchley modifications to allow gre protocol\r
+- * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly,\r
+- * tidied up the iptables logic, killed duplicated code,\r
+- * removed srciptmp (unecessary)\r
+- *\r
+- * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $\r
+- * \r
+- */\r
+-\r
+-#include <stdio.h>\r
+-#include <string.h>\r
+-#include <stdlib.h>\r
+-#include "libsmooth.h"\r
+-#include "setuid.h"\r
+-\r
+-struct keyvalue *kv = NULL;\r
+-FILE *fwdfile = NULL;\r
+-\r
+-void exithandler(void)\r
+-{\r
+- if(kv)\r
+- freekeyvalues(kv);\r
+- if (fwdfile)\r
+- fclose(fwdfile);\r
+-}\r
+-\r
+-int main(void)\r
+-{\r
+- FILE *ipfile = NULL, *ifacefile = NULL;\r
+- int count;\r
+- char iface[STRING_SIZE] ="";
+- char locip[STRING_SIZE] ="";
+- char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] ="";
+- char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] ="";
+- char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] ="";
+- char *protocol;\r
+- char *srcip;\r
+- char *locport;\r
+- char *remip;\r
+- char *remport;\r
+- char *origip;\r
+- char *enabled;\r
+- char s[STRING_SIZE];\r
+- char *result;\r
+- char *key1;\r
+- char *key2;\r
+- char command[STRING_SIZE];\r
+-\r
+- if (!(initsetuid()))\r
+- exit(1);\r
+-\r
+- atexit(exithandler);\r
+-\r
+- /* Read in and verify config */\r
+- kv=initkeyvalues();\r
+-\r
+- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
+- {\r
+- fprintf(stderr, "Cannot read ethernet settings\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "GREEN_ADDRESS", greenip))\r
+- {\r
+- fprintf(stderr, "Cannot read GREEN_ADDRESS\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(greenip))\r
+- {\r
+- fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "GREEN_NETMASK", greenmask))\r
+- {\r
+- fprintf(stderr, "Cannot read GREEN_NETMASK\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(greenmask))\r
+- {\r
+- fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask);\r
+- exit(1);\r
+- }\r
+-\r
+- /* Get the BLUE interface details */\r
+- findkey(kv, "BLUE_DEV", bluedev);\r
+-\r
+- if (strlen(bluedev))\r
+- {\r
+-\r
+- if (!VALID_DEVICE(bluedev))\r
+- {\r
+- fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "BLUE_ADDRESS", blueip))\r
+- {\r
+- fprintf(stderr, "Cannot read BLUE_ADDRESS\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(blueip))\r
+- {\r
+- fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "BLUE_NETMASK", bluemask))\r
+- {\r
+- fprintf(stderr, "Cannot read BLUE_NETMASK\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(bluemask))\r
+- {\r
+- fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask);\r
+- exit(1);\r
+- }\r
+-\r
+- }\r
+-\r
+- /* Get the ORANGE interface details */\r
+- findkey(kv, "ORANGE_DEV", orangedev);\r
+-\r
+- if (strlen(orangedev))\r
+- {\r
+-\r
+- if (!VALID_DEVICE(orangedev))\r
+- {\r
+- fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "ORANGE_ADDRESS", orangeip))\r
+- {\r
+- fprintf(stderr, "Cannot read ORANGE_ADDRESS\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(orangeip))\r
+- {\r
+- fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip);\r
+- exit(1);\r
+- }\r
+-\r
+- if (!findkey(kv, "ORANGE_NETMASK", orangemask))\r
+- {\r
+- fprintf(stderr, "Cannot read ORANGE_NETMASK\n");\r
+- exit(1);\r
+- }\r
+-\r
+- if (!VALID_IP(orangemask))\r
+- {\r
+- fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask);\r
+- exit(1);\r
+- }\r
+-\r
+- }\r
+-\r
+-\r
+- if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open local ip file\n");\r
+- exit(1);\r
+- }\r
+- fgets(locip, STRING_SIZE, ipfile);\r
+- if (locip[strlen(locip) - 1] == '\n')\r
+- locip[strlen(locip) - 1] = '\0';\r
+- fclose (ipfile);\r
+- if (!VALID_IP(locip))\r
+- {\r
+- fprintf(stderr, "Bad local IP: %s\n", locip);\r
+- exit(1);\r
+- }\r
+- \r
+- if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open iface file\n");\r
+- exit(1);\r
+- }\r
+- fgets(iface, STRING_SIZE, ifacefile);\r
+- if (iface[strlen(iface) - 1] == '\n')\r
+- iface[strlen(iface) - 1] = '\0';\r
+- fclose (ifacefile);\r
+- if (!VALID_DEVICE(iface))\r
+- {\r
+- fprintf(stderr, "Bad iface: %s\n", iface);\r
+- exit(1);\r
+- }\r
+- \r
+- if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r")))\r
+- {\r
+- fprintf(stderr, "Couldn't open portfw settings file\n");\r
+- exit(1);\r
+- }\r
+-\r
+- safe_system("/sbin/iptables -t nat -F PORTFW");\r
+- safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE");\r
+- safe_system("/sbin/iptables -F PORTFWACCESS");\r
+-\r
+- while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
+- {\r
+- if (s[strlen(s) - 1] == '\n')\r
+- s[strlen(s) - 1] = '\0';\r
+- result = strtok(s, ",");\r
+-\r
+- count = 0;\r
+- key1 = NULL;\r
+- key2 = NULL;\r
+- protocol = NULL;\r
+- srcip = NULL;\r
+- locport = NULL;\r
+- remip = NULL;\r
+- origip = NULL;\r
+- remport = NULL;\r
+- enabled = NULL;\r
+- while (result)\r
+- {\r
+- if (count == 0)\r
+- key1 = result;\r
+- else if (count == 1)\r
+- key2 = result;\r
+- else if (count == 2)\r
+- protocol = result;\r
+- else if (count == 3)\r
+- locport = result;\r
+- else if (count == 4)\r
+- remip = result;\r
+- else if (count == 5)\r
+- remport = result;\r
+- else if (count == 6)\r
+- enabled = result;\r
+- else if (count == 7)\r
+- srcip = result;\r
+- else if (count == 8)\r
+- origip = result;\r
+- count++;\r
+- result = strtok(NULL, ",");\r
+- }\r
+- \r
+- if (!(key1 && key2 && protocol && locport && remip && remport && enabled\r
+- && srcip && origip))\r
+- break;\r
+- \r
+- if (!VALID_PROTOCOL(protocol))\r
+- {\r
+- fprintf(stderr, "Bad protocol: %s\n", protocol);\r
+- exit(1);\r
+- }\r
+- if (strcmp(protocol, "gre") == 0)\r
+- {\r
+- locport = "0";\r
+- remport = "0";\r
+- }\r
+- if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip))\r
+- {\r
+- fprintf(stderr, "Bad IP: %s\n", origip);\r
+- exit(1);\r
+- }\r
+- if (!VALID_PORT_RANGE(locport))\r
+- {\r
+- fprintf(stderr, "Bad local port: %s\n", locport);\r
+- exit(1);\r
+- }\r
+- if (!VALID_IP(remip))\r
+- {\r
+- fprintf(stderr, "Bad remote IP: %s\n", remip);\r
+- exit(1);\r
+- }\r
+- if (!VALID_PORT_RANGE(remport))\r
+- {\r
+- fprintf(stderr, "Bad remote port: %s\n", remport);\r
+- exit(1);\r
+- }\r
+-\r
+- /* check for source ip in config file. If it's there\r
+- * and it's not 0.0.0.0, use it; else use the\r
+- * local ip address. (This makes sure we can use old-style\r
+- * config files without the source ip) */\r
+- if (!srcip || !strcmp(srcip, "0.0.0.0"))\r
+- srcip = locip;\r
+- if (strcmp(srcip,"0") && !VALID_IP(srcip))\r
+- {\r
+- fprintf(stderr, "Bad source IP: %s\n", srcip);\r
+- exit(1);\r
+- }\r
+-\r
+- /* This may seem complicated... refer to portfw.pl for an explanation of\r
+- * the keys and their meaning in certain circumstances */\r
+- \r
+- if (strcmp(enabled, "on") == 0)\r
+- {\r
+-\r
+- /* If key2 is a zero, then it is a portfw command, otherwise it is an\r
+- * external access command */\r
+- if (strcmp(key2, "0") == 0) \r
+- {\r
+- memset(command, 0, STRING_SIZE);\r
+- if (strcmp(protocol, "gre") == 0)\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip);\r
+- else \r
+- {\r
+- char *ctr;\r
+- /* If locport contains a - we need to change it to a : */\r
+- if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';}\r
+- /* If remport contains a : we need to change it to a - */\r
+- if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';}\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport);\r
+- safe_system(command);\r
+- /* Now if remport contains a - we need to change it to a : */\r
+- if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport);\r
+- if (strlen(bluedev))\r
+- {\r
+- safe_system(command);\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport);\r
+- }\r
+- if (strlen(orangedev))\r
+- {\r
+- safe_system(command);\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport);\r
+- }\r
+- }\r
+- safe_system(command);\r
+- }\r
+-\r
+- /* if key2 is not "0" then it's an external access rule, if key2 is "0"\r
+- * then the portfw rule may contain external access information if origip\r
+- * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open\r
+- * to all; again, check portfw.pl for more details) */\r
+- if(strcmp(key2, "0") || strcmp(origip,"0") )\r
+- {\r
+- memset(command, 0, STRING_SIZE);\r
+- if (strcmp(protocol, "gre") == 0)\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip);\r
+- else\r
+- {\r
+- char *ctr;\r
+- /* If remport contains a - we need to change it to a : */\r
+- if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
+- snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport);\r
+- }\r
+- safe_system(command);\r
+- }\r
+- }\r
+- }\r
+-\r
+- return 0;\r
+-}\r
+diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
+index 90f602d..2a6ed0c 100644
+--- a/src/misc-progs/wirelessctrl.c
++++ b/src/misc-progs/wirelessctrl.c
+@@ -154,7 +154,7 @@ int main(void)
+ (VALID_IP_AND_MASK(ipaddress))) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
+ safe_system(command);
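Review bot: Changing `-j ACCEPT` to `-j RETURN` on the `! -o green_dev` rule means permitted BLUE clients are no longer accepted here but handed back to the chain that called `WIRELESSFORWARD`, so whether their non-GREEN traffic passes now depends on rules outside this file, and nothing in the code says so. The same change is made in the next two hunks (the MAC-only and IP-only branches). I would add a comment above the first of these calls, e.g. `/* RETURN, not ACCEPT: allowed clients continue through the caller's remaining rules */`. The third rule in each branch still jumps to `FORWARDFW`; if the caller also jumps to `FORWARDFW`, GREEN-bound traffic would traverse it twice, which is worth confirming. main() continues outside the hunk.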
+@@ -164,7 +164,7 @@ int main(void)
+ if (strlen(macaddress) == 17) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
+ safe_system(command);
+@@ -173,7 +173,7 @@ int main(void)
+ if (VALID_IP_AND_MASK(ipaddress)) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
+ safe_system(command);
+--
+1.7.10.4
+
--- /dev/null
+From 8da89896b553fddd261ea9a74171347f5dda7bea Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Mar 2013 05:23:54 +0100
+Subject: [PATCH 187/302] Forward Firewall: delete old Portforwarding from
+ Firewall-menu
+
+---
+ config/menu/50-firewall.menu | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
+index cc50bf6..2de9e7b 100644
+--- a/config/menu/50-firewall.menu
++++ b/config/menu/50-firewall.menu
+@@ -22,13 +22,7 @@
+ 'title' => "P2P-Block",
+ 'enabled' => 1,
+ };
+- $subfirewall->{'50.dnat'} = {
+- 'caption' => $Lang::tr{'ssport forwarding'},
+- 'uri' => '/cgi-bin/portfw.cgi',
+- 'title' => "$Lang::tr{'ssport forwarding'}",
+- 'enabled' => 1,
+- };
+- $subfirewall->{'60.wireless'} = {
++ $subfirewall->{'60.wireless'} = {
+ 'caption' => $Lang::tr{'blue access'},
+ 'uri' => '/cgi-bin/wireless.cgi',
+ 'title' => "$Lang::tr{'blue access'}",
+--
+1.7.10.4
+
--- /dev/null
+From a212382f45d59c3d51a6f8b2ad8a43d4e765151e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Mar 2013 05:39:53 +0100
+Subject: [PATCH 188/302] Forward Firewall: deleted portfw from buildsystem
+
+---
+ config/rootfiles/common/apache2 | 1 -
+ config/rootfiles/common/armv5tel/initscripts | 1 -
+ config/rootfiles/common/i586/initscripts | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
+index 524ce06..f80bb7f 100644
+--- a/config/rootfiles/common/apache2
++++ b/config/rootfiles/common/apache2
+@@ -1416,7 +1416,6 @@ srv/web/ipfire/cgi-bin/optionsfw.cgi
+ srv/web/ipfire/cgi-bin/ovpnmain.cgi
+ srv/web/ipfire/cgi-bin/p2p-block.cgi
+ srv/web/ipfire/cgi-bin/pakfire.cgi
+-srv/web/ipfire/cgi-bin/portfw.cgi
+ srv/web/ipfire/cgi-bin/pppsetup.cgi
+ srv/web/ipfire/cgi-bin/proxy.cgi
+ srv/web/ipfire/cgi-bin/qos.cgi
+diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
+index 1a613ac..2c8d256 100644
+--- a/config/rootfiles/common/armv5tel/initscripts
++++ b/config/rootfiles/common/armv5tel/initscripts
+@@ -81,7 +81,6 @@ etc/rc.d/init.d/networking/red.up/20-RL-firewall
+ etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+ etc/rc.d/init.d/networking/red.up/23-RS-snort
+ etc/rc.d/init.d/networking/red.up/24-RS-qos
+-etc/rc.d/init.d/networking/red.up/25-portfw
+ etc/rc.d/init.d/networking/red.up/26-xtaccess
+ etc/rc.d/init.d/networking/red.up/27-RS-squid
+ etc/rc.d/init.d/networking/red.up/30-ddns
+diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
+index 652b2c5..f37cc87 100644
+--- a/config/rootfiles/common/i586/initscripts
++++ b/config/rootfiles/common/i586/initscripts
+@@ -83,7 +83,6 @@ etc/rc.d/init.d/networking/red.up/20-RL-firewall
+ etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+ etc/rc.d/init.d/networking/red.up/24-RS-snort
+ etc/rc.d/init.d/networking/red.up/25-RS-qos
+-etc/rc.d/init.d/networking/red.up/26-portfw
+ etc/rc.d/init.d/networking/red.up/28-RS-squid
+ etc/rc.d/init.d/networking/red.up/30-ddns
+ etc/rc.d/init.d/networking/red.up/40-ipac
+--
+1.7.10.4
+
--- /dev/null
+From bfb33917a5844eeb142dd8ce4de722773036ea05 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 19 Mar 2013 12:56:38 +0100
+Subject: [PATCH 189/302] Forward Firewall: clean up some files
+
+Fix iptables loop wirelessctrl
+Fix firewall chain order
+Fix policies (added comment for statistic)
+---
+ config/forwardfw/firewall-policy | 15 ++++++++++-----
+ html/cgi-bin/forwardfw.cgi | 17 ++++++-----------
+ src/initscripts/init.d/firewall | 15 +++++----------
+ src/misc-progs/wirelessctrl.c | 12 +++---------
+ 4 files changed, 24 insertions(+), 35 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 3b7fa18..2d4b9ec 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -13,7 +13,7 @@ if [ "$POLICY" == "MODE1" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
++ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ fi
+ if [ "$FWPOLICY" == "DROP" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+@@ -21,14 +21,17 @@ if [ "$POLICY" == "MODE1" ]; then
+ fi
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
++else
++ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
++
+ #OUTGOINGFW
+ if [ "$POLICY1" == "MODE1" ]; then
+ if [ "$FWPOLICY1" == "REJECT" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
++ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ fi
+ if [ "$FWPOLICY1" == "DROP" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+@@ -36,17 +39,19 @@ if [ "$POLICY1" == "MODE1" ]; then
+ fi
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
++else
++ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+ #INPUT
+ if [ "$FWPOLICY2" == "REJECT" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ fi
+- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
++ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+ fi
+ if [ "$FWPOLICY2" == "DROP" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ fi
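Review bot: The INPUT section at the end of this hunk appends a terminal rule to POLICYIN only when `$FWPOLICY2` is exactly REJECT or DROP, and this commit gives it no fallback, whereas FORWARD and OUTPUT at least gain an `else` for the non-MODE1 case. The same commit removes the unconditional `/sbin/iptables -A INPUT -j DROP` from src/initscripts/init.d/firewall, so with an empty or unexpected `FWPOLICY2` unmatched input traffic falls through to the INPUT chain's built-in policy, which is not visible here. Making DROP the default closes that gap, for example by turning the second test into the `else` of the first: `if [ "$FWPOLICY2" == "REJECT" ]; then … else … -j DROP … fi`. The REJECT rules now carry `--comment "DROP_INPUT"` (likewise `DROP_FORWARD` and `DROP_OUTPUT` above); if that is deliberate for the statistics mentioned in the commit message, a one-line comment in the script should say so.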
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 84e0170..a37fb29 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1738,17 +1738,12 @@ END
+ <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
+ <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
+ END
+- if (! -z "${General::swroot}/ethernet/aliases"){
+- print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+- print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+- print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+-
+- foreach my $alias (sort keys %aliases)
+- {
+- print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
+- }
+- }else{
+- print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
++ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
++ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
++ print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
+ }
+ print"</td></tr>";
+ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
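Review bot: The values interpolated into the markup here are not HTML-escaped: each `$alias` key goes straight into `<option value='$alias' …>`, and the last line of the hunk prints `value=$fwdfwsettings{'dnatport'}` without even quoting the attribute. Whether alias names and the port are validated before they reach this point is not visible in the hunk, so escaping at output is the safer default; at minimum the attribute should be quoted, `value='$fwdfwsettings{'dnatport'}'`. With the `-z` test on the aliases file removed, the select is rendered even when `%aliases` is empty, which looks intended but deserves a short comment. The enclosing block starts and ends outside the hunk.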
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 74be2c8..7e767f8 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -190,10 +190,6 @@ case "$1" in
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+
+- # Forward Firewall
+- /sbin/iptables -N FORWARDFW
+- /sbin/iptables -A FORWARD -j FORWARDFW
+-
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+@@ -223,6 +219,10 @@ case "$1" in
+ /sbin/iptables -N WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+
++ # Forward Firewall
++ /sbin/iptables -N FORWARDFW
++ /sbin/iptables -A FORWARD -j FORWARDFW
++
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
+ /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+@@ -282,12 +282,7 @@ case "$1" in
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+- #if [ "$DROPFORWARD" == "on" ]; then
+- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+- #fi
+- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+-
++
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
+diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
+index 2a6ed0c..450aa36 100644
+--- a/src/misc-progs/wirelessctrl.c
++++ b/src/misc-progs/wirelessctrl.c
+@@ -154,9 +154,7 @@ int main(void)
+ (VALID_IP_AND_MASK(ipaddress))) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
+- safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+ } else {
+
+@@ -164,18 +162,14 @@ int main(void)
+ if (strlen(macaddress) == 17) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
+- safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
+ safe_system(command);
+ }
+
+ if (VALID_IP_AND_MASK(ipaddress)) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+ safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
+- safe_system(command);
+- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
++ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
+ safe_system(command);
+ }
+ }
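Review bot: In the MAC-only branch of this hunk the only guard visible before the address is placed into the iptables command string is `strlen(macaddress) == 17`, which checks length and not content. If no earlier validation exists (main's body starts outside the hunk), the value should be verified as a MAC address before `snprintf` builds the command. The rewritten RETURN lines here and in the previous hunk also ignore the `snprintf` return value, so a truncated command would still be passed to `safe_system`. Comparing the result with the buffer size and skipping the entry on overflow would cover that, e.g. `if (snprintf(command, STRING_SIZE-1, …) >= STRING_SIZE-1) { /* skip entry */ }`.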
+--
+1.7.10.4
+
--- /dev/null
+From bc2df2faba76d6aab3e3566949d05195017e9a59 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 20 Mar 2013 11:03:29 +0100
+Subject: [PATCH 190/302] Forward Firewall: 0.9.8.7 Implemented SNAT/DNAT
+
+reorganized firewall chains
+---
+ config/forwardfw/convert-portfw | 144 ++++++++++++++++++++++++++++++++++++++
+ config/forwardfw/firewall-policy | 4 +-
+ html/cgi-bin/forwardfw.cgi | 12 ++++
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ 5 files changed, 160 insertions(+), 2 deletions(-)
+ create mode 100755 config/forwardfw/convert-portfw
+
+diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw
+new file mode 100755
+index 0000000..682199f
+--- /dev/null
++++ b/config/forwardfw/convert-portfw
+@@ -0,0 +1,144 @@
++#!/usr/bin/perl
++
++########################################################################
++# Script: convert-portfw
++# Date: 19.03.2013
++# Author: Alexander Marx (amarx@ipfire.org)
++########################################################################
++#
++# This script converts old portforwarding rules from old Firewall
++# to the new one. This is a 3-step process.
++# STEP1: read old config and normalize settings
++# STEP2: create new rules from old ones
++# STEP3: check if rule already exists, when not, put it into
++# /var/ipfire/forward/nat
++########################################################################
++require '/var/ipfire/general-functions.pl';
++my @values=();
++my @built_rules=();
++my %nat=();
++my $portfwconfig = "${General::swroot}/portfw/config";
++my $confignat = "${General::swroot}/forward/nat";
++my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
++my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
++my $count=0;
++my $jump;
++if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
++open(FILE, $portfwconfig) or die 'Unable to open config file.';
++my @current = <FILE>;
++close(FILE);
++open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
++open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
++my @alias = <ALIAS>;
++close(ALIAS);
++&get_config;
++&build_rules;
++&write_rules;
++sub get_config
++{
++ print LOG "STEP 1: Get config from old portforward\n#########################################\n";
++ foreach my $line (@current){
++ if($jump eq '1'){
++ $jump='';
++ $count++;
++ next;
++ }
++ my $u=$count+1;
++ ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
++ ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
++ if ($flag1 eq '1'){
++ $source=$source1;
++ $jump='1';
++ }
++ my $now=localtime;
++ chomp($remark);
++ print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
++ push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
++ $count++;
++ }
++}
++sub build_rules
++{
++ print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
++ my $src;
++ my $src1;
++ my $ipfireip;
++ my $count=0;
++ my $stop;
++ #build rules for new firewall
++ foreach my $line (@values){
++ chomp ($line);
++ ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
++ $count++;
++ #get sourcepart
++ if($source eq '0.0.0.0/0'){
++ $src = 'std_net_src';
++ $src1 = 'ALL';
++ }else{
++ $src = 'src_addr';
++ my ($a,$b) = split("/",$source);
++ $src1 = $a."/32";
++ }
++ #get ipfire ip
++ if($alias eq '0.0.0.0'){
++ $alias='ALL';
++ }else{
++ foreach my $ali (@alias){
++ my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
++ if($alias eq $alias_name){
++ $alias=$alias_name;
++ }
++ }
++ }
++ $active = uc $active;
++ $prot = uc $prot;
++ $remark = chomp($remark);
++ push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
++ my $now=localtime;
++ print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
++ }
++}
++sub write_rules
++{
++ my $skip='';
++ my $id;
++ print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
++ &General::readhasharray($confignat,\%nat);
++ foreach my $line (@built_rules){
++ $skip='';
++ my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
++ foreach my $key (sort keys %nat){
++ if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
++ my $now=localtime;
++ print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
++ $skip='1';
++ }
++ }
++ if ($skip ne '1'){
++ $id = &General::findhasharraykey(\%nat);
++ $nat{$id}[0] = $action;
++ $nat{$id}[1] = $chain;
++ $nat{$id}[2] = $active;
++ $nat{$id}[3] = $src;
++ $nat{$id}[4] = $src1;
++ $nat{$id}[5] = $tgt;
++ $nat{$id}[6] = $tgt1;
++ $nat{$id}[11] = $use_prot;
++ $nat{$id}[12] = $prot;
++ $nat{$id}[13] = $dummy;
++ $nat{$id}[14] = $tgt_port;
++ $nat{$id}[15] = $tgt_port1;
++ $nat{$id}[16] = $remark;
++ $nat{$id}[26] = $from;
++ $nat{$id}[27] = $to;
++ $nat{$id}[28] = $use_port;
++ $nat{$id}[29] = $alias;
++ $nat{$id}[30] = $ipfireport;
++ $nat{$id}[31] = $dnat;
++ my $now=localtime;
++ print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
++ }
++ }
++ &General::writehasharray($confignat,\%nat);
++}
++close (LOG);
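Review bot: In build_rules the source of every restricted forward is rewritten to a /32: `my ($a,$b) = split("/",$source); $src1 = $a."/32";` discards whatever mask the old rule carried, so a forward that was limited to a network would be converted into a rule for a single address. If the old config can hold networks in that field (not visible in this file), keep the mask, e.g. `$src1 = ($source =~ m{/}) ? $source : "$source/32";`. The names should also be something other than `$a`/`$b`, which are sort's package variables. The script runs without `use strict; use warnings;` and opens its inputs with two-argument bareword `open`; the three-argument form with a lexical handle, `open(my $fh, '<', $portfwconfig)`, is the safer choice for a script that rewrites firewall configuration.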
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 2d4b9ec..303a756 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -22,7 +22,7 @@ if [ "$POLICY" == "MODE1" ]; then
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+ else
+- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
+ fi
+
+ #OUTGOINGFW
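Review bot: The `else` branch now appends `-j ACCEPT` but keeps `--comment "DROP_FORWARD"`, so rule listings and anything keyed on the comment will report accepted traffic under a drop label. The POLICYOUT hunk below does the same with `DROP_OUTPUT`. The branch is also taken for every value of `$POLICY` other than MODE1, including an empty one, which makes accept-all the result of a missing or unreadable setting. Testing explicitly for the open mode's value and keeping DROP as the final `else` would fail closed. If the comment string must stay fixed for the statistics, a note in the script should say why an ACCEPT rule carries it.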
+@@ -40,7 +40,7 @@ if [ "$POLICY1" == "MODE1" ]; then
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+ else
+- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++ /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
+ fi
+ #INPUT
+ if [ "$FWPOLICY2" == "REJECT" ]; then
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index a37fb29..e3b8c4a 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -923,7 +923,19 @@ sub checkrule
+ {
+ #check valid port for NAT
+ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
++ #if no port is given in nat area, take target host port
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
++
++ #check if given nat port is already used by another dnatrule
++ if($fwdfwsettings{'nat'} eq 'dnat'){
++ foreach my $id (sort keys %confignatfw){
++ if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){
++ $errormessage=$Lang::tr{'fwdfw natport used'}."<br>";
++ }
++ }
++ }
++
++ #check if port given in nat area is a single valid port
+ if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ }
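Review bot: The new collision check compares only the port, `$fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]`, so it does not distinguish protocol or the firewall address the port is bound to, and it cannot exclude the rule that is currently being edited. It also runs before `check_natport`, so an empty `dnatport` would match any stored rule whose field 30 is empty. Consider skipping the comparison when the port is empty and including the protocol and alias fields in it; these are fields 12 and 29 in the layout convert-portfw writes in this same commit, and it should be confirmed that `%confignatfw` uses that layout. Both checks assign `$errormessage` with `=`, so the later message replaces the earlier one. checkrule continues outside the hunk.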
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index fbe62ac..0268b6e 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -951,6 +951,7 @@
+ 'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.',
+ 'fwdfw use srcport' => 'Quellport benutzen',
+ 'fwdfw use srv' => 'Zielport benutzen',
++'fwdfw natport used' => 'Der Natport wird bereits von einer anderen DNAT Regel benutzt',
+ 'fwdfw newrule' => 'Neue Regel',
+ 'fwdfw wd_mon' => 'Mo',
+ 'fwdfw wd_tue' => 'Di',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 24112c3..c6c4278 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -974,6 +974,7 @@
+ 'fwdfw useless rule' => 'This rule is rejected (useless).',
+ 'fwdfw use srcport' => 'Use sourceport',
+ 'fwdfw use srv' => 'Use targetport',
++'fwdfw natport used' => 'The NAT port is already used by another DNAT rule',
+ 'fwdfw newrule' => 'New rule',
+ 'fwdfw wd_mon' => 'Mon',
+ 'fwdfw wd_tue' => 'Tue',
+--
+1.7.10.4
+
--- /dev/null
+From 940cc0430ad1055f6696cb477ad6e066fb77f8d4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Mar 2013 07:34:05 +0100
+Subject: [PATCH 191/302] Forward Firewall: fixed converter bug: Remark is "0"
+ and Alias ip is taken as ip instead of name
+
+---
+ config/forwardfw/convert-portfw | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw
+index 682199f..8ec3c34 100755
+--- a/config/forwardfw/convert-portfw
++++ b/config/forwardfw/convert-portfw
+@@ -85,14 +85,15 @@ sub build_rules
+ }else{
+ foreach my $ali (@alias){
+ my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
+- if($alias eq $alias_name){
++ if($alias eq $alias_ip){
++ chomp($alias_name);
+ $alias=$alias_name;
+ }
+ }
+ }
+ $active = uc $active;
+ $prot = uc $prot;
+- $remark = chomp($remark);
++ chomp($remark);
+ push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
+ my $now=localtime;
+ print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
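Review bot: When no line of the aliases file matches, `$alias` keeps the raw IP from the old rule and is written into the alias field of the converted rule without any log entry. The rule editor in forwardfw.cgi offers alias names, `ALL` and `Default IP` for that field, so an unmatched IP would probably not round-trip. Setting a `$found` flag in the loop and logging the miss, e.g. `print LOG "alias $alias not found\n" unless $found;`, would make such rules visible to the admin after conversion. The loop also ignores `$alias_active`. build_rules starts and ends outside the hunk.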
+--
+1.7.10.4
+
--- /dev/null
+From 4b04d15ae712dd49aa2db9eaf3fcccd5cce6e648 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Mar 2013 07:47:28 +0100
+Subject: [PATCH 192/302] Forward Firewall: fixed layout of deleted host in
+ custom group changed version nr in forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index e3b8c4a..1f2af8c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.8.7';
++my $VERSION='0.9.8.8';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 54080a9..a0bb21f 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1511,7 +1511,7 @@ sub viewtablegrp
+ print "$customgrp{$key}[2]</td>";
+ }
+ if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){
+- print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='left'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }else{
+ print"<td align='center'>$ip</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+--
+1.7.10.4
+
--- /dev/null
+From f142a002521b4561a7925a192e098f4678b52be1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Mar 2013 10:35:07 +0100
+Subject: [PATCH 193/302] Forward Firewall: Fix converter-outgoingfw. Produced
+ wrong counters while converting
+
+---
+ config/forwardfw/convert-outgoingfw | 45 +++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 5 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index f220738..d065b5a 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -1,5 +1,17 @@
+ #!/usr/bin/perl
+-
++########################################################################
++# Script: convert-outgoingfw
++# Date: 21.03.2013
++# Author: Alexander Marx (amarx@ipfire.org)
++########################################################################
++#
++# This script converts old groups and firewallrules
++# to the new one. This is a 3-step process.
++# STEP1: convert groups ->LOG /var/log/converters
++# STEP2: convert rules ->LOG /var/log/converters
++# STEP3: convert P2P rules
++#
++########################################################################
+
+ require '/var/ipfire/general-functions.pl';
+
+@@ -35,10 +47,12 @@ my %fwconfig=();
+ my %fwconfigout=();
+ my %fwdsettings=();
+ &General::readhash($outfwsettings,\%outsettings);
+-
+-&process_groups;
+-&process_rules;
+-&process_p2p;
++#ONLY RUN if /var/ipfire/outgoing exists
++if ( -d "/var/ipfire/outgoing"){
++ &process_groups;
++ &process_rules;
++ &process_p2p;
++}
+ system("/usr/local/bin/forwardfwctrl");
+ sub process_groups
+ {
+@@ -152,6 +166,13 @@ sub new_hostgrp
+ print LOG "->Host (IP) $ip already exists in custom hosts\n";
+ $name="host ";
+ $name2=$name.$ippart;
++ foreach my $key (sort keys %hosts){
++ if($hosts{$key}[0] eq $name2){
++ $hosts{$key}[4]++;
++ }
++ }
++ $name="host ";
++ $name2=$name.$ippart;
+ $name3="Custom Host";
+ }
+ }elsif($byte4 < '255'){
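Review bot: The counter increment added here, and repeated for networks and MAC hosts in the two hunks below, runs as soon as the entry is found to exist, before the `!&check_grp($grp,$name2)` test that is visible after the MAC variant. The count therefore appears to be raised even when the entry is already a member of the group and nothing gets added. If field 4 is the usage counter (its meaning is not visible in these hunks), the increment belongs inside that `if`. Each added block also ends by repeating the `$name=` and `$name2=` assignments made just above the loop; those two lines can be dropped, and the three identical loops could share one small helper. new_hostgrp starts and ends outside the hunks.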
+@@ -171,6 +192,13 @@ sub new_hostgrp
+ print LOG "Network $ippart already exists in custom networks\n";
+ $name="net ";
+ $name2=$name.$ippart;
++ foreach my $key (sort keys %nets){
++ if($nets{$key}[0] eq $name2){
++ $nets{$key}[4]++;
++ }
++ }
++ $name="net ";
++ $name2=$name.$ippart;
+ $name3="Custom Network";
+ }
+ }
+@@ -202,6 +230,13 @@ sub new_hostgrp
+ print LOG "->Host (MAC) $mac already exists in custom hosts \n";
+ $name="host ";
+ $name2=$name.$mac;
++ foreach my $key (sort keys %hosts){
++ if($hosts{$key}[0] eq $name2){
++ $hosts{$key}[4]++;
++ }
++ }
++ $name="host ";
++ $name2=$name.$mac;
+ $name3="Custom Host";
+ }
+ if($name2 && !&check_grp($grp,$name2)){
+--
+1.7.10.4
+
--- /dev/null
+From 0732b22bda8951a26427690278798ecca0b4019f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Mar 2013 14:36:29 +0100
+Subject: [PATCH 194/302] Forward Firewall: Bugfix: blue was allowed to
+ connect to everywhere if forward firewall was open
+
+---
+ config/forwardfw/firewall-policy | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 303a756..55287dd 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -6,6 +6,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+ iptables -F POLICYFWD
+ iptables -F POLICYOUT
+ iptables -F POLICYIN
++IFACE=`cat /var/ipfire/red/iface`
+
+ #FORWARDFW
+ if [ "$POLICY" == "MODE1" ]; then
+@@ -22,6 +23,7 @@ if [ "$POLICY" == "MODE1" ]; then
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+ else
++ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE"
+ /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
+ fi
+
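Review bot: The new DROP rule depends on `$IFACE`, which the first hunk fills with `cat /var/ipfire/red/iface` and which is expanded unquoted here. If that file is missing or empty the rule is malformed and would most likely be rejected by iptables, after which the script carries on to the `-j ACCEPT` line and the BLUE restriction is silently absent. The input interface is also hardcoded as `blue0`, whereas src/initscripts/init.d/firewall takes interface names from variables such as `$GREEN_DEV`. Guarding the rule, e.g. `[ -n "$IFACE" ] && /sbin/iptables -A POLICYFWD -i blue0 ! -o "$IFACE" -j DROP …`, and choosing explicitly what happens when RED has no interface (dropping BLUE forwarding entirely is the fail-closed option) would make the fix hold.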
+--
+1.7.10.4
+
--- /dev/null
+From 4fd50d4525bfac2d0fd7b9cea3297984cdc774cc Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 21 Mar 2013 17:34:30 +0100
+Subject: [PATCH 195/302] Forward Firewall: cleanup of initscript. Fixes
+ double log entries when INPUT is set to REJECT
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ src/initscripts/init.d/firewall | 22 ++--------------------
+ 2 files changed, 3 insertions(+), 21 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1f2af8c..3f4ad30 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.8.8';
++my $VERSION='0.9.8.9';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 7e767f8..419344a 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -202,13 +202,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+-
+- # If a host on orange tries to initiate a connection to IPFire's red IP and
+- # the connection gets DNATed back through a port forward to a server on orange
+- # we end up with orange -> orange traffic passing through IPFire
+- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
+-
++
+ # allow DHCP on BLUE to be turned on/off
+ /sbin/iptables -N DHCPBLUEINPUT
+ /sbin/iptables -A INPUT -j DHCPBLUEINPUT
+@@ -240,13 +234,7 @@ case "$1" in
+ /sbin/iptables -t nat -A POSTROUTING -j REDNAT
+
+ iptables_red
+-
+- # DMZ pinhole chain.
+- # ORANGE to talk to GREEN / BLUE.
+- if [ "$ORANGE_DEV" != "" ]; then
+- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
+- fi
+-
++
+ # Custom prerouting chains (for transparent proxy and port forwarding)
+ /sbin/iptables -t nat -N SQUID
+ /sbin/iptables -t nat -A PREROUTING -j SQUID
+@@ -277,12 +265,6 @@ case "$1" in
+ /etc/sysconfig/firewall.local start
+ fi
+
+- # last rule in input and forward chain is for logging.
+-
+- if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+- fi
+-
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
+--
+1.7.10.4
+
--- /dev/null
+From 9bf5d0311081da4928d54007a9bbb967224ea16a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 22 Mar 2013 07:55:17 +0100
+Subject: [PATCH 196/302] Forward Firewall: Version update forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 3f4ad30..3e64259 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.8.9';
++my $VERSION='0.9.9.0';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+--
+1.7.10.4
+
--- /dev/null
+From e513f160390647be7c4b14976ee6c0dc3857c61a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 26 Mar 2013 08:35:45 +0100
+Subject: [PATCH 197/302] Forward Firewall: bugfix
+
+1) When editing a NAT rule, error message "port already used" fixed
+---
+ html/cgi-bin/forwardfw.cgi | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 3e64259..7db9cf1 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -174,12 +174,13 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ }
++
+ #check Rulepos on new Rule
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %confignatfw){
+- print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
+- print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
++ #print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
++ #print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+ eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+@@ -927,7 +928,7 @@ sub checkrule
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
+
+ #check if given nat port is already used by another dnatrule
+- if($fwdfwsettings{'nat'} eq 'dnat'){
++ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){
+ foreach my $id (sort keys %confignatfw){
+ if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){
+ $errormessage=$Lang::tr{'fwdfw natport used'}."<br>";
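Review bot: With the added `$fwdfwsettings{'updatefwrule'} ne 'on'` condition, the duplicate-DNAT-port check in `checkrule` is skipped for every edit, so an existing rule can be changed to a port that another DNAT rule already uses. Skipping only the rule being edited would keep the check, for example `next if ($fwdfwsettings{'updatefwrule'} eq 'on' && $id eq $edited_id);` as the first line of the loop. `$edited_id` is a placeholder for the id of the rule under edit, which is not visible in this hunk. The loop body continues outside the hunk.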
+@@ -2072,12 +2073,6 @@ sub saverule
+ &changerule($configfwdfw);
+ #print"17";
+ }
+- #Cleanup some values for NAT if they are not used
+- if($fwdfwsettings{'nat'} eq 'dnat'){
+- $fwdfwsettings{'snatport'}='';
+- }else{
+- $fwdfwsettings{'dnatport'}='';
+- }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
+--
+1.7.10.4
+
--- /dev/null
+From 41406554ecede13185a14a51da4fddf2c1d49648 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 27 Mar 2013 12:36:19 +0100
+Subject: [PATCH 198/302] Forward Firewall: fix NAT-rules: iptables rule was
+ not applied correctly in PORTFWACCESS
+
+---
+ config/forwardfw/rules.pl | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index d1b9f94..f451d19 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -147,6 +147,9 @@ sub flush
+ system ("iptables -F FORWARDFW");
+ system ("iptables -F INPUTFW");
+ system ("iptables -F OUTGOINGFW");
++ system ("iptables -F PORTFWACCESS");
++ system ("iptables -t nat -F NAT_DESTINATION");
++ system ("iptables -t nat -F NAT_SOURCE");
+ }
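Review bot: The three flushes added to `flush` ignore the return value of `system`, so if `iptables -t nat -F NAT_DESTINATION` fails, the old DNAT entries stay loaded and the rebuild presumably adds the new ones on top. Checking the status, e.g. `system("iptables -t nat -F NAT_DESTINATION") == 0 or warn "flush of NAT_DESTINATION failed: $?\n";`, would make a stale NAT table visible in the log. The earlier flush calls in the sub have the same shape.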
+ sub preparerules
+ {
+@@ -280,11 +283,14 @@ sub buildrules
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'dnat'){
+- #if ($$hash{$key}[17] eq 'ON'){
+- #print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+- #}
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $targethash{$b}[0]$DPORT\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
++ if ($$hash{$key}[17] eq 'ON'){
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
++ }
++ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ my ($ip,$sub) =split("/",$targethash{$b}[0]);
++ print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
+ }
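Review bot: The `PORTFWACCESS` rule printed here matches only `-i $con -d $ip`, while the DNAT rule on the next line still carries the source match `$STAG $sourcehash{$a}[0]`, so a source-restricted port forward gets a filter ACCEPT for any source arriving on that interface. Keeping the source in the ACCEPT rule, e.g. `print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j ACCEPT\n";` (assuming `$STAG` holds the source flag), would keep the filter and NAT tables in step. The `system` variant in the next hunk has the same shape. The `snat` branch just below still tests `$$hash{$key}[32]` although this commit moves the `dnat` test to `[31]`, which looks like an oversight if the NAT type lives in field 31. `buildrules` starts and ends outside the hunk.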
+@@ -323,7 +329,7 @@ sub buildrules
+ }
+ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- system "iptables -A PORTFWACCESS $PROT $STAG $sourcehash{$a}[0] -d $targethash{$b}[0] $fwaccessdport $TIME \n";
++ system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ if ($$hash{$key}[17] eq 'ON'){
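Review bot: The new `PORTFWACCESS` command is passed to `system` as one string, so `$ip`, `$con` and `$fwaccessdport` go through the shell exactly as they stand in the rule data, and `$ip` is only the left half of a `split` with no format check. Since this script presumably runs iptables with root rights, an anchored test before the call, such as `$ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/`, would stop a malformed target from reaching the command line. `$sub` is assigned but never used, and the trailing `\n` inside the command string is not needed for `system`. The surrounding branch starts and ends outside the hunk.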
+--
+1.7.10.4
+
--- /dev/null
+From 2d79d652e2fe420e01d347a71c8bf4a2e101ee9a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 31 Mar 2013 16:18:12 +0200
+Subject: [PATCH 199/302] Forward Firewall: bugfix: DNAT now correctly creates
+ rules, when customservice defined as target
+
+---
+ config/forwardfw/rules.pl | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index f451d19..1a8d63b 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -539,7 +539,11 @@ sub get_port
+ }
+ }elsif($$hash{$key}[14] eq 'cust_srv'){
+ if ($prot ne 'ICMP'){
+- return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
++ if($$hash{$key}[31] eq 'dnat'){
++ return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
++ }else{
++ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
++ }
+ }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
+ return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
+ }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
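Review bot: The new `cust_srv` branch switches to the `:port` form on `$$hash{$key}[31] eq 'dnat'` alone, without also requiring `$$hash{$key}[28] eq 'ON'`. The `TGT_PORT` branch of the same function, shown as context in the following patch, does consult field 28. A rule with NAT switched off but `dnat` left in field 31 would then get `:port` where `--dport port` is needed. `if($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){` would match the other branch. `get_port` starts and ends outside the hunk.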
+--
+1.7.10.4
+
--- /dev/null
+From e8d66606662fd05dcb98eae22986340e1187a20e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 1 Apr 2013 06:26:58 +0200
+Subject: [PATCH 200/302] Forward Firewall: enabled Portranges for DNAT
+
+---
+ config/forwardfw/rules.pl | 13 ++++++++-----
+ html/cgi-bin/forwardfw.cgi | 32 +++++++++++++++++++++++++-------
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 4 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 1a8d63b..1ec0dea 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -287,10 +287,11 @@ sub buildrules
+ if ($$hash{$key}[17] eq 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
++ $DPORT =~ s/\-/:/g;
++ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
+ }
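Review bot: `my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour: when `$DPORT` is empty the variable may keep the value from an earlier pass, so a port-less rule may inherit the previous rule's `--dport`. Writing `my $fwaccessdport = $DPORT ? "--dport ".substr($DPORT,1) : '';` avoids that; the same line is added to the `system` branch in the next hunk. The in-place `$DPORT =~ s/\-/:/g;` also changes `$DPORT` for whatever runs after this branch, so a local copy would be safer. `buildrules` starts and ends outside the hunk.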
+@@ -327,10 +328,12 @@ sub buildrules
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
++ $DPORT =~ s/\-/:/g;
++ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
++
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
+@@ -519,7 +522,6 @@ sub get_port
+ return;
+ }
+ }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
+-
+ if($$hash{$key}[14] eq 'TGT_PORT'){
+ if ($$hash{$key}[15] ne ''){
+ $$hash{$key}[15] =~ s/\|/,/g;
+@@ -529,6 +531,7 @@ sub get_port
+ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
+ return "--dport $$hash{$key}[15] ";
+ }else{
++ $$hash{$key}[15] =~ s/\:/-/g;
+ return ":$$hash{$key}[15]";
+ }
+ }
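Review bot: `$$hash{$key}[15] =~ s/\:/-/g;` rewrites the stored rule field itself rather than a copy, so every later reader of `$$hash{$key}[15]` in this run sees the dash form, including the `--dport` path if it is reached for the same key. A copy keeps the rule data intact: `(my $range = $$hash{$key}[15]) =~ tr/:/-/; return ":$range";`. `get_port` continues outside the hunk.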
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7db9cf1..8391701 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -731,7 +731,7 @@ sub checksource
+ my @values=();
+ foreach (@parts){
+ chomp($_);
+- if ($_ =~ /^(\d+)\:(\d+)$/) {
++ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
+ my $check;
+ #change dashes with :
+ $_=~ tr/-/:/;
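Review bot: The two alternatives differ only in the separator, so `if ($_ =~ /^(\d+)[-:](\d+)$/) {` says the same in one pattern. Because `tr/-/:/` runs directly afterwards, the `\-` alternatives this commit adds to the `(\D)` tests in the next hunk, and to the matching lines in `checktarget`, can never match. Those tests also appear to be nested in a branch that already requires digits on both sides. No upper bound on the port numbers is visible in this hunk, so a check against 65535 is worth confirming further down. The `foreach` body continues outside the hunk.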
+@@ -739,11 +739,11 @@ sub checksource
+ push(@values,"1:65535");
+ $check='on';
+ }
+- if ($_ =~ /^(\D)\:(\d+)$/) {
++ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
+ push(@values,"1:$2");
+ $check='on';
+ }
+- if ($_ =~ /^(\d+)\:(\D)$/) {
++ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) {
+ push(@values,"$1:65535");
+ $check='on'
+ }
+@@ -837,11 +837,14 @@ sub checktarget
+ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
++ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {
++ $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ }
+ my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
+ my @values=();
+ foreach (@parts){
+ chomp($_);
+- if ($_ =~ /^(\d+)\:(\d+)$/) {
++ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
+ my $check;
+ #change dashes with :
+ $_=~ tr/-/:/;
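Review bot: The new comma check tests `$fwdfwsettings{'USE_NAT'}` for truth, whereas `check_natport` in the same commit compares it with `eq 'ON'`; any non-empty value other than `ON` would trigger the error here. `if ($fwdfwsettings{'TGT_PORT'} =~ /,/ && $fwdfwsettings{'USE_NAT'} eq 'ON') {` would match the other check. The code also carries on parsing the port list after setting `$errormessage`, so whether the message survives depends on code outside the hunk.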
+@@ -849,11 +852,11 @@ sub checktarget
+ push(@values,"1:65535");
+ $check='on';
+ }
+- if ($_ =~ /^(\D)\:(\d+)$/) {
++ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
+ push(@values,"1:$2");
+ $check='on';
+ }
+- if ($_ =~ /^(\d+)\:(\D)$/) {
++ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
+ push(@values,"$1:65535");
+ $check='on'
+ }
+@@ -915,7 +918,22 @@ sub checktarget
+ sub check_natport
+ {
+ my $val=shift;
+- if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
++ if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
++ if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) {
++ $fwdfwsettings{'dnatport'} =~ tr/-/:/;
++ if ($fwdfwsettings{'dnatport'} eq "*") {
++ $fwdfwsettings{'dnatport'}="1:65535";
++ }
++ if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) {
++ $fwdfwsettings{'dnatport'} = "1:$2";
++ }
++ if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) {
++ $fwdfwsettings{'dnatport'} ="$1:65535";
++ }
++ }
++ return 1;
++ }
++ if ($val =~ "," || $val>65536 || $val<0){
+ return 0;
+ }
+ return 1;
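Review bot: Once `USE_NAT` is `ON` with `nat` set to `dnat` and a non-empty `dnatport`, `check_natport` returns 1 for any value, because the only test in that branch is the `^(\d+)\-(\d+)$` match that guards the dash-to-colon conversion. The `*` and `(\D)` cases nested inside it cannot match. A value that is neither a port nor a range is therefore accepted and presumably ends up in the iptables command lines built by the rule generator. The fallback check also still allows 65536 and 0 (`$val>65536 || $val<0`). The branch below validates a single port or a low-high range and rejects everything else; the closing brace of the sub is outside the hunk.

```perl
sub check_natport
{
	my $val=shift;
	if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
		# single port or low-high range, both bounds within 1..65535
		return 0 unless ($fwdfwsettings{'dnatport'} =~ /\A(\d{1,5})(?:[-:](\d{1,5}))?\z/);
		my $low  = $1;
		my $high = defined($2) ? $2 : $1;
		return 0 if ($low < 1 || $high > 65535 || $low > $high);
		$fwdfwsettings{'dnatport'} =~ tr/-/:/;
		return 1;
	}
	# … unchanged: comma and numeric check on $val …
```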
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 0268b6e..65ead1a 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -895,7 +895,7 @@
+ 'fwdfw delete' => 'Löschen',
+ 'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
+ 'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
+-'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden',
++'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden',
+ 'fwdfw DROP' => 'Verwerfen (DROP)',
+ 'fwdfw edit' => 'Bearbeiten',
+ 'fwdfw err nosrc' => 'Keine Quelle gewählt',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index c6c4278..0cdfe24 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -918,7 +918,7 @@
+ 'fwdfw delete' => 'Delete',
+ 'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)',
+ 'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
+-'fwdfw dnat porterr' => 'You have to select a single port (tcp/udp) for NAT',
++'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
+ 'fwdfw DROP' => 'DROP',
+ 'fwdfw edit' => 'Edit',
+ 'fwdfw err nosrc' => 'No source selected.',
+--
+1.7.10.4
+
--- /dev/null
+From d2987a844f2564ab40b53cc85908f690ad26716a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Apr 2013 05:40:50 +0200
+Subject: [PATCH 201/302] Forward Firewall: added dmz-converter.
+
+Also extended backup.pl script to support old backups. Now it is possible to restore old backups into new firewall. On restore, all config files of new firewall will be destroyed and the 4 converters will recreate them.
+---
+ config/backup/backup.pl | 50 +++++++++--
+ config/forwardfw/convert-dmz | 172 ++++++++++++++++++++++++++++++++++++
+ config/rootfiles/common/configroot | 1 +
+ config/rootfiles/common/stage2 | 2 +
+ html/cgi-bin/forwardfw.cgi | 5 +-
+ lfs/configroot | 4 +-
+ 6 files changed, 225 insertions(+), 9 deletions(-)
+ create mode 100755 config/forwardfw/convert-dmz
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index b217161..4ad7363 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -64,25 +64,63 @@ elsif ($ARGV[0] eq 'restore') {
+ system("cd / && tar -xvz -p -f /tmp/restore.ipf");
+ #Here some converter scripts to correct old Backups (before core 65)
+ system("/usr/sbin/ovpn-ccd-convert");
++ #OUTGOINGFW CONVERTER
+ if( -d "${General::swroot}/outgoing"){
+ if( -f "${General::swroot}/forward/config" ){
+ unlink("${General::swroot}/forward/config");
+ system("touch ${General::swroot}/forward/config");
+ chown 99,99,"${General::swroot}/forward/config";
+ }
+- if( -f "${General::swroot}/forward/input" ){
+- unlink("${General::swroot}/forward/input");
+- system("touch ${General::swroot}/forward/input");
+- chown 99,99,"${General::swroot}/forward/input";
+- }
++ if( -f "${General::swroot}/forward/outgoing" ){
++ unlink("${General::swroot}/forward/outgoing");
++ system("touch ${General::swroot}/forward/outgoing");
++ chown 99,99,"${General::swroot}/forward/outgoing";
++ }
++ unlink("${General::swroot}/fwhosts/*");
++ system("touch ${General::swroot}/fwhosts/customgroups");
++ system("touch ${General::swroot}/fwhosts/customhosts");
++ system("touch ${General::swroot}/fwhosts/customnetworks");
++ system("touch ${General::swroot}/fwhosts/customservicegrp");
++ system("touch ${General::swroot}/fwhosts/customservices");
++ chown 99,99,"${General::swroot}/fwhosts/*";
++ #START CONVERTER "OUTGOINGFW"
+ system("/usr/sbin/convert-outgoingfw");
+ rmtree("${General::swroot}/outgoing");
+- system("/usr/local/bin/forwrdfwctrl");
+ }
++ #XTACCESS CONVERTER
+ if( -d "${General::swroot}/xtaccess"){
++ if( -f "${General::swroot}/forward/input" ){
++ unlink("${General::swroot}/forward/input");
++ system("touch ${General::swroot}/forward/input");
++ chown 99,99,"${General::swroot}/forward/input";
++ }
++ #START CONVERTER "XTACCESS"
+ system("/usr/sbin/convert-xtaccess");
+ rmtree("${General::swroot}/xtaccess");
+ }
++ #DMZ-HOLES CONVERTER
++ if( -d "${General::swroot}/dmz-holes"){
++ if( -f "${General::swroot}/forward/dmz" ){
++ unlink("${General::swroot}/forward/dmz");
++ system("touch ${General::swroot}/forward/dmz");
++ chown 99,99,"${General::swroot}/forward/dmz";
++ }
++ #START CONVERTER "DMZ-HOLES"
++ system("/usr/sbin/convert-dmz");
++ rmtree("${General::swroot}/xtaccess");
++ }
++ #PORTFORWARD CONVERTER
++ if( -d "${General::swroot}/portfw"){
++ if( -f "${General::swroot}/forward/nat" ){
++ unlink("${General::swroot}/forward/nat");
++ system("touch ${General::swroot}/forward/nat");
++ chown 99,99,"${General::swroot}/forward/nat";
++ }
++ #START CONVERTER "PORTFW"
++ system("/usr/sbin/convert-portfw");
++ rmtree("${General::swroot}/portfw");
++ }
++ system("/usr/local/bin/forwardfwctrl");
+ }
+ elsif ($ARGV[0] eq 'restoreaddon') {
+ if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
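Review bot: Each converter is started with `system(...)` and the old directory is removed with `rmtree` straight afterwards regardless of the exit status, so a converter that dies (the new `convert-dmz` does when its config file cannot be opened) leaves the old rules deleted and nothing converted. Guarding the removal, e.g. `rmtree("${General::swroot}/portfw") if system("/usr/sbin/convert-portfw") == 0;`, keeps the source data for a retry. `unlink("${General::swroot}/fwhosts/*")` and the matching `chown` do not expand the `*`, since both take literal file names, so they do nothing here. The enclosing `restore` branch starts outside the hunk.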
+diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
+new file mode 100755
+index 0000000..639cef3
+--- /dev/null
++++ b/config/forwardfw/convert-dmz
+@@ -0,0 +1,172 @@
++#!/usr/bin/perl
++
++########################################################################
++# Script: convert-dmz
++# Date: 03.04.2013
++# Author: Alexander Marx (amarx@ipfire.org)
++########################################################################
++#
++# This script converts old dmz holes rules from old Firewall
++# to the new one. This is a 2-step process.
++# STEP1: read old config and normalize settings
++# STEP2: check valid ip and save valid rules to new firewall
++#
++########################################################################
++my @current=();
++my @alias=();
++my %configdmz=();
++my %ifaces=();
++my %configfwdfw=();
++require '/var/ipfire/general-functions.pl';
++my $dmzconfig = "${General::swroot}/dmzholes/config";
++my $fwdfwconfig = "${General::swroot}/forward/dmz";
++my $ifacesettings = "${General::swroot}/ethernet/settings";
++my $field0 = 'ACCEPT';
++my $field1 = 'FORWARDFW';
++my $field2 = ''; #ON or emtpy
++my $field3 = ''; #std_net_src or src_addr
++my $field4 = ''; #ALL or IP-Address with /32
++my $field5 = ''; #std_net_tgt or tgt_addr
++my $field6 = ''; #IP or network name
++my $field11 = 'ON'; #use target port
++my $field12 = ''; #TCP or UDP
++my $field13 = 'All ICMP-Types';
++my $field14 = 'TGT_PORT';
++my $field15 = ''; #Port Number
++my $field16 = ''; #remark
++my $field26 = '00:00';
++my $field27 = '00:00';
++open(FILE, $dmzconfig) or die 'Unable to open config file.';
++my @current = <FILE>;
++close(FILE);
++#open LOGFILE
++open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
++&General::readhash($ifacesettings, \%ifaces);
++&General::readhasharray($fwdfwconfig,\%configfwdfw);
++&process_rules;
++sub process_rules{
++ foreach my $line (@current){
++ my $now=localtime;
++ #get values from old configfile
++ my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
++ $h =~ s/\s//gi;
++ print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
++ #Now convert values and check ip addresses
++ $a=uc($a);
++ $e=uc($e);
++ $field2=$e if($e eq 'ON');
++ #SOURCE IP-check
++ $b=&check_ip($b);
++ if (&General::validipandmask($b)){
++ #When ip valid, check if we have a network
++ my ($ip,$subnet) = split ("/",$b);
++ if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
++ $field3='std_net_src';
++ $field4='ORANGE';
++ }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
++ $field3='std_net_src';
++ $field4='BLUE';
++ }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
++ $field3='src_addr';
++ $field4=$b;
++ }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
++ $field3='src_addr';
++ $field4=$b;
++ }else{
++ print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
++ next;
++ }
++ }else{
++ print LOG "$now -> SOURCE IP INVALID. \n\n";
++ next;
++ }
++ #TARGET IP-check
++ $c=&check_ip($c);
++ if (&General::validipandmask($c)){
++ my $now=localtime;
++ #When ip valid, check if we have a network
++ my ($ip,$subnet) = split ("/",$c);
++ if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
++ $field5='std_net_tgt';
++ $field6='GREEN';
++ }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
++ $field5='std_net_tgt';
++ $field6='BLUE';
++ }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
++ $field5='tgt_addr';
++ $field6=$c;
++ }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
++ $field5='tgt_addr';
++ $field6=$c;
++ }else{
++ print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
++ next;
++ }
++ }else{
++ print LOG "$now -> SOURCE IP INVALID. \n\n";
++ next;
++ }
++ $field12=$a;
++ #convert portrange
++ $d =~ tr/-/:/;
++ $field15=$d;
++ $field16=$h;
++ ##Ausgabe
++ #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
++ #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
++ my $key = &General::findhasharraykey (\%configfwdfw);
++ foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
++ $configfwdfw{$key}[0] = $field0;
++ $configfwdfw{$key}[1] = $field1;
++ $configfwdfw{$key}[2] = $field2;
++ $configfwdfw{$key}[3] = $field3;
++ $configfwdfw{$key}[4] = $field4;
++ $configfwdfw{$key}[5] = $field5;
++ $configfwdfw{$key}[6] = $field6;
++ $configfwdfw{$key}[7] = '';
++ $configfwdfw{$key}[8] = '';
++ $configfwdfw{$key}[9] = '';
++ $configfwdfw{$key}[10] = '';
++ $configfwdfw{$key}[11] = $field11;
++ $configfwdfw{$key}[12] = $field12;
++ $configfwdfw{$key}[13] = $field13;
++ $configfwdfw{$key}[14] = $field14;
++ $configfwdfw{$key}[15] = $field15;
++ $configfwdfw{$key}[16] = $field16;
++ $configfwdfw{$key}[17] = '';
++ $configfwdfw{$key}[18] = '';
++ $configfwdfw{$key}[19] = '';
++ $configfwdfw{$key}[20] = '';
++ $configfwdfw{$key}[21] = '';
++ $configfwdfw{$key}[22] = '';
++ $configfwdfw{$key}[23] = '';
++ $configfwdfw{$key}[24] = '';
++ $configfwdfw{$key}[25] = '';
++ $configfwdfw{$key}[26] = $field26;
++ $configfwdfw{$key}[27] = $field27;
++ print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
++ }
++ &General::writehasharray($fwdfwconfig,\%configfwdfw);
++close (LOG);
++}
++
++sub check_ip
++{
++ my $adr=shift;
++ my $a;
++ #ip with subnet in decimal
++ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
++ $adr=int($1).".".int($2).".".int($3).".".int($4);
++ my $b = &General::iporsubtodec($5);
++ $a=$adr."/".$b;
++ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
++ $adr=int($1).".".int($2).".".int($3).".".int($4);
++ if(&General::validip($adr)){
++ $a=$adr."/32";
++ }
++ }
++ if(&General::validipandmask($adr)){
++ $a=&General::iporsubtodec($adr);
++ }
++ return $a;
++}
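Review bot: `$field2` is declared once at file scope and only ever set by `$field2=$e if($e eq 'ON');`, so after the first enabled line every following rule is written with `ON` in field 2 even when the old rule was switched off. Resetting it per line, `$field2 = ($e eq 'ON') ? 'ON' : '';`, keeps disabled DMZ holes disabled after conversion. The script has no `use strict; use warnings;`, which would have flagged the undeclared `$Now` in three of the log lines and the second `my @current`. In `check_ip` the first pattern uses a bare `.` between the octets where the second uses `\.`, so it accepts any separator character.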
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index a64ce06..424947e 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -50,6 +50,7 @@ var/ipfire/forward/config
+ var/ipfire/forward/input
+ var/ipfire/forward/outgoing
+ var/ipfire/forward/dmz
++var/ipfire/forward/net
+ var/ipfire/forward/p2protocols
+ var/ipfire/fwhosts
+ var/ipfire/fwhosts/icmp-types
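Review bot: The added entry is `var/ipfire/forward/net`, but the rest of this commit uses `forward/nat` (the file list in `lfs/configroot` and the `portfw` branch in `backup.pl`), so this looks like a typo that leaves the NAT rule file out of the root file list. If so, the line should read `var/ipfire/forward/nat`.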
+diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
+index 828d1b7..9fcd920 100644
+--- a/config/rootfiles/common/stage2
++++ b/config/rootfiles/common/stage2
+@@ -111,6 +111,8 @@ usr/sbin/ovpn-ccd-convert
+ usr/sbin/firewall-policy
+ usr/sbin/convert-xtaccess
+ usr/sbin/convert-outgoingfw
++usr/sbin/convert-dmz
++usr/sbin/convert-portfw
+ #usr/share
+ #usr/share/doc
+ #usr/share/doc/licenses
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8391701..e69e6ce 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.0';
++my $VERSION='0.9.9.1';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
++
+ #check if manual ip (source) is orange network
+ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
+ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
+@@ -2034,7 +2035,7 @@ sub saverule
+ #print"6";
+ }
+ #check if we change a DMZ to a FORWARD/DMZ
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+ &changerule($configdmz);
+ #print"7";
+ }
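Review bot: The comment above this branch still reads `#check if we change a DMZ to a FORWARD/DMZ` and does not say why a source of `ORANGE` is now excluded. A line such as `#rules whose source is still the ORANGE network stay in the DMZ file` would record the intent, if that is what the new condition means. The `elsif` chain starts and ends outside the hunk.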
+diff --git a/lfs/configroot b/lfs/configroot
+index f0fcbca..0eb7728 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -64,7 +64,7 @@ $(TARGET) :
+ for i in auth/users backup/include.user backup/exclude.user \
+ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+- extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \
++ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
+ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
+@@ -102,6 +102,8 @@ $(TARGET) :
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
+ cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess
+ cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
++ cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz
++ cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw
+ cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy
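Review bot: The new `cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw` needs a file that this commit does not add: the diffstat creates only `config/forwardfw/convert-dmz`. Unless `convert-portfw` comes from an earlier patch in the series, this target fails at that line. `backup.pl` and `stage2` in the same commit also refer to the installed script.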
+--
+1.7.10.4
+
--- /dev/null
+From 13b66761051fdc58273ac376ff2589add1a48328 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Apr 2013 08:43:18 +0200
+Subject: [PATCH 202/302] Forward Firewall: some typos in dmz-converter
+
+---
+ config/backup/backup.pl | 8 ++++----
+ config/forwardfw/convert-dmz | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index 4ad7363..4662a8a 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -66,9 +66,9 @@ elsif ($ARGV[0] eq 'restore') {
+ system("/usr/sbin/ovpn-ccd-convert");
+ #OUTGOINGFW CONVERTER
+ if( -d "${General::swroot}/outgoing"){
+- if( -f "${General::swroot}/forward/config" ){
++ if( -f "${General::swroot}/forward/config" ){
+ unlink("${General::swroot}/forward/config");
+- system("touch ${General::swroot}/forward/config");
++ system("touch ${General::swroot}/forward/config");
+ chown 99,99,"${General::swroot}/forward/config";
+ }
+ if( -f "${General::swroot}/forward/outgoing" ){
+@@ -99,7 +99,7 @@ elsif ($ARGV[0] eq 'restore') {
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #DMZ-HOLES CONVERTER
+- if( -d "${General::swroot}/dmz-holes"){
++ if( -d "${General::swroot}/dmzholes"){
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+@@ -107,7 +107,7 @@ elsif ($ARGV[0] eq 'restore') {
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
+- rmtree("${General::swroot}/xtaccess");
++ rmtree("${General::swroot}/dmzholes");
+ }
+ #PORTFORWARD CONVERTER
+ if( -d "${General::swroot}/portfw"){
+diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
+index 639cef3..81d77ba 100755
+--- a/config/forwardfw/convert-dmz
++++ b/config/forwardfw/convert-dmz
+@@ -49,8 +49,8 @@ sub process_rules{
+ my $now=localtime;
+ #get values from old configfile
+ my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+- $h =~ s/\s//gi;
+- print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
++ $h =~ s/\s*\n//gi;
++ print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #Now convert values and check ip addresses
+ $a=uc($a);
+ $e=uc($e);
+@@ -99,11 +99,11 @@ sub process_rules{
+ $field5='tgt_addr';
+ $field6=$c;
+ }else{
+- print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
++ print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n";
+ next;
+ }
+ }else{
+- print LOG "$now -> SOURCE IP INVALID. \n\n";
++ print LOG "$now -> TARGET IP INVALID. \n\n";
+ next;
+ }
+ $field12=$a;
+--
+1.7.10.4
+
--- /dev/null
+From 166fe29a3013aa64f194ac24c75dbe607efbfc38 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Apr 2013 11:24:22 +0200
+Subject: [PATCH 203/302] Forward Firewall: some fixes:
+
+1) Counter was not correctly decreased when deleting a network from a customgroup
+2) Convert-outgoingfw improved
+3) Backup didn't set filepermissions correctly
+---
+ config/backup/backup.pl | 20 +++++++----
+ config/forwardfw/convert-outgoingfw | 63 +++++++++++++++++++++--------------
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 3 files changed, 53 insertions(+), 32 deletions(-)
+
+diff --git a/config/backup/backup.pl b/config/backup/backup.pl
+index 4662a8a..28e2dd8 100644
+--- a/config/backup/backup.pl
++++ b/config/backup/backup.pl
+@@ -76,15 +76,23 @@ elsif ($ARGV[0] eq 'restore') {
+ system("touch ${General::swroot}/forward/outgoing");
+ chown 99,99,"${General::swroot}/forward/outgoing";
+ }
+- unlink("${General::swroot}/fwhosts/*");
++ unlink("${General::swroot}/fwhosts/customgroups");
++ unlink("${General::swroot}/fwhosts/customhosts");
++ unlink("${General::swroot}/fwhosts/customgroups");
++ unlink("${General::swroot}/fwhosts/customnetworks");
++ unlink("${General::swroot}/fwhosts/customservicegrp");
++ unlink("${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customgroups");
+ system("touch ${General::swroot}/fwhosts/customhosts");
+ system("touch ${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customservicegrp");
+- system("touch ${General::swroot}/fwhosts/customservices");
+- chown 99,99,"${General::swroot}/fwhosts/*";
+ #START CONVERTER "OUTGOINGFW"
+ system("/usr/sbin/convert-outgoingfw");
++ chown 99,99,"${General::swroot}/fwhosts/customgroups";
++ chown 99,99,"${General::swroot}/fwhosts/customhosts";
++ chown 99,99,"${General::swroot}/fwhosts/customnetworks";
++ chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
++ #START CONVERTER "OUTGOINGFW"
+ rmtree("${General::swroot}/outgoing");
+ }
+ #XTACCESS CONVERTER
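Review bot: The new unlink list names `customgroups` and `customnetworks` twice and never names `customservices`, and the `touch` for `customservices` is dropped in the same hunk. If keeping an existing services file across a restore is intended, a one-line comment should say so; otherwise one of the duplicates was probably meant to be `customservices`. The `chown 99,99,...` calls here and in the three converter hunks below ignore their return value, so a file the converter never created leaves the ownership step skipped without notice; `chown(99,99,$file) or warn "chown $file: $!";` would surface that. The second `#START CONVERTER "OUTGOINGFW"` comment added after the chown lines looks like a leftover. The enclosing `elsif` block starts outside this hunk.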
+@@ -92,10 +100,10 @@ elsif ($ARGV[0] eq 'restore') {
+ if( -f "${General::swroot}/forward/input" ){
+ unlink("${General::swroot}/forward/input");
+ system("touch ${General::swroot}/forward/input");
+- chown 99,99,"${General::swroot}/forward/input";
+ }
+ #START CONVERTER "XTACCESS"
+ system("/usr/sbin/convert-xtaccess");
++ chown 99,99,"${General::swroot}/forward/input";
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #DMZ-HOLES CONVERTER
+@@ -103,10 +111,10 @@ elsif ($ARGV[0] eq 'restore') {
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+- chown 99,99,"${General::swroot}/forward/dmz";
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
++ chown 99,99,"${General::swroot}/forward/dmz";
+ rmtree("${General::swroot}/dmzholes");
+ }
+ #PORTFORWARD CONVERTER
+@@ -114,10 +122,10 @@ elsif ($ARGV[0] eq 'restore') {
+ if( -f "${General::swroot}/forward/nat" ){
+ unlink("${General::swroot}/forward/nat");
+ system("touch ${General::swroot}/forward/nat");
+- chown 99,99,"${General::swroot}/forward/nat";
+ }
+ #START CONVERTER "PORTFW"
+ system("/usr/sbin/convert-portfw");
++ chown 99,99,"${General::swroot}/forward/nat";
+ rmtree("${General::swroot}/portfw");
+ }
+ system("/usr/local/bin/forwardfwctrl");
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index d065b5a..54ba709 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -61,21 +61,22 @@ sub process_groups
+ open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
+ #IP Group processing
+ foreach my $group (@ipgroups){
++ my $now=localtime;
+ chomp $group;
+- print LOG "\nProcessing IP-GROUP: $group...\n";
++ print LOG "\n$now Processing IP-GROUP: $group...\n";
+ open (DATEI, "<$ipgrouppath/$group");
+ my @zeilen = <DATEI>;
+ foreach my $ip (@zeilen){
+ chomp($ip);
+ $ip =~ s/\s//gi;
+- print LOG "Check IP $ip from Group $group ";
++ print LOG "$now Check IP $ip from Group $group ";
+ my $val=&check_ip($ip);
+ if($val){
+ push(@hostarray,$val.",ip");
+- print LOG "-> OK\n";
++ print LOG "$now -> OK\n";
+ }
+ else{
+- print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
++ print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
+ }
+ $val='';
+ }
+@@ -94,17 +95,17 @@ sub process_groups
+ foreach my $mac (@zeilen){
+ chomp($mac);
+ $mac =~ s/\s//gi;
+- print LOG "Checking MAC $mac from group $group ";
++ print LOG "$now Checking MAC $mac from group $group ";
+ #MAC checking
+ if(&General::validmac($mac)){
+ $val=$mac;
+ }
+ if($val){
+ push(@hostarray,$val.",mac");
+- print LOG "-> OK\n";
++ print LOG "$now -> OK\n";
+ }
+ else{
+- print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
++ print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
+ }
+ $val='';
+ }
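Review bot: `$now` is used in the three MAC-group log lines of this hunk, but the only `my $now=localtime;` added to process_groups sits inside the body of `foreach my $group (@ipgroups)` in the previous hunk. The header of the MAC loop is outside this hunk, so this is inferred: if it is a separate loop, `$now` here is not that lexical and the lines are logged with an empty timestamp (or fail to compile if the script runs under `use strict`). Adding `my $now=localtime;` as the first statement of the MAC group loop would match the IP path.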
+@@ -297,30 +298,31 @@ sub check_grp
+ sub process_rules
+ {
+ my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
++ #open LOG
++ if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
++ open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
++
+ &General::readhash($fwdfwsettings,\%fwdsettings);
+ if ($outsettings{'POLICY'} eq 'MODE1'){
+- $fwdfwsettings{'POLICY'}='MODE1';
++ $fwdsettings{'POLICY'}='MODE1';
++ $fwdsettings{'POLICY1'}='MODE2';
+ $type='ALLOW';
+ $action='ACCEPT';
+- }elsif($outsettings{'POLICY'} eq 'MODE2'){
++ }else{
+ $fwdsettings{'POLICY'}='MODE2';
++ $fwdsettings{'POLICY1'}='MODE2';
+ $type='DENY';
+ $action='DROP';
+- }else{
+- return;
+ }
+ &General::writehash($fwdfwsettings,\%fwdsettings);
+-
+- #open LOG
+- if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+- open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+ open (DATEI, "<$outgoingrules");
+ my @lines = <DATEI>;
+ foreach my $rule (@lines)
+ {
++ my $now=localtime;
+ chomp($rule);
+ $port='';
+- print LOG "processing: $rule\n";
++ print LOG "$now processing: $rule\n";
+ my @configline=();
+ @configline = split( /\;/, $rule );
+ my @prot=();
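Review bot: The rewritten `else` on the POLICY test now treats every value other than `MODE1`, including an empty or unexpected `$outsettings{'POLICY'}`, as `MODE2` and writes that into the forward firewall settings, where the old code returned without converting anything. For a firewall policy migration that fall-through should be explicit: keep `}elsif($outsettings{'POLICY'} eq 'MODE2'){` and log the unrecognised value in a final `else` before applying a default, or add a comment stating why defaulting to MODE2 is the intended behaviour. Both branches also set `$fwdsettings{'POLICY1'}='MODE2'`, which reads like a copy of the same line and is worth confirming. process_rules continues beyond this hunk.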
+@@ -377,9 +379,10 @@ sub process_rules
+ $grp1='std_net_src';
+ $source='BLUE';
+ }elsif ($configline[2] eq 'ipsec') {
+- print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
++ print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+ next;
+ }elsif ($configline[2] eq 'ovpn') {
++ print LOG "$now ->Creating networks/groups for OpenVPN...\n";
+ &build_ovpn_grp;
+ $grp1='cust_grp_src';
+ $source='ovpn'
+@@ -391,7 +394,7 @@ sub process_rules
+ $grp1='src_addr';
+ $source="$ipa/$subn";
+ }else{
+- print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
++ print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+ next;
+ }
+ }elsif ($configline[2] eq 'mac') {
+@@ -399,7 +402,7 @@ sub process_rules
+ $grp1='src_addr';
+ $source=$configline[6];
+ }else{
+- print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
++ print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
+ next;
+ }
+ }elsif ($configline[2] eq 'all') {
+@@ -413,7 +416,7 @@ sub process_rules
+ }
+ }
+ if ($grp1 eq '' || $source eq ''){
+- print LOG "-> Rule not converted, no valid source recognised\n";
++ print LOG "$now -> Rule not converted, no valid source recognised\n";
+ }
+ }
+ ############################################################
+@@ -432,7 +435,7 @@ sub process_rules
+ $target=$getwebsiteip;
+ $remark.=" $configline[7]";
+ }else{
+- print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
++ print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
+ next;
+ }
+ }
+@@ -451,7 +454,7 @@ sub process_rules
+ push (@values,$_);
+ $grp3='TGT_PORT';
+ }else{
+- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+ next;
+ }
+ }else{
+@@ -461,7 +464,7 @@ sub process_rules
+ push (@values,"$a1:$a2");
+ $grp3='TGT_PORT';
+ }else{
+- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
++ print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+ next;
+ }
+ }
+@@ -478,13 +481,14 @@ sub process_rules
+ my $check;
+ my $chain;
+ foreach my $protocol (@prot){
++ my $now=localtime;
+ if ($source eq 'IPFire'){
+ $chain='OUTGOINGFW';
+ }else{
+ $chain='FORWARDFW';
+ }
+ $protocol=uc($protocol);
+- print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
++ print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+ #Put rules into system....
+ ###########################
+ #check for double rules
+@@ -583,6 +587,7 @@ sub get_ip_from_domain
+ }
+ sub build_ovpn_grp
+ {
++ my $now=localtime;
+ &General::readhasharray($confighosts,\%hosts);
+ &General::readhasharray($confignets,\%nets);
+ &General::readhasharray($configgroups,\%groups);
+@@ -594,20 +599,24 @@ sub build_ovpn_grp
+ if($settingsovpn{'DOVPN_SUBNET'}){
+ my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
+ push (@ovpnnets,"$net,$subnet,dynamic");
++ print LOG "$now ->found dynamic OpenVPN net\n";
+ }
+ foreach my $key (sort keys %ccdconf){
+ my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
+ $subnet=&General::iporsubtodec($subnet);
+ push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
++ print LOG "$now ->found OpenVPN static net $net/$subnet\n";
+ }
+ foreach my $key (sort keys %configovpn){
+ if ($configovpn{$key}[3] eq 'net'){
+ my ($net,$subnet)=split("/",$configovpn{$key}[27]);
+ push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
++ print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
+ }
+ }
+ #add ovpn nets to customnetworks/groups
+ foreach my $line (@ovpnnets){
++ my $now=localtime;
+ my ($net,$subnet,$name) = split(",",$line);
+ if (!&check_net($net,$subnet)){
+ my $netkey = &General::findhasharraykey(\%nets);
+@@ -616,7 +625,9 @@ sub build_ovpn_grp
+ $nets{$netkey}[0] = $name2;
+ $nets{$netkey}[1] = $net;
+ $nets{$netkey}[2] = $subnet;
+- $nets{$netkey}[3] = 1;
++ $nets{$netkey}[3] = '';
++ $nets{$netkey}[4] = 1;
++ print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
+ }else{
+ print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n";
+ }
+@@ -627,6 +638,7 @@ sub build_ovpn_grp
+ $groups{$grpkey}[2] = $name2;
+ $groups{$grpkey}[3] = "Custom Network";
+ $groups{$grpkey}[4] = 0;
++ print LOG "$now ->added $name2 to customgroup ovpn\n";
+ }
+ $name2='';
+ }
+@@ -634,6 +646,7 @@ sub build_ovpn_grp
+ &General::writehasharray($confighosts,\%hosts);
+ &General::writehasharray($configgroups,\%groups);
+ &General::writehasharray($confignets,\%nets);
++ print LOG "$now ->finished OVPN\n";
+ }
+ sub process_p2p
+ {
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index a0bb21f..8581141 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -863,7 +863,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
+ &General::readhasharray("$confignet", \%customnetwork);
+ foreach my $key1 (keys %customnetwork){
+ if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
+- $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1;
++ $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;
+ last;
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From ea90f3997db73c8f4c3800eca99b54937dfba738 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 4 Apr 2013 13:02:50 +0200
+Subject: [PATCH 204/302] Forward Firewall: Version 0.9.9.2
+
+1) Some changes in en.pl
+2) DNAT now supports REJECT/DROP rules
+3) Bugfix: comma in remark customservicegroup
+4) improved installer
+---
+ config/forwardfw/rules.pl | 17 ++++++------
+ config/rootfiles/common/configroot | 2 +-
+ html/cgi-bin/forwardfw.cgi | 51 +++++++++++++-----------------------
+ html/cgi-bin/fwhosts.cgi | 4 +++
+ langs/en/cgi-bin/en.pl | 4 +--
+ 5 files changed, 34 insertions(+), 44 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 1ec0dea..637614d 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -176,16 +176,17 @@ sub buildrules
+ my $natip;
+ my $snatport;
+ my $fireport;
++ my $nat;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+ $command='iptables -t nat -A';
+ $natip=&get_nat_ip($$hash{$key}[29]);
+ if($$hash{$key}[31] eq 'dnat'){
+- $$hash{$key}[0]='DNAT';
++ $nat='DNAT';
+ $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
+ }else{
+- $$hash{$key}[0]='SNAT';
++ $nat='SNAT';
+ }
+ }
+ $STAG='';
+@@ -288,12 +289,12 @@ sub buildrules
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+- print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
++ print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
+ }
+ }
+ }
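Review bot: The SNAT branch in this print path tests `$$hash{$key}[32] eq 'snat'`, while the DNAT test earlier in buildrules and the `system` path in the next hunk both read the NAT type from field 31. With the type stored in field 31, the printed output would never show the SNAT rule that the live path installs, so the debug listing would not match what is applied. The line should read `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){`. The enclosing loops start outside this hunk.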
+@@ -329,16 +330,16 @@ sub buildrules
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+- system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
++ system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
+ }
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
++ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
+ }
+ }
+ }
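Review bot: The new PORTFWACCESS line passes a single string to `system`, so it is run through the shell, and it now interpolates `$STAG`, `$sourcehash{$a}[0]` and the rule action `$$hash{$key}[0]` into that string. Nothing in this hunk checks those fields, so the command relies entirely on validation done when the rule file was written (not visible here). Checking the action against the fixed set before use, for example `next unless $$hash{$key}[0] =~ /^(ACCEPT|DROP|REJECT)$/;`, and moving these calls to list-form `system('iptables', @args)` would remove that dependency. The same applies to the DNAT and SNAT `system` lines changed in this hunk.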
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 424947e..711dbcd 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -50,7 +50,7 @@ var/ipfire/forward/config
+ var/ipfire/forward/input
+ var/ipfire/forward/outgoing
+ var/ipfire/forward/dmz
+-var/ipfire/forward/net
++var/ipfire/forward/nat
+ var/ipfire/forward/p2protocols
+ var/ipfire/fwhosts
+ var/ipfire/fwhosts/icmp-types
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index e69e6ce..68a18b4 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.1';
++my $VERSION='0.9.9.2';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -161,17 +161,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #check if we have an identical rule already
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %confignatfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+- $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+- $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+- }
+- if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+- $fwdfwsettings{'nosave'} = 'on';
+- }
++ if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]"
++ eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){
++ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
++ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
++ $errormessage='';
++ }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
++ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
++ }
++ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
++ $fwdfwsettings{'nosave'} = 'on';
++ }
+ }
+ }
+ }
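Review bot: The `elsif` that calls `&validremark` can never run, because its condition repeats both tests of the preceding `if` (`oldruleremark ne ruleremark` and `updatefwrule eq 'on'`) and only adds further ones; whenever it would be true, the `if` branch has already been taken and cleared `$errormessage`. A changed remark on an otherwise identical rule therefore skips the remark check on this path, although checks outside the hunk may still catch it. Swapping the order, so the branch containing `!&validremark($fwdfwsettings{'ruleremark'})` is tested first and the plain `$errormessage='';` case becomes the `elsif`, restores the intent. The bare `NAT_DESTINATION` literal in the comparison string also deserves a comment naming the stored field it is compared with.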
+@@ -591,9 +591,9 @@ sub addrule
+ {
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ }
+- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
++ &Header::openbox('100%', 'left', $Lang::tr{'firewall'});
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
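Review bot: The new markup ends the wrapper with `</div</td>`, which is missing the `>` after `</div`; it should read `</div></td>`. The matching change to showmenu in fwhosts.cgi (PATCH 205) opens the same `<div>` and never closes it. In both strings the `<td>` follows `<form>` with no opening `<tr>` although a `</tr>` is printed, and the form is opened inside the table but closed after it, so browsers have to repair the nesting.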
+@@ -768,7 +768,7 @@ sub checktarget
+ {
+ my ($ip,$subnet);
+ &General::readhasharray("$configsrv", \%customservice);
+- #check DNAT settings (has to be single Host and single Port)
++ #check DNAT settings (has to be single Host and single Port or portrange)
+ if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
+ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+ if ($fwdfwsettings{'USESRV'} eq ''){
+@@ -783,7 +783,7 @@ sub checktarget
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ }
+ }
+- #check if Port is a single Port
++ #check if Port is a single Port or portrange
+ if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
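Review bot: The condition under the edited comment, `($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP')`, is true for every value, since no protocol can equal both strings, so the test reduces to `$fwdfwsettings{'TGT_PORT'} eq ''`. If the intent is "protocol is neither TCP nor UDP", the operator has to be `&&`; if the protocol is irrelevant, the clause should be dropped so the check reads as what it does. This is validation code for DNAT targets, so the comment and the condition should state the same rule. checktarget continues outside this hunk.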
+@@ -945,17 +945,7 @@ sub checkrule
+ if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+ #if no port is given in nat area, take target host port
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
+-
+- #check if given nat port is already used by another dnatrule
+- if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){
+- foreach my $id (sort keys %confignatfw){
+- if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){
+- $errormessage=$Lang::tr{'fwdfw natport used'}."<br>";
+- }
+- }
+- }
+-
+- #check if port given in nat area is a single valid port
++ #check if port given in nat area is a single valid port or portrange
+ if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ }
+@@ -2346,12 +2336,7 @@ END
+ $tooltip='REJECT';
+ $rulecolor=$color{'color16'};
+ }
+- if($$hash{$key}[28] eq 'ON'){
+- print"<td bgcolor='$color' align='center' width='20'></td>";
+- $rulecolor=$color;
+- }else{
+- print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
+- }
++ print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
+ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 8581141..3b5f982 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -722,6 +722,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
+ &General::readhasharray("$configsrvgrp", \%customservicegrp );
+ &General::readhasharray("$configsrv", \%customservice );
+ $errormessage=&checkservicegroup;
++ #check remark
++ if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){
++ $errormessage=$Lang::tr{'fwhost err remark'};
++ }
+ if (!$errormessage){
+ #on first save, we have to enter a dummy value
+ if ($fwhostsettings{'CUST_SRV'} eq ''){
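Review bot: The added remark check assigns with `=`, so a failure reported by `&checkservicegroup` on the line above is replaced by the remark message instead of being shown alongside it. Using `$errormessage.=$Lang::tr{'fwhost err remark'};` (or testing the remark only when `$errormessage` is still empty) keeps the first error visible. The key `'fwhost err remark'` is not added by the language-file hunks of this commit, so it is worth confirming that it already exists in en.pl and de.pl; otherwise the user sees an empty error.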
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 0cdfe24..23a15ff 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -958,7 +958,7 @@
+ 'fwdfw rules' => 'Rules',
+ 'fwdfw rule action' => 'Rule action:',
+ 'fwdfw rule activate' => 'Activate rule',
+-'fwdfw rulepos' => 'Ruleposition',
++'fwdfw rulepos' => 'Rule position',
+ 'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)',
+ 'fwdfw source' => 'Source',
+ 'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
+@@ -1051,7 +1051,7 @@
+ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protocol',
+-'fwhost reread' => 'Firewallrules need to be updated.',
++'fwhost reread' => 'Firewall rules need to be updated.',
+ 'fwhost reset' => 'Cancel',
+ 'fwhost services' => 'Services',
+ 'fwhost srv_name' => 'Servicename',
+--
+1.7.10.4
+
--- /dev/null
+From 4f391640f1a97942f01ac8f86d915426ea320b49 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 4 Apr 2013 14:18:04 +0200
+Subject: [PATCH 205/302] Forward Firewall: some changes in en.pl and de.pl.
+ Also adapted "apply" button in fwhosts.cgi
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ langs/de/cgi-bin/de.pl | 2 +-
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 3b5f982..91ed322 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1067,7 +1067,7 @@ if($fwhostsettings{'ACTION'} eq '')
+ sub showmenu
+ {
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print<<END;
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 65ead1a..63cb731 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -979,7 +979,7 @@
+ 'fwhost cust service' => 'Custom Dienste:',
+ 'fwhost cust srvgrp' => 'Custom Dienstgruppen',
+ 'fwhost deleted' => 'Gelöscht',
+-'fwhost empty' => 'Keine Einträge vorhanden',
++'fwhost empty' => 'Keine Regeln definiert',
+ 'fwhost err addr' => 'IP oder Subnetzmaske ungültig',
+ 'fwhost err addrgrp' => 'Bitte gruppenname angeben',
+ 'fwhost err empty' => 'Bitte alle Felder füllen',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 23a15ff..f032889 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1002,7 +1002,7 @@
+ 'fwhost cust service' => 'Custom services:',
+ 'fwhost cust srvgrp' => 'Custom servicegroups',
+ 'fwhost deleted' => 'Deleted',
+-'fwhost empty' => 'No entries by now',
++'fwhost empty' => 'No rules defined',
+ 'fwhost err addr' => 'Invalid IP or subnet',
+ 'fwhost err addrgrp' => 'Please provide a groupname',
+ 'fwhost err empty' => 'Please fill in all fields',
+--
+1.7.10.4
+
--- /dev/null
+From 8d18177ee1e93c20db2a8e757784685eb0ab7b59 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 8 Apr 2013 15:32:49 +0200
+Subject: [PATCH 206/302] Forward Firewall: little changes in ruletable
+ layout. (Headline)
+
+---
+ html/cgi-bin/forwardfw.cgi | 16 ++++++----------
+ langs/de/cgi-bin/de.pl | 5 +++--
+ langs/en/cgi-bin/en.pl | 9 +++++----
+ 3 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 68a18b4..584f7f0 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.2';
++my $VERSION='0.9.9.3';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -593,7 +593,7 @@ sub addrule
+ if (-f "${General::swroot}/forward/reread"){
+ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ }
+- &Header::openbox('100%', 'left', $Lang::tr{'firewall'});
++ &Header::openbox('100%', 'left', "");
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+@@ -1622,11 +1622,7 @@ sub newrule
+ }
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+- if ($fwdfwsettings{'TIME'} eq 'ON'){
+- $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
+- $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
+- }
+-print "<form method='post'>";
++ print "<form method='post'>";
+ &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
+ #------SOURCE-------------------------------------------------------
+@@ -2241,11 +2237,11 @@ sub validremark
+ sub viewtablerule
+ {
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+- &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" );
++ &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" );
+ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+- &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+- &viewtablenew(\%confignatfw,$confignat,"","NAT" );
++ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
++ &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" );
+ }
+ sub viewtablenew
+ {
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 63cb731..bcaf89d 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -886,7 +886,7 @@
+ 'fwdfw additional' => 'Zusätzlich',
+ 'fwdfw action' => 'Aktion',
+ 'fwdfw menu' => 'Firewall',
+-'fwdfw addrule' => 'Neue Regel hinzufügen:',
++'fwdfw addrule' => 'Regel hinzufügen/ändern:',
+ 'fwdfw addr grp' => 'Adressgruppen:',
+ 'fwdfw change' => 'Aktualisieren',
+ 'fwdfw cust addr' => 'Custom Adressen:',
+@@ -960,11 +960,12 @@
+ 'fwdfw wd_fri' => 'Fr',
+ 'fwdfw wd_sat' => 'Sa',
+ 'fwdfw wd_sun' => 'So',
++'fwdfw xt access' => 'Zugriff auf Firewall',
+ 'fwhost addgrp' => 'Gruppe:',
+ 'fwhost addgrpname' => 'Gruppenname:',
+ 'fwhost addhost' => 'Adresse:',
+ 'fwhost addnet' => 'Netzwerk:',
+-'fwhost addrule' => 'Neue Regel hinzufügen:',
++'fwhost addrule' => 'Regel hinzufügen/ändern:',
+ 'fwhost any' => 'Alle',
+ 'fwhost attention' => 'ACHTUNG',
+ 'fwhost back' => 'Zurück',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index f032889..99b029a 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -909,7 +909,7 @@
+ 'fwdfw additional' => 'Additional',
+ 'fwdfw action' => 'Action',
+ 'fwdfw menu' => 'Firewall',
+-'fwdfw addrule' => 'Add new rule:',
++'fwdfw addrule' => 'Add/Edit rule:',
+ 'fwdfw addr grp' => 'Adress groups:',
+ 'fwdfw change' => 'Update',
+ 'fwdfw cust addr' => 'Custom addresses:',
+@@ -972,8 +972,8 @@
+ 'fwdfw togglelog' => 'Activate or deactivate logging',
+ 'fwdfw use nat' => 'Use NAT',
+ 'fwdfw useless rule' => 'This rule is rejected (useless).',
+-'fwdfw use srcport' => 'Use sourceport',
+-'fwdfw use srv' => 'Use targetport',
++'fwdfw use srcport' => 'Use source port',
++'fwdfw use srv' => 'Use target port',
+ 'fwdfw natport used' => 'The NAT port is already used by another DNAT rule',
+ 'fwdfw newrule' => 'New rule',
+ 'fwdfw wd_mon' => 'Mon',
+@@ -983,11 +983,12 @@
+ 'fwdfw wd_fri' => 'Fri',
+ 'fwdfw wd_sat' => 'Sat',
+ 'fwdfw wd_sun' => 'Sun',
++'fwdfw xt access' => 'Access to firewall',
+ 'fwhost addgrp' => 'Group:',
+ 'fwhost addgrpname' => 'Groupname:',
+ 'fwhost addhost' => 'Address:',
+ 'fwhost addnet' => 'Network:',
+-'fwhost addrule' => 'Add new rule:',
++'fwhost addrule' => 'Add/Edit rule:',
+ 'fwhost any' => 'Any',
+ 'fwhost attention' => 'ATTENTION',
+ 'fwhost back' => 'back',
+--
+1.7.10.4
+
--- /dev/null
+From 0e712973333125cbd8e4804f22ac229698abf392 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 11 Apr 2013 10:50:29 +0200
+Subject: [PATCH 207/302] Forward Firewall: Added multiport support to
+ DNAT/Portforwarding
+
+Now it is possible to use multiple ports under DNAT when TARGET has no Port, one Port or one Portrange defined
+---
+ config/forwardfw/rules.pl | 35 ++++++++++++++++++++++++++++----
+ html/cgi-bin/forwardfw.cgi | 48 ++++++++++++++++++++++++++++++++++++++------
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 3 files changed, 74 insertions(+), 11 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 637614d..fad5477 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -177,6 +177,7 @@ sub buildrules
+ my $snatport;
+ my $fireport;
+ my $nat;
++ my $fwaccessdport;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+@@ -184,7 +185,12 @@ sub buildrules
+ $natip=&get_nat_ip($$hash{$key}[29]);
+ if($$hash{$key}[31] eq 'dnat'){
+ $nat='DNAT';
+- $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
++ if ($$hash{$key}[30] =~ /\|/){
++ $$hash{$key}[30]=~ tr/|/,/;
++ $fireport='-m multiport --dport '.$$hash{$key}[30];
++ }else{
++ $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
++ }
+ }else{
+ $nat='SNAT';
+ }
+@@ -291,7 +297,16 @@ sub buildrules
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ if ($DPORT){
++ $fwaccessdport="--dport ".substr($DPORT,1,);
++ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
++ if ($$hash{$key}[30]=~m/|/i){
++ $$hash{$key}[30] =~ s/\|/,/g;
++ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
++ }else{
++ $fwaccessdport="--dport $$hash{$key}[30]";
++ }
++ }
+ print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
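Review bot: The new test `$$hash{$key}[30]=~m/|/i` is always true, because an unescaped `|` is an alternation of two empty patterns, so a single NAT port also produces `-m multiport`. The first DNAT hunk of this commit already rewrites `|` to `,` in the same field, so the test is better written to accept either separator, `if ($$hash{$key}[30] =~ /[|,]/){`; the `system` copy of this block in the next hunk has the same line. `$fwaccessdport` is also now declared once before the `foreach` and only assigned inside these branches, so a rule with neither `$DPORT` nor a NAT port appears to inherit the previous rule's `--dport` in its PORTFWACCESS line; clearing it with `$fwaccessdport='';` just before `if ($DPORT){` avoids that. buildrules starts and ends outside the hunk.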
+@@ -332,9 +347,17 @@ sub buildrules
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
++ if ($DPORT){
++ $fwaccessdport="--dport ".substr($DPORT,1,);
++ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
++ if ($$hash{$key}[30]=~m/|/i){
++ $$hash{$key}[30] =~ s/\|/,/g;
++ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
++ }else{
++ $fwaccessdport="--dport $$hash{$key}[30]";
++ }
++ }
+ system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+-
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
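Review bot: The port list in `$$hash{$key}[30]` now reaches a single-string `system` call through `$fwaccessdport`, and Perl runs such a string through the shell when it contains shell metacharacters. The only validation of this field visible in the commit is in forwardfw.cgi, so rules.pl trusts whatever the rule file holds. A guard around the new `elsif` body such as `if ($$hash{$key}[30] =~ /^[0-9:,|]+$/)` would keep anything but digits and separators out of the iptables command line. buildrules starts and ends outside the hunk.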
+@@ -499,6 +522,10 @@ sub get_prot
+ return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
+ }
+ }
++ #DNAT
++ if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
++ return "$$hash{$key}[12]";
++ }
+ }
+ sub get_port
+ {
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 584f7f0..72771e8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -591,7 +591,7 @@ sub addrule
+ {
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
++ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ }
+ &Header::openbox('100%', 'left', "");
+ print "<form method='post'>";
+@@ -771,7 +771,7 @@ sub checktarget
+ #check DNAT settings (has to be single Host and single Port or portrange)
+ if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
+ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+- if ($fwdfwsettings{'USESRV'} eq ''){
++ if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ }
+ #check if manual ip is a single Host (if set)
+@@ -905,7 +905,6 @@ sub checktarget
+ if ($fwdfwsettings{'USESRV'} ne 'ON'){
+ $fwdfwsettings{'grp3'}='';
+ $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
+- $fwdfwsettings{'TGT_PROT'}='';
+ $fwdfwsettings{'ICMP_TGT'}='';
+ }
+ #check timeframe
+@@ -946,10 +945,9 @@ sub checkrule
+ #if no port is given in nat area, take target host port
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
+ #check if port given in nat area is a single valid port or portrange
+- if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
++ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+- }
+- elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
++ }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
+ my $custsrvport;
+ #get servcie Protocol and Port
+ foreach my $key (sort keys %customservice){
+@@ -962,6 +960,42 @@ sub checkrule
+ }
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;}
+ }
++ #check if DNAT port is multiple
++ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
++ my @parts=split(",",$fwdfwsettings{'dnatport'});
++ my @values=();
++ foreach (@parts){
++ chomp($_);
++ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
++ my $check;
++ #change dashes with :
++ $_=~ tr/-/:/;
++ if ($_ eq "*") {
++ push(@values,"1:65535");
++ $check='on';
++ }
++ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
++ push(@values,"1:$2");
++ $check='on';
++ }
++ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
++ push(@values,"$1:65535");
++ $check='on'
++ }
++ $errormessage .= &General::validportrange($_, 'destination');
++ if(!$check){
++ push (@values,$_);
++ }
++ }else{
++ if (&General::validport($_)){
++ push (@values,$_);
++ }else{
++
++ }
++ }
++ }
++ $fwdfwsettings{'dnatport'}=join("|",@values);
++ }
+ }
+ #check valid remark
+ if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
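Review bot: The empty `else{ }` after `&General::validport($_)` discards an invalid entry without reporting it, so a list such as `80,abc` is stored as `80` and the user is never told; with the previous hunk making `check_natport` conditional on `TGT_PORT`, this block can be the only validation the DNAT port gets. Set the error there, for example `$errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";`. The `eq "*"` and `(\D)` tests sit inside a branch that only runs when the entry is two digit groups joined by `-` or `:`, so they cannot match and can be removed. `chomp` does not strip the space in `80, 443`, so trimming with `s/^\s+|\s+$//g` before the checks is worth adding. checkrule starts and ends outside the hunk.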
+@@ -1764,6 +1798,7 @@ END
+ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
+ }
+ print"</td></tr>";
++ $fwdfwsettings{'dnatport'}=~ tr/|/,/;
+ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
+ print"<tr><td colspan='8'><br></td></tr>";
+ #SNAT
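Review bot: `dnatport` is printed into `value=$fwdfwsettings{'dnatport'}` without quotes or HTML escaping, and this commit turns the field into free-form list input. If the form is re-rendered with the submitted value after a validation error (not visible in this hunk), a value containing a space or `>` ends the attribute and the rest is parsed as markup. Quote the attribute as `value='...'` and HTML-escape the value before printing. The added `tr/|/,/` also rewrites `%fwdfwsettings` in place; converting a local copy for display keeps the stored `|` format intact for any later use.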
+@@ -2371,6 +2406,7 @@ END
+ if ($$hash{$key}[31] eq 'dnat'){
+ print "IPFire ($$hash{$key}[29])";
+ if($$hash{$key}[30] ne ''){
++ $$hash{$key}[30]=~ tr/|/,/;
+ print": $$hash{$key}[30]";
+ }
+ print"<br> DNAT->";
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 91ed322..0283f5c 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1067,7 +1067,7 @@ if($fwhostsettings{'ACTION'} eq '')
+ sub showmenu
+ {
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print<<END;
+--
+1.7.10.4
+
--- /dev/null
+From 8ec2b80d6e3253bf6dcbc1219e8bfbac5e348dfd Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 11 Apr 2013 17:33:22 +0200
+Subject: [PATCH 208/302] Forward Firewall: added SNAT multiport support
+
+---
+ config/forwardfw/rules.pl | 15 ++++++++++-----
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index fad5477..7b8b346 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -182,7 +182,7 @@ sub buildrules
+ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+ $command='iptables -t nat -A';
+- $natip=&get_nat_ip($$hash{$key}[29]);
++ $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
+ if($$hash{$key}[31] eq 'dnat'){
+ $nat='DNAT';
+ if ($$hash{$key}[30] =~ /\|/){
+@@ -308,8 +308,8 @@ sub buildrules
+ }
+ }
+ print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
++ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
++ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ }
+ }
+ }
+@@ -382,17 +382,22 @@ sub buildrules
+ sub get_nat_ip
+ {
+ my $val=shift;
++ my $type=shift;
+ my $result;
+ if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
+ $result=$defaultNetworks{$val.'_ADDRESS'};
+ }elsif($val eq 'ALL'){
+ $result='-i '.$con;
+- }elsif($val eq 'Default IP'){
++ }elsif($val eq 'Default IP' && $type eq 'dnat'){
+ $result='-d '.$redip;
++ }elsif($val eq 'Default IP' && $type eq 'snat'){
++ $result=$redip;
+ }else{
+ foreach my $al (sort keys %aliases){
+- if($val eq $al){
++ if($val eq $al && $type eq 'dnat'){
+ $result='-d '.$aliases{$al}{'IPT'};
++ }elsif($val eq $al && $type eq 'snat'){
++ $result=$aliases{$al}{'IPT'};
+ }
+ }
+ }
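Review bot: Only the `Default IP` and alias branches were made aware of `$type`; the zone branch still returns a bare address and the `ALL` branch still returns `-i $con` for both kinds of rule. In buildrules the DNAT line uses `$natip` as a match option and the SNAT line uses it after `--to`, so a bare address in a DNAT rule or `-i $con` in an SNAT rule would give an invalid iptables command; whether the UI can store those combinations is not visible here. `$result` also stays undefined when `$type` is neither `dnat` nor `snat`, so a final `else` that logs and skips the rule would make that case explicit. get_nat_ip continues past the end of the hunk.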
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 72771e8..7bd3fa5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.3';
++my $VERSION='0.9.9.4';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -838,7 +838,7 @@ sub checktarget
+ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
+- if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {
++ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') {
+ $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ }
+ my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
+--
+1.7.10.4
+
--- /dev/null
+From 32865347c65d33b700a26656e965c49a61d227de Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 12 Apr 2013 12:39:57 +0200
+Subject: [PATCH 209/302] Forward Firewall: edited include file of backup.
+
+---
+ config/backup/include | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/backup/include b/config/backup/include
+index 9284b64..142002b 100644
+--- a/config/backup/include
++++ b/config/backup/include
+@@ -14,8 +14,8 @@
+ /etc/ssh/ssh_host*
+ /var/ipfire/auth/users
+ /var/ipfire/dhcp/*
+-/var/ipfire/forward/*
+-/var/ipfire/fwhosts/*
++/var/ipfire/forward
++/var/ipfire/fwhosts
+ /var/ipfire/main/*
+ /var/ipfire/ovpn
+ /var/ipfire/ppp
+--
+1.7.10.4
+
--- /dev/null
+From 761cb7372c31b0c417e71146442370fe29d059de Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Sun, 14 Apr 2013 15:10:13 +0200
+Subject: [PATCH 210/302] Forward Firewall: fixed firewall hits statistik and
+ extended it to show input,output,forward,newnotsyn
+ and portscan seperately.
+
+---
+ config/cfgroot/graphs.pl | 48 ++++++++++++++++++++++++++++----------
+ config/collectd/collectd.conf | 7 +++---
+ config/forwardfw/firewall-policy | 6 ++---
+ src/initscripts/init.d/firewall | 3 +++
+ 4 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
+index c51e882..83cc60f 100644
+--- a/config/cfgroot/graphs.pl
++++ b/config/cfgroot/graphs.pl
+@@ -216,7 +216,7 @@ sub updatecpugraph {
+ ,"GPRINT:userpct:AVERAGE:%3.2lf%%"
+ ,"GPRINT:userpct:MIN:%3.2lf%%"
+ ,"GPRINT:userpct:LAST:%3.2lf%%\\j"
+- ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'})
++ ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'})
+ ,"GPRINT:systempct:MAX:%3.2lf%%"
+ ,"GPRINT:systempct:AVERAGE:%3.2lf%%"
+ ,"GPRINT:systempct:MIN:%3.2lf%%"
+@@ -602,26 +602,50 @@ sub updatefwhitsgraph {
+ "--color=SHADEA".$color{"color19"},
+ "--color=SHADEB".$color{"color19"},
+ "--color=BACK".$color{"color21"},
+- "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
+- "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
++ "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
++ "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
++ "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
+ "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
+ "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
+- "CDEF:amount=output,input,newnotsyn,+,+",
+- "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}),
++ #"CDEF:amount=input",
++ "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
+- "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}),
++ "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
+- "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}),
+- "GPRINT:amount:MAX:%8.1lf %sBps",
+- "GPRINT:amount:AVERAGE:%8.1lf %sBps",
+- "GPRINT:amount:MIN:%8.1lf %sBps",
+- "GPRINT:amount:LAST:%8.1lf %sBps\\j",
+- "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}),
++ "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"),
++ "GPRINT:input:MAX:%8.1lf %sBps",
++ "GPRINT:input:AVERAGE:%8.1lf %sBps",
++ "GPRINT:input:MIN:%8.1lf %sBps",
++ "GPRINT:input:LAST:%8.1lf %sBps\\j",
++ "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"),
++ "GPRINT:output:MAX:%8.1lf %sBps",
++ "GPRINT:output:AVERAGE:%8.1lf %sBps",
++ "GPRINT:output:MIN:%8.1lf %sBps",
++ "GPRINT:output:LAST:%8.1lf %sBps\\j",
++ "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"),
++ "GPRINT:forward:MAX:%8.1lf %sBps",
++ "GPRINT:forward:AVERAGE:%8.1lf %sBps",
++ "GPRINT:forward:MIN:%8.1lf %sBps",
++ "GPRINT:forward:LAST:%8.1lf %sBps\\j",
++ "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
++ "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
++ "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
++ "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
++ "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
++ "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
+ "GPRINT:portscan:MAX:%8.1lf %sBps",
+ "GPRINT:portscan:MIN:%8.1lf %sBps",
+ "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
+ "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
++
++ "LINE1:input".$color{"color24"},
++ "LINE1:output".$color{"color25"},
++ "LINE1:forward".$color{"color23"},
++ "LINE1:newnotsyn".$color{"color14"},
++ "LINE1:portscan".$color{"color16"},
++
++
+ );
+ $ERROR = RRDs::error;
+ print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
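Review bot: The added `newnotsyn` rows print `MAX`, `MIN`, `AVERAGE`, `LAST`, while the legend header and the new `input`, `output` and `forward` rows use maximal, average, minimal, current, so the minimum and average of dropped NewNotSyn traffic appear under each other's heading. Swap the two lines so that `"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",` comes before `"GPRINT:newnotsyn:MIN:%8.1lf %sBps",`; the unchanged `portscan` rows have the same order and need the same swap. The commented-out `#"CDEF:amount=input",` inside the argument list can be dropped. updatefwhitsgraph starts outside the hunk.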
+diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
+index 67d9e19..e222d5c 100644
+--- a/config/collectd/collectd.conf
++++ b/config/collectd/collectd.conf
+@@ -23,7 +23,7 @@ LoadPlugin memory
+ LoadPlugin ping
+ LoadPlugin processes
+ LoadPlugin rrdtool
+-LoadPlugin sensors
++#LoadPlugin sensors
+ LoadPlugin swap
+ LoadPlugin syslog
+ #LoadPlugin wireless
+@@ -45,10 +45,11 @@ include "/etc/collectd.precache"
+ </Plugin>
+
+ <Plugin iptables>
+- Chain filter INPUT DROP_INPUT
+- Chain filter FORWARD DROP_OUTPUT
+ Chain filter PSCAN DROP_PScan
+ Chain filter NEWNOTSYN DROP_NEWNOTSYN
++ Chain filter POLICYFWD DROP_FORWARD
++ Chain filter POLICYOUT DROP_OUTPUT
++ Chain filter POLICYIN DROP_INPUT
+ </Plugin>
+
+ #<Plugin logfile>
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 55287dd..6e648e2 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -23,8 +23,8 @@ if [ "$POLICY" == "MODE1" ]; then
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+ else
+- /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE"
+- /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
++ /sbin/iptables -A POLICYFWD -j ACCEPT
+ fi
+
+ #OUTGOINGFW
+@@ -42,7 +42,7 @@ if [ "$POLICY1" == "MODE1" ]; then
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+ else
+- /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
++ /sbin/iptables -A POLICYOUT -j ACCEPT
+ fi
+ #INPUT
+ if [ "$FWPOLICY2" == "REJECT" ]; then
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 419344a..9425063 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -275,6 +275,9 @@ case "$1" in
+
+ /usr/sbin/firewall-policy
+
++ #Only for firewall Hits statistik
++ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ ;;
+ startovpn)
+ # run openvpn
+--
+1.7.10.4
+
--- /dev/null
+From 267c6c30f31f4238addf7b5ff34d56e7b5c6c50c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 15 Apr 2013 05:50:20 +0200
+Subject: [PATCH 211/302] Forward Firewall: enabled
+ /var/ipfire/optionsfw/settings in configroot
+
+---
+ config/rootfiles/common/configroot | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
+index 711dbcd..8e2144c 100644
+--- a/config/rootfiles/common/configroot
++++ b/config/rootfiles/common/configroot
+@@ -115,7 +115,7 @@ var/ipfire/net-traffic
+ #var/ipfire/nfs
+ #var/ipfire/nfs/nfs-server
+ var/ipfire/optionsfw
+-#var/ipfire/optionsfw/settings
++var/ipfire/optionsfw/settings
+ #var/ipfire/outgoing
+ #var/ipfire/outgoing/bin
+ #var/ipfire/outgoing/bin/outgoingfw.pl
+--
+1.7.10.4
+
--- /dev/null
+From c6774cfe3fb90644212003d6407b94d74f9c4922 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 15 Apr 2013 09:50:39 +0200
+Subject: [PATCH 212/302] Forward Firewall: added drop rules to firewall's
+ stop script so that collectd is working
+
+---
+ src/initscripts/init.d/firewall | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 9425063..993d58c 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -314,6 +314,13 @@ case "$1" in
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
++
++ #Only for firewall Hits statistik
++ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
++ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++
++
++
+ ;;
+ stopovpn)
+ # stop openvpn
+--
+1.7.10.4
+
--- /dev/null
+From b6a7b94354165dd75ccc3a3e0c2869156bb8f319 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 15 Apr 2013 12:00:35 +0200
+Subject: [PATCH 213/302] Forward Firewall: Firewall Hits graph now with
+ stacked values
+
+---
+ config/cfgroot/graphs.pl | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
+index 83cc60f..f8b182b 100644
+--- a/config/cfgroot/graphs.pl
++++ b/config/cfgroot/graphs.pl
+@@ -607,45 +607,36 @@ sub updatefwhitsgraph {
+ "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
+ "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
+ "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
+- #"CDEF:amount=input",
+ "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
+ "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
+ "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
+- "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"),
+- "GPRINT:input:MAX:%8.1lf %sBps",
+- "GPRINT:input:AVERAGE:%8.1lf %sBps",
+- "GPRINT:input:MIN:%8.1lf %sBps",
+- "GPRINT:input:LAST:%8.1lf %sBps\\j",
+ "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"),
+ "GPRINT:output:MAX:%8.1lf %sBps",
+ "GPRINT:output:AVERAGE:%8.1lf %sBps",
+ "GPRINT:output:MIN:%8.1lf %sBps",
+ "GPRINT:output:LAST:%8.1lf %sBps\\j",
+- "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"),
++ "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"),
+ "GPRINT:forward:MAX:%8.1lf %sBps",
+ "GPRINT:forward:AVERAGE:%8.1lf %sBps",
+ "GPRINT:forward:MIN:%8.1lf %sBps",
+ "GPRINT:forward:LAST:%8.1lf %sBps\\j",
+- "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
++ "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"),
++ "GPRINT:input:MAX:%8.1lf %sBps",
++ "GPRINT:input:AVERAGE:%8.1lf %sBps",
++ "GPRINT:input:MIN:%8.1lf %sBps",
++ "GPRINT:input:LAST:%8.1lf %sBps\\j",
++ "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
+ "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+ "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+ "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+ "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+- "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
++ "STACK:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
+ "GPRINT:portscan:MAX:%8.1lf %sBps",
+ "GPRINT:portscan:MIN:%8.1lf %sBps",
+ "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
+ "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+-
+- "LINE1:input".$color{"color24"},
+- "LINE1:output".$color{"color25"},
+- "LINE1:forward".$color{"color23"},
+- "LINE1:newnotsyn".$color{"color14"},
+- "LINE1:portscan".$color{"color16"},
+-
+-
+ );
+ $ERROR = RRDs::error;
+ print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
+--
+1.7.10.4
+
--- /dev/null
+From aa4e292c78c3bca7b56361615501eaeac41b7176 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 15 Apr 2013 15:02:50 +0200
+Subject: [PATCH 214/302] Forward Firewall: some changes in firewall script to
+ make collectd work
+
+---
+ config/collectd/collectd.conf | 2 +-
+ config/forwardfw/firewall-policy | 10 ++++++++--
+ src/initscripts/init.d/firewall | 8 ++++----
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
+index e222d5c..14dd568 100644
+--- a/config/collectd/collectd.conf
++++ b/config/collectd/collectd.conf
+@@ -23,7 +23,7 @@ LoadPlugin memory
+ LoadPlugin ping
+ LoadPlugin processes
+ LoadPlugin rrdtool
+-#LoadPlugin sensors
++LoadPlugin sensors
+ LoadPlugin swap
+ LoadPlugin syslog
+ #LoadPlugin wireless
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 6e648e2..9af835c 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -2,11 +2,15 @@
+
+ eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+ eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
++eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+
+ iptables -F POLICYFWD
+ iptables -F POLICYOUT
+ iptables -F POLICYIN
+-IFACE=`cat /var/ipfire/red/iface`
++
++if [ -f "/var/ipfire/red/iface" ]; then
++ IFACE=`cat /var/ipfire/red/iface`
++fi
+
+ #FORWARDFW
+ if [ "$POLICY" == "MODE1" ]; then
+@@ -23,7 +27,9 @@ if [ "$POLICY" == "MODE1" ]; then
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+ else
+- /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
++ if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
++ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
++ fi
+ /sbin/iptables -A POLICYFWD -j ACCEPT
+ fi
+
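Review bot: When `/var/ipfire/red/iface` is missing, `$IFACE` stays empty and the new guard skips the BLUE rule altogether, so the `-j ACCEPT` that follows forwards traffic from `blue0` to every interface without any error being printed. Keeping BLUE isolated when RED is unknown closes that gap, as sketched below, unless an earlier chain that is not visible here already handles it. The guard also tests `$BLUE_DEV` while the rule hard-codes `blue0`; using one of the two consistently would be clearer.

```shell
# … unchanged: MODE1 branch …
else
	if [ "$BLUE_DEV" ]; then
		if [ "$IFACE" ]; then
			/sbin/iptables -A POLICYFWD -i blue0 ! -o "$IFACE" -j DROP
		else
			# RED interface unknown: keep BLUE isolated instead of falling through to ACCEPT
			/sbin/iptables -A POLICYFWD -i blue0 -j DROP
		fi
	fi
	/sbin/iptables -A POLICYFWD -j ACCEPT
```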
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 993d58c..db964ad 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -120,8 +120,8 @@ iptables_red() {
+ fi
+
+ # Outgoing masquerading (don't masqerade IPSEC (mark 50))
+- /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+- /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
++ #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
++ #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ fi
+ }
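Review bot: Commenting out both REDNAT rules removes outgoing masquerading on `$IFACE`, which the commit message about collectd does not mention, and the `# Outgoing masquerading` comment above them now describes rules that are no longer installed. If this was a debugging leftover, restore the two lines; if it is intended, say so in the message and update the comment. iptables_red starts outside the hunk.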
+@@ -316,8 +316,8 @@ case "$1" in
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ #Only for firewall Hits statistik
+- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
++ #/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
++ #/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+
+
+
+--
+1.7.10.4
+
--- /dev/null
+From 5270e0a8571f3ef079c4795a879d140ca7485848 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 15 Apr 2013 20:29:15 +0200
+Subject: [PATCH 215/302] Forward Firewall: rules for collectd now in
+ firewall-policy instead of /etc/init.d/firewall
+
+---
+ config/forwardfw/firewall-policy | 4 ++++
+ src/initscripts/init.d/firewall | 10 ----------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 9af835c..0a5cd14 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -31,6 +31,7 @@ else
+ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
+ fi
+ /sbin/iptables -A POLICYFWD -j ACCEPT
++ /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ fi
+
+ #OUTGOINGFW
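Review bot: The added `-j DROP` rule sits directly after `-A POLICYFWD -j ACCEPT`, so no packet reaches it; it appears to exist only so that collectd finds a rule carrying the `DROP_FORWARD` comment, and the `POLICYOUT` rule in the next hunk follows the same pattern. Nothing in the script says so, which invites someone to delete it as dead code or to move it above the ACCEPT and turn the open policy into drop-all. Add a comment above each, for example `# never matched: placeholder so collectd's DROP_FORWARD counter exists in ACCEPT mode`.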
+@@ -49,6 +50,7 @@ if [ "$POLICY1" == "MODE1" ]; then
+ fi
+ else
+ /sbin/iptables -A POLICYOUT -j ACCEPT
++ /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+ fi
+ #INPUT
+ if [ "$FWPOLICY2" == "REJECT" ]; then
+@@ -63,3 +65,5 @@ if [ "$FWPOLICY2" == "DROP" ]; then
+ fi
+ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ fi
++
++exit 0
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index db964ad..dee7d92 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -274,10 +274,6 @@ case "$1" in
+ /sbin/iptables -A OUTPUT -j POLICYOUT
+
+ /usr/sbin/firewall-policy
+-
+- #Only for firewall Hits statistik
+- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ ;;
+ startovpn)
+ # run openvpn
+@@ -315,12 +311,6 @@ case "$1" in
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+- #Only for firewall Hits statistik
+- #/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+- #/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+-
+-
+-
+ ;;
+ stopovpn)
+ # stop openvpn
+--
+1.7.10.4
+
--- /dev/null
+From d93146af0bee75e340480ba66b169537ee307ad0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 17 Apr 2013 12:02:13 +0200
+Subject: [PATCH 216/302] Forward Firewall: 0.9.9.4a - Bugfix typo in
+ firewallscript, DMZ Link on startpage now leads to
+ firewall instead of dmzpinholes
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ html/cgi-bin/index.cgi | 2 +-
+ src/initscripts/init.d/firewall | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7bd3fa5..ef9264c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.4';
++my $VERSION='0.9.9.4a';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
+index ea19e26..03ef367 100644
+--- a/html/cgi-bin/index.cgi
++++ b/html/cgi-bin/index.cgi
+@@ -341,7 +341,7 @@ END
+ } else { print $Lang::tr{'advproxy off'}; }
+ }
+ if ( $netsettings{'ORANGE_DEV'} ) { print <<END;
+- <tr><td align='center' bgcolor='$Header::colourorange' width='25%'><a href="/cgi-bin/dmzholes.cgi"><font size='2' color='white'><b>$Lang::tr{'dmz'}</b></font></a><br>
++ <tr><td align='center' bgcolor='$Header::colourorange' width='25%'><a href="/cgi-bin/forwardfw.cgi"><font size='2' color='white'><b>$Lang::tr{'dmz'}</b></font></a><br>
+ <td width='30%' align='center'>$netsettings{'ORANGE_ADDRESS'}
+ <td width='45%' align='center'><font color=$Header::colourgreen>Online</font>
+ END
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index dee7d92..b7a2b0a 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -120,8 +120,8 @@ iptables_red() {
+ fi
+
+ # Outgoing masquerading (don't masqerade IPSEC (mark 50))
+- #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+- #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
++ /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
++ /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ fi
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 4ab54978edee8dea7bc5bac5008e28a87f2e51f4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 19 Apr 2013 13:12:56 +0200
+Subject: [PATCH 217/302] Forward Firewall: added some plausi checks. Now it
+ is checked if someone enters an manual ip address
+ that is a openvpn client. The colors are set
+ correctly in ruletable when someone enters a manual
+ ip which belongs to an IPsec Network, IPsec
+ Roadwarrior (if iprange set) or openvpn n2n
+
+---
+ html/cgi-bin/forwardfw.cgi | 114 ++++++++++++++++++++++++++++++++++++++++----
+ langs/de/cgi-bin/de.pl | 2 +
+ langs/en/cgi-bin/en.pl | 2 +
+ 3 files changed, 109 insertions(+), 9 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index ef9264c..e074047 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.4a';
++my $VERSION='0.9.9.5';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -107,7 +107,9 @@ my @protocols;
+ &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+ &General::readhash($fwoptions, \%optionsfw);
+ &General::readhash($ifacesettings, \%ifaces);
+-
++&General::readhash("$configovpn", \%ovpnsettings);
++&General::readhash("$configipsecrw", \%ipsecsettings);
++&General::readhasharray("$configipsec", \%ipsecconf);
+ &Header::showhttpheaders();
+ &Header::getcgihash(\%fwdfwsettings);
+ &Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
+@@ -656,7 +658,6 @@ sub changerule
+ sub checksource
+ {
+ my ($ip,$subnet);
+-
+ #check ip-address if manual
+ if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
+ #check if ip with subnet
+@@ -676,6 +677,11 @@ sub checksource
+ if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
+ }
+ if ($fwdfwsettings{'isip'} eq 'on'){
++ ##check if ip is valid
++ if (! &General::validip($ip)){
++ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
++ return $errormessage;
++ }
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+@@ -684,15 +690,24 @@ sub checksource
+ if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+ {
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
++ return $errormessage;
++ }
++ #check if the ip is part of an existing openvpn client/net or ipsec network
++ #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
++ if (! &checkvpn($ip)){
++ $errormessage=$Lang::tr{'fwdfw err srcovpn'};
++ return $errormessage;
++ }else{
++ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+ }
+- $fwdfwsettings{'src_addr'}="$ip/$subnet";
+-
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
++ return $errormessage;
+ }
+ }
+ if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
++ return $errormessage;
+ }
+ }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
+ $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
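Review bot: `checkvpn($ip)` in the added block receives only the host part of the manual source address, so the `$subnet` that ends up in `src_addr` is never compared with the static OpenVPN networks. An address outside every CCD net, but with a mask wide enough to cover one, would pass as far as this hunk shows and still yield a rule that spans VPN clients. Consider testing the entered network for overlap rather than a single address, or at least record the limit with `# NOTE: only the base address is tested, not the entered subnet`. The same call pattern is added to checktarget in hunk `@@ -807,13 +827,25 @@`, and both new messages are assigned with `=` and lack the trailing `<br>` that the neighbouring errors carry. checksource starts and ends outside this hunk.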
+@@ -761,8 +776,8 @@ sub checksource
+ }
+ }
+ $fwdfwsettings{'SRC_PORT'}=join("|",@values);
+- return $errormessage;
+ }
++ return $errormessage;
+ }
+ sub checktarget
+ {
+@@ -773,6 +788,7 @@ sub checktarget
+ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+ if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ return $errormessage;
+ }
+ #check if manual ip is a single Host (if set)
+ if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
+@@ -781,19 +797,23 @@ sub checktarget
+ if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
+ {
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
++ return $errormessage;
+ }
+ }
+ #check if Port is a single Port or portrange
+ if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ return $errormessage;
+ }
+ if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ return $errormessage;
+ }
+ }
+ }else{
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
++ return $errormessage;
+ }
+ }
+ if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
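Review bot: The new `return $errormessage;` after the first port check turns the tautology in its condition into an early exit. `$fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP'` is true for every protocol, so the branch fires whenever `TGT_PORT` is empty. If the intent was "neither TCP nor UDP", the test should read `if ($fwdfwsettings{'TGT_PROT'} ne 'TCP' && $fwdfwsettings{'TGT_PROT'} ne 'UDP' && $fwdfwsettings{'TGT_PORT'} eq ''){`. If an empty port is always an error for DNAT, drop the protocol test so the code says so. The condition itself is an unchanged context line, and checktarget continues outside this hunk.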
+@@ -807,13 +827,25 @@ sub checktarget
+ $ip=$fwdfwsettings{'tgt_addr'};
+ $subnet='32';
+ }
++ #check if ip is valid
++ if (! &General::validip($ip)){
++ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
++ return $errormessage;
++ }
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+-
+- $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
++ #check if the ip is part of an existing openvpn client/net or ipsec network
++ #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
++ if (! &checkvpn($ip)){
++ $errormessage=$Lang::tr{'fwdfw err tgtovpn'};
++ return $errormessage;
++ }else{
++ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
++ }
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
++ return $errormessage;
+ }
+ }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
+ $errormessage.=$Lang::tr{'fwdfw err notgtip'};
+@@ -840,6 +872,7 @@ sub checktarget
+ if ($fwdfwsettings{'TGT_PORT'} ne ''){
+ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') {
+ $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
++ return $errormessage;
+ }
+ my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
+ my @values=();
+@@ -900,7 +933,6 @@ sub checktarget
+ }
+ }
+ }
+-
+ #check targetport
+ if ($fwdfwsettings{'USESRV'} ne 'ON'){
+ $fwdfwsettings{'grp3'}='';
+@@ -911,6 +943,7 @@ sub checktarget
+ if($fwdfwsettings{'TIME'} eq 'ON'){
+ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw err time'};
++ return $errormessage;
+ }
+ }
+ return $errormessage;
+@@ -1077,6 +1110,32 @@ sub checkcounter
+ &inc_counter($configsrvgrp,\%customservicegrp,$val2);
+ }
+ }
++sub checkvpn
++{
++ my $ip=shift;
++ #Test if manual IP is part of static OpenVPN networks
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ foreach my $key (sort keys %ccdnet){
++ my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]);
++ my $sub=&General::iporsubtodec($vpnsubnet);
++ if (&General::IpInSubnet($ip,$vpnip,$sub)){
++ return 0;
++ }
++ }
++ # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor
++ # because if one creates a custom host with the ip, we need to check the color there!
++ # It does not make sense to check this here
++
++ # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here
++ # Is also checked in getcolor
++
++ # Test if manual ip is part of an IPsec Network is also checked in getcolor
++ return 1;
++}
++sub checkvpncolor
++{
++
++}
+ sub deleterule
+ {
+ my %delhash=();
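Review bot: checkvpn has an inverted and undocumented return convention: it returns 0 when the address lies inside a static OpenVPN network and 1 when it does not, which a reader can only infer from the `! &checkvpn($ip)` call sites. A header comment such as `# Returns 1 if $ip is outside every static OpenVPN (CCD) network, 0 if it falls inside one.` would make the helper safe to reuse. The result of `split ("/",$ccdnet{$key}[1])` is used without checking that a mask was present, so a malformed entry reaches `General::iporsubtodec` as undef. Adding `next unless defined $vpnsubnet;` would skip such entries. The empty `checkvpncolor` stub is dead code and could be left out until it has a body.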
+@@ -1432,6 +1491,33 @@ sub getcolor
+ my $val=shift;
+ my $hash=shift;
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ #Check if a manual IP is part of a VPN
++ if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){
++ #Check if IP is part of OpenVPN dynamic subnet
++ my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
++ my ($c,$d) = split("/",$val);
++ if (&General::IpInSubnet($c,$a,$b)){
++ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ return;
++ }
++ #Check if IP is part of IPsec RW network
++ if ($ipsecsettings{'RW_NET'} ne ''){
++ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'});
++ $b=&General::iporsubtodec($b);
++ if (&General::IpInSubnet($c,$a,$b)){
++ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ return;
++ }
++ }
++ #Check if IP is part of a IPsec N2N network
++ foreach my $key (sort keys %ipsecconf){
++ my ($a,$b) = split("/",$ipsecconf{$key}[11]);
++ if (&General::IpInSubnet($c,$a,$b)){
++ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ return;
++ }
++ }
++ }
+ #VPN networks
+ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
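Review bot: The OpenVPN dynamic-subnet test runs without the emptiness guard that the IPsec roadwarrior test below it has, so with `DOVPN_SUBNET` unset `General::IpInSubnet` is called with undefined network and mask. How that helper treats empty arguments is not visible here; if it matches everything, every manual address would be outlined as VPN and the rule table would mislead the administrator reading it. Wrapping the block in `if ($ovpnsettings{'DOVPN_SUBNET'} ne ''){ ... }` mirrors the `RW_NET` check. The mask passes through `General::iporsubtodec` only in the roadwarrior branch, so it is worth confirming that the other two sources always store the mask in the form `IpInSubnet` expects. `my ($a,$b)` also shadows Perl's sort variables; names such as `$net` and `$mask` avoid surprises if a sort block is later added in this scope.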
+@@ -1460,29 +1546,39 @@ sub getcolor
+ #standard networks
+ if ($val eq 'GREEN'){
+ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ return;
+ }elsif ($val eq 'ORANGE'){
+ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ return;
+ }elsif ($val eq 'BLUE'){
+ $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ return;
+ }elsif ($val eq 'RED'){
+ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
+ }elsif ($val eq 'IPFire' ){
+ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
+ }elsif($val =~ /^(.*?)\/(.*?)$/){
+ my ($sip,$scidr) = split ("/",$val);
+ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ return;
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ return;
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+ $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ return;
+ }
+ }elsif ($val eq 'Default IP'){
+ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
+ }else{
+ $tdcolor='';
++ return;
+ }
+ }
+ }
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index bcaf89d..711f8b7 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -906,11 +906,13 @@
+ 'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen',
+ 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
+ 'fwdfw err src_addr' => 'Quell-MAC/IP ungültig',
++'fwdfw err srcovpn' => 'Quell-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+ 'fwdfw err same' => 'Quelle und Ziel sind identisch',
+ 'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz',
+ 'fwdfw err srcport' => 'Bitte Quellport angeben',
+ 'fwdfw err tgtport' => 'Bitte Zielport angeben',
+ 'fwdfw err tgt_addr' => 'Ziel-IP ungültig',
++'fwdfw err tgtovpn' => 'Ziel-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+ 'fwdfw err tgt_port' => 'Ziel Port ungültig',
+ 'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden',
+ 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 99b029a..667c36d 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -929,11 +929,13 @@
+ 'fwdfw err remark' => 'Invalid chars in remark.',
+ 'fwdfw err ruleexists' => 'This rule already exists.',
+ 'fwdfw err src_addr' => 'Invalid source MAC/IP.',
++'fwdfw err srcovpn' => 'Source-IP is an OpenVPN client. Please use dropdown for selection',
+ 'fwdfw err same' => 'Identical source and target',
+ 'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
+ 'fwdfw err srcport' => 'Please provide source port.',
+ 'fwdfw err tgtport' => 'Please provide target port.',
+ 'fwdfw err tgt_addr' => 'Invalid target IP-address.',
++'fwdfw err tgtovpn' => 'Target-IP is an OpenVPN client. Please use dropdown for selection',
+ 'fwdfw err tgt_port' => 'Invalid target port',
+ 'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.',
+ 'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+--
+1.7.10.4
+
--- /dev/null
+From a2b3a85b3edd4d3d5775729df678276833d070cb Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 23 Apr 2013 14:14:58 +0200
+Subject: [PATCH 218/302] Forward Firewall: rewrote portcheck routine in
+ ovpnmain so that checks for portforwardingports are
+ made against /var/ipfire/forward/nat instead of
+ /var/ipfire/portfw/config
+
+---
+ html/cgi-bin/ovpnmain.cgi | 90 ++++++++++++---------------------------------
+ 1 file changed, 23 insertions(+), 67 deletions(-)
+
+diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
+index cbaecd9..4462e2c 100644
+--- a/html/cgi-bin/ovpnmain.cgi
++++ b/html/cgi-bin/ovpnmain.cgi
+@@ -180,49 +180,31 @@ sub deletebackupcert
+ unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
+ }
+ }
+-
+ sub checkportfw {
+- my $KEY2 = $_[0]; # key2
+- my $SRC_PORT = $_[1]; # src_port
+- my $PROTOCOL = $_[2]; # protocol
+- my $SRC_IP = $_[3]; # sourceip
+-
+- my $pfwfilename = "${General::swroot}/portfw/config";
+- open(FILE, $pfwfilename) or die 'Unable to open config file.';
+- my @pfwcurrent = <FILE>;
+- close(FILE);
+- my $pfwkey1 = 0; # used for finding last sequence number used
+- foreach my $pfwline (@pfwcurrent)
+- {
+- my @pfwtemp = split(/\,/,$pfwline);
+-
+- chomp ($pfwtemp[8]);
+- if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
+- if ( $SRC_PORT eq $pfwtemp[3] &&
+- $PROTOCOL eq $pfwtemp[2] &&
+- $SRC_IP eq $pfwtemp[7])
+- {
+- $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
+- }
+- # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
+- if ( $pfwtemp[1] eq "0") {
+- $pfwkey1=$pfwtemp[0];
+- }
+- # Darren Critchley - Duplicate or overlapping Port range check
+- if ($pfwtemp[1] eq "0" &&
+- $PROTOCOL eq $pfwtemp[2] &&
+- $SRC_IP eq $pfwtemp[7] &&
+- $errormessage eq '')
+- {
+- &portchecks($SRC_PORT, $pfwtemp[5]);
+-# &portchecks($pfwtemp[3], $pfwtemp[5]);
+-# &portchecks($pfwtemp[3], $SRC_IP);
++ my $DPORT = shift;
++ my $DPROT = shift;
++ my %natconfig =();
++ my $confignat = "${General::swroot}/forward/nat";
++ $DPROT= uc ($DPROT);
++ &General::readhasharray($confignat, \%natconfig);
++ foreach my $key (sort keys %natconfig){
++ $errormessage .= "uzlputz: $natconfig{$key}[30] und $natconfig{$key}[12]<br>";
++ my @portarray = split (/\|/,$natconfig{$key}[30]);
++ foreach my $value (@portarray){
++ $errormessage .= "uzlputz -split portaray: $value<br>";
++ if ($value =~ /:/i){
++ my ($a,$b) = split (":",$value);
++ if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
++ $errormessage= "$Lang::tr{'source port in use'} $DPORT";
++ }
++ }else{
++ if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
++ $errormessage= "$Lang::tr{'source port in use'} $DPORT";
++ }
++ }
+ }
+ }
+- }
+-# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
+-
+- return;
++ return;
+ }
+
+ sub checkportoverlap
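Review bot: The range test `$DPORT gt $a && $DPORT lt $b` in the new checkportfw compares port numbers as strings and excludes both endpoints, so a conflict with an existing forward can go undetected. With a constructed range `80:443`, port `100` is not reported because `"100" gt "80"` is false, and ports 80 and 443 themselves never match. Use numeric, inclusive operators: `if ($DPROT eq $natconfig{$key}[12] && $DPORT >= $a && $DPORT <= $b){`. The two `uzlputz` debug lines append to `$errormessage` for every NAT rule, so the caller's `if ($errormessage) { goto SETTINGS_ERROR; }` fires whenever any rule exists. They also echo stored config fields into HTML unescaped, and the next patch in the series removes them.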
+@@ -254,32 +236,6 @@ sub checkportinc
+ return 0;
+ }
+ }
+-# Darren Critchley - Duplicate or overlapping Port range check
+-sub portchecks
+-{
+- my $p1 = $_[0]; # New port range
+- my $p2 = $_[1]; # existing port range
+-# $_ = $_[0];
+- our ($prtrange1, $prtrange2);
+- $prtrange1 = 0;
+-# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
+-# unless (&checkportoverlap($p1,$p2)) {
+-# $errormessage = "$Lang::tr{'source port overlaps'} $p1";
+-# }
+-# }
+- if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($p2,$p1)) {
+- $errormessage = "$Lang::tr{'srcprt within existing'} $p1";
+- }
+- }
+- $prtrange1 = 1;
+- if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
+- unless (&checkportinc($p1,$p2)) {
+- $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
+- }
+- }
+- return;
+-}
+
+ # Darren Critchley - certain ports are reserved for IPFire
+ # TCP 67,68,81,222,445
+@@ -1155,7 +1111,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
+
+
+ if ($cgiparams{'ENABLED'} eq 'on'){
+- &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
++ &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
+ }
+
+ if ($errormessage) { goto SETTINGS_ERROR; }
+--
+1.7.10.4
+
--- /dev/null
+From 8d4147b6a4ad70e52b83696de23f7d9995089091 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 23 Apr 2013 14:21:52 +0200
+Subject: [PATCH 219/302] Forward Firewall: removed devel-tags
+
+---
+ html/cgi-bin/ovpnmain.cgi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
+index 4462e2c..db2f913 100644
+--- a/html/cgi-bin/ovpnmain.cgi
++++ b/html/cgi-bin/ovpnmain.cgi
+@@ -188,10 +188,8 @@ sub checkportfw {
+ $DPROT= uc ($DPROT);
+ &General::readhasharray($confignat, \%natconfig);
+ foreach my $key (sort keys %natconfig){
+- $errormessage .= "uzlputz: $natconfig{$key}[30] und $natconfig{$key}[12]<br>";
+ my @portarray = split (/\|/,$natconfig{$key}[30]);
+ foreach my $value (@portarray){
+- $errormessage .= "uzlputz -split portaray: $value<br>";
+ if ($value =~ /:/i){
+ my ($a,$b) = split (":",$value);
+ if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
+--
+1.7.10.4
+
--- /dev/null
+From 6ab935bb25ee18710da2093239ac78a8a8567c78 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 24 Apr 2013 11:49:11 +0200
+Subject: [PATCH 220/302] Forward Firewall: if ipsec rw net is set to green
+ subnet, the rules are colored green instead of
+ purple
+
+---
+ html/cgi-bin/forwardfw.cgi | 75 ++++++++++++++++++++++----------------------
+ 1 file changed, 37 insertions(+), 38 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index e074047..922297d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -77,7 +77,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.5';
++my $VERSION='0.9.9.6';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -1491,6 +1491,40 @@ sub getcolor
+ my $val=shift;
+ my $hash=shift;
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
++ #standard networks
++ if ($val eq 'GREEN'){
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ return;
++ }elsif ($val eq 'ORANGE'){
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ return;
++ }elsif ($val eq 'BLUE'){
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ return;
++ }elsif ($val eq 'RED'){
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
++ }elsif ($val eq 'IPFire' ){
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
++ }elsif($val =~ /^(.*?)\/(.*?)$/){
++ my ($sip,$scidr) = split ("/",$val);
++ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ return;
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ return;
++ }
++ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
++ $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ return;
++ }
++ }elsif ($val eq 'Default IP'){
++ $tdcolor="style='border: 1px solid $Header::colourred;'";
++ return;
++ }
+ #Check if a manual IP is part of a VPN
+ if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){
+ #Check if IP is part of OpenVPN dynamic subnet
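Review bot: The three zone tests moved to the top of getcolor call `General::IpInSubnet` with `$netsettings{'ORANGE_ADDRESS'}` and `$netsettings{'BLUE_ADDRESS'}` whether or not those zones exist, and they now run before the VPN checks. `IpInSubnet` is not visible here; if an empty address and netmask match every address, a system without an ORANGE zone would outline every CIDR value in orange and never reach the VPN colouring. Guarding each test, for example `if ($netsettings{'ORANGE_DEV'} && &General::IpInSubnet(...))`, removes the doubt. The captures in `$val =~ /^(.*?)\/(.*?)$/` are unused because the next line splits again, so `index($val,'/') >= 0` or reusing `$1` would be clearer. getcolor starts before this hunk.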
+@@ -1543,44 +1577,9 @@ sub getcolor
+ return;
+ }
+ }
+- #standard networks
+- if ($val eq 'GREEN'){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+- return;
+- }elsif ($val eq 'ORANGE'){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+- return;
+- }elsif ($val eq 'BLUE'){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+- return;
+- }elsif ($val eq 'RED'){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
+- return;
+- }elsif ($val eq 'IPFire' ){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
+- return;
+- }elsif($val =~ /^(.*?)\/(.*?)$/){
+- my ($sip,$scidr) = split ("/",$val);
+- if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
+- return;
+- }
+- if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+- return;
+- }
+- if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
+- return;
+- }
+- }elsif ($val eq 'Default IP'){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
+- return;
+- }else{
+- $tdcolor='';
+- return;
+- }
+ }
++ $tdcolor='';
++ return;
+ }
+ sub hint
+ {
+--
+1.7.10.4
+
--- /dev/null
+From c01c39767f2f50edfaecbcad68e2a0f0c670f654 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 26 Apr 2013 10:24:34 +0200
+Subject: [PATCH 221/302] Forward Firewall: changed sort-order to
+ Sort::Naturally. This Perl Module will be available
+ since core 68.
+
+---
+ html/cgi-bin/forwardfw.cgi | 26 +++++++++++++-------------
+ html/cgi-bin/fwhosts.cgi | 31 ++++++++++++++++---------------
+ html/cgi-bin/ovpnmain.cgi | 12 ++++++------
+ html/cgi-bin/vpnmain.cgi | 4 ++--
+ 4 files changed, 37 insertions(+), 36 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 922297d..e9c051b 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -31,6 +31,7 @@
+ ###############################################################################
+
+ use strict;
++use Sort::Naturally;
+ no warnings 'uninitialized';
+ # enable only the following on debugging purpose
+ #use warnings;
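Review bot: `use Sort::Naturally;` makes a non-core module a compile-time requirement of forwardfw.cgi, yet the diffstat for this patch touches only the four CGI files and no packaging or rootfiles entry. The subject line says the module arrives with core 68. On any system where it is missing, the `use` fails before the script runs and the firewall pages cannot be opened at all, so the package dependency should land in the same change or earlier. Importing only what is used, `use Sort::Naturally qw(ncmp);`, also documents where `ncmp` comes from. The same line is added to fwhosts.cgi in hunk `@@ -26,6 +27,7 @@`.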
+@@ -1188,7 +1189,6 @@ sub dec_counter
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $pos;
+- #$errormessage.="ALT:config: $config , verringert wird $val <br>";
+ &General::readhasharray($config, \%hash);
+ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+@@ -1213,7 +1213,7 @@ sub fillselect
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $key;
+- foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
++ foreach my $key (sort { ncmp($hash{$a}[0],$hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+ print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
+ }else{
+@@ -1275,7 +1275,7 @@ END
+ #custom groups
+ if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+ print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='width:200px;'>";
+- foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } keys %customgrp) {
++ foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } keys %customgrp) {
+ if($helper ne $customgrp{$key}[0]){
+ print"<option ";
+ print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $customgrp{$key}[0]);
+@@ -1294,7 +1294,7 @@ END
+ print"</select></td></tr>";
+ }
+ #OVPN CCD Hosts
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
++ foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){
+ if ($ccdhost{$key}[33] ne '' ){
+ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+@@ -1308,7 +1308,7 @@ END
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #OVPN N2N
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost){
++ foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){
+ if ($ccdhost{$key}[3] eq 'net'){
+ print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
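Review bot: The sort key for the OpenVPN N2N list changes from `$ccdhost{...}[0]` to `$ccdhost{...}[1]` on top of the switch to `ncmp`, which the commit message about Sort::Naturally does not mention. If field 1 is the connection name this is probably intended, but the record layout is not visible in this hunk, so please confirm it and note the reason, for example `# sort N2N connections by name (field 1)`. The CCD hosts loop just above still sorts on field 0 over the same hash. fwhosts.cgi gets the identical index change in hunk `@@ -1220,7 +1221,7 @@`.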
+@@ -1322,7 +1322,7 @@ END
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #IPsec netze
+- foreach my $key (sort { uc($ipsecconf{$a}[1]) cmp uc($ipsecconf{$b}[1]) } keys %ipsecconf) {
++ foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
+ if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+ print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+@@ -1448,15 +1448,15 @@ sub get_serviceports
+ my $icmp;
+ @protocols=();
+ if($type eq 'service'){
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){
+ if ($customservice{$key}[0] eq $name){
+ push (@protocols,$customservice{$key}[2]);
+ }
+ }
+ }elsif($type eq 'group'){
+- foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){
+ if ($customservicegrp{$key}[0] eq $name){
+- foreach my $key1 (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ foreach my $key1 (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){
+ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
+ if($customservice{$key1}[2] eq 'TCP'){
+ $tcp='TCP';
+@@ -1784,7 +1784,7 @@ END
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+- foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) } keys %icmptypes){
++ foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) } keys %icmptypes){
+ if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0]"){
+ print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+ }else{
+@@ -1826,7 +1826,7 @@ END
+ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0]) } keys %customservice){
++ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){
+ print"<option ";
+ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]);
+ print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>";
+@@ -1837,7 +1837,7 @@ END
+ END
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $helper;
+- foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } keys %customservicegrp){
++ foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){
+ if ($helper ne $customservicegrp{$key}[0]){
+ print"<option ";
+ print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservicegrp{$key}[0]);
+@@ -1865,7 +1865,7 @@ END
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+- foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) }keys %icmptypes){
++ foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){
+ if($fwdfwsettings{'ICMP_TGT'} eq "$icmptypes{$key}[0]"){
+ print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+ }else{
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 0283f5c..c984ee0 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -26,6 +26,7 @@ use strict;
+
+ # enable only the following on debugging purpose
+ use warnings;
++use Sort::Naturally;
+ use CGI::Carp 'fatalsToBrowser';
+ no warnings 'uninitialized';
+ require '/var/ipfire/general-functions.pl';
+@@ -1185,14 +1186,14 @@ END
+ print"</select></td></tr>";
+ if (! -z $confignet){
+ print"<tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>";
+- foreach my $key (sort { uc($customnetwork{$a}[0]) cmp uc($customnetwork{$b}[0]) } keys %customnetwork) {
++ foreach my $key (sort { ncmp($customnetwork{$a}[0],$customnetwork{$b}[0]) } keys %customnetwork) {
+ print"<option>$customnetwork{$key}[0]</option>";
+ }
+ print"</select></td></tr>";
+ }
+ if (! -z $confighost){
+ print"<tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>";
+- foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0]) } keys %customhost) {
++ foreach my $key (sort { ncmp($customhost{$a}[0],$customhost{$b}[0]) } keys %customhost) {
+ print"<option>$customhost{$key}[0]</option>";
+ }
+ print"</select></td></tr>";
+@@ -1203,14 +1204,14 @@ END
+ #OVPN networks
+ if (! -z $configccdnet){
+ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>";
+- foreach my $key (sort { uc($ccdnet{$a}[0]) cmp uc($ccdnet{$b}[0]) } keys %ccdnet)
++ foreach my $key (sort { ncmp($ccdnet{$a}[0],$ccdnet{$b}[0]) } keys %ccdnet)
+ {
+ print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
+ }
+ print"</select></td></tr>";
+ }
+ #OVPN clients
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost)
++ foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost)
+ {
+ if ($ccdhost{$key}[33] ne ''){
+ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>" if ($show eq '');
+@@ -1220,7 +1221,7 @@ END
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #OVPN n2n networks
+- foreach my $key (sort { uc($ccdhost{$a}[0]) cmp uc($ccdhost{$b}[0]) } keys %ccdhost) {
++ foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost) {
+ if($ccdhost{$key}[3] eq 'net'){
+ print"<td width='1%'><input type='radio' name='grp2' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
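Review bot: The n2n loop now sorts `%ccdhost` on field `[1]`, while the OVPN clients loop in the previous hunk sorts the same hash on `[0]`, and nothing in the hunk explains why the key changed along with the move to `ncmp`. If `[1]` is the connection name shown in the `<select>`, a short comment such as `# sort by connection name ([1]); [0] is the on/off flag` would record that. The field meanings are inferred from the ovpnmain.cgi hunk further down, so confirm them. The loop body continues outside the hunk.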
+@@ -1229,7 +1230,7 @@ END
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #IPsec networks
+- foreach my $key (sort { uc($ipsecconf{$a}[0]) cmp uc($ipsecconf{$b}[0]) } keys %ipsecconf) {
++ foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
+ if ($ipsecconf{$key}[3] eq 'net'){
+ print"<td valign='top'><input type='radio' name='grp2' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
+@@ -1276,7 +1277,7 @@ END
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+ print"<option>All ICMP-Types</option>";
+- foreach my $key (sort { uc($icmptypes{$a}[0]) cmp uc($icmptypes{$b}[0]) }keys %icmptypes){
++ foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){
+ print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+ }
+
+@@ -1338,7 +1339,7 @@ END
+ <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'>
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice)
++ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice)
+ {
+ print "<option>$customservice{$key}[0]</option>";
+ }
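Review bot: Dropping the `|| $a <=> $b` tie-break means two services whose names compare equal under `ncmp` are now emitted in hash order, which can differ between requests. Keeping the numeric key as a secondary comparison restores a deterministic list: `sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) || $a <=> $b } keys %customservice`. The same tie-break is removed in viewtablehost, viewtableservice and the outer loop of viewtableservicegrp.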
+@@ -1372,7 +1373,7 @@ sub viewtablenet
+ END
+ }
+ my $count=0;
+- foreach my $key (sort {$a <=> $b} keys %customnetwork) {
++ foreach my $key (sort {ncmp($a,$b)} keys %customnetwork) {
+ if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count % 2)
+@@ -1420,7 +1421,7 @@ sub viewtablehost
+ END
+ }
+ my $count=0;
+- foreach my $key (sort { uc($customhost{$a}[0]) cmp uc($customhost{$b}[0])|| $a <=> $b } keys %customhost) {
++ foreach my $key (sort { ncmp ($customhost{$a}[0],$customhost{$b}[0])} keys %customhost) {
+ if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) {
+ print" <tr bgcolor='${Header::colouryellow}'>";
+ }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
+@@ -1470,11 +1471,11 @@ sub viewtablegrp
+ {
+ print "<center><b>$Lang::tr{'fwhost empty'}</b>";
+ }else{
+- foreach my $key (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
++ foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp ($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){
+ $count++;
+ if ($helper ne $customgrp{$key}[0]){
+ $delflag='0';
+- foreach my $key1 (sort { uc($customgrp{$a}[0]) cmp uc($customgrp{$b}[0]) } sort { uc($customgrp{$a}[2]) cmp uc($customgrp{$b}[2]) } keys %customgrp){
++ foreach my $key1 (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){
+ if ($customgrp{$key}[0] eq $customgrp{$key1}[0])
+ {
+ $delflag++;
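Review bot: Both loops chain two `sort` calls and depend on the outer sort being stable to keep the `[2]` ordering inside equal `[0]` names; perl only documents that guarantee under `use sort 'stable'`. A single comparator states the intent directly: `sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) || ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp`. As far as the hunk shows, the inner `$key1` loop only counts matching names, so it could walk `keys %customgrp` unsorted instead of re-sorting the hash for every group. The inner loop of viewtableservicegrp uses the same chained form.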
+@@ -1545,7 +1546,7 @@ sub viewtableservice
+ <table width='100%' border='0' cellspacing='0'>
+ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
+ END
+- foreach my $key (sort { uc($customservice{$a}[0]) cmp uc($customservice{$b}[0])|| $a <=> $b } keys %customservice)
++ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice)
+ {
+ $count++;
+ if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) {
+@@ -1588,11 +1589,11 @@ sub viewtableservicegrp
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ &General::readhasharray("$configsrv", \%customservice);
+ my $number= keys %customservicegrp;
+- foreach my $key (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0])|| $a <=> $b } keys %customservicegrp){
++ foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){
+ $count++;
+ if ($helper ne $customservicegrp{$key}[0]){
+ $delflag=0;
+- foreach my $key1 (sort { uc($customservicegrp{$a}[0]) cmp uc($customservicegrp{$b}[0]) } sort { uc($customservicegrp{$a}[2]) cmp uc($customservicegrp{$b}[2]) } keys %customservicegrp){
++ foreach my $key1 (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } sort { ncmp($customservicegrp{$a}[2],$customservicegrp{$b}[2]) } keys %customservicegrp){
+ if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0])
+ {
+ $delflag++;
+diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
+index db2f913..c228adc 100644
+--- a/html/cgi-bin/ovpnmain.cgi
++++ b/html/cgi-bin/ovpnmain.cgi
+@@ -2,7 +2,7 @@
+ ###############################################################################
+ # #
+ # IPFire.org - A linux based firewall #
+-# Copyright (C) 2007-2011 IPFire Team <info@ipfire.org> #
++# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
+ # #
+ # This program is free software: you can redistribute it and/or modify #
+ # it under the terms of the GNU General Public License as published by #
+@@ -30,6 +30,7 @@ use File::Copy;
+ use File::Temp qw/ tempfile tempdir /;
+ use strict;
+ use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
++use Sort::Naturally;
+ require '/var/ipfire/general-functions.pl';
+ require "${General::swroot}/lang.pl";
+ require "${General::swroot}/header.pl";
+@@ -4836,11 +4837,10 @@ END
+ </tr>
+ END
+ ;
+- my $id = 0;
+- my $gif;
+- foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) {
+- if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
+-
++ my $id = 0;
++ my $gif;
++ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
++ if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
+ if ($id % 2) {
+ print "<tr bgcolor='$color{'color20'}'>\n";
+ } else {
+diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
+index bda49a3..385acf2 100644
+--- a/html/cgi-bin/vpnmain.cgi
++++ b/html/cgi-bin/vpnmain.cgi
+@@ -23,7 +23,7 @@ use Net::DNS;
+ use File::Copy;
+ use File::Temp qw/ tempfile tempdir /;
+ use strict;
+-
++use Sort::Naturally;
+ # enable only the following on debugging purpose
+ #use warnings;
+ #use CGI::Carp 'fatalsToBrowser';
+@@ -2476,7 +2476,7 @@ END
+ ;
+ my $id = 0;
+ my $gif;
+- foreach my $key (keys %confighash) {
++ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
+ if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
+
+ if ($id % 2) {
+--
+1.7.10.4
+
--- /dev/null
+From da7524be43a7a44cb4f415b40f8fb57a8cf65d0a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 29 Apr 2013 16:12:14 +0200
+Subject: [PATCH 222/302] Forward Firewall: bugfix: counter failure when
+ adding one host to more than 1 Group
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index c984ee0..aa40068 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -669,7 +669,7 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
+ }elsif($updcounter eq 'host'){
+ foreach my $key (keys %customhost) {
+ if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){
+- $customhost{$key}[4]=$customhost{$key}[3]+1;
++ $customhost{$key}[4]=$customhost{$key}[4]+1;
+ }
+ }
+ &General::writehasharray("$confighost", \%customhost);
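Review bot: The increment can be written as `$customhost{$key}[4]++;`, which names the index once; the `[3]`/`[4]` mismatch is exactly what this patch repairs. A comment on what field `[4]` holds (it looks like the number of groups using the host, to be confirmed) would keep the next edit from picking the wrong column. The enclosing `savegrp` block starts and ends outside the hunk.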
+--
+1.7.10.4
+
--- /dev/null
+From 4e502478ba432faf1864475682f20fcc51ff1ff8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 30 Apr 2013 08:13:54 +0200
+Subject: [PATCH 223/302] Forward Firewall: reordered some rules to get rid of
+ INPUT_DROP messages in log when connected to
+ webinterface
+
+---
+ src/initscripts/init.d/firewall | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index b7a2b0a..a7e04f2 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -301,11 +301,10 @@ case "$1" in
+ if [ -x /etc/sysconfig/firewall.local ]; then
+ /etc/sysconfig/firewall.local stop
+ fi
+-
++ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ fi
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ fi
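Review bot: Moving the unconditional `-A INPUT -j DROP` above the `DROPINPUT` block makes the LOG rule unreachable, because rules are appended in order and every packet that gets this far is dropped before the `DROP_INPUT ` LOG rule is evaluated. That silences the unwanted messages but also removes all logging of dropped input, even with `DROPINPUT` set to `on`. If only web-interface traffic should stay out of the log, keep the LOG rule ahead of the DROP and exclude that traffic with a match on the LOG rule or an earlier ACCEPT. The `case` branch continues outside the hunk.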
+--
+1.7.10.4
+
--- /dev/null
+From e4379cc4caa457f67102556b2c84559107020f79 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 30 Apr 2013 09:58:01 +0200
+Subject: [PATCH 224/302] Forward Firewall: edited rules.pl so that in the
+ rules the ip addresses from the remote ovpn N2N
+ subnet are used instead of the openvpn
+ subnet(because its only used as transfer net)
+
+---
+ config/forwardfw/rules.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 7b8b346..2996836 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -494,7 +494,7 @@ sub get_address
+ }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
+ $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
+ }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
+- $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
++ $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
+ }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
+ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
+ }
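Review bot: The column index passed to `get_ovpn_n2n_ip` changes from `27` to `11` with no comment, and the neighbouring calls pass `33` and `11` just as bare. A comment such as `# field 11: remote subnet of the N2N connection (27 is the transfer net)` would make the choice checkable, as would named constants for these indexes. That wording is taken from the commit message, so confirm it against the ovpnconfig layout. `get_address` starts and ends outside the hunk.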
+--
+1.7.10.4
+
--- /dev/null
+From 89297c7b515feecb013b6525959715a4090a1fd2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 2 May 2013 15:55:14 +0200
+Subject: [PATCH 225/302] Forward Firewall: restored old settings in
+ graphs.pl. With new Monofont the columnsize is ok
+ now
+
+---
+ config/cfgroot/graphs.pl | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
+index f8b182b..19c0546 100644
+--- a/config/cfgroot/graphs.pl
++++ b/config/cfgroot/graphs.pl
+@@ -216,7 +216,7 @@ sub updatecpugraph {
+ ,"GPRINT:userpct:AVERAGE:%3.2lf%%"
+ ,"GPRINT:userpct:MIN:%3.2lf%%"
+ ,"GPRINT:userpct:LAST:%3.2lf%%\\j"
+- ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'})
++ ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'})
+ ,"GPRINT:systempct:MAX:%3.2lf%%"
+ ,"GPRINT:systempct:AVERAGE:%3.2lf%%"
+ ,"GPRINT:systempct:MIN:%3.2lf%%"
+@@ -627,12 +627,12 @@ sub updatefwhitsgraph {
+ "GPRINT:input:AVERAGE:%8.1lf %sBps",
+ "GPRINT:input:MIN:%8.1lf %sBps",
+ "GPRINT:input:LAST:%8.1lf %sBps\\j",
+- "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
++ "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSyn"),
+ "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+ "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+ "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+ "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+- "STACK:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
++ "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
+ "GPRINT:portscan:MAX:%8.1lf %sBps",
+ "GPRINT:portscan:MIN:%8.1lf %sBps",
+ "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
+--
+1.7.10.4
+
--- /dev/null
+From bcf59ed0c5a88c20e851fd04d5c45dee7e9c7a12 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 7 May 2013 12:02:17 +0200
+Subject: [PATCH 226/302] Forward Firewall: fixed wrong log Entries INPUT_DROP
+ when connected via Web or ssh
+
+---
+ src/initscripts/init.d/firewall | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index a7e04f2..64dfa18 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -265,6 +265,16 @@ case "$1" in
+ /etc/sysconfig/firewall.local start
+ fi
+
++ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a"
++
++ if [ "$DROPINPUT" == "on" ]; then
++ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b"
++ fi
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ fi
++ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
++
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
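Review bot: The added `-A INPUT -j DROP` is appended before `-A INPUT -j POLICYIN` and before the LOG rule, so in the order shown neither the POLICYIN jump nor the `DROP_INPUT_b` LOG rule can be reached; only the FORWARD LOG rule is still ahead of its DROP. Whether other rules are inserted ahead of these elsewhere in the script is not visible here. The prefixes also lose their trailing space, here and in the stop branch of the second hunk, so the kernel writes `DROP_INPUT_bIN=...` with no separator; keep the form `--log-prefix "DROP_INPUT "`. The `case` branch continues outside the hunk.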
+@@ -301,12 +311,14 @@ case "$1" in
+ if [ -x /etc/sysconfig/firewall.local ]; then
+ /etc/sysconfig/firewall.local stop
+ fi
++
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
++
+ if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
++ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+ if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
++ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+--
+1.7.10.4
+
--- /dev/null
+From 2c5bcbc142b5f20d07ccb84c0c509e4fe6abb6ea Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 8 May 2013 08:19:03 +0200
+Subject: [PATCH 227/302] Forward Firewall: BUGFIX - when using source
+ Protocol and NO target protocol only the target
+ protocol is shown in ruletable.(But rule is applied
+ correctly)
+
+---
+ html/cgi-bin/forwardfw.cgi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index e9c051b..0fbc030 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2516,10 +2516,10 @@ END
+ print"</td>";
+ #Get Protocol
+ my $prot;
+- if ($$hash{$key}[12]){ #target prot if manual
+- push (@protocols,$$hash{$key}[12]);
+- }elsif($$hash{$key}[8]){ #source prot if manual
++ if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual
+ push (@protocols,$$hash{$key}[8]);
++ }elsif ($$hash{$key}[12]){ #target prot if manual
++ push (@protocols,$$hash{$key}[12]);
+ }elsif($$hash{$key}[14] eq 'cust_srv'){
+ &get_serviceports("service",$$hash{$key}[15]);
+ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+--
+1.7.10.4
+
--- /dev/null
+From 8ae3baf34e063cba899daf566b5066ac98bd41dd Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 22 May 2013 07:43:46 +0200
+Subject: [PATCH 228/302] Forward Firewall: extended the customservices list
+
+---
+ config/fwhosts/customservices | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices
+index d115f97..0e3d6de 100644
+--- a/config/fwhosts/customservices
++++ b/config/fwhosts/customservices
+@@ -1,22 +1,32 @@
+-11,NTP,123,UDP,BLANK,0
++32,Rsync,873,TCP,BLANK,0
+ 21,IMAPS,993,TCP,BLANK,0
+ 7,WINS,42,TCP,BLANK,0
+-2,FTP-control,21,TCP,BLANK,0
++26,Lpd,515,TCP,BLANK,0
+ 17,IRC,194,TCP,BLANK,0
+-22,POP3S,995,TCP,BLANK,0
++2,FTP-control,21,TCP,BLANK,0
+ 1,FTP-data,20,TCP,BLANK,0
+ 18,HTTPS,443,TCP,BLANK,0
++30,Nfs,2049,TCP,BLANK,0
+ 16,SNMP,161,UDP,BLANK,0
++25,Ipp (udp),631,UDP,BLANK,0
++27,JetDirect,9100,TCP,BLANK,0
++28,Ldap,389,TCP,BLANK,0
++14,NetBIOS Sessionservice,139,TCP,BLANK,0
++20,FTPS control,990,TCP,BLANK,0
++24,Ipp (tcp),631,TCP,BLANK,0
++10,SFTP,115,TCP,BLANK,0
++31,Radius,1812,TCP,BLANK,0
++11,NTP,123,UDP,BLANK,0
++22,POP3S,995,TCP,BLANK,0
+ 13,NetBIOS Datagramservice,138,TCP,BLANK,0
++23,RDP,3389,TCP,BLANK,0
++29,Ldaps,636,TCP,BLANK,0
+ 6,TIME,37,TCP,BLANK,0
+ 3,SSH,22,TCP,BLANK,0
+ 9,POP3,110,TCP,BLANK,0
+ 12,NetBIOS nameservice,137,TCP,BLANK,0
+-20,FTPS control,990,TCP,BLANK,0
+ 15,IMAP,143,TCP,BLANK,0
+-14,NetBIOS Sessionservice,139,TCP,BLANK,0
+ 8,HTTP,80,TCP,BLANK,0
+ 4,TELNET,23,UDP,BLANK,0
+-10,SFTP,115,TCP,BLANK,0
+ 19,FTPS data,989,TCP,BLANK,0
+ 5,SMTP,25,TCP,BLANK,0
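Review bot: The new entry `31,Radius,1812,TCP,BLANK,0` declares RADIUS as TCP, but RADIUS authentication on port 1812 runs over UDP, so a rule built from this service would not match the traffic. `31,Radius,1812,UDP,BLANK,0` is the likely intent. The entries are also shuffled rather than appended, which makes the change harder to audit; ordering them by the numeric id would help.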
+--
+1.7.10.4
+
--- /dev/null
+From a116b3ee304172db146be868c29ee22410c1478e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 27 May 2013 10:33:50 +0200
+Subject: [PATCH 229/302] Forward Firewall: BUGFIX: When creating DMZ Rules
+ with MANUAL IP as source and afterwards editing the
+ rule, the rule was copied and not just edited.
+ BUGFIX: When using SNAT (outbound) the rule does
+ not seem to work. The NAT_SOURCE chain was on wron
+ position in POSTROUTING
+
+---
+ html/cgi-bin/forwardfw.cgi | 8 ++++----
+ src/initscripts/init.d/firewall | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 0fbc030..35d0bc5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -78,7 +78,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.6';
++my $VERSION='0.9.9.6a';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -596,7 +596,7 @@ sub addrule
+ if (-f "${General::swroot}/forward/reread"){
+ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ }
+- &Header::openbox('100%', 'left', "");
++ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'});
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+@@ -2151,7 +2151,7 @@ sub saverule
+ #print"6";
+ }
+ #check if we change a DMZ to a FORWARD/DMZ
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
++ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on'){
+ &changerule($configdmz);
+ #print"7";
+ }
+@@ -2194,7 +2194,7 @@ sub saverule
+ #print"14";
+ }
+ #check if we change a FORWARD rule to an DMZ
+- elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
++ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){
+ &changerule($configfwdfw);
+ #print"15";
+ }
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 64dfa18..56a1800 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -241,7 +241,7 @@ case "$1" in
+ /sbin/iptables -t nat -N NAT_DESTINATION
+ /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+- /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
++ /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE
+
+
+ # upnp chain for our upnp daemon
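Review bot: `-I POSTROUTING 2` hard-codes the rule position, and iptables rejects an insert index larger than the chain length plus one, so this line fails if POSTROUTING holds no rule when it runs. Which rule is expected at position 1 is not visible in the hunk; a comment naming it would make the dependency explicit, as would creating the chains in the intended order and using `-A`. A failed insert here would leave NAT_SOURCE unreferenced and the source NAT rules without effect.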
+--
+1.7.10.4
+
--- /dev/null
+From 2838b1a77a192f4f954a2a961d4fb06df8fe1207 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 29 May 2013 17:16:37 +0200
+Subject: [PATCH 230/302] openvpnctrl: SNAT transfer networks.
+
+---
+ src/misc-progs/openvpnctrl.c | 105 +++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 104 insertions(+), 1 deletion(-)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index e600b12..e167009 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -4,6 +4,8 @@
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
++#include <arpa/inet.h>
++#include <netinet/in.h>
+ #include <fcntl.h>
+ #include "setuid.h"
+ #include "libsmooth.h"
+@@ -25,13 +27,17 @@ char enableorange[STRING_SIZE] = "off";
+ char OVPNRED[STRING_SIZE] = "OVPN";
+ char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
+ char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
+-char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.2";
++char OVPNNAT[STRING_SIZE] = "OVPNNAT";
++char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
+
+ struct connection_struct {
+ char name[STRING_SIZE];
+ char type[STRING_SIZE];
+ char proto[STRING_SIZE];
+ char status[STRING_SIZE];
++ char local_subnet[STRING_SIZE];
++ char transfer_subnet[STRING_SIZE];
++ char role[STRING_SIZE];
+ int port;
+ struct connection_struct *next;
+ };
+@@ -132,6 +138,12 @@ connection *getConnections() {
+ strcpy(conn_curr->name, result);
+ } else if (count == 4) {
+ strcpy(conn_curr->type, result);
++ } else if (count == 7) {
++ strcpy(conn_curr->role, result);
++ } else if (count == 9) {
++ strcpy(conn_curr->local_subnet, result);
++ } else if (count == 28) {
++ strcpy(conn_curr->transfer_subnet, result);
+ } else if (count == 29) {
+ strcpy(conn_curr->proto, result);
+ } else if (count == 30) {
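Review bot: The three new `strcpy` calls copy a config field into `STRING_SIZE` buffers with no length check, following the existing pattern for `name` and `type`. The size of `result` is not visible here; if a field can exceed `STRING_SIZE`, this overflows the struct in a helper that includes `setuid.h`. A bounded copy such as `snprintf(conn_curr->role, STRING_SIZE, "%s", result);` costs nothing, and the same applies to `local_subnet` and `transfer_subnet`. `getConnections` starts and ends outside the hunk.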
+@@ -257,6 +269,13 @@ void flushChain(char *chain) {
+ safe_system(str);
+ }
+
++void flushChainNAT(char *chain) {
++ char str[STRING_SIZE];
++
++ sprintf(str, "/sbin/iptables -t nat -F %s", chain);
++ executeCommand(str);
++}
++
+ void deleteChainReference(char *chain) {
+ char str[STRING_SIZE];
+
+@@ -339,6 +358,80 @@ void createAllChains(void) {
+ }
+ }
+
++char* calcTransferNetAddress(const connection* conn) {
++ char *address = strdup(conn->transfer_subnet);
++ address = strsep(&address, "/");
++
++ struct in_addr address_info;
++ if (!inet_aton(address, &address_info)) {
++ goto ERROR;
++ }
++
++ if (strcmp(conn->role, "server")) {
++ address_info.s_addr += 1 << 24;
++ } else if (strcmp(conn->role, "client")) {
++ address_info.s_addr += 2 << 24;
++ } else {
++ goto ERROR;
++ }
++
++ address = inet_ntoa(address_info);
++ return address;
++
++ERROR:
++ free(address);
++ return NULL;
++}
++
++char* getLocalSubnetAddress(const connection* conn) {
++ kv = initkeyvalues();
++ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
++ fprintf(stderr, "Cannot read ethernet settings\n");
++ exit(1);
++ }
++
++ const char *zones[] = {"GREEN", "BLUE", "ORANGE", NULL};
++ char *zone = NULL;
++
++ // Get net address of the local openvpn subnet.
++ char *subnetmask = strdup(conn->local_subnet);
++ char *address = strsep(&subnetmask, "/");
++
++ if ((address == NULL) || (subnetmask == NULL)) {
++ goto ERROR;
++ }
++
++ in_addr_t _address = inet_addr(address);
++ in_addr_t _subnetmask = inet_addr(subnetmask);
++
++ in_addr_t _netaddr = (_address & _subnetmask);
++ in_addr_t _broadcast = (_address | ~_subnetmask);
++
++ char zone_address_key[STRING_SIZE];
++ char zone_address[STRING_SIZE];
++ in_addr_t zone_addr;
++
++ int i = 0;
++ while (zones[i]) {
++ zone = zones[i++];
++ snprintf(zone_address_key, STRING_SIZE, "%s_ADDRESS", zone);
++
++ if (!findkey(kv, zone_address_key, zone_address))
++ continue;
++
++ zone_addr = inet_addr(zone_address);
++ if ((zone_addr > _netaddr) && (zone_addr < _broadcast)) {
++ freekeyvalues(kv);
++
++ return strdup(zone_address);
++ }
++ }
++
++ERROR:
++ freekeyvalues(kv);
++ return NULL;
++}
++
+ void setFirewallRules(void) {
+ char protocol[STRING_SIZE] = "";
+ char dport[STRING_SIZE] = "";
+@@ -372,6 +465,7 @@ void setFirewallRules(void) {
+ flushChain(OVPNRED);
+ flushChain(OVPNBLUE);
+ flushChain(OVPNORANGE);
++ flushChainNAT(OVPNNAT);
+
+ // set firewall rules
+ if (!strcmp(enablered, "on") && strlen(redif))
+@@ -386,11 +480,20 @@ void setFirewallRules(void) {
+
+ // set firewall rules for n2n connections
+ char command[STRING_SIZE];
++ char *local_subnet_address = NULL;
++ char *transfer_subnet_address = NULL;
+ while (conn != NULL) {
+ if (strcmp(conn->type, "net") == 0) {
+ sprintf(command, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT",
+ OVPNRED, redif, conn->proto, conn->port);
+ executeCommand(command);
++
++ local_subnet_address = getLocalSubnetAddress(conn);
++ transfer_subnet_address = calcTransferNetAddress(conn);
++
++ snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
++ OVPNNAT, transfer_subnet_address, local_subnet_address);
++ executeCommand(command);
+ }
+
+ conn = conn->next;
+--
+1.7.10.4
+
--- /dev/null
+From 429e20310dfc28e5e775ef4c0ea19cb6fc05170b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 30 May 2013 21:49:32 +0200
+Subject: [PATCH 231/302] openvpnctrl: Fixes and improvements.
+
+Handle invalid data and make the code more robust.
+---
+ src/misc-progs/openvpnctrl.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index e167009..4b098a6 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -359,26 +359,29 @@ void createAllChains(void) {
+ }
+
+ char* calcTransferNetAddress(const connection* conn) {
+- char *address = strdup(conn->transfer_subnet);
+- address = strsep(&address, "/");
++ char *subnetmask = strdup(conn->transfer_subnet);
++ char *address = strsep(&subnetmask, "/");
+
+- struct in_addr address_info;
+- if (!inet_aton(address, &address_info)) {
+- goto ERROR;
+- }
++ in_addr_t _address = inet_addr(address);
++ in_addr_t _subnetmask = inet_addr(subnetmask);
++ _address &= _subnetmask;
+
+- if (strcmp(conn->role, "server")) {
+- address_info.s_addr += 1 << 24;
+- } else if (strcmp(conn->role, "client")) {
+- address_info.s_addr += 2 << 24;
++ if (strcmp(conn->role, "server") == 0) {
++ _address += 1 << 24;
++ } else if (strcmp(conn->role, "client") == 0) {
++ _address += 2 << 24;
+ } else {
+ goto ERROR;
+ }
+
+- address = inet_ntoa(address_info);
+- return address;
++ struct in_addr address_info;
++ address_info.s_addr = _address;
++
++ return inet_ntoa(address_info);
+
+ ERROR:
++ fprintf(stderr, "Could not determine transfer net address: %s\n", conn->name);
++
+ free(address);
+ return NULL;
+ }
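Review bot: `subnetmask` is NULL after `strsep` when `transfer_subnet` contains no `/`, and it is then passed to `inet_addr`, so the invalid input this patch sets out to handle still crashes. Add `if (!address || !subnetmask) goto ERROR;` before the conversions and reject `INADDR_NONE` for the address. The success path still leaks the `strdup` buffer, because only the ERROR path calls `free(address)`; free it before `return inet_ntoa(address_info);`.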
+@@ -428,6 +431,8 @@ char* getLocalSubnetAddress(const connection* conn) {
+ }
+
+ ERROR:
++ fprintf(stderr, "Could not determine local subnet address: %s\n", conn->name);
++
+ freekeyvalues(kv);
+ return NULL;
+ }
+@@ -491,6 +496,9 @@ void setFirewallRules(void) {
+ local_subnet_address = getLocalSubnetAddress(conn);
+ transfer_subnet_address = calcTransferNetAddress(conn);
+
++ if ((!local_subnet_address) || (!transfer_subnet_address))
++ continue;
++
+ snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
+ OVPNNAT, transfer_subnet_address, local_subnet_address);
+ executeCommand(command);
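Review bot: The added `continue` skips the `conn = conn->next;` at the end of the `while (conn != NULL)` body (visible in the previous patch's hunk), so the first connection with an unresolved address makes the loop spin forever. Wrap the SNAT rule in the check instead, `if (local_subnet_address && transfer_subnet_address) { ... }`, or advance `conn` before continuing. `setFirewallRules` starts and ends outside the hunk.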
+--
+1.7.10.4
+
--- /dev/null
+From 7f863eab800ab2d7542c0bf9a80a8d55ffba02a8 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 30 May 2013 21:55:26 +0200
+Subject: [PATCH 232/302] openvpnctrl: Remove unneeded code.
+
+---
+ src/misc-progs/openvpnctrl.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index 4b098a6..5f070a1 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -253,10 +253,6 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port)
+
+ sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port);
+ executeCommand(str);
+- sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain);
+- executeCommand(str);
+- //sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
+- //executeCommand(str);
+ }
+
+ void flushChain(char *chain) {
+@@ -264,9 +260,6 @@ void flushChain(char *chain) {
+
+ sprintf(str, "/sbin/iptables -F %sINPUT", chain);
+ executeCommand(str);
+- //sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
+- //executeCommand(str);
+- safe_system(str);
+ }
+
+ void flushChainNAT(char *chain) {
+@@ -281,10 +274,6 @@ void deleteChainReference(char *chain) {
+
+ sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
+ executeCommand(str);
+- safe_system(str);
+- //sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
+- //executeCommand(str);
+- safe_system(str);
+ }
+
+ void deleteChain(char *chain) {
+@@ -292,8 +281,6 @@ void deleteChain(char *chain) {
+
+ sprintf(str, "/sbin/iptables -X %sINPUT", chain);
+ executeCommand(str);
+- //sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
+- //executeCommand(str);
+ }
+
+ void deleteAllChains(void) {
+@@ -313,16 +300,12 @@ void createChainReference(char *chain) {
+ char str[STRING_SIZE];
+ sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
+ executeCommand(str);
+- //sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
+- //executeCommand(str);
+ }
+
+ void createChain(char *chain) {
+ char str[STRING_SIZE];
+ sprintf(str, "/sbin/iptables -N %sINPUT", chain);
+ executeCommand(str);
+- //sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
+- //executeCommand(str);
+ }
+
+ void createAllChains(void) {
+--
+1.7.10.4
+
--- /dev/null
+From 946f1cee92fb504560ea8e994e6735f941445a43 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 31 May 2013 13:31:48 +0200
+Subject: [PATCH 233/302] openvpnctrl: Block all transfer subnets.
+
+---
+ src/misc-progs/openvpnctrl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index 5f070a1..311b6bf 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off";
+ char OVPNRED[STRING_SIZE] = "OVPN";
+ char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
+ char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
++char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
+ char OVPNNAT[STRING_SIZE] = "OVPNNAT";
+ char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
+
+@@ -476,6 +477,11 @@ void setFirewallRules(void) {
+ OVPNRED, redif, conn->proto, conn->port);
+ executeCommand(command);
+
++ /* Block all communication from the transfer nets. */
++ snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP",
++ OVPNBLOCK, conn->transfer_subnet);
++ executeCommand(command);
++
+ local_subnet_address = getLocalSubnetAddress(conn);
+ transfer_subnet_address = calcTransferNetAddress(conn);
+
+--
+1.7.10.4
+
--- /dev/null
+From 0d5bb88a42ee163eda4142e2aeec0509d4635440 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 11 Jun 2013 15:53:31 +0200
+Subject: [PATCH 234/302] Forward Firewall: Implemented INPUT Firewall
+ (extended external access)
+
+Now you are able to define INPUT Rules on every interface ip
+---
+ config/forwardfw/rules.pl | 11 ++++++++++-
+ html/cgi-bin/forwardfw.cgi | 26 ++++++++++++++++----------
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ 4 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 2996836..7646040 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -215,7 +215,16 @@ sub buildrules
+ }
+ }
+ }elsif($$hash{$key}[5] eq 'ipfire'){
+- if($$hash{$key}[6] eq 'Default IP'){
++ if($$hash{$key}[6] eq 'GREEN'){
++ $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
++ }
++ if($$hash{$key}[6] eq 'BLUE'){
++ $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
++ }
++ if($$hash{$key}[6] eq 'ORANGE'){
++ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
++ }
++ if($$hash{$key}[6] eq 'RED'){
+ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ $targethash{$key}[0]= <FILE>;
+ close(FILE);
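Review bot: The new GREEN/BLUE/ORANGE/RED tests in buildrules are independent `if`s with no final `else`, so a value of `$$hash{$key}[6]` that matches none of them leaves `$targethash{$key}[0]` unset unless code below the hunk handles it. The form changed in this same commit submits `ALL` and `RED1`, and neither is mapped here. An `if`/`elsif` chain that ends in a branch which skips or rejects the rule would keep an unmapped value from producing a rule with no destination address. buildrules continues outside the hunk.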
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 35d0bc5..22b0d40 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -78,7 +78,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.6a';
++my $VERSION='0.9.9.7';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -1501,7 +1501,7 @@ sub getcolor
+ }elsif ($val eq 'BLUE'){
+ $tdcolor="style='border: 1px solid $Header::colourblue;'";
+ return;
+- }elsif ($val eq 'RED'){
++ }elsif ($val eq 'RED' ||$val eq 'RED1' ){
+ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ return;
+ }elsif ($val eq 'IPFire' ){
+@@ -1802,17 +1802,18 @@ END
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire</b></td>
+ END
+- if (! -z "${General::swroot}/ethernet/aliases"){
+- print"<td align='right'><select name='ipfire' style='width:200px;'>";
+- print "<option value='Default IP' $selected{'ipfire'}{'Default IP'}>Default IP</option>";
++ print"<td align='right'><select name='ipfire' style='width:200px;'>";
++ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
++ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
++ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} (Default IP)</option>" if $ifaces{'RED_ADDRESS'};
+
++ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+ {
+ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
+ }
+-
+- }else{
+- print"<td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+ }
+ print<<END;
+ </td></tr>
+@@ -2506,8 +2507,13 @@ END
+ }
+ print"<br> DNAT->";
+ }
+- if ($$hash{$key}[5] eq 'std_net_tgt'){
+- print &get_name($$hash{$key}[6]);
++ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
++ if ($$hash{$key}[6] eq 'RED1')
++ {
++ print $Lang::tr{'red1'};
++ }else{
++ print &get_name($$hash{$key}[6]);
++ }
+ }else{
+ print $$hash{$key}[6];
+ }
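Review bot: The new condition mixes `||` and `&&` without parentheses, so `&&` ties only `[5] eq 'ipfire'` to `[6] eq 'RED'`; the `RED1`, `GREEN`, `ORANGE` and `BLUE` tests apply whatever `[5]` holds. If the intent is "standard network target, or an IPFire target on one of the zone addresses", group it explicitly: `if ($$hash{$key}[5] eq 'std_net_tgt' || ($$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] =~ /\A(?:RED1?|GREEN|ORANGE|BLUE)\z/)){`. The enclosing sub starts outside the hunk.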
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 6e05511..b4aa0a1 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1713,6 +1713,7 @@
+ 'reconnect' => 'Neu Verbinden',
+ 'reconnection' => 'Wiederverbindung',
+ 'red' => 'Internet',
++'red1' => 'ROT',
+ 'references' => 'Referenzen',
+ 'refresh' => 'Aktualisieren',
+ 'refresh index page while connected' => 'Aktualisere index.cgi Seite während der Verbindung',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 0a3baaa..2148f23 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1742,6 +1742,7 @@
+ 'reconnect' => 'Reconnect',
+ 'reconnection' => 'Reconnection',
+ 'red' => 'Internet',
++'red1' => 'RED',
+ 'references' => 'References',
+ 'refresh' => 'Refresh',
+ 'refresh index page while connected' => 'Refresh index.cgi page while connected',
+--
+1.7.10.4
+
--- /dev/null
+From a784e9489118739718afafe525eb64d53dd9b072 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 12 Jun 2013 12:50:33 +0200
+Subject: [PATCH 235/302] openvpnctl: Flush BLOCK and SNAT chain when needed.
+
+---
+ src/misc-progs/openvpnctrl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index 311b6bf..576e57f 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -295,6 +295,10 @@ void deleteAllChains(void) {
+ deleteChain(OVPNRED);
+ deleteChain(OVPNBLUE);
+ deleteChain(OVPNORANGE);
++
++ // Only flush chains that are created by the firewall
++ flushChain(OVPNBLOCK);
++ flushChainNAT(OVPNNAT);
+ }
+
+ void createChainReference(char *chain) {
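Review bot: `flushChain(OVPNBLOCK)` in deleteAllChains does not flush the OVPNBLOCK chain at this commit. PATCH 237 further down this page shows that `flushChain()` still formats `"/sbin/iptables -F %sINPUT"` at this point, so the call targets a chain named OVPNBLOCKINPUT. The same applies to the `flushChain(OVPNBLOCK)` call added to setFirewallRules in the next hunk, which leaves the DROP rules appended on each run in place until that later patch. Folding the `flushChain()` change into this commit would keep every step of the series working.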
+@@ -454,6 +458,7 @@ void setFirewallRules(void) {
+ flushChain(OVPNRED);
+ flushChain(OVPNBLUE);
+ flushChain(OVPNORANGE);
++ flushChain(OVPNBLOCK);
+ flushChainNAT(OVPNNAT);
+
+ // set firewall rules
+--
+1.7.10.4
+
--- /dev/null
+From ef38666b77cee624071f52c78e5bb1d815a5e0ff Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 12 Jun 2013 13:00:20 +0200
+Subject: [PATCH 236/302] Forward Firewall: added OVPNBLOCK and fixed rules.pl
+ to correctly get ip address of red iface
+
+---
+ config/forwardfw/rules.pl | 2 +-
+ src/initscripts/init.d/firewall | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 7646040..c4c17e6 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -224,7 +224,7 @@ sub buildrules
+ if($$hash{$key}[6] eq 'ORANGE'){
+ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+ }
+- if($$hash{$key}[6] eq 'RED'){
++ if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
+ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ $targethash{$key}[0]= <FILE>;
+ close(FILE);
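Review bot: The RED/RED1 branch reads the address through a bareword handle with a `die` message that omits `$!`, and the line read from the file is stored with its trailing newline unless it is chomped below the hunk. A lexical handle with three-argument open would be `open(my $fh, '<', '/var/ipfire/red/local-ipaddress') or die "Unable to open config file: $!";` followed by `chomp($targethash{$key}[0] = <$fh>);`. buildrules starts and ends outside the hunk.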
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 200c155..94b869d 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -145,18 +145,23 @@ case "$1" in
+ /sbin/iptables -A INPUT -j CUSTOMINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
++ /sbin/iptables -N OVPNBLOCK
++ /sbin/iptables -A FORWARD -j OVPNBLOCK
+ /sbin/iptables -A FORWARD -j GUARDIAN
+ /sbin/iptables -N CUSTOMFORWARD
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
++ /sbin/iptables -A OUTPUT -j OVPNBLOCK
+ /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
++ /sbin/iptables -t nat -N OVPNNAT
+ /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ /sbin/iptables -t nat -N CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
++ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+
+ # IPTV chains for IGMPPROXY
+ /sbin/iptables -N IPTVINPUT
+@@ -164,6 +169,9 @@ case "$1" in
+ /sbin/iptables -N IPTVFORWARD
+ /sbin/iptables -A FORWARD -j IPTVFORWARD
+
++ # Filtering ovpn networks INPUT
++ /sbin/iptables -A INPUT -j OVPNBLOCK
++
+ # filtering from GUI
+ /sbin/iptables -N GUIINPUT
+ /sbin/iptables -A INPUT -j GUIINPUT
+@@ -187,9 +195,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -j IPSECFORWARD
+ /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
+ /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+- /sbin/iptables -t nat -N OVPNNAT
+ /sbin/iptables -t nat -N IPSECNAT
+- /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+
+ # Input Firewall
+@@ -243,7 +249,8 @@ case "$1" in
+ /sbin/iptables -t nat -N NAT_DESTINATION
+ /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+- /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE
++ /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
++
+
+
+ # upnp chain for our upnp daemon
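Review bot: `-I POSTROUTING 3 -j NAT_SOURCE` places the jump by a numeric position that encodes how many rules were already added to nat POSTROUTING earlier in the script. Any later reordering silently changes where NAT_SOURCE sits relative to the other jumps, and iptables rejects the insert when the index lies beyond the end of the chain. As far as the hunks on this page show, position 3 means "after CUSTOMPOSTROUTING and OVPNNAT, before IPSECNAT"; a comment saying so, such as `# NAT_SOURCE: after CUSTOMPOSTROUTING and OVPNNAT, before IPSECNAT`, would record the dependency. Appending the jump at that point in the sequence would remove it.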
+@@ -253,8 +260,7 @@ case "$1" in
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+
+ # Postrouting rules (for port forwarding)
+- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
+- --to-source $GREEN_ADDRESS
++ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
+ if [ "$BLUE_DEV" != "" ]; then
+ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
+ fi
+@@ -266,11 +272,11 @@ case "$1" in
+ if [ -x /etc/sysconfig/firewall.local ]; then
+ /etc/sysconfig/firewall.local start
+ fi
+-
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a"
++
++ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
+ if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b"
++ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+@@ -286,6 +292,16 @@ case "$1" in
+ /sbin/iptables -A OUTPUT -j POLICYOUT
+
+ /usr/sbin/firewall-policy
++
++ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
++
++ if [ "$DROPINPUT" == "on" ]; then
++ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
++ fi
++ if [ "$DROPFORWARD" == "on" ]; then
++ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
++ fi
++ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ ;;
+ startovpn)
+ # run openvpn
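Review bot: In the block added after `/usr/sbin/firewall-policy`, the unconditional `-A INPUT -j DROP` is appended before the rate-limited `-A INPUT ... -j LOG`, so the LOG rule can never match and `DROPINPUT=on` logs nothing; the FORWARD pair below it has the order right. Move the DROP line below the `DROPINPUT` test. The hunk at `@@ -266,11 +272,11 @@` keeps an earlier copy of the same INPUT DROP/LOG pair, and that copy's terminal DROP comes ahead of the `-A INPUT -j POLICYIN` jump shown in PATCH 238's context, so one of the two copies should be removed.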
+--
+1.7.10.4
+
--- /dev/null
+From 0dfcc1af7941b034eaedcb99467b7465b550537e Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 12 Jun 2013 14:14:53 +0200
+Subject: [PATCH 237/302] openvpnctrl: Cleanup flushChain functions.
+
+---
+ src/misc-progs/openvpnctrl.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
+index 576e57f..af13901 100644
+--- a/src/misc-progs/openvpnctrl.c
++++ b/src/misc-progs/openvpnctrl.c
+@@ -259,7 +259,7 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port)
+ void flushChain(char *chain) {
+ char str[STRING_SIZE];
+
+- sprintf(str, "/sbin/iptables -F %sINPUT", chain);
++ sprintf(str, "/sbin/iptables -F %s", chain);
+ executeCommand(str);
+ }
+
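Review bot: `flushChain()` still formats its command with unbounded `sprintf()` into `str[STRING_SIZE]`, while the `flushChainINPUT()` added in the next hunk builds a name of up to `STRING_SIZE - 1` bytes with `snprintf()` and passes it on. With the command prefix in front, a long chain name would overrun `str`. The callers on this page pass short constants, so this is a hardening point. Use `snprintf(str, STRING_SIZE, "/sbin/iptables -F %s", chain);` here as well.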
+@@ -270,6 +270,13 @@ void flushChainNAT(char *chain) {
+ executeCommand(str);
+ }
+
++void flushChainINPUT(char *chain) {
++ char str[STRING_SIZE];
++
++ snprintf(str, STRING_SIZE, "%sINPUT", chain);
++ flushChain(str);
++}
++
+ void deleteChainReference(char *chain) {
+ char str[STRING_SIZE];
+
+@@ -289,9 +296,9 @@ void deleteAllChains(void) {
+ deleteChainReference(OVPNRED);
+ deleteChainReference(OVPNBLUE);
+ deleteChainReference(OVPNORANGE);
+- flushChain(OVPNRED);
+- flushChain(OVPNBLUE);
+- flushChain(OVPNORANGE);
++ flushChainINPUT(OVPNRED);
++ flushChainINPUT(OVPNBLUE);
++ flushChainINPUT(OVPNORANGE);
+ deleteChain(OVPNRED);
+ deleteChain(OVPNBLUE);
+ deleteChain(OVPNORANGE);
+@@ -455,9 +462,9 @@ void setFirewallRules(void) {
+ freekeyvalues(kv);
+
+ // Flush all chains.
+- flushChain(OVPNRED);
+- flushChain(OVPNBLUE);
+- flushChain(OVPNORANGE);
++ flushChainINPUT(OVPNRED);
++ flushChainINPUT(OVPNBLUE);
++ flushChainINPUT(OVPNORANGE);
+ flushChain(OVPNBLOCK);
+ flushChainNAT(OVPNNAT);
+
+--
+1.7.10.4
+
--- /dev/null
+From 8d3ead51998b04e375441e7cb4ccf2da2967d295 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 12 Jun 2013 15:05:31 +0200
+Subject: [PATCH 238/302] Forward Firewall 0.9.9.7: reordered INPUT POLICY.
+
+---
+ src/initscripts/init.d/firewall | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 94b869d..a7d258a 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -273,16 +273,6 @@ case "$1" in
+ /etc/sysconfig/firewall.local start
+ fi
+
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+-
+- if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+- fi
+- if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+- fi
+- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+-
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
+--
+1.7.10.4
+
--- /dev/null
+From f9d5709f9081baea341f45e76bb5e7d499e2f0dd Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 12 Jun 2013 15:17:12 +0200
+Subject: [PATCH 239/302] Forward Firewall: INPUT Firewall added "ALL" with ip
+ 0.0.0.0
+
+---
+ config/forwardfw/rules.pl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index c4c17e6..738f940 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -224,6 +224,9 @@ sub buildrules
+ if($$hash{$key}[6] eq 'ORANGE'){
+ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+ }
++ if($$hash{$key}[6] eq 'ALL'){
++ $targethash{$key}[0]='0.0.0.0/0';
++ }
+ if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
+ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ $targethash{$key}[0]= <FILE>;
+--
+1.7.10.4
+
--- /dev/null
+From ecdf7f44bcf0e34d96c7d9e37c35273ce55db02f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 13 Jun 2013 10:17:18 +0200
+Subject: [PATCH 240/302] Forward Firewall: added checks if manual ip
+ (src/tgt) is part of a OpenVPN to colour the rules
+ accordingly
+
+---
+ html/cgi-bin/forwardfw.cgi | 57 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 40 insertions(+), 17 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 22b0d40..7ea7d62 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -78,7 +78,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.7';
++my $VERSION='0.9.9.8';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -693,14 +693,15 @@ sub checksource
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ return $errormessage;
+ }
+- #check if the ip is part of an existing openvpn client/net or ipsec network
+- #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+- if (! &checkvpn($ip)){
+- $errormessage=$Lang::tr{'fwdfw err srcovpn'};
+- return $errormessage;
+- }else{
+- $fwdfwsettings{'src_addr'}="$ip/$subnet";
+- }
++ ##check if the ip is part of an existing openvpn client/net or ipsec network
++ ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
++ #if (! &checkvpn($ip)){
++ #$errormessage=$Lang::tr{'fwdfw err srcovpn'};
++ #return $errormessage;
++ #}else{
++ #$fwdfwsettings{'src_addr'}="$ip/$subnet";
++ #}
++ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
+@@ -836,14 +837,15 @@ sub checktarget
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+- #check if the ip is part of an existing openvpn client/net or ipsec network
+- #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+- if (! &checkvpn($ip)){
+- $errormessage=$Lang::tr{'fwdfw err tgtovpn'};
+- return $errormessage;
+- }else{
+- $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+- }
++ ##check if the ip is part of an existing openvpn client/net or ipsec network
++ ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
++ #if (! &checkvpn($ip)){
++ #$errormessage=$Lang::tr{'fwdfw err tgtovpn'};
++ #return $errormessage;
++ #}else{
++ #$fwdfwsettings{'tgt_addr'}="$ip/$subnet";
++ #}
++ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ return $errormessage;
+@@ -1534,6 +1536,25 @@ sub getcolor
+ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+ return;
+ }
++ #Check if IP is part of OpenVPN static subnet
++ foreach my $key (sort keys %ccdnet){
++ my ($a,$b) = split("/",$ccdnet{$key}[1]);
++ $b =&General::iporsubtodec($b);
++ if (&General::IpInSubnet($c,$a,$b)){
++ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ return;
++ }
++ }
++ #Check if IP is part of OpenVPN N2N subnet
++ foreach my $key (sort keys %ccdhost){
++ if ($ccdhost{$key}[3] eq 'net'){
++ my ($a,$b) = split("/",$ccdhost{$key}[11]);
++ if (&General::IpInSubnet($c,$a,$b)){
++ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ return;
++ }
++ }
++ }
+ #Check if IP is part of IPsec RW network
+ if ($ipsecsettings{'RW_NET'} ne ''){
+ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'});
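Review bot: The two new loops in getcolor treat the netmask differently: the static-subnet loop converts `$b` with `&General::iporsubtodec($b)` before calling `&General::IpInSubnet($c,$a,$b)`, while the N2N loop passes the split value straight through. If `$ccdhost{$key}[11]` can hold a prefix length rather than a dotted mask (its format is not visible here), the N2N check will not match as intended, so apply the same conversion with `$b = &General::iporsubtodec($b);`. Declaring `my ($a,$b)` also shadows Perl's sort variables; names such as `$net` and `$mask` avoid that. getcolor starts and ends outside the hunk.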
+@@ -2384,6 +2405,8 @@ sub viewtablenew
+ &General::get_aliases(\%aliases);
+ &General::readhasharray("$confighost", \%customhost);
+ &General::readhasharray("$config", $hash);
++ &General::readhasharray("$configccdnet", \%ccdnet);
++ &General::readhasharray("$configccdhost", \%ccdhost);
+ if( ! -z $config){
+ &Header::openbox('100%', 'left',$title);
+ my $count=0;
+--
+1.7.10.4
+
--- /dev/null
+From 332d495068509bd36910b5ac0ef518eed95719e2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 14 Jun 2013 08:22:56 +0200
+Subject: [PATCH 241/302] Forward Firewall: redesign of "add timeframe" table
+ in rule creation
+
+---
+ html/cgi-bin/forwardfw.cgi | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7ea7d62..46c1608 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1988,25 +1988,23 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw timeframe'});
+ print<<END;
+ <table width='70%' border='0'>
+- <tr><td width='1%'><input type='checkbox' name='TIME' value='ON' $checked{'TIME'}{'ON'}></td><td colspan='4'>$Lang::tr{'fwdfw timeframe'}</td></tr>
+- <tr><td colspan='7'> </td></tr>
++ <tr><td width='1%'><input type='checkbox' name='TIME' value='ON' $checked{'TIME'}{'ON'}></td><td colspan='9'>$Lang::tr{'fwdfw timeframe'}</td></tr>
++ <tr><td colspan='10'> </td></tr>
+ <tr>
+ <td align='left'>$Lang::tr{'time'}:</td>
+- <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td>
++ <td align='left'>$Lang::tr{'advproxy monday'} </td><td>$Lang::tr{'advproxy tuesday'} </td><td>$Lang::tr{'advproxy wednesday'} </td><td>$Lang::tr{'advproxy thursday'} </td><td>$Lang::tr{'advproxy friday'} </td><td>$Lang::tr{'advproxy saturday'} </td><td>$Lang::tr{'advproxy sunday'}</td>
+ <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td>
+ <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td>
+ </tr>
+ <tr>
+ <td align='right'></td>
+- <td width='30%' align='left'>
+- <input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} />
+- <input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} />
+- <input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} />
+- <input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} />
+- <input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} />
+- <input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} />
+- <input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} />
+- </td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} /></td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} /></td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} /></td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} /></td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} /></td>
++ <td width='1%'align='left'><input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} /></td>
++ <td width='15%'align='left'><input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} /></td>
+ <td><select name='TIME_FROM'>
+ END
+ for (my $i=0;$i<=23;$i++) {
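Review bot: The seven new day cells are written as `width='1%'align='left'` with no whitespace between the two attributes, which HTML requires. Browsers usually recover, but validators and stricter parsers flag it. Write `<td width='1%' align='left'>` (and `width='15%' align='left'` on the Sunday cell). The heredoc and the enclosing sub continue outside the hunk.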
+--
+1.7.10.4
+
--- /dev/null
+From ce211c4e2e2874434babc47fc5950de22dae5d46 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 17 Jun 2013 10:21:24 +0200
+Subject: [PATCH 242/302] Forward Firewall: changed order of LOG and DROP
+ rules for INPUT Chain
+
+---
+ src/initscripts/init.d/firewall | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index a7d258a..5a8cfb1 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -283,11 +283,10 @@ case "$1" in
+
+ /usr/sbin/firewall-policy
+
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+-
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
++ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+--
+1.7.10.4
+
--- /dev/null
+From cf5e284fbfa3cfe9388ba6e835f91b5b0c375949 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 17 Jun 2013 12:45:57 +0200
+Subject: [PATCH 243/302] Forward Firewall: cleanup unused code
+
+---
+ config/forwardfw/convert-dmz | 3 --
+ config/forwardfw/convert-xtaccess | 4 +--
+ html/cgi-bin/forwardfw.cgi | 70 -------------------------------------
+ html/cgi-bin/fwhosts.cgi | 7 ----
+ 4 files changed, 1 insertion(+), 83 deletions(-)
+
+diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
+index 81d77ba..9c1ad04 100755
+--- a/config/forwardfw/convert-dmz
++++ b/config/forwardfw/convert-dmz
+@@ -111,9 +111,6 @@ sub process_rules{
+ $d =~ tr/-/:/;
+ $field15=$d;
+ $field16=$h;
+- ##Ausgabe
+- #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+- #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
+ my $key = &General::findhasharraykey (\%configfwdfw);
+ foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+ $configfwdfw{$key}[0] = $field0;
+diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
+index 3db7da6..85ad1c8 100755
+--- a/config/forwardfw/convert-xtaccess
++++ b/config/forwardfw/convert-xtaccess
+@@ -55,7 +55,7 @@ foreach my $line (@current){
+ }
+ #check ipfire address
+ if ($e eq '0.0.0.0'){
+- $field6 = 'Default IP';
++ $field6 = 'RED1';
+ }else{
+ foreach my $line (@alias){
+ my ($ip,$state,$aliasname) = split (",",$line);
+@@ -75,8 +75,6 @@ foreach my $line (@current){
+ $c = "$1:65535";
+ }
+ $field15=$c;
+- #Ausgabe
+- #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n";
+ my $key = &General::findhasharraykey (\%configinputfw);
+ foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";}
+ $configinputfw{$key}[0] = $field0;
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 46c1608..61c4d63 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -183,8 +183,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %confignatfw){
+- #print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
+- #print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
+ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+ eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+@@ -318,27 +316,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'nosave2'} ne 'on'){
+ &saverule(\%configinputfw,$configinput);
+ }
+- #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+- #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+- #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+- #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+- #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}<br>";
+- #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}<br>";
+- #print " Regel LOG: $fwdfwsettings{'LOG'}<br>";
+- #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}<br>";
+- #print " MO: $fwdfwsettings{'TIME_MON'}<br>";
+- #print " DI: $fwdfwsettings{'TIME_TUE'}<br>";
+- #print " MI: $fwdfwsettings{'TIME_WED'}<br>";
+- #print " DO: $fwdfwsettings{'TIME_THU'}<br>";
+- #print " FR: $fwdfwsettings{'TIME_FRI'}<br>";
+- #print " SA: $fwdfwsettings{'TIME_SAT'}<br>";
+- #print " SO: $fwdfwsettings{'TIME_SUN'}<br>";
+- #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}<br>";
+- #print "<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+- #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){
+ # OUTGOING PART
+ $fwdfwsettings{'config'}=$configoutgoing;
+@@ -449,27 +426,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if ($fwdfwsettings{'nosave2'} ne 'on'){
+ &saverule(\%configfwdfw,$configfwdfw);
+ }
+- #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+- #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}<br>";
+- #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+- #print "Dienst: $fwdfwsettings{'USESRV'}, $fwdfwsettings{'grp3'} -> $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+- #print "BEMERKUNG: $fwdfwsettings{'ruleremark'}<br>";
+- #print " Regel AKTIV: $fwdfwsettings{'ACTIVE'}<br>";
+- #print " Regel LOG: $fwdfwsettings{'LOG'}<br>";
+- #print " ZEITRAHMEN: $fwdfwsettings{'TIME'}<br>";
+- #print " MO: $fwdfwsettings{'TIME_MON'}<br>";
+- #print " DI: $fwdfwsettings{'TIME_TUE'}<br>";
+- #print " MI: $fwdfwsettings{'TIME_WED'}<br>";
+- #print " DO: $fwdfwsettings{'TIME_THU'}<br>";
+- #print " FR: $fwdfwsettings{'TIME_FRI'}<br>";
+- #print " SA: $fwdfwsettings{'TIME_SAT'}<br>";
+- #print " SO: $fwdfwsettings{'TIME_SUN'}<br>";
+- #print " VON: $fwdfwsettings{'TIME_FROM'} bis $fwdfwsettings{'TIME_TO'}<br>";
+- #print "<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp1a'} $fwdfwsettings{'oldgrp1b'} NEU: $fwdfwsettings{'grp1'} $fwdfwsettings{$fwdfwsettings{'grp1'}}<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}<br>";
+- #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+- #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}<br>";
+ }
+ if ($errormessage){
+ &newrule;
+@@ -489,18 +445,9 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+ &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
+ &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
+ }
+- #&General::readhasharray("$configinput", \%configinputfw);
+- #foreach my $key (sort keys %configinputfw){
+- # &checkcounter($configinputfw{$key}[3],$configinputfw{$key}[4],,);
+- # &checkcounter($configinputfw{$key}[5],$configinputfw{$key}[6],,);
+- # &checkcounter($configinputfw{$key}[14],$configinputfw{$key}[15],,);
+- #}
+-
+ system("rm ${General::swroot}/forward/config");
+- #system("rm ${General::swroot}/forward/input");
+ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+- #unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ my $MODE1=$fwdfwsettings{'POLICY1'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'}='MODE2';
+@@ -582,7 +529,6 @@ if ($fwdfwsettings{'ACTION'} eq 'movedown')
+ if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+ {
+ $fwdfwsettings{'copyfwrule'}='on';
+- #$fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+ }
+ if ($fwdfwsettings{'ACTION'} eq '')
+@@ -693,14 +639,6 @@ sub checksource
+ $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ return $errormessage;
+ }
+- ##check if the ip is part of an existing openvpn client/net or ipsec network
+- ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+- #if (! &checkvpn($ip)){
+- #$errormessage=$Lang::tr{'fwdfw err srcovpn'};
+- #return $errormessage;
+- #}else{
+- #$fwdfwsettings{'src_addr'}="$ip/$subnet";
+- #}
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+@@ -837,14 +775,6 @@ sub checktarget
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+- ##check if the ip is part of an existing openvpn client/net or ipsec network
+- ##if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+- #if (! &checkvpn($ip)){
+- #$errormessage=$Lang::tr{'fwdfw err tgtovpn'};
+- #return $errormessage;
+- #}else{
+- #$fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+- #}
+ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index aa40068..444b366 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -971,7 +971,6 @@ if ($fwhostsettings{'ACTION'} eq 'delgrpservice')
+ &General::writehasharray("$configsrvgrp", \%customservicegrp);
+ &rules;
+ if ($fwhostsettings{'updatesrvgrp'} eq 'on'){
+- #$fwhostsettings{'updatesrvgrp'}='on';
+ $fwhostsettings{'SRVGRP_NAME'}=$grpname;
+ $fwhostsettings{'SRVGRP_REMARK'}=$grpremark;
+ }
+@@ -1009,17 +1008,14 @@ if ($fwhostsettings{'ACTION'} eq 'changegrpremark')
+ if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){
+ foreach my $key (sort keys %customgrp)
+ {
+- #$customgrp{$key}[1]=~ s/\|/,/g;
+ if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'})
+ {
+- #$fwhostsettings{'newrem'}=~ s/,/\|/g;
+ $customgrp{$key}[1]='';
+ $customgrp{$key}[1]=$fwhostsettings{'newrem'};
+ }
+ }
+ &General::writehasharray("$configgrp", \%customgrp);
+ $fwhostsettings{'update'}='on';
+- #$fwhostsettings{'newrem'}=~ s/\|/,/g;
+ $fwhostsettings{'remark'}=$fwhostsettings{'newrem'};
+ }else{
+ $errormessage=$Lang::tr{'fwhost err remark'};
+@@ -1037,17 +1033,14 @@ if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark')
+ if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) || $fwhostsettings{'newsrvrem'} eq '')){
+ foreach my $key (sort keys %customservicegrp)
+ {
+- #$customservicegrp{$key}[1]=~ s/\|/,/g;
+ if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'})
+ {
+- #$fwhostsettings{'newsrvrem'}=~ s/,/|/g;
+ $customservicegrp{$key}[1]='';
+ $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'};
+ }
+ }
+ &General::writehasharray("$configsrvgrp", \%customservicegrp);
+ $fwhostsettings{'updatesrvgrp'}='on';
+- #$fwhostsettings{'newsrvrem'}=~ s/\|/,/g;
+ $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'};
+ }else{
+ $errormessage=$Lang::tr{'fwhost err remark'};
+--
+1.7.10.4
+
--- /dev/null
+From fbda3f2ea53516197110cc6068af0d1b56f431a8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 19 Jun 2013 13:31:40 +0200
+Subject: [PATCH 244/302] Forward Firewall: changed /etc/init.d/firewall.
+ deleted stop routine and rearranged iptables_init
+ and restart routine Now it should be possible to
+ use /etc/init.d/firewall restart without errors
+
+---
+ config/forwardfw/rules.pl | 4 +-
+ src/initscripts/init.d/firewall | 167 +++++++++++++++------------------------
+ 2 files changed, 65 insertions(+), 106 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 738f940..92b487b 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -179,7 +179,7 @@ sub buildrules
+ my $nat;
+ my $fwaccessdport;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+- next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
++ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+ $command='iptables -t nat -A';
+ $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
+@@ -228,7 +228,7 @@ sub buildrules
+ $targethash{$key}[0]='0.0.0.0/0';
+ }
+ if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
+- open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
++ open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
+ $targethash{$key}[0]= <FILE>;
+ close(FILE);
+ }else{
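Review bot: The rewritten `open` keeps the two-argument form with a bareword handle, its `die` text omits `$!`, and the line read from the file goes into `$targethash{$key}[0]` with its trailing newline and no format check. This file builds iptables commands as strings, and the value presumably ends up in one (its use is outside the hunk), so I would read it with `open(my $fh, '<', '/var/ipfire/red/local-ipaddress') or die "Couldn't open local-ipaddress: $!";` followed by `chomp($targethash{$key}[0] = <$fh>);`. Anything that is not a plain IPv4 address should be rejected before it is used. `buildrules` starts and ends outside this hunk.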
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 5a8cfb1..844cbf6 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -73,70 +73,6 @@ iptables_init() {
+ /sbin/iptables -A INPUT -j BADTCP
+ /sbin/iptables -A FORWARD -j BADTCP
+
+-}
+-
+-iptables_red() {
+- /sbin/iptables -F REDINPUT
+- /sbin/iptables -F REDFORWARD
+- /sbin/iptables -t nat -F REDNAT
+-
+- # PPPoE / PPTP Device
+- if [ "$IFACE" != "" ]; then
+- # PPPoE / PPTP
+- if [ "$DEVICE" != "" ]; then
+- /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
+- fi
+- if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
+- if [ "$RED_DEV" != "" ]; then
+- /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT
+- fi
+- fi
+- fi
+-
+- # PPTP over DHCP
+- if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
+- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
+- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
+- fi
+-
+- # Orange pinholes
+- if [ "$ORANGE_DEV" != "" ]; then
+- # This rule enables a host on ORANGE network to connect to the outside
+- # (only if we have a red connection)
+- if [ "$IFACE" != "" ]; then
+- /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
+- fi
+- fi
+-
+- if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
+- # DHCP
+- if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
+- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- fi
+- if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
+- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- fi
+-
+- # Outgoing masquerading (don't masqerade IPSEC (mark 50))
+- /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+- /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+-
+- fi
+-}
+-
+-# See how we were called.
+-case "$1" in
+- start)
+- iptables_init
+-
+- # Limit Packets- helps reduce dos/syn attacks
+- # original do nothing line
+- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
+- # the correct one, but the negative '!' do nothing...
+- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP
+-
+ # Fix for braindead ISP's
+ /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+@@ -273,6 +209,12 @@ case "$1" in
+ /etc/sysconfig/firewall.local start
+ fi
+
++ # run openvpn
++ /usr/local/bin/openvpnctrl --create-chains-and-rules
++
++ # run wirelessctrl
++ /usr/local/bin/wirelessctrl
++
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
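Review bot: `openvpnctrl` and `wirelessctrl` here, and `forwardfwctrl` in the next hunk, are called from inside `iptables_init` with no exit-status check, and they run before the closing `-A FORWARD -j DROP` rule is appended at the end of the function. If a helper hangs, the chain is left without its catch-all rule, and if one fails nothing reports that its rules are missing. Whether the chain policies are already DROP at that point is not visible here. I would confirm the `-P` policies are set to DROP at the top of `iptables_init` and at least log a failure, e.g. `/usr/local/bin/forwardfwctrl || echo "forwardfwctrl failed" >&2`. `iptables_init` begins outside this hunk.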
+@@ -283,6 +225,9 @@ case "$1" in
+
+ /usr/sbin/firewall-policy
+
++ # read new firewall
++ /usr/local/bin/forwardfwctrl
++
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+@@ -291,66 +236,80 @@ case "$1" in
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+- ;;
+- startovpn)
+- # run openvpn
+- /usr/local/bin/openvpnctrl --create-chains-and-rules
+- ;;
+- stop)
+- iptables_init
+- # Accept everyting connected
+- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
++}
+
+- # localhost and ethernet.
+- /sbin/iptables -A INPUT -i lo -j ACCEPT
+- /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT
++iptables_red() {
++ /sbin/iptables -F REDINPUT
++ /sbin/iptables -F REDFORWARD
++ /sbin/iptables -t nat -F REDNAT
+
+- if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
+- /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++ # PPPoE / PPTP Device
++ if [ "$IFACE" != "" ]; then
++ # PPPoE / PPTP
++ if [ "$DEVICE" != "" ]; then
++ /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
++ fi
++ if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
++ if [ "$RED_DEV" != "" ]; then
++ /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT
++ fi
++ fi
+ fi
+- if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then
+- /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
+- /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++
++ # PPTP over DHCP
++ if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
++ /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
++ /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
+ fi
+
+- # run local firewall configuration, if present
+- if [ -x /etc/sysconfig/firewall.local ]; then
+- /etc/sysconfig/firewall.local stop
++ # Orange pinholes
++ if [ "$ORANGE_DEV" != "" ]; then
++ # This rule enables a host on ORANGE network to connect to the outside
++ # (only if we have a red connection)
++ if [ "$IFACE" != "" ]; then
++ /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
++ fi
+ fi
+
+- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
++ if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
++ # DHCP
++ if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
++ /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++ /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++ fi
++ if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
++ /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++ /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
++ fi
++
++ # Outgoing masquerading (don't masqerade IPSEC (mark 50))
++ /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
++ /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+- if [ "$DROPINPUT" == "on" ]; then
+- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+- fi
+- if [ "$DROPFORWARD" == "on" ]; then
+- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+-
++}
++
++# See how we were called.
++case "$1" in
++ start)
++ iptables_init
+ ;;
+- stopovpn)
+- # stop openvpn
+- /usr/local/bin/openvpnctrl --delete-chains-and-rules
+- ;;
+ reload)
+ iptables_red
+-
+ # run local firewall configuration, if present
+- if [ -x /etc/sysconfig/firewall.local ]; then
++ if [ -x /etc/sysconfig/firewall.local ]; then
+ /etc/sysconfig/firewall.local reload
+ fi
+ ;;
+ restart)
+- $0 stop
++ # run local firewall configuration, if present
++ if [ -x /etc/sysconfig/firewall.local ]; then
++ /etc/sysconfig/firewall.local stop
++ fi
+ $0 start
+- /usr/local/bin/forwardfwctrl
+- /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+- /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
+ ;;
+ *)
+- echo "Usage: $0 {start|stop|reload|restart}"
++ echo "Usage: $0 {start|reload|restart}"
+ exit 1
+ ;;
+ esac
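Review bot: The `stop`, `startovpn` and `stopovpn` actions are dropped from the `case`, but nothing in this patch shows their callers being updated. Any remaining `firewall stop` or `firewall startovpn` invocation now falls into `*)`, prints the usage line, exits 1 and leaves the rule set untouched, so the other init scripts and the ctrl helpers should be checked for those arguments. Separately, the moved `iptables_red` body still expands `$DEVICE`, `$RED_DEV`, `$ORANGE_DEV` and `$IFACE` unquoted in the iptables calls. Since these come from configuration files, I would quote them, e.g. `/sbin/iptables -A REDINPUT -i "$DEVICE" -j ACCEPT`.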
+--
+1.7.10.4
+
--- /dev/null
+From b3bc30b71e4ca243a442ffa86d5f463abecd6285 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 20 Jun 2013 11:23:43 +0200
+Subject: [PATCH 245/302] Forward Firewall: on every reload of the new
+ firewall-rules the firewall.local is also reloaded
+
+---
+ config/forwardfw/rules.pl | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 92b487b..252b598 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -139,6 +139,7 @@ if($param eq 'flush'){
+ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-policy");
++ system ("/etc/sysconfig/firewall.local reload");
+ }
+ }
+ }
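Review bot: The added `system ("/etc/sysconfig/firewall.local reload");` runs unconditionally and ignores the exit status, while the init script in this series only calls that file after an `-x` test. I would write `system('/etc/sysconfig/firewall.local', 'reload') if -x '/etc/sysconfig/firewall.local';`, which also bypasses the shell. Because a locally edited script now executes on every rule reload with the privileges of rules.pl, a comment stating that the file must be owned and writable by root only would be worth adding. The enclosing `if($param eq 'flush')` block starts outside the hunk.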
+--
+1.7.10.4
+
--- /dev/null
+From 5c61b3bbc8a2328b53dcea6dcbc33d3c2ae87029 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 25 Jun 2013 12:35:01 +0200
+Subject: [PATCH 246/302] Forward Firewall: reorganised ruletable layout
+
+---
+ html/cgi-bin/forwardfw.cgi | 62 +++++++++++++++++++++++---------------------
+ langs/de/cgi-bin/de.pl | 4 +--
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 61c4d63..ab9d5b6 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -404,7 +404,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ }
+ #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) {
++ if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $fwdfwsettings{'nosave2'} = 'on';
+ $errormessage='';
+@@ -552,14 +552,14 @@ sub addrule
+ }
+ sub base
+ {
+- if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+- if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+- if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
+- if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+ &hint;
+ &addrule;
+ print "<br><br>";
+ &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+ print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
+@@ -2345,8 +2345,8 @@ sub viewtablenew
+ my @tmpsrc=();
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+- print"<table width='100%' cellspacing='0' cellpadding='0'>";
+- print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'fwdfw time'}</td><td align='center' colspan='6'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<table width='100%' cellspacing='0' cellpadding='0' border='0'>";
++ print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center' width='25'></td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";#<td align='center'><b>$Lang::tr{'fwdfw time'}</td><b>$Lang::tr{'protocol'}</b>
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+ @tmpsrc=();
+@@ -2399,7 +2399,7 @@ sub viewtablenew
+ }
+ print"<tr bgcolor='$color' >";
+ print<<END;
+- <td align='right' width='15'><b>$key</b></td>
++ <td align='right' width='18'><b>$key  </b></td>
+ END
+ if ($$hash{$key}[0] eq 'ACCEPT'){
+ $ruletype='A';
+@@ -2414,7 +2414,7 @@ END
+ $tooltip='REJECT';
+ $rulecolor=$color{'color16'};
+ }
+- print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ print"<td bgcolor='$rulecolor' align='center' width='10'><span title='$tooltip'><b>$ruletype</b></span></td>";
+ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+@@ -2426,7 +2426,7 @@ END
+ &getsrcport(\%$hash,$key);
+ #Is this a SNAT rule?
+ if ($$hash{$key}[31] eq 'snat'){
+- print"<br>SNAT -> $$hash{$key}[29]";
++ print"<br>-> $$hash{$key}[29]";
+ if ($$hash{$key}[30] ne ''){
+ print": $$hash{$key}[30]";
+ }
+@@ -2456,7 +2456,7 @@ END
+ $$hash{$key}[30]=~ tr/|/,/;
+ print": $$hash{$key}[30]";
+ }
+- print"<br> DNAT->";
++ print"<br>->";
+ }
+ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
+ if ($$hash{$key}[6] eq 'RED1')
+@@ -2487,22 +2487,7 @@ END
+ my $protz=join(",",@protocols);
+ print"<td align='center'>$protz</td>";
+ @protocols=();
+- if ($$hash{$key}[18] eq 'ON'){
+- my @days=();
+- if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
+- if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});}
+- if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});}
+- if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});}
+- if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
+- if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
+- if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+- my $weekdays=join(",",@days);
+- if (@days){
+- print"<td align='center' width='100'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td>";
+- }
+- }else{
+- print"<td align='center'>24/7</td>";
+- }
++
+ if($$hash{$key}[2] eq 'ON'){
+ $gif="/images/on.gif"
+
+@@ -2560,11 +2545,28 @@ END
+ print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>";
+ }
+ #REMARK
+- if ($optionsfw{'SHOWREMARK'} eq 'on'){
++ if (($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne '') || $$hash{$key}[18] eq 'ON'){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='11'>  $$hash{$key}[16]</td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='3'>  $$hash{$key}[16]</td>";
++ #TIMEFRAME
++ if ($$hash{$key}[18] eq 'ON'){
++ my @days=();
++ if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});}
++ if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});}
++ if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});}
++ if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});}
++ if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});}
++ if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});}
++ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
++ my $weekdays=join(",",@days);
++ if (@days){
++ print"<td align='right' colspan='7'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
++ }
++ }else{
++ print"<td align='right' colspan='7'>24/7</td></tr>";
++ }
+ }
+- print"<tr bgcolor='$color'><td height='1'></td><td bgcolor='$rulecolor'></td><td colspan='11'></td></tr>";
++ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
+ print"</table>";
+ &Header::closebox();
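Review bot: With the new condition `(... 'SHOWREMARK'} eq 'on' && ...[16] ne '') || $$hash{$key}[18] eq 'ON'`, the remark cell is printed for every time-restricted rule even when `SHOWREMARK` is off. When field 18 is `ON` but `@days` is empty, the row opened by `<tr bgcolor='$color'>` is never closed, because the only `</tr>` sits inside `if (@days)`. The remark `$$hash{$key}[16]` is also interpolated into the HTML unescaped. Unless its character set is restricted when the rule is saved (not visible here), it should be HTML-escaped on output, for instance with `&Header::cleanhtml` if that helper is available in this tree. I would emit the remark only under the `SHOWREMARK` test and print `</tr>` unconditionally after the timeframe block. `viewtablenew` starts outside this hunk.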
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index b4aa0a1..7d9de98 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -885,7 +885,7 @@
+ 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
+ 'fwdfw additional' => 'Zusätzlich',
+ 'fwdfw action' => 'Aktion',
+-'fwdfw menu' => 'Firewall',
++'fwdfw menu' => 'Firewall Regeln',
+ 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
+ 'fwdfw addr grp' => 'Adressgruppen:',
+ 'fwdfw change' => 'Aktualisieren',
+@@ -962,7 +962,7 @@
+ 'fwdfw wd_fri' => 'Fr',
+ 'fwdfw wd_sat' => 'Sa',
+ 'fwdfw wd_sun' => 'So',
+-'fwdfw xt access' => 'Zugriff auf Firewall',
++'fwdfw xt access' => 'Input',
+ 'fwhost addgrp' => 'Gruppe:',
+ 'fwhost addgrpname' => 'Gruppenname:',
+ 'fwhost addhost' => 'Adresse:',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 2148f23..375075a 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -908,7 +908,7 @@
+ 'fwdfw ACCEPT' => 'ACCEPT',
+ 'fwdfw additional' => 'Additional',
+ 'fwdfw action' => 'Action',
+-'fwdfw menu' => 'Firewall',
++'fwdfw menu' => 'Firewall rules',
+ 'fwdfw addrule' => 'Add/Edit rule:',
+ 'fwdfw addr grp' => 'Adress groups:',
+ 'fwdfw change' => 'Update',
+--
+1.7.10.4
+
--- /dev/null
+From 1bc3f0e2835dbd40fbfdb776fbbc81ab6f44afe2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 07:38:15 +0200
+Subject: [PATCH 247/302] Forward Firewall: moved "firewall default behaviour"
+ from firewall page to firewall-options page. Some
+ changes in languagefiles de and en.
+
+---
+ html/cgi-bin/forwardfw.cgi | 113 +++++++-------------------------------------
+ html/cgi-bin/optionsfw.cgi | 78 ++++++++++++++++++++++++++----
+ langs/de/cgi-bin/de.pl | 30 ++++++------
+ langs/en/cgi-bin/en.pl | 22 ++++-----
+ 4 files changed, 112 insertions(+), 131 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index ab9d5b6..be80364 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -117,16 +117,6 @@ my @protocols;
+ &Header::openbigbox('100%', 'center',$errormessage);
+ #### ACTION #####
+
+-if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
+-{
+- my $MODE = $fwdfwsettings{'POLICY'};
+- my $MODE1 = $fwdfwsettings{'POLICY1'};
+- %fwdfwsettings = ();
+- $fwdfwsettings{'POLICY'} = "$MODE";
+- $fwdfwsettings{'POLICY1'} = "$MODE1";
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- &reread_rules;
+-}
+ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ {
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+@@ -436,42 +426,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &base;
+ }
+ }
+-if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
+-{
+- if($fwdfwsettings{'poltype'} eq 'forward'){
+- &General::readhasharray("$configfwdfw", \%configfwdfw);
+- foreach my $key (sort keys %configfwdfw){
+- &checkcounter($configfwdfw{$key}[3],$configfwdfw{$key}[4],,);
+- &checkcounter($configfwdfw{$key}[5],$configfwdfw{$key}[6],,);
+- &checkcounter($configfwdfw{$key}[14],$configfwdfw{$key}[15],,);
+- }
+- system("rm ${General::swroot}/forward/config");
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+- my $MODE1=$fwdfwsettings{'POLICY1'};
+- %fwdfwsettings = ();
+- $fwdfwsettings{'POLICY'}='MODE2';
+- $fwdfwsettings{'POLICY1'}=$MODE1;
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- &reread_rules;
+- }else{
+- &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+- foreach my $key (sort keys %configoutgoingfw){
+- &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
+- &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
+- &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,);
+- }
+- system("rm ${General::swroot}/forward/outgoing");
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+- my $MODE=$fwdfwsettings{'POLICY'};
+- %fwdfwsettings = ();
+- $fwdfwsettings{'POLICY'}=$MODE;
+- $fwdfwsettings{'POLICY1'}='MODE2';
+- &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+- &reread_rules;
+- }
+-}
+ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'})
+ {
+ &newrule;
+@@ -555,41 +509,6 @@ sub base
+ &hint;
+ &addrule;
+ print "<br><br>";
+- &Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
+- if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
+- if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+- if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
+- if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
+-print <<END;
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <table width='100%' border='0'>
+- <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>FORWARD </td></tr>
+- <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text'}</td></tr>
+- <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
+- <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+- <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <input type='submit' name='ACTION' value=$Lang::tr{'save'} /></td><td width='45%' align='right'>
+-
+-END
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='forward' /></td></tr>";
+- print "</table></form>";
+- print"<br><br>";
+- print <<END;
+- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+- <table width='100%' border='0'>
+- <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>OUTGOING </td></tr>
+- <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text1'}</td></tr>
+- <tr><td colspan='3'><hr /></td></tr>
+- <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
+- <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+- <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+- <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td><td width='45%' align='right'>
+-
+-END
+- print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /><input type='hidden' name='poltype' value='outgoing' /></tr>";
+- print "</table></form>";
+- &Header::closebox();
+ print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</font></div>";
+ }
+ sub changerule
+@@ -1189,7 +1108,10 @@ END
+ next if($defaultNetworks{$network}{'NAME'} eq "IPFire" && $srctgt eq 'tgt');
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
+- print ">$network</option>";
++ my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS";
++ $ifaces{$defnet} = '0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'ALL');
++ $defnet = "RED_ADDRESS" if ($defaultNetworks{$network}{'NAME'} eq 'IPFire');
++ print ">$network $ifaces{$defnet} </option>";
+ }
+ print"</select></td></tr>";
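Review bot: The added `$ifaces{$defnet} = '0.0.0.0' if (...)` writes a display value into `%ifaces` from inside the option-rendering loop, so an `ALL_NETADDRESS` key now exists for any later code that reads that hash. A local keeps the loop side-effect free: after the `RED_ADDRESS` line, `my $addr = $defaultNetworks{$network}{'NAME'} eq 'ALL' ? '0.0.0.0' : $ifaces{$defnet};` and then print `$addr`. Networks with no matching `<NAME>_NETADDRESS` entry would presumably print an empty label, so a fallback to an empty string is worth adding. The enclosing sub starts outside the hunk.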
+ #custom networks
+@@ -1751,14 +1673,14 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>IPFire</b></td>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+- print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+- print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+- print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+- print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
+- print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} (Default IP)</option>" if $ifaces{'RED_ADDRESS'};
++ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'} 0.0.0.0</option>";
++ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} $ifaces{'GREEN_ADDRESS'}</option>" if $ifaces{'GREEN_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} $ifaces{'ORANGE_ADDRESS'}</option>" if $ifaces{'ORANGE_ADDRESS'};
++ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} $ifaces{'BLUE_ADDRESS'}</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} $ifaces{'RED_ADDRESS'}</option>" if $ifaces{'RED_ADDRESS'};
+
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+@@ -2545,9 +2467,11 @@ END
+ print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>";
+ }
+ #REMARK
+- if (($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne '') || $$hash{$key}[18] eq 'ON'){
++ if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='3'>  $$hash{$key}[16]</td>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='10'>  $$hash{$key}[16]</td></tr>";
++ }
++ if ($$hash{$key}[18] eq 'ON'){
+ #TIMEFRAME
+ if ($$hash{$key}[18] eq 'ON'){
+ my @days=();
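Review bot: The added `if ($$hash{$key}[18] eq 'ON'){` sits directly above the existing `#TIMEFRAME` test of the same condition, so the check is now nested inside itself. The extra closing brace for it is added in the following hunk; dropping the added `if` together with that `}` keeps the behaviour and removes one nesting level. Separately, the remark `$$hash{$key}[16]` is printed into the table cell as-is. Its safety therefore rests entirely on validation when the rule is saved, which is outside this hunk, so HTML-escaping it at print time would make the output safe even if the config file is edited by hand or restored from a backup.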
+@@ -2560,11 +2484,10 @@ END
+ if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});}
+ my $weekdays=join(",",@days);
+ if (@days){
+- print"<td align='right' colspan='7'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
+- }
+- }else{
+- print"<td align='right' colspan='7'>24/7</td></tr>";
++ print"<tr bgcolor='$color'>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
+ }
++ }
+ }
+ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
+@@ -2579,7 +2502,5 @@ END
+ }
+ }
+ }
+-
+-
+ &Header::closebigbox();
+ &Header::closepage();
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 9e39fbf..616f529 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -27,6 +27,13 @@ my %checked =(); # Checkbox manipulations
+ my $filename = "${General::swroot}/optionsfw/settings";
+
+ our %settings=();
++my %fwdfwsettings=();
++my %configfwdfw=();
++my %configoutgoingfw=();
++
++my $configfwdfw = "${General::swroot}/forward/config";
++my $configoutgoing = "${General::swroot}/forward/outgoing";
++
+ $settings{'DISABLEPING'} = 'NO';
+ $settings{'DROPNEWNOTSYN'} = 'on';
+ $settings{'DROPINPUT'} = 'on';
+@@ -43,22 +50,43 @@ $settings{'SHOWDROPDOWN'} = 'off';
+ my $errormessage = '';
+ my $warnmessage = '';
+
++&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++
+ &Header::showhttpheaders();
+
+ #Get GUI values
+ &Header::getcgihash(\%settings);
+
++
++
+ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
+-
+- $errormessage = $Lang::tr{'new optionsfw later'};
+- delete $settings{'__CGI__'};
+- delete $settings{'x'};
+- delete $settings{'y'};
+- &General::writehash($filename, \%settings); # Save good settings
++ if ($settings{'defpol'} ne '1'){
++ $errormessage = $Lang::tr{'new optionsfw later'};
++ delete $settings{'__CGI__'};
++ delete $settings{'x'};
++ delete $settings{'y'};
++ &General::writehash($filename, \%settings); # Save good settings
++ system("/usr/local/bin/forwardfwctrl");
++ }else{
++ if ($settings{'POLICY'} ne ''){
++ $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
++ }
++ if ($settings{'POLICY1'} ne ''){
++ $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
++ }
++ my $MODE = $fwdfwsettings{'POLICY'};
++ my $MODE1 = $fwdfwsettings{'POLICY1'};
++ %fwdfwsettings = ();
++ $fwdfwsettings{'POLICY'} = "$MODE";
++ $fwdfwsettings{'POLICY1'} = "$MODE1";
++ &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
++ system("/usr/local/bin/forwardfwctrl");
++ }
+ }else {
+ &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed
+- }
+- system("/usr/local/bin/forwardfwctrl");
++}
++
+ &Header::openpage($Lang::tr{'options fw'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+
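Review bot: In the new `else` branch, `$settings{'POLICY'}` and `$settings{'POLICY1'}` are copied from the request into `forward/settings` with only an empty-string check, and `forwardfwctrl` is then run on the result. The form offers only `MODE1` and `MODE2`, so the handler should accept exactly those, e.g. `if ($settings{'POLICY'} =~ /\A(MODE1|MODE2)\z/) { $fwdfwsettings{'POLICY'} = $1; }`, with the same for `POLICY1`. As written, any other submitted string becomes the stored default policy, and what the rule generator does with an unknown value is not visible here. The return value of `system("/usr/local/bin/forwardfwctrl")` is also ignored in both branches, so a failed reload is reported to the user as a successful save.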
+@@ -111,7 +139,6 @@ $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
+ $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
+ $selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';
+
+-
+ &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
+ print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
+
+@@ -182,5 +209,38 @@ print <<END
+ END
+ ;
+ &Header::closebox();
++
++&Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'});
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
++print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <table width='100%' border='0'>
++ <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>FORWARD </td></tr>
++ <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text'}</td></tr>
++ <tr><td colspan='3'><hr /></td></tr>
++ <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px">
++ <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
++ <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
++ <input type='submit' name='ACTION' value=$Lang::tr{'save'} /><input type='hidden' name='defpol' value='1'></td>
++END
++ print "</tr></table></form>";
++ print"<br><br>";
++ print <<END;
++ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
++ <table width='100%' border='0'>
++ <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>OUTGOING </td></tr>
++ <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text1'}</td></tr>
++ <tr><td colspan='3'><hr /></td></tr>
++ <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px">
++ <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
++ <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
++ <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td>
++END
++ print "</tr></table></form>";
++ &Header::closebox();
++
+ &Header::closebigbox();
+ &Header::closepage();
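Review bot: The FORWARD form's submit button is written as `value=$Lang::tr{'save'}` without quotes, while the OUTGOING form quotes the same attribute. With a translation that contains a space, the browser submits only the first word, so the handler's `$settings{'ACTION'} eq $Lang::tr{'save'}` test fails and the policy change is silently dropped. It should match the second form: `<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />`. Neither form carries an anti-CSRF token in this hunk, so a default-policy change relies on whatever request-origin check the web UI applies elsewhere; that is worth confirming for a setting that can open or close the firewall.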
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 7d9de98..fd0c934 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -893,26 +893,26 @@
+ 'fwdfw cust net' => 'Custom Netzwerke:',
+ 'fwdfw copy' => 'Kopieren',
+ 'fwdfw delete' => 'Löschen',
+-'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
++'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP Adresse mit der aus ZIEL)',
+ 'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
+ 'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden',
+ 'fwdfw DROP' => 'Verwerfen (DROP)',
+ 'fwdfw edit' => 'Bearbeiten',
+ 'fwdfw err nosrc' => 'Keine Quelle gewählt',
+-'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben',
++'fwdfw err nosrcip' => 'Bitte Quell IP Adresse angeben',
+ 'fwdfw err notgt' => 'Kein Ziel gewählt',
+-'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben',
++'fwdfw err notgtip' => 'Bitte Ziel IP Adresse angeben',
+ 'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein',
+ 'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen',
+ 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
+-'fwdfw err src_addr' => 'Quell-MAC/IP ungültig',
+-'fwdfw err srcovpn' => 'Quell-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
++'fwdfw err src_addr' => 'Quell-MAC/IP Adresse ungültig',
++'fwdfw err srcovpn' => 'Quell-IP Adresse ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+ 'fwdfw err same' => 'Quelle und Ziel sind identisch',
+ 'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz',
+ 'fwdfw err srcport' => 'Bitte Quellport angeben',
+ 'fwdfw err tgtport' => 'Bitte Zielport angeben',
+-'fwdfw err tgt_addr' => 'Ziel-IP ungültig',
+-'fwdfw err tgtovpn' => 'Ziel-IP ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
++'fwdfw err tgt_addr' => 'Ziel-IP Adresse ungültig',
++'fwdfw err tgtovpn' => 'Ziel-IP Adresse ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+ 'fwdfw err tgt_port' => 'Ziel Port ungültig',
+ 'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden',
+ 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer',
+@@ -929,8 +929,8 @@
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+-'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+-'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
++'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln.',
++'fwdfw pol text1' => 'Standardverhalten für Verbindungen von Firewall. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+ 'fwdfw red' => 'INTERNET',
+ 'fwdfw REJECT' => 'Verweigern (REJECT)',
+ 'fwdfw reread' => 'Übernehmen',
+@@ -940,10 +940,10 @@
+ 'fwdfw rulepos' => 'Regelposition',
+ 'fwdfw snat' => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)',
+ 'fwdfw source' => 'Quelle',
+-'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):',
++'fwdfw sourceip' => 'Quelladresse (MAC, IP Adresse oder Netzwerk):',
+ 'fwdfw std network' => 'Standard Netzwerke:',
+ 'fwdfw target' => 'Ziel',
+-'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):',
++'fwdfw targetip' => 'Zieladresse (IP Adresse oder Netzwerk):',
+ 'fwdfw till' => 'Bis:',
+ 'fwdfw time' => 'Zeitrahmen',
+ 'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+@@ -983,7 +983,7 @@
+ 'fwhost cust srvgrp' => 'Custom Dienstgruppen',
+ 'fwhost deleted' => 'Gelöscht',
+ 'fwhost empty' => 'Keine Regeln definiert',
+-'fwhost err addr' => 'IP oder Subnetzmaske ungültig',
++'fwhost err addr' => 'IP Adresse oder Subnetzmaske ungültig',
+ 'fwhost err addrgrp' => 'Bitte gruppenname angeben',
+ 'fwhost err empty' => 'Bitte alle Felder füllen',
+ 'fwhost err grpexist' => 'Gruppe existiert bereits',
+@@ -991,14 +991,14 @@
+ 'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich',
+ 'fwhost err name1' => 'Name muss gefüllt sein',
+ 'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits',
+-'fwhost err net' => 'Netzwerk IP existiert bereits',
++'fwhost err net' => 'Netzwerk IP Adresse existiert bereits',
+ 'fwhost err mac' => 'MAC Adresse ungültig',
+ 'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits',
+ 'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt',
+ 'fwhost err hostorip' => 'Name oder IP Adresse ungültig',
+ 'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet',
+-'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet',
+-'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet',
++'fwhost err isccdipnet' => 'Diese IP Adresse wird bereits für einen Openvpn Netzwerk verwendet',
++'fwhost err isccdiphost'=> 'Diese IP Adresse wird bereits für einen Openvpn Host verwendet',
+ 'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet',
+ 'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe',
+ 'fwhost err ip' => 'IP Addresse ungültig',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 375075a..6b4d5df 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -916,7 +916,7 @@
+ 'fwdfw cust net' => 'Custom networks:',
+ 'fwdfw copy' => 'Copy',
+ 'fwdfw delete' => 'Delete',
+-'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)',
++'fwdfw dnat' => 'DNAT/Portforward (replace this IP address with the one from TARGET)',
+ 'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
+ 'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
+ 'fwdfw DROP' => 'DROP',
+@@ -929,13 +929,13 @@
+ 'fwdfw err remark' => 'Invalid chars in remark.',
+ 'fwdfw err ruleexists' => 'This rule already exists.',
+ 'fwdfw err src_addr' => 'Invalid source MAC/IP.',
+-'fwdfw err srcovpn' => 'Source-IP is an OpenVPN client. Please use dropdown for selection',
++'fwdfw err srcovpn' => 'Source-IP address is an OpenVPN client. Please use dropdown for selection',
+ 'fwdfw err same' => 'Identical source and target',
+ 'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
+ 'fwdfw err srcport' => 'Please provide source port.',
+ 'fwdfw err tgtport' => 'Please provide target port.',
+ 'fwdfw err tgt_addr' => 'Invalid target IP-address.',
+-'fwdfw err tgtovpn' => 'Target-IP is an OpenVPN client. Please use dropdown for selection',
++'fwdfw err tgtovpn' => 'Target-IP address is an OpenVPN client. Please use dropdown for selection',
+ 'fwdfw err tgt_port' => 'Invalid target port',
+ 'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.',
+ 'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+@@ -963,10 +963,10 @@
+ 'fwdfw rulepos' => 'Rule position',
+ 'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)',
+ 'fwdfw source' => 'Source',
+-'fwdfw sourceip' => 'Source address (MAC, IP or Network):',
++'fwdfw sourceip' => 'Source address (MAC, IP address or Network):',
+ 'fwdfw std network' => 'Standard networks:',
+ 'fwdfw target' => 'Target',
+-'fwdfw targetip' => 'Target address (IP or network):',
++'fwdfw targetip' => 'Target address (IP address or network):',
+ 'fwdfw till' => 'Till:',
+ 'fwdfw time' => 'Timeframe',
+ 'fwdfw timeframe' => 'Add timeframe',
+@@ -1006,7 +1006,7 @@
+ 'fwhost cust srvgrp' => 'Custom servicegroups',
+ 'fwhost deleted' => 'Deleted',
+ 'fwhost empty' => 'No rules defined',
+-'fwhost err addr' => 'Invalid IP or subnet',
++'fwhost err addr' => 'Invalid IP address or subnet',
+ 'fwhost err addrgrp' => 'Please provide a groupname',
+ 'fwhost err empty' => 'Please fill in all fields',
+ 'fwhost err grpexist' => 'Group already exists',
+@@ -1014,14 +1014,14 @@
+ 'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+ 'fwhost err name1' => 'Name is empty.',
+ 'fwhost err netexist' => 'A network with this name already exists',
+-'fwhost err net' => 'Network IP already exists',
++'fwhost err net' => 'Network IP address already exists',
+ 'fwhost err mac' => 'MAC address invalid',
+ 'fwhost err hostexist' => 'A host with this name already exists',
+ 'fwhost err hostip' => 'Network or broadcast addresses not allowed',
+-'fwhost err hostorip' => 'Name or IP invalid',
++'fwhost err hostorip' => 'Name or IP address invalid',
+ 'fwhost err isccdhost' => 'This name is already used by an OpenVPN client',
+-'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network',
+-'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client',
++'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network',
++'fwhost err isccdiphost'=> 'This IP address is already used by an OpenVPN client',
+ 'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network',
+ 'fwhost err isingrp' => 'This entry already exists in the group',
+ 'fwhost err ip' => 'IP address invalid',
+@@ -1031,7 +1031,7 @@
+ 'fwhost err partofnet' => 'This network is part of an already existing one',
+ 'fwhost err port' => 'Port is empty',
+ 'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 and -_();|.',
+-'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
++'fwhost err srvexist' => 'This service already exists in the group',
+ 'fwhost err srv exists' => 'A Service with this name already exists',
+ 'fwhost err sub32' => 'Please add single host. This subnet is no network',
+ 'fwhost green' => 'Green',
+--
+1.7.10.4
+
--- /dev/null
+From 2f07d7b0fb5a78a35c72482bce3bfffe2ba79caf Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 07:56:35 +0200
+Subject: [PATCH 248/302] Forward Firewall: convert-dmz now puts converted
+ files into /var/ipfire/forward/config instead of
+ /var/ipfire/forward/dmz
+
+---
+ config/forwardfw/convert-dmz | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
+index 9c1ad04..0722f5b 100755
+--- a/config/forwardfw/convert-dmz
++++ b/config/forwardfw/convert-dmz
+@@ -19,7 +19,7 @@ my %ifaces=();
+ my %configfwdfw=();
+ require '/var/ipfire/general-functions.pl';
+ my $dmzconfig = "${General::swroot}/dmzholes/config";
+-my $fwdfwconfig = "${General::swroot}/forward/dmz";
++my $fwdfwconfig = "${General::swroot}/forward/config";
+ my $ifacesettings = "${General::swroot}/ethernet/settings";
+ my $field0 = 'ACCEPT';
+ my $field1 = 'FORWARDFW';
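Review bot: Pointing `$fwdfwconfig` at `forward/config` means the converter now writes into the same file that holds the user's forward rules, and this hunk does not show how the file is written. If the script opens the target for writing rather than reading the existing entries and appending under fresh keys, running it on a system that already has forward rules would replace them. The write path is outside this hunk, so please confirm it merges. A comment on the changed line would record the expectation, e.g. `# shared with forwardfw.cgi: converted DMZ rules must be appended, never overwrite existing keys`.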
+--
+1.7.10.4
+
--- /dev/null
+From 017ed2c7fb7c4572be74670b8ec9db47d0ecb0d1 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 09:07:05 +0200
+Subject: [PATCH 249/302] Forward Firewall: removed DMZ from rules.pl (does no
+ longer exist, is forward now
+
+---
+ config/forwardfw/rules.pl | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 252b598..34df8b0 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -44,7 +44,6 @@ our %targethash=();
+ my @timeframe=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
+-my %configdmzfw=();
+ my %confignatfw=();
+ my %aliases=();
+ my @DPROT=();
+@@ -53,7 +52,6 @@ require '/var/ipfire/general-functions.pl';
+ require "${General::swroot}/lang.pl";
+ require "${General::swroot}/forward/bin/firewall-lib.pl";
+
+-my $configdmz = "${General::swroot}/forward/dmz";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+@@ -73,7 +71,6 @@ my $dnat='';
+ my $snat='';
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &General::readhash("$netsettings", \%defaultNetworks);
+-&General::readhasharray($configdmz, \%configdmzfw);
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
+ &General::readhasharray($configoutgoing, \%configoutgoingfw);
+@@ -154,9 +151,6 @@ sub flush
+ }
+ sub preparerules
+ {
+- if (! -z "${General::swroot}/forward/dmz"){
+- &buildrules(\%configdmzfw);
+- }
+ if (! -z "${General::swroot}/forward/config"){
+ &buildrules(\%configfwdfw);
+ }
+--
+1.7.10.4
+
--- /dev/null
+From db4cd4299144536ac6db8067909e39c1acb3cf90 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 09:42:38 +0200
+Subject: [PATCH 250/302] Forward Firewall: removed dmz from forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 113 +++++---------------------------------------
+ 1 file changed, 13 insertions(+), 100 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index be80364..2867278 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -47,7 +47,6 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+-unless (-e "${General::swroot}/forward/dmz") { system("touch ${General::swroot}/forward/dmz"); }
+ unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); }
+
+ my %fwdfwsettings=();
+@@ -65,7 +64,6 @@ my %ccdhost=();
+ my %configfwdfw=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
+-my %configdmzfw=();
+ my %confignatfw=();
+ my %ipsecconf=();
+ my %color=();
+@@ -92,7 +90,6 @@ my $configipsecrw = "${General::swroot}/vpn/settings";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+-my $configdmz = "${General::swroot}/forward/dmz";
+ my $confignat = "${General::swroot}/forward/nat";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+ my $fwoptions = "${General::swroot}/optionsfw/settings";
+@@ -200,59 +197,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'nosave2'} ne 'on'){
+ &saverule(\%confignatfw,$confignat);
+ }
+- #DMZ-Part
+- }elsif ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on'){
+- $fwdfwsettings{'config'}=$configdmz;
+- $fwdfwsettings{'chain'} = 'FORWARDFW';
+- my $maxkey=&General::findhasharraykey(\%configdmzfw);
+- #check if we have an identical rule already
+- if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+- foreach my $key (sort keys %configdmzfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+- $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+- $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+- }
+- if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+- $fwdfwsettings{'nosave'} = 'on';
+- }
+- }
+- }
+- }
+- #check Rulepos on new Rule
+- if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+- $fwdfwsettings{'oldrulenumber'}=$maxkey;
+- foreach my $key (sort keys %configdmzfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configdmzfw{$key}[0],$configdmzfw{$key}[2],$configdmzfw{$key}[3],$configdmzfw{$key}[4],$configdmzfw{$key}[5],$configdmzfw{$key}[6],$configdmzfw{$key}[7],$configdmzfw{$key}[8],$configdmzfw{$key}[9],$configdmzfw{$key}[10],$configdmzfw{$key}[11],$configdmzfw{$key}[12],$configdmzfw{$key}[13],$configdmzfw{$key}[14],$configdmzfw{$key}[15],$configdmzfw{$key}[17],$configdmzfw{$key}[18],$configdmzfw{$key}[19],$configdmzfw{$key}[20],$configdmzfw{$key}[21],$configdmzfw{$key}[22],$configdmzfw{$key}[23],$configdmzfw{$key}[24],$configdmzfw{$key}[25],$configdmzfw{$key}[26],$configdmzfw{$key}[27]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- }
+- }
+- }
+- #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+- if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- $errormessage='';
+- $fwdfwsettings{'nosave2'} = 'on';
+- }
+- }
+- &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- if ($fwdfwsettings{'nobase'} ne 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- }
+- if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+- }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }
+- if($fwdfwsettings{'nosave2'} ne 'on'){
+- &saverule(\%configdmzfw,$configdmz);
+- }
+ #INPUT part
+ }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+ $fwdfwsettings{'config'}=$configinput;
+@@ -1591,11 +1535,7 @@ sub newrule
+ $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'};
+ $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'};
+ $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'};
+- if ($fwdfwsettings{'config'} eq "${General::swroot}/forward/dmz"){
+- $fwdfwsettings{'oldruletype'}='DMZ';
+- }else{
+- $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'};
+- }
++ $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'};
+ #check if manual ip (source) is orange network
+ if ($fwdfwsettings{'grp1'} eq 'src_addr'){
+ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
+@@ -1991,7 +1931,7 @@ sub saverule
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+ if (!$errormessage){
+- #check if we change a NAT to a FORWARD/DMZ
++ #check if we change a NAT to a FORWARD
+ if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){
+ &changerule($confignat);
+ #print"1";
+@@ -2007,78 +1947,52 @@ sub saverule
+ #print"3";
+ }
+ ################################################################
+- #check if we change a DMZ to a NAT
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+- &changerule($configdmz);
+- #print"4";
+- }
+- #check if we change a DMZ to an OUTGOING
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
+- &changerule($configdmz);
+- #print"5";
+- }
+- #check if we change a DMZ to an INPUT
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){
+- &changerule($configdmz);
+- #print"6";
+- }
+- #check if we change a DMZ to a FORWARD/DMZ
+- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE' && $checkorange ne 'on'){
+- &changerule($configdmz);
+- #print"7";
+- }
+- ################################################################
+ #check if we change an INPUT rule to a NAT
+ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+ &changerule($configinput);
+- #print"8";
++ #print"4";
+ }
+ #check if we change an INPUT rule to a OUTGOING
+ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
+ &changerule($configinput);
+- #print"9";
++ #print"5";
+ }
+- #check if we change an INPUT rule to a FORWARD/DMZ
++ #check if we change an INPUT rule to a FORWARD
+ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ &changerule($configinput);
+- #print"10";
++ #print"6";
+ }
+ ################################################################
+ #check if we change an OUTGOING rule to an INPUT
+ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){
+ &changerule($configoutgoing);
+- #print"11";
++ #print"7";
+ }
+- #check if we change an OUTGOING rule to a FORWARD/DMZ
++ #check if we change an OUTGOING rule to a FORWARD
+ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ &changerule($configoutgoing);
+- #print"12";
++ #print"8";
+ }
+ #check if we change an OUTGOING rule to a NAT
+ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+ &changerule($configoutgoing);
+- #print"13";
++ #print"9";
+ }
+ ################################################################
+ #check if we change a FORWARD rule to an INPUT
+ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){
+ &changerule($configfwdfw);
+- #print"14";
+- }
+- #check if we change a FORWARD rule to an DMZ
+- elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on')){
+- &changerule($configfwdfw);
+- #print"15";
++ #print"10";
+ }
+ #check if we change a FORWARD rule to an OUTGOING
+ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){
+ &changerule($configfwdfw);
+- #print"16";
++ #print"11";
+ }
+ #check if we change a FORWARD rule to an NAT
+ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+ &changerule($configfwdfw);
+- #print"17";
++ #print"12";
+ }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+@@ -2243,7 +2157,6 @@ sub viewtablerule
+ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
+- &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" );
+ }
+ sub viewtablenew
+ {
+--
+1.7.10.4
+
--- /dev/null
+From 8d09b5e2201696ad8dab3c86b01ba70cfb146152 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 10:29:02 +0200
+Subject: [PATCH 251/302] Forward Firewall: changed layout of "apply-button"
+ (after rules where changed. When using single hosts
+ in rules, the prefix is no longer shown in the
+ ruletable. Default settings for firewall-options
+ changed
+
+---
+ html/cgi-bin/forwardfw.cgi | 18 ++++++++++++++++--
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ lfs/configroot | 4 ++--
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 2867278..db09e5c 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -438,7 +438,7 @@ sub addrule
+ {
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
++ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'});
+ print "<form method='post'>";
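Review bot: The rewritten `print` in `addrule` still emits broken markup: `</div</td>` is missing a `>`, the `<td>` has no opening `<tr>`, and the `<form>` is opened inside the `<table>` but closed after it. Browsers repair this in different ways, so the apply button may not render the same everywhere. Open the form before the table, add the `<tr>`, and end the string with `</div></td></tr></table></form><hr><br>`; `font-face` is also not a CSS property (`font-family` is). The `showmenu` hunk in fwhosts.cgi builds the same structure and never closes its `<div>`.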
+@@ -2155,8 +2155,8 @@ sub viewtablerule
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+ &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" );
+ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+- &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
++ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+ }
+ sub viewtablenew
+ {
+@@ -2254,6 +2254,13 @@ END
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
++ }elsif ($$hash{$key}[3] eq 'src_addr'){
++ my ($split1,$split2) = split("/",$$hash{$key}[4]);
++ if ($split2 eq '32'){
++ print $split1;
++ }else{
++ print $$hash{$key}[4];
++ }
+ }else{
+ print $$hash{$key}[4];
+ }
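Review bot: `$split2` is undefined when field 4 contains no `/`, so the `eq '32'` comparison would warn if warnings are enabled, and the same five lines are repeated for `tgt_addr` in the hunk at -2300. Stripping the suffix directly is shorter and covers both cases: `(my $shown = $$hash{$key}[4]) =~ s{/32\z}{};` followed by `print $shown;`. Whether a host mask can also be stored as `/255.255.255.255` is not visible here; if it can, that form needs the same treatment. The enclosing sub starts and ends outside the hunk.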
+@@ -2300,6 +2307,13 @@ END
+ }else{
+ print &get_name($$hash{$key}[6]);
+ }
++ }elsif ($$hash{$key}[5] eq 'tgt_addr'){
++ my ($split1,$split2) = split("/",$$hash{$key}[6]);
++ if ($split2 eq '32'){
++ print $split1;
++ }else{
++ print $$hash{$key}[6];
++ }
+ }else{
+ print $$hash{$key}[6];
+ }
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 444b366..4aee444 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1061,7 +1061,7 @@ if($fwhostsettings{'ACTION'} eq '')
+ sub showmenu
+ {
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print<<END;
+diff --git a/lfs/configroot b/lfs/configroot
+index 0eb7728..c7d6ca6 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -123,8 +123,8 @@ $(TARGET) :
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "SHOWCOLORS=off" >> $(CONFIG_ROOT)/optionsfw/settings
+- echo "SHOWTABLES=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+--
+1.7.10.4
+
--- /dev/null
+From fc3837c02c5d952f37b6b6c309721b23cd07b48e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 13:30:30 +0200
+Subject: [PATCH 252/302] Forward Firewall: removed NAT table and txt file.
+
+---
+ config/forwardfw/convert-portfw | 8 +--
+ config/forwardfw/rules.pl | 44 +++++++-------
+ html/cgi-bin/forwardfw.cgi | 128 +++++----------------------------------
+ src/initscripts/init.d/firewall | 4 --
+ 4 files changed, 43 insertions(+), 141 deletions(-)
+
+diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw
+index 8ec3c34..691cfb4 100755
+--- a/config/forwardfw/convert-portfw
++++ b/config/forwardfw/convert-portfw
+@@ -2,7 +2,7 @@
+
+ ########################################################################
+ # Script: convert-portfw
+-# Date: 19.03.2013
++# Date: 21.03.2013
+ # Author: Alexander Marx (amarx@ipfire.org)
+ ########################################################################
+ #
+@@ -18,7 +18,7 @@ my @values=();
+ my @built_rules=();
+ my %nat=();
+ my $portfwconfig = "${General::swroot}/portfw/config";
+-my $confignat = "${General::swroot}/forward/nat";
++my $confignat = "${General::swroot}/forward/config";
+ my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
+ my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
+ my $count=0;
+@@ -94,9 +94,9 @@ sub build_rules
+ $active = uc $active;
+ $prot = uc $prot;
+ chomp($remark);
+- push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
++ push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
+ my $now=localtime;
+- print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
++ print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
+ }
+ }
+ sub write_rules
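Review bot: The converted rule is spelled out twice, once in the `push` and once in the `print LOG`, and this commit had to edit both copies to change the chain name. Building the string once keeps the log in step with what is written: `my $rule = "ACCEPT,FORWARDFW,$active,...,dnat";` with the field list unchanged, then `push(@built_rules, $rule);` and `print LOG "$now Converted-> KEY: $count $rule\n";`. `build_rules` starts outside the hunk.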
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 34df8b0..3f0514d 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -173,6 +173,7 @@ sub buildrules
+ my $fireport;
+ my $nat;
+ my $fwaccessdport;
++ my $natchain;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+@@ -292,17 +293,13 @@ sub buildrules
+ }
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ }
+- }elsif($$hash{$key}[28] ne 'ON'){
+- if ($$hash{$key}[17] eq 'ON'){
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+- }
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
++ $natchain='NAT_DESTINATION';
+ if ($$hash{$key}[17] eq 'ON'){
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
++ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
++ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
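Review bot: The DNAT LOG rule matches on fewer criteria than the DNAT rule printed right after it, because it leaves out `$SPORT $natip`. Assuming `$natip` carries the destination match (its value is not visible here), packets that the translation rule never touches are still logged with the 'DNAT' prefix, which makes the log unreliable for tracing forwarded connections. Give the LOG line the same match: `... $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'`. The `system` variant in the hunk at -342 drops these two terms in this commit. The dnat branch continues past the end of this hunk.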
+@@ -314,10 +311,16 @@ sub buildrules
+ $fwaccessdport="--dport $$hash{$key}[30]";
+ }
+ }
+- print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
++ print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
++ next;
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
++ $natchain='NAT_SOURCE';
++ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ }
++ if ($$hash{$key}[17] eq 'ON'){
++ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
++ }
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ }
+ }
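Review bot: The LOG line added after the if/elsif chain uses `$natchain`, which is assigned only in the dnat and snat branches, while `my $natchain` is declared before the `foreach` over rules (hunk at -173). For a rule whose field 28 is not 'ON' the variable is therefore empty or left over from an earlier NAT rule, so the log rule is built with no chain or with the wrong one. For snat the LOG rule is appended to NAT_SOURCE after the SNAT rule with the same match, where it is unlikely to be reached. Pointing the LOG line at the rule's own chain, as the line below it does, avoids both: start it with `iptables -A $$hash{$key}[1]` instead of `$command $natchain`. The `system` copy in the hunk at -364 has the same problem; the first branch of this chain starts outside the hunk and `$command` is set elsewhere.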
+@@ -342,17 +345,13 @@ sub buildrules
+ }
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ }
+- }elsif($$hash{$key}[28] ne 'ON'){
+- if ($$hash{$key}[17] eq 'ON'){
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+- }
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
++ $natchain='NAT_DESTINATION';
+ if ($$hash{$key}[17] eq 'ON'){
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
++ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
++ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
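Review bot: Every `system` call on the new side passes a single interpolated string, so the command goes through the shell and values taken from the rules file become shell text (`$$hash{$key}[0]` and `$$hash{$key}[1]` here and in the next hunk, `$$hash{$key}[30]` via `$fwaccessdport`). What the CGI validates on save is not visible in this patch, so a field that slips through would alter the command rather than make it fail. Checking chain and action against fixed lists at the top of the per-rule loop closes that for those two fields, e.g. `next unless $$hash{$key}[1] =~ /\A(?:FORWARDFW|INPUTFW|OUTGOINGFW)\z/;`. The trailing `\n` inside the command strings can be dropped at the same time.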
+@@ -364,13 +363,16 @@ sub buildrules
+ $fwaccessdport="--dport $$hash{$key}[30]";
+ }
+ }
+- system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
++ system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
++ next;
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+- if ($$hash{$key}[17] eq 'ON'){
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
+- }
+- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
++ $natchain='NAT_SOURCE';
++ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
++ }
++ if ($$hash{$key}[17] eq 'ON'){
++ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
++ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ }
+ }
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index db09e5c..becacec 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -64,7 +64,6 @@ my %ccdhost=();
+ my %configfwdfw=();
+ my %configinputfw=();
+ my %configoutgoingfw=();
+-my %confignatfw=();
+ my %ipsecconf=();
+ my %color=();
+ my %mainsettings=();
+@@ -90,7 +89,6 @@ my $configipsecrw = "${General::swroot}/vpn/settings";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+-my $confignat = "${General::swroot}/forward/nat";
+ my $configovpn = "${General::swroot}/ovpn/settings";
+ my $fwoptions = "${General::swroot}/optionsfw/settings";
+ my $ifacesettings = "${General::swroot}/ethernet/settings";
+@@ -119,7 +117,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ &General::readhasharray("$configfwdfw", \%configfwdfw);
+ &General::readhasharray("$configinput", \%configinputfw);
+ &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+- &General::readhasharray("$confignat", \%confignatfw);
+ $errormessage=&checksource;
+ if(!$errormessage){&checktarget;}
+ if(!$errormessage){&checkrule;}
+@@ -139,66 +136,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
+- #NAT-Part
+- if ($fwdfwsettings{'USE_NAT'} eq 'ON'){
+- $fwdfwsettings{'config'}=$confignat;
+- if ($fwdfwsettings{'nat'} eq 'dnat'){
+- $fwdfwsettings{'chain'} = 'NAT_DESTINATION';
+- }else{
+- $fwdfwsettings{'chain'} = 'NAT_SOURCE';
+- }
+- my $maxkey=&General::findhasharraykey(\%confignatfw);
+- #check if we have an identical rule already
+- if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+- foreach my $key (sort keys %confignatfw){
+- if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]"
+- eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+- $errormessage='';
+- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+- $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+- }
+- if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+- $fwdfwsettings{'nosave'} = 'on';
+- }
+- }
+- }
+- }
+-
+- #check Rulepos on new Rule
+- if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+- $fwdfwsettings{'oldrulenumber'}=$maxkey;
+- foreach my $key (sort keys %confignatfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
+- $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+- }
+- }
+- }
+- #check if we just close a rule
+- if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) {
+- if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- $errormessage='';
+- $fwdfwsettings{'nosave2'} = 'on';
+- }
+- }
+- &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+- if ($fwdfwsettings{'nobase'} ne 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+- }
+- if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){
+- &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+- }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+- &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+- }
+- if($fwdfwsettings{'nosave2'} ne 'on'){
+- &saverule(\%confignatfw,$confignat);
+- }
+ #INPUT part
+- }elsif($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
++ if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+ $fwdfwsettings{'config'}=$configinput;
+ $fwdfwsettings{'chain'} = 'INPUTFW';
+ my $maxkey=&General::findhasharraykey(\%configinputfw);
+@@ -1931,69 +1870,39 @@ sub saverule
+ my $config=shift;
+ &General::readhasharray("$config", $hash);
+ if (!$errormessage){
+- #check if we change a NAT to a FORWARD
+- if(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'FORWARDFW'){
+- &changerule($confignat);
+- #print"1";
+- }
+- #check if we change a NAT to a INPUT (external access)
+- elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'INPUTFW'){
+- &changerule($confignat);
+- #print"2";
+- }
+- #check if we change a NAT to a OUTGOING
+- elsif(($fwdfwsettings{'oldruletype'} eq 'NAT_SOURCE' || $fwdfwsettings{'oldruletype'} eq 'NAT_DESTINATION') && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){
+- &changerule($confignat);
+- #print"3";
+- }
+ ################################################################
+- #check if we change an INPUT rule to a NAT
+- elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+- &changerule($configinput);
+- #print"4";
+- }
+ #check if we change an INPUT rule to a OUTGOING
+- elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
++ if($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){
+ &changerule($configinput);
+- #print"5";
++ #print"1";
+ }
+ #check if we change an INPUT rule to a FORWARD
+ elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ &changerule($configinput);
+- #print"6";
++ #print"2";
+ }
+ ################################################################
+ #check if we change an OUTGOING rule to an INPUT
+ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){
+ &changerule($configoutgoing);
+- #print"7";
++ #print"3";
+ }
+ #check if we change an OUTGOING rule to a FORWARD
+ elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ &changerule($configoutgoing);
+- #print"8";
+- }
+- #check if we change an OUTGOING rule to a NAT
+- elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+- &changerule($configoutgoing);
+- #print"9";
++ #print"4";
+ }
+ ################################################################
+ #check if we change a FORWARD rule to an INPUT
+ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){
+ &changerule($configfwdfw);
+- #print"10";
++ #print"5";
+ }
+ #check if we change a FORWARD rule to an OUTGOING
+ elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){
+ &changerule($configfwdfw);
+- #print"11";
++ #print"6";
+ }
+- #check if we change a FORWARD rule to an NAT
+- elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && ($fwdfwsettings{'chain'} eq 'NAT_SOURCE' || $fwdfwsettings{'chain'} eq 'NAT_DESTINATION')){
+- &changerule($configfwdfw);
+- #print"12";
+- }
+ if ($fwdfwsettings{'updatefwrule'} ne 'on'){
+ my $key = &General::findhasharraykey ($hash);
+ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
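Review bot: The six remaining branches in `saverule` all say the same thing: if the rule moved between INPUTFW, OUTGOINGFW and FORWARDFW, call `changerule` with the config file of the old type. A lookup table states that once and removes the numbered `#print` debug comments, which have to be renumbered every time a branch is added or removed, as this commit shows. The fence shows the replacement for the whole if/elsif chain; `saverule` starts and ends outside the hunk.

```perl
# … unchanged: readhasharray and the !$errormessage guard …
my %config_of = (
    INPUTFW    => $configinput,
    OUTGOINGFW => $configoutgoing,
    FORWARDFW  => $configfwdfw,
);
my ($old, $new) = ($fwdfwsettings{'oldruletype'}, $fwdfwsettings{'chain'});
# a rule that moved to another chain must be removed from its old file
if (exists $config_of{$old} && exists $config_of{$new} && $old ne $new) {
    &changerule($config_of{$old});
}
# … unchanged: new-rule and update branches …
```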
+@@ -2024,12 +1933,10 @@ sub saverule
+ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+- if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+- $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
+- $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
+- $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
+- $$hash{$key}[31] = $fwdfwsettings{'nat'};
+- }
++ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
++ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
++ $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'nat'};
+ &General::writehasharray("$config", $hash);
+ }else{
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+@@ -2062,12 +1969,10 @@ sub saverule
+ $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'};
+ $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'};
+ $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'};
+- if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+- $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
+- $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
+- $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
+- $$hash{$key}[31] = $fwdfwsettings{'nat'};
+- }
++ $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
++ $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
++ $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
++ $$hash{$key}[31] = $fwdfwsettings{'nat'};
+ last;
+ }
+ }
+@@ -2153,7 +2058,6 @@ sub validremark
+ sub viewtablerule
+ {
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+- &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" );
+ &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
+ &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 844cbf6..2f7577f 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -161,10 +161,6 @@ iptables_init() {
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+- # PORTFWACCESS chain, used for portforwarding
+- /sbin/iptables -N PORTFWACCESS
+- /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+-
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+--
+1.7.10.4
+
--- /dev/null
+From 47c8d81e05848d32f91f98a2962e78fd546d502d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 13:43:53 +0200
+Subject: [PATCH 253/302] Forward Firewall: removed PORTFWACCESS flushing from
+ rules.pl
+
+---
+ config/forwardfw/rules.pl | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 3f0514d..507f0ed 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -145,7 +145,6 @@ sub flush
+ system ("iptables -F FORWARDFW");
+ system ("iptables -F INPUTFW");
+ system ("iptables -F OUTGOINGFW");
+- system ("iptables -F PORTFWACCESS");
+ system ("iptables -t nat -F NAT_DESTINATION");
+ system ("iptables -t nat -F NAT_SOURCE");
+ }
+--
+1.7.10.4
+
--- /dev/null
+From bcbb275be58476206660d94cf076b0f440cc171d Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 13:54:18 +0200
+Subject: [PATCH 254/302] UPNP: changed firewall chain from PORTFW to UPNPFW
+
+---
+ html/cgi-bin/upnp.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/upnp.cgi b/html/cgi-bin/upnp.cgi
+index 8d2666e..2b03eff 100644
+--- a/html/cgi-bin/upnp.cgi
++++ b/html/cgi-bin/upnp.cgi
+@@ -82,7 +82,7 @@ if ($upnpsettings{'ACTION'} eq $Lang::tr{'save'})
+ debug_mode = $upnpsettings{'DEBUGMODE'}
+ insert_forward_rules = $upnpsettings{'FORWARDRULES'}
+ forward_chain_name = FORWARD
+-prerouting_chain_name = PORTFW
++prerouting_chain_name = UPNPFW
+ upstream_bitrate = $upnpsettings{'DOWNSTREAM'}
+ downstream_bitrate = $upnpsettings{'UPSTREAM'}
+ description_document_name = $upnpsettings{'DESCRIPTION'}
+--
+1.7.10.4
+
--- /dev/null
+From 92e5a04674ac6bf561c5a6777f7118ff7bfe3dde Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 26 Jun 2013 15:25:50 +0200
+Subject: [PATCH 255/302] Forward Firewall: added missing fields to the
+ converters (for dnat)
+
+---
+ config/forwardfw/convert-dmz | 10 ++++++++++
+ config/forwardfw/convert-outgoingfw | 8 ++++++++
+ config/forwardfw/convert-xtaccess | 10 +++++++++-
+ html/cgi-bin/forwardfw.cgi | 29 +++++++++++++++--------------
+ 4 files changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
+index 0722f5b..6ba054e 100755
+--- a/config/forwardfw/convert-dmz
++++ b/config/forwardfw/convert-dmz
+@@ -36,6 +36,12 @@ my $field15 = ''; #Port Number
+ my $field16 = ''; #remark
+ my $field26 = '00:00';
+ my $field27 = '00:00';
++my $field28 = '';
++my $field29 = 'ALL';
++my $field30 = '';
++my $field31 = 'dnat';
++
++
+ open(FILE, $dmzconfig) or die 'Unable to open config file.';
+ my @current = <FILE>;
+ close(FILE);
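Review bot: The four new fields carry no comment saying what they hold, unlike `$field15` and `$field16` just above them. Going by what `saverule` in forwardfw.cgi stores at these indexes, they would read `my $field28 = ''; #USE_NAT ('ON' enables NAT)`, `my $field29 = 'ALL'; #NAT address`, `my $field30 = ''; #DNAT port` and `my $field31 = 'dnat'; #NAT type`. It is also worth a line that the `'dnat'` default on a non-NAT rule is harmless only because rules.pl tests field 28 first. The same undocumented literals are added in convert-outgoingfw (hunks at -538 and -563) and convert-xtaccess (hunk at -21).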
+@@ -141,6 +147,10 @@ sub process_rules{
+ $configfwdfw{$key}[25] = '';
+ $configfwdfw{$key}[26] = $field26;
+ $configfwdfw{$key}[27] = $field27;
++ $configfwdfw{$key}[28] = $field28;
++ $configfwdfw{$key}[29] = $field29;
++ $configfwdfw{$key}[30] = $field30;
++ $configfwdfw{$key}[31] = $field31;
+ print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
+ }
+ &General::writehasharray($fwdfwconfig,\%configfwdfw);
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index 54ba709..ef2f7e1 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -538,6 +538,10 @@ sub process_rules
+ $fwconfig{$key}[25] = $time_sun;
+ $fwconfig{$key}[26] = $time_from;
+ $fwconfig{$key}[27] = $time_to;
++ $fwconfig{$key}[28] = '';
++ $fwconfig{$key}[29] = 'ALL';
++ $fwconfig{$key}[30] = '';
++ $fwconfig{$key}[31] = 'dnat';
+ }else{
+ my $key = &General::findhasharraykey(\%fwconfigout);
+ $fwconfigout{$key}[0] = $action;
+@@ -563,6 +567,10 @@ sub process_rules
+ $fwconfigout{$key}[25] = $time_sun;
+ $fwconfigout{$key}[26] = $time_from;
+ $fwconfigout{$key}[27] = $time_to;
++ $fwconfigout{$key}[28] = '';
++ $fwconfigout{$key}[29] = 'ALL';
++ $fwconfigout{$key}[30] = '';
++ $fwconfigout{$key}[31] = 'dnat';
+ }
+ &General::writehasharray($fwdfwconfig,\%fwconfig);
+ &General::writehasharray($outfwconfig,\%fwconfigout);
+diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
+index 85ad1c8..8c3bb56 100755
+--- a/config/forwardfw/convert-xtaccess
++++ b/config/forwardfw/convert-xtaccess
+@@ -21,6 +21,10 @@ my $field15=''; #Port Number
+ my $field16=''; #remark
+ my $field26='00:00';
+ my $field27='00:00';
++my $field28 = '';
++my $field29 = 'ALL';
++my $field30 = '';
++my $field31 = 'dnat';
+ open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
+ my @current = <FILE>;
+ close(FILE);
+@@ -76,7 +80,7 @@ foreach my $line (@current){
+ }
+ $field15=$c;
+ my $key = &General::findhasharraykey (\%configinputfw);
+- foreach my $i (0 .. 27) { $configinputfw{$key}[$i] = "";}
++ foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";}
+ $configinputfw{$key}[0] = $field0;
+ $configinputfw{$key}[1] = $field1;
+ $configinputfw{$key}[2] = $field2;
+@@ -105,5 +109,9 @@ foreach my $line (@current){
+ $configinputfw{$key}[25] = '';
+ $configinputfw{$key}[26] = $field26;
+ $configinputfw{$key}[27] = $field27;
++ $configinputfw{$key}[28] = $field28;
++ $configinputfw{$key}[29] = $field29;
++ $configinputfw{$key}[30] = $field30;
++ $configinputfw{$key}[31] = $field31;
+ &General::writehasharray($inputfwconfig,\%configinputfw);
+ }
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index becacec..bf945a3 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -144,8 +144,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #check if we have an identical rule already
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %configinputfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
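Review bot: The duplicate-rule test compares two hand-built, comma-joined strings of about 30 fields, and as rendered here the separators differ between the two sides (`, ` in some places on one side, `,` on the other). If those spaces really sit inside the quotes, the strings can never be equal and the "rule exists" check is silently disabled. The same expression is pasted into the hunks at -162, -196, -215, -252 and -270 of this file, and a field containing a comma would also make two different rules compare equal. Building both sides as lists and comparing them element by element removes both problems and keeps the column mapping in one place. The enclosing `saverule` block starts and ends outside this hunk.

```perl
# Returns 1 when the submitted form describes the same rule as @$rule.
# $with_log is true for the input/outgoing tables, which also compare column 17 (LOG).
sub same_rule
{
	my ($rule, $with_log) = @_;
	# Columns 1 (chain) and 16 (remark) are not part of a rule's identity.
	my @cols = (0, 2 .. 15, ($with_log ? 17 : ()), 18 .. 31);
	my @keys = ('RULE_ACTION', 'ACTIVE',
		'grp1', $fwdfwsettings{'grp1'}, 'grp2', $fwdfwsettings{'grp2'},
		'USE_SRC_PORT', 'PROT', 'ICMP_TYPES', 'SRC_PORT', 'USESRV', 'TGT_PROT', 'ICMP_TGT',
		'grp3', $fwdfwsettings{'grp3'},
		($with_log ? 'LOG' : ()),
		'TIME', 'TIME_MON', 'TIME_TUE', 'TIME_WED', 'TIME_THU', 'TIME_FRI', 'TIME_SAT', 'TIME_SUN',
		'TIME_FROM', 'TIME_TO',
		'USE_NAT', $fwdfwsettings{'nat'}, 'dnatport', 'nat');
	foreach my $i (0 .. $#cols) {
		my $form   = (defined $keys[$i] && defined $fwdfwsettings{$keys[$i]}) ? $fwdfwsettings{$keys[$i]} : '';
		my $stored = defined $$rule[$cols[$i]] ? $$rule[$cols[$i]] : '';
		return 0 if $form ne $stored;
	}
	return 1;
}

# … unchanged: foreach my $key (sort keys %configinputfw){ …
	if (same_rule($configinputfw{$key}, 1)){
```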
+@@ -162,8 +162,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configinputfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
+@@ -196,8 +196,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %configoutgoingfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, $fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}"
++ eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+@@ -215,8 +215,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ print"CHECK OUTGOING DOPPELTE REGEL<br>";
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configoutgoingfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, $fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}"
++ eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
+@@ -252,8 +252,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configfwdfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+ $errormessage='';
+@@ -262,6 +262,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+ $fwdfwsettings{'nosave'} = 'on';
++ print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]";
+ }
+ }
+ }
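Review bot: The added `print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]";` is debug output left in the save path. It writes a submitted form value and a stored rule column into the page without HTML escaping, and nothing in the hunk shows that the response header has been sent at this point. The line should be dropped, or the trace sent to the system log rather than the response. The context line `print"CHECK OUTGOING DOPPELTE REGEL<br>";` in the hunk at -215 looks like the same kind of leftover.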
+@@ -270,8 +271,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configfwdfw){
+- if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
+- eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
+@@ -2171,7 +2172,7 @@ END
+ $tdcolor='';
+ &getsrcport(\%$hash,$key);
+ #Is this a SNAT rule?
+- if ($$hash{$key}[31] eq 'snat'){
++ if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){
+ print"<br>-> $$hash{$key}[29]";
+ if ($$hash{$key}[30] ne ''){
+ print": $$hash{$key}[30]";
+@@ -2196,7 +2197,7 @@ END
+ <td align='center' width='160' $tdcolor>
+ END
+ #Is this a DNAT rule?
+- if ($$hash{$key}[31] eq 'dnat'){
++ if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
+ print "IPFire ($$hash{$key}[29])";
+ if($$hash{$key}[30] ne ''){
+ $$hash{$key}[30]=~ tr/|/,/;
+--
+1.7.10.4
+
--- /dev/null
+From 22ec57b4b267ff5c4cee411b71aa57ffc1488faa Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 27 Jun 2013 07:28:06 +0200
+Subject: [PATCH 256/302] Forward Firewall: added new line at bottom of all
+ ruletables with the "final rule"
+
+---
+ html/cgi-bin/forwardfw.cgi | 49 ++++++++++++++++++++++++++++++++++++++++----
+ langs/de/cgi-bin/de.pl | 3 +++
+ langs/en/cgi-bin/en.pl | 3 +++
+ 3 files changed, 51 insertions(+), 4 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index bf945a3..d2c502a 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -75,7 +75,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.8';
++my $VERSION='0.9.9.9';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -2317,20 +2317,61 @@ END
+ my $weekdays=join(",",@days);
+ if (@days){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'>$weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'>  $weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
+ }
+ }
+ }
+ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
++ my $col;
++ if ($config eq '/var/ipfire/forward/config'){
++ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
++ $col="bgcolor='darkred'";
++ }else{
++ $col="bgcolor='green'";
++ }
++ print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ }elsif ($config eq '/var/ipfire/forward/outgoing'){
++ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
++ $col="bgcolor='darkred'";
++ }else{
++ $col="bgcolor='green'";
++ }
++ print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ }else{
++ print"<tr><td colspan='13' bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ }
+ print"</table>";
+- &Header::closebox();
+ print "<hr>";
+ print "<br><br>";
++ &Header::closebox();
+ }else{
+ if ($optionsfw{'SHOWTABLES'} eq 'on'){
+ print "<b>$title1</b><br>";
+- print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr></table><br><br>";
++ print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr>";
++ my $col;
++ if ($config eq '/var/ipfire/forward/config'){
++ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
++ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
++ $col="bgcolor='darkred'";
++ }else{
++ $col="bgcolor='green'";
++ }
++ print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ }elsif ($config eq '/var/ipfire/forward/outgoing'){
++ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
++ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
++ $col="bgcolor='darkred'";
++ }else{
++ $col="bgcolor='green'";
++ }
++ print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ }else{
++ print"<tr><td colspan='13' bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ }
++ print"</table><br><br>";
+ }
+ }
+ }
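Review bot: The "final rule" row is produced by the same 17-line block pasted into both the populated-table and the empty-table branch, and each copy shows green for every policy value that is not `MODE1`. An unset or unexpected `POLICY`/`POLICY1` would therefore render as green with an empty `$Lang::tr{$pol}` text, which can mislead an administrator about the default action; what the backend enforces in that case is not visible here. The table is also picked by comparing `$config` with literal `/var/ipfire/...` paths, although the file builds its other paths from `${General::swroot}`. One helper called from both branches would keep the two rows in step; the enclosing sub starts outside this hunk.

```perl
# Prints the closing "final rule" row for the rule table backed by $config.
sub print_final_rule
{
	my ($config) = @_;
	my $mode = 'MODE1';	# input table: always shown as drop
	if ($config eq '/var/ipfire/forward/config'){
		$mode = $fwdfwsettings{'POLICY'};
	}elsif ($config eq '/var/ipfire/forward/outgoing'){
		$mode = $fwdfwsettings{'POLICY1'};
	}
	# NOTE(review): confirm which colour an unset policy should get.
	my $col = ($mode eq 'MODE1') ? 'darkred' : 'green';
	print "<tr><td colspan='13' bgcolor='$col' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw '.$mode}</font></td></tr>";
}

# … unchanged: rule rows / "fwhost empty" row …
	&print_final_rule($config);
```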
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index fd0c934..e62d2e7 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -918,6 +918,7 @@
+ 'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer',
+ 'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden',
+ 'fwdfw from' => 'Von:',
++'fwdfw final_rule' => 'Letzte Regel: ',
+ 'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind',
+ 'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+ 'fwdfw ipsec network' => 'IPsec Netzwerke:',
+@@ -925,6 +926,8 @@
+ 'fwdfw man port' => 'Port(s) manuell:',
+ 'fwdfw moveup' => 'Hoch',
+ 'fwdfw movedown' => 'Runter',
++'fwdfw MODE1' => 'Alle Pakete verwerfen',
++'fwdfw MODE2' => 'Alle Pakete annehmen',
+ 'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Unter Umständen können einzelne aktivierte P2P Netzewerke einen erheblichen Teil der Bandbreite beanspruchen.',
+ 'fwdfw pol allow' => 'Zugelassen',
+ 'fwdfw pol block' => 'Blockiert',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 6b4d5df..dc887b0 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -941,6 +941,7 @@
+ 'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+ 'fwdfw err time' => 'You have to define at least one day.',
+ 'fwdfw from' => 'From:',
++'fwdfw final_rule' => 'Last rule: ',
+ 'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.',
+ 'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
+ 'fwdfw ipsec network' => 'IpSec networks:',
+@@ -948,6 +949,8 @@
+ 'fwdfw man port' => 'Port(s) manual:',
+ 'fwdfw moveup' => 'Move up',
+ 'fwdfw movedown' => 'Move down',
++'fwdfw MODE1' => 'Drop all packets',
++'fwdfw MODE2' => 'Accept all packets',
+ 'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith.',
+ 'fwdfw pol allow' => 'Allowed',
+ 'fwdfw pol block' => 'Blocked',
+--
+1.7.10.4
+
--- /dev/null
+From fc4307d85c3b8440085da057df1e64ddd454a7e6 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 28 Jun 2013 09:36:31 +0200
+Subject: [PATCH 257/302] Forward Firewall: Design changes 1) source has a new
+ option "firewall" with dropdown for interfaces 2)
+ source default networks->deleted IPFire, all ip's
+ now in brackets 3) deleted warning message in
+ Target that a mac is not usable 4) changes for
+ "apply" button 5) in ruletable the protocol is now
+ right beneath the ruletype column 6) changed target
+ dropdown "INTERNET" to "RED" 7) renamed OpenVPN
+ N-2N to OpenVPN Net-to-Net 8) set missing default
+ firewall options 9) little changes on the en and de
+ lang files
+
+---
+ config/forwardfw/rules.pl | 26 ++++++++++-
+ html/cgi-bin/forwardfw.cgi | 106 ++++++++++++++++++++++++++++----------------
+ html/cgi-bin/fwhosts.cgi | 3 +-
+ langs/de/cgi-bin/de.pl | 15 +++----
+ langs/en/cgi-bin/en.pl | 15 +++----
+ lfs/configroot | 2 +
+ 6 files changed, 109 insertions(+), 58 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 507f0ed..9268a6f 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -209,7 +209,7 @@ sub buildrules
+ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
+ }
+ }
+- }elsif($$hash{$key}[5] eq 'ipfire'){
++ }elsif($$hash{$key}[5] eq 'ipfire' ){
+ if($$hash{$key}[6] eq 'GREEN'){
+ $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
+ }
+@@ -505,6 +505,30 @@ sub get_address
+ $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
+ }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
+ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
++ }elsif($base eq 'ipfire_src' ){
++ if($base2 eq 'GREEN'){
++ $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
++ }
++ if($base2 eq 'BLUE'){
++ $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
++ }
++ if($base2 eq 'ORANGE'){
++ $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
++ }
++ if($base2 eq 'ALL'){
++ $$hash{$key}[0]='0.0.0.0/0';
++ }
++ if($base2 eq 'RED' || $base2 eq 'RED1'){
++ open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
++ $$hash{$key}[0]= <FILE>;
++ close(FILE);
++ }else{
++ foreach my $alias (sort keys %aliases){
++ if ($base2 eq $alias){
++ $$hash{$key}[0]=$aliases{$alias}{'IPT'};
++ }
++ }
++ }
+ }
+ }
+ sub get_prot
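Review bot: In the new `ipfire_src` branch the `else` belongs only to the `RED`/`RED1` test, so for `GREEN`, `BLUE`, `ORANGE` and `ALL` the alias loop still runs and an alias with one of those names would overwrite the address that was just set. The RED address is also read with a bareword two-argument `open` and assigned without `chomp`, so a trailing newline in the file would travel into the rule data. And `die` here aborts rule generation whenever the file is missing; whether that can leave a partially built ruleset depends on the caller, which is outside the hunk. An `elsif` chain with a lexical handle addresses the first two points.

```perl
	}elsif($base eq 'ipfire_src' ){
		if($base2 eq 'GREEN'){
			$$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
		}elsif($base2 eq 'BLUE'){
			$$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
		}elsif($base2 eq 'ORANGE'){
			$$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
		}elsif($base2 eq 'ALL'){
			$$hash{$key}[0]='0.0.0.0/0';
		}elsif($base2 eq 'RED' || $base2 eq 'RED1'){
			open(my $fh, '<', "/var/ipfire/red/local-ipaddress") or die "Couldn't open local-ipaddress";
			my $redip = <$fh>;
			close($fh);
			chomp($redip) if defined $redip;
			$$hash{$key}[0]=$redip;
		}else{
			# … unchanged: alias lookup loop …
		}
```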
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index d2c502a..afa0587 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -189,8 +189,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'nosave2'} ne 'on'){
+ &saverule(\%configinputfw,$configinput);
+ }
+- }elsif($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' ){
+- # OUTGOING PART
++ }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){
++ # OUTGOING PART
+ $fwdfwsettings{'config'}=$configoutgoing;
+ $fwdfwsettings{'chain'} = 'OUTGOINGFW';
+ my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
+@@ -378,7 +378,7 @@ sub addrule
+ {
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
++ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><br>";
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'});
+ print "<form method='post'>";
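Review bot: The rewritten reread banner still emits `</div</td>`, with the `>` after `</div` missing, and the `<form>` opened inside the `<table>` is closed only after `</table>`, so browsers have to repair the markup around the submit button. The tail of the string should read `</div></td></tr></table></form><br>`, ideally with the `<form>` wrapped around the whole table. The body of `addrule` continues outside this hunk.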
+@@ -979,6 +979,7 @@ sub gen_dd_block
+ $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED';
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+ print<<END;
+ <table width='100%' border='0'>
+@@ -989,13 +990,16 @@ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src');
+- next if($defaultNetworks{$network}{'NAME'} eq "IPFire" && $srctgt eq 'tgt');
++ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
+ my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS";
+- $ifaces{$defnet} = '0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'ALL');
+- $defnet = "RED_ADDRESS" if ($defaultNetworks{$network}{'NAME'} eq 'IPFire');
+- print ">$network $ifaces{$defnet} </option>";
++ $ifaces{$defnet}='0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
++ if ($ifaces{$defnet}){
++ print ">$network ($ifaces{$defnet})</option>";
++ }else{
++ print ">$network</option>";
++ }
+ }
+ print"</select></td></tr>";
+ #custom networks
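Review bot: `$ifaces{$defnet}='0.0.0.0' if (... eq 'RED')` stores a display placeholder in `%ifaces`, so anything that reads that key later in the request sees 0.0.0.0 instead of the configured value (the removed line did the same for `ALL`). Use a local for the label instead, `my $addr = $defaultNetworks{$network}{'NAME'} eq 'RED' ? '0.0.0.0' : $ifaces{$defnet};`, and print `$addr`. The enclosing sub starts outside the hunk, so whether `%ifaces` is read again afterwards is not visible here.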
+@@ -1403,6 +1407,7 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -1462,6 +1467,7 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
++ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
+ $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
+ $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
+ }
+@@ -1510,9 +1516,24 @@ sub newrule
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td colspan='5'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td></tr>
+- <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr>
+- </table>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td><td width='1%'><input type='radio' name='grp1' value='ipfire_src' $checked{'grp1'}{'ipfire'}></td><td><b>Firewall</b></td>
++END
++ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
++ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
++ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
++ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($ifaces{'RED_ADDRESS'})</option>" if $ifaces{'RED_ADDRESS'};
++
++ if (! -z "${General::swroot}/ethernet/aliases"){
++ foreach my $alias (sort keys %aliases)
++ {
++ print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>";
++ }
++ }
++ print<<END;
++ </td></tr>
++ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ END
+ &gen_dd_block('src','grp1');
+ print<<END;
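Review bot: The new `ipfire_src` radio button is rendered with `$checked{'grp1'}{'ipfire'}`, but its value is `ipfire_src`. `%checked` appears to be keyed by the submitted `grp1` value, so this button would never come back checked when a rule with a firewall source is edited, and the form falls back to the hard-coded `checked` on `src_addr`. An administrator re-saving such a rule could then change its source without noticing; use `$checked{'grp1'}{'ipfire_src'}`. `newrule` starts outside the hunk.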
+@@ -1553,14 +1574,14 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='57%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+- print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'} 0.0.0.0</option>";
+- print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} $ifaces{'GREEN_ADDRESS'}</option>" if $ifaces{'GREEN_ADDRESS'};
+- print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} $ifaces{'ORANGE_ADDRESS'}</option>" if $ifaces{'ORANGE_ADDRESS'};
+- print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} $ifaces{'BLUE_ADDRESS'}</option>" if $ifaces{'BLUE_ADDRESS'};
+- print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} $ifaces{'RED_ADDRESS'}</option>" if $ifaces{'RED_ADDRESS'};
++ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
++ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
++ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($ifaces{'RED_ADDRESS'})</option>" if $ifaces{'RED_ADDRESS'};
+
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+@@ -1574,8 +1595,7 @@ END
+ END
+ &gen_dd_block('tgt','grp2');
+ print<<END;
+- <b>$Lang::tr{'fwhost attention'}:</b><br>
+- $Lang::tr{'fwhost macwarn'}<br><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
++ <hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
+ END
+@@ -1696,7 +1716,8 @@ END
+ }
+ }
+ print"</select></td></tr>";
+- print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='40' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>";
++ print"<tr><td width='100%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='78' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>";
++ #print"<tr><td width='100%'>$Lang::tr{'remark'}:</td><td align='left'><textarea name='ruleremark' cols='70' rows='3' value='$fwdfwsettings{'ruleremark'}'></textarea></td></tr>";
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){
+ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >";
+ for (my $count =1; $count <= $sum; $count++){
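Review bot: `$fwdfwsettings{'ruleremark'}` is interpolated into a single-quoted `value='…'` attribute on the rewritten line without HTML escaping, so a remark containing `'` or `<` ends the attribute early and is parsed as markup when the rule is edited. The hunk does not show where the remark is validated, so it may already be filtered on input. If not, encode it at output with the project's escaping helper (for example `&Header::cleanhtml(...)`), checking that the helper also encodes the single quote used as the delimiter. The same pattern applies to `$alias` in the new `ipfire_src` option loop (`@@ -1510`) and to the `src_addr`/`tgt_addr` inputs. The added commented-out `<textarea>` line is dead code and can be dropped.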
+@@ -2086,7 +2107,7 @@ sub viewtablenew
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+ print"<table width='100%' cellspacing='0' cellpadding='0' border='0'>";
+- print"<tr><td align='center'><b>#</td><td ></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center' width='25'></td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";#<td align='center'><b>$Lang::tr{'fwdfw time'}</td><b>$Lang::tr{'protocol'}</b>
++ print"<tr><td align='center'><b>#</td><td></td><td align='center' width='25'></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+ @tmpsrc=();
+@@ -2138,9 +2159,11 @@ sub viewtablenew
+ }
+ }
+ print"<tr bgcolor='$color' >";
++ #KEY
+ print<<END;
+ <td align='right' width='18'><b>$key  </b></td>
+ END
++ #RULETYPE (A,R,D)
+ if ($$hash{$key}[0] eq 'ACCEPT'){
+ $ruletype='A';
+ $tooltip='ACCEPT';
+@@ -2155,6 +2178,23 @@ END
+ $rulecolor=$color{'color16'};
+ }
+ print"<td bgcolor='$rulecolor' align='center' width='10'><span title='$tooltip'><b>$ruletype</b></span></td>";
++ #Get Protocol
++ my $prot;
++ if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual
++ push (@protocols,$$hash{$key}[8]);
++ }elsif ($$hash{$key}[12]){ #target prot if manual
++ push (@protocols,$$hash{$key}[12]);
++ }elsif($$hash{$key}[14] eq 'cust_srv'){
++ &get_serviceports("service",$$hash{$key}[15]);
++ }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
++ &get_serviceports("group",$$hash{$key}[15]);
++ }else{
++ push (@protocols,$Lang::tr{'all'});
++ }
++ my $protz=join(",",@protocols);
++ print"<td align='center'>$protz</td>";
++ @protocols=();
++ #SOURCE
+ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
+ if ($$hash{$key}[3] eq 'std_net_src'){
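Review bot: `my $prot;` in the moved protocol block is never used within the hunk, and `@protocols` is only emptied after the cell is printed. The output therefore depends on the array being empty when the iteration starts and, apparently, on `get_serviceports` filling it as a side effect. Drop the unused declaration and reset before use by placing `@protocols=();` ahead of the `if`. The loop and `viewtablenew` start outside the hunk.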
+@@ -2170,10 +2210,11 @@ END
+ print $$hash{$key}[4];
+ }
+ $tdcolor='';
++ #SOURCEPORT
+ &getsrcport(\%$hash,$key);
+ #Is this a SNAT rule?
+ if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){
+- print"<br>-> $$hash{$key}[29]";
++ print"<br>->$$hash{$key}[29]";
+ if ($$hash{$key}[30] ne ''){
+ print": $$hash{$key}[30]";
+ }
+@@ -2183,6 +2224,7 @@ END
+ }else{
+ $log="/images/off.gif";
+ }
++ #LOGGING
+ print<<END;
+ </td>
+ <form method='post'>
+@@ -2192,13 +2234,14 @@ END
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+ </td></form>
+ END
++ #TARGET
+ &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost);
+ print<<END;
+ <td align='center' width='160' $tdcolor>
+ END
+ #Is this a DNAT rule?
+ if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
+- print "IPFire ($$hash{$key}[29])";
++ print "Firewall ($$hash{$key}[29])";
+ if($$hash{$key}[30] ne ''){
+ $$hash{$key}[30]=~ tr/|/,/;
+ print": $$hash{$key}[30]";
+@@ -2223,25 +2266,10 @@ END
+ print $$hash{$key}[6];
+ }
+ $tdcolor='';
++ #TARGETPORT
+ &gettgtport(\%$hash,$key);
+ print"</td>";
+- #Get Protocol
+- my $prot;
+- if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual
+- push (@protocols,$$hash{$key}[8]);
+- }elsif ($$hash{$key}[12]){ #target prot if manual
+- push (@protocols,$$hash{$key}[12]);
+- }elsif($$hash{$key}[14] eq 'cust_srv'){
+- &get_serviceports("service",$$hash{$key}[15]);
+- }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+- &get_serviceports("group",$$hash{$key}[15]);
+- }else{
+- push (@protocols,$Lang::tr{'all'});
+- }
+- my $protz=join(",",@protocols);
+- print"<td align='center'>$protz</td>";
+- @protocols=();
+-
++ #RULE ACTIVE
+ if($$hash{$key}[2] eq 'ON'){
+ $gif="/images/on.gif"
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 4aee444..ac0c044 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1061,7 +1061,7 @@ if($fwhostsettings{'ACTION'} eq '')
+ sub showmenu
+ {
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
++ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</td></tr></table></form><br>";
+ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print<<END;
+@@ -1110,7 +1110,6 @@ sub addhost
+ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
+ <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='17'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr>
+- <tr><td colspan='5'><br><br><b>$Lang::tr{'fwhost attention'}</b><br>$Lang::tr{'fwhost macwarn'}</td></tr>
+ <tr><td colspan='5'><hr></hr></td></tr>
+ END
+
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index e62d2e7..106b1b2 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -934,7 +934,7 @@
+ 'fwdfw pol title' => 'Standardverhalten der Firewall',
+ 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln.',
+ 'fwdfw pol text1' => 'Standardverhalten für Verbindungen von Firewall. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+-'fwdfw red' => 'INTERNET',
++'fwdfw red' => 'ROT',
+ 'fwdfw REJECT' => 'Verweigern (REJECT)',
+ 'fwdfw reread' => 'Übernehmen',
+ 'fwdfw rules' => 'Regeln',
+@@ -979,11 +979,11 @@
+ 'fwhost ccdnet' => 'OpenVPN Netzwerke:',
+ 'fwhost change' => 'Ändern',
+ 'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
+-'fwhost cust addr' => 'Custom Adressen:',
+-'fwhost cust grp' => 'Custom Gruppen:',
+-'fwhost cust net' => 'Custom Netzwerke:',
+-'fwhost cust service' => 'Custom Dienste:',
+-'fwhost cust srvgrp' => 'Custom Dienstgruppen',
++'fwhost cust addr' => 'Adressen:',
++'fwhost cust grp' => 'Gruppen:',
++'fwhost cust net' => 'Netzwerke:',
++'fwhost cust service' => 'Dienste:',
++'fwhost cust srvgrp' => 'Dienstgruppen',
+ 'fwhost deleted' => 'Gelöscht',
+ 'fwhost empty' => 'Keine Regeln definiert',
+ 'fwhost err addr' => 'IP Adresse oder Subnetzmaske ungültig',
+@@ -1028,10 +1028,9 @@
+ 'fwhost newgrp' => 'Adressgruppierung',
+ 'fwhost newservice' => 'Diensteinstellungen',
+ 'fwhost newservicegrp' => 'Dienstgruppierung',
+-'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+ 'fwhost menu' => 'Firewallgruppen',
+ 'fwhost orange' => 'Orange',
+-'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
++'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protokoll',
+ 'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index dc887b0..27a2bb6 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -957,7 +957,7 @@
+ 'fwdfw pol title' => 'Firewall default behavior',
+ 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+ 'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.',
+-'fwdfw red' => 'INTERNET',
++'fwdfw red' => 'RED',
+ 'fwdfw REJECT' => 'REJECT',
+ 'fwdfw reread' => 'Apply',
+ 'fwdfw rules' => 'Rules',
+@@ -1002,11 +1002,11 @@
+ 'fwhost ccdnet' => 'OpenVPN networks:',
+ 'fwhost change' => 'Modify',
+ 'fwhost changeremark' => 'You just modified the remark',
+-'fwhost cust addr' => 'Custom addresses:',
+-'fwhost cust grp' => 'Custom groups:',
+-'fwhost cust net' => 'Custom networks:',
+-'fwhost cust service' => 'Custom services:',
+-'fwhost cust srvgrp' => 'Custom servicegroups',
++'fwhost cust addr' => 'Addresses:',
++'fwhost cust grp' => 'Groups:',
++'fwhost cust net' => 'Networks:',
++'fwhost cust service' => 'Services:',
++'fwhost cust srvgrp' => 'Servicegroups',
+ 'fwhost deleted' => 'Deleted',
+ 'fwhost empty' => 'No rules defined',
+ 'fwhost err addr' => 'Invalid IP address or subnet',
+@@ -1051,10 +1051,9 @@
+ 'fwhost newgrp' => 'Address grouping',
+ 'fwhost newservice' => 'Service',
+ 'fwhost newservicegrp' => 'Service grouping',
+-'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored.',
+ 'fwhost menu' => 'Firewall Groups',
+ 'fwhost orange' => 'Orange',
+-'fwhost ovpn_n2n' => 'OpenVPN N-2-N',
++'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
+ 'fwhost port' => 'Port(s)',
+ 'fwhost prot' => 'Protocol',
+ 'fwhost reread' => 'Firewall rules need to be updated.',
+diff --git a/lfs/configroot b/lfs/configroot
+index c7d6ca6..b43f0cf 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -122,6 +122,8 @@ $(TARGET) :
+ echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPSAMBA=on" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPPROXY=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
+--
+1.7.10.4
+
--- /dev/null
+From 6c3e0aa57945c2071bb89bbc6fc1395091d9a405 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 1 Jul 2013 16:38:14 +0200
+Subject: [PATCH 258/302] Forward Firewall: changed some names and added
+ subnets to dropdowns
+
+---
+ config/cfgroot/general-functions.pl | 4 ++--
+ html/cgi-bin/forwardfw.cgi | 9 ++++++---
+ html/cgi-bin/fwhosts.cgi | 22 +++++++++++-----------
+ langs/de/cgi-bin/de.pl | 18 ++++++++++--------
+ langs/en/cgi-bin/en.pl | 28 +++++++++++++++-------------
+ 5 files changed, 44 insertions(+), 37 deletions(-)
+
+diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
+index 7aed63b..40d4bc7 100644
+--- a/config/cfgroot/general-functions.pl
++++ b/config/cfgroot/general-functions.pl
+@@ -82,8 +82,8 @@ sub setup_default_networks
+ my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
+ $sub=&General::iporsubtocidr($sub);
+ my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
+- $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
+- $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
++ $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'ADR'} = $tempovpnsubnet[0];
++ $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'NAME'} = "OpenVPN-Dyn";
+ }
+ } # end OpenVPN
+ # IPsec RW NET
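Review bot: The label `'OpenVPN ' ."($ip/$sub)"` is built twice as a hash key, and `$tempovpnsubnet[0]` repeats the `$ip` already split three lines above. Build it once with `my $label = "OpenVPN ($ip/$sub)";` and use `$defaultNetworks->{$label}` for both assignments, so the two keys cannot drift apart. Because the label doubles as the hash key, any consumer matching the old `OpenVPN <ip>/<cidr>` form would need the same change; none is visible in this hunk. `setup_default_networks` starts outside the hunk.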
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index afa0587..8458d4d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -994,9 +994,12 @@ END
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
+ my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS";
++ my $defsub="$defaultNetworks{$network}{'NAME'}_NETMASK";
++ my $defsub1=&General::subtocidr($ifaces{$defsub});
+ $ifaces{$defnet}='0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
++ $defsub1 ='0' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
+ if ($ifaces{$defnet}){
+- print ">$network ($ifaces{$defnet})</option>";
++ print ">$network ($ifaces{$defnet}/$defsub1)</option>";
+ }else{
+ print ">$network</option>";
+ }
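Review bot: `&General::subtocidr($ifaces{$defsub})` is called for every entry of `%defaultNetworks`, including entries that may have no `<NAME>_NETMASK` key in `%ifaces`, so the helper can be handed `undef`; what it returns in that case is not visible here. If a net address exists without a netmask, the label would print with an empty prefix after the slash. Compute the prefix only inside the `if ($ifaces{$defnet})` branch, e.g. `my $defsub1 = $defaultNetworks{$network}{'NAME'} eq 'RED' ? '0' : &General::subtocidr($ifaces{$defsub});`, and print the bare address when it is empty. The loop starts outside the hunk.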
+@@ -1694,7 +1697,7 @@ END
+ #---Activate/logging/remark-------------------------------------
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+- <table width='100%' border='0'>
++ <table width='100%' border='1'>
+ <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'>
+ END
+ foreach ("ACCEPT","DROP","REJECT")
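Review bot: The change from `border='0'` to `border='1'` on the table in the "additional" box looks like a layout-debugging leftover. The other tables in the visible hunks of this file use `border='0'`, and the commit subject mentions only name changes and subnets in dropdowns. If it is unintended, restore `<table width='100%' border='0'>`.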
+@@ -1716,7 +1719,7 @@ END
+ }
+ }
+ print"</select></td></tr>";
+- print"<tr><td width='100%'>$Lang::tr{'remark'}:</td><td align='left'><input type='text' name='ruleremark' size='78' maxlength='255' value='$fwdfwsettings{'ruleremark'}'></td></tr>";
++ print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td width='88%' align='left'><input type='text' name='ruleremark' maxlength='255' value='$fwdfwsettings{'ruleremark'}' style='width:99%':></td></tr>";
+ #print"<tr><td width='100%'>$Lang::tr{'remark'}:</td><td align='left'><textarea name='ruleremark' cols='70' rows='3' value='$fwdfwsettings{'ruleremark'}'></textarea></td></tr>";
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){
+ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >";
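Review bot: The rewritten `ruleremark` input ends with `style='width:99%':>`; the `:` after the closing quote is a stray character that leaves a malformed attribute in the tag, and it should read `style='width:99%'>`. The value is also still interpolated unescaped into the single-quoted `value` attribute, so a remark containing `'` ends the attribute early unless it is filtered before this point, which the hunk does not show.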
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index ac0c044..9afc7c8 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1083,9 +1083,9 @@ sub addnet
+ $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td width='15%'>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
+- <tr><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
+- <tr><td>$Lang::tr{'netmask'}:</td><td><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='15'></td></tr>
++ <tr><td width='15%'>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr>
++ <tr><td>$Lang::tr{'netmask'}:</td><td><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr>
+ <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98.5%;'></td></tr>
+ <tr><td colspan='6'><br><hr></hr></td></tr><tr>
+ END
+@@ -1107,8 +1107,8 @@ sub addhost
+ $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'};
+ print<<END;
+ <table border='0' width='100%'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
+- <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='14' maxlength='17'></td></tr>
++ <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='17'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr>
+ <tr><td colspan='5'><hr></hr></td></tr>
+ END
+@@ -1147,7 +1147,7 @@ sub addgrp
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='20'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></td></tr>
+ <tr><td colspan='2'><br><hr></td></tr></table>
+ END
+@@ -1242,7 +1242,7 @@ sub addservice
+ {
+ &error;
+ &showmenu;
+- &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservice'});
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservice'});
+ if ($fwhostsettings{'updatesrv'} eq 'on')
+ {
+ $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'};
+@@ -1251,7 +1251,7 @@ sub addservice
+ }
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}' size='14'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}' size='24'><script>document.getElementById('textbox1').focus()</script></td></tr>
+ <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'>
+ END
+ foreach ("TCP","UDP","ICMP")
+@@ -1275,7 +1275,7 @@ END
+
+ print<<END;
+ </select></td></tr>
+- <tr><td width='10%'>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='24'></td></tr>
+ <tr><td colspan='6'><br><hr></td></tr>
+ <tr><td colspan='6' align='right'>
+ END
+@@ -1306,12 +1306,12 @@ sub addservicegrp
+ &hint;
+ &error;
+ &showmenu;
+- &Header::openbox('100%', 'left', $Lang::tr{'fwhost newservicegrp'});
++ &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservicegrp'});
+ $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'};
+ if ($fwhostsettings{'updatesrvgrp'} eq ''){
+ print<<END;
+ <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' size='14'></td></tr>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' size='24'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width: 98%;'></td></tr>
+ <tr><td colspan='2'><br><hr></tr>
+ </table>
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 106b1b2..ed09273 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -966,11 +966,13 @@
+ 'fwdfw wd_sat' => 'Sa',
+ 'fwdfw wd_sun' => 'So',
+ 'fwdfw xt access' => 'Input',
+-'fwhost addgrp' => 'Gruppe:',
++'fwhost addgrp' => 'Gruppe hinzufügen:',
+ 'fwhost addgrpname' => 'Gruppenname:',
+-'fwhost addhost' => 'Adresse:',
+-'fwhost addnet' => 'Netzwerk:',
++'fwhost addhost' => 'Host hinzufügen:',
++'fwhost addnet' => 'Netzwerk hinzufügen:',
+ 'fwhost addrule' => 'Regel hinzufügen/ändern:',
++'fwhost addservice' => 'Dienst hinzufügen:',
++'fwhost addservicegrp' => 'Dienstgruppe hinzufügen:',
+ 'fwhost any' => 'Alle',
+ 'fwhost attention' => 'ACHTUNG',
+ 'fwhost back' => 'Zurück',
+@@ -979,7 +981,7 @@
+ 'fwhost ccdnet' => 'OpenVPN Netzwerke:',
+ 'fwhost change' => 'Ändern',
+ 'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
+-'fwhost cust addr' => 'Adressen:',
++'fwhost cust addr' => 'Hosts:',
+ 'fwhost cust grp' => 'Gruppen:',
+ 'fwhost cust net' => 'Netzwerke:',
+ 'fwhost cust service' => 'Dienste:',
+@@ -1023,10 +1025,10 @@
+ 'fwhost ipsec host' => 'IPsec Clients:',
+ 'fwhost ipsec net' => 'IPsec Netzwerke:',
+ 'fwhost netaddress' => 'Netzwerk Adresse',
+-'fwhost newnet' => 'Netzeinstellungen',
+-'fwhost newhost' => 'Adresseinstellungen',
+-'fwhost newgrp' => 'Adressgruppierung',
+-'fwhost newservice' => 'Diensteinstellungen',
++'fwhost newnet' => 'Netzwerke',
++'fwhost newhost' => 'Hosts',
++'fwhost newgrp' => 'Netzwerk-/ Hostgruppierung',
++'fwhost newservice' => 'Dienst',
+ 'fwhost newservicegrp' => 'Dienstgruppierung',
+ 'fwhost menu' => 'Firewallgruppen',
+ 'fwhost orange' => 'Orange',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 27a2bb6..6b99d2c 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -989,24 +989,26 @@
+ 'fwdfw wd_sat' => 'Sat',
+ 'fwdfw wd_sun' => 'Sun',
+ 'fwdfw xt access' => 'Access to firewall',
+-'fwhost addgrp' => 'Group:',
++'fwhost addgrp' => 'Add Network / Host Group:',
+ 'fwhost addgrpname' => 'Groupname:',
+-'fwhost addhost' => 'Address:',
+-'fwhost addnet' => 'Network:',
++'fwhost addhost' => 'Add Host:',
++'fwhost addnet' => 'Add Network:',
+ 'fwhost addrule' => 'Add/Edit rule:',
++'fwhost addservice' => 'Add Service:',
++'fwhost addservicegrp' => 'Add Service Group:',
+ 'fwhost any' => 'Any',
+ 'fwhost attention' => 'ATTENTION',
+-'fwhost back' => 'back',
++'fwhost back' => 'Back',
+ 'fwhost blue' => 'Blue',
+ 'fwhost ccdhost' => 'OpenVPN clients:',
+ 'fwhost ccdnet' => 'OpenVPN networks:',
+ 'fwhost change' => 'Modify',
+ 'fwhost changeremark' => 'You just modified the remark',
+-'fwhost cust addr' => 'Addresses:',
+-'fwhost cust grp' => 'Groups:',
++'fwhost cust addr' => 'Hosts:',
++'fwhost cust grp' => 'Network / Host Groups:',
+ 'fwhost cust net' => 'Networks:',
+ 'fwhost cust service' => 'Services:',
+-'fwhost cust srvgrp' => 'Servicegroups',
++'fwhost cust srvgrp' => 'Service groups:',
+ 'fwhost deleted' => 'Deleted',
+ 'fwhost empty' => 'No rules defined',
+ 'fwhost err addr' => 'Invalid IP address or subnet',
+@@ -1046,11 +1048,11 @@
+ 'fwhost ipsec host' => 'IPsec clients:',
+ 'fwhost ipsec net' => 'IPsec networks:',
+ 'fwhost netaddress' => 'Network address',
+-'fwhost newnet' => 'Network',
+-'fwhost newhost' => 'Host',
+-'fwhost newgrp' => 'Address grouping',
+-'fwhost newservice' => 'Service',
+-'fwhost newservicegrp' => 'Service grouping',
++'fwhost newnet' => 'Networks',
++'fwhost newhost' => 'Hosts',
++'fwhost newgrp' => 'Network / Host Groups',
++'fwhost newservice' => 'Services',
++'fwhost newservicegrp' => 'Service Groups',
+ 'fwhost menu' => 'Firewall Groups',
+ 'fwhost orange' => 'Orange',
+ 'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
+@@ -1058,7 +1060,7 @@
+ 'fwhost prot' => 'Protocol',
+ 'fwhost reread' => 'Firewall rules need to be updated.',
+ 'fwhost reset' => 'Cancel',
+-'fwhost services' => 'Services',
++'fwhost services' => 'Services:',
+ 'fwhost srv_name' => 'Servicename',
+ 'fwhost stdnet' => 'Standard networks:',
+ 'fwhost type' => 'Type',
+--
+1.7.10.4
+
--- /dev/null
+From 05f6d089dbfb54fc36ab8b40aab314d6a2c09c60 Mon Sep 17 00:00:00 2001
+From: root <amarx@ipfire.org>
+Date: Tue, 2 Jul 2013 04:16:52 +0200
+Subject: [PATCH 259/302] Forward Firewall: some language changes de.pl and
+ en.pl as well as forwardfw.cgi and fwhost.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 14 ++++++++++----
+ html/cgi-bin/fwhosts.cgi | 3 ++-
+ langs/de/cgi-bin/de.pl | 1 +
+ langs/en/cgi-bin/en.pl | 1 +
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8458d4d..14ba24e 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1391,6 +1391,10 @@ sub newrule
+ if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;}
+ my $config=$fwdfwsettings{'config'};
+ my %hash=();
++ #Get Red IP-ADDRESS
++ open (CONN1,"/var/ipfire/red/local-ipaddress");
++ my $redip = <CONN1>;
++ close(CONN1);
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
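Review bot: The `open` added at the top of this hunk is unchecked and uses a bareword handle, and `$redip` keeps the file's trailing newline, which is later printed inside an `<option>`. A lexical handle with an explicit mode, a check and a `chomp` is safer: `my $redip = ''; if (open(my $fh, '<', "/var/ipfire/red/local-ipaddress")) { chomp($redip = <$fh> // ''); close($fh); }`. Other paths on this page are built from `${General::swroot}`, so the hard-coded `/var/ipfire` prefix is also worth aligning with them. newrule's body starts and ends outside the hunk.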
+@@ -1410,7 +1414,7 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+- $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
++ $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
+ #check if update and get values
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
+ &General::readhasharray("$config", \%hash);
+@@ -1519,14 +1523,14 @@ sub newrule
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td><td width='1%'><input type='radio' name='grp1' value='ipfire_src' $checked{'grp1'}{'ipfire'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td><td width='1%'><input type='radio' name='grp1' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
+- print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($ifaces{'RED_ADDRESS'})</option>" if $ifaces{'RED_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
+
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
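Review bot: The replacement RED1 line drops the closing `</option>` that the removed line had, so the element stays open until the browser recovers at the next option; it should end `($redip)</option>" if ($redip);`. The options of this `<select name='ipfire_src'>` also still read `$selected{'ipfire'}{...}`, while the previous hunk now stores the source choice under `$selected{'ipfire_src'}`, so the source list would be preselected from the target's value. `$redip` is printed exactly as read from disk; matching it against an IPv4 pattern before output would keep unexpected file content out of the page. The same unclosed RED1 line is added again in patches 264 and 265 further down.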
+@@ -1697,7 +1701,7 @@ END
+ #---Activate/logging/remark-------------------------------------
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'});
+ print<<END;
+- <table width='100%' border='1'>
++ <table width='100%' border='0'>
+ <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'>
+ END
+ foreach ("ACCEPT","DROP","REJECT")
+@@ -2209,6 +2213,8 @@ END
+ }else{
+ print $$hash{$key}[4];
+ }
++ }elsif ($$hash{$key}[4] eq 'RED1'){
++ print "$Lang::tr{'fwdfw red'}";
+ }else{
+ print $$hash{$key}[4];
+ }
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 9afc7c8..9ae490f 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1064,8 +1064,9 @@ sub showmenu
+ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</td></tr></table></form><br>";
+ }
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
++ print "$Lang::tr{'fwhost welcome'}";
+ print<<END;
+- <table border='0' width='100%'><form method='post'>
++ <br><br><table border='0' width='100%'><form method='post'>
+ <tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' /></td>
+ <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' /></td></tr>
+ <tr><td colspan='6'><hr></hr></td></tr></table></form>
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index ed09273..67fe4c8 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1042,6 +1042,7 @@
+ 'fwhost stdnet' => 'Standard Netzwerke:',
+ 'fwhost type' => 'Typ',
+ 'fwhost used' => 'Benutzt',
++'fwhost welcome' => 'Hier können einzelne Netzwerke, Hosts oder Dienste definiert werden. Diese lassen sich zu Gruppen zusammenfassen und in der Firewall verwenden. Durch die Gruppen kann man Einzelne Firewallregeln auf mehrere Netzwerke und Hosts anwenden und so die Regeln übersichtlich halten.',
+ 'fwhost wo subnet' => '(Ohne Subnetz)',
+ 'free' => 'Frei',
+ 'free memory' => 'Freier Speicher ',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 6b99d2c..1fced49 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1065,6 +1065,7 @@
+ 'fwhost stdnet' => 'Standard networks:',
+ 'fwhost type' => 'Type',
+ 'fwhost used' => 'Used',
++'fwhost welcome' => 'Here you can define single Networks, Hosts or Services which can be grouped together. These Networks, Hosts and Groups can then be used in the firewall. You are able to use only a few rules for a big amount of Networks, Hosts or Groups.',
+ 'fwhost wo subnet' => '(without subnet)',
+ 'free' => 'Free',
+ 'free memory' => 'Free Memory ',
+--
+1.7.10.4
+
--- /dev/null
+From 2417eab6814a8a7dce523add38237fc98f40bab5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Jul 2013 08:03:25 +0200
+Subject: [PATCH 260/302] Forward Firewall: When using "Firewall" as source or
+ target, the ruletable looks confusing. Theres "RED"
+ in source and target. Now theres "INTERFACE RED".
+
+---
+ html/cgi-bin/forwardfw.cgi | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 14ba24e..a552ce4 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -75,7 +75,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.9';
++my $VERSION='0.9.9.9a';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -133,7 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $errormessage.=$Lang::tr{'fwdfw useless rule'}."<br>";
+ }
+ #check if we try to break rules
+- if( $fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'IPFire' && $fwdfwsettings{'grp2'} eq 'ipfire'){
++ if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ $errormessage.=$Lang::tr{'fwdfw err same'};
+ }
+ #INPUT part
+@@ -2202,8 +2202,12 @@ END
+ print"<td align='center'>$protz</td>";
+ @protocols=();
+ #SOURCE
++ my $ipfireiface;
+ &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ print"<td align='center' width='160' $tdcolor>";
++ if ($$hash{$key}[3] eq 'ipfire_src'){
++ $ipfireiface='Interface ';
++ }
+ if ($$hash{$key}[3] eq 'std_net_src'){
+ print &get_name($$hash{$key}[4]);
+ }elsif ($$hash{$key}[3] eq 'src_addr'){
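Review bot: `$ipfireiface` is declared without a value and only set for `ipfire_src`, and the label it carries is a hard-coded English string while the rest of the table text comes from `$Lang::tr`. Later hunks interpolate it into `print` strings for rows where it was never set, which yields a stray leading space and, if warnings are enabled, an uninitialized-value warning. Initialising it with `my $ipfireiface = '';` and taking the word from a language entry would keep the table consistent with the German translation. The enclosing block starts and ends outside the hunk.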
+@@ -2214,9 +2218,9 @@ END
+ print $$hash{$key}[4];
+ }
+ }elsif ($$hash{$key}[4] eq 'RED1'){
+- print "$Lang::tr{'fwdfw red'}";
++ print "$ipfireiface $Lang::tr{'fwdfw red'}";
+ }else{
+- print $$hash{$key}[4];
++ print "ipfireiface $$hash{$key}[4]";
+ }
+ $tdcolor='';
+ #SOURCEPORT
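Review bot: The new line in the final `else` prints the literal text `ipfireiface` because the `$` sigil is missing: `print "ipfireiface $$hash{$key}[4]";` should be `print "$ipfireiface $$hash{$key}[4]";`. As written, every source that reaches this branch is shown with that word in front of it in the rule table. The enclosing block starts outside the hunk.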
+@@ -2257,10 +2261,13 @@ END
+ }
+ print"<br>->";
+ }
++ if ($$hash{$key}[5] eq 'ipfire'){
++ $ipfireiface='Interface';
++ }
+ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
+ if ($$hash{$key}[6] eq 'RED1')
+ {
+- print $Lang::tr{'red1'};
++ print "$ipfireiface $Lang::tr{'red1'}";
+ }else{
+ print &get_name($$hash{$key}[6]);
+ }
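Review bot: `$ipfireiface` is assigned here only when the target type is `ipfire` and is never cleared, so a row whose source was `ipfire_src` still carries `'Interface '` from the source column when the target is printed. The target branches in this hunk and the next one (`print "$ipfireiface $Lang::tr{'red1'}"`, `print "$ipfireiface $$hash{$key}[6]"`) would then label an ordinary target as an interface. Assigning it in both cases avoids the carry-over: `$ipfireiface = ($$hash{$key}[5] eq 'ipfire') ? 'Interface' : '';`. The `if` that follows also mixes `||` and `&&` without parentheses, which is worth grouping explicitly since `&&` binds tighter.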
+@@ -2272,7 +2279,7 @@ END
+ print $$hash{$key}[6];
+ }
+ }else{
+- print $$hash{$key}[6];
++ print "$ipfireiface $$hash{$key}[6]";
+ }
+ $tdcolor='';
+ #TARGETPORT
+--
+1.7.10.4
+
--- /dev/null
+From 78661222ad7980b4ed3c1b511865db99d05f4f3b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Jul 2013 08:21:38 +0200
+Subject: [PATCH 261/302] Forward Firewall: Bugfix of last commit. Added
+ "Interface" to source or target that uses
+ "Firewall" interfaces
+
+---
+ html/cgi-bin/forwardfw.cgi | 14 ++++++++------
+ langs/en/cgi-bin/en.pl | 2 +-
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index a552ce4..cb65dd4 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -134,7 +134,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ #check if we try to break rules
+ if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+- $errormessage.=$Lang::tr{'fwdfw err same'};
++ $errormessage=$Lang::tr{'fwdfw err same'};
+ }
+ #INPUT part
+ if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+@@ -772,7 +772,7 @@ sub checkrule
+ }
+ #check if source and target identical
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){
+- $errormessage.=$Lang::tr{'fwdfw err same'};
++ $errormessage=$Lang::tr{'fwdfw err same'};
+ return $errormessage;
+ }
+ #get source and targetip address if possible
+@@ -2265,11 +2265,13 @@ END
+ $ipfireiface='Interface';
+ }
+ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
+- if ($$hash{$key}[6] eq 'RED1')
+- {
++ if ($$hash{$key}[6] eq 'RED1'){
+ print "$ipfireiface $Lang::tr{'red1'}";
++ }elsif ($$hash{$key}[6] ne 'RED')
++ {
++ print "$ipfireiface $$hash{$key}[6]";
+ }else{
+- print &get_name($$hash{$key}[6]);
++ print "$$hash{$key}[6]";
+ }
+ }elsif ($$hash{$key}[5] eq 'tgt_addr'){
+ my ($split1,$split2) = split("/",$$hash{$key}[6]);
+@@ -2279,7 +2281,7 @@ END
+ print $$hash{$key}[6];
+ }
+ }else{
+- print "$ipfireiface $$hash{$key}[6]";
++ print "$$hash{$key}[6]";
+ }
+ $tdcolor='';
+ #TARGETPORT
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1fced49..1442606 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -988,7 +988,7 @@
+ 'fwdfw wd_fri' => 'Fri',
+ 'fwdfw wd_sat' => 'Sat',
+ 'fwdfw wd_sun' => 'Sun',
+-'fwdfw xt access' => 'Access to firewall',
++'fwdfw xt access' => 'Input',
+ 'fwhost addgrp' => 'Add Network / Host Group:',
+ 'fwhost addgrpname' => 'Groupname:',
+ 'fwhost addhost' => 'Add Host:',
+--
+1.7.10.4
+
--- /dev/null
+From 6b4c994911972c0e03ac3b832aa372d00f71009f Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Jul 2013 14:55:46 +0200
+Subject: [PATCH 262/302] Forward Firewall: delted subnets from hosts in
+ firewallgroups, colorized all ip-addresses from the
+ firewall-groups if possible. Some minor changes in
+ forwardfw.cgi
+
+---
+ html/cgi-bin/forwardfw.cgi | 14 +++++++-------
+ html/cgi-bin/fwhosts.cgi | 9 +++++----
+ langs/en/cgi-bin/en.pl | 2 +-
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index cb65dd4..1c46d14 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1614,7 +1614,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}:</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' >
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $helper;
+@@ -1680,14 +1680,12 @@ END
+ #SNAT
+ print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
+ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
+- print "<option value='Default IP' $selected{'snat'}{'Default IP'}>Default IP</option>";
+ foreach my $alias (sort keys %aliases)
+ {
+ print "<option value='$alias' $selected{'snat'}{$alias}>$alias</option>";
+ }
+ foreach my $network (sort keys %defaultNetworks)
+ {
+- next if($defaultNetworks{$network}{'NAME'} eq "RED");
+ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+ next if($defaultNetworks{$network}{'NAME'} eq "ALL");
+ next if($defaultNetworks{$network}{'NAME'} =~ /OpenVPN/i);
+@@ -2220,14 +2218,16 @@ END
+ }elsif ($$hash{$key}[4] eq 'RED1'){
+ print "$ipfireiface $Lang::tr{'fwdfw red'}";
+ }else{
+- print "ipfireiface $$hash{$key}[4]";
++ print "$$hash{$key}[4]";
+ }
+ $tdcolor='';
+ #SOURCEPORT
+ &getsrcport(\%$hash,$key);
+ #Is this a SNAT rule?
+ if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){
+- print"<br>->$$hash{$key}[29]";
++ my $net=&get_name($$hash{$key}[29]);
++ if ( ! $net){ $net=$$hash{$key}[29];}
++ print"<br>->$net";
+ if ($$hash{$key}[30] ne ''){
+ print": $$hash{$key}[30]";
+ }
+@@ -2269,9 +2269,9 @@ END
+ print "$ipfireiface $Lang::tr{'red1'}";
+ }elsif ($$hash{$key}[6] ne 'RED')
+ {
+- print "$ipfireiface $$hash{$key}[6]";
++ print "$ipfireiface ".&get_name($$hash{$key}[6]);
+ }else{
+- print "$$hash{$key}[6]";
++ print &get_name($$hash{$key}[6]);
+ }
+ }elsif ($$hash{$key}[5] eq 'tgt_addr'){
+ my ($split1,$split2) = split("/",$$hash{$key}[6]);
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 9ae490f..753ffbe 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1376,8 +1376,8 @@ END
+ {
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
++ print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>".&Header::colorize($customnetwork{$key}[1])."</td><td width='15%' align='center'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>";
+ print<<END;
+- <td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>$customnetwork{$key}[1]</td><td width='15%' align='center'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+ <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' />
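Review bot: The new `print` interpolates `$customnetwork{$key}[0]` and `$customnetwork{$key}[3]` (name and remark, going by the table header in the next patch) straight into table cells, and only the address goes through `&Header::colorize`. If those fields are not sanitised when they are saved (not visible here), markup typed into a name or remark is rendered in the browser of whoever opens this page. Passing them through the project's HTML-escaping helper at output time, e.g. `&Header::cleanhtml($customnetwork{$key}[3],"y")`, would cover that regardless of how the file was written. The same pattern is in the `$customhost` print in the next hunk and the `$customgrp` cells in viewtablegrp. The attribute `width=15%'` is also missing its opening quote and should read `width='15%'`.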
+@@ -1421,8 +1421,8 @@ END
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+ $customhost{$key}[4]=~s/\s+//g;
++ print"<td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%' align='center'>".&Header::colorize($ip)."</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>";
+ print<<END;
+- <td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%' align='center'>$ip</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+@@ -1511,7 +1511,7 @@ sub viewtablegrp
+ if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){
+ print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }else{
+- print"<td align='center'>$ip</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
++ print"<td align='center'>".&Header::colorize($ip)."</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+ if ($delflag > '1' && $ip ne ''){
+ print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />";
+@@ -1904,7 +1904,8 @@ sub getipforgroup
+ if ($type eq 'Custom Host'){
+ foreach my $key (keys %customhost) {
+ if ($customhost{$key}[0] eq $name){
+- return $customhost{$key}[2];
++ my ($ip,$sub) = split("/",$customhost{$key}[2]);
++ return $ip;
+ }
+ }
+ }
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1442606..55d3a48 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1065,7 +1065,7 @@
+ 'fwhost stdnet' => 'Standard networks:',
+ 'fwhost type' => 'Type',
+ 'fwhost used' => 'Used',
+-'fwhost welcome' => 'Here you can define single Networks, Hosts or Services which can be grouped together. These Networks, Hosts and Groups can then be used in the firewall. You are able to use only a few rules for a big amount of Networks, Hosts or Groups.',
++'fwhost welcome' => 'Here you can define single networks, hosts or services which can be grouped together. These networks, hosts and groups can then be used in the firewall. You are able to use only a few rules for a big amount of networks, hosts or groups.',
+ 'fwhost wo subnet' => '(without subnet)',
+ 'free' => 'Free',
+ 'free memory' => 'Free Memory ',
+--
+1.7.10.4
+
--- /dev/null
+From 57bdf0cfa332acdf6d3d916078bf1db7ce519437 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 2 Jul 2013 15:43:44 +0200
+Subject: [PATCH 263/302] Forward Firewall: colorize ip addresses when
+ possible in firewall groups. subnetmask now in cidr
+ format
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 ++++
+ html/cgi-bin/fwhosts.cgi | 7 +++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1c46d14..7e23da2 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -817,6 +817,10 @@ sub checkrule
+ }
+ }
+ }
++ if( $fwdfwsettings{'USE_SRC_PORT'} ne 'ON' && $fwdfwsettings{'USESRV'} ne 'ON'){
++ $fwdfwsettings{'PROT'}='';
++ $fwdfwsettings{'TGT_PROT'}='';
++ }
+ }
+ sub checkcounter
+ {
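Review bot: The block added at the end of checkrule blanks `PROT` and `TGT_PROT` whenever neither `USE_SRC_PORT` nor `USESRV` is `ON`, and the commit message does not mention this. If the form lets a protocol be chosen without ports or a service (not visible in this hunk), the saved rule would match all protocols instead of the selected one, which widens a firewall rule without telling the user. A comment stating the intent, such as `# no port or service selected: store the rule as protocol-independent`, or restricting the reset to the cases where the protocol field is actually hidden, would make this safe to maintain. checkrule starts outside the hunk.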
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 753ffbe..c854e9f 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1362,7 +1362,7 @@ sub viewtablenet
+ }else{
+ print<<END;
+ <table border='0' width='100%' cellspacing='0'>
+- <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'netmask'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
+ END
+ }
+ my $count=0;
+@@ -1376,7 +1376,8 @@ END
+ {
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
+- print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>".&Header::colorize($customnetwork{$key}[1])."</td><td width='15%' align='center'>$customnetwork{$key}[2]</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>";
++ my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]);
++ print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>".&Header::colorize($colnet)."</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>";
+ print<<END;
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+@@ -1511,6 +1512,8 @@ sub viewtablegrp
+ if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost empty'}){
+ print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }else{
++ my ($colip,$colsub) = split("/",$ip);
++ $ip="$colip/".&General::subtocidr($colsub) if ($colsub);
+ print"<td align='center'>".&Header::colorize($ip)."</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>";
+ }
+ if ($delflag > '1' && $ip ne ''){
+--
+1.7.10.4
+
--- /dev/null
+From f541dda0abb0ce59bec1c53f118213305b1c85e0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 3 Jul 2013 09:26:39 +0200
+Subject: [PATCH 264/302] Forward Firewall: some bugfixes
+
+---
+ html/cgi-bin/forwardfw.cgi | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 7e23da2..811c312 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -47,7 +47,6 @@ unless (-e "${General::swroot}/forward/settings") { system("touch ${General::s
+ unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); }
+ unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); }
+ unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); }
+-unless (-e "${General::swroot}/forward/nat") { system("touch ${General::swroot}/forward/nat"); }
+
+ my %fwdfwsettings=();
+ my %selected=() ;
+@@ -75,7 +74,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.9a';
++my $VERSION='0.9.9.9';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -262,7 +261,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ }
+ if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+ $fwdfwsettings{'nosave'} = 'on';
+- print "uzlputz neu time:$fwdfwsettings{'TIME'} alt:$configfwdfw{$key}[18]";
+ }
+ }
+ }
+@@ -1592,8 +1590,7 @@ END
+ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
+- print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($ifaces{'RED_ADDRESS'})</option>" if $ifaces{'RED_ADDRESS'};
+-
++ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+ {
+@@ -2268,7 +2265,7 @@ END
+ if ($$hash{$key}[5] eq 'ipfire'){
+ $ipfireiface='Interface';
+ }
+- if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' && $$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
++ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
+ if ($$hash{$key}[6] eq 'RED1'){
+ print "$ipfireiface $Lang::tr{'red1'}";
+ }elsif ($$hash{$key}[6] ne 'RED')
+--
+1.7.10.4
+
--- /dev/null
+From ed625e67d941e934a90f39d10bb401b9546b5bfa Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 3 Jul 2013 10:13:06 +0200
+Subject: [PATCH 265/302] Forward Firewall: Bugfixes wrong interface in
+ ruletable,when selecting alias firewall interface
+
+---
+ html/cgi-bin/forwardfw.cgi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 811c312..8044c66 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1476,7 +1476,7 @@ sub newrule
+ $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
+ $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
+ $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+- $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
++ $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
+ $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
+ $selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected';
+ }
+@@ -1528,11 +1528,11 @@ sub newrule
+ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td><td width='1%'><input type='radio' name='grp1' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
+- print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+- print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+- print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+- print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
+- print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
++ print "<option value='ALL' $selected{'ipfire_src'}{'ALL'}>$Lang::tr{'all'}</option>";
++ print "<option value='GREEN' $selected{'ipfire_src'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire_src'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
++ print "<option value='BLUE' $selected{'ipfire_src'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='RED1' $selected{'ipfire_src'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
+
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+@@ -2268,11 +2268,11 @@ END
+ if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){
+ if ($$hash{$key}[6] eq 'RED1'){
+ print "$ipfireiface $Lang::tr{'red1'}";
+- }elsif ($$hash{$key}[6] ne 'RED')
++ }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL')
+ {
+ print "$ipfireiface ".&get_name($$hash{$key}[6]);
+ }else{
+- print &get_name($$hash{$key}[6]);
++ print $$hash{$key}[6];
+ }
+ }elsif ($$hash{$key}[5] eq 'tgt_addr'){
+ my ($split1,$split2) = split("/",$$hash{$key}[6]);
+--
+1.7.10.4
+
--- /dev/null
+From 652371796da8e0830f86eaf61ef13d5e4d361f17 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 3 Jul 2013 11:26:44 +0200
+Subject: [PATCH 266/302] Forward Firewall: removed nat part from rules.pl
+ (file nat not existent anymore)
+
+---
+ config/forwardfw/rules.pl | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 9268a6f..6c32d93 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -55,7 +55,6 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configinput = "${General::swroot}/forward/input";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+-my $confignat = "${General::swroot}/forward/nat";
+ my $p2pfile = "${General::swroot}/forward/p2protocols";
+ my $configgrp = "${General::swroot}/fwhosts/customgroups";
+ my $netsettings = "${General::swroot}/ethernet/settings";
+@@ -74,7 +73,6 @@ my $snat='';
+ &General::readhasharray($configfwdfw, \%configfwdfw);
+ &General::readhasharray($configinput, \%configinputfw);
+ &General::readhasharray($configoutgoing, \%configoutgoingfw);
+-&General::readhasharray($confignat, \%confignatfw);
+ &General::readhasharray($configgrp, \%customgrp);
+ &General::get_aliases(\%aliases);
+
+--
+1.7.10.4
+
--- /dev/null
+From fe3b59bc62d9b1010bf89bfdf4ffd909ecdc400b Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 3 Jul 2013 14:38:40 +0200
+Subject: [PATCH 267/302] Forward Firewall: moved default rules from FORWARDFW
+ to POLICYFWD
+
+---
+ config/forwardfw/firewall-policy | 2 ++
+ config/forwardfw/rules.pl | 17 -----------------
+ 2 files changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 0a5cd14..459c1a5 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -30,6 +30,8 @@ else
+ if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
+ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
+ fi
++ /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
++ /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
+ /sbin/iptables -A POLICYFWD -j ACCEPT
+ /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ fi
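Review bot: The two added DROP rules run unconditionally, unlike the blue rule above them, which is guarded by `[ "$BLUE_DEV" ] && [ "$IFACE" ]`. On a system without an ORANGE or BLUE zone the variables would presumably be empty, `-s "/"` is not a valid address, iptables rejects the command, and the script carries on to `-j ACCEPT` without reporting the failure. Each rule should test the zones it names first, for example `[ "$ORANGE_NETADDRESS" ] && [ "$GREEN_NETADDRESS" ] && /sbin/iptables -A POLICYFWD ...`, and the exit status is worth checking. The enclosing `else` branch starts outside the hunk.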
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 6c32d93..19bf785 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -114,23 +114,6 @@ if($param eq 'flush'){
+ &p2pblock;
+ system ("/usr/sbin/firewall-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+- if ($defaultNetworks{'BLUE_DEV'}){
+- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
+- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
+- #set default rules for BLUE
+- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
+- }
+- if ($defaultNetworks{'ORANGE_DEV'}){
+- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+- #set default rules for DMZ
+- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+- if ($defaultNetworks{'BLUE_DEV'}){
+- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
+- }
+- }
+ &p2pblock;
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-policy");
+--
+1.7.10.4
+
--- /dev/null
+From 2a84fcf9b3a9db72096385ec1fd11b373d930a4c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 4 Jul 2013 12:19:50 +0200
+Subject: [PATCH 268/302] Forward Firewall: added "default-rules-table" at the
+ end of forward ruletable
+
+---
+ config/forwardfw/firewall-policy | 3 +--
+ config/forwardfw/rules.pl | 3 ---
+ html/cgi-bin/forwardfw.cgi | 30 +++++++++++++++++++++++++-----
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
+index 459c1a5..e142f2d 100755
+--- a/config/forwardfw/firewall-policy
++++ b/config/forwardfw/firewall-policy
+@@ -30,8 +30,7 @@ else
+ if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
+ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
+ fi
+- /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
+- /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
++ /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
+ /sbin/iptables -A POLICYFWD -j ACCEPT
+ /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ fi
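Review bot: The added `-i orange0 ! -o $IFACE -j DROP` rule is not guarded the way the BLUE rule directly above it is, so with an empty `$IFACE` the command is malformed, iptables will presumably reject it, and ORANGE traffic then falls through to the `-j ACCEPT` on the next line. Guard and quote it like the BLUE rule: `if [ "$ORANGE_DEV" ] && [ "$IFACE" ]; then /sbin/iptables -A POLICYFWD -i orange0 ! -o "$IFACE" -j DROP; fi` (this assumes ORANGE_DEV is available in this script as BLUE_DEV is). If ORANGE must stay isolated from the internal zones while RED is down, an unconditional `-i orange0 -j DROP` for the empty-`$IFACE` case would fail closed instead of skipping the rule. The enclosing if/else begins above the hunk.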
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 19bf785..2c919a0 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -140,9 +140,6 @@ sub preparerules
+ if (! -z "${General::swroot}/forward/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
+- if (! -z "${General::swroot}/forward/nat"){
+- &buildrules(\%confignatfw);
+- }
+ }
+ sub buildrules
+ {
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8044c66..fd194a5 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -74,7 +74,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.9';
++my $VERSION='0.9.9.10';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -2370,6 +2370,8 @@ END
+ }
+ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
++ print"</table>";
++ print "<table width='100%'rules='cols' border='1'>";
+ my $col;
+ if ($config eq '/var/ipfire/forward/config'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
+@@ -2378,7 +2380,7 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ &show_default_rules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
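Review bot: The new call `&show_default_rules($col,$pol);` names a subroutine that this patch does not define; the sub added at the end of the file is `show_defaultrules`, and the second call site in the `@@ -2406` hunk uses that spelling. As committed, rendering the rule table for `/var/ipfire/forward/config` would die with an undefined-subroutine error. The line should read `&show_defaultrules($col,$pol);` so this commit works on its own.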
+@@ -2386,9 +2388,9 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td colspan='13' bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
+ }
+ print"</table>";
+ print "<hr>";
+@@ -2406,7 +2408,7 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+@@ -2424,3 +2426,21 @@ END
+ }
+ &Header::closebigbox();
+ &Header::closepage();
++
++sub show_defaultrules
++{
++ my $col=shift;
++ my $pol=shift;
++ #STANDARD RULES (From WIKI)
++ print"</table>";
++ print "<table width='100%'rules='cols' border='1'>";
++ if ($col eq "bgcolor='green'"){
++ my $blue = ", <font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'BLUE_DEV'};
++ my $orange = ", <font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'ORANGE_DEV'};
++ print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}), <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})$blue</td></tr>";
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}), <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})$orange</td></tr>" if $ifaces{'BLUE_DEV'};
++ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ }elsif($col eq "bgcolor='darkred'"){
++ print"<tr><td $col width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ }
++}
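Review bot: `my $blue = "..." if $ifaces{'BLUE_DEV'};` and the matching `$orange` line declare a lexical under a statement modifier, which perlsyn documents as undefined behaviour, and when the condition is false the variable is interpolated into the row as undef. A ternary avoids both problems, for example `my $blue = $ifaces{'BLUE_DEV'} ? ", <font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" : '';`. The same construct returns in the PATCH 270 rewrite of this sub (`$blue`, `$orange`, `$blue1`, `$orange1`). The sub also needs a short header comment saying that `$col` must be exactly `bgcolor='green'` or `bgcolor='darkred'`, because any other value prints only the table opening tag.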
+--
+1.7.10.4
+
--- /dev/null
+From 5fe5c9e2072e40124578f512f15fe54d674938c7 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 4 Jul 2013 12:37:34 +0200
+Subject: [PATCH 269/302] Forward Firewall: some textalignment in last rule
+ row
+
+---
+ html/cgi-bin/forwardfw.cgi | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index fd194a5..8e87a17 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2388,9 +2388,9 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td $col width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td bgcolor='darkred' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
+ }
+ print"</table>";
+ print "<hr>";
+@@ -2399,7 +2399,7 @@ END
+ }else{
+ if ($optionsfw{'SHOWTABLES'} eq 'on'){
+ print "<b>$title1</b><br>";
+- print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr>";
++ print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr></table>";
+ my $col;
+ if ($config eq '/var/ipfire/forward/config'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
+@@ -2410,15 +2410,16 @@ END
+ }
+ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
++ print "<table width='100%' rules='cols' border='1'>";
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td colspan='13' $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td colspan='13' bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
+ }
+ print"</table><br><br>";
+ }
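Review bot: In the final `else` branch the rewritten row ends with `<td>$Lang::tr{'fwdfw MODE1'}</font></td>`, so the second cell loses the `bgcolor='darkred'` and the opening `<font color='#FFFFFF'>` and is left with an unmatched `</font>`. The equivalent row in the `@@ -2388` hunk keeps both, so this one should match it: `<td bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td>`. The `<font>` opened in the first cell of these rows is never closed either.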
+@@ -2441,6 +2442,6 @@ sub show_defaultrules
+ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}), <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})$orange</td></tr>" if $ifaces{'BLUE_DEV'};
+ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }elsif($col eq "bgcolor='darkred'"){
+- print"<tr><td $col width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From c697463a08094c668cb7f740b5bbc2955022d7a2 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 5 Jul 2013 12:15:05 +0200
+Subject: [PATCH 270/302] Forward Firewall: Updated outgoingfw-converter.
+ redesign of the ruletable's defaultrules
+
+---
+ config/forwardfw/convert-outgoingfw | 47 +++++++++++++++++++++++++++--------
+ html/cgi-bin/forwardfw.cgi | 32 +++++++++++++-----------
+ html/cgi-bin/fwhosts.cgi | 12 +++++++--
+ html/cgi-bin/optionsfw.cgi | 3 +--
+ 4 files changed, 65 insertions(+), 29 deletions(-)
+
+diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
+index ef2f7e1..05bf13d 100755
+--- a/config/forwardfw/convert-outgoingfw
++++ b/config/forwardfw/convert-outgoingfw
+@@ -46,7 +46,11 @@ my %ccdconf=();
+ my %fwconfig=();
+ my %fwconfigout=();
+ my %fwdsettings=();
++my %ownnet=();
++my %ovpnSettings = ();
++&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+ &General::readhash($outfwsettings,\%outsettings);
++&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
+ #ONLY RUN if /var/ipfire/outgoing exists
+ if ( -d "/var/ipfire/outgoing"){
+ &process_groups;
+@@ -179,16 +183,39 @@ sub new_hostgrp
+ }elsif($byte4 < '255'){
+ print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
+ if(!&check_net($ippart,$subnet)){
+- my $netkey = &General::findhasharraykey(\%nets);
+- $name="net ";
+- $name2=$name.$ippart;
+- $name3="Custom Network";
+- $nets{$netkey}[0] = $name2;
+- $nets{$netkey}[1] = $ippart;
+- $nets{$netkey}[2] = $subnet;
+- $nets{$netkey}[3] = '';
+- $nets{$netkey}[4] = 1;
+- print LOG "->Network $ippart/$subnet added to custom networks\n";
++ #Check if this network is one one of IPFire internal networks
++ if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
++ {
++ $name2='GREEN';
++ $name3='Standard Network';
++ }elsif (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
++ {
++ $name2='ORANGE';
++ $name3='Standard Network';
++ }elsif (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
++ {
++ $name2='BLUE';
++ $name3='Standard Network';
++ }elsif ($ippart eq '0.0.0.0')
++ {
++ $name2='ALL';
++ $name3='Standard Network';
++ }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'})
++ {
++ $name2='OpenVPN-Dyn';
++ $name3='Standard Network';
++ }else{
++ my $netkey = &General::findhasharraykey(\%nets);
++ $name="net ";
++ $name2=$name.$ippart;
++ $name3="Custom Network";
++ $nets{$netkey}[0] = $name2;
++ $nets{$netkey}[1] = $ippart;
++ $nets{$netkey}[2] = $subnet;
++ $nets{$netkey}[3] = '';
++ $nets{$netkey}[4] = 1;
++ print LOG "->Network $ippart/$subnet added to custom networks\n";
++ }
+ }else{
+ print LOG "Network $ippart already exists in custom networks\n";
+ $name="net ";
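Review bot: The new zone checks call `&General::IpInSubnet($ippart, ...)` on the network address only and never compare `$subnet` with the zone's netmask, so a group entry for a smaller subnet inside GREEN, ORANGE or BLUE is converted to the whole zone. A converted rule can therefore match more hosts than the outgoing-firewall rule it replaces. Each branch should also require equal masks, for example `&& &General::iporsubtocidr($subnet) eq &General::iporsubtocidr($ownnet{'GREEN_NETMASK'})`, and otherwise fall through to the custom-network branch. The `$ippart eq '0.0.0.0'` branch likewise maps to `ALL` whatever `$subnet` is. `new_hostgrp` starts above this hunk, so how `$name2` and `$name3` are consumed afterwards is not visible here.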
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8e87a17..5d746c8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -998,8 +998,7 @@ END
+ my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS";
+ my $defsub="$defaultNetworks{$network}{'NAME'}_NETMASK";
+ my $defsub1=&General::subtocidr($ifaces{$defsub});
+- $ifaces{$defnet}='0.0.0.0' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
+- $defsub1 ='0' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
++ $ifaces{$defnet}='' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
+ if ($ifaces{$defnet}){
+ print ">$network ($ifaces{$defnet}/$defsub1)</option>";
+ }else{
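Review bot: `$ifaces{$defnet}='' if (... eq 'RED');` overwrites the shared `%ifaces` entry only to suppress the address in the option label, so any later reader of `$ifaces{'RED_NETADDRESS'}` in this request sees an empty string. A local copy keeps the hash intact: `my $addr = ($defaultNetworks{$network}{'NAME'} eq 'RED') ? '' : $ifaces{$defnet};`, then test and print `$addr`. The fwhosts.cgi hunk in this patch does the same to `%ownnet`. Whether anything reads those keys later is outside both hunks.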
+@@ -2380,7 +2379,7 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- &show_default_rules($col,$pol);
++ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+@@ -2388,9 +2387,9 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
+ }
+ print"</table>";
+ print "<hr>";
+@@ -2417,9 +2416,9 @@ END
+ }else{
+ $col="bgcolor='green'";
+ }
+- print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
+ }
+ print"</table><br><br>";
+ }
+@@ -2433,15 +2432,18 @@ sub show_defaultrules
+ my $col=shift;
+ my $pol=shift;
+ #STANDARD RULES (From WIKI)
+- print"</table>";
+- print "<table width='100%'rules='cols' border='1'>";
++ print"</table><br>";
++ print "<table width='100%' rules='cols' border='1' >";
+ if ($col eq "bgcolor='green'"){
+- my $blue = ", <font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'BLUE_DEV'};
+- my $orange = ", <font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'ORANGE_DEV'};
+- print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}), <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})$blue</td></tr>";
+- print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}), <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})$orange</td></tr>" if $ifaces{'BLUE_DEV'};
+- print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'BLUE_DEV'};
++ my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'ORANGE_DEV'};
++ my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if $ifaces{'BLUE_DEV'};
++ my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if $ifaces{'ORANGE_DEV'};
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'>$orange1</td><td align='center'>$blue1</td></tr>";
++ print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td><td align='center'>$blue</td></tr>";
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'>$orange</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td></tr>" if $ifaces{'BLUE_DEV'};
++ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col colspan='3' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }elsif($col eq "bgcolor='darkred'"){
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }
+ }
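Review bot: The ORANGE row is printed unconditionally while the BLUE row carries `if $ifaces{'BLUE_DEV'}`, so a system without an ORANGE zone still shows default rules for it. Append `if $ifaces{'ORANGE_DEV'}` to that `print`, matching the guard already used for `$orange` and `$orange1`. The table text is hard-coded rather than derived from what `firewall-policy` installs, so a comment naming that script as the source of truth would help keep the two in step. An administrator reads this table as the effective default policy, and a mismatch would go unnoticed.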
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index c854e9f..73dabaa 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1171,10 +1171,18 @@ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+ next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP");
+- next if($defaultNetworks{$network}{'NAME'} eq "RED");
++ next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
+ print "<option value='$defaultNetworks{$network}{'NAME'}'";
+ print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'});
+- print ">$network</option>";
++ my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS";
++ my $defsub="$defaultNetworks{$network}{'NAME'}_NETMASK";
++ my $defsub1=&General::subtocidr($ownnet{$defsub});
++ $ownnet{$defnet}='' if ($defaultNetworks{$network}{'NAME'} eq 'RED');
++ if ($ownnet{$defnet}){
++ print ">$network ($ownnet{$defnet}/$defsub1)</option>";
++ }else{
++ print ">$network</option>";
++ }
+ }
+ print"</select></td></tr>";
+ if (! -z $confignet){
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 616f529..61441e4 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -51,12 +51,11 @@ my $errormessage = '';
+ my $warnmessage = '';
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+-
+ &Header::showhttpheaders();
+
+ #Get GUI values
+ &Header::getcgihash(\%settings);
+-
++&General::readhash("${General::swroot}/optionsfw/settings", \%settings);
+
+
+ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
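Review bot: The added `&General::readhash(".../optionsfw/settings", \%settings);` runs after `&Header::getcgihash(\%settings);` and fills the same hash, so values stored on disk presumably replace the values just submitted from the form. The `save` handler below would then write the old settings back and changes to the firewall options would not take effect. Either move the `readhash` call above `getcgihash` so that submitted values win, or read the file into a separate hash and use it only for defaults. The handler body is outside this hunk, so confirm against it.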
+--
+1.7.10.4
+
--- /dev/null
+From 4c616a97dbd24c726409ea4960e4d93f0f8a694f Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:14:15 +0200
+Subject: [PATCH 271/302] iptables: Replace state module by conntrack module.
+
+The state module is deprecated in recent releases of iptables
+and should not be used any more.
+
+Additionally, this patch adds an extra chain for all
+connection tracking rules, so we can keep the entire ruleset
+more small and clean.
+---
+ config/forwardfw/rules.pl | 2 +-
+ src/initscripts/init.d/firewall | 40 +++++++++++++++++++++------------------
+ 2 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 2c919a0..68cb640 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -115,7 +115,7 @@ if($param eq 'flush'){
+ system ("/usr/sbin/firewall-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ &p2pblock;
+- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
++ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-policy");
+ system ("/etc/sysconfig/firewall.local reload");
+ }
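Review bot: The changed line still builds the command as one interpolated string, `system ("iptables -A $CHAIN ...")`, which goes through the shell, resolves `iptables` via PATH and discards the exit status. A failed insert of this ACCEPT rule would pass silently. The list form with the absolute path used by the shell scripts in this series avoids the shell and makes the result checkable: `system('/sbin/iptables', '-A', $CHAIN, '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT') == 0 or ...`. The origin of `$CHAIN` is not visible in this hunk, and the neighbouring `system` calls use the same string form.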
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 2f7577f..851f3ec 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -68,7 +68,11 @@ iptables_init() {
+ # SYN/FIN (QueSO or nmap OS probe)
+ /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # NEW TCP without SYN
+- /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN
++ /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
++
++ # Connection tracking chain
++ /sbin/iptables -N CONNTRACK
++ /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ /sbin/iptables -A INPUT -j BADTCP
+ /sbin/iptables -A FORWARD -j BADTCP
+@@ -88,7 +92,6 @@ iptables_init() {
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -j OVPNBLOCK
+- /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+@@ -114,12 +117,13 @@ iptables_init() {
+ /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+
+ # Accept everything connected
+- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+- /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+-
++ for i in INPUT FORWARD OUTPUT; do
++ /sbin/iptables -A ${i} -j CONNTRACK
++ done
++
+ # Accept everything on lo
+- iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+- iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
++ iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
++ iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
+
+ # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+ /sbin/iptables -N IPSECINPUT
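Review bot: Adding OUTPUT to this loop moves the ESTABLISHED,RELATED accept for OUTPUT from its old place before `CUSTOMOUTPUT` (removed in the `@@ -88` hunk) to after the `CUSTOMOUTPUT` and `OUTGOINGFW` jumps. Packets of established outbound connections are now evaluated by those chains first, which the commit message does not mention. If that is not intended, keep the old position with `/sbin/iptables -A OUTPUT -j CONNTRACK` where the removed rule was and loop only over `INPUT FORWARD` here. If it is intended, a comment should say that OUTGOINGFW rules now also see established traffic. `iptables_init` continues on both sides of the hunk.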
+@@ -136,16 +140,16 @@ iptables_init() {
+
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+- /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
++ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
+
+ # localhost and ethernet.
+- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
+- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
+- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
+- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
+- /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
++ /sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
++ /sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
++ /sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
++ /sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
++ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
++ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
++ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+
+ # allow DHCP on BLUE to be turned on/off
+ /sbin/iptables -N DHCPBLUEINPUT
+@@ -153,9 +157,9 @@ iptables_init() {
+
+ # WIRELESS chains
+ /sbin/iptables -N WIRELESSINPUT
+- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
++ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
++ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+@@ -189,7 +193,7 @@ iptables_init() {
+ /sbin/iptables -t nat -N UPNPFW
+ /sbin/iptables -t nat -A PREROUTING -j UPNPFW
+ /sbin/iptables -N UPNPFW
+- /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
++ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
+
+ # Postrouting rules (for port forwarding)
+ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
+--
+1.7.10.4
+
--- /dev/null
+From 2fab205b5e2c8cbdebee1d7edf63b04fce601da5 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:17:56 +0200
+Subject: [PATCH 272/302] iptables: Only jump into BADTCP for TCP packets.
+
+This saves us from evaluating lots of rules for non-TCP
+packets.
+---
+ src/initscripts/init.d/firewall | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 851f3ec..000d325 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -70,13 +70,13 @@ iptables_init() {
+ # NEW TCP without SYN
+ /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+
++ /sbin/iptables -A INPUT -p tcp -j BADTCP
++ /sbin/iptables -A FORWARD -p tcp -j BADTCP
++
+ # Connection tracking chain
+ /sbin/iptables -N CONNTRACK
+ /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+- /sbin/iptables -A INPUT -j BADTCP
+- /sbin/iptables -A FORWARD -j BADTCP
+-
+ # Fix for braindead ISP's
+ /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+--
+1.7.10.4
+
--- /dev/null
+From 8368a964235d03e5233e649c82d8655b062cafcf Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:21:04 +0200
+Subject: [PATCH 273/302] iptables: Create LOOPBACK chain.
+
+This chain accepts all communication on the loopback
+interface without running it through the entire connection
+tracking first.
+
+Packets on lo can never be blocked and must always be
+accepted. The firewall has to trust itself anyway.
+---
+ src/initscripts/init.d/firewall | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 000d325..5d66c60 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -116,15 +116,19 @@ iptables_init() {
+ /sbin/iptables -A INPUT -j GUIINPUT
+ /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+
++ # Accept everything on loopback
++ /sbin/iptables -N LOOPBACK
++ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
++ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
++
++ /sbin/iptables -A INPUT -j LOOPBACK
++ /sbin/iptables -A OUTPUT -j LOOPBACK
++
+ # Accept everything connected
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j CONNTRACK
+ done
+
+- # Accept everything on lo
+- iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+- iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
+-
+ # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
+ /sbin/iptables -N IPSECINPUT
+ /sbin/iptables -N IPSECFORWARD
+--
+1.7.10.4
+
--- /dev/null
+From 662fd20f68b75a7ed587dc12f4767cf661fb9d63 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:25:48 +0200
+Subject: [PATCH 274/302] iptables: Block all loopback packets on non-loopback
+ interfaces.
+
+---
+ src/initscripts/init.d/firewall | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 5d66c60..59dbfec 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -121,8 +121,13 @@ iptables_init() {
+ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+- /sbin/iptables -A INPUT -j LOOPBACK
+- /sbin/iptables -A OUTPUT -j LOOPBACK
++ # Filter all packets with loopback addresses on non-loopback interfaces.
++ /sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
++ /sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
++
++ for i in INPUT FORWARD OUTPUT; do
++ /sbin/iptables -A ${i} -j LOOPBACK
++ done
+
+ # Accept everything connected
+ for i in INPUT FORWARD OUTPUT; do
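Review bot: The LOOPBACK jumps are appended after the BADTCP, CUSTOM*, OVPNBLOCK, IPTV and GUIINPUT jumps, so the new `-s 127.0.0.0/8 -j DROP` filter is reached only by packets that none of those chains accepted. For instance `-A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT`, shown as context in PATCH 273, would match before it. To hold the commit's title for every packet, create LOOPBACK and add its three jumps at the top of `iptables_init`, before the first `-A INPUT`. Failing that, add a comment that the earlier chains take precedence. The two DROP rules are also silent, so a rate-limited `-j LOG --log-prefix` rule ahead of them would make spoofed loopback addresses visible in the firewall log.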
+@@ -147,12 +152,6 @@ iptables_init() {
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
+
+ # localhost and ethernet.
+- /sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
+- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+- /sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
+- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+
+ # allow DHCP on BLUE to be turned on/off
+--
+1.7.10.4
+
--- /dev/null
+From b5a219f7470b0fa3b8a3f0798eca9b1bfcad9db4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:36:45 +0200
+Subject: [PATCH 275/302] iptables: Cleanup creating the OVPNBLOCK chain.
+
+This should happen after the CUSTOM* chains.
+---
+ src/initscripts/init.d/firewall | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 59dbfec..33afbef 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -85,13 +85,10 @@ iptables_init() {
+ /sbin/iptables -A INPUT -j CUSTOMINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+- /sbin/iptables -N OVPNBLOCK
+- /sbin/iptables -A FORWARD -j OVPNBLOCK
+ /sbin/iptables -A FORWARD -j GUARDIAN
+ /sbin/iptables -N CUSTOMFORWARD
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
+- /sbin/iptables -A OUTPUT -j OVPNBLOCK
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+@@ -102,15 +99,18 @@ iptables_init() {
+ /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+
++ # Block OpenVPN transfer networks
++ /sbin/iptables -N OVPNBLOCK
++ for i in INPUT FORWARD OUTPUT; do
++ /sbin/iptables -A ${i} -j OVPNBLOCK
++ done
++
+ # IPTV chains for IGMPPROXY
+ /sbin/iptables -N IPTVINPUT
+ /sbin/iptables -A INPUT -j IPTVINPUT
+ /sbin/iptables -N IPTVFORWARD
+ /sbin/iptables -A FORWARD -j IPTVFORWARD
+
+- # Filtering ovpn networks INPUT
+- /sbin/iptables -A INPUT -j OVPNBLOCK
+-
+ # filtering from GUI
+ /sbin/iptables -N GUIINPUT
+ /sbin/iptables -A INPUT -j GUIINPUT
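Review bot: The comment `# Block OpenVPN transfer networks` does not record the ordering this commit is about, so a later reshuffle of iptables_init can undo it unnoticed. With the jumps appended here, FORWARD and OUTPUT reach OVPNBLOCK only after CUSTOMFORWARD/CUSTOMOUTPUT (and after GUARDIAN in FORWARD), so a terminating ACCEPT in a user-maintained CUSTOM* chain now takes effect before the transfer-network block. The INPUT jump moves the other way, from after the IPTV chains to before them. I would say so in the comment, e.g. `# Block OpenVPN transfer networks. Must stay after the CUSTOM* chains: a terminating rule there bypasses OVPNBLOCK.` The `# Guardian (IPS) chains` block added in PATCH 276 deserves the same remark; iptables_init starts and ends outside the hunk.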
+--
+1.7.10.4
+
--- /dev/null
+From 3dee05d376748e7b3c1627508d9d50b1f42941e7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:38:39 +0200
+Subject: [PATCH 276/302] iptables: Create guardian's chains after the CUSTOM*
+ chains.
+
+---
+ src/initscripts/init.d/firewall | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 33afbef..1cbca2d 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -83,9 +83,6 @@ iptables_init() {
+ # CUSTOM chains, can be used by the users themselves
+ /sbin/iptables -N CUSTOMINPUT
+ /sbin/iptables -A INPUT -j CUSTOMINPUT
+- /sbin/iptables -N GUARDIAN
+- /sbin/iptables -A INPUT -j GUARDIAN
+- /sbin/iptables -A FORWARD -j GUARDIAN
+ /sbin/iptables -N CUSTOMFORWARD
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
+@@ -99,6 +96,11 @@ iptables_init() {
+ /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+
++ # Guardian (IPS) chains
++ /sbin/iptables -N GUARDIAN
++ /sbin/iptables -A INPUT -j GUARDIAN
++ /sbin/iptables -A FORWARD -j GUARDIAN
++
+ # Block OpenVPN transfer networks
+ /sbin/iptables -N OVPNBLOCK
+ for i in INPUT FORWARD OUTPUT; do
+--
+1.7.10.4
+
--- /dev/null
+From 3e51a79bad981d06d9bd18f75ac14eddd4f3e3f5 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:41:15 +0200
+Subject: [PATCH 277/302] iptables: Create OVPNNAT chain after CUSTOM* chains.
+
+---
+ src/initscripts/init.d/firewall | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 1cbca2d..cc6bebb 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -90,11 +90,9 @@ iptables_init() {
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
+- /sbin/iptables -t nat -N OVPNNAT
+ /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ /sbin/iptables -t nat -N CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+- /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+
+ # Guardian (IPS) chains
+ /sbin/iptables -N GUARDIAN
+@@ -107,6 +105,10 @@ iptables_init() {
+ /sbin/iptables -A ${i} -j OVPNBLOCK
+ done
+
++ # OpenVPN transfer network translation
++ /sbin/iptables -t nat -N OVPNNAT
++ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
++
+ # IPTV chains for IGMPPROXY
+ /sbin/iptables -N IPTVINPUT
+ /sbin/iptables -A INPUT -j IPTVINPUT
+--
+1.7.10.4
+
--- /dev/null
+From 7fe73a0f046e30dde2f07a0fda7fadedcb00604b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:47:57 +0200
+Subject: [PATCH 278/302] iptables: Jump into the firewall rulesets after
+ everything else has been done.
+
+---
+ src/initscripts/init.d/firewall | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index cc6bebb..5423f13 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -87,8 +87,6 @@ iptables_init() {
+ /sbin/iptables -A FORWARD -j CUSTOMFORWARD
+ /sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+- /sbin/iptables -N OUTGOINGFW
+- /sbin/iptables -A OUTPUT -j OUTGOINGFW
+ /sbin/iptables -t nat -N CUSTOMPREROUTING
+ /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
+ /sbin/iptables -t nat -N CUSTOMPOSTROUTING
+@@ -151,10 +149,6 @@ iptables_init() {
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+
+- # Input Firewall
+- /sbin/iptables -N INPUTFW
+- /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
+-
+ # localhost and ethernet.
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+
+@@ -168,10 +162,16 @@ iptables_init() {
+ /sbin/iptables -N WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+
+- # Forward Firewall
++ # Jump into the actual firewall ruleset.
++ /sbin/iptables -N INPUTFW
++ /sbin/iptables -A INPUT -j INPUTFW
++
++ /sbin/iptables -N OUTGOINGFW
++ /sbin/iptables -A OUTPUT -j OUTGOINGFW
++
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+-
++
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
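Review bot: INPUTFW is now attached to INPUT after the context rule `-A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp` shown in the previous hunk, whereas the removed lines created it just before that rule. As far as these hunks show, new non-ICMP connections from GREEN are accepted before INPUTFW is consulted, so an input rule meant to restrict GREEN access to the firewall itself would no longer match; if that is not intended, the INPUTFW jump has to stay ahead of the GREEN accept. The re-added jump also loses its match, `-A INPUT -j INPUTFW` instead of `-A INPUT -m conntrack --ctstate NEW -j INPUTFW`, which the commit message does not mention; either keep the match or note in the comment why all connection states should traverse INPUTFW. iptables_init continues outside the hunk.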
+--
+1.7.10.4
+
--- /dev/null
+From bbd84ab8170643e68ad82a68336237c9fe228d00 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:50:02 +0200
+Subject: [PATCH 279/302] iptables: Remove OPENSSL{PHYSICAL,VIRTUAL} chains
+ which are unused.
+
+---
+ src/initscripts/init.d/firewall | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 5423f13..772701e 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -140,11 +140,8 @@ iptables_init() {
+ /sbin/iptables -N IPSECINPUT
+ /sbin/iptables -N IPSECFORWARD
+ /sbin/iptables -N IPSECOUTPUT
+- /sbin/iptables -N OPENSSLVIRTUAL
+ /sbin/iptables -A INPUT -j IPSECINPUT
+- /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
+ /sbin/iptables -A FORWARD -j IPSECFORWARD
+- /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
+ /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+@@ -172,10 +169,6 @@ iptables_init() {
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+- # OPenSSL
+- /sbin/iptables -N OPENSSLPHYSICAL
+- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+-
+ # RED chain, used for the red interface
+ /sbin/iptables -N REDINPUT
+ /sbin/iptables -A INPUT -j REDINPUT
+--
+1.7.10.4
+
--- /dev/null
+From cf3d8b002b59c7ad3063b656a41b3b1413766c92 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 8 Jul 2013 15:53:30 +0200
+Subject: [PATCH 280/302] iptables: Cleanup creating SNAT/DNAT chains.
+
+---
+ src/initscripts/init.d/firewall | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 772701e..3f181b1 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -178,17 +178,19 @@ iptables_init() {
+ /sbin/iptables -t nat -A POSTROUTING -j REDNAT
+
+ iptables_red
+-
+- # Custom prerouting chains (for transparent proxy and port forwarding)
++
++ # Custom prerouting chains (for transparent proxy)
+ /sbin/iptables -t nat -N SQUID
+ /sbin/iptables -t nat -A PREROUTING -j SQUID
++
++ # DNAT rules
+ /sbin/iptables -t nat -N NAT_DESTINATION
+- /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+- /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
+-
+-
+-
++
++ # SNAT rules
++ /sbin/iptables -t nat -N NAT_SOURCE
++ /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
++
+ # upnp chain for our upnp daemon
+ /sbin/iptables -t nat -N UPNPFW
+ /sbin/iptables -t nat -A PREROUTING -j UPNPFW
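Review bot: Replacing `-I POSTROUTING 3 -j NAT_SOURCE` with `-A POSTROUTING -j NAT_SOURCE` moves the SNAT jump from third place to the end of nat POSTROUTING, behind the `-j REDNAT` jump shown at the top of the hunk. NAT targets end traversal of the chain, so if REDNAT masquerades traffic leaving RED (its rules are not visible here), a source-NAT rule for that traffic in NAT_SOURCE would never be reached. If the SNAT rules are meant to take precedence over the default masquerading, create NAT_SOURCE and append its jump before the REDNAT lines, and state that ordering in the `# SNAT rules` comment. iptables_init continues outside the hunk.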
+--
+1.7.10.4
+
--- /dev/null
+From 79381ea8a09b5bcd4b365e485c2ce3cc064acb7e Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 9 Jul 2013 14:58:30 +0200
+Subject: [PATCH 281/302] Forward Firewall: deleted postrouting block in
+ firewall (not used anywhere)
+
+---
+ src/initscripts/init.d/firewall | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 3f181b1..12d8817 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -197,15 +197,6 @@ iptables_init() {
+ /sbin/iptables -N UPNPFW
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
+
+- # Postrouting rules (for port forwarding)
+- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
+- if [ "$BLUE_DEV" != "" ]; then
+- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
+- fi
+- if [ "$ORANGE_DEV" != "" ]; then
+- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS
+- fi
+-
+ # run local firewall configuration, if present
+ if [ -x /etc/sysconfig/firewall.local ]; then
+ /etc/sysconfig/firewall.local start
+--
+1.7.10.4
+
--- /dev/null
+From f9f0b24f561d52af0328e9b828aa1230c1493325 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 9 Jul 2013 14:59:55 +0200
+Subject: [PATCH 282/302] Forward Firewall: fixed check for already existing
+ rules.
+
+---
+ html/cgi-bin/forwardfw.cgi | 32 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 21 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 5d746c8..8585863 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -18,17 +18,7 @@
+ # along with this program. If not, see <http://www.gnu.org/licenses/>. #
+ # #
+ ###############################################################################
+-# #
+-# Hi folks! I hope this code is useful for all. I needed something to handle #
+-# my VPN Connections in a comfortable way. As a prerequisite i needed #
+-# something that makes sure the vpn roadwarrior are able to have a fixed #
+-# ip-address. So i developed the ccd extension for the vpn server. #
+-# #
+-# Now that the ccd extension is ready i am able to develop the main request. #
+-# Any feedback is appreciated. #
+-# #
+-#Copymaster #
+-###############################################################################
++
+
+ use strict;
+ use Sort::Naturally;
+@@ -143,8 +133,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #check if we have an identical rule already
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %configinputfw){
+- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
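Review bot: `$errormessage='';` on the remark-change path clears the whole message, not only the `fwdfw err ruleexists` text appended two lines above with `.=`. If earlier validation in this saverule branch can already have appended an error (that code is outside the hunk), a submission that changes only the remark with `updatefwrule` set to `on` would discard it. I would track the duplicate in a separate flag, clear only that flag here, and append `$Lang::tr{'fwdfw err ruleexists'}` after the loop when the flag is still set. The same reset appears in the hunks at -195 and -252.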
+@@ -161,8 +151,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configinputfw){
+- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$configinputfw{$key}[0], $configinputfw{$key}[2], $configinputfw{$key}[3],$configinputfw{$key}[4], $configinputfw{$key}[5],$configinputfw{$key}[6], $configinputfw{$key}[7], $configinputfw{$key}[8],$configinputfw{$key}[9], $configinputfw{$key}[10], $configinputfw{$key}[11],$configinputfw{$key}[12], $configinputfw{$key}[13], $configinputfw{$key}[14],$configinputfw{$key}[15], $configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19], $configinputfw{$key}[20], $configinputfw{$key}[21], $configinputfw{$key}[22], $configinputfw{$key}[23], $configinputfw{$key}[24], $configinputfw{$key}[25], $configinputfw{$key}[26], $configinputfw{$key}[27], $configinputfw{$key}[28], $configinputfw{$key}[29], $configinputfw{$key}[30], $configinputfw{$key}[31]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
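Review bot: The duplicate test is still a pair of hand-written interpolated strings of 30 fields each, repeated in six places in this patch, and the defect being fixed (stray spaces after some commas) is exactly what that form invites. An array slice gives the stored side in one expression, `join(',', @{$configinputfw{$key}}[0,2..15,17..31])`, and the submitted side can be built once before the loops with `join(',', ...)` over the same field list, so the two sides cannot drift apart again. For the `%configfwdfw` hunks at -252 and -270 the slice is `[0,2..15,18..31]`, because `$fwdfwsettings{'LOG'}` is left out of the comparison there. The enclosing `if` block starts and ends outside the hunk.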
+@@ -195,8 +185,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ my $maxkey=&General::findhasharraykey(\%configoutgoingfw);
+ if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
+ foreach my $key (sort keys %configoutgoingfw){
+- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, $fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}"
+- eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+ $errormessage='';
+@@ -214,8 +204,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ print"CHECK OUTGOING DOPPELTE REGEL<br>";
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configoutgoingfw){
+- if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'}, $fwdfwsettings{'grp1'}, $fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'}, $fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'}, $fwdfwsettings{'USESRV'}, $fwdfwsettings{'TGT_PROT'}, $fwdfwsettings{'ICMP_TGT'}, $fwdfwsettings{'grp3'}, $fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'}, $fwdfwsettings{'TIME'}, $fwdfwsettings{'TIME_MON'}, $fwdfwsettings{'TIME_TUE'}, $fwdfwsettings{'TIME_WED'}, $fwdfwsettings{'TIME_THU'}, $fwdfwsettings{'TIME_FRI'}, $fwdfwsettings{'TIME_SAT'}, $fwdfwsettings{'TIME_SUN'}, $fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}, $fwdfwsettings{'USE_NAT'}, $fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'}, $fwdfwsettings{'nat'}"
+- eq "$configoutgoingfw{$key}[0], $configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4], $configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6], $configoutgoingfw{$key}[7], $configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9], $configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15], $configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29], $configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
++ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
++ eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
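Review bot: The context line `print"CHECK OUTGOING DOPPELTE REGEL<br>";` at the top of this hunk is a leftover debug statement that writes into the response whenever this branch runs. It is emitted from the saverule handling, possibly before the page header has been printed (not visible here), and it is untranslated text in a page that otherwise uses `$Lang::tr`. I would delete the line as part of this cleanup.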
+@@ -252,7 +242,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ #check if we have an identical rule already
+ foreach my $key (sort keys %configfwdfw){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+ $errormessage='';
+@@ -270,7 +260,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
+ $fwdfwsettings{'oldrulenumber'}=$maxkey;
+ foreach my $key (sort keys %configfwdfw){
+ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
+- eq "$configfwdfw{$key}[0], $configfwdfw{$key}[2], $configfwdfw{$key}[3], $configfwdfw{$key}[4], $configfwdfw{$key}[5], $configfwdfw{$key}[6], $configfwdfw{$key}[7], $configfwdfw{$key}[8], $configfwdfw{$key}[9], $configfwdfw{$key}[10], $configfwdfw{$key}[11], $configfwdfw{$key}[12], $configfwdfw{$key}[13], $configfwdfw{$key}[14],$configfwdfw{$key}[15], $configfwdfw{$key}[18],$configfwdfw{$key}[19], $configfwdfw{$key}[20], $configfwdfw{$key}[21], $configfwdfw{$key}[22], $configfwdfw{$key}[23], $configfwdfw{$key}[24], $configfwdfw{$key}[25], $configfwdfw{$key}[26], $configfwdfw{$key}[27], $configfwdfw{$key}[28], $configfwdfw{$key}[29], $configfwdfw{$key}[30], $configfwdfw{$key}[31]"){
++ eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
+ $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From b4f876e353b61abeda528a3862c85e75b5a22406 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 10 Jul 2013 13:49:52 +0200
+Subject: [PATCH 283/302] Forward Firewall: The default rule table (at the end
+ of Forward) shows only default values depending on
+ the network configuration
+
+---
+ html/cgi-bin/forwardfw.cgi | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 8585863..12fa8f8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1519,8 +1519,8 @@ END
+ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire_src'}{'ALL'}>$Lang::tr{'all'}</option>";
+ print "<option value='GREEN' $selected{'ipfire_src'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+- print "<option value='ORANGE' $selected{'ipfire_src'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+- print "<option value='BLUE' $selected{'ipfire_src'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire_src'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used());
++ print "<option value='BLUE' $selected{'ipfire_src'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if (&Header::blue_used());
+ print "<option value='RED1' $selected{'ipfire_src'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
+
+ if (! -z "${General::swroot}/ethernet/aliases"){
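Review bot: The ORANGE and BLUE options are now gated on `&Header::orange_used()` and `&Header::blue_used()`, but their labels still interpolate `$ifaces{'ORANGE_ADDRESS'}` and `$ifaces{'BLUE_ADDRESS'}`, which the old condition guaranteed to be non-empty. If a zone can count as used while its address is unset (the helpers are not visible here), the entry is rendered with an empty `()`; keeping both tests, `if (&Header::orange_used() && $ifaces{'ORANGE_ADDRESS'})`, avoids that. The `RED1` option on the following context line is also never closed with `</option>`. The same lines recur in the hunk at -1577.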
+@@ -1577,8 +1577,8 @@ END
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+ print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+- print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if $ifaces{'ORANGE_ADDRESS'};
+- print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if $ifaces{'BLUE_ADDRESS'};
++ print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used());
++ print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used());
+ print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip);
+ if (! -z "${General::swroot}/ethernet/aliases"){
+ foreach my $alias (sort keys %aliases)
+@@ -2425,13 +2425,25 @@ sub show_defaultrules
+ print"</table><br>";
+ print "<table width='100%' rules='cols' border='1' >";
+ if ($col eq "bgcolor='green'"){
+- my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'BLUE_DEV'};
+- my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if $ifaces{'ORANGE_DEV'};
+- my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if $ifaces{'BLUE_DEV'};
+- my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if $ifaces{'ORANGE_DEV'};
+- print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'>$orange1</td><td align='center'>$blue1</td></tr>";
+- print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td><td align='center'>$blue</td></tr>";
+- print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'>$orange</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td></tr>" if $ifaces{'BLUE_DEV'};
++ my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used());
++ my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used());
++ my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used());
++ my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used());
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
++ print"<td align='center'>$orange1</td>" if (&Header::orange_used());
++ print"<td align='center'>$blue1</td>" if (&Header::blue_used());
++ print"</tr>";
++ if (&Header::orange_used()){
++ print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
++ print"<td align='center'>$blue</td>" if (&Header::blue_used());
++ print"</tr>";
++ }
++ if (&Header::blue_used()){
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
++ print"<td align='center'>$orange</td>" if (&Header::orange_used());
++ print"<td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
++ print"</tr>";
++ }
+ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col colspan='3' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }elsif($col eq "bgcolor='darkred'"){
+ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
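Review bot: The four declarations of `$blue`, `$orange`, `$blue1` and `$orange1` keep the `my $x = ... if COND;` form, whose behaviour perlsyn documents as undefined. The cells are only printed under the same condition, so it works today, but a later edit that prints one of them unconditionally would depend on that undefined behaviour. A conditional expression avoids it: `my $blue = &Header::blue_used() ? "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" : '';`, and likewise for the other three. Separately, the final-rule row still uses a fixed `colspan='3'` although the rows above it now have two to four cells. show_defaultrules starts and ends outside this hunk.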
+--
+1.7.10.4
+
--- /dev/null
+From 7196365800384a0720ff887700bf84832149b5e4 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 10 Jul 2013 13:51:46 +0200
+Subject: [PATCH 284/302] Forward Firewall: just increased version number
+
+---
+ html/cgi-bin/forwardfw.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 12fa8f8..b293b03 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -64,7 +64,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.10';
++my $VERSION='0.9.9.11';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+--
+1.7.10.4
+
--- /dev/null
+From 009323cf883d6b921539d159ae3a9fd6ad8fcdcd Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 11 Jul 2013 07:43:42 +0200
+Subject: [PATCH 285/302] Forward Firewall: deleted configfile "nat" in
+ ovpnmain.cgi for portfw check. File "nat" no longer
+ exists. Now the portfw rules are in file "config"
+
+---
+ html/cgi-bin/ovpnmain.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
+index 1e17dc9..15da7ab 100644
+--- a/html/cgi-bin/ovpnmain.cgi
++++ b/html/cgi-bin/ovpnmain.cgi
+@@ -185,7 +185,7 @@ sub checkportfw {
+ my $DPORT = shift;
+ my $DPROT = shift;
+ my %natconfig =();
+- my $confignat = "${General::swroot}/forward/nat";
++ my $confignat = "${General::swroot}/forward/config";
+ $DPROT= uc ($DPROT);
+ &General::readhasharray($confignat, \%natconfig);
+ foreach my $key (sort keys %natconfig){
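Review bot: Only the path changes from `forward/nat` to `forward/config`, while the loop that follows still walks `%natconfig`. Whether the fields it reads line up with the layout of `config` cannot be checked here, because the loop body is outside the hunk. If the layouts differ, the check would silently stop detecting a clash between the OpenVPN port and a port-forward rule rather than fail visibly. Please confirm the field positions against the new file format and record them in a comment, e.g. `# forward/config layout: field <N> = protocol, field <M> = port (placeholders, fill in)`. Renaming `$confignat` and `%natconfig` would also stop the code suggesting that the old file still exists.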
+--
+1.7.10.4
+
--- /dev/null
+From f5d801605fc12220cf4cca038b1ccf3b531998f9 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 11 Jul 2013 17:15:15 +0200
+Subject: [PATCH 286/302] Forward Firewall: added some java Script to
+ automatically select radiobuttons when dropdowns
+ are changed. Some cleanup of the code
+
+---
+ html/cgi-bin/forwardfw.cgi | 149 ++++++++++++++++++++++++--------------------
+ 1 file changed, 81 insertions(+), 68 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index b293b03..bb1126d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -99,6 +99,27 @@ my @protocols;
+ &Header::getcgihash(\%fwdfwsettings);
+ &Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
+ &Header::openbigbox('100%', 'center',$errormessage);
++#### JAVA SCRIPT ####
++print<<END;
++<script>
++ \$(document).ready(function() {
++ // Automatically select radio buttons when corresponding
++ // dropdown menu changes.
++ \$("select").change(function() {
++ var id = \$(this).attr("name");
++ //When using SNAT or DNAT, check "USE NAT" Checkbox
++ if ( id === 'snat' || id === 'dnat') {
++ \$('#USE_NAT').prop('checked', true);
++ }
++ \$('#' + id).prop("checked", true);
++ });
++ });
++function checkradio(a){
++ \$(a).attr('checked', true);
++}
++</script>
++END
++
+ #### ACTION #####
+
+ if ($fwdfwsettings{'ACTION'} eq 'saverule')
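Review bot: `checkradio()` sets the radio with `\$(a).attr('checked', true)`, while the change handler a few lines above it uses `.prop('checked', true)`. From jQuery 1.6 on, `.attr` only sets the attribute (the initial state), so once the user has clicked another radio in the group the helper may not move the selection, and the rule could be saved with a different target type than the form shows. Use the same call in both places: `\$(a).prop('checked', true);`. The handler is also bound to every `select` on the page, including ones such as `PROT` for which no radio with that id is visible in this patch. That is a no-op, but a class on the paired selects would make the intent explicit.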
+@@ -366,7 +387,7 @@ sub addrule
+ {
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+- print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><br>";
++ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div></td></tr></table></form><br>";
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'});
+ print "<form method='post'>";
+@@ -977,7 +998,7 @@ print<<END;
+ <table width='100%' border='0'>
+ <tr><td width='50%' valign='top'>
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='$grp' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='width:200px;'>
++ <tr><td width='1%'><input type='radio' name='$grp' id='std_net_$srctgt' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='width:200px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -998,19 +1019,19 @@ END
+ print"</select></td></tr>";
+ #custom networks
+ if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td><input type='radio' name='$grp' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='width:200px;'>";
++ print"<tr><td><input type='radio' name='$grp' id='cust_net_$srctgt' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='width:200px;'>";
+ &fillselect(\%customnetwork,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom hosts
+ if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td><input type='radio' name='$grp' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='width:200px;'>";
++ print"<tr><td><input type='radio' name='$grp' id='cust_host_$srctgt' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='width:200px;'>";
+ &fillselect(\%customhost,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td>";
+ }
+ #custom groups
+ if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='width:200px;'>";
++ print"<tr><td valign='top'><input type='radio' name='$grp' id='cust_grp_$srctgt' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='width:200px;'>";
+ foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } keys %customgrp) {
+ if($helper ne $customgrp{$key}[0]){
+ print"<option ";
+@@ -1025,14 +1046,14 @@ END
+ print"</tr></table></td><td valign='top'><table width='100%' border='0'><tr>";
+ # CCD networks
+ if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+- print"<td width='1%'><input type='radio' name='$grp' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='width:200px;'>";
++ print"<td width='1%'><input type='radio' name='$grp' id='ovpn_net_$srctgt' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='width:200px;'>";
+ &fillselect(\%ccdnet,$fwdfwsettings{$fwdfwsettings{$grp}});
+ print"</select></td></tr>";
+ }
+ #OVPN CCD Hosts
+ foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){
+ if ($ccdhost{$key}[33] ne '' ){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'>" if ($show eq '');
++ print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_host_$srctgt' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+@@ -1040,13 +1061,13 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'></select></td></tr>" ;
++ print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_host_$srctgt' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'></select></td></tr>" ;
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #OVPN N2N
+ foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){
+ if ($ccdhost{$key}[3] eq 'net'){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'>" if ($show eq '');
++ print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_n2n_$srctgt' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'>" if ($show eq '');
+ $show='1';
+ print "<option value='$ccdhost{$key}[1]'";
+ print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]);
+@@ -1054,7 +1075,7 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td width='1%'><input type='radio' name='$grp' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'></select></td></tr>" ;
++ print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_n2n_$srctgt' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'></select></td></tr>" ;
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ #IPsec netze
+@@ -1068,11 +1089,11 @@ END
+ }
+ }
+ if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
+- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'><select></td></tr>";
++ print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'><select></td></tr>";
+ }
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+
+- print"</tr></table>";
++ print"</table>";
+ print"</td></tr></table><br>";
+ }
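Review bot: The placeholder row for IPsec networks (the added line with `id='ipsec_net_$srctgt'`) still ends its empty dropdown with `<select>` instead of `</select>`, so this cleanup leaves invalid markup that only works through parser error recovery. Change the tail of that print to `<select name='ipsec_net_$srctgt' style='width:200px;'></select></td></tr>`. The enclosing sub starts outside this hunk.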
+ sub get_ip
+@@ -1514,7 +1535,7 @@ sub newrule
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17'></td><td width='1%'><input type='radio' name='grp1' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17' ></td><td width='1%'><input type='radio' name='grp1' id='ipfire_src' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire_src'}{'ALL'}>$Lang::tr{'all'}</option>";
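Review bot: `value='$fwdfwsettings{'src_addr'}'` on the touched `grp1` line writes a request parameter back into a single-quoted attribute without HTML escaping (the hash is filled by `&Header::getcgihash(\%fwdfwsettings)` near the top of the file). Unless the value is validated or escaped before this point, which is not visible in this patch, a `'` in it ends the attribute and the rest is parsed as markup. Escape at output, e.g. `(my $src_addr = $fwdfwsettings{'src_addr'}) =~ s/([&<>'"])/sprintf('&#%d;', ord $1)/ge;`, and interpolate `$src_addr` instead. The same pattern appears in later hunks of this commit for `tgt_addr`, `TGT_PORT`, `ruleremark` and `dnatport`. For `dnatport` the added double quotes fix the unquoted attribute but not the escaping.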
+@@ -1530,12 +1551,12 @@ END
+ }
+ }
+ print<<END;
+- </td></tr>
++ </select></td></tr>
+ <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ END
+ &gen_dd_block('src','grp1');
+ print<<END;
+- <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
++ <table><tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ <table width='100%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='USE_SRC_PORT' value='ON' $checked{'USE_SRC_PORT'}{'ON'}></td><td width='51%' colspan='3'>$Lang::tr{'fwdfw use srcport'}</td>
+ <td width='15%' nowrap='nowrap'>$Lang::tr{'fwdfw man port'}</td><td><select name='PROT'>
+@@ -1572,7 +1593,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' id='ipfire' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+@@ -1587,14 +1608,14 @@ END
+ }
+ }
+ print<<END;
+- </td></tr>
++ </select></td></tr>
+ <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table>
+ END
+ &gen_dd_block('tgt','grp2');
+ print<<END;
+- <hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '></hr><br>
++ <hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '><br>
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv'style='min-width:230px;' >
++ <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv' style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrv", \%customservice);
+ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){
+@@ -1604,7 +1625,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' >
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' >
+ END
+ &General::readhasharray("$configsrvgrp", \%customservicegrp);
+ my $helper;
+@@ -1618,7 +1639,7 @@ END
+ }
+ print<<END;
+ </select></td></tr>
+- <tr><td colspan='2'></td><td><input type='radio' name='grp3' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT'>
++ <tr><td colspan='2'></td><td><input type='radio' name='grp3' id='TGT_PORT' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT' onchange='checkradio(\"#TGT_PORT\")'>
+ END
+ foreach ("TCP","UDP","GRE","ESP","AH","ICMP")
+ {
+@@ -1631,7 +1652,7 @@ END
+ }
+ $fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
+ print<<END;
+- </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' ></td></tr>
++ </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' onclick='checkradio(\"#TGT_PORT\")'></td></tr>
+ <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT' style='min-width:230px;'>
+ END
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+@@ -1653,8 +1674,8 @@ END
+ &Header::openbox('100%', 'left', 'NAT');
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
+- <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
++ <tr><td width='1%'><input type='checkbox' name='USE_NAT' id='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
++ <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='dnat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
+ END
+ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+@@ -1663,12 +1684,12 @@ END
+ {
+ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
+ }
+- print"</td></tr>";
++ print"</select></td></tr>";
+ $fwdfwsettings{'dnatport'}=~ tr/|/,/;
+- print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
++ print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=\"$fwdfwsettings{'dnatport'}\"> </td></tr>";
+ print"<tr><td colspan='8'><br></td></tr>";
+ #SNAT
+- print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
++ print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='snat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
+ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
+ foreach my $alias (sort keys %aliases)
+ {
+@@ -1683,7 +1704,7 @@ END
+ print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'nat'}} eq $defaultNetworks{$network}{'NAME'});
+ print ">$network</option>";
+ }
+- print"</table>";
++ print"</select></td></tr></table>";
+ print"<hr>";
+ &Header::closebox();
+ #---Activate/logging/remark-------------------------------------
+@@ -1711,8 +1732,7 @@ END
+ }
+ }
+ print"</select></td></tr>";
+- print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td width='88%' align='left'><input type='text' name='ruleremark' maxlength='255' value='$fwdfwsettings{'ruleremark'}' style='width:99%':></td></tr>";
+- #print"<tr><td width='100%'>$Lang::tr{'remark'}:</td><td align='left'><textarea name='ruleremark' cols='70' rows='3' value='$fwdfwsettings{'ruleremark'}'></textarea></td></tr>";
++ print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td width='88%' align='left'><input type='text' name='ruleremark' maxlength='255' value='$fwdfwsettings{'ruleremark'}' style='width:99%;'></td></tr>";
+ if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){
+ print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >";
+ for (my $count =1; $count <= $sum; $count++){
+@@ -1737,7 +1757,7 @@ END
+ print<<END;
+ <table width='70%' border='0'>
+ <tr><td width='1%'><input type='checkbox' name='TIME' value='ON' $checked{'TIME'}{'ON'}></td><td colspan='9'>$Lang::tr{'fwdfw timeframe'}</td></tr>
+- <tr><td colspan='10'> </td></tr>
++ <tr><td colspan='10'> </td></tr>
+ <tr>
+ <td align='left'>$Lang::tr{'time'}:</td>
+ <td align='left'>$Lang::tr{'advproxy monday'} </td><td>$Lang::tr{'advproxy tuesday'} </td><td>$Lang::tr{'advproxy wednesday'} </td><td>$Lang::tr{'advproxy thursday'} </td><td>$Lang::tr{'advproxy friday'} </td><td>$Lang::tr{'advproxy saturday'} </td><td>$Lang::tr{'advproxy sunday'}</td>
+@@ -1746,13 +1766,13 @@ END
+ </tr>
+ <tr>
+ <td align='right'></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} /></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} /></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} /></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} /></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} /></td>
+- <td width='1%'align='left'><input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} /></td>
+- <td width='15%'align='left'><input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} /></td>
++ <td width='1%' align='left'><input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} /></td>
++ <td width='15%' align='left'><input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} /></td>
+ <td><select name='TIME_FROM'>
+ END
+ for (my $i=0;$i<=23;$i++) {
+@@ -1776,8 +1796,7 @@ END
+ }
+ }
+ print<<END;
+- </select></td></tr>
+- </table><br><hr>
++ </select></td></tr></table><br><hr>
+ END
+ #---ACTION------------------------------------------------------
+ if($fwdfwsettings{'updatefwrule'} ne 'on'){
+@@ -1785,9 +1804,10 @@ END
+ <table border='0' width='100%'>
+ <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' />
+ <input type='hidden' name='config' value='$config' >
+- <input type='hidden' name='ACTION' value='saverule' >
+- </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
+- </table></form>
++ <input type='hidden' name='ACTION' value='saverule' ></form>
++ <form method='post' style='display:inline;'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='reset'></form></td></tr>
++ </table>
++ <br>
+ END
+ }else{
+ print<<END;
+@@ -2102,7 +2122,7 @@ sub viewtablenew
+ my $coloryellow='';
+ print"<b>$title1</b><br>";
+ print"<table width='100%' cellspacing='0' cellpadding='0' border='0'>";
+- print"<tr><td align='center'><b>#</td><td></td><td align='center' width='25'></td><td align='center'><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center'><b>$Lang::tr{'fwdfw target'}</td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
++ print"<tr><td align='center'><b>#</b></td><td></td><td align='center' width='25'></td><td align='center'><b>$Lang::tr{'fwdfw source'}</b></td><td width='1%'><b>Log</b></td><td align='center'><b>$Lang::tr{'fwdfw target'}</b></td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</b></td></tr>";
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $tdcolor='';
+ @tmpsrc=();
+@@ -2156,7 +2176,7 @@ sub viewtablenew
+ print"<tr bgcolor='$color' >";
+ #KEY
+ print<<END;
+- <td align='right' width='18'><b>$key  </b></td>
++ <td align='right' width='18'><b>$key </b></td>
+ END
+ #RULETYPE (A,R,D)
+ if ($$hash{$key}[0] eq 'ACCEPT'){
+@@ -2230,12 +2250,11 @@ END
+ #LOGGING
+ print<<END;
+ </td>
+- <form method='post'>
+- <td align='left' width='25'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
++ <td align='left' width='25'><form method='post'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/>
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' />
+- </td></form>
++ </form></td>
+ END
+ #TARGET
+ &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost);
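Review bot: The log-toggle form, now moved inside its `<td>`, submits a state-changing `ACTION` with only the `key` and `config` fields, and no per-session request token is visible. If origin or token validation is not done centrally for POST requests (not visible in this patch), a page in another tab of a logged-in administrator's browser could switch rule logging off. In that case add a hidden token field (a constructed example: `<input type='hidden' name='token' value='$token' />`) and verify it before acting. The toggle, edit, copy and delete forms in the next hunk have the same shape. The stray `img` in `<input type='image' img src='$log'` can be dropped while this line is being touched.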
+@@ -2285,51 +2304,45 @@ END
+ $gif="/images/off.gif"
+ }
+ print<<END;
+- <form method='post'>
+- <td width='25'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25'><form method='post'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw toggle'}' />
+- </td></form>
+- <form method='post'>
+- <td width='25' ><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ </form></td>
++ <td width='25' ><form method='post'><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='editrule' />
+- </td></form></td>
+- <form method='post'>
+- <td width='25'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ </form></td>
++ <td width='25'><form method='post'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='copyrule' />
+- </td></form></td>
+- <form method='post'>
+- <td width='25' ><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ </form></td>
++ <td width='25' ><form method='post'><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='deleterule' />
+- </td></form></td>
++ </form></td>
+ END
+ if (exists $$hash{$key-1}){
+ print<<END;
+- <form method='post'>
+- <td width='25'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25'><form method='post'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='moveup' />
+- </td></form></td>
++ </form></td>
+ END
+ }else{
+ print"<td width='25'><input type='image' img src='/images/up.gif' style='visibility:hidden;'></td>";
+ }
+ if (exists $$hash{$key+1}){
+ print<<END;
+- <form method='post'>
+- <td width='25' ><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
++ <td width='25' ><form method='post'><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' />
+ <input type='hidden' name='key' value='$key' />
+ <input type='hidden' name='config' value='$config' />
+ <input type='hidden' name='ACTION' value='movedown' />
+- </td></form></td></tr>
++ </form></td></tr>
+ END
+ }else{
+ print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>";
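Review bot: Every per-rule form rebuilt here (toggle, `editrule`, `copyrule`, `deleterule`, `moveup`, `movedown`) submits a state-changing ACTION with only `key` and `config` as hidden fields, and none carries a per-session anti-CSRF token. Whether the handler rejects cross-site posts some other way is not visible in this hunk and should be confirmed. If it does not, each form needs a hidden token that the handler verifies, for example `<input type='hidden' name='CSRF_TOKEN' value='$token' />` (field and variable names are placeholders). The rewritten lines also keep the stray `img` attribute in `type='image' img src=...`, which can be dropped. The enclosing loop starts and ends outside the hunk.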
+@@ -2337,7 +2350,7 @@ END
+ #REMARK
+ if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='10'>  $$hash{$key}[16]</td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='10'> $$hash{$key}[16]</td></tr>";
+ }
+ if ($$hash{$key}[18] eq 'ON'){
+ #TIMEFRAME
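Review bot: The rule remark `$$hash{$key}[16]` is still interpolated into the table cell as raw HTML on the rewritten line, so any markup stored in a remark is rendered in the administrator's browser. Whether the value is entity-encoded when the rule is saved is not visible here; if it is not, encode it at output, e.g. by printing `&Header::cleanhtml($$hash{$key}[16])` instead of the bare variable (assuming that helper is what the other CGIs use). The time-frame row in the next hunk prints `$$hash{$key}[26]` and `$$hash{$key}[27]` the same way. The enclosing sub starts and ends outside the hunk.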
+@@ -2353,7 +2366,7 @@ END
+ my $weekdays=join(",",@days);
+ if (@days){
+ print"<tr bgcolor='$color'>";
+- print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'>  $weekdays   $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
++ print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'> $weekdays $$hash{$key}[26] - $$hash{$key}[27] </td></tr>";
+ }
+ }
+ }
+--
+1.7.10.4
+
--- /dev/null
+From 15cd8615168b1cad1fa0cdf0dc0afd2ee1274cec Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 12 Jul 2013 08:01:01 +0200
+Subject: [PATCH 287/302] Forward Firewall: added some javascript to
+ automatically select radiobuttons when dropdowns
+ are changed
+
+---
+ html/cgi-bin/fwhosts.cgi | 94 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 55 insertions(+), 39 deletions(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 73dabaa..d7a519a 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -80,6 +80,24 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+ &Header::openpage($Lang::tr{'fwhost hosts'}, 1, '');
+ &Header::openbigbox('100%', 'center');
+
++#### JAVA SCRIPT ####
++print<<END;
++<script>
++ \$(document).ready(function() {
++ // Automatically select radio buttons when corresponding
++ // dropdown menu changes.
++ \$("select").change(function() {
++ var id = \$(this).attr("name");
++ //When using SNAT or DNAT, check "USE NAT" Checkbox
++ if ( id === 'snat' || id === 'dnat') {
++ \$('#USE_NAT').prop('checked', true);
++ }
++ \$('#' + id).prop("checked", true);
++ });
++ });
++</script>
++END
++
+ ## ACTION ####
+ if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
+ {
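Review bot: The script block is emitted through an interpolating heredoc, which is why every jQuery `$` has to be written as `\$`; one missed backslash would let Perl interpolate a variable into the page's JavaScript. Nothing in the block uses a Perl variable, so a non-interpolating heredoc is the safer form: `print <<'END';` with the backslashes removed. The handler also refers to `#USE_NAT`, `snat` and `dnat`, none of which appear in the fwhosts.cgi hunks shown here, so that branch looks copied from another page and may be dead code in this file. A short comment stating that each radio button's `id` must equal the `name` of its `<select>` would document the contract that `$('#' + id)` depends on.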
+@@ -373,8 +391,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
+ }
+ &addnet;
+ &viewtablenet;
+- }else
+- {
++ }else {
+ &addnet;
+ &viewtablenet;
+ }
+@@ -1066,10 +1083,10 @@ sub showmenu
+ &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'});
+ print "$Lang::tr{'fwhost welcome'}";
+ print<<END;
+- <br><br><table border='0' width='100%'><form method='post'>
+- <tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' /></td>
+- <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' /><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' /></td></tr>
+- <tr><td colspan='6'><hr></hr></td></tr></table></form>
++ <br><br><table border='0' width='100%'>
++ <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ></form></td>
++ <td align='right'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' ></form></td></tr>
++ <tr><td colspan='6'><hr></td></tr></table>
+ END
+ &Header::closebox();
+
+@@ -1083,20 +1100,20 @@ sub addnet
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
+ $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'};
+ print<<END;
+- <table border='0' width='100%'><form method='post' style='display:inline' >
+- <tr><td width='15%'>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <table border='0' width='100%'>
++ <tr><td width='15%'>$Lang::tr{'name'}:</td><td><form method='post'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
+ <tr><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr>
+ <tr><td>$Lang::tr{'netmask'}:</td><td><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr>
+ <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98.5%;'></td></tr>
+- <tr><td colspan='6'><br><hr></hr></td></tr><tr>
++ <tr><td colspan='6'><br><hr></td></tr><tr>
+ END
+ if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on')
+ {
+- print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgnetremark' value='$fwhostsettings{'orgnetremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'>";
++ print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgnetremark' value='$fwhostsettings{'orgnetremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'></td>";
+ }else{
+ print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>";
+ }
+- print "</form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resetnet'></td></tr></table></form>";
++ print "</form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resetnet'></form></td></tr></table>";
+ &Header::closebox();
+ }
+ sub addhost
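Review bot: The rewritten HOSTNAME row still places `$fwhostsettings{'HOSTNAME'}` straight into a single-quoted attribute, as do `IP`, `SUBNET`, `NETREMARK`, `orgname` and `orgnetremark` on the neighbouring lines, and the form is shown again with those values when `$fwhostsettings{'error'}` is `on`. Unless the values are entity-encoded before they reach this sub, which the hunk does not show, a quote character in a submitted field ends the attribute and the rest is parsed as markup. Encode once before the heredoc, e.g. `my $hostname = &Header::cleanhtml($fwhostsettings{'HOSTNAME'});`, and print the encoded copy (assuming `Header::cleanhtml` is the helper used elsewhere). The same applies to the addhost and addgrp hunks below and to the stored name and remark printed in the viewtablehost row. Separately, the `</td>` added to the update branch is not mirrored in the save branch, so the back-button form printed afterwards lands outside the cell in one case and inside it in the other.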
+@@ -1107,11 +1124,11 @@ sub addhost
+ $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};
+ $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'};
+ print<<END;
+- <table border='0' width='100%'><form method='post' style='display:inline'>
+- <tr><td>$Lang::tr{'name'}:</td><td><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
++ <table border='0' width='100%'>
++ <tr><td>$Lang::tr{'name'}:</td><td><form method='post' style='display:inline;'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr>
+ <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='17'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr>
+- <tr><td colspan='5'><hr></hr></td></tr>
++ <tr><td colspan='5'><hr></td></tr><tr>
+ END
+
+ if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on')
+@@ -1119,9 +1136,9 @@ END
+
+ print " <td colspan='4' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgremark' value='$fwhostsettings{'orgremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>";
+ }else{
+- print " <td colspan='4' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}'style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
++ print " <td colspan='4' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}' style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>";
+ }
+- print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resethost'></td></tr></table></form>";
++ print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resethost'></form></td></tr></table>";
+ &Header::closebox();
+ }
+ sub addgrp
+@@ -1147,8 +1164,8 @@ sub addgrp
+ my $rem=$fwhostsettings{'remark'};
+ if ($fwhostsettings{'update'} eq ''){
+ print<<END;
+- <table width='100%' border='0'><form method='post'>
+- <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='20'></td></tr>
++ <table width='100%' border='0'>
++ <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><form method='post'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='20'></td></tr>
+ <tr><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></td></tr>
+ <tr><td colspan='2'><br><hr></td></tr></table>
+ END
+@@ -1166,7 +1183,7 @@ END
+ <table width='100%' border='0'>
+ <tr><td width=50% valign='top'>
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='std_net' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
++ <tr><td width='1%'><input type='radio' name='grp2' value='std_net' id='DEFAULT_SRC_ADR' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'>
+ END
+ foreach my $network (sort keys %defaultNetworks)
+ {
+@@ -1186,14 +1203,14 @@ END
+ }
+ print"</select></td></tr>";
+ if (! -z $confignet){
+- print"<tr><td><input type='radio' name='grp2' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>";
++ print"<tr><td><input type='radio' name='grp2' id='CUST_SRC_NET' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>";
+ foreach my $key (sort { ncmp($customnetwork{$a}[0],$customnetwork{$b}[0]) } keys %customnetwork) {
+ print"<option>$customnetwork{$key}[0]</option>";
+ }
+ print"</select></td></tr>";
+ }
+ if (! -z $confighost){
+- print"<tr><td valign='top'><input type='radio' name='grp2' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>";
++ print"<tr><td valign='top'><input type='radio' name='grp2' id='CUST_SRC_HOST' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>";
+ foreach my $key (sort { ncmp($customhost{$a}[0],$customhost{$b}[0]) } keys %customhost) {
+ print"<option>$customhost{$key}[0]</option>";
+ }
+@@ -1204,7 +1221,7 @@ END
+ print"</td><td valign='top'><table width='100%' border='0'>";
+ #OVPN networks
+ if (! -z $configccdnet){
+- print"<td width='1%'><input type='radio' name='grp2' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>";
++ print"<td width='1%'><input type='radio' name='grp2' id='OVPN_CCD_NET' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>";
+ foreach my $key (sort { ncmp($ccdnet{$a}[0],$ccdnet{$b}[0]) } keys %ccdnet)
+ {
+ print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>";
+@@ -1224,7 +1241,7 @@ END
+ #OVPN n2n networks
+ foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost) {
+ if($ccdhost{$key}[3] eq 'net'){
+- print"<td width='1%'><input type='radio' name='grp2' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>" if ($show eq '');
++ print"<td width='1%'><input type='radio' name='grp2' id='OVPN_N2N' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
+ print"<option>$ccdhost{$key}[1]</option>";
+ }
+@@ -1233,7 +1250,7 @@ END
+ #IPsec networks
+ foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
+ if ($ipsecconf{$key}[3] eq 'net'){
+- print"<td valign='top'><input type='radio' name='grp2' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>" if ($show eq '');
++ print"<td valign='top'><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>" if ($show eq '');
+ $show='1';
+ print"<option value='$ipsecconf{$key}[1]'>$ipsecconf{$key}[1]</option>";
+ }
+@@ -1244,7 +1261,7 @@ END
+ print"<br><br><b>$Lang::tr{'fwhost attention'}:</b><br> $Lang::tr{'fwhost macwarn'}<br><hr>";
+ }
+ print"<table border='0' width='100%'>";
+- print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=$fwhostsettings{'update'} ><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td></table></form>";
++ print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='reset'></form></td></table>";
+ &Header::closebox();
+ }
+ sub addservice
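Review bot: Correcting `value'reset'` to `value='reset'` means the back button now really submits `ACTION=reset`, where before the attribute was malformed. The sibling forms in addnet and addhost use `resetnet` and `resethost`, so it is worth confirming that an ACTION branch for plain `reset` exists (the handlers are outside the hunk); if the name is meant to follow the same pattern, this value needs the matching suffix. The `update` value on the same line is now wrapped in double quotes while every other attribute uses single quotes, and it is still not entity-encoded.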
+@@ -1370,7 +1387,7 @@ sub viewtablenet
+ }else{
+ print<<END;
+ <table border='0' width='100%' cellspacing='0'>
+- <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'name'}</b></td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</b></td><td align='center'><b>$Lang::tr{'remark'}</b></td><td align='center'><b>$Lang::tr{'used'}</b></td><td></td><td width='3%'></td></tr>
+ END
+ }
+ my $count=0;
+@@ -1385,7 +1402,7 @@ END
+ print" <tr bgcolor='$color{'color20'}'>";
+ }
+ my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]);
+- print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width=15%' align='center'>".&Header::colorize($colnet)."</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>";
++ print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width='15%' align='center'>".&Header::colorize($colnet)."</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>";
+ print<<END;
+ <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='editnet'>
+@@ -1399,7 +1416,7 @@ END
+ {
+ print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delnet' /><input type='hidden' name='key' value='$customnetwork{$key}[0]' /></td></form></tr>";
+ }else{
+- print"<td></td></form></tr>";
++ print"<td></td></tr>";
+ }
+ $count++;
+ }
+@@ -1419,7 +1436,7 @@ sub viewtablehost
+ }else{
+ print<<END;
+ <table border='0' width='100%' cellspacing='0'>
+- <tr><td align='center'><b>$Lang::tr{'name'}</td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</td><td align='center'><b>$Lang::tr{'remark'}</td><td align='center'><b>$Lang::tr{'used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'name'}</b></td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</b></td><td align='center'><b>$Lang::tr{'remark'}</b></td><td align='center'><b>$Lang::tr{'used'}</b></td><td></td><td width='3%'></td></tr>
+ END
+ }
+ my $count=0;
+@@ -1430,15 +1447,15 @@ END
+ else{ print" <tr bgcolor='$color{'color20'}'>";}
+ my ($ip,$sub)=split(/\//,$customhost{$key}[2]);
+ $customhost{$key}[4]=~s/\s+//g;
+- print"<td width='20%'><form method='post'>$customhost{$key}[0]</td><td width='20%' align='center'>".&Header::colorize($ip)."</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>";
++ print"<td width='20%'>$customhost{$key}[0]</td><td width='20%' align='center'>".&Header::colorize($ip)."</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>";
+ print<<END;
+- <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
++ <td width='1%'><form method='post'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} />
+ <input type='hidden' name='ACTION' value='edithost' />
+ <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' />
+ <input type='hidden' name='IP' value='$ip' />
+ <input type='hidden' name='type' value='$customhost{$key}[1]' />
+ <input type='hidden' name='HOSTREMARK' value='$customhost{$key}[3]' />
+- </td></form>
++ </form></td>
+ END
+ if($customhost{$key}[4] == '0')
+ {
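Review bot: The moved edit button keeps `alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'}` without quotes, so a translation containing a space is cut at the first word and the remainder is parsed as extra attributes. Quote them like the other attributes: `alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}'`. The same unquoted form is on the delete buttons in the viewtablenet and viewtableservicegrp hunks. The enclosing loop continues outside the hunk.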
+@@ -1490,8 +1507,8 @@ sub viewtablegrp
+ if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost empty'};}
+ $grpname=$customgrp{$key}[0];
+ $remark="$customgrp{$key}[1]";
+- if($count >=2){print"</table>";}
+- print "<br><b><u>$grpname</u></b>    ";
++ if($count gt 2){ print"</table>";}
++ print "<br><b><u>$grpname</u></b> ";
+ print " <b>$Lang::tr{'remark'}:</b>  $remark   " if ($remark ne '');
+ print "<b>$Lang::tr{'used'}:</b> $customgrp{$key}[4]x";
+ if($customgrp{$key}[4] == '0')
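Review bot: `if($count gt 2)` swaps a numeric test for a string comparison and also moves the threshold from `>= 2` to above 2. `gt` compares character by character, so a count of 10 is not `gt 2` and the closing `</table>` is skipped once the counter reaches two digits. viewtableservicegrp still uses `if($count >=2)` for the same purpose. Unless the threshold change is intended, keep `if($count >= 2){ print"</table>"; }`; if it is intended, use the numeric `$count > 2`.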
+@@ -1548,7 +1565,7 @@ sub viewtableservice
+ &General::readhasharray("$configsrv", \%customservice);
+ print<<END;
+ <table width='100%' border='0' cellspacing='0'>
+- <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</td><td align='center'><b>$Lang::tr{'fwhost prot'}</td><td align='center'><b>$Lang::tr{'fwhost port'}</td><td align='center'><b>ICMP</td><td align='center'><b>$Lang::tr{'fwhost used'}</td><td></td><td width='3%'></td></tr>
++ <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</b></td><td align='center'><b>$Lang::tr{'fwhost prot'}</b></td><td align='center'><b>$Lang::tr{'fwhost port'}</b></td><td align='center'><b>ICMP</b></td><td align='center'><b>$Lang::tr{'fwhost used'}</b></td><td></td><td width='3%'></td></tr>
+ END
+ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice)
+ {
+@@ -1614,9 +1631,9 @@ sub viewtableservicegrp
+ }
+ $remark="$customservicegrp{$key}[1]";
+ if($count >=2){print"</table>";}
+- print "<br><b><u>$grpname</u></b>     ";
+- print "<b>$Lang::tr{'remark'}:</b>  $remark " if ($remark ne '');
+- print "  <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[3]x";
++ print "<br><b><u>$grpname</u></b> ";
++ print "<b>$Lang::tr{'remark'}:</b> $remark " if ($remark ne '');
++ print " <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[3]x";
+ if($customservicegrp{$key}[3] == '0')
+ {
+ print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>";
+@@ -1676,7 +1693,6 @@ sub checkip
+ }
+ sub checksubnet
+ {
+-
+ my %hash=%{(shift)};
+ &General::readhasharray("$confignet", \%hash);
+ foreach my $key (keys %hash) {
+--
+1.7.10.4
+
--- /dev/null
+From 3fad9ee720f66deb6ec6ab7fecf61e37b7e8fae6 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 12 Jul 2013 11:05:57 +0200
+Subject: [PATCH 288/302] Forward Firewall: set default options for optionsfw
+ and minor change on optionsfw.cgi
+
+---
+ html/cgi-bin/optionsfw.cgi | 32 ++++----------------------------
+ lfs/configroot | 2 ++
+ 2 files changed, 6 insertions(+), 28 deletions(-)
+
+diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
+index 61441e4..73a2f59 100644
+--- a/html/cgi-bin/optionsfw.cgi
++++ b/html/cgi-bin/optionsfw.cgi
+@@ -22,10 +22,6 @@ require "${General::swroot}/header.pl";
+
+
+ my %checked =(); # Checkbox manipulations
+-
+-# File used
+-my $filename = "${General::swroot}/optionsfw/settings";
+-
+ our %settings=();
+ my %fwdfwsettings=();
+ my %configfwdfw=();
+@@ -33,37 +29,18 @@ my %configoutgoingfw=();
+
+ my $configfwdfw = "${General::swroot}/forward/config";
+ my $configoutgoing = "${General::swroot}/forward/outgoing";
+-
+-$settings{'DISABLEPING'} = 'NO';
+-$settings{'DROPNEWNOTSYN'} = 'on';
+-$settings{'DROPINPUT'} = 'on';
+-$settings{'DROPFORWARD'} = 'on';
+-$settings{'DROPOUTGOING'} = 'on';
+-$settings{'DROPPORTSCAN'} = 'on';
+-$settings{'DROPWIRELESSINPUT'} = 'on';
+-$settings{'DROPWIRELESSFORWARD'} = 'on';
+-$settings{'SHOWCOLORS'} = 'off';
+-$settings{'SHOWREMARK'} = 'on';
+-$settings{'SHOWTABLES'} = 'on';
+-$settings{'SHOWDROPDOWN'} = 'off';
+-
+ my $errormessage = '';
+ my $warnmessage = '';
++my $filename = "${General::swroot}/optionsfw/settings";
+
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ &Header::showhttpheaders();
+
+ #Get GUI values
+ &Header::getcgihash(\%settings);
+-&General::readhash("${General::swroot}/optionsfw/settings", \%settings);
+-
+-
+ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
+ if ($settings{'defpol'} ne '1'){
+- $errormessage = $Lang::tr{'new optionsfw later'};
+- delete $settings{'__CGI__'};
+- delete $settings{'x'};
+- delete $settings{'y'};
++ $errormessage .= $Lang::tr{'new optionsfw later'};
+ &General::writehash($filename, \%settings); # Save good settings
+ system("/usr/local/bin/forwardfwctrl");
+ }else{
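Review bot: With the three `delete` lines removed, `&General::writehash($filename, \%settings)` now persists the hash exactly as `getcgihash` filled it. `ACTION`, `defpol`, `x`, `y`, the `__CGI__` entry and any other parameter name present in the POST therefore end up in the firewall options file. Writing only the keys this page owns keeps request data out of the file; the list below is taken from the defaults removed in this hunk and must be extended if the form has more fields. The save block continues outside the hunk.

```perl
# Persist only the options this page owns; everything else in the CGI hash is dropped.
my @option_keys = qw(DISABLEPING DROPNEWNOTSYN DROPINPUT DROPFORWARD DROPOUTGOING
                     DROPPORTSCAN DROPWIRELESSINPUT DROPWIRELESSFORWARD
                     SHOWCOLORS SHOWREMARK SHOWTABLES SHOWDROPDOWN);
my %tosave = ();
foreach my $option (@option_keys) {
    $tosave{$option} = $settings{$option} if (defined $settings{$option});
}
&General::writehash($filename, \%tosave); # Save good settings
# … unchanged: system("/usr/local/bin/forwardfwctrl") …
```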
+@@ -82,13 +59,12 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
+ &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+ system("/usr/local/bin/forwardfwctrl");
+ }
+- }else {
+- &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed
++ &General::readhash($filename, \%settings); # Load good settings
+ }
+
+ &Header::openpage($Lang::tr{'options fw'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+-
++&General::readhash($filename, \%settings);
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+ print "<font color='red'>$errormessage </font>";
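Review bot: `&General::readhash($filename, \%settings)` is now called twice on a save request: at the end of the save block and again, unconditionally, right after `openbigbox`. The second call covers every request, so the first appears redundant and can be dropped. A one-line comment on the remaining call would record why it is there, e.g. `# reload persisted options so the form shows what is on disk, not what was posted`.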
+diff --git a/lfs/configroot b/lfs/configroot
+index f5e81bb..bea1030 100644
+--- a/lfs/configroot
++++ b/lfs/configroot
+@@ -128,6 +128,8 @@ $(TARGET) :
+ echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPWIRELESSINPUT=off" >> $(CONFIG_ROOT)/optionsfw/settings
++ echo "DROPWIRELESSFORWARD=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings
+ echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings
+
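Review bot: The two new defaults are written as `off`, while the in-code defaults removed from optionsfw.cgi in the same commit set `DROPWIRELESSINPUT` and `DROPWIRELESSFORWARD` to `on`. If the flip is intentional it deserves a line in the commit message; if not, the lines should read `echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings` and likewise for `DROPWIRELESSFORWARD`. As far as this hunk shows, these lines only run when the config root is built, so a system that keeps an existing settings file gets neither key now that the CGI no longer supplies a fallback.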
+--
+1.7.10.4
+
--- /dev/null
+From 95518783dabe629a5b7de597e12f7d5a7cd709a3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 12 Jul 2013 11:40:04 +0200
+Subject: [PATCH 289/302] Forward Firewall: language fixes on last rule in
+ ruletable
+
+---
+ html/cgi-bin/forwardfw.cgi | 63 +++++++++++++++++++++++---------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index bb1126d..84f7f27 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2387,12 +2387,13 @@ END
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }else{
+ $col="bgcolor='green'";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table>";
+ print "<hr>";
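Review bot: The two branches added here pair the `darkred` row with `$Lang::tr{'fwdfw pol allow'}` and the `green` row with `$Lang::tr{'fwdfw pol block'}`, whereas the next hunk, which tests the same `$fwdfwsettings{'POLICY1'}`, pairs `darkred` with block and `green` with allow. One of the two tables therefore shows a final-rule label that contradicts its colour, which misstates the default policy to the administrator. Confirm which mapping is intended for each table and state it in a comment above the `if`, e.g. `# MODE1: final rule blocks, MODE2: final rule allows` (wording to be checked against the policy definition). `$pol` is still assigned above but, as far as the hunk shows, is no longer used in these branches.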
+@@ -2416,12 +2417,13 @@ END
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
++ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }else{
+ $col="bgcolor='green'";
++ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+- print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+ }else{
+- print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center'>$Lang::tr{'fwdfw MODE1'}</font></td></tr>";
++ print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table><br><br>";
+ }
+@@ -2435,30 +2437,31 @@ sub show_defaultrules
+ my $col=shift;
+ my $pol=shift;
+ #STANDARD RULES (From WIKI)
+- print"</table><br>";
+- print "<table width='100%' rules='cols' border='1' >";
+- if ($col eq "bgcolor='green'"){
+- my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used());
+- my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used());
+- my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used());
+- my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used());
+- print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
+- print"<td align='center'>$orange1</td>" if (&Header::orange_used());
+- print"<td align='center'>$blue1</td>" if (&Header::blue_used());
+- print"</tr>";
+- if (&Header::orange_used()){
+- print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
+- print"<td align='center'>$blue</td>" if (&Header::blue_used());
+- print"</tr>";
+- }
+- if (&Header::blue_used()){
+- print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
+- print"<td align='center'>$orange</td>" if (&Header::orange_used());
+- print"<td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
+- print"</tr>";
+- }
+- print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col colspan='3' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+- }elsif($col eq "bgcolor='darkred'"){
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{$pol}</font></td></tr>";
+- }
++ print"</table>";
++ if ($col eq "bgcolor='green'"){
++ print "<br><table width='100%' rules='cols' border='1' >";
++ my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used());
++ my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used());
++ my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used());
++ my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used());
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
++ print"<td align='center'>$orange1</td>" if (&Header::orange_used());
++ print"<td align='center'>$blue1</td>" if (&Header::blue_used());
++ print"</tr>";
++ if (&Header::orange_used()){
++ print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
++ print"<td align='center'>$blue</td>" if (&Header::blue_used());
++ print"</tr>";
++ }
++ if (&Header::blue_used()){
++ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
++ print"<td align='center'>$orange</td>" if (&Header::orange_used());
++ print"<td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
++ print"</tr>";
++ }
++ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col colspan='3' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
++ }elsif($col eq "bgcolor='darkred'"){
++ print "<table width='100%' rules='cols' border='1' >";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
++ }
+ }
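Review bot: The four declarations of the form `my $blue = "…" if (&Header::blue_used());` (also `$orange`, `$blue1`, `$orange1`) combine `my` with a statement modifier, which perlsyn documents as undefined behaviour when the condition is false. Each variable is only printed under the same condition, so the output is probably unaffected today, but a conditional expression avoids the construct: `my $blue = &Header::blue_used() ? "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" : '';`. The `darkred` branch now prints `'fwdfw pol block'` directly, so the `$pol` read by `my $pol=shift;` is unused in the visible body and deserves a comment such as `# $pol is kept for callers; no longer used here`. The opening line of show_defaultrules is outside the hunk.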
+--
+1.7.10.4
+
--- /dev/null
+From c6532535f8644312571df93afea2ba3cb39f161a Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 12 Jul 2013 13:30:14 +0200
+Subject: [PATCH 290/302] Forward Firewall: show default rule when input is
+ empty
+
+---
+ html/cgi-bin/forwardfw.cgi | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 84f7f27..1b635b8 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -64,7 +64,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.11';
++my $VERSION='0.9.9.12';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -2373,6 +2373,7 @@ END
+ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
+ print"</table>";
++ #SHOW FINAL RULE
+ print "<table width='100%'rules='cols' border='1'>";
+ my $col;
+ if ($config eq '/var/ipfire/forward/config'){
+@@ -2423,7 +2424,8 @@ END
+ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+ }else{
+- print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
++ print "<table width='100%' rules='cols' border='1'>";
++ print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center' bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table><br><br>";
+ }
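Review bot: In the rewritten row the first cell still opens `<font color='#FFFFFF'>` and ends with `</td>` without a matching `</font>`; only the second cell was corrected. Closing it, `…$Lang::tr{'fwdfw final_rule'}</font></td>`, keeps the markup balanced. The added `print "<table width='100%' rules='cols' border='1'>";` also assumes no table is open when this `else` is reached, which cannot be confirmed because the matching `if` is outside the hunk.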
+--
+1.7.10.4
+
--- /dev/null
+From f4a50f3dd995e280ac230dd5b3c287cbdfc86ee5 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 18 Jul 2013 11:53:08 +0200
+Subject: [PATCH 291/302] Forward Firewall: SOme language changes and missing
+ translations for firewall-options
+
+---
+ langs/en/cgi-bin/en.pl | 53 ++++++++----------------------------------------
+ 1 file changed, 8 insertions(+), 45 deletions(-)
+
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 21075c7..dbe001e 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -544,7 +544,7 @@
+ 'clock last synchronized at' => 'Clock was last synchronized at',
+ 'comment' => 'Description:',
+ 'common name' => 'Common name',
+-'community rules' => 'Snort/VRT GPLv2 Community Rules',
++'community rules' => 'Emergingthreats.net Community Rules',
+ 'comp-lzo' => 'LZO-Compression:',
+ 'compression' => 'Compression:',
+ 'computer to modem rate' => 'Computer to modem rate:',
+@@ -736,13 +736,6 @@
+ 'dns saved txt' => 'The two entered DNS server addresses have been saved successfully.<br />You have to reboot or reconnect that the changes have effect!',
+ 'dns server' => 'DNS Server',
+ 'dns title' => 'Domain Name System',
+-'dnsforward' => 'DNS forwarding',
+-'dnsforward add a new entry' => 'Add a new entry:',
+-'dnsforward configuration' => 'DNS forward configuration',
+-'dnsforward edit an entry' => 'Edit an existing entry:',
+-'dnsforward entries' => 'Current entries:',
+-'dnsforward forward_server' => 'Nameserver',
+-'dnsforward zone' => 'Zone',
+ 'do not log this port list' => 'Drop this port list just before they are logged (reduces log size)',
+ 'dod' => 'Dial on Demand',
+ 'dod for dns' => 'Dial on Demand for DNS:',
+@@ -773,14 +766,15 @@
+ 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+ 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
+ 'drop action2' => 'Default behaviour of (input) firewall',
+-'drop input' => 'Log dropped input pakets',
+-'drop newnotsyn' => 'Log dropped new not syn pakets',
+-'drop forward' => 'Log dropped forward pakets',
+-'drop portscan' => 'Log dropped portscan pakets',
++'drop input' => 'Log dropped input packets',
++'drop newnotsyn' => 'Log dropped new not syn packets',
++'drop forward' => 'Log dropped forward packets',
++'drop outgoing' => 'Log dropped outgoing packets',
++'drop portscan' => 'Log dropped portscan packets',
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+ 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+-'drop wirelessforward' => 'Log dropped wireless forward pakets',
+-'drop wirelessinput' => 'Log dropped wireless input pakets',
++'drop wirelessforward' => 'Log dropped wireless forward packets',
++'drop wirelessinput' => 'Log dropped wireless input packets',
+ 'dst port' => 'Dst Port',
+ 'dstprt range overlaps' => 'Destination port range overlaps an already defined port.',
+ 'dstprt within existing' => 'Destination port is within an already defined port range.',
+@@ -810,7 +804,6 @@
+ 'eg' => 'e.g.:',
+ 'email server can not be empty' => 'E-mail server can not be empty',
+ 'emailreportlevel' => 'E-mailreportlevel',
+-'emerging rules' => 'Emergingthreats.net Community Rules',
+ 'empty' => 'This field may be left blank',
+ 'empty profile' => 'empty',
+ 'enable ignore filter' => 'Enable ignore filter',
+@@ -2426,36 +2419,6 @@
+ 'wireless config added' => 'Wireless config added',
+ 'wireless config changed' => 'Wireless config changed',
+ 'wireless configuration' => 'Wireless Configuration',
+-'wlan client' => 'Wireless client',
+-'wlan client advanced settings' => 'Advanced settings',
+-'wlan client and' => 'and',
+-'wlan client bssid' => 'BSSID',
+-'wlan client ccmp' => 'CCMP',
+-'wlan client configuration' => 'Wireless Client Configuration',
+-'wlan client disconnected' => 'Disconnected',
+-'wlan client duplicate ssid' => 'Duplicate SSID',
+-'wlan client edit entry' => 'Edit wireless client configuration',
+-'wlan client encryption' => 'Encryption',
+-'wlan client encryption none' => 'None',
+-'wlan client encryption wep' => 'WEP',
+-'wlan client encryption wpa' => 'WPA',
+-'wlan client encryption wpa2' => 'WPA2',
+-'wlan client group cipher' => 'Group cipher',
+-'wlan client group key algorithm' => 'GKA',
+-'wlan client invalid key length' => 'Invalid key length.',
+-'wlan client new entry' => 'Create new wireless client configuration',
+-'wlan client new network' => 'New network',
+-'wlan client pairwise cipher' => 'Pairwise cipher',
+-'wlan client pairwise key algorithm' => 'PKA',
+-'wlan client pairwise key group key' => 'Pairwise key/group key',
+-'wlan client psk' => 'Pre-shared key',
+-'wlan client ssid' => 'SSID',
+-'wlan client tkip' => 'TKIP',
+-'wlan client wpa mode' => 'WPA mode',
+-'wlan client wpa mode all' => 'Auto',
+-'wlan client wpa mode ccmp ccmp' => 'CCMP-CCMP',
+-'wlan client wpa mode ccmp tkip' => 'CCMP-TKIP',
+-'wlan client wpa mode tkip tkip' => 'TKIP-TKIP',
+ 'wlanap access point' => 'Access Point',
+ 'wlanap channel' => 'Channel',
+ 'wlanap debugging' => 'Debugging',
+--
+1.7.10.4
+
--- /dev/null
+From 59277ea84a5eca662b0d0617a4f985e14d57e2d3 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 18 Jul 2013 13:15:10 +0200
+Subject: [PATCH 292/302] Forward Firewall: renamed IPFire to Firewall in SNAT
+ area
+
+---
+ html/cgi-bin/forwardfw.cgi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 1b635b8..78ef4c3 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -1677,7 +1677,7 @@ END
+ <tr><td width='1%'><input type='checkbox' name='USE_NAT' id='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
+ <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='dnat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
+ END
+- print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
++ print"<td width='8%'>Firewall: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+ print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+ foreach my $alias (sort keys %aliases)
+@@ -1690,7 +1690,7 @@ END
+ print"<tr><td colspan='8'><br></td></tr>";
+ #SNAT
+ print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='snat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
+- print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
++ print"<td width='8%'>Firewall: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
+ foreach my $alias (sort keys %aliases)
+ {
+ print "<option value='$alias' $selected{'snat'}{$alias}>$alias</option>";
+--
+1.7.10.4
+
--- /dev/null
+From 15ca1c35194f3f0978e9b664241310ac8da29076 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 24 Jul 2013 08:06:24 +0200
+Subject: [PATCH 293/302] Forward FIrewall: BUGFIX: when setting outgoing to
+ blocked and creating a rule, the last rule changes
+ to "accept"
+
+---
+ html/cgi-bin/forwardfw.cgi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 78ef4c3..f516e8d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -2385,15 +2385,15 @@ END
+ }
+ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+- my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }else{
+ $col="bgcolor='green'";
+- print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col><font color='#FFFFFF' align='center'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
++ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+ }else{
++ print"uzlputz daneben";
+ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table>";
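Review bot: The added `print"uzlputz daneben";` in the final `else` branch looks like leftover debugging output. It writes stray text between the table rows whenever `$config` matches neither path, and it is unrelated to the label fix the subject describes, so the line should be dropped. Because the bug here was a swapped pairing of policy and label on a firewall status page, a comment above the `if` such as `# MODE1 = final rule "blocked"; any other value = "allowed"` would make the intended mapping checkable. The enclosing block starts and ends outside the hunk.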
+--
+1.7.10.4
+
--- /dev/null
+From 1ff573ee861ee473701c84fc021c36ef34d3dae0 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 25 Jul 2013 07:33:20 +0200
+Subject: [PATCH 294/302] Forward FIrewall: Bugfix: When using predefined
+ services in rulecreation, the rule was not applied.
+ Bugfix: when in rulecreationpage and pressing
+ "back" the site gets white.
+
+---
+ config/forwardfw/rules.pl | 4 ++--
+ html/cgi-bin/forwardfw.cgi | 3 +--
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index 68cb640..a45cb64 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -575,7 +575,7 @@ sub get_port
+ return "--dport $$hash{$key}[15] ";
+ }else{
+ $$hash{$key}[15] =~ s/\:/-/g;
+- return ":$$hash{$key}[15]";
++ return ":$$hash{$key}[15]";
+ }
+ }
+ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
+@@ -585,7 +585,7 @@ sub get_port
+ }
+ }elsif($$hash{$key}[14] eq 'cust_srv'){
+ if ($prot ne 'ICMP'){
+- if($$hash{$key}[31] eq 'dnat'){
++ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
+ return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ }else{
+ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index f516e8d..61d02b7 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -378,7 +378,7 @@ if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+ $fwdfwsettings{'copyfwrule'}='on';
+ &newrule;
+ }
+-if ($fwdfwsettings{'ACTION'} eq '')
++if ($fwdfwsettings{'ACTION'} eq '' or $fwdfwsettings{'ACTION'} eq 'reset')
+ {
+ &base;
+ }
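Review bot: Adding `or $fwdfwsettings{'ACTION'} eq 'reset'` handles the one value known to fall through, but any other ACTION string that none of the `if` blocks matches would still produce the blank page this commit fixes. ACTION presumably arrives with the submitted form, so a final catch-all that calls `&base` for unrecognised values would be more robust than listing values one by one. The rest of the dispatch chain is outside the hunk, so confirm no branch already does this. At minimum a comment like `# 'reset' is sent by the Back button of the rule editor` would document why the value is listed.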
+@@ -2393,7 +2393,6 @@ END
+ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+ }else{
+- print"uzlputz daneben";
+ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table>";
+--
+1.7.10.4
+
--- /dev/null
+From 7f93c2cd027f7031d49fa9fd74f0713c180fbe47 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Thu, 25 Jul 2013 10:36:36 +0200
+Subject: [PATCH 295/302] Forward Firewall: Bugfix: ICMP rules where applied
+ double
+
+---
+ config/forwardfw/rules.pl | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
+index a45cb64..f8d6fdc 100755
+--- a/config/forwardfw/rules.pl
++++ b/config/forwardfw/rules.pl
+@@ -297,7 +297,9 @@ sub buildrules
+ if ($$hash{$key}[17] eq 'ON'){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ if ($PROT ne '-p ICMP'){
++ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ }
+ }
+ }
+ }
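Review bot: The new guard `if ($PROT ne '-p ICMP'){` skips the generic rule for every ICMP rule, while the per-type branch shown in the next hunk only runs when `substr($DPORT, 2, 4) eq 'icmp'`. If a rule can have protocol ICMP without an icmp-type match in `$DPORT` (the 'All ICMP-Types' case in get_port suggests so, though that path is not fully visible), neither branch emits it and the rule is silently missing from the ruleset. Keying the guard on the same test, `if (substr($DPORT, 2, 4) ne 'icmp'){`, would avoid both the duplicate and the gap. The same applies to the `system` twin in the last hunk of this file; buildrules starts and ends outside the hunk.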
+@@ -314,6 +316,7 @@ sub buildrules
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
++ #Process ICMP RULE
+ if(substr($DPORT, 2, 4) eq 'icmp'){
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+@@ -322,6 +325,7 @@ sub buildrules
+ }
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ }
++ #PROCESS DNAT RULE (Portforward)
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
+ if ($$hash{$key}[17] eq 'ON'){
+@@ -342,6 +346,7 @@ sub buildrules
+ }
+ system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
++ #PROCESS SNAT RULE
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ $natchain='NAT_SOURCE';
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+@@ -349,7 +354,10 @@ sub buildrules
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
++ if ($PROT ne '-p ICMP'){
++ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
++ }
+ }
+ }
+ }
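Review bot: The `system "iptables -A $$hash{$key}[1] … -j $$hash{$key}[0]\n";` call moved inside the new `if` is still one interpolated string, so a shell parses every field taken from the rule hash, and its exit status is ignored. Whether those fields are validated before they are stored is not visible in this hunk; if any of them can carry shell metacharacters, they would be interpreted with the privileges of this script. Building the command as a list, for instance `system('iptables', '-A', $chain, @match, '-j', $target)` (names illustrative), avoids the shell, and testing the result with `== 0` would report a rule that failed to load instead of leaving the ruleset silently incomplete. The other `system` calls visible in this file's hunks follow the same pattern; buildrules starts and ends outside the hunk.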
+--
+1.7.10.4
+
--- /dev/null
+From 88337a329bbe1de177128a25afbe499413b9df42 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Tue, 30 Jul 2013 12:32:25 +0200
+Subject: [PATCH 296/302] Forward Firewall: changed rule coloring. Now whole
+ field is colored instead of just borders. Back
+ Button in firewall groups /hostgroups showed a
+ white site
+
+---
+ html/cgi-bin/forwardfw.cgi | 36 ++++++++++++++++++------------------
+ html/cgi-bin/fwhosts.cgi | 8 +++++++-
+ 2 files changed, 25 insertions(+), 19 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 61d02b7..6e4c186 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -64,7 +64,7 @@ my %aliases=();
+ my %optionsfw=();
+ my %ifaces=();
+
+-my $VERSION='0.9.9.12';
++my $VERSION='0.9.9.13';
+ my $color;
+ my $confignet = "${General::swroot}/fwhosts/customnetworks";
+ my $confighost = "${General::swroot}/fwhosts/customhosts";
+@@ -1250,36 +1250,36 @@ sub getcolor
+ if($optionsfw{'SHOWCOLORS'} eq 'on'){
+ #standard networks
+ if ($val eq 'GREEN'){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ $tdcolor="style='background-color: $Header::colourgreen;color:white;'";
+ return;
+ }elsif ($val eq 'ORANGE'){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ $tdcolor="style='background-color: $Header::colourorange;color:white;'";
+ return;
+ }elsif ($val eq 'BLUE'){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ $tdcolor="style='background-color: $Header::colourblue;color:white;'";
+ return;
+ }elsif ($val eq 'RED' ||$val eq 'RED1' ){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
++ $tdcolor="style='background-color: $Header::colourred;color:white;'";
+ return;
+ }elsif ($val eq 'IPFire' ){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
++ $tdcolor="style='background-color: $Header::colourred;color:white;'";
+ return;
+ }elsif($val =~ /^(.*?)\/(.*?)$/){
+ my ($sip,$scidr) = split ("/",$val);
+ if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourorange;'";
++ $tdcolor="style='background-color: $Header::colourorange;color:white;'";
+ return;
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourgreen;'";
++ $tdcolor="style='background-color: $Header::colourgreen;color:white;'";
+ return;
+ }
+ if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
+- $tdcolor="style='border: 1px solid $Header::colourblue;'";
++ $tdcolor="style='background-color: $Header::colourblue;color:white;'";
+ return;
+ }
+ }elsif ($val eq 'Default IP'){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
++ $tdcolor="style='background-color: $Header::colourred;color:white;'";
+ return;
+ }
+ #Check if a manual IP is part of a VPN
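Review bot: The same attribute string `style='background-color: …;color:white;'` is now written out in every branch of getcolor across the hunks of this file, differing only in the colour variable; the alias branch in the last hunk also drops the space after `background-color:`. A small private helper, e.g. `sub cellstyle { return "style='background-color: $_[0];color:white;'"; }` called as `$tdcolor=&cellstyle($Header::colourgreen);`, would reduce a later restyle to one line. getcolor starts and ends outside the hunk.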
+@@ -1288,7 +1288,7 @@ sub getcolor
+ my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
+ my ($c,$d) = split("/",$val);
+ if (&General::IpInSubnet($c,$a,$b)){
+- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ $tdcolor="style='background-color: $Header::colourovpn;color:white;'";
+ return;
+ }
+ #Check if IP is part of OpenVPN static subnet
+@@ -1296,7 +1296,7 @@ sub getcolor
+ my ($a,$b) = split("/",$ccdnet{$key}[1]);
+ $b =&General::iporsubtodec($b);
+ if (&General::IpInSubnet($c,$a,$b)){
+- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ $tdcolor="style='background-color: $Header::colourovpn;color:white;'";
+ return;
+ }
+ }
+@@ -1305,7 +1305,7 @@ sub getcolor
+ if ($ccdhost{$key}[3] eq 'net'){
+ my ($a,$b) = split("/",$ccdhost{$key}[11]);
+ if (&General::IpInSubnet($c,$a,$b)){
+- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ $tdcolor="style='background-color: $Header::colourovpn;color:white;'";
+ return;
+ }
+ }
+@@ -1315,7 +1315,7 @@ sub getcolor
+ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'});
+ $b=&General::iporsubtodec($b);
+ if (&General::IpInSubnet($c,$a,$b)){
+- $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ $tdcolor="style='background-color: $Header::colourvpn;color:white;'";
+ return;
+ }
+ }
+@@ -1323,18 +1323,18 @@ sub getcolor
+ foreach my $key (sort keys %ipsecconf){
+ my ($a,$b) = split("/",$ipsecconf{$key}[11]);
+ if (&General::IpInSubnet($c,$a,$b)){
+- $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ $tdcolor="style='background-color: $Header::colourvpn;color:white;'";
+ return;
+ }
+ }
+ }
+ #VPN networks
+ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
++ $tdcolor="style='background-color: $Header::colourovpn;color:white;'";
+ return;
+ }
+ if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
+- $tdcolor="style='border: 1px solid $Header::colourvpn;'";
++ $tdcolor="style='background-color: $Header::colourvpn;color:white;'";
+ return;
+ }
+ #custom Hosts
+@@ -1349,7 +1349,7 @@ sub getcolor
+ foreach my $alias (sort keys %aliases)
+ {
+ if ($val eq $alias){
+- $tdcolor="style='border: 1px solid $Header::colourred;'";
++ $tdcolor="style='background-color:$Header::colourred;color:white;'";
+ return;
+ }
+ }
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index d7a519a..065d195 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -846,6 +846,12 @@ if ($fwhostsettings{'ACTION'} eq 'resethost')
+ $fwhostsettings{'type'} ="";
+ &showmenu;
+ }
++if ($fwhostsettings{'ACTION'} eq 'resetgrp')
++{
++ $fwhostsettings{'grp_name'} ="";
++ $fwhostsettings{'remark'} ="";
++ &showmenu;
++}
+ # delete
+ if ($fwhostsettings{'ACTION'} eq 'delnet')
+ {
+@@ -1261,7 +1267,7 @@ END
+ print"<br><br><b>$Lang::tr{'fwhost attention'}:</b><br> $Lang::tr{'fwhost macwarn'}<br><hr>";
+ }
+ print"<table border='0' width='100%'>";
+- print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='reset'></form></td></table>";
++ print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='resetgrp'></form></td></table>";
+ &Header::closebox();
+ }
+ sub addservice
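Review bot: The rewritten `print` still interpolates `$fwhostsettings{'oldremark'}` and `$fwhostsettings{'update'}` into `value='…'` and `value=\"…\"` attributes without HTML-escaping. If these values come from the submitted form unchanged (the code that fills %fwhostsettings is outside the hunk), a quote character in a remark ends the attribute and the rest is parsed as markup. Escaping before output, for example `my $oldremark = &Header::cleanhtml($fwhostsettings{'oldremark'},"y");`, closes this, provided the escaping covers the quote character each attribute uses. The `value='$fwdfwsettings{'src_addr'}'` and `tgt_addr` inputs touched by the next patch in forwardfw.cgi follow the same pattern.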
+--
+1.7.10.4
+
--- /dev/null
+From 844c114a87adf87deb47d847fa51d2eab55bbcdc Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Wed, 31 Jul 2013 08:28:29 +0200
+Subject: [PATCH 297/302] Forward Firewall: Network addresses are now allowed
+ as source and the ip addressfield has now size 18.
+
+---
+ html/cgi-bin/forwardfw.cgi | 14 +++++---------
+ langs/de/cgi-bin/de.pl | 1 -
+ langs/en/cgi-bin/en.pl | 1 -
+ 3 files changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
+index 6e4c186..2edbb6d 100755
+--- a/html/cgi-bin/forwardfw.cgi
++++ b/html/cgi-bin/forwardfw.cgi
+@@ -433,7 +433,9 @@ sub checksource
+ }
+
+ if ($fwdfwsettings{'isip'} ne 'on'){
+- if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
++ if (&General::validmac($fwdfwsettings{'src_addr'})){
++ $fwdfwsettings{'ismac'}='on';
++ }
+ }
+ if ($fwdfwsettings{'isip'} eq 'on'){
+ ##check if ip is valid
+@@ -445,12 +447,6 @@ sub checksource
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+ #check if net or broadcast
+- my @tmp= split (/\./,$ip);
+- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+- {
+- $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+- return $errormessage;
+- }
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
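Review bot: The context comment `#check if net or broadcast` is left in place above code that no longer performs that check, which will mislead the next reader of checksource. It should be reworded to something like `#network addresses are allowed as source; validity is checked by validipandmask below`. The commit also deletes the `'fwhost err hostip'` string from both language files; confirm that no other CGI still emits that key (the prefix suggests fwhosts.cgi), otherwise its validation error would print as empty text. checksource starts and ends outside the hunk.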
+@@ -1535,7 +1531,7 @@ sub newrule
+ #------SOURCE-------------------------------------------------------
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='17' ></td><td width='1%'><input type='radio' name='grp1' id='ipfire_src' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='18' ></td><td width='1%'><input type='radio' name='grp1' id='ipfire_src' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire_src' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire_src'}{'ALL'}>$Lang::tr{'all'}</option>";
+@@ -1593,7 +1589,7 @@ END
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'});
+ print<<END;
+ <table width='100%' border='0'>
+- <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='17'><td width='1%'><input type='radio' name='grp2' id='ipfire' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
++ <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='18'><td width='1%'><input type='radio' name='grp2' id='ipfire' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td>
+ END
+ print"<td align='right'><select name='ipfire' style='width:200px;'>";
+ print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>";
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index abf2736..620ad49 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1005,7 +1005,6 @@
+ 'fwhost err net' => 'Netzwerk IP Adresse existiert bereits',
+ 'fwhost err mac' => 'MAC Adresse ungültig',
+ 'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits',
+-'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt',
+ 'fwhost err hostorip' => 'Name oder IP Adresse ungültig',
+ 'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet',
+ 'fwhost err isccdipnet' => 'Diese IP Adresse wird bereits für einen Openvpn Netzwerk verwendet',
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index dbe001e..1a05542 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -1023,7 +1023,6 @@
+ 'fwhost err net' => 'Network IP address already exists',
+ 'fwhost err mac' => 'MAC address invalid',
+ 'fwhost err hostexist' => 'A host with this name already exists',
+-'fwhost err hostip' => 'Network or broadcast addresses not allowed',
+ 'fwhost err hostorip' => 'Name or IP address invalid',
+ 'fwhost err isccdhost' => 'This name is already used by an OpenVPN client',
+ 'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network',
+--
+1.7.10.4
+
--- /dev/null
+From 23cd8f9b5746e28d7794cc776cb64081344f3d98 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 31 Jul 2013 14:31:18 +0200
+Subject: [PATCH 298/302] firewall: Add TOR chains.
+
+---
+ src/initscripts/init.d/firewall | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 12d8817..fc49da4 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -158,6 +158,10 @@ iptables_init() {
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
+ /sbin/iptables -N WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
++
++ # TOR
++ /sbin/iptables -N TOR_INPUT
++ /sbin/iptables -A INPUT -j TOR_INPUT
+
+ # Jump into the actual firewall ruleset.
+ /sbin/iptables -N INPUTFW
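Review bot: The new `/sbin/iptables -A INPUT -j TOR_INPUT` jump sits ahead of `INPUTFW` and, unlike the `WIRELESSINPUT` jump just above it, has no `-m conntrack --ctstate NEW` match. Any rule later placed in TOR_INPUT is therefore evaluated for every packet that reaches this point in INPUT, before the administrator's own input rules, and an ACCEPT there would take precedence over them. If that ordering is intended, the `# TOR` comment should say so and name what populates the chain, for example `# TOR: filled by <tor initscript>; runs before INPUTFW, keep rules limited to the relay ports`. The subject says "chains", but only an INPUT-side chain is created in this hunk. iptables_init() begins and ends outside the hunk, so the rules before the first context line are not visible from here.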
+--
+1.7.10.4
+
--- /dev/null
+From 0d35689c82e7953fd4ed41814f8f7d217ba06ce9 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 31 Jul 2013 15:47:25 +0200
+Subject: [PATCH 299/302] firewall: Language updates (English and German).
+
+---
+ doc/language_issues.de | 81 +++++
+ doc/language_issues.en | 120 ++++++++
+ doc/language_issues.es | 196 ++++++++++++-
+ doc/language_issues.fr | 196 +++++++++++++
+ doc/language_issues.nl | 196 +++++++++++++
+ doc/language_issues.pl | 196 ++++++++++++-
+ doc/language_issues.ru | 196 +++++++++++++
+ doc/language_issues.tr | 196 +++++++++++++
+ doc/language_missings | 766 +++++++++++++++++++++++++++++++++++++++++++++++-
+ langs/de/cgi-bin/de.pl | 331 ++++++++++-----------
+ langs/en/cgi-bin/en.pl | 330 ++++++++++-----------
+ 11 files changed, 2464 insertions(+), 340 deletions(-)
+
+diff --git a/doc/language_issues.de b/doc/language_issues.de
+index 3b6e117..5048c67 100644
+--- a/doc/language_issues.de
++++ b/doc/language_issues.de
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -45,6 +47,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: apply
+ WARNING: translation string unused: archive not exist
+@@ -68,6 +71,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: ccd err iroute
+ WARNING: translation string unused: ccd err netadr
+@@ -109,6 +113,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -119,10 +128,16 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: driver
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -149,6 +164,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -158,6 +174,10 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forward firewall
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -166,6 +186,38 @@ WARNING: translation string unused: from email pw
+ WARNING: translation string unused: from email server
+ WARNING: translation string unused: from email user
+ WARNING: translation string unused: from warn email bad
++WARNING: translation string unused: fwdfw ACCEPT
++WARNING: translation string unused: fwdfw DROP
++WARNING: translation string unused: fwdfw MODE1
++WARNING: translation string unused: fwdfw MODE2
++WARNING: translation string unused: fwdfw REJECT
++WARNING: translation string unused: fwdfw addr grp
++WARNING: translation string unused: fwdfw cust addr
++WARNING: translation string unused: fwdfw cust net
++WARNING: translation string unused: fwdfw err srcovpn
++WARNING: translation string unused: fwdfw err srcport
++WARNING: translation string unused: fwdfw err tgt_port
++WARNING: translation string unused: fwdfw err tgtovpn
++WARNING: translation string unused: fwdfw err tgtport
++WARNING: translation string unused: fwdfw from
++WARNING: translation string unused: fwdfw ipsec network
++WARNING: translation string unused: fwdfw natport used
++WARNING: translation string unused: fwdfw rules
++WARNING: translation string unused: fwdfw std network
++WARNING: translation string unused: fwdfw till
++WARNING: translation string unused: fwdfw time
++WARNING: translation string unused: fwhost addrule
++WARNING: translation string unused: fwhost blue
++WARNING: translation string unused: fwhost changeremark
++WARNING: translation string unused: fwhost err addrgrp
++WARNING: translation string unused: fwhost err hostorip
++WARNING: translation string unused: fwhost err mac
++WARNING: translation string unused: fwhost green
++WARNING: translation string unused: fwhost ipadr
++WARNING: translation string unused: fwhost ipsec host
++WARNING: translation string unused: fwhost orange
++WARNING: translation string unused: fwhost reset
++WARNING: translation string unused: fwhost wo subnet
+ WARNING: translation string unused: gen static key
+ WARNING: translation string unused: generate
+ WARNING: translation string unused: genkey
+@@ -220,6 +272,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -245,6 +298,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -261,6 +315,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -286,6 +341,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: openvpn disabled
+ WARNING: translation string unused: openvpn enabled
+ WARNING: translation string unused: optional data
+@@ -296,7 +352,16 @@ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: our donors
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -327,6 +392,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -353,7 +420,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -369,15 +438,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -472,13 +549,17 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+ WARNING: untranslated string: Scan for Songs
++WARNING: untranslated string: advproxy cache-digest
+ WARNING: untranslated string: bytes
+ WARNING: untranslated string: community rules
+ WARNING: untranslated string: emerging rules
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost macwarn
+ WARNING: untranslated string: new
+ WARNING: untranslated string: outgoing firewall reserved groupname
+ WARNING: untranslated string: qos add subclass
+diff --git a/doc/language_issues.en b/doc/language_issues.en
+index 8f530a3..44b8d0a 100644
+--- a/doc/language_issues.en
++++ b/doc/language_issues.en
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: ccd err iroute
+ WARNING: translation string unused: ccd err netadr
+@@ -129,6 +133,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -141,11 +150,17 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -172,6 +187,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -181,6 +197,10 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forward firewall
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -189,6 +209,38 @@ WARNING: translation string unused: from email pw
+ WARNING: translation string unused: from email server
+ WARNING: translation string unused: from email user
+ WARNING: translation string unused: from warn email bad
++WARNING: translation string unused: fwdfw ACCEPT
++WARNING: translation string unused: fwdfw DROP
++WARNING: translation string unused: fwdfw MODE1
++WARNING: translation string unused: fwdfw MODE2
++WARNING: translation string unused: fwdfw REJECT
++WARNING: translation string unused: fwdfw addr grp
++WARNING: translation string unused: fwdfw cust addr
++WARNING: translation string unused: fwdfw cust net
++WARNING: translation string unused: fwdfw err srcovpn
++WARNING: translation string unused: fwdfw err srcport
++WARNING: translation string unused: fwdfw err tgt_port
++WARNING: translation string unused: fwdfw err tgtovpn
++WARNING: translation string unused: fwdfw err tgtport
++WARNING: translation string unused: fwdfw from
++WARNING: translation string unused: fwdfw ipsec network
++WARNING: translation string unused: fwdfw natport used
++WARNING: translation string unused: fwdfw rules
++WARNING: translation string unused: fwdfw std network
++WARNING: translation string unused: fwdfw till
++WARNING: translation string unused: fwdfw time
++WARNING: translation string unused: fwhost addrule
++WARNING: translation string unused: fwhost blue
++WARNING: translation string unused: fwhost changeremark
++WARNING: translation string unused: fwhost err addrgrp
++WARNING: translation string unused: fwhost err hostorip
++WARNING: translation string unused: fwhost err mac
++WARNING: translation string unused: fwhost green
++WARNING: translation string unused: fwhost ipadr
++WARNING: translation string unused: fwhost ipsec host
++WARNING: translation string unused: fwhost orange
++WARNING: translation string unused: fwhost reset
++WARNING: translation string unused: fwhost wo subnet
+ WARNING: translation string unused: g.dtm
+ WARNING: translation string unused: g.lite
+ WARNING: translation string unused: gen static key
+@@ -246,6 +298,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -271,6 +324,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -287,6 +341,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -313,6 +368,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: openvpn disabled
+ WARNING: translation string unused: openvpn enabled
+ WARNING: translation string unused: optional data
+@@ -323,7 +379,16 @@ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: our donors
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -354,6 +419,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -381,7 +448,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -400,15 +469,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -505,14 +582,57 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+ WARNING: untranslated string: Scan for Songs
++WARNING: untranslated string: advproxy cache-digest
+ WARNING: untranslated string: bytes
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: emerging rules
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost macwarn
+ WARNING: untranslated string: new
+ WARNING: untranslated string: outgoing firewall reserved groupname
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+ WARNING: untranslated string: routing table
++WARNING: untranslated string: wlan client
++WARNING: untranslated string: wlan client advanced settings
++WARNING: untranslated string: wlan client and
++WARNING: untranslated string: wlan client bssid
++WARNING: untranslated string: wlan client ccmp
++WARNING: untranslated string: wlan client configuration
++WARNING: untranslated string: wlan client disconnected
++WARNING: untranslated string: wlan client duplicate ssid
++WARNING: untranslated string: wlan client edit entry
++WARNING: untranslated string: wlan client encryption
++WARNING: untranslated string: wlan client encryption none
++WARNING: untranslated string: wlan client encryption wep
++WARNING: untranslated string: wlan client encryption wpa
++WARNING: untranslated string: wlan client encryption wpa2
++WARNING: untranslated string: wlan client group cipher
++WARNING: untranslated string: wlan client group key algorithm
++WARNING: untranslated string: wlan client invalid key length
++WARNING: untranslated string: wlan client new entry
++WARNING: untranslated string: wlan client new network
++WARNING: untranslated string: wlan client pairwise cipher
++WARNING: untranslated string: wlan client pairwise key algorithm
++WARNING: untranslated string: wlan client pairwise key group key
++WARNING: untranslated string: wlan client psk
++WARNING: untranslated string: wlan client ssid
++WARNING: untranslated string: wlan client tkip
++WARNING: untranslated string: wlan client wpa mode
++WARNING: untranslated string: wlan client wpa mode all
++WARNING: untranslated string: wlan client wpa mode ccmp ccmp
++WARNING: untranslated string: wlan client wpa mode ccmp tkip
++WARNING: untranslated string: wlan client wpa mode tkip tkip
++WARNING: untranslated string: wlanap country
+diff --git a/doc/language_issues.es b/doc/language_issues.es
+index 2258d1b..234b901 100644
+--- a/doc/language_issues.es
++++ b/doc/language_issues.es
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: cfg restart
+ WARNING: translation string unused: check for net traffic update
+@@ -127,6 +131,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -170,6 +186,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: optional data
+ WARNING: translation string unused: optionsfw portlist hint
+ WARNING: translation string unused: optionsfw warning
+@@ -318,8 +342,14 @@ WARNING: translation string unused: or
+ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+ WARNING: translation string unused: outgoing firewall p2p description
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -377,7 +409,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+@@ -549,6 +592,18 @@ WARNING: untranslated string: ccd routes
+ WARNING: untranslated string: ccd subnet
+ WARNING: untranslated string: ccd used
+ WARNING: untranslated string: deprecated fs warn
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
+ WARNING: untranslated string: emerging rules
+ WARNING: untranslated string: fireinfo ipfire version
+ WARNING: untranslated string: fireinfo is disabled
+@@ -567,6 +622,143 @@ WARNING: untranslated string: fireinfo why descr2
+ WARNING: untranslated string: fireinfo why enable
+ WARNING: untranslated string: fireinfo why read more
+ WARNING: untranslated string: fireinfo your profile id
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: minute
+ WARNING: untranslated string: new
+ WARNING: untranslated string: openvpn default
+@@ -588,9 +780,6 @@ WARNING: untranslated string: outgoing firewall ip groups
+ WARNING: untranslated string: outgoing firewall mac groups
+ WARNING: untranslated string: outgoing firewall p2p allow
+ WARNING: untranslated string: outgoing firewall p2p deny
+-WARNING: untranslated string: outgoing firewall p2p description 1
+-WARNING: untranslated string: outgoing firewall p2p description 2
+-WARNING: untranslated string: outgoing firewall p2p description 3
+ WARNING: untranslated string: outgoing firewall reserved groupname
+ WARNING: untranslated string: outgoing firewall view group
+ WARNING: untranslated string: ovpn errmsg green already pushed
+@@ -611,6 +800,7 @@ WARNING: untranslated string: proxy reports monthly
+ WARNING: untranslated string: proxy reports today
+ WARNING: untranslated string: proxy reports weekly
+ WARNING: untranslated string: qos enter bandwidths
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_issues.fr b/doc/language_issues.fr
+index 58f4454..0e55728 100644
+--- a/doc/language_issues.fr
++++ b/doc/language_issues.fr
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: cfg restart
+ WARNING: translation string unused: check for net traffic update
+@@ -127,6 +131,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -170,6 +186,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: optional data
+ WARNING: translation string unused: optionsfw portlist hint
+ WARNING: translation string unused: optionsfw warning
+@@ -318,7 +342,16 @@ WARNING: translation string unused: or
+ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -349,6 +382,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -376,7 +411,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -395,15 +432,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -498,6 +543,7 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+@@ -549,6 +595,18 @@ WARNING: untranslated string: ccd subnet
+ WARNING: untranslated string: ccd used
+ WARNING: untranslated string: deprecated fs warn
+ WARNING: untranslated string: dns address deleted txt
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
+ WARNING: untranslated string: emerging rules
+ WARNING: untranslated string: fireinfo ipfire version
+ WARNING: untranslated string: fireinfo is disabled
+@@ -567,6 +625,143 @@ WARNING: untranslated string: fireinfo why descr2
+ WARNING: untranslated string: fireinfo why enable
+ WARNING: untranslated string: fireinfo why read more
+ WARNING: untranslated string: fireinfo your profile id
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: minute
+ WARNING: untranslated string: new
+ WARNING: untranslated string: ntp common settings
+@@ -595,6 +790,7 @@ WARNING: untranslated string: proxy reports monthly
+ WARNING: untranslated string: proxy reports today
+ WARNING: untranslated string: proxy reports weekly
+ WARNING: untranslated string: qos enter bandwidths
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_issues.nl b/doc/language_issues.nl
+index d7a7ff7..e67b7fd 100644
+--- a/doc/language_issues.nl
++++ b/doc/language_issues.nl
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: ccd err iroute
+ WARNING: translation string unused: ccd err netadr
+@@ -129,6 +133,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -172,6 +188,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -313,6 +336,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: openvpn disabled
+ WARNING: translation string unused: openvpn enabled
+ WARNING: translation string unused: optional data
+@@ -323,7 +347,16 @@ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: our donors
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -381,7 +416,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -501,6 +546,7 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+@@ -513,9 +559,159 @@ WARNING: untranslated string: age sminute
+ WARNING: untranslated string: age ssecond
+ WARNING: untranslated string: bytes
+ WARNING: untranslated string: ccd iroute2
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: new
+ WARNING: untranslated string: outgoing firewall reserved groupname
+ WARNING: untranslated string: qos enter bandwidths
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_issues.pl b/doc/language_issues.pl
+index 2258d1b..234b901 100644
+--- a/doc/language_issues.pl
++++ b/doc/language_issues.pl
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: cfg restart
+ WARNING: translation string unused: check for net traffic update
+@@ -127,6 +131,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -170,6 +186,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: optional data
+ WARNING: translation string unused: optionsfw portlist hint
+ WARNING: translation string unused: optionsfw warning
+@@ -318,8 +342,14 @@ WARNING: translation string unused: or
+ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+ WARNING: translation string unused: outgoing firewall p2p description
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -377,7 +409,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+@@ -549,6 +592,18 @@ WARNING: untranslated string: ccd routes
+ WARNING: untranslated string: ccd subnet
+ WARNING: untranslated string: ccd used
+ WARNING: untranslated string: deprecated fs warn
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
+ WARNING: untranslated string: emerging rules
+ WARNING: untranslated string: fireinfo ipfire version
+ WARNING: untranslated string: fireinfo is disabled
+@@ -567,6 +622,143 @@ WARNING: untranslated string: fireinfo why descr2
+ WARNING: untranslated string: fireinfo why enable
+ WARNING: untranslated string: fireinfo why read more
+ WARNING: untranslated string: fireinfo your profile id
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: minute
+ WARNING: untranslated string: new
+ WARNING: untranslated string: openvpn default
+@@ -588,9 +780,6 @@ WARNING: untranslated string: outgoing firewall ip groups
+ WARNING: untranslated string: outgoing firewall mac groups
+ WARNING: untranslated string: outgoing firewall p2p allow
+ WARNING: untranslated string: outgoing firewall p2p deny
+-WARNING: untranslated string: outgoing firewall p2p description 1
+-WARNING: untranslated string: outgoing firewall p2p description 2
+-WARNING: untranslated string: outgoing firewall p2p description 3
+ WARNING: untranslated string: outgoing firewall reserved groupname
+ WARNING: untranslated string: outgoing firewall view group
+ WARNING: untranslated string: ovpn errmsg green already pushed
+@@ -611,6 +800,7 @@ WARNING: untranslated string: proxy reports monthly
+ WARNING: untranslated string: proxy reports today
+ WARNING: untranslated string: proxy reports weekly
+ WARNING: untranslated string: qos enter bandwidths
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_issues.ru b/doc/language_issues.ru
+index 7b83295..a5a02c7 100644
+--- a/doc/language_issues.ru
++++ b/doc/language_issues.ru
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: cfg restart
+ WARNING: translation string unused: check for net traffic update
+@@ -126,6 +130,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -138,11 +147,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -169,6 +185,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: filename
+ WARNING: translation string unused: firewall graphs
+@@ -176,6 +193,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+ WARNING: translation string unused: from email adr
+@@ -239,6 +259,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -264,6 +285,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -279,6 +301,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -305,6 +328,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: optional data
+ WARNING: translation string unused: optionsfw portlist hint
+ WARNING: translation string unused: optionsfw warning
+@@ -312,7 +336,16 @@ WARNING: translation string unused: or
+ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -343,6 +376,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -370,7 +405,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -389,15 +426,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -489,6 +534,7 @@ WARNING: translation string unused: vpn watch
+ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: yearly firewallhits
+ WARNING: untranslated string: Add a route
+@@ -542,6 +588,18 @@ WARNING: untranslated string: ccd used
+ WARNING: untranslated string: community rules
+ WARNING: untranslated string: deprecated fs warn
+ WARNING: untranslated string: disk access per
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
+ WARNING: untranslated string: emerging rules
+ WARNING: untranslated string: extrahd because there is already a device mounted
+ WARNING: untranslated string: extrahd cant umount
+@@ -550,6 +608,143 @@ WARNING: untranslated string: extrahd maybe the device is in use
+ WARNING: untranslated string: extrahd to
+ WARNING: untranslated string: extrahd to root
+ WARNING: untranslated string: extrahd you cant mount
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: incoming traffic in bytes per second
+ WARNING: untranslated string: minute
+ WARNING: untranslated string: new
+@@ -577,6 +772,7 @@ WARNING: untranslated string: proxy reports monthly
+ WARNING: untranslated string: proxy reports today
+ WARNING: untranslated string: proxy reports weekly
+ WARNING: untranslated string: qos enter bandwidths
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_issues.tr b/doc/language_issues.tr
+index 1756840..7855360 100644
+--- a/doc/language_issues.tr
++++ b/doc/language_issues.tr
+@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
+ WARNING: translation string unused: Resolv
+ WARNING: translation string unused: TOS Bits
+ WARNING: translation string unused: Verbose
++WARNING: translation string unused: access allowed
+ WARNING: translation string unused: access refused with this oinkcode
+ WARNING: translation string unused: add network
+ WARNING: translation string unused: add new ovpn
+ WARNING: translation string unused: add service
++WARNING: translation string unused: add xtaccess
+ WARNING: translation string unused: add-route
+ WARNING: translation string unused: admin user password has been changed
+ WARNING: translation string unused: administrator user password
+@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
+ WARNING: translation string unused: allmsg
+ WARNING: translation string unused: alt information
+ WARNING: translation string unused: alt ovpn
++WARNING: translation string unused: alt vpn
+ WARNING: translation string unused: and
+ WARNING: translation string unused: ansi t1.483
+ WARNING: translation string unused: apply
+@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
+ WARNING: translation string unused: cache size
+ WARNING: translation string unused: calamaris report interval (in minutes)
+ WARNING: translation string unused: calc traffic all x minutes
++WARNING: translation string unused: cant enable xtaccess
+ WARNING: translation string unused: capsinactive
+ WARNING: translation string unused: ccd err iroute
+ WARNING: translation string unused: ccd err netadr
+@@ -129,6 +133,11 @@ WARNING: translation string unused: debugme
+ WARNING: translation string unused: deep scan directories
+ WARNING: translation string unused: default networks
+ WARNING: translation string unused: default services
++WARNING: translation string unused: description
++WARNING: translation string unused: destination ip bad
++WARNING: translation string unused: destination ip or net
++WARNING: translation string unused: destination net
++WARNING: translation string unused: destination port overlaps
+ WARNING: translation string unused: dhcp base ip fixed lease
+ WARNING: translation string unused: dhcp create fixed leases
+ WARNING: translation string unused: dhcp fixed lease err1
+@@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed
+ WARNING: translation string unused: dialup settings
+ WARNING: translation string unused: disconnect
+ WARNING: translation string unused: display traffic at home
++WARNING: translation string unused: dmz pinhole configuration
++WARNING: translation string unused: dmz pinhole rule added
++WARNING: translation string unused: dmz pinhole rule removed
++WARNING: translation string unused: dmzpinholes for same net not necessary
+ WARNING: translation string unused: dns server
+ WARNING: translation string unused: do not log this port list
+ WARNING: translation string unused: donation-link
+ WARNING: translation string unused: done
+ WARNING: translation string unused: driver
++WARNING: translation string unused: drop output
++WARNING: translation string unused: dstprt range overlaps
++WARNING: translation string unused: dstprt within existing
+ WARNING: translation string unused: dynamic dns client
+ WARNING: translation string unused: eciadsl help
+ WARNING: translation string unused: eciadsl upload
+@@ -172,6 +188,7 @@ WARNING: translation string unused: error external access
+ WARNING: translation string unused: expected
+ WARNING: translation string unused: expertoptions
+ WARNING: translation string unused: exportkey
++WARNING: translation string unused: external access
+ WARNING: translation string unused: external access rule changed
+ WARNING: translation string unused: extrahd unable to read
+ WARNING: translation string unused: extrahd unable to write
+@@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer
+ WARNING: translation string unused: firmware
+ WARNING: translation string unused: firmware upload
+ WARNING: translation string unused: force update
++WARNING: translation string unused: forwarding rule added
++WARNING: translation string unused: forwarding rule removed
++WARNING: translation string unused: forwarding rule updated
+ WARNING: translation string unused: frequency
+ WARNING: translation string unused: fritzdsl help
+ WARNING: translation string unused: fritzdsl upload
+@@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk
+ WARNING: translation string unused: localkeyfile
+ WARNING: translation string unused: log enabled
+ WARNING: translation string unused: log viewer
++WARNING: translation string unused: logging
+ WARNING: translation string unused: loosedirectorychecking
+ WARNING: translation string unused: ls_dhcpd
+ WARNING: translation string unused: ls_disk space
+@@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value
+ WARNING: translation string unused: min size
+ WARNING: translation string unused: missing dat
+ WARNING: translation string unused: missing gz
++WARNING: translation string unused: mode
+ WARNING: translation string unused: modem on com1
+ WARNING: translation string unused: modem on com2
+ WARNING: translation string unused: modem on com3
+@@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short
+ WARNING: translation string unused: mount
+ WARNING: translation string unused: mtu QoS
+ WARNING: translation string unused: nat-traversal
++WARNING: translation string unused: net
+ WARNING: translation string unused: net address
+ WARNING: translation string unused: net config type
+ WARNING: translation string unused: net config type help
+@@ -313,6 +336,7 @@ WARNING: translation string unused: o-no
+ WARNING: translation string unused: o-yes
+ WARNING: translation string unused: online help en
+ WARNING: translation string unused: only red
++WARNING: translation string unused: open to all
+ WARNING: translation string unused: openvpn disabled
+ WARNING: translation string unused: openvpn enabled
+ WARNING: translation string unused: optional data
+@@ -323,7 +347,16 @@ WARNING: translation string unused: original
+ WARNING: translation string unused: other countries
+ WARNING: translation string unused: our donors
+ WARNING: translation string unused: out
++WARNING: translation string unused: outgoing firewall
++WARNING: translation string unused: outgoing firewall mode0
++WARNING: translation string unused: outgoing firewall mode1
++WARNING: translation string unused: outgoing firewall mode2
+ WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
++WARNING: translation string unused: outgoing firewall p2p description 1
++WARNING: translation string unused: outgoing firewall p2p description 2
++WARNING: translation string unused: outgoing firewall p2p description 3
++WARNING: translation string unused: outgoing firewall reset
++WARNING: translation string unused: outgoing firewall warning
+ WARNING: translation string unused: override mtu
+ WARNING: translation string unused: ovpn
+ WARNING: translation string unused: ovpn config
+@@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
+ WARNING: translation string unused: phonebook entry
+ WARNING: translation string unused: ping disabled
+ WARNING: translation string unused: polfile
++WARNING: translation string unused: policy
++WARNING: translation string unused: port forwarding configuration
+ WARNING: translation string unused: ports
+ WARNING: translation string unused: pots
+ WARNING: translation string unused: pppoe
+@@ -381,7 +416,9 @@ WARNING: translation string unused: router ip
+ WARNING: translation string unused: rules already up to date
+ WARNING: translation string unused: safe removal of umounted device
+ WARNING: translation string unused: save error
++WARNING: translation string unused: select dest net
+ WARNING: translation string unused: select media
++WARNING: translation string unused: select source net
+ WARNING: translation string unused: selecttraffic
+ WARNING: translation string unused: send email notification
+ WARNING: translation string unused: send test mail
+@@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2
+ WARNING: translation string unused: shutting down
+ WARNING: translation string unused: sitekeyfile
+ WARNING: translation string unused: smbreload
++WARNING: translation string unused: source ip in use
++WARNING: translation string unused: source ip or net
++WARNING: translation string unused: source net
++WARNING: translation string unused: source port overlaps
+ WARNING: translation string unused: squid extension methods
+ WARNING: translation string unused: squid extension methods invalid
+ WARNING: translation string unused: squid fix cache
++WARNING: translation string unused: srcprt range overlaps
++WARNING: translation string unused: srcprt within existing
++WARNING: translation string unused: ssdmz pinholes
+ WARNING: translation string unused: ssh access tip
+ WARNING: translation string unused: ssh1 disabled
+ WARNING: translation string unused: ssh1 enabled
+ WARNING: translation string unused: ssh1 support
+ WARNING: translation string unused: ssnetwork status
+ WARNING: translation string unused: sspasswords
++WARNING: translation string unused: ssport forwarding
+ WARNING: translation string unused: ssproxy graphs
+ WARNING: translation string unused: sssystem status
+ WARNING: translation string unused: sstraffic graphs
+@@ -505,13 +550,164 @@ WARNING: translation string unused: warn when traffic reaches
+ WARNING: translation string unused: web proxy configuration
+ WARNING: translation string unused: week-graph
+ WARNING: translation string unused: weekly firewallhits
++WARNING: translation string unused: xtaccess all error
+ WARNING: translation string unused: xtaccess bad transfert
+ WARNING: translation string unused: year-graph
+ WARNING: translation string unused: yearly firewallhits
+ WARNING: untranslated string: Scan for Songs
+ WARNING: untranslated string: bytes
++WARNING: untranslated string: dnsforward
++WARNING: untranslated string: dnsforward add a new entry
++WARNING: untranslated string: dnsforward configuration
++WARNING: untranslated string: dnsforward edit an entry
++WARNING: untranslated string: dnsforward entries
++WARNING: untranslated string: dnsforward forward_server
++WARNING: untranslated string: dnsforward zone
++WARNING: untranslated string: drop action
++WARNING: untranslated string: drop action1
++WARNING: untranslated string: drop action2
++WARNING: untranslated string: drop forward
++WARNING: untranslated string: drop outgoing
++WARNING: untranslated string: fw default drop
++WARNING: untranslated string: fw settings
++WARNING: untranslated string: fw settings color
++WARNING: untranslated string: fw settings dropdown
++WARNING: untranslated string: fw settings remark
++WARNING: untranslated string: fw settings ruletable
++WARNING: untranslated string: fwdfw action
++WARNING: untranslated string: fwdfw additional
++WARNING: untranslated string: fwdfw addrule
++WARNING: untranslated string: fwdfw change
++WARNING: untranslated string: fwdfw copy
++WARNING: untranslated string: fwdfw delete
++WARNING: untranslated string: fwdfw dnat
++WARNING: untranslated string: fwdfw dnat error
++WARNING: untranslated string: fwdfw dnat porterr
++WARNING: untranslated string: fwdfw edit
++WARNING: untranslated string: fwdfw err nosrc
++WARNING: untranslated string: fwdfw err nosrcip
++WARNING: untranslated string: fwdfw err notgt
++WARNING: untranslated string: fwdfw err notgtip
++WARNING: untranslated string: fwdfw err prot
++WARNING: untranslated string: fwdfw err remark
++WARNING: untranslated string: fwdfw err ruleexists
++WARNING: untranslated string: fwdfw err same
++WARNING: untranslated string: fwdfw err samesub
++WARNING: untranslated string: fwdfw err src_addr
++WARNING: untranslated string: fwdfw err tgt_addr
++WARNING: untranslated string: fwdfw err tgt_grp
++WARNING: untranslated string: fwdfw err tgt_mac
++WARNING: untranslated string: fwdfw err time
++WARNING: untranslated string: fwdfw final_rule
++WARNING: untranslated string: fwdfw hint ip1
++WARNING: untranslated string: fwdfw hint ip2
++WARNING: untranslated string: fwdfw log rule
++WARNING: untranslated string: fwdfw man port
++WARNING: untranslated string: fwdfw menu
++WARNING: untranslated string: fwdfw movedown
++WARNING: untranslated string: fwdfw moveup
++WARNING: untranslated string: fwdfw newrule
++WARNING: untranslated string: fwdfw p2p txt
++WARNING: untranslated string: fwdfw pol allow
++WARNING: untranslated string: fwdfw pol block
++WARNING: untranslated string: fwdfw pol text
++WARNING: untranslated string: fwdfw pol text1
++WARNING: untranslated string: fwdfw pol title
++WARNING: untranslated string: fwdfw red
++WARNING: untranslated string: fwdfw reread
++WARNING: untranslated string: fwdfw rule action
++WARNING: untranslated string: fwdfw rule activate
++WARNING: untranslated string: fwdfw rulepos
++WARNING: untranslated string: fwdfw snat
++WARNING: untranslated string: fwdfw source
++WARNING: untranslated string: fwdfw sourceip
++WARNING: untranslated string: fwdfw target
++WARNING: untranslated string: fwdfw targetip
++WARNING: untranslated string: fwdfw timeframe
++WARNING: untranslated string: fwdfw toggle
++WARNING: untranslated string: fwdfw togglelog
++WARNING: untranslated string: fwdfw use nat
++WARNING: untranslated string: fwdfw use srcport
++WARNING: untranslated string: fwdfw use srv
++WARNING: untranslated string: fwdfw useless rule
++WARNING: untranslated string: fwdfw wd_fri
++WARNING: untranslated string: fwdfw wd_mon
++WARNING: untranslated string: fwdfw wd_sat
++WARNING: untranslated string: fwdfw wd_sun
++WARNING: untranslated string: fwdfw wd_thu
++WARNING: untranslated string: fwdfw wd_tue
++WARNING: untranslated string: fwdfw wd_wed
++WARNING: untranslated string: fwdfw xt access
++WARNING: untranslated string: fwhost addgrp
++WARNING: untranslated string: fwhost addgrpname
++WARNING: untranslated string: fwhost addhost
++WARNING: untranslated string: fwhost addnet
++WARNING: untranslated string: fwhost addservice
++WARNING: untranslated string: fwhost addservicegrp
++WARNING: untranslated string: fwhost any
++WARNING: untranslated string: fwhost attention
++WARNING: untranslated string: fwhost back
++WARNING: untranslated string: fwhost ccdhost
++WARNING: untranslated string: fwhost ccdnet
++WARNING: untranslated string: fwhost change
++WARNING: untranslated string: fwhost cust addr
++WARNING: untranslated string: fwhost cust grp
++WARNING: untranslated string: fwhost cust net
++WARNING: untranslated string: fwhost cust service
++WARNING: untranslated string: fwhost cust srvgrp
++WARNING: untranslated string: fwhost deleted
++WARNING: untranslated string: fwhost empty
++WARNING: untranslated string: fwhost err addr
++WARNING: untranslated string: fwhost err empty
++WARNING: untranslated string: fwhost err groupempty
++WARNING: untranslated string: fwhost err grpexist
++WARNING: untranslated string: fwhost err hostexist
++WARNING: untranslated string: fwhost err hostip
++WARNING: untranslated string: fwhost err ip
++WARNING: untranslated string: fwhost err ipcheck
++WARNING: untranslated string: fwhost err ipmac
++WARNING: untranslated string: fwhost err ipwithsub
++WARNING: untranslated string: fwhost err isccdhost
++WARNING: untranslated string: fwhost err isccdiphost
++WARNING: untranslated string: fwhost err isccdipnet
++WARNING: untranslated string: fwhost err isccdnet
++WARNING: untranslated string: fwhost err isingrp
++WARNING: untranslated string: fwhost err name
++WARNING: untranslated string: fwhost err name1
++WARNING: untranslated string: fwhost err net
++WARNING: untranslated string: fwhost err netexist
++WARNING: untranslated string: fwhost err partofnet
++WARNING: untranslated string: fwhost err port
++WARNING: untranslated string: fwhost err remark
++WARNING: untranslated string: fwhost err srv exists
++WARNING: untranslated string: fwhost err srvexist
++WARNING: untranslated string: fwhost err sub32
++WARNING: untranslated string: fwhost hint
++WARNING: untranslated string: fwhost hosts
++WARNING: untranslated string: fwhost icmptype
++WARNING: untranslated string: fwhost ip_mac
++WARNING: untranslated string: fwhost ipsec net
++WARNING: untranslated string: fwhost macwarn
++WARNING: untranslated string: fwhost menu
++WARNING: untranslated string: fwhost netaddress
++WARNING: untranslated string: fwhost newgrp
++WARNING: untranslated string: fwhost newhost
++WARNING: untranslated string: fwhost newnet
++WARNING: untranslated string: fwhost newservice
++WARNING: untranslated string: fwhost newservicegrp
++WARNING: untranslated string: fwhost ovpn_n2n
++WARNING: untranslated string: fwhost port
++WARNING: untranslated string: fwhost prot
++WARNING: untranslated string: fwhost reread
++WARNING: untranslated string: fwhost services
++WARNING: untranslated string: fwhost srv_name
++WARNING: untranslated string: fwhost stdnet
++WARNING: untranslated string: fwhost type
++WARNING: untranslated string: fwhost used
++WARNING: untranslated string: fwhost welcome
+ WARNING: untranslated string: new
+ WARNING: untranslated string: outgoing firewall reserved groupname
++WARNING: untranslated string: red1
+ WARNING: untranslated string: route config changed
+ WARNING: untranslated string: routing config added
+ WARNING: untranslated string: routing config changed
+diff --git a/doc/language_missings b/doc/language_missings
+index b78b367..21bdc2c 100644
+--- a/doc/language_missings
++++ b/doc/language_missings
+@@ -5,13 +5,50 @@
+ # Checking cgi-bin translations for language: en #
+ ############################################################################
+ < ccd maxclients
++< dnsforward
++< dnsforward add a new entry
++< dnsforward configuration
++< dnsforward edit an entry
++< dnsforward entries
++< dnsforward forward_server
++< dnsforward zone
++< wlanap country
++< wlan client
++< wlan client advanced settings
++< wlan client and
++< wlan client bssid
++< wlan client ccmp
++< wlan client configuration
++< wlan client disconnected
++< wlan client duplicate ssid
++< wlan client edit entry
++< wlan client encryption
++< wlan client encryption none
++< wlan client encryption wep
++< wlan client encryption wpa
++< wlan client encryption wpa2
++< wlan client group cipher
++< wlan client group key algorithm
++< wlan client invalid key length
++< wlan client new entry
++< wlan client new network
++< wlan client pairwise cipher
++< wlan client pairwise key algorithm
++< wlan client pairwise key group key
++< wlan client psk
++< wlan client ssid
++< wlan client tkip
++< wlan client wpa mode
++< wlan client wpa mode all
++< wlan client wpa mode ccmp ccmp
++< wlan client wpa mode ccmp tkip
++< wlan client wpa mode tkip tkip
+ ############################################################################
+ # Checking install/setup translations for language: fr #
+ ############################################################################
+ ############################################################################
+ # Checking cgi-bin translations for language: fr #
+ ############################################################################
+-< advproxy cache-digest
+ < advproxy errmsg cache
+ < advproxy errmsg invalid upstream proxy
+ < age second
+@@ -60,6 +97,18 @@
+ < ccd used
+ < deprecated fs warn
+ < dns address deleted txt
++< dnsforward
++< dnsforward add a new entry
++< dnsforward configuration
++< dnsforward edit an entry
++< dnsforward entries
++< dnsforward forward_server
++< dnsforward zone
++< drop action
++< drop action1
++< drop action2
++< drop forward
++< drop outgoing
+ < fireinfo ipfire version
+ < fireinfo is disabled
+ < fireinfo is enabled
+@@ -77,6 +126,174 @@
+ < fireinfo why enable
+ < fireinfo why read more
+ < fireinfo your profile id
++< forward firewall
++< fw default drop
++< fwdfw ACCEPT
++< fwdfw action
++< fwdfw additional
++< fwdfw addr grp
++< fwdfw addrule
++< fwdfw change
++< fwdfw copy
++< fwdfw cust addr
++< fwdfw cust net
++< fwdfw delete
++< fwdfw dnat
++< fwdfw dnat error
++< fwdfw dnat porterr
++< fwdfw DROP
++< fwdfw edit
++< fwdfw err nosrc
++< fwdfw err nosrcip
++< fwdfw err notgt
++< fwdfw err notgtip
++< fwdfw err prot
++< fwdfw err remark
++< fwdfw err ruleexists
++< fwdfw err same
++< fwdfw err samesub
++< fwdfw err src_addr
++< fwdfw err srcovpn
++< fwdfw err srcport
++< fwdfw err tgt_addr
++< fwdfw err tgt_grp
++< fwdfw err tgt_mac
++< fwdfw err tgtovpn
++< fwdfw err tgtport
++< fwdfw err tgt_port
++< fwdfw err time
++< fwdfw final_rule
++< fwdfw from
++< fwdfw hint ip1
++< fwdfw hint ip2
++< fwdfw ipsec network
++< fwdfw log rule
++< fwdfw man port
++< fwdfw menu
++< fwdfw MODE1
++< fwdfw MODE2
++< fwdfw movedown
++< fwdfw moveup
++< fwdfw natport used
++< fwdfw newrule
++< fwdfw p2p txt
++< fwdfw pol allow
++< fwdfw pol block
++< fwdfw pol text
++< fwdfw pol text1
++< fwdfw pol title
++< fwdfw red
++< fwdfw REJECT
++< fwdfw reread
++< fwdfw rule action
++< fwdfw rule activate
++< fwdfw rulepos
++< fwdfw rules
++< fwdfw snat
++< fwdfw source
++< fwdfw sourceip
++< fwdfw std network
++< fwdfw target
++< fwdfw targetip
++< fwdfw till
++< fwdfw time
++< fwdfw timeframe
++< fwdfw toggle
++< fwdfw togglelog
++< fwdfw useless rule
++< fwdfw use nat
++< fwdfw use srcport
++< fwdfw use srv
++< fwdfw wd_fri
++< fwdfw wd_mon
++< fwdfw wd_sat
++< fwdfw wd_sun
++< fwdfw wd_thu
++< fwdfw wd_tue
++< fwdfw wd_wed
++< fwdfw xt access
++< fwhost addgrp
++< fwhost addgrpname
++< fwhost addhost
++< fwhost addnet
++< fwhost addrule
++< fwhost addservice
++< fwhost addservicegrp
++< fwhost any
++< fwhost attention
++< fwhost back
++< fwhost blue
++< fwhost ccdhost
++< fwhost ccdnet
++< fwhost change
++< fwhost changeremark
++< fwhost cust addr
++< fwhost cust grp
++< fwhost cust net
++< fwhost cust service
++< fwhost cust srvgrp
++< fwhost deleted
++< fwhost empty
++< fwhost err addr
++< fwhost err addrgrp
++< fwhost err empty
++< fwhost err groupempty
++< fwhost err grpexist
++< fwhost err hostexist
++< fwhost err hostorip
++< fwhost err ip
++< fwhost err ipcheck
++< fwhost err ipmac
++< fwhost err ipwithsub
++< fwhost err isccdhost
++< fwhost err isccdiphost
++< fwhost err isccdipnet
++< fwhost err isccdnet
++< fwhost err isingrp
++< fwhost err mac
++< fwhost err name
++< fwhost err name1
++< fwhost err net
++< fwhost err netexist
++< fwhost err partofnet
++< fwhost err port
++< fwhost err remark
++< fwhost err srvexist
++< fwhost err srv exists
++< fwhost err sub32
++< fwhost green
++< fwhost hint
++< fwhost hosts
++< fwhost icmptype
++< fwhost ipadr
++< fwhost ip_mac
++< fwhost ipsec host
++< fwhost ipsec net
++< fwhost menu
++< fwhost netaddress
++< fwhost newgrp
++< fwhost newhost
++< fwhost newnet
++< fwhost newservice
++< fwhost newservicegrp
++< fwhost orange
++< fwhost ovpn_n2n
++< fwhost port
++< fwhost prot
++< fwhost reread
++< fwhost reset
++< fwhost services
++< fwhost srv_name
++< fwhost stdnet
++< fwhost type
++< fwhost used
++< fwhost welcome
++< fwhost wo subnet
++< fw settings
++< fw settings color
++< fw settings dropdown
++< fw settings remark
++< fw settings ruletable
+ < minute
+ < ntp common settings
+ < ntp sync
+@@ -105,6 +322,7 @@
+ < proxy reports today
+ < proxy reports weekly
+ < qos enter bandwidths
++< red1
+ < server restart
+ < snort working
+ < static routes
+@@ -175,7 +393,6 @@
+ ############################################################################
+ # Checking cgi-bin translations for language: es #
+ ############################################################################
+-< advproxy cache-digest
+ < advproxy errmsg cache
+ < advproxy errmsg invalid upstream proxy
+ < age second
+@@ -224,6 +441,18 @@
+ < ccd subnet
+ < ccd used
+ < deprecated fs warn
++< dnsforward
++< dnsforward add a new entry
++< dnsforward configuration
++< dnsforward edit an entry
++< dnsforward entries
++< dnsforward forward_server
++< dnsforward zone
++< drop action
++< drop action1
++< drop action2
++< drop forward
++< drop outgoing
+ < fireinfo ipfire version
+ < fireinfo is disabled
+ < fireinfo is enabled
+@@ -241,6 +470,174 @@
+ < fireinfo why enable
+ < fireinfo why read more
+ < fireinfo your profile id
++< forward firewall
++< fw default drop
++< fwdfw ACCEPT
++< fwdfw action
++< fwdfw additional
++< fwdfw addr grp
++< fwdfw addrule
++< fwdfw change
++< fwdfw copy
++< fwdfw cust addr
++< fwdfw cust net
++< fwdfw delete
++< fwdfw dnat
++< fwdfw dnat error
++< fwdfw dnat porterr
++< fwdfw DROP
++< fwdfw edit
++< fwdfw err nosrc
++< fwdfw err nosrcip
++< fwdfw err notgt
++< fwdfw err notgtip
++< fwdfw err prot
++< fwdfw err remark
++< fwdfw err ruleexists
++< fwdfw err same
++< fwdfw err samesub
++< fwdfw err src_addr
++< fwdfw err srcovpn
++< fwdfw err srcport
++< fwdfw err tgt_addr
++< fwdfw err tgt_grp
++< fwdfw err tgt_mac
++< fwdfw err tgtovpn
++< fwdfw err tgtport
++< fwdfw err tgt_port
++< fwdfw err time
++< fwdfw final_rule
++< fwdfw from
++< fwdfw hint ip1
++< fwdfw hint ip2
++< fwdfw ipsec network
++< fwdfw log rule
++< fwdfw man port
++< fwdfw menu
++< fwdfw MODE1
++< fwdfw MODE2
++< fwdfw movedown
++< fwdfw moveup
++< fwdfw natport used
++< fwdfw newrule
++< fwdfw p2p txt
++< fwdfw pol allow
++< fwdfw pol block
++< fwdfw pol text
++< fwdfw pol text1
++< fwdfw pol title
++< fwdfw red
++< fwdfw REJECT
++< fwdfw reread
++< fwdfw rule action
++< fwdfw rule activate
++< fwdfw rulepos
++< fwdfw rules
++< fwdfw snat
++< fwdfw source
++< fwdfw sourceip
++< fwdfw std network
++< fwdfw target
++< fwdfw targetip
++< fwdfw till
++< fwdfw time
++< fwdfw timeframe
++< fwdfw toggle
++< fwdfw togglelog
++< fwdfw useless rule
++< fwdfw use nat
++< fwdfw use srcport
++< fwdfw use srv
++< fwdfw wd_fri
++< fwdfw wd_mon
++< fwdfw wd_sat
++< fwdfw wd_sun
++< fwdfw wd_thu
++< fwdfw wd_tue
++< fwdfw wd_wed
++< fwdfw xt access
++< fwhost addgrp
++< fwhost addgrpname
++< fwhost addhost
++< fwhost addnet
++< fwhost addrule
++< fwhost addservice
++< fwhost addservicegrp
++< fwhost any
++< fwhost attention
++< fwhost back
++< fwhost blue
++< fwhost ccdhost
++< fwhost ccdnet
++< fwhost change
++< fwhost changeremark
++< fwhost cust addr
++< fwhost cust grp
++< fwhost cust net
++< fwhost cust service
++< fwhost cust srvgrp
++< fwhost deleted
++< fwhost empty
++< fwhost err addr
++< fwhost err addrgrp
++< fwhost err empty
++< fwhost err groupempty
++< fwhost err grpexist
++< fwhost err hostexist
++< fwhost err hostorip
++< fwhost err ip
++< fwhost err ipcheck
++< fwhost err ipmac
++< fwhost err ipwithsub
++< fwhost err isccdhost
++< fwhost err isccdiphost
++< fwhost err isccdipnet
++< fwhost err isccdnet
++< fwhost err isingrp
++< fwhost err mac
++< fwhost err name
++< fwhost err name1
++< fwhost err net
++< fwhost err netexist
++< fwhost err partofnet
++< fwhost err port
++< fwhost err remark
++< fwhost err srvexist
++< fwhost err srv exists
++< fwhost err sub32
++< fwhost green
++< fwhost hint
++< fwhost hosts
++< fwhost icmptype
++< fwhost ipadr
++< fwhost ip_mac
++< fwhost ipsec host
++< fwhost ipsec net
++< fwhost menu
++< fwhost netaddress
++< fwhost newgrp
++< fwhost newhost
++< fwhost newnet
++< fwhost newservice
++< fwhost newservicegrp
++< fwhost orange
++< fwhost ovpn_n2n
++< fwhost port
++< fwhost prot
++< fwhost reread
++< fwhost reset
++< fwhost services
++< fwhost srv_name
++< fwhost stdnet
++< fwhost type
++< fwhost used
++< fwhost welcome
++< fwhost wo subnet
++< fw settings
++< fw settings color
++< fw settings dropdown
++< fw settings remark
++< fw settings ruletable
+ < minute
+ < openvpn default
+ < openvpn destination port used
+@@ -285,6 +682,7 @@
+ < proxy reports today
+ < proxy reports weekly
+ < qos enter bandwidths
++< red1
+ < server restart
+ < Set time on boot
+ < static routes
+@@ -332,7 +730,6 @@
+ ############################################################################
+ # Checking cgi-bin translations for language: pl #
+ ############################################################################
+-< advproxy cache-digest
+ < advproxy errmsg cache
+ < advproxy errmsg invalid upstream proxy
+ < age second
+@@ -380,6 +777,18 @@
+ < ccd subnet
+ < ccd used
+ < deprecated fs warn
++< dnsforward
++< dnsforward add a new entry
++< dnsforward configuration
++< dnsforward edit an entry
++< dnsforward entries
++< dnsforward forward_server
++< dnsforward zone
++< drop action
++< drop action1
++< drop action2
++< drop forward
++< drop outgoing
+ < extrahd because there is already a device mounted
+ < extrahd cant umount
+ < extrahd install or load driver
+@@ -389,6 +798,174 @@
+ < extrahd unable to read
+ < extrahd unable to write
+ < extrahd you cant mount
++< forward firewall
++< fw default drop
++< fwdfw ACCEPT
++< fwdfw action
++< fwdfw additional
++< fwdfw addr grp
++< fwdfw addrule
++< fwdfw change
++< fwdfw copy
++< fwdfw cust addr
++< fwdfw cust net
++< fwdfw delete
++< fwdfw dnat
++< fwdfw dnat error
++< fwdfw dnat porterr
++< fwdfw DROP
++< fwdfw edit
++< fwdfw err nosrc
++< fwdfw err nosrcip
++< fwdfw err notgt
++< fwdfw err notgtip
++< fwdfw err prot
++< fwdfw err remark
++< fwdfw err ruleexists
++< fwdfw err same
++< fwdfw err samesub
++< fwdfw err src_addr
++< fwdfw err srcovpn
++< fwdfw err srcport
++< fwdfw err tgt_addr
++< fwdfw err tgt_grp
++< fwdfw err tgt_mac
++< fwdfw err tgtovpn
++< fwdfw err tgtport
++< fwdfw err tgt_port
++< fwdfw err time
++< fwdfw final_rule
++< fwdfw from
++< fwdfw hint ip1
++< fwdfw hint ip2
++< fwdfw ipsec network
++< fwdfw log rule
++< fwdfw man port
++< fwdfw menu
++< fwdfw MODE1
++< fwdfw MODE2
++< fwdfw movedown
++< fwdfw moveup
++< fwdfw natport used
++< fwdfw newrule
++< fwdfw p2p txt
++< fwdfw pol allow
++< fwdfw pol block
++< fwdfw pol text
++< fwdfw pol text1
++< fwdfw pol title
++< fwdfw red
++< fwdfw REJECT
++< fwdfw reread
++< fwdfw rule action
++< fwdfw rule activate
++< fwdfw rulepos
++< fwdfw rules
++< fwdfw snat
++< fwdfw source
++< fwdfw sourceip
++< fwdfw std network
++< fwdfw target
++< fwdfw targetip
++< fwdfw till
++< fwdfw time
++< fwdfw timeframe
++< fwdfw toggle
++< fwdfw togglelog
++< fwdfw useless rule
++< fwdfw use nat
++< fwdfw use srcport
++< fwdfw use srv
++< fwdfw wd_fri
++< fwdfw wd_mon
++< fwdfw wd_sat
++< fwdfw wd_sun
++< fwdfw wd_thu
++< fwdfw wd_tue
++< fwdfw wd_wed
++< fwdfw xt access
++< fwhost addgrp
++< fwhost addgrpname
++< fwhost addhost
++< fwhost addnet
++< fwhost addrule
++< fwhost addservice
++< fwhost addservicegrp
++< fwhost any
++< fwhost attention
++< fwhost back
++< fwhost blue
++< fwhost ccdhost
++< fwhost ccdnet
++< fwhost change
++< fwhost changeremark
++< fwhost cust addr
++< fwhost cust grp
++< fwhost cust net
++< fwhost cust service
++< fwhost cust srvgrp
++< fwhost deleted
++< fwhost empty
++< fwhost err addr
++< fwhost err addrgrp
++< fwhost err empty
++< fwhost err groupempty
++< fwhost err grpexist
++< fwhost err hostexist
++< fwhost err hostorip
++< fwhost err ip
++< fwhost err ipcheck
++< fwhost err ipmac
++< fwhost err ipwithsub
++< fwhost err isccdhost
++< fwhost err isccdiphost
++< fwhost err isccdipnet
++< fwhost err isccdnet
++< fwhost err isingrp
++< fwhost err mac
++< fwhost err name
++< fwhost err name1
++< fwhost err net
++< fwhost err netexist
++< fwhost err partofnet
++< fwhost err port
++< fwhost err remark
++< fwhost err srvexist
++< fwhost err srv exists
++< fwhost err sub32
++< fwhost green
++< fwhost hint
++< fwhost hosts
++< fwhost icmptype
++< fwhost ipadr
++< fwhost ip_mac
++< fwhost ipsec host
++< fwhost ipsec net
++< fwhost menu
++< fwhost netaddress
++< fwhost newgrp
++< fwhost newhost
++< fwhost newnet
++< fwhost newservice
++< fwhost newservicegrp
++< fwhost orange
++< fwhost ovpn_n2n
++< fwhost port
++< fwhost prot
++< fwhost reread
++< fwhost reset
++< fwhost services
++< fwhost srv_name
++< fwhost stdnet
++< fwhost type
++< fwhost used
++< fwhost welcome
++< fwhost wo subnet
++< fw settings
++< fw settings color
++< fw settings dropdown
++< fw settings remark
++< fw settings ruletable
+ < minute
+ < openvpn default
+ < openvpn destination port used
+@@ -419,6 +996,7 @@
+ < proxy reports today
+ < proxy reports weekly
+ < qos enter bandwidths
++< red1
+ < server restart
+ < static routes
+ < updxlrtr sources
+@@ -465,7 +1043,6 @@
+ # Checking cgi-bin translations for language: ru #
+ ############################################################################
+ < Add a route
+-< advproxy cache-digest
+ < advproxy errmsg cache
+ < advproxy errmsg invalid upstream proxy
+ < age second
+@@ -515,6 +1092,18 @@
+ < day-graph
+ < deprecated fs warn
+ < disk access per
++< dnsforward
++< dnsforward add a new entry
++< dnsforward configuration
++< dnsforward edit an entry
++< dnsforward entries
++< dnsforward forward_server
++< dnsforward zone
++< drop action
++< drop action1
++< drop action2
++< drop forward
++< drop outgoing
+ < Edit an existing route
+ < extrahd because there is already a device mounted
+ < extrahd cant umount
+@@ -525,7 +1114,175 @@
+ < extrahd unable to read
+ < extrahd unable to write
+ < extrahd you cant mount
++< forward firewall
+ < frequency
++< fw default drop
++< fwdfw ACCEPT
++< fwdfw action
++< fwdfw additional
++< fwdfw addr grp
++< fwdfw addrule
++< fwdfw change
++< fwdfw copy
++< fwdfw cust addr
++< fwdfw cust net
++< fwdfw delete
++< fwdfw dnat
++< fwdfw dnat error
++< fwdfw dnat porterr
++< fwdfw DROP
++< fwdfw edit
++< fwdfw err nosrc
++< fwdfw err nosrcip
++< fwdfw err notgt
++< fwdfw err notgtip
++< fwdfw err prot
++< fwdfw err remark
++< fwdfw err ruleexists
++< fwdfw err same
++< fwdfw err samesub
++< fwdfw err src_addr
++< fwdfw err srcovpn
++< fwdfw err srcport
++< fwdfw err tgt_addr
++< fwdfw err tgt_grp
++< fwdfw err tgt_mac
++< fwdfw err tgtovpn
++< fwdfw err tgtport
++< fwdfw err tgt_port
++< fwdfw err time
++< fwdfw final_rule
++< fwdfw from
++< fwdfw hint ip1
++< fwdfw hint ip2
++< fwdfw ipsec network
++< fwdfw log rule
++< fwdfw man port
++< fwdfw menu
++< fwdfw MODE1
++< fwdfw MODE2
++< fwdfw movedown
++< fwdfw moveup
++< fwdfw natport used
++< fwdfw newrule
++< fwdfw p2p txt
++< fwdfw pol allow
++< fwdfw pol block
++< fwdfw pol text
++< fwdfw pol text1
++< fwdfw pol title
++< fwdfw red
++< fwdfw REJECT
++< fwdfw reread
++< fwdfw rule action
++< fwdfw rule activate
++< fwdfw rulepos
++< fwdfw rules
++< fwdfw snat
++< fwdfw source
++< fwdfw sourceip
++< fwdfw std network
++< fwdfw target
++< fwdfw targetip
++< fwdfw till
++< fwdfw time
++< fwdfw timeframe
++< fwdfw toggle
++< fwdfw togglelog
++< fwdfw useless rule
++< fwdfw use nat
++< fwdfw use srcport
++< fwdfw use srv
++< fwdfw wd_fri
++< fwdfw wd_mon
++< fwdfw wd_sat
++< fwdfw wd_sun
++< fwdfw wd_thu
++< fwdfw wd_tue
++< fwdfw wd_wed
++< fwdfw xt access
++< fwhost addgrp
++< fwhost addgrpname
++< fwhost addhost
++< fwhost addnet
++< fwhost addrule
++< fwhost addservice
++< fwhost addservicegrp
++< fwhost any
++< fwhost attention
++< fwhost back
++< fwhost blue
++< fwhost ccdhost
++< fwhost ccdnet
++< fwhost change
++< fwhost changeremark
++< fwhost cust addr
++< fwhost cust grp
++< fwhost cust net
++< fwhost cust service
++< fwhost cust srvgrp
++< fwhost deleted
++< fwhost empty
++< fwhost err addr
++< fwhost err addrgrp
++< fwhost err empty
++< fwhost err groupempty
++< fwhost err grpexist
++< fwhost err hostexist
++< fwhost err hostorip
++< fwhost err ip
++< fwhost err ipcheck
++< fwhost err ipmac
++< fwhost err ipwithsub
++< fwhost err isccdhost
++< fwhost err isccdiphost
++< fwhost err isccdipnet
++< fwhost err isccdnet
++< fwhost err isingrp
++< fwhost err mac
++< fwhost err name
++< fwhost err name1
++< fwhost err net
++< fwhost err netexist
++< fwhost err partofnet
++< fwhost err port
++< fwhost err remark
++< fwhost err srvexist
++< fwhost err srv exists
++< fwhost err sub32
++< fwhost green
++< fwhost hint
++< fwhost hosts
++< fwhost icmptype
++< fwhost ipadr
++< fwhost ip_mac
++< fwhost ipsec host
++< fwhost ipsec net
++< fwhost menu
++< fwhost netaddress
++< fwhost newgrp
++< fwhost newhost
++< fwhost newnet
++< fwhost newservice
++< fwhost newservicegrp
++< fwhost orange
++< fwhost ovpn_n2n
++< fwhost port
++< fwhost prot
++< fwhost reread
++< fwhost reset
++< fwhost services
++< fwhost srv_name
++< fwhost stdnet
++< fwhost type
++< fwhost used
++< fwhost welcome
++< fwhost wo subnet
++< fw settings
++< fw settings color
++< fw settings dropdown
++< fw settings remark
++< fw settings ruletable
+ < hour-graph
+ < incoming traffic in bytes per second
+ < minute
+@@ -556,6 +1313,7 @@
+ < proxy reports today
+ < proxy reports weekly
+ < qos enter bandwidths
++< red1
+ < server restart
+ < static routes
+ < updxlrtr sources
+diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
+index 620ad49..b68b5db 100644
+--- a/langs/de/cgi-bin/de.pl
++++ b/langs/de/cgi-bin/de.pl
+@@ -1,5 +1,6 @@
+ %tr = (
+ %tr,
++
+ 'Act as' => 'Konfiguriert als',
+ 'Add Level7 rule' => 'Level7-Regel hinzufügen',
+ 'Add Port Rule' => 'Port-Regel hinzufügen',
+@@ -748,9 +749,9 @@
+ 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+ 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
+ 'drop action2' => 'Standardverhalten der (Input) Firewall',
++'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+ 'drop input' => 'Verworfene Input Pakete loggen',
+ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+-'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+ 'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen',
+ 'drop portscan' => 'Verworfene Portscan Pakete loggen',
+ 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
+@@ -884,171 +885,10 @@
+ 'fixed ip lease removed' => 'Feste IP-Zuordnung gelöscht',
+ 'force update' => 'Aktualisierung erzwingen',
+ 'force user' => 'Standardbenutzer für das UNIX Dateisystem',
++'forward firewall' => 'Firewall',
+ 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
+ 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
+ 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
+-'forward firewall' => 'Firewall',
+-'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
+-'fwdfw additional' => 'Zusätzlich',
+-'fwdfw action' => 'Aktion',
+-'fwdfw menu' => 'Firewall Regeln',
+-'fwdfw addrule' => 'Regel hinzufügen/ändern:',
+-'fwdfw addr grp' => 'Adressgruppen:',
+-'fwdfw change' => 'Aktualisieren',
+-'fwdfw cust addr' => 'Custom Adressen:',
+-'fwdfw cust net' => 'Custom Netzwerke:',
+-'fwdfw copy' => 'Kopieren',
+-'fwdfw delete' => 'Löschen',
+-'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP Adresse mit der aus ZIEL)',
+-'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
+-'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden',
+-'fwdfw DROP' => 'Verwerfen (DROP)',
+-'fwdfw edit' => 'Bearbeiten',
+-'fwdfw err nosrc' => 'Keine Quelle gewählt',
+-'fwdfw err nosrcip' => 'Bitte Quell IP Adresse angeben',
+-'fwdfw err notgt' => 'Kein Ziel gewählt',
+-'fwdfw err notgtip' => 'Bitte Ziel IP Adresse angeben',
+-'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein',
+-'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen',
+-'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
+-'fwdfw err src_addr' => 'Quell-MAC/IP Adresse ungültig',
+-'fwdfw err srcovpn' => 'Quell-IP Adresse ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+-'fwdfw err same' => 'Quelle und Ziel sind identisch',
+-'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz',
+-'fwdfw err srcport' => 'Bitte Quellport angeben',
+-'fwdfw err tgtport' => 'Bitte Zielport angeben',
+-'fwdfw err tgt_addr' => 'Ziel-IP Adresse ungültig',
+-'fwdfw err tgtovpn' => 'Ziel-IP Adresse ist ein OpenVPN Client. Bitte Dropdown zum Auswählen nutzen',
+-'fwdfw err tgt_port' => 'Ziel Port ungültig',
+-'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden',
+-'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer',
+-'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden',
+-'fwdfw from' => 'Von:',
+-'fwdfw final_rule' => 'Letzte Regel: ',
+-'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind',
+-'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+-'fwdfw ipsec network' => 'IPsec Netzwerke:',
+-'fwdfw log rule' => 'Logging aktivieren',
+-'fwdfw man port' => 'Port(s) manuell:',
+-'fwdfw moveup' => 'Hoch',
+-'fwdfw movedown' => 'Runter',
+-'fwdfw MODE1' => 'Alle Pakete verwerfen',
+-'fwdfw MODE2' => 'Alle Pakete annehmen',
+-'fwdfw p2p txt' => 'Hier können einzelne P2P Netzwerke erlaubt oder verboten werden. Das System setzt die Regeln automatisch unabhängig vom aktuellen Firewall Modus. Unter Umständen können einzelne aktivierte P2P Netzewerke einen erheblichen Teil der Bandbreite beanspruchen.',
+-'fwdfw pol allow' => 'Zugelassen',
+-'fwdfw pol block' => 'Blockiert',
+-'fwdfw pol title' => 'Standardverhalten der Firewall',
+-'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme erstellten Regeln.',
+-'fwdfw pol text1' => 'Standardverhalten für Verbindungen von Firewall. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
+-'fwdfw red' => 'ROT',
+-'fwdfw REJECT' => 'Verweigern (REJECT)',
+-'fwdfw reread' => 'Übernehmen',
+-'fwdfw rules' => 'Regeln',
+-'fwdfw rule action' => 'Regelaktion:',
+-'fwdfw rule activate' => 'Regel aktivieren',
+-'fwdfw rulepos' => 'Regelposition',
+-'fwdfw snat' => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)',
+-'fwdfw source' => 'Quelle',
+-'fwdfw sourceip' => 'Quelladresse (MAC, IP Adresse oder Netzwerk):',
+-'fwdfw std network' => 'Standard Netzwerke:',
+-'fwdfw target' => 'Ziel',
+-'fwdfw targetip' => 'Zieladresse (IP Adresse oder Netzwerk):',
+-'fwdfw till' => 'Bis:',
+-'fwdfw time' => 'Zeitrahmen',
+-'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
+-'fwdfw toggle' => 'Aktivieren oder deaktivieren',
+-'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
+-'fwdfw use nat' => 'NAT benutzen',
+-'fwdfw useless rule' => 'Diese Regel ist nicht zugelassen.',
+-'fwdfw use srcport' => 'Quellport benutzen',
+-'fwdfw use srv' => 'Zielport benutzen',
+-'fwdfw natport used' => 'Der Natport wird bereits von einer anderen DNAT Regel benutzt',
+-'fwdfw newrule' => 'Neue Regel',
+-'fwdfw wd_mon' => 'Mo',
+-'fwdfw wd_tue' => 'Di',
+-'fwdfw wd_wed' => 'Mi',
+-'fwdfw wd_thu' => 'Do',
+-'fwdfw wd_fri' => 'Fr',
+-'fwdfw wd_sat' => 'Sa',
+-'fwdfw wd_sun' => 'So',
+-'fwdfw xt access' => 'Input',
+-'fwhost addgrp' => 'Gruppe hinzufügen:',
+-'fwhost addgrpname' => 'Gruppenname:',
+-'fwhost addhost' => 'Host hinzufügen:',
+-'fwhost addnet' => 'Netzwerk hinzufügen:',
+-'fwhost addrule' => 'Regel hinzufügen/ändern:',
+-'fwhost addservice' => 'Dienst hinzufügen:',
+-'fwhost addservicegrp' => 'Dienstgruppe hinzufügen:',
+-'fwhost any' => 'Alle',
+-'fwhost attention' => 'ACHTUNG',
+-'fwhost back' => 'Zurück',
+-'fwhost blue' => 'Blau',
+-'fwhost ccdhost' => 'OpenVPN Clients:',
+-'fwhost ccdnet' => 'OpenVPN Netzwerke:',
+-'fwhost change' => 'Ändern',
+-'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
+-'fwhost cust addr' => 'Hosts:',
+-'fwhost cust grp' => 'Gruppen:',
+-'fwhost cust net' => 'Netzwerke:',
+-'fwhost cust service' => 'Dienste:',
+-'fwhost cust srvgrp' => 'Dienstgruppen',
+-'fwhost deleted' => 'Gelöscht',
+-'fwhost empty' => 'Keine Regeln definiert',
+-'fwhost err addr' => 'IP Adresse oder Subnetzmaske ungültig',
+-'fwhost err addrgrp' => 'Bitte gruppenname angeben',
+-'fwhost err empty' => 'Bitte alle Felder füllen',
+-'fwhost err grpexist' => 'Gruppe existiert bereits',
+-'fwhost err groupempty' => 'Gewählte Gruppe ist leer',
+-'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich',
+-'fwhost err name1' => 'Name muss gefüllt sein',
+-'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits',
+-'fwhost err net' => 'Netzwerk IP Adresse existiert bereits',
+-'fwhost err mac' => 'MAC Adresse ungültig',
+-'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits',
+-'fwhost err hostorip' => 'Name oder IP Adresse ungültig',
+-'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet',
+-'fwhost err isccdipnet' => 'Diese IP Adresse wird bereits für einen Openvpn Netzwerk verwendet',
+-'fwhost err isccdiphost'=> 'Diese IP Adresse wird bereits für einen Openvpn Host verwendet',
+-'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet',
+-'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe',
+-'fwhost err ip' => 'IP Addresse ungültig',
+-'fwhost err ipmac' => 'IP/MAC Addresse ungültig',
+-'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet',
+-'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben',
+-'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks',
+-'fwhost err port' => 'Port muss gefüllt sein',
+-'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 und -_();|.',
+-'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
+-'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits',
+-'fwhost err sub32' => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk',
+-'fwhost green' => 'Grün',
+-'fwhost hosts' => 'Firewall Hosts',
+-'fwhost hint' => 'Hinweis',
+-'fwhost icmptype' => 'ICMP-Typ:',
+-'fwhost ipadr' => 'IP Adresse:',
+-'fwhost ip_mac' => 'IP/MAC Adresse',
+-'fwhost ipsec host' => 'IPsec Clients:',
+-'fwhost ipsec net' => 'IPsec Netzwerke:',
+-'fwhost netaddress' => 'Netzwerk Adresse',
+-'fwhost newnet' => 'Netzwerke',
+-'fwhost newhost' => 'Hosts',
+-'fwhost newgrp' => 'Netzwerk-/ Hostgruppierung',
+-'fwhost newservice' => 'Dienst',
+-'fwhost newservicegrp' => 'Dienstgruppierung',
+-'fwhost menu' => 'Firewallgruppen',
+-'fwhost orange' => 'Orange',
+-'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
+-'fwhost port' => 'Port(s)',
+-'fwhost prot' => 'Protokoll',
+-'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.',
+-'fwhost reset' => 'Abbrechen',
+-'fwhost services' => 'Dienste',
+-'fwhost srv_name' => 'Dienstname',
+-'fwhost stdnet' => 'Standard Netzwerke:',
+-'fwhost type' => 'Typ',
+-'fwhost used' => 'Benutzt',
+-'fwhost welcome' => 'Hier können einzelne Netzwerke, Hosts oder Dienste definiert werden. Diese lassen sich zu Gruppen zusammenfassen und in der Firewall verwenden. Durch die Gruppen kann man Einzelne Firewallregeln auf mehrere Netzwerke und Hosts anwenden und so die Regeln übersichtlich halten.',
+-'fwhost wo subnet' => '(Ohne Subnetz)',
+ 'free' => 'Frei',
+ 'free memory' => 'Freier Speicher ',
+ 'free swap' => 'Freier Swap',
+@@ -1064,12 +904,173 @@
+ 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+ 'fw blue' => 'Firewall-Optionen für das Blaue Interface',
+ 'fw default drop' => 'Firewall Policy',
++'fw logging' => 'Firewall-Logging',
+ 'fw settings' => 'Firewall-Einstellungen',
+ 'fw settings color' => 'Farben in Regeltabelle anzeigen',
++'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
+ 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
+ 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+-'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
+-'fw logging' => 'Firewall-Logging',
++'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
++'fwdfw DROP' => 'Verwerfen (DROP)',
++'fwdfw MODE1' => 'Alle Pakete verwerfen',
++'fwdfw MODE2' => 'Alle Pakete annehmen',
++'fwdfw REJECT' => 'Verweigern (REJECT)',
++'fwdfw action' => 'Aktion',
++'fwdfw additional' => 'Weitere Einstellungen',
++'fwdfw addr grp' => 'Adressgruppen:',
++'fwdfw addrule' => 'Regel hinzufügen/ändern:',
++'fwdfw change' => 'Aktualisieren',
++'fwdfw copy' => 'Kopieren',
++'fwdfw cust addr' => 'Custom Adressen:',
++'fwdfw cust net' => 'Custom Netzwerke:',
++'fwdfw delete' => 'Löschen',
++'fwdfw dnat' => 'DNAT/Port-Weiterleitung',
++'fwdfw dnat error' => 'Für Destination-NAT muss ein einzelner Host als Ziel ausgewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
++'fwdfw dnat porterr' => 'Für NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden',
++'fwdfw edit' => 'Bearbeiten',
++'fwdfw err nosrc' => 'Keine Quelle ausgewählt',
++'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben',
++'fwdfw err notgt' => 'Kein Ziel ausgewählt',
++'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben',
++'fwdfw err prot' => 'Quell- und Zielprotokoll müssen identisch sein',
++'fwdfw err remark' => 'Die Bemerkung enthält ungültige Zeichen',
++'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits',
++'fwdfw err same' => 'Quelle und Ziel sind identisch',
++'fwdfw err samesub' => 'Quell- und Ziel-IP-Adresse befinden sich im selben Subnetz',
++'fwdfw err src_addr' => 'Quell-MAC/IP-Adresse ungültig',
++'fwdfw err srcovpn' => 'Die gewählte Quell-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. Bitte wählen Sie die passende Verbindung direkt aus.',
++'fwdfw err srcport' => 'Bitte Quellport angeben',
++'fwdfw err tgt_addr' => 'Ungültige Ziel-IP-Adresse',
++'fwdfw err tgt_grp' => 'Die Ziel-Dienstgruppe ist leer',
++'fwdfw err tgt_mac' => 'MAC-Adressen können nicht als Ziel defininert werden',
++'fwdfw err tgt_port' => 'Ungültiger Zielport',
++'fwdfw err tgtovpn' => 'Die gewählte Ziel-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. Bitte wählen Sie die passende Verbindung direkt aus.',
++'fwdfw err tgtport' => 'Bitte Zielport angeben',
++'fwdfw err time' => 'Es muss mindestens ein Tag ausgewählt werden',
++'fwdfw final_rule' => 'Letzte Regel: ',
++'fwdfw from' => 'Von:',
++'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel mag eventuell niemals zutreffen, da sich Quelle und Ziel überlappen.',
++'fwdfw hint ip2' => 'Bitte überprüfen Sie, ob diese Regel Sinn macht: ',
++'fwdfw ipsec network' => 'IPsec-Netzwerke:',
++'fwdfw log rule' => 'Logging aktivieren',
++'fwdfw man port' => 'Port(s):',
++'fwdfw menu' => 'Firewallregeln',
++'fwdfw movedown' => 'Herunter',
++'fwdfw moveup' => 'Herauf',
++'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.',
++'fwdfw newrule' => 'Neue Regel erstellen',
++'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.',
++'fwdfw pol allow' => 'Zugelassen',
++'fwdfw pol block' => 'Blockiert',
++'fwdfw pol text' => 'Firewall-Standardverhalten für Verbindungen aus lokalen Netzwerken: Alle Verbindungen können entweder zugelassen oder geblockt werden, wenn keine Ausnahmeregel zutrifft. "Blockiert" trennt ebenfalls die Kommunikation zwischen den lokalen Netzwerken.',
++'fwdfw pol text1' => 'Firewall-Standardverhalten für von der Firewall selbst initiierte Verbindungen.',
++'fwdfw pol title' => 'Standardverhalten der Firewall',
++'fwdfw red' => 'ROT',
++'fwdfw reread' => 'Übernehmen',
++'fwdfw rule action' => 'Regelaktion:',
++'fwdfw rule activate' => 'Regel aktivieren',
++'fwdfw rulepos' => 'Regelposition',
++'fwdfw rules' => 'Regeln',
++'fwdfw snat' => 'SNAT (ersetzt die Quell-IP-Adresse mit der hier konfigurierten)',
++'fwdfw source' => 'Quelle',
++'fwdfw sourceip' => 'Quelladresse (IP/MAC-Adresse oder Netzwerk):',
++'fwdfw std network' => 'Standard Netzwerke:',
++'fwdfw target' => 'Ziel',
++'fwdfw targetip' => 'Zieladresse (IP/MAC-Adresse oder Netzwerk):',
++'fwdfw till' => 'Bis:',
++'fwdfw time' => 'Zeitrahmen',
++'fwdfw timeframe' => 'Zeitrahmen hinzufügen',
++'fwdfw toggle' => 'Aktivieren oder deaktivieren',
++'fwdfw togglelog' => 'Log aktivieren oder deaktivieren',
++'fwdfw use nat' => 'NAT benutzen',
++'fwdfw use srcport' => 'Quellport benutzen',
++'fwdfw use srv' => 'Zielport benutzen',
++'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.',
++'fwdfw wd_fri' => 'Fr',
++'fwdfw wd_mon' => 'Mo',
++'fwdfw wd_sat' => 'Sa',
++'fwdfw wd_sun' => 'So',
++'fwdfw wd_thu' => 'Do',
++'fwdfw wd_tue' => 'Di',
++'fwdfw wd_wed' => 'Mi',
++'fwdfw xt access' => 'Input',
++'fwhost addgrp' => 'Neue Gruppe hinzufügen:',
++'fwhost addgrpname' => 'Gruppenname:',
++'fwhost addhost' => 'Neuen Host hinzufügen:',
++'fwhost addnet' => 'Neues Netzwerk hinzufügen:',
++'fwhost addrule' => 'Regel hinzufügen/ändern:',
++'fwhost addservice' => 'Neuen Dienst hinzufügen:',
++'fwhost addservicegrp' => 'Neue Dienstgruppe hinzufügen:',
++'fwhost any' => 'Alle',
++'fwhost attention' => 'ACHTUNG',
++'fwhost back' => 'Zurück',
++'fwhost blue' => 'Blau',
++'fwhost ccdhost' => 'OpenVPN-Clients:',
++'fwhost ccdnet' => 'OpenVPN-Netzwerke:',
++'fwhost change' => 'Ändern',
++'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.',
++'fwhost cust addr' => 'Hosts:',
++'fwhost cust grp' => 'Gruppen:',
++'fwhost cust net' => 'Netzwerke:',
++'fwhost cust service' => 'Dienste:',
++'fwhost cust srvgrp' => 'Dienstgruppen',
++'fwhost deleted' => 'Gelöscht',
++'fwhost empty' => 'Keine Regeln definiert',
++'fwhost err addr' => 'IP-Adresse oder Subnetzmaske ungültig',
++'fwhost err addrgrp' => 'Bitte Gruppennamen angeben',
++'fwhost err empty' => 'Bitte alle Felder ausfüllen',
++'fwhost err groupempty' => 'Die gewählte Gruppe ist leer',
++'fwhost err grpexist' => 'Die Gruppe existiert bereits',
++'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits',
++'fwhost err hostorip' => 'Name oder IP-Adresse ungültig',
++'fwhost err ip' => 'IP-Adresse ungültig',
++'fwhost err ipcheck' => 'Diese IP-Adresse wird bereits verwendet',
++'fwhost err ipmac' => 'Ungültige IP/MAC-Addresse',
++'fwhost err ipwithsub' => 'Bitte nur eine IP-Adresse (ohne Subnetzmaske) eingeben',
++'fwhost err isccdhost' => 'Dieser Name wird bereits für einen OpenVPN-Host verwendet',
++'fwhost err isccdiphost' => 'Diese IP-Adresse wird bereits für einen OpenVPN-Host verwendet',
++'fwhost err isccdipnet' => 'Diese IP-Adresse wird bereits für einen OpenVPN-Netzwerk verwendet',
++'fwhost err isccdnet' => 'Dieser Name wird bereits für einen OpenVPN-Netzwerk verwendet',
++'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe',
++'fwhost err mac' => 'Ungültige MAC-Adresse',
++'fwhost err name' => 'Ungültiger Name. Erlaubte Zeichen: Klein- und Großbuchstaben, Leerzeichen und Bindestrich.',
++'fwhost err name1' => 'Der Name muss ausgefüllt sein',
++'fwhost err net' => 'Netzwerk/IP-Adresse existiert bereits',
++'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits',
++'fwhost err partofnet' => 'Dieses Netzwerk ist ein Subnetz eines bereits existierenden Netzwerks',
++'fwhost err port' => 'Port muss gefüllt sein',
++'fwhost err remark' => 'Ungültige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.',
++'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits',
++'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe',
++'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufügen, keine Netzwerke',
++'fwhost green' => 'Grün',
++'fwhost hint' => 'Hinweis',
++'fwhost hosts' => 'Firewall-Hosts',
++'fwhost icmptype' => 'ICMP-Typ:',
++'fwhost ip_mac' => 'IP/MAC-Adresse',
++'fwhost ipadr' => 'IP-Adresse:',
++'fwhost ipsec host' => 'IPsec-Clients:',
++'fwhost ipsec net' => 'IPsec-Netzwerke:',
++'fwhost menu' => 'Firewallgruppen',
++'fwhost netaddress' => 'Netzwerkadresse',
++'fwhost newgrp' => 'Netzwerk-/Hostgruppen',
++'fwhost newhost' => 'Hosts',
++'fwhost newnet' => 'Netzwerke',
++'fwhost newservice' => 'Dienst',
++'fwhost newservicegrp' => 'Dienstgruppen',
++'fwhost orange' => 'Orange',
++'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
++'fwhost port' => 'Port(s)',
++'fwhost prot' => 'Protokoll',
++'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.',
++'fwhost reset' => 'Abbrechen',
++'fwhost services' => 'Dienste',
++'fwhost srv_name' => 'Dienstname',
++'fwhost stdnet' => 'Standard-Netzwerke:',
++'fwhost type' => 'Typ',
++'fwhost used' => 'Genutzt',
++'fwhost welcome' => 'Hier können einzelne Hosts, Netzwerke oder Dienste zu Gruppen zusammengefasst werden, was das erstellen von Firewallregeln einfacher und schneller macht.',
++'fwhost wo subnet' => '(Ohne Subnetz)',
+ 'gateway' => 'Gateway',
+ 'gateway ip' => 'Gateway-IP',
+ 'gen static key' => 'Statischen Schlüssel erzeugen',
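Review bot: The new German `'fwdfw pol text1'` string drops the lock-out warning that the removed version carried (`Achtung! Mit diesen Einstellungen kann man sich aussperren.`), while the English counterpart in en.pl still ends with `Attention! You may lock yourself out.`. I would keep the warning in German too, because this text describes the default policy for connections initiated by the firewall itself. In the same hunk `'fwdfw targetip'` now reads `Zieladresse (IP/MAC-Adresse oder Netzwerk):`, although `'fwdfw err tgt_mac'` still says MAC addresses cannot be used as a destination, so the label should go back to `Zieladresse (IP-Adresse oder Netzwerk):`. `'fwhost err name'` and `'fwhost err remark'` no longer list digits (or `|` for remarks) among the allowed characters. The validation code is not part of this hunk, so please confirm that both messages still match what the checks actually accept.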
+diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
+index 1a05542..a7c8a65 100644
+--- a/langs/en/cgi-bin/en.pl
++++ b/langs/en/cgi-bin/en.pl
+@@ -766,9 +766,9 @@
+ 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+ 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
+ 'drop action2' => 'Default behaviour of (input) firewall',
++'drop forward' => 'Log dropped forward packets',
+ 'drop input' => 'Log dropped input packets',
+ 'drop newnotsyn' => 'Log dropped new not syn packets',
+-'drop forward' => 'Log dropped forward packets',
+ 'drop outgoing' => 'Log dropped outgoing packets',
+ 'drop portscan' => 'Log dropped portscan packets',
+ 'drop proxy' => 'Drop all packets not addressed to proxy',
+@@ -902,171 +902,10 @@
+ 'fixed ip lease removed' => 'Fixed IP lease removed',
+ 'force update' => 'Force update',
+ 'force user' => 'force all new file to user',
++'forward firewall' => 'Firewall',
+ 'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
+ 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
+ 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
+-'forward firewall' => 'Firewall',
+-'fwdfw ACCEPT' => 'ACCEPT',
+-'fwdfw additional' => 'Additional',
+-'fwdfw action' => 'Action',
+-'fwdfw menu' => 'Firewall rules',
+-'fwdfw addrule' => 'Add/Edit rule:',
+-'fwdfw addr grp' => 'Adress groups:',
+-'fwdfw change' => 'Update',
+-'fwdfw cust addr' => 'Custom addresses:',
+-'fwdfw cust net' => 'Custom networks:',
+-'fwdfw copy' => 'Copy',
+-'fwdfw delete' => 'Delete',
+-'fwdfw dnat' => 'DNAT/Portforward (replace this IP address with the one from TARGET)',
+-'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
+-'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
+-'fwdfw DROP' => 'DROP',
+-'fwdfw edit' => 'Edit',
+-'fwdfw err nosrc' => 'No source selected.',
+-'fwdfw err nosrcip' => 'Please provide source IP address.',
+-'fwdfw err notgt' => 'No target selected.',
+-'fwdfw err notgtip' => 'Please provide target IP address.',
+-'fwdfw err prot' => 'Source and target protocol have to match.',
+-'fwdfw err remark' => 'Invalid chars in remark.',
+-'fwdfw err ruleexists' => 'This rule already exists.',
+-'fwdfw err src_addr' => 'Invalid source MAC/IP.',
+-'fwdfw err srcovpn' => 'Source-IP address is an OpenVPN client. Please use dropdown for selection',
+-'fwdfw err same' => 'Identical source and target',
+-'fwdfw err samesub' => 'Source and target IP adress are in same subnet.',
+-'fwdfw err srcport' => 'Please provide source port.',
+-'fwdfw err tgtport' => 'Please provide target port.',
+-'fwdfw err tgt_addr' => 'Invalid target IP-address.',
+-'fwdfw err tgtovpn' => 'Target-IP address is an OpenVPN client. Please use dropdown for selection',
+-'fwdfw err tgt_port' => 'Invalid target port',
+-'fwdfw err tgt_mac' => 'MAC addresses cannot be used as target.',
+-'fwdfw err tgt_grp' => 'Target servicegroup is empty',
+-'fwdfw err time' => 'You have to define at least one day.',
+-'fwdfw from' => 'From:',
+-'fwdfw final_rule' => 'Last rule: ',
+-'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target probably are in same subnet.',
+-'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ',
+-'fwdfw ipsec network' => 'IpSec networks:',
+-'fwdfw log rule' => 'Log rule',
+-'fwdfw man port' => 'Port(s) manual:',
+-'fwdfw moveup' => 'Move up',
+-'fwdfw movedown' => 'Move down',
+-'fwdfw MODE1' => 'Drop all packets',
+-'fwdfw MODE2' => 'Accept all packets',
+-'fwdfw p2p txt' => 'Here you can admit or deny or allow single p2p networks. Just define which networks are allowed or denied and the system takes care of the rules depending on the firewall mode. An allowed p2p network may use a lot of bandwith.',
+-'fwdfw pol allow' => 'Allowed',
+-'fwdfw pol block' => 'Blocked',
+-'fwdfw pol title' => 'Firewall default behavior',
+-'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+-'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! You can lock yourself out with these settings. Normally there is no need to change anything here.',
+-'fwdfw red' => 'RED',
+-'fwdfw REJECT' => 'REJECT',
+-'fwdfw reread' => 'Apply',
+-'fwdfw rules' => 'Rules',
+-'fwdfw rule action' => 'Rule action:',
+-'fwdfw rule activate' => 'Activate rule',
+-'fwdfw rulepos' => 'Rule position',
+-'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)',
+-'fwdfw source' => 'Source',
+-'fwdfw sourceip' => 'Source address (MAC, IP address or Network):',
+-'fwdfw std network' => 'Standard networks:',
+-'fwdfw target' => 'Target',
+-'fwdfw targetip' => 'Target address (IP address or network):',
+-'fwdfw till' => 'Till:',
+-'fwdfw time' => 'Timeframe',
+-'fwdfw timeframe' => 'Add timeframe',
+-'fwdfw toggle' => 'Activate or deactivate',
+-'fwdfw togglelog' => 'Activate or deactivate logging',
+-'fwdfw use nat' => 'Use NAT',
+-'fwdfw useless rule' => 'This rule is rejected (useless).',
+-'fwdfw use srcport' => 'Use source port',
+-'fwdfw use srv' => 'Use target port',
+-'fwdfw natport used' => 'The NAT port is already used by another DNAT rule',
+-'fwdfw newrule' => 'New rule',
+-'fwdfw wd_mon' => 'Mon',
+-'fwdfw wd_tue' => 'Tue',
+-'fwdfw wd_wed' => 'Wed',
+-'fwdfw wd_thu' => 'Thu',
+-'fwdfw wd_fri' => 'Fri',
+-'fwdfw wd_sat' => 'Sat',
+-'fwdfw wd_sun' => 'Sun',
+-'fwdfw xt access' => 'Input',
+-'fwhost addgrp' => 'Add Network / Host Group:',
+-'fwhost addgrpname' => 'Groupname:',
+-'fwhost addhost' => 'Add Host:',
+-'fwhost addnet' => 'Add Network:',
+-'fwhost addrule' => 'Add/Edit rule:',
+-'fwhost addservice' => 'Add Service:',
+-'fwhost addservicegrp' => 'Add Service Group:',
+-'fwhost any' => 'Any',
+-'fwhost attention' => 'ATTENTION',
+-'fwhost back' => 'Back',
+-'fwhost blue' => 'Blue',
+-'fwhost ccdhost' => 'OpenVPN clients:',
+-'fwhost ccdnet' => 'OpenVPN networks:',
+-'fwhost change' => 'Modify',
+-'fwhost changeremark' => 'You just modified the remark',
+-'fwhost cust addr' => 'Hosts:',
+-'fwhost cust grp' => 'Network / Host Groups:',
+-'fwhost cust net' => 'Networks:',
+-'fwhost cust service' => 'Services:',
+-'fwhost cust srvgrp' => 'Service groups:',
+-'fwhost deleted' => 'Deleted',
+-'fwhost empty' => 'No rules defined',
+-'fwhost err addr' => 'Invalid IP address or subnet',
+-'fwhost err addrgrp' => 'Please provide a groupname',
+-'fwhost err empty' => 'Please fill in all fields',
+-'fwhost err grpexist' => 'Group already exists',
+-'fwhost err groupempty' => 'Selected Group is empty',
+-'fwhost err name' => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+-'fwhost err name1' => 'Name is empty.',
+-'fwhost err netexist' => 'A network with this name already exists',
+-'fwhost err net' => 'Network IP address already exists',
+-'fwhost err mac' => 'MAC address invalid',
+-'fwhost err hostexist' => 'A host with this name already exists',
+-'fwhost err hostorip' => 'Name or IP address invalid',
+-'fwhost err isccdhost' => 'This name is already used by an OpenVPN client',
+-'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network',
+-'fwhost err isccdiphost'=> 'This IP address is already used by an OpenVPN client',
+-'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network',
+-'fwhost err isingrp' => 'This entry already exists in the group',
+-'fwhost err ip' => 'IP address invalid',
+-'fwhost err ipmac' => 'IP/MAC address invalid',
+-'fwhost err ipcheck' => 'This IP address is already in use',
+-'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
+-'fwhost err partofnet' => 'This network is part of an already existing one',
+-'fwhost err port' => 'Port is empty',
+-'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 and -_();|.',
+-'fwhost err srvexist' => 'This service already exists in the group',
+-'fwhost err srv exists' => 'A Service with this name already exists',
+-'fwhost err sub32' => 'Please add single host. This subnet is no network',
+-'fwhost green' => 'Green',
+-'fwhost hosts' => 'Firewall Hosts',
+-'fwhost hint' => 'Note',
+-'fwhost icmptype' => 'ICMP type:',
+-'fwhost ipadr' => 'IP address:',
+-'fwhost ip_mac' => 'IP/MAC address',
+-'fwhost ipsec host' => 'IPsec clients:',
+-'fwhost ipsec net' => 'IPsec networks:',
+-'fwhost netaddress' => 'Network address',
+-'fwhost newnet' => 'Networks',
+-'fwhost newhost' => 'Hosts',
+-'fwhost newgrp' => 'Network / Host Groups',
+-'fwhost newservice' => 'Services',
+-'fwhost newservicegrp' => 'Service Groups',
+-'fwhost menu' => 'Firewall Groups',
+-'fwhost orange' => 'Orange',
+-'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
+-'fwhost port' => 'Port(s)',
+-'fwhost prot' => 'Protocol',
+-'fwhost reread' => 'Firewall rules need to be updated.',
+-'fwhost reset' => 'Cancel',
+-'fwhost services' => 'Services:',
+-'fwhost srv_name' => 'Servicename',
+-'fwhost stdnet' => 'Standard networks:',
+-'fwhost type' => 'Type',
+-'fwhost used' => 'Used',
+-'fwhost welcome' => 'Here you can define single networks, hosts or services which can be grouped together. These networks, hosts and groups can then be used in the firewall. You are able to use only a few rules for a big amount of networks, hosts or groups.',
+-'fwhost wo subnet' => '(without subnet)',
+ 'free' => 'Free',
+ 'free memory' => 'Free Memory ',
+ 'free swap' => 'Free Swap',
+@@ -1082,12 +921,173 @@
+ 'from warn email bad' => 'From e-mail address is not valid',
+ 'fw blue' => 'Firewall options for BLUE interface',
+ 'fw default drop' => 'Firewall policy',
++'fw logging' => 'Firewall logging',
+ 'fw settings' => 'Firewall settings',
+ 'fw settings color' => 'Show colors in ruletable',
++'fw settings dropdown' => 'Show all networks on rulecreation site',
+ 'fw settings remark' => 'Show remarks in ruletable',
+ 'fw settings ruletable' => 'Show empty ruletables',
+-'fw settings dropdown' => 'Show all networks on rulecreation site',
+-'fw logging' => 'Firewall logging',
++'fwdfw ACCEPT' => 'ACCEPT',
++'fwdfw DROP' => 'DROP',
++'fwdfw MODE1' => 'Drop all packets',
++'fwdfw MODE2' => 'Accept all packets',
++'fwdfw REJECT' => 'REJECT',
++'fwdfw action' => 'Action',
++'fwdfw additional' => 'Additional settings',
++'fwdfw addr grp' => 'Adress groups:',
++'fwdfw addrule' => 'Add/Edit rule:',
++'fwdfw change' => 'Update',
++'fwdfw copy' => 'Copy',
++'fwdfw cust addr' => 'Custom addresses:',
++'fwdfw cust net' => 'Custom networks:',
++'fwdfw delete' => 'Delete',
++'fwdfw dnat' => 'Port forwarding/Destination NAT',
++'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
++'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
++'fwdfw edit' => 'Edit',
++'fwdfw err nosrc' => 'No source selected.',
++'fwdfw err nosrcip' => 'Please provide a source IP address.',
++'fwdfw err notgt' => 'No destination selected.',
++'fwdfw err notgtip' => 'Please provide a destination IP address.',
++'fwdfw err prot' => 'Source and destination protocol need to match.',
++'fwdfw err remark' => 'Invalid characters in remark.',
++'fwdfw err ruleexists' => 'This rule already exists.',
++'fwdfw err same' => 'Source and destination are identical.',
++'fwdfw err samesub' => 'Source and destination IP addresses are from the same subnet.',
++'fwdfw err src_addr' => 'Invalid source MAC/IP address.',
++'fwdfw err srcovpn' => 'The entered source IP address is used by an OpenVPN client. Please use the dropdown menu and select the right client connection.',
++'fwdfw err srcport' => 'Please provide a source port.',
++'fwdfw err tgt_addr' => 'Invalid destination IP address.',
++'fwdfw err tgt_grp' => 'The destination service group is empty',
++'fwdfw err tgt_mac' => 'A MAC addresses cannot be used as destination.',
++'fwdfw err tgt_port' => 'Invalid destination port.',
++'fwdfw err tgtovpn' => 'The entered destination IP address is used by an OpenVPN client. Please use the dropdown menu and select the right client connection.',
++'fwdfw err tgtport' => 'Please provide a destination port.',
++'fwdfw err time' => 'You have to select at least one day.',
++'fwdfw final_rule' => 'Last rule: ',
++'fwdfw from' => 'From:',
++'fwdfw hint ip1' => 'The last generated rule may never match, because source and destination subnets may overlap.',
++'fwdfw hint ip2' => 'Please double-check if this rule makes sense: ',
++'fwdfw ipsec network' => 'IPsec networks:',
++'fwdfw log rule' => 'Log rule',
++'fwdfw man port' => 'Port(s):',
++'fwdfw menu' => 'Firewall Rules',
++'fwdfw movedown' => 'Move down',
++'fwdfw moveup' => 'Move up',
++'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.',
++'fwdfw newrule' => 'New rule',
++'fwdfw p2p txt' => 'Grant/deny access to P2P networks.',
++'fwdfw pol allow' => 'Allowed',
++'fwdfw pol block' => 'Blocked',
++'fwdfw pol text' => 'Sets the default firewall behaviour for connections from local networks. You may either allow all new connections or block them by default. Connections between the local networks are also blocked in the latter mode.',
++'fwdfw pol text1' => 'Sets the default firewall behaviour for connections initiated by the firewall itself. Attention! You may lock yourself out.',
++'fwdfw pol title' => 'Default firewall behaviour',
++'fwdfw red' => 'RED',
++'fwdfw reread' => 'Apply',
++'fwdfw rule action' => 'Rule action:',
++'fwdfw rule activate' => 'Activate rule',
++'fwdfw rulepos' => 'Rule position',
++'fwdfw rules' => 'Rules',
++'fwdfw snat' => 'SNAT (replace the source\'s IP address by this IP address)',
++'fwdfw source' => 'Source',
++'fwdfw sourceip' => 'Source address (MAC/IP address or network):',
++'fwdfw std network' => 'Standard networks:',
++'fwdfw target' => 'Destination',
++'fwdfw targetip' => 'Destination address (MAC/IP address or network):',
++'fwdfw till' => 'Until:',
++'fwdfw time' => 'Time Constraints',
++'fwdfw timeframe' => 'Use time constraints',
++'fwdfw toggle' => 'Activate or deactivate',
++'fwdfw togglelog' => 'Activate or deactivate logging',
++'fwdfw use nat' => 'Use NAT',
++'fwdfw use srcport' => 'Use source port',
++'fwdfw use srv' => 'Use destination port',
++'fwdfw useless rule' => 'This rule is useless.',
++'fwdfw wd_fri' => 'Fri',
++'fwdfw wd_mon' => 'Mon',
++'fwdfw wd_sat' => 'Sat',
++'fwdfw wd_sun' => 'Sun',
++'fwdfw wd_thu' => 'Thu',
++'fwdfw wd_tue' => 'Tue',
++'fwdfw wd_wed' => 'Wed',
++'fwdfw xt access' => 'Input',
++'fwhost addgrp' => 'Add new network/host group:',
++'fwhost addgrpname' => 'Group name:',
++'fwhost addhost' => 'Add new host:',
++'fwhost addnet' => 'Add new hetwork:',
++'fwhost addrule' => 'Add/edit rule:',
++'fwhost addservice' => 'Add service:',
++'fwhost addservicegrp' => 'Add new service group:',
++'fwhost any' => 'Any',
++'fwhost attention' => 'ATTENTION',
++'fwhost back' => 'Back',
++'fwhost blue' => 'Blue',
++'fwhost ccdhost' => 'OpenVPN clients:',
++'fwhost ccdnet' => 'OpenVPN networks:',
++'fwhost change' => 'Modify',
++'fwhost changeremark' => 'You modified just the remark',
++'fwhost cust addr' => 'Hosts:',
++'fwhost cust grp' => 'Network/Host Groups:',
++'fwhost cust net' => 'Networks:',
++'fwhost cust service' => 'Services:',
++'fwhost cust srvgrp' => 'Service Groups:',
++'fwhost deleted' => 'Deleted',
++'fwhost empty' => 'No rules defined',
++'fwhost err addr' => 'Invalid IP address or subnet',
++'fwhost err addrgrp' => 'Please provide a group name',
++'fwhost err empty' => 'Please fill in all input fields',
++'fwhost err groupempty' => 'The selected group is empty',
++'fwhost err grpexist' => 'Group already exists',
++'fwhost err hostexist' => 'A host with the same name already exists',
++'fwhost err hostorip' => 'Invalid name or IP address',
++'fwhost err ip' => 'IP address invalid',
++'fwhost err ipcheck' => 'This IP address is already in use',
++'fwhost err ipmac' => 'IP/MAC address invalid',
++'fwhost err ipwithsub' => 'Please provide only an IP address (without subnet mask)',
++'fwhost err isccdhost' => 'This name is already used by an OpenVPN client connection',
++'fwhost err isccdiphost' => 'This IP address is already used by an OpenVPN client connection',
++'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network connection',
++'fwhost err isccdnet' => 'This name is already used by an OpenVPN network',
++'fwhost err isingrp' => 'This entry already exists in the group',
++'fwhost err mac' => 'Invalid MAC address',
++'fwhost err name' => 'Invalid name. Allowed characters: Upper- and lowercase letters, digits, space and dash.',
++'fwhost err name1' => 'Empty name.',
++'fwhost err net' => 'Network/IP address already exists',
++'fwhost err netexist' => 'A network with the same name already exists',
++'fwhost err partofnet' => 'The network is a subnet of an already existing network.',
++'fwhost err port' => 'Port is empty',
++'fwhost err remark' => 'Invalid remark. Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.',
++'fwhost err srv exists' => 'A service with the same name already exists',
++'fwhost err srvexist' => 'This service already exists in the group',
++'fwhost err sub32' => 'Please add a single host, not a network.',
++'fwhost green' => 'Green',
++'fwhost hint' => 'Note',
++'fwhost hosts' => 'Firewall Hosts',
++'fwhost icmptype' => 'ICMP type:',
++'fwhost ip_mac' => 'IP/MAC address',
++'fwhost ipadr' => 'IP address:',
++'fwhost ipsec host' => 'IPsec clients:',
++'fwhost ipsec net' => 'IPsec networks:',
++'fwhost menu' => 'Firewall Groups',
++'fwhost netaddress' => 'Network address',
++'fwhost newgrp' => 'Network/Host Groups',
++'fwhost newhost' => 'Hosts',
++'fwhost newnet' => 'Networks',
++'fwhost newservice' => 'Services',
++'fwhost newservicegrp' => 'Service Groups',
++'fwhost orange' => 'Orange',
++'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net',
++'fwhost port' => 'Port(s)',
++'fwhost prot' => 'Protocol',
++'fwhost reread' => 'Firewall rules need to be updated.',
++'fwhost reset' => 'Cancel',
++'fwhost services' => 'Services:',
++'fwhost srv_name' => 'Service name',
++'fwhost stdnet' => 'Standard networks:',
++'fwhost type' => 'Type',
++'fwhost used' => 'Used',
++'fwhost welcome' => 'Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster.',
++'fwhost wo subnet' => '(without subnet)',
+ 'g.dtm' => 'TO BE REMOVED',
+ 'g.lite' => 'TO BE REMOVED',
+ 'gateway' => 'Gateway',
+--
+1.7.10.4
+
--- /dev/null
+From 94bfef8e8578f841e91b0438357e5b0769d022f8 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Fri, 2 Aug 2013 07:55:44 +0200
+Subject: [PATCH 300/302] Forward Firewall: deleted unused warning message
+ regarding mac addresses
+
+---
+ html/cgi-bin/fwhosts.cgi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
+index 065d195..879e6b8 100755
+--- a/html/cgi-bin/fwhosts.cgi
++++ b/html/cgi-bin/fwhosts.cgi
+@@ -1264,7 +1264,7 @@ END
+ if ($show eq '1'){$show='';print"</select></td></tr>";}
+ print"</table>";
+ print"</td></tr></table>";
+- print"<br><br><b>$Lang::tr{'fwhost attention'}:</b><br> $Lang::tr{'fwhost macwarn'}<br><hr>";
++ print"<br><br><hr>";
+ }
+ print"<table border='0' width='100%'>";
+ print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value=\"$fwhostsettings{'update'}\"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='resetgrp'></form></td></table>";
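Review bot: The two hidden fields on the last line of this hunk print `$fwhostsettings{'oldremark'}` and `$fwhostsettings{'update'}` straight into HTML attribute values, and nothing visible in the hunk escapes them first. If either value can still carry request data at this point, a quote character in it ends the attribute (the first field is delimited with `'`, the second with `\"`), which would let markup be injected into the admin page. I would HTML-escape both values before the `print` and use one quoting style for both, e.g. `value='$oldremark_html'`, where `$oldremark_html` is the escaped copy (name constructed for illustration). The enclosing block starts before the hunk, so the values may already be validated there; that is worth confirming.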
+--
+1.7.10.4
+
--- /dev/null
+From bbf42ee8321708cdb99ccae4f828f59803e69e2c Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 5 Aug 2013 09:20:16 +0200
+Subject: [PATCH 301/302] Forward Firewall: deleted outgoingfwmac from
+ firewall script (not used in new firewall)
+
+---
+ lfs/strongswan.save | 114 +++++++++++++++++++++++++++++++++++++++
+ src/initscripts/init.d/firewall | 3 --
+ 2 files changed, 114 insertions(+), 3 deletions(-)
+ create mode 100644 lfs/strongswan.save
+
+diff --git a/lfs/strongswan.save b/lfs/strongswan.save
+new file mode 100644
+index 0000000..797e512
+--- /dev/null
++++ b/lfs/strongswan.save
+@@ -0,0 +1,114 @@
++###############################################################################
++# #
++# IPFire.org - A linux based firewall #
++# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
++# #
++# This program is free software: you can redistribute it and/or modify #
++# it under the terms of the GNU General Public License as published by #
++# the Free Software Foundation, either version 3 of the License, or #
++# (at your option) any later version. #
++# #
++# This program is distributed in the hope that it will be useful, #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
++# GNU General Public License for more details. #
++# #
++# You should have received a copy of the GNU General Public License #
++# along with this program. If not, see <http://www.gnu.org/licenses/>. #
++# #
++###############################################################################
++
++###############################################################################
++# Definitions
++###############################################################################
++
++include Config
++
++VER = 5.1.0
++
++THISAPP = strongswan-$(VER)
++DL_FILE = $(THISAPP).tar.bz2
++DL_FROM = $(URL_IPFIRE)
++DIR_APP = $(DIR_SRC)/strongswan-$(VER)
++TARGET = $(DIR_INFO)/$(THISAPP)
++
++ifeq "$(MACHINE)" "i586"
++ PADLOCK = --enable-padlock
++else
++ PADLOCK = --disable-padlock
++endif
++
++###############################################################################
++# Top-level Rules
++###############################################################################
++
++objects = $(DL_FILE)
++
++$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
++
++$(DL_FILE)_MD5 = c1cd0a3ba9960f590cae28c8470800e8
++
++install : $(TARGET)
++
++check : $(patsubst %,$(DIR_CHK)/%,$(objects))
++
++download :$(patsubst %,$(DIR_DL)/%,$(objects))
++
++md5 : $(subst %,%_MD5,$(objects))
++
++###############################################################################
++# Downloading, checking, md5sum
++###############################################################################
++
++$(patsubst %,$(DIR_CHK)/%,$(objects)) :
++ @$(CHECK)
++
++$(patsubst %,$(DIR_DL)/%,$(objects)) :
++ @$(LOAD)
++
++$(subst %,%_MD5,$(objects)) :
++ @$(MD5)
++
++###############################################################################
++# Installation Details
++###############################################################################
++
++$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
++ @$(PREBUILD)
++ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
++
++ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
++
++ cd $(DIR_APP) && ./configure \
++ --prefix="/usr" \
++ --sysconfdir="/etc" \
++ --enable-curl \
++ --enable-openssl \
++ --enable-xauth-eap \
++ --enable-eap-radius \
++ --enable-eap-tls \
++ --enable-eap-ttls \
++ --enable-eap-peap \
++ --enable-eap-mschapv2 \
++ --enable-eap-identity \
++ $(PADLOCK)
++
++ cd $(DIR_APP) && make $(MAKETUNING) LDFLAGS="-lrt"
++ cd $(DIR_APP) && make install
++
++ # Remove all library files we don't want or need.
++ rm -vf /usr/lib/ipsec/plugins/*.{,l}a
++
++ -rm -rfv /etc/rc*.d/*ipsec
++ cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
++ rm -f /etc/ipsec.conf /etc/ipsec.secrets
++ ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
++ ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
++
++ rm -rf /etc/ipsec.d/{cacerts,certs,crls}
++ ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
++ ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
++ ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
++
++ @rm -rf $(DIR_APP)
++ @$(POSTBUILD)
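Review bot: `lfs/strongswan.save` does not match the commit subject, which only mentions removing OUTGOINGFWMAC from the firewall script, and the `.save` suffix suggests a backup copy of the strongswan build file that was committed by accident; it should probably be dropped from this patch. If it is meant to stay, `VER = 5.1.0` is built with `src/patches/strongswan-5.0.2_ipfire.patch`, so the patch may not apply cleanly or may miss changes made for the newer release. A comment above the `patch` line such as `# 5.0.2 patch reviewed against 5.1.0, still applies` would record that this was checked. The tarball is also pinned only by `$(DL_FILE)_MD5`, which is a weak integrity check for the source of a VPN daemon; a stronger digest could be recorded alongside it if the build system's check macros support one.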
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 5b89e3d..92a3615 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -150,9 +150,6 @@ iptables_init() {
+ /sbin/iptables -N TOR_INPUT
+ /sbin/iptables -A INPUT -j TOR_INPUT
+
+- # Outgoing Firewall
+- /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+-
+ # localhost and ethernet.
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+
+--
+1.7.10.4
+
--- /dev/null
+From 576da815b9c271f4418bf6ce88be8e73b90e2434 Mon Sep 17 00:00:00 2001
+From: Alexander Marx <amarx@ipfire.org>
+Date: Mon, 5 Aug 2013 09:32:46 +0200
+Subject: [PATCH 302/302] Forward Firewall: deleted double TOR chain
+
+---
+ src/initscripts/init.d/firewall | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
+index 92a3615..fc49da4 100644
+--- a/src/initscripts/init.d/firewall
++++ b/src/initscripts/init.d/firewall
+@@ -146,10 +146,6 @@ iptables_init() {
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+
+- # TOR
+- /sbin/iptables -N TOR_INPUT
+- /sbin/iptables -A INPUT -j TOR_INPUT
+-
+ # localhost and ethernet.
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+
+--
+1.7.10.4
+