X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Foutgoingfw%2Foutgoingfw.pl;h=7dd14303a10c2d9d67c5dead71b56e6b28b488a8;hp=8d4d27d313136ab2ae486a50dece740d4f54b9ab;hb=ab74c839ddf125b73f7b79e925c31d03e92aa079;hpb=aa8245cbd54e3ba68903580381de4d60816606c5
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
index 8d4d27d313..7dd14303a1 100644
--- a/config/outgoingfw/outgoingfw.pl
+++ b/config/outgoingfw/outgoingfw.pl
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2010 IPFire Team #
+# Copyright (C) 2007-2011 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -25,6 +25,7 @@ use strict;
 #use warnings;
 require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
 my %outfwsettings = ();
 my %checked = ();
@@ -72,7 +73,6 @@ my $PROTO = "";
 my $DPORT = "";
 my $DEV = "";
 my $MAC = "";
-my $POLICY = "";
 my $DO = "";
 my $DAY = "";
@@ -89,11 +89,9 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 $outfwsettings{'STATE'} = "ALLOW";
- $POLICY = "DROP";
- $DO = "ACCEPT";
+ $DO = "RETURN";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 $outfwsettings{'STATE'} = "DENY";
- $POLICY = "ACCEPT";
 $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
 }
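Review bot: In the MODE1 branch `$DO = "RETURN"` changes what an allow rule does: matched traffic is no longer accepted inside OUTGOINGFW but handed back to whichever chain jumped here, so the allow outcome now depends on that caller, which is outside this file. What makes non-matching traffic end in a drop is the `-o $netsettings{'RED_DEV'} -j DROP` rule this same patch appends at the end of the chain (last hunk), and that pairing is easy to miss when reading this branch on its own. A one-line comment here would save the next reader the reconstruction: `# MODE1: RETURN skips the final DROP appended at the end of OUTGOINGFW; the calling chain decides the packet's fate`. The if/elsif block starts and ends inside the hunk.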
@@ -111,13 +109,13 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
@@ -183,17 +181,19 @@ foreach $configentry (sort @configs)
 @PROTO = ("tcp","udp");
 }
+ my $macrule = 0;
 foreach $PROTO (@PROTO){
 foreach $SOURCE (@SOURCE) {
 $SOURCE =~ s/\s//gi;
- if ( $SOURCE eq "" ){next;}
+ if ( $SOURCE eq "" || $configline[1] eq "" ){next;}
 if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){
 $SOURCE =~ s/[^a-zA-Z0-9]/:/gi;
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO";
+ $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO";
+ $macrule = 1;
 } else {
- $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO";
+ $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO";
 }
 if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) {
@@ -206,6 +206,7 @@ foreach $configentry (sort @configs)
 }
 if ($configline[17] && $configline[18]) {
+ $DAY = "";
 if ($configline[10]){$DAY = "Mon,"}
 if ($configline[11]){$DAY .= "Tue,"}
 if ($configline[12]){$DAY .= "Wed,"}
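Review bot: In the `@@ -183` hunk `$macrule` is set to 1 in the MAC branch but never set back to 0 in the `else` branch, and it is declared outside both `foreach` loops, so once one source takes the MAC path every later rule built for that entry is treated as a MAC rule. As far as the visible lines show, the branch condition depends only on per-entry fields (`$configline[6]`, `$configline[2]`), so it cannot currently flip between sources of one entry, but the flag should track the branch rather than the entry: add `$macrule = 0;` next to the `$CMD` assignment in the `else` branch. Related, `$SOURCE` is character-filtered only on the MAC path, while `$SOURCE` and `$DESTINATION` on the `else` path go into `$CMD` unchanged and `$CMD` now ends in a single-string `system()` inside `applyrule` (last hunk), so an anchored whitelist check of the address fields before building `$CMD` would be the cheap place to fail closed on a malformed config entry. The enclosing `foreach $configentry` loop starts and ends outside this hunk.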
@@ -218,19 +219,13 @@ foreach $configentry (sort @configs)
 $CMD = "$CMD -o $netsettings{'RED_DEV'}";
- if ($configline[9] eq "aktiv") {
- if ($DEBUG) {
- print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '\n";
- } else {
- system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '");
- }
+ if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) {
+ applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule);
+ } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) {
+ applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule);
 }
- if ($DEBUG) {
- print "$CMD -j $DO\n";
- } else {
- system("$CMD -j $DO");
- }
+ applyrule("$CMD -j $DO", $macrule);
 }
 }
 }
@@ -241,10 +236,9 @@ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
 @p2ps = ;
 close FILE;
-$CMD = "/sbin/iptables -A OUTGOINGFW -m ipp2p";
+$CMD = "-m ipp2p";
-foreach $p2pentry (sort @p2ps)
-{
+foreach $p2pentry (sort @p2ps) {
 @p2pline = split( /\;/, $p2pentry );
 if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 $DO = "DROP";
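Review bot: `$configline[9] eq $Lang::tr{'aktiv'}` compares a value stored in the rules file against the current translation of 'aktiv', so if the UI language is changed after rules were saved, the per-rule LOG rules silently stop being installed while the allow/drop rule on the next `applyrule` line is still applied; the removed code compared against the literal `"aktiv"`. If the config writer stores the translated string this stays consistent only while the language is unchanged, so storing a fixed token and comparing against that would decouple logging from the locale. The condition is also evaluated twice; `my $logme = $configline[9] eq $Lang::tr{'aktiv'};` before the `if` and `if ( $logme && ... 'MODE1' )` / `elsif ( $logme && ... 'MODE2' )` reads more clearly. The enclosing `foreach` loops start outside the hunk.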
@@ -252,34 +246,30 @@ foreach $p2pentry (sort @p2ps)
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 } else {
- $DO = "ACCEPT";
+ $DO = "RETURN";
 if ("$p2pline[2]" eq "on") {
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 }
 }
 if ($P2PSTRING) {
- if ($DEBUG) {
- print "$CMD $P2PSTRING -j $DO\n";
- } else {
- system("$CMD $P2PSTRING -j $DO");
- }
+ applyrule("$CMD $P2PSTRING -j $DO", 0);
 }
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '";
- if ($DEBUG) {
- print "$CMD\n";
- } else {
- system("$CMD");
- }
- }
+ if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
+ applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0);
+ }
- $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '";
- if ($DEBUG) {
- print "$CMD\n";
- } else {
- system("$CMD");
+ applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0);
+}
+
+sub applyrule($$) {
+ my $cmd = shift;
+ my $macrule = shift;
+
+ system("/sbin/iptables -A OUTGOINGFWMAC $cmd");
+ if ($macrule == 0) {
+ system("/sbin/iptables -A OUTGOINGFW $cmd");
 }
-}
\ No newline at end of file
+}
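Review bot: The new `applyrule` drops the `$DEBUG` dry-run the removed `if ($DEBUG) { print ... } else { system ... }` blocks provided — every call now runs iptables unconditionally, while the `@@ -111` hunk still honours `$DEBUG`, so the flag is only partially respected after this change. Both `system` calls also ignore their return value, so a rule iptables rejects leaves the chain different from the saved configuration with no trace, which in MODE2 means a DROP rule can be missing. `sub applyrule($$)` is defined after all of its call sites, so the prototype is not in effect for them and only changes parsing for code compiled later; the plain `my ($cmd, $macrule) = @_;` form is the usual one. The single-string `system` still goes through the shell with `$cmd` assembled from config fields; moving to the list form would require the quoted `--comment` arguments to be passed as separate elements, so the sketch below keeps the string form and only restores the dry-run and surfaces failures.
```perl
sub applyrule {
    my ($cmd, $macrule) = @_;

    # Non-MAC rules go into both chains; MAC rules only into OUTGOINGFWMAC.
    my @chains = $macrule ? ('OUTGOINGFWMAC') : ('OUTGOINGFWMAC', 'OUTGOINGFW');
    for my $chain (@chains) {
        my $full = "/sbin/iptables -A $chain $cmd";
        if ($DEBUG) {
            print "$full\n";
            next;
        }
        # A rejected rule must not pass silently: the live chain would then
        # differ from the saved configuration.
        system($full) == 0
            or warn "outgoingfw: iptables rc=" . ($? >> 8) . ": $full\n";
    }
    return;
}
```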