'title' => "Universal Plug and Play",
'enabled' => 0,
};
+ $subfirewall->{'60.optingsfw'} = {
+ 'caption' => $Lang::tr{'options fw'},
+ 'uri' => '/cgi-bin/optionsfw.cgi',
+ 'title' => "$Lang::tr{'options fw'}",
+ 'enabled' => 1,
+ };
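Review bot: The new menu key `60.optingsfw` misspells the page it points to — every other reference in this commit is `optionsfw` — which makes the entry hard to grep for and invites a second, differently spelled key later; `$subfirewall->{'60.optionsfw'} = {` keeps it consistent. The `'title'` value also wraps `$Lang::tr{'options fw'}` in double quotes for no reason, unlike the `'caption'` line right above it; `'title' => $Lang::tr{'options fw'},` is enough. The enclosing hash presumably starts before the hunk's leading context.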
--- /dev/null
+etc/inid.d/firewall
+var/ipfire/langs
+var/ipfire/optionsfw/settings
+var/ipfire/menu.d/50-firewall.menu
+srv/web/ipfire/cgi-bin/pakfire.cgi
+srv/web/ipfire/cgi-bin/outgoingfw.cgi
+srv/web/ipfire/cgi-bin/optionsfw.cgi
+srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromip.dat
+srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromport.dat
+srv/web/ipfire/cgi-bin/logs.cgi/log.dat
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
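Review bot: The second entry, `etc/inid.d/firewall`, is misspelled; the firewall start script changed in this commit presumably lives under `init.d`, so with this spelling the updated script is either left out of the update or makes the extraction step fail on a missing path, depending on how `extract_files` behaves. Change it to `etc/init.d/firewall`. Since this list is what decides which files the update ships, it is worth a quick check that the remaining paths exist as spelled too.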
--- /dev/null
+#!/bin/bash
+. /opt/pakfire/lib/functions.sh
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+extract_files
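Review bot: The language cache is rebuilt (`perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"`) before `extract_files` runs, so it is built from the language files already on the box, while the strings this commit adds (`drop input`, `fw logging`, `dos charset`, …) presumably arrive with `var/ipfire/langs` in the extracted archive; the cache then lacks them until something else rebuilds it. Swap the two lines so `extract_files` comes first. Nothing here restarts the firewall either, so the new logging switches only take effect on the next restart or reboot — if that is intended, a comment such as `# firewall rules pick up the new optionsfw settings on the next restart` would save the next reader the question.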
WARNING: translation string unused: net-traffic configuration
WARNING: translation string unused: network configuration
WARNING: translation string unused: network status information
-WARNING: translation string unused: new optionsfw later
WARNING: translation string unused: new optionsfw must boot
WARNING: translation string unused: no alcatelusb firmware
WARNING: translation string unused: no cfg upload
WARNING: translation string unused: openvpn client
WARNING: translation string unused: openvpn server
WARNING: translation string unused: optional data
-WARNING: translation string unused: options fw
WARNING: translation string unused: optionsfw portlist hint
WARNING: translation string unused: optionsfw warning
WARNING: translation string unused: or
WARNING: translation string unused: net-traffic configuration
WARNING: translation string unused: network configuration
WARNING: translation string unused: network status information
-WARNING: translation string unused: new optionsfw later
WARNING: translation string unused: new optionsfw must boot
WARNING: translation string unused: no alcatelusb firmware
WARNING: translation string unused: no cfg upload
WARNING: translation string unused: openvpn client
WARNING: translation string unused: openvpn server
WARNING: translation string unused: optional data
-WARNING: translation string unused: options fw
WARNING: translation string unused: optionsfw portlist hint
WARNING: translation string unused: optionsfw warning
WARNING: translation string unused: or
my $comment = $3;
my $packet = $4;
- $packet =~ /IN=(\w+)/; my $iface=$1;
+ $packet =~ /IN=(\w+)/; my $iface=$1; if ( $1 eq "27" ){ $iface="";}
$packet =~ /SRC=([\d\.]+)/; my $srcaddr=$1;
$packet =~ /DST=([\d\.]+)/; my $dstaddr=$1;
$packet =~ /MAC=([\w+\:]+)/; my $macaddr=$1;
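Review bot: The added `if ( $1 eq "27" ){ $iface="";}` compares against an unexplained literal and reads `$1` after a match whose success is never checked: when `IN=` is absent from `$packet`, `$1` still holds the capture of the previous successful match, so `$iface` gets a stale value and the `"27"` test fires on the wrong data. Test the match instead and avoid the magic number: `my $iface = ($packet =~ /IN=(\w+)/) ? $1 : '';`. If `27` really is a sentinel some upstream component emits, this line needs a comment saying what produces it. The enclosing loop starts outside the hunk.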
use strict;
# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
+use warnings;
+use CGI::Carp 'fatalsToBrowser';
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
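Review bot: Enabling `use CGI::Carp 'fatalsToBrowser';` unconditionally contradicts the comment directly above it (`enable only the following on debugging purpose`): every `die` in this CGI now echoes the error text, including file paths and whatever data the message carries, to the remote browser instead of the web-server error log. Keep the line commented out as before, or at most leave `use warnings;` enabled and `fatalsToBrowser` off. The new `optionsfw.cgi` in this same commit still ships both lines commented, which suggests this one was left enabled by accident.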
$cgiparams{'DAY'} = $now[3];
$cgiparams{'MONTH'} = $now[4];
$cgiparams{'ACTION'} = '';
-$cgiparams{'SECTION'} = 'ipfire';
+$cgiparams{'SECTION'} = 'kernel';
my %sections = (
- 'ipfire' => '(ipfire)',
- 'red' => '(red.*|kernel: usb.*|pppd\[.*\]|chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|kernel: eth.*|dhcpcd\[.*\]|modem_run\[.*\])',
- 'dns' => '(dnsmasq\[.*\])',
- 'dhcp' => '(dhcpd)',
- 'cron' => '(fcron\[.*\])',
- 'ntp' => '(ntpd(?:ate)?\[.*\])',
- 'ssh' => '(sshd(?:\(.*\))?\[.*\])',
- 'auth' => '(\w+\(pam_unix\)\[.*\])',
- 'kernel' => '(kernel)',
- 'ipsec' => '(ipsec_[\w_]+|pluto\[.*\]|vpnwatch)',
- 'snort' => '(snort)',
- 'openvpn' => '(openvpnserver)\[.*\]'
+ 'ipfire' => '(ipfire: )',
+ 'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
+ 'dns' => '(dnsmasq\[.*\]: )',
+ 'dhcp' => '(dhcpd: )',
+ 'cron' => '(fcron\[.*\]: )',
+ 'ntp' => '(ntpd(?:ate)?\[.*\]: )',
+ 'ssh' => '(sshd(?:\(.*\))?\[.*\]: )',
+ 'auth' => '(\w+\(pam_unix\)\[.*\]: )',
+ 'kernel' => '(kernel: (?!DROP-))',
+ 'ipsec' => '(ipsec_[\w_]+: |pluto\[.*\]: |vpnwatch: )',
+ 'openvpn' => '(openvpnserver)\[.*\]: '
);
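Review bot: With the `: ` separator moved into the section patterns, the `red` entry is inconsistent: `red:` and `pppd\[.*\]: ` carry it but `chat\[.*\]`, `pppoe\[.*\]`, `pptp\[.*\]`, `pppoa\[.*\]`, `ipppd`, `kernel: isdn.*`, `ibod\[.*\]`, `dhcpcd\[.*\]` and `modem_run\[.*\]` do not, so the `(.*)` that now follows `${section}` in the three line matches later in this diff captures a leading `: ` for those daemons and the rendered message starts with a stray colon. Either append `: ` to every alternative or leave the separator in the line regex. The `(?!DROP-)` lookahead on the `kernel` entry is the only place this file ties itself to the new `DROP-` log prefixes in the firewall script, so a comment such as `# DROP-… lines are firewall log entries and are shown by firewalllog.dat instead` would help the next reader. Dropping `kernel: usb.*` and `kernel: eth.*` from `red` moves those lines into the kernel section — if that is intentional it deserves a mention in the commit message.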
# Translations for the %sections array.
'kernel' => "$Lang::tr{'kernel'}",
'ipsec' => 'IPSec',
'openvpn' => 'OpenVPN',
- 'snort' => 'Snort'
);
#&General::log("reading $filestr");
READ:while (<FILE>) {
my $line = $_;
- if ($line =~ /^${monthstr} ${daystr} ..:..:.. [\w\-]+ ${section}: (.*)/) {
+ if ($line =~ /^${monthstr} ${daystr} ..:..:.. [\w\-]+ ${section}(.*)/) {
# when standart viewing, just keep in memory the correct slice
# it starts a '$start' and size is $viewport
# If export, then keep all lines...
foreach $_ (@log)
{
- /^... (..) (..:..:..) [\w\-]+ ${section}: (.*)$/;
+ /^... (..) (..:..:..) [\w\-]+ ${section}(.*)$/;
my $day = $1;
$day =~ tr / /0/;
my $time = $cgiparams{'DAY'} ? "$2" : "$day/$2" ;
- print "$time $3 $4\r\n";
+ print "$time $3 $4\r\n";
}
exit 0;
}
#print '<tt>';
foreach $_ (@log)
{
- /^... (..) (..:..:..) [\w\-]+ ${section}: (.*)$/;
+ /^... (..) (..:..:..) [\w\-]+ ${section}(.*)$/;
my $day = $1;
$day =~ tr / /0/;
my $time = $cgiparams{'DAY'} ? "$2" : "$day/$2" ;
$timestamp =~ /(...) (..) (..:..:..)/;
my $month = $1; my $day = $2; my $time = $3;
- if ($a =~ /IN\=(\w+)/) { $in = $1; }
+ if ($a =~ /IN\=(\w+)/) { $iface = $1; }
if ($a =~ /OUT\=(\w+)/) { $out = $1; }
if ($a =~ /SRC\=([\d\.]+)/) { $srcaddr = $1; }
if ($a =~ /DST\=([\d\.]+)/) { $dstaddr = $1; }
my $protostrlc = lc($protostr);
if ($a =~ /SPT\=([\d\.]+)/){ $srcport = $1; }
if ($a =~ /DPT\=([\d\.]+)/){ $dstport = $1; }
- $a =~ /IN=(\w+)/; my $iface=$1;
if ($lines % 2) {
print "<tr bgcolor='${Header::table1colour}'>\n"; }
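Review bot: The replaced line now assigns `$iface = $1` while the later `my $iface=$1;` declaration is removed, so unless `$iface` is declared at file scope (not visible here) this no longer compiles under `use strict`; and because the variable is no longer re-declared per row, a log line without `IN=` keeps the previous row's interface instead of being empty. Declare and reset it at the top of the per-row code: `my $iface = '';` before the `if` chain. The second copy of this hunk below has the same problem. The enclosing loop starts outside the hunk.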
$timestamp =~ /(...) (..) (..:..:..)/;
my $month = $1; my $day = $2; my $time = $3;
- if ($a =~ /IN\=(\w+)/) { $in = $1; }
+ if ($a =~ /IN\=(\w+)/) { $iface = $1; }
if ($a =~ /OUT\=(\w+)/) { $out = $1; }
if ($a =~ /SRC\=([\d\.]+)/) { $srcaddr = $1; }
if ($a =~ /DST\=([\d\.]+)/) { $dstaddr = $1; }
my $protostrlc = lc($protostr);
if ($a =~ /SPT\=([\d\.]+)/){ $srcport = $1; }
if ($a =~ /DPT\=([\d\.]+)/){ $dstport = $1; }
- $a =~ /IN=(\w+)/; my $iface=$1;
if ($lines % 2) {
print "<tr bgcolor='${Header::table1colour}'>\n"; }
--- /dev/null
+#!/usr/bin/perl
+#
+# SmoothWall CGIs
+#
+# This code is distributed under the terms of the GPL
+#
+# (c) The SmoothWall Team
+#
+# Copyright (C) 01-02-2002 Graham Smith <grhm@grhm.co.uk>
+#
+# $Id: optionsfw.cgi,v 1.1.2.10 2005/10/03 00:34:10 gespinasse Exp $
+#
+#
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+
+my %checked =(); # Checkbox manipulations
+
+# File used
+my $filename = "${General::swroot}/optionsfw/settings";
+
+our %settings=();
+$settings{'DISABLEPING'} = 'NO';
+$settings{'DROPNEWNOTSYN'} = 'on';
+$settings{'DROPINPUT'} = 'on';
+$settings{'DROPOUTPUT'} = 'on';
+$settings{'DROPPORTSCAN'} = 'on';
+
+my $errormessage = '';
+my $warnmessage = '';
+
+&Header::showhttpheaders();
+
+#Get GUI values
+&Header::getcgihash(\%settings);
+
+if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
+ $errormessage = $Lang::tr{'new optionsfw later'};
+ delete $settings{'__CGI__'};delete $settings{'x'};delete $settings{'y'};
+ &General::writehash($filename, \%settings); # Save good settings
+ } else {
+ &General::readhash($filename, \%settings); # Get saved settings and reset to good if needed
+ }
+
+&Header::openpage($Lang::tr{'options fw'}, 1, '');
+&Header::openbigbox('100%', 'left', '', $errormessage);
+
+if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+ print "<font color='red'>$errormessage </font>";
+ &Header::closebox();
+}
+
+$checked{'DROPNEWNOTSYN'}{'off'} = '';
+$checked{'DROPNEWNOTSYN'}{'on'} = '';
+$checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'";
+$checked{'DROPINPUT'}{'off'} = '';
+$checked{'DROPINPUT'}{'on'} = '';
+$checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
+$checked{'DROPOUTPUT'}{'off'} = '';
+$checked{'DROPOUTPUT'}{'on'} = '';
+$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'";
+$checked{'DROPPORTSCAN'}{'off'} = '';
+$checked{'DROPPORTSCAN'}{'on'} = '';
+$checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
+
+&Header::openbox('100%', 'center', $Lang::tr{'options fw'});
+print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
+
+print <<END
+<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>on <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
+ <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> off</td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop input'}</td><td align='left'>on <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
+ <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop output'}</td><td align='left'>on <input type='radio' name='DROPOUTPUT' value='on' $checked{'DROPOUTPUT'}{'on'} />/
+ <input type='radio' name='DROPOUTPUT' value='off' $checked{'DROPOUTPUT'}{'off'} /> off</td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
+ <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
+</table>
+<br />
+<table width='10%' cellspacing='0'>
+<tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value=$Lang::tr{'save'} />
+ <input type='image' alt='$Lang::tr{'save'}' title='$Lang::tr{'save'}' src='/images/media-floppy.png' /></form></td></tr>
+</table>
+</form>
+END
+;
+&Header::closebox();
+&Header::closebigbox();
+&Header::closepage();
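Review bot: On save, everything the client posted — `&Header::getcgihash(\%settings)` fills the hash straight from the request — is written to `${General::swroot}/optionsfw/settings` after removing only `__CGI__`, `x` and `y`, so arbitrary parameter names and values land in a file that the firewall start script in this same commit loads with `eval $(/usr/local/bin/readhash ...)`. Unless `writehash`/`readhash` sanitise keys and values (not visible here), that is a path from the web UI into a shell `eval`; the sibling `outgoingfw.cgi` shows the safer pattern of clearing the hash and copying only the known keys. Restrict the saved hash to the four switches and normalise each to `on`/`off`, as below. Separately, the file has no `use strict;` while every other CGI in this diff has one, the HTML nests three `<form>` elements so the radio values may not travel with the image button, `value=$Lang::tr{'save'}` is unquoted and breaks as soon as a translation contains a space, and `DISABLEPING` is defaulted but never shown or saved.
```perl
if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
    $errormessage = $Lang::tr{'new optionsfw later'};
    # Persist only the known switches, each normalised to on/off: the
    # settings file is later eval'd by the firewall start script via
    # readhash, so no client-chosen key or free-form value may reach it.
    my %clean;
    foreach my $key (qw(DROPNEWNOTSYN DROPINPUT DROPOUTPUT DROPPORTSCAN)) {
        $clean{$key} = (defined $settings{$key} && $settings{$key} eq 'off') ? 'off' : 'on';
    }
    %settings = %clean;
    &General::writehash($filename, \%settings); # Save good settings
} else {
    # … unchanged: readhash of the saved settings …
}
```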
$outfwsettings{'DISPLAY_SMAC'} = '';
$outfwsettings{'DISPLAY_SIP'} = '';
$outfwsettings{'POLICY'} = 'MODE0';
+$outfwsettings{'MODE1LOG'} = 'off';
&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
&Header::getcgihash(\%outfwsettings);
+$checked{'MODE1LOG'}{'off'} = '';
+$checked{'MODE1LOG'}{'on'} = '';
+$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'";
+
if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; }
if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'})
{
my $MODE = $outfwsettings{'POLICY'};
+ my $MODE1LOG = $outfwsettings{'MODE1LOG'};
%outfwsettings = ();
$outfwsettings{'POLICY'} = "$MODE";
+ $outfwsettings{'MODE1LOG'} = "$MODE1LOG";
&General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings);
system("/usr/local/bin/outgoingfwctrl");
}
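Review bot: `$outfwsettings{'MODE1LOG'} = "$MODE1LOG";` stores the posted value verbatim, so anything other than `on`/`off` is written to the outgoing settings file and later read back into the `$checked{'MODE1LOG'}{...}` lookup, where an unexpected value leaves neither radio button selected — and if those settings are consumed by a shell through readhash, as the firewall script in this commit does for optionsfw, it reaches an `eval`. Normalise it where it is saved: `$outfwsettings{'MODE1LOG'} = ($MODE1LOG eq 'on') ? 'on' : 'off';`. The `POLICY` value copied on the line above has the same shape and would benefit from the same `MODE0`/`MODE1`/`MODE2` check.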
;
}
}
+if ($outfwsettings{'POLICY'} eq 'MODE1'){
+print <<END
+ <tr bgcolor='$color{'color20'}'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <td align='center'>tcp&udp
+ <td align='center'>all
+ <td align='center'>ALL
+ <td align='center'>drop
+ <td align='center'><img src='/images/stock_stop.png' alt='DENY' />
+ <td align='center'>on <input type='radio' name='MODE1LOG' value='on' $checked{'MODE1LOG'}{'on'} /><input type='radio' name='MODE1LOG' value='off' $checked{'MODE1LOG'}{'off'} /> off
+ <td align='center'><input type='hidden' name='ACTION' value=$Lang::tr{'save'} /><input type='image' src='/images/media-floppy.png' width="18" height="18" alt=$Lang::tr{'save'} /></form></tr>
+ <table border='0' cellpadding='0' cellspacing='0'><tr>
+ <td>
+ <td></table>
+END
+;
+}
print <<END
</table>
END
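Review bot: In the added row, `value=$Lang::tr{'save'}` and `alt=$Lang::tr{'save'}` are unquoted attributes; the save branch compares `ACTION` with `$Lang::tr{'save'}` exactly, so any translation containing a space truncates the submitted value and the log switch silently never saves. Quote them: `value='$Lang::tr{'save'}'` and `alt='$Lang::tr{'save'}'`. The `<form>` is also opened inside `<tr>` and closed before the row ends, and the trailing `<table border='0' ...><tr><td><td></table>` fragment leaves its cells unclosed — invalid nesting that browsers repair differently, so the image button may submit without `MODE1LOG`. The `</table>` in the trailing context closes a table that starts outside the hunk.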
$pakfiresettings{'AUTOUPGRADE'} = 'off';
$pakfiresettings{'UUID'} = 'on';
+sub refreshpage{&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'pagerefresh'}</font></center>";&Header::closebox();}
+
&Header::getcgihash(\%pakfiresettings);
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
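Review bot: `sub refreshpage{...}` packs an `openbox`, a `print` and a `closebox` onto one line with no spacing, wedged between two unrelated assignments, which is out of step with the rest of the file and hides that the meta refresh is fixed at one second; spell it out over several lines with a comment stating its purpose, e.g. `# Show a 'please wait' box and reload the page after 1 s; call after a long-running action.` It is invoked from the `upgrade` branch below only after `system(...)` has returned, so the refresh is shown once the upgrade has already finished — if the intent was to show progress while it runs, the call has to come before the command or the command has to be backgrounded.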
} elsif ($pakfiresettings{'ACTION'} eq 'upgrade') {
system("/usr/local/bin/pakfire upgrade -y --no-colors &>/dev/null");
+ refreshpage();
} elsif ($pakfiresettings{'ACTION'} eq "$Lang::tr{'save'}") {
$sambasettings{'GUESTACCOUNT'} = 'samba';
$sambasettings{'MAPTOGUEST'} = 'Never';
$sambasettings{'LOGLEVEL'} = '3 passdb:5 auth:5 winbind:2';
+$sambasettings{'DOSCHARSET'} = 'CP850';
+$sambasettings{'UNIXCHARSET'} = 'UTF8';
+$sambasettings{'DISPLAYCHARSET'} = 'CP850';
$sambasettings{'SOCKETOPTIONS'} = 'TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE';
### Values that have to be initialized
$sambasettings{'ACTION'} = '';
$sambasettings{'GUESTACCOUNT'} = 'samba';
$sambasettings{'MAPTOGUEST'} = 'Never';
$sambasettings{'LOGLEVEL'} = '3 passdb:5 auth:5 winbind:2';
+ $sambasettings{'DOSCHARSET'} = 'CP850';
+ $sambasettings{'UNIXCHARSET'} = 'UTF8';
+ $sambasettings{'DISPLAYCHARSET'} = 'CP850';
### Samba CUPS Variablen
$sambasettings{'LOADPRINTERS'} = 'Yes';
$sambasettings{'PRINTING'} = 'cups';
kernel oplocks = false
map to guest = $sambasettings{'MAPTOGUEST'}
smb ports = 445 139
-unix charset = CP850
+dos charset = $sambasettings{'DOSCHARSET'}
+unix charset = $sambasettings{'UNIXCHARSET'}
+display charset = $sambasettings{'DISPLAYCHARSET'}
security = $sambasettings{'SECURITY'}
encrypt passwords = yes
log file = /var/log/samba/samba-log.%m
lock directory = /var/lock/samba
-pid directory = /var/run/
+pid directory = /var/run/
log level = $sambasettings{'LOGLEVEL'}
preferred master = $sambasettings{'PREFERREDMASTER'}
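Review bot: `dos charset`, `unix charset` and `display charset` are now expanded into the generated smb.conf straight from `%sambasettings`, whose values come from the free-text inputs (`name='DOSCHARSET'` etc.) added in the form hunk later in this file; nothing in this diff validates them, so a value containing a newline or `=` appends arbitrary directives to smb.conf. Unless validation happens where the settings are saved (outside the hunk), restrict each of the three keys at save time to a charset-like token, e.g. `$sambasettings{$key} =~ /^[\w\-\.:]+$/` or reject the save with an error message. The `pid directory` line appears to differ only in trailing whitespace and could be left out of the change.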
<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'basic options'}</b></td></tr>
<tr><td align='left' width='40%'>$Lang::tr{'workgroup'}</td><td align='left'><input type='text' name='WORKGRP' value='$sambasettings{'WORKGRP'}' size="30" /></td></tr>
<tr><td align='left' width='40%'>$Lang::tr{'netbios name'}</td><td align='left'><input type='text' name='NETBIOSNAME' value='$sambasettings{'NETBIOSNAME'}' size="30" /></td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'dos charset'}</td><td align='left'><input type='text' name='DOSCHARSET' value='$sambasettings{'DOSCHARSET'}' size="30" /></td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'unix charset'}</td><td align='left'><input type='text' name='UNIXCHARSET' value='$sambasettings{'UNIXCHARSET'}' size="30" /></td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'display charset'}</td><td align='left'><input type='text' name='DISPLAYCHARSET' value='$sambasettings{'DISPLAYCHARSET'}' size="30" /></td></tr>
<tr><td align='left' width='40%'>$Lang::tr{'server string'}</td><td align='left'><input type='text' name='SRVSTRING' value='$sambasettings{'SRVSTRING'}' size="30" /></td></tr>
<tr><td align='left' width='40%'>$Lang::tr{'log level'}</td><td align='left'><input type='text' name='LOGLEVEL' value='$sambasettings{'LOGLEVEL'}' size="30" /></td></tr>
<tr><td align='left' width='40%'>$Lang::tr{'interfaces'}</td><td align='left'>on <input type='radio' name='VPN' value='on' $checked{'VPN'}{'on'} />/
'disk access per' => 'Plattenzugriff je',
'disk usage' => 'Festplattenbelegung',
'display' => 'Anzeige',
+'display charset' => 'Display Charset',
'display hostname in window title' => 'Hostname im Fenstertitel anzeigen',
'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
'display webinterface effects' => 'Überblendeffekte einschalten',
'domain name' => 'Domainname',
'domain name suffix' => 'Domain-Name-Suffix:',
'domain not set' => 'Domain nicht eingegeben.',
+'dos charset' => 'DOS Charset',
'down and up speed' => 'Geben Sie bitte hier ihre Download- bzw. Upload-Geschwindigkeit ein <br /> und klicken Sie danach auf <i>Speichern</i>.',
'downlink speed' => 'Downlink-Geschwindigkeit (kBit/sek)',
'downlink std class' => 'Downloadstandardklasse',
'download root certificate' => 'Root Zertifikat herunterladen',
'dpd action' => 'Aktion für Dead Peer Detection',
'driver' => 'Treiber',
+'drop input' => 'Verworfene Input Pakete loggen',
+'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
+'drop output' => 'Verworfene Output Pakete loggen',
+'drop portscan' => 'Verworfene Portscan Pakete loggen',
'dst port' => 'Ziel-Port',
'dstprt range overlaps' => 'Der Zielportbereich überlappt mit einem bereits definierten Port.',
'dstprt within existing' => 'Der Zielport liegt innerhalb eines bereits definierten Portbereichs.',
'from email server' => 'Von Email Server',
'from email user' => 'Von Email Benutzer',
'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+'fw logging' => 'Firewall Logging',
'gateway' => 'Gateway',
'gateway ip' => 'Gateway-IP',
'gen static key' => 'Statischen Schlüssel erzeugen',
'unable to contact' => 'Kann nicht erreicht werden',
'unencrypted' => 'Nichtverschlüsselt',
'uninstall' => 'Deinstallieren',
+'unix charset' => 'UNIX Charset',
'unix group' => ' UNIX Benutzergruppe',
'unix password sync' => 'Unix Password Sync',
'unix shell' => 'UNIX Shell',
'disk access per' => 'Disk Access per',
'disk usage' => 'Disk usage',
'display' => 'Display',
+'display charset' => 'Display Charset',
'display hostname in window title' => 'Display hostname in window title',
'display traffic at home' => 'Display calculated traffic on startpage',
'display webinterface effects' => 'Activate effects',
'domain name suffix' => 'Domain name suffix:',
'domain not set' => 'Domain not set.',
'done' => 'Do it',
+'dos charset' => 'DOS Charset',
'down and up speed' => 'Enter your Down- and Uplink-Speed <br /> and then press <i>Save</i>.',
'downlink speed' => 'Downlink speed (kbit/sec)',
'downlink std class' => 'downlink standard class',
'download root certificate' => 'Download Root Certificate',
'dpd action' => 'Dead Peer Detection action',
'driver' => 'Driver',
+'drop input' => 'Log dropped Input pakets',
+'drop newnotsyn' => 'Log dropped New Not Syn pakets',
+'drop output' => 'Log dropped Output pakets',
+'drop portscan' => 'Log dropped Portscan pakets',
'dst port' => 'Dst Port',
'dstprt range overlaps' => 'Destination port range overlaps an already defined port.',
'dstprt within existing' => 'Destination port is within an already defined port range.',
'from email server' => 'From Email server',
'from email user' => 'From Email user',
'from warn email bad' => 'From email address is not valid',
+'fw logging' => 'Firewall logging',
'g.dtm' => 'TO BE REMOVED',
'g.lite' => 'TO BE REMOVED',
'gateway' => 'Gateway',
'unable to contact' => 'Unable to contact',
'unencrypted' => 'Unencrypted',
'uninstall' => 'Uninstall',
+'unix charset' => 'UNIX Charset',
'unix group' => ' UNIX usergroup',
'unix password sync' => 'Unix Password Sync',
'unix shell' => 'UNIX Shell',
echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
echo "01" > $(CONFIG_ROOT)/certs/serial
echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
- echo "DISABLEPING=NO" > $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
# Modify variables in header.pl
sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
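Review bot: The new `echo` lines write `DROPINPUT=on` and `DROPOUTPUT=on` twice each, and the replaced line was the only one using `>` — with every line now appending via `>>`, a re-run of this target keeps growing `optionsfw/settings` with duplicates instead of recreating it. Drop the repeated pair and make the first line truncate: `echo "DROPNEWNOTSYN=on" > $(CONFIG_ROOT)/optionsfw/settings`. The removed `DISABLEPING=NO` is still defaulted in `optionsfw.cgi`, so either keep it here or drop it there.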
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = samba
-PAK_VER = 3
+PAK_VER = 4
DEPS = "cups cyrus-sasl"
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
if [ -f /var/ipfire/red/device ]; then
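Review bot: The new `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)` executes whatever key/value lines that file holds, and the file is written by `optionsfw.cgi` in this commit from unfiltered CGI parameters, so this eval is only as safe as that CGI and `readhash` are — neither shows any validation here. If `readhash` prints nothing for a missing or partial file, the four variables stay unset and every log rule below is silently skipped; set explicit defaults before the eval, `DROPNEWNOTSYN=on; DROPINPUT=on; DROPOUTPUT=on; DROPPORTSCAN=on`, so the script falls back to the same defaults the CGI uses. The surrounding block starts outside the hunk.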
# This chain will log, then DROPs packets with certain bad combinations
# of flags might indicate a port-scan attempt (xmas, null, etc)
/sbin/iptables -N PSCAN
- /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
- /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
- /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
- /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
- /sbin/iptables -A PSCAN -j DROP
+ if [ "$DROPPORTSCAN" == "on" ]; then
+ /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP-TCP Scan " -m comment --comment "DROP-TCP PScan"
+ /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP-UDP Scan " -m comment --comment "DROP-UPD PScan"
+ /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP-ICMP Scan " -m comment --comment "DROP-ICMP PScan"
+ /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP-FRAG Scan " -m comment --comment "DROP-FRAG PScan"
+ fi
+ /sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP PScan"
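Review bot: `[ "$DROPPORTSCAN" == "on" ]` uses the bash-only `==` inside `[ ]`; under a POSIX `/bin/sh` the test fails, and the same form recurs in the `DROPNEWNOTSYN`, `DROPINPUT` and `DROPOUTPUT` tests further down. Use `=`: `if [ "$DROPPORTSCAN" = "on" ]; then` — harmless if the script is bash, correct otherwise. The UDP rule's comment reads `DROP-UPD PScan`; `DROP-UDP PScan` matches its log prefix. Because the variables come from the settings file and are empty when it is missing, an absent file now turns all four LOG rules off while the `DROP` targets stay, a quiet change from the unconditional logging this replaces.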
# New tcp packets without SYN set - could well be an obscure type of port scan
# that's not covered above, may just be a broken windows machine
/sbin/iptables -N NEWNOTSYN
- /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "NEW not SYN? "
+ if [ "$DROPNEWNOTSYN" == "on" ]; then
+ /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP-NEW not SYN " -m comment --comment "DROP-NEW not SYN"
+ fi
/sbin/iptables -A NEWNOTSYN -j DROP
# Chain to contain all the rules relating to bad TCP flags
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECVIRTUAL
/sbin/iptables -N OPENSSLVIRTUAL
- /sbin/iptables -A INPUT -j IPSECVIRTUAL
- /sbin/iptables -A INPUT -j OPENSSLVIRTUAL
- /sbin/iptables -A FORWARD -j IPSECVIRTUAL
- /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
+ /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT"
+ /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
+ /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
+ /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
# Outgoing Firewall
/sbin/iptables -A FORWARD -j OUTGOINGFW
fi
# last rule in input and forward chain is for logging.
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
+
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP-INPUT " -m comment --comment "DROP-INPUT"
+ fi
+ if [ "$DROPOUTPUT" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP-OUTPUT " -m comment --comment "DROP-OUTPUT"
+ fi
;;
startovpn)
# run openvpn
/etc/sysconfig/firewall.local stop
fi
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP-INPUT " -m comment --comment "DROP-INPUT"
+ fi
+ if [ "$DROPOUTPUT" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP-OUTPUT " -m comment --comment "DROP-OUTPUT"
+ fi
;;
stopovpn)
# stop openvpn