Added some FW Options for the blue interface
authormaniacikarus <maniacikarus@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Sat, 8 Mar 2008 10:03:43 +0000 (10:03 +0000)
committermaniacikarus <maniacikarus@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Sat, 8 Mar 2008 10:03:43 +0000 (10:03 +0000)
Started building of core10

git-svn-id: http://svn.ipfire.org/svn/ipfire/branches/2.1/trunk@1258 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8

config/rootfiles/core/10/files [new file with mode: 0644]
config/rootfiles/core/10/meta [new file with mode: 0644]
config/rootfiles/core/10/update.sh [new file with mode: 0644]
html/cgi-bin/optionsfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
src/misc-progs/wirelessctrl.c

diff --git a/config/rootfiles/core/10/files b/config/rootfiles/core/10/files
new file mode 100644 (file)
index 0000000..f8cbcdf
--- /dev/null
@@ -0,0 +1,3 @@
+usr/local/bin/wirelessctrl
+srv/web/ipfire/cgi-bin/optionsfw.cgi
+var/ipfire/langs
diff --git a/config/rootfiles/core/10/meta b/config/rootfiles/core/10/meta
new file mode 100644 (file)
index 0000000..d547fa8
--- /dev/null
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/10/update.sh b/config/rootfiles/core/10/update.sh
new file mode 100644 (file)
index 0000000..35ee927
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/bash
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+extract_files
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
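Review bot: None of the three commands' exit statuses are checked, so if `extract_files` fails the script still rebuilds the language cache and exits with the status of the perl one-liner, reporting success to whatever runs the update. Adding `set -e` after the shebang, or an explicit `extract_files || exit 1`, would make a failed extraction visible; what `extract_files` returns on failure is defined in functions.sh, which is not part of this diff, so that needs confirming. The `backupctrl exclude` call also discards both stdout and stderr, which hides any error from that step as well.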
index cfbd101..ddb68e3 100644 (file)
@@ -78,6 +78,12 @@ $checked{'DROPWIRELESSINPUT'}{$settings{'DROPWIRELESSINPUT'}} = "checked='checke
 $checked{'DROPWIRELESSFORWARD'}{'off'} = '';
 $checked{'DROPWIRELESSFORWARD'}{'on'} = '';
 $checked{'DROPWIRELESSFORWARD'}{$settings{'DROPWIRELESSFORWARD'}} = "checked='checked'";
+$checked{'DROPPROXY'}{'off'} = '';
+$checked{'DROPPROXY'}{'on'} = '';
+$checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
+$checked{'DROPSAMBA'}{'off'} = '';
+$checked{'DROPSAMBA'}{'on'} = '';
+$checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'";
 
 &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
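Review bot: `$checked{'DROPPROXY'}{$settings{'DROPPROXY'}}` and the DROPSAMBA line below it use the stored value as a hash key without a default, so on an installation updated to core 10 where optionsfw/settings does not yet contain these keys, neither radio button is pre-selected and the page cannot show the state the daemon actually applies. Setting a default before this block, e.g. `$settings{'DROPPROXY'} = 'off' unless defined $settings{'DROPPROXY'};` and the same for DROPSAMBA, keeps the form consistent with wirelessctrl, which treats a missing key as "feature off". Where `%settings` is read and written is outside this hunk, so the save path should be checked for the two new keys as well.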
@@ -100,6 +106,14 @@ print <<END
                                                                                                                                                                                <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> off</td></tr>
 </table>
 <br />
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop proxy'}</td><td align='left'>on <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+                                                                                                                                                                               <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> off</td></tr>
+<tr><td align='left' width='40%'>$Lang::tr{'drop samba'}</td><td align='left'>on <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+                                                                                                                                                                               <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> off</td></tr>
+</table>
+<br />
 <table width='10%' cellspacing='0'>
 <tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
                                                                                                <input type='hidden' name='ACTION' value=$Lang::tr{'save'} />
index 9800f5c..25d117b 100644 (file)
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
 'drop output' => 'Verworfene Output Pakete loggen',
 'drop portscan' => 'Verworfene Portscan Pakete loggen',
+'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
+'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
 'drop wirelessforward' => 'Verworfene Wireless Forward Pakete loggen',
 'drop wirelessinput' => 'Verworfene Wireless Input Pakete loggen',
 'dst port' => 'Ziel-Port',
 'from email server' => 'Von Email Server',
 'from email user' => 'Von Email Benutzer',
 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
+'fw blue' => 'Firewall Optionen für das Blaue Interface',
 'fw logging' => 'Firewall Logging',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway-IP',
index 96b3870..aa0add6 100644 (file)
 'drop newnotsyn' => 'Log dropped New Not Syn pakets',
 'drop output' => 'Log dropped Output pakets',
 'drop portscan' => 'Log dropped Portscan pakets',
+'drop proxy' => 'Drop all packets not addressed to proxy',
+'drop samba' => 'Drop all Microsoft Ports 135,137,138,139,445,1025',
 'drop wirelessforward' => 'Log dropped wireless Forward pakets',
 'drop wirelessinput' => 'Log dropped wireless Input pakets',
 'dst port' => 'Dst Port',
 'from email server' => 'From Email server',
 'from email user' => 'From Email user',
 'from warn email bad' => 'From email address is not valid',
+'fw blue' => 'Firewall options for blue interface',
 'fw logging' => 'Firewall logging',
 'g.dtm' => 'TO BE REMOVED',
 'g.lite' => 'TO BE REMOVED',
index ad76cfb..4dd569b 100644 (file)
@@ -27,141 +27,168 @@ char command[STRING_SIZE];
 
 void exithandler(void)
 {
-        /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
-        if(strlen(blue_dev))
-        {
-        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
-        safe_system(command);
-        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
-        safe_system(command);
-        }
-
-        if (fd)
-                fclose(fd);
+                               /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
+                               if(strlen(blue_dev))
+                               {
+                               snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+                               safe_system(command);
+                               snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+                               safe_system(command);
+                               }
+
+                               if (fd)
+                                                       fclose(fd);
 }
 
 int main(void)
 {
-        char green_dev[STRING_SIZE] = "";
-        char buffer[STRING_SIZE];
-        char *index, *ipaddress, *macaddress, *enabled;
-        struct keyvalue *kv = NULL;
-
-        if (!(initsetuid()))
-                exit(1);
-
-        /* flush wireless iptables */
-        safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
-        safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
-
-        memset(buffer, 0, STRING_SIZE);
-
-        /* Init the keyvalue structure */
-        kv=initkeyvalues();
-
-        /* Read in the current values */
-        if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
-        {
-                fprintf(stderr, "Cannot read ethernet settings\n");
-                exit(1);
-        }
-
-        /* Read in the firewall values */
-        if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
-        {
-                fprintf(stderr, "Cannot read optionsfw settings\n");
-                exit(1);
-        }
-
-        /* Get the GREEN interface details */
-        if(!findkey(kv, "GREEN_DEV", green_dev))
-        {
-                fprintf(stderr, "Cannot read GREEN_DEV\n");
-                exit(1);
-        }
-        if (!VALID_DEVICE(green_dev))
-        {
-                fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
-                exit(1);
-        }
-        /* Get the BLUE interface details */
-        if(!findkey(kv, "BLUE_DEV", blue_dev))
-        {
-                fprintf(stderr, "Cannot read BLUE_DEV\n");
-                exit(1);
-        }
-        if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
-        {
-                fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
-                exit(1);
-        }
-        if(! strlen(blue_dev) > 0)
-        {
-                fprintf(stderr, "No BLUE interface\n");
-                exit(0);
-        }
-
-        /* with this rule you can disable the logging of the dropped wireless input packets*/
-        if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
-                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
-                safe_system(command);
-        }
-        /* with this rule you can disable the logging of the dropped wireless forward packets*/
-        if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
-                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
-                safe_system(command);
-        }
-
-        /* register exit handler to ensure the block rule is always present */
-        atexit(exithandler);
-
-        if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
-        {
-                exit(0);
-        }
-        while (fgets(buffer, STRING_SIZE, fd))
-        {
-                buffer[strlen(buffer) - 1] = 0;
-
-                index = strtok(buffer, ",");
-                ipaddress = strtok(NULL, ",");
-                macaddress = strtok(NULL, ",");
-                enabled = strtok(NULL, ",");
-
-                if (!strncmp(enabled, "on", 2)) {
-
-                        /* both specified, added security */
-                        if ((strlen(macaddress) == 17) &&
-                            (VALID_IP(ipaddress))) {
-                                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
-                                safe_system(command);
-                                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -o ! %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
-                                safe_system(command);
-                                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
-                                safe_system(command);
-                        } else {
-
-                                /* correctly formed mac address is 17 chars */
-                                if (strlen(macaddress) == 17) {
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
-                                        safe_system(command);
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -o ! %s -j ACCEPT", macaddress, blue_dev, green_dev);
-                                        safe_system(command);
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
-                                        safe_system(command);
-                                }
-
-                                if (VALID_IP(ipaddress)) {
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
-                                        safe_system(command);
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -o ! %s -j ACCEPT", ipaddress, blue_dev, green_dev);
-                                        safe_system(command);
-                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
-                                        safe_system(command);
-                                }
-                        }
-                }
-        }
-
-        return 0;
+                               char green_dev[STRING_SIZE] = "";
+                               char buffer[STRING_SIZE];
+                               char *index, *ipaddress, *macaddress, *enabled;
+                               struct keyvalue *kv = NULL;
+
+                               if (!(initsetuid()))
+                                                       exit(1);
+
+                               /* flush wireless iptables */
+                               safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
+                               safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
+
+                               memset(buffer, 0, STRING_SIZE);
+
+                               /* Init the keyvalue structure */
+                               kv=initkeyvalues();
+
+                               /* Read in the current values */
+                               if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
+                               {
+                                                       fprintf(stderr, "Cannot read ethernet settings\n");
+                                                       exit(1);
+                               }
+
+                               /* Read in the firewall values */
+                               if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
+                               {
+                                                       fprintf(stderr, "Cannot read optionsfw settings\n");
+                                                       exit(1);
+                               }
+
+                               /* Get the GREEN interface details */
+                               if(!findkey(kv, "GREEN_DEV", green_dev))
+                               {
+                                                       fprintf(stderr, "Cannot read GREEN_DEV\n");
+                                                       exit(1);
+                               }
+                               if (!VALID_DEVICE(green_dev))
+                               {
+                                                       fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
+                                                       exit(1);
+                               }
+                               /* Get the BLUE interface details */
+                               if(!findkey(kv, "BLUE_DEV", blue_dev))
+                               {
+                                                       fprintf(stderr, "Cannot read BLUE_DEV\n");
+                                                       exit(1);
+                               }
+                               if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
+                               {
+                                                       fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
+                                                       exit(1);
+                               }
+                               if(! strlen(blue_dev) > 0)
+                               {
+                                                       fprintf(stderr, "No BLUE interface\n");
+                                                       exit(0);
+                               }
+
+                               /* register exit handler to ensure the block rule is always present */
+                               atexit(exithandler);
+
+                               if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
+                               {
+                                                       exit(0);
+                               }
+
+                               /* restrict blue access tp the proxy port */
+                               if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"on")){
+                                                       /* Read the proxy values */
+                                                       if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer)))
+                                                       {
+                                                                       fprintf(stderr, "Cannot read proxy settings\n");
+                                                                       exit(1);
+                                                       }
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", buffer, blue_dev);
+                                                       safe_system(command);
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", buffer, blue_dev);
+                                                       safe_system(command);
+                               }
+
+                               /* not allow blue to acces a samba server running on local fire*/
+                               if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"on")){
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+                                                       safe_system(command);
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --dport 135,137,,138139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+                                                       safe_system(command);
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+                                                       safe_system(command);
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+                                                       safe_system(command);
+                               }
+
+                               while (fgets(buffer, STRING_SIZE, fd))
+                               {
+                                                       buffer[strlen(buffer) - 1] = 0;
+
+                                                       index = strtok(buffer, ",");
+                                                       ipaddress = strtok(NULL, ",");
+                                                       macaddress = strtok(NULL, ",");
+                                                       enabled = strtok(NULL, ",");
+
+                                                       if (!strncmp(enabled, "on", 2)) {
+
+                                                       /* both specified, added security */
+                                                       if ((strlen(macaddress) == 17) &&
+                                                                       (VALID_IP(ipaddress))) {
+                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+                                                                       safe_system(command);
+                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -o ! %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
+                                                                       safe_system(command);
+                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
+                                                                       safe_system(command);
+                                                       } else {
+
+                                                                       /* correctly formed mac address is 17 chars */
+                                                                       if (strlen(macaddress) == 17) {
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+                                                                                                       safe_system(command);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -o ! %s -j ACCEPT", macaddress, blue_dev, green_dev);
+                                                                                                       safe_system(command);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
+                                                                                                       safe_system(command);
+                                                                       }
+
+                                                                       if (VALID_IP(ipaddress)) {
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+                                                                                                       safe_system(command);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -o ! %s -j ACCEPT", ipaddress, blue_dev, green_dev);
+                                                                                                       safe_system(command);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
+                                                                                                       safe_system(command);
+                                                                       }
+                                                       }
+                                                       }
+                               }
+
+                               /* with this rule you can disable the logging of the dropped wireless input packets*/
+                               if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
+                                                       safe_system(command);
+                               }
+                               /* with this rule you can disable the logging of the dropped wireless forward packets*/
+                               if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
+                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
+                                                       safe_system(command);
+                               }
+
+                               return 0;
 }
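Review bot: The `strcmp(buffer,"on")` tests in the two new option checks (`DROPPROXY` and `DROPSAMBA`) are inverted: strcmp is nonzero when the value is *not* "on", so the drop rules are installed exactly when the option is switched off and skipped when it is on; unlike the existing `|| strcmp(buffer,"off")` checks, which deliberately default to logging, these should read `strcmp(buffer,"on") == 0`. The two proxy `snprintf` calls also pass `buffer, blue_dev` in the wrong order for a format whose first `%s` is the interface and second the port, and the first of them appends to WIRELESSINPUT while its comment says 'DROP_Wirelessforward' — confirm which chain was meant. The samba port lists are mistyped (`1025-j DROP` without a space in both WIRELESSFORWARD rules, `135,137,,138139` in the tcp WIRELESSINPUT rule), so iptables should reject three of the four rules; because `safe_system`'s result is never checked, the failure is silent and the option appears to work while only the udp input rule is active. Independently, the `enabled`, `ipaddress` and `macaddress` tokens from `strtok` can be NULL on a short line and are passed straight to strncmp/strlen; that is pre-existing, but a `continue` guard would be cheap while the loop is being re-indented anyway.
```c
/* restrict blue access to the proxy port */
if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "on") == 0) {
	/* … unchanged: read proxy settings, PROXY_PORT ends up in buffer … */
	/* NOTE(review): chain kept as committed; confirm whether WIRELESSFORWARD was intended for this first rule */
	snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
	safe_system(command);
	snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
	safe_system(command);
}

/* do not allow blue to reach a samba server running on the firewall itself */
if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "on") == 0) {
	snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
	safe_system(command);
	snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
	safe_system(command);
	snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
	safe_system(command);
	/* … unchanged: udp WIRELESSINPUT rule … */
}
```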