From: Christian Schmidt Date: Fri, 16 Apr 2010 06:40:01 +0000 (+0200) Subject: Did some final steps for the outgoing fw, this should be working now. X-Git-Tag: v2.9-beta1~375^2 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=fdeaa057c2f60b80890e24885db7b3b81bdd8ff2 Did some final steps for the outgoing fw, this should be working now. This fixes bug #0000577
---
diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index d8a4908f62..de28f8e259 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu
@@ -28,6 +28,12 @@
 'title' => "$Lang::tr{'outgoing firewall'}",
 'enabled' => 1,
 };
+ $subfirewall->{'51.outgoinggrp'} = {
+ 'caption' => $Lang::tr{'outgoing firewall groups'},
+ 'uri' => '/cgi-bin/outgoinggrp.cgi',
+ 'title' => "$Lang::tr{'outgoing firewall groups'}",
+ 'enabled' => 1,
+ };
 $subfirewall->{'60.upnp'} = {
 'caption' => 'UPnP',
 'uri' => '/cgi-bin/upnp.cgi',
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
index ac27a58fe5..dd42415b73 100644
--- a/config/outgoingfw/outgoingfw.pl
+++ b/config/outgoingfw/outgoingfw.pl
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2005-2010 IPTifre Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -37,7 +37,6 @@
 my @configline = ();
 my $p2pentry = "";
 my @p2ps = ();
 my @p2pline = ();
-my @proto = ();
 my $CMD = "";
 my $P2PSTRING = "";
@@ -65,8 +64,10 @@
 $outfwsettings{'DISPLAY_SMAC'} = '';
 $outfwsettings{'DISPLAY_SIP'} = '';
 $outfwsettings{'POLICY'} = 'MODE0';
+my @SOURCE = "";
 my $SOURCE = "";
 my $DESTINATION = "";
+my @PROTO = "";
 my $PROTO = "";
 my $DPORT = "";
 my $DEV = "";
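Review bot: `my @SOURCE = "";` and `my @PROTO = "";` create one-element arrays holding an empty string rather than empty arrays; the next hunk resets `@SOURCE` the same way at the top of the `foreach $configentry` loop and in its `ipsec`/`ovpn` branches, and only the `if ( $SOURCE eq "" ){next;}` skip keeps that element from reaching iptables. Initialise with `my @SOURCE = ();` and `my @PROTO = ();` here and `@SOURCE = ();` in those places so an empty group really is empty. `@PROTO` is always assigned a non-empty list in the protocol chain before it is iterated, so it is unaffected in practice.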
@@ -114,93 +115,112 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { foreach $configentry (sort @configs) { - $SOURCE = ""; + @SOURCE = ""; $DESTINATION = ""; $PROTO = ""; $DPORT = ""; $DEV = ""; $MAC = ""; @configline = split( /\;/, $configentry ); + if ($outfwsettings{'STATE'} eq $configline[0]) { if ($configline[2] eq 'green') { - $SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); $DEV = $netsettings{'GREEN_DEV'}; } elsif ($configline[2] eq 'red') { - $SOURCE = "$netsettings{'RED_IP'}"; + @SOURCE = ("$netsettings{'RED_IP'}"); $DEV = ""; } elsif ($configline[2] eq 'blue') { - $SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); $DEV = $netsettings{'BLUE_DEV'}; } elsif ($configline[2] eq 'orange') { - $SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); $DEV = $netsettings{'ORANGE_DEV'}; + } elsif ($configline[2] eq 'ipsec') { + @SOURCE = ""; + $DEV = "ipsec+"; + } elsif ($configline[2] eq 'ovpn') { + @SOURCE = ""; + $DEV = "tun+"; } elsif ($configline[2] eq 'ip') { - $SOURCE = "$configline[5]"; + @SOURCE = ("$configline[5]"); + $DEV = ""; + } + } elsif ($configline[2] eq 'all') { + @SOURCE = ("0/0"); $DEV = ""; - } else { - $SOURCE = "0/0"; + } else { + if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) + { + @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; + } $DEV = ""; } if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } if ($configline[3] eq 'tcp') { - @proto = ("tcp"); + @PROTO = ("tcp"); } elsif ($configline[3] eq 'udp') { - @proto = ("udp"); + @PROTO = ("udp"); } elsif ($configline[3] eq 'esp') { - @proto = ("esp"); + @PROTO = ("esp"); } elsif ($configline[3] eq 'gre') { - @proto = 
("gre"); + @PROTO = ("gre"); } else { - @proto = ("tcp","udp"); + @PROTO = ("tcp","udp"); } - - - foreach $PROTO (@proto) { - $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO"; - - if ($configline[8] && $configline[3] ne 'esp' && $configline[3] ne 'gre') { - $DPORT = "$configline[8]"; - $CMD = "$CMD --dport $DPORT"; - } - - if ($DEV) { - $CMD = "$CMD -i $DEV"; - } - - if ($configline[6]) { - $MAC = "$configline[6]"; - $CMD = "$CMD -m mac --mac-source $MAC"; - } - - if ($configline[17] && $configline[18]) { - if ($configline[10]){$DAY = "Mon,"} - if ($configline[11]){$DAY .= "Tue,"} - if ($configline[12]){$DAY .= "Wed,"} - if ($configline[13]){$DAY .= "Thu,"} - if ($configline[14]){$DAY .= "Fri,"} - if ($configline[15]){$DAY .= "Sat,"} - if ($configline[16]){$DAY .= "Sun"} - $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; - } - - $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - if ($configline[9] eq "aktiv") { + foreach $PROTO (@PROTO){ + foreach $SOURCE (@SOURCE) { + $SOURCE =~ s/\s//gi; + + if ( $SOURCE eq "" ){next;} + + $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO"; + + if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { + $DPORT = "$configline[8]"; + $CMD = "$CMD -m multiport --destination-port $DPORT"; + } + + if ($DEV) { + $CMD = "$CMD -i $DEV"; + } + + if ($configline[6]) { + $MAC = "$configline[6]"; + $CMD = "$CMD -m mac --mac-source $MAC"; + } + + if ($configline[17] && $configline[18]) { + if ($configline[10]){$DAY = "Mon,"} + if ($configline[11]){$DAY .= "Tue,"} + if ($configline[12]){$DAY .= "Wed,"} + if ($configline[13]){$DAY .= "Thu,"} + if ($configline[14]){$DAY .= "Fri,"} + if ($configline[15]){$DAY .= "Sat,"} + if ($configline[16]){$DAY .= "Sun"} + $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; + } + + $CMD = "$CMD -o $netsettings{'RED_DEV'}"; + + if ($configline[9] eq "aktiv") { + 
if ($DEBUG) { + print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'\n"; + } else { + system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'"); + } + } + if ($DEBUG) { - print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'\n"; + print "$CMD -j $DO\n"; } else { - system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'"); + system("$CMD -j $DO"); } } - - if ($DEBUG) { - print "$CMD -j $DO\n"; - } else { - system("$CMD -j $DO"); - } - } + } } } diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index e6abdc2b56..a67a44f72f 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1339,6 +1339,7 @@ srv/web/ipfire/cgi-bin/netexternal.cgi srv/web/ipfire/cgi-bin/netinternal.cgi srv/web/ipfire/cgi-bin/netother.cgi srv/web/ipfire/cgi-bin/outgoingfw.cgi +srv/web/ipfire/cgi-bin/outgoinggrp.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pakfire.cgi diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index efbc5fe933..38b8dffc1a 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -96,6 +96,8 @@ var/ipfire/outgoing #var/ipfire/outgoing/bin #var/ipfire/outgoing/bin/outgoingfw.pl var/ipfire/outgoing/defaultservices +#var/ipfire/outgoing/groups +#var/ipfire/outgoing/ipgroups #var/ipfire/outgoing/p2protocols #var/ipfire/outgoing/rules #var/ipfire/outgoing/settings diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi index c5db16bab2..e2bfcfdebf 100644 --- a/html/cgi-bin/outgoingfw.cgi +++ b/html/cgi-bin/outgoingfw.cgi 
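Review bot: The port guard `if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') )` is true whenever a port is set, because no value equals both strings, so esp and gre rules with a port now get `-m multiport --destination-port` appended and iptables rejects them; the removed `&&` form was right: `if ($configline[8] && $configline[3] ne 'esp' && $configline[3] ne 'gre') {`. The return value of `system(...)` is never checked, so a rejected rule vanishes silently — under a deny-by-rule policy that means the traffic is let through rather than blocked — and at least a `warn` on a non-zero return would make that visible in the log. The new `ipsec` and `ovpn` branches set `@SOURCE = "";` while the inner loop skips every empty source with `next`, so no rule is ever emitted for those two (`@SOURCE = ("0/0");` as in the `all` branch would yield `-s 0/0 -i ipsec+`); note also that the `+ }` after the `ip` branch closes the inner chain, which leaves `elsif ($configline[2] eq 'all')` and the group `else` attached to `if ($outfwsettings{'STATE'} eq $configline[0])` and evaluated only when that test fails — if that is not intended, the brace belongs after the group block. The group branch reads `/var/ipfire/outgoing/groups/ipgroups/$configline[2]` through a backtick `cat` with a name taken from the rules file, and each entry then lands inside the single-string `system("$CMD …")`, so the name should be limited to a plain filename and the file read with `open` as below, with entries validated as addresses at the point where the group is written. The enclosing `if ( $outfwsettings{'POLICY'} eq 'MODE1' )` block starts before this hunk.
```perl
# … unchanged: green/red/blue/orange/ipsec/ovpn/ip/all branches …
} else {
    # The group name comes from the rules file and is also an iptables
    # argument: accept a plain filename only and read it with open()
    # so neither the name nor the entries ever pass through a shell.
    @SOURCE = ();
    if ($configline[2] =~ m{\A[A-Za-z0-9][A-Za-z0-9_.-]*\z}
        && open(my $groupfh, '<', "/var/ipfire/outgoing/groups/ipgroups/$configline[2]")) {
        @SOURCE = <$groupfh>;
        close($groupfh);
    }
    $DEV = "";
}
# … unchanged: protocol selection and rule emission …
```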
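Review bot: The new line `#var/ipfire/outgoing/ipgroups` does not match the directory the rest of this commit uses, `/var/ipfire/outgoing/groups/ipgroups` (lfs/configroot creates `outgoing/groups/ipgroups` and both CGIs build paths under `$configpath/ipgroups`); it should read `#var/ipfire/outgoing/groups/ipgroups`. Both entries are commented out, so this only matters for keeping the exclusion list in step with the real path.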
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2010 Michael Tremer & Christian Schmidt # +# Copyright (C) 2005-2010 IPTifre Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -41,6 +41,7 @@ my @p2ps = (); my @p2pline = (); my $configfile = "/var/ipfire/outgoing/rules"; +my $configpath = "/var/ipfire/outgoing/groups/"; my $p2pfile = "/var/ipfire/outgoing/p2protocols"; my $servicefile = "/var/ipfire/outgoing/defaultservices"; @@ -145,7 +146,7 @@ if ( $outfwsettings{'TIME_MON'} eq "" && $outfwsettings{'TIME_SUN'} = "on"; } -&Header::openpage('Ausgehende Firewall', 1, ''); +&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); ############################################################################################################################ @@ -607,88 +608,124 @@ END ; &Header::closebox(); -&Header::closebigbox(); -&Header::closepage(); - ############################################################################################################################ ############################################################################################################################ sub addrule { - &Header::openbox('100%', 'center', 'Rules hinzufuegen'); + &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); if ($outfwsettings{'EDIT'} eq 'no') { $selected{'ENABLED'} = 'checked'; } $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - print < - + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + - - - + + + + + + + - + + + + + +
$Lang::tr{'description'}: - - $Lang::tr{'active'}: - -
$Lang::tr{'protocol'}: - - - $Lang::tr{'policy'}: - +
$Lang::tr{'description'}: $Lang::tr{'active'}:
$Lang::tr{'protocol'}: + + $Lang::tr{'policy'}: END ; if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\tALLOW\n"; + print "\t\t\t\tALLOW\n"; } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\tDENY\n"; + print "\t\t\t\tDENY\n"; } print <$Lang::tr{'source net'}: -
$Lang::tr{'source'}: + $Lang::tr{'source ip'}: - -
$Lang::tr{'logging'}: - - -
$Lang::tr{'destination ip'}: - - $Lang::tr{'destination port'}: - -
$Lang::tr{'time'}:$Lang::tr{'source ip'}:
$Lang::tr{'logging'}: + + + +
$Lang::tr{'destination ip'}: $Lang::tr{'destination port'}:
$Lang::tr{'time'}: $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} $Lang::tr{'advproxy from'}$Lang::tr{'advproxy to'}
- - - - - - $Lang::tr{'advproxy to'}
+ + + + + + + + - +
-
$Lang::tr{'this field may be blank'} - + +
+
$Lang::tr{'this field may be blank'}
END ; @@ -763,4 +806,7 @@ END print ""; &Header::closebox(); } -} \ No newline at end of file +} + +&Header::closebigbox(); +&Header::closepage(); \ No newline at end of file diff --git a/html/cgi-bin/outgoinggrp.cgi b/html/cgi-bin/outgoinggrp.cgi new file mode 100644 index 0000000000..b277339a1a --- /dev/null +++ b/html/cgi-bin/outgoinggrp.cgi 
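Review bot: `&Header::openbox('100%', 'center', $Lang::tr{'Add Rule'})` refers to a lang key that this commit does not add; the de/en/fr hunks only add the `outgoing firewall …` keys, so unless `Add Rule` already exists in the lang files the box title renders empty — add it next to the new keys or use an existing one. The `$configpath` introduced in the earlier hunk of this file has no visible use in the hunks shown, and the page markup in this hunk is not legible here, so the group selector it presumably feeds could not be checked. `addrule` continues past the end of the hunk.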
@@ -0,0 +1,213 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2005-2010 IPTifre Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+use strict;
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+my %outgrpsettings = ();
+my %netsettings = ();
+my %selected= () ;
+my $errormessage = "";
+
+my $configpath = "/var/ipfire/outgoing/groups/";
+my $servicefile = "/var/ipfire/outgoing/defaultservices";
+
+my %color = ();
+my %mainsettings = ();
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
+&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+
+&Header::showhttpheaders();
+
+### Values that have to be initialized
+$outgrpsettings{'ACTION'} = '';
+$outgrpsettings{'ipgroup'} = 'none';
+$outgrpsettings{'portgroup'} = 'none';
+
+&Header::getcgihash(\%outgrpsettings);
+delete $outgrpsettings{'__CGI__'};delete $outgrpsettings{'x'};delete 
$outgrpsettings{'y'};
+
+$selected{'ipgroup'}{$outgrpsettings{'ipgroup'}} = "selected='selected'";
+$selected{'portgroup'}{$outgrpsettings{'portgroup'}} = "selected='selected'";
+
+&Header::openpage($Lang::tr{'outgoing firewall groups'}, 1, '');
+&Header::openbigbox('100%', 'left', '', $errormessage);
+
+###############
+# DEBUG DEBUG
+# &Header::openbox('100%', 'left', 'DEBUG');
+# my $debugCount = 0;
+# foreach my $line (sort keys %outgrpsettings) {
+# print "$line = $outgrpsettings{$line}
\n"; + # $debugCount++; +# } +# print " Count: $debugCount\n"; +# &Header::closebox(); +# DEBUG DEBUG +############### + +############################################################################################################################ +############################################################################################################################ + +if ($errormessage) +{ + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); +} + +if ($outgrpsettings{'ACTION'} eq 'newipgroup') +{ + &newipgroup(); +} elsif ($outgrpsettings{'ACTION'} eq 'deleteipgroup' ) { + unlink("$configpath/ipgroups/$outgrpsettings{'ipgroup'}"); +} elsif ($outgrpsettings{'ACTION'} eq 'addipgroup') { + open (FILE, ">$configpath/ipgroups/$outgrpsettings{'ipgroup'}") or die "Can't save $outgrpsettings{'ipgroup'} settings $!"; + flock (FILE, 2); + print FILE $outgrpsettings{'ipgroupcontent'}."\n"; + close FILE; +} + +############################################################################################################################ +############################################################################################################################ + +my @ipgroups = qx(ls $configpath/ipgroups/); +if ($outgrpsettings{'ipgroup'} eq "none" and $#ipgroups >= 0 ){ $outgrpsettings{'ipgroup'} = $ipgroups[0];} + +my $ipgroupcontent = `cat $configpath/ipgroups/$outgrpsettings{'ipgroup'} 2>/dev/null`; +$ipgroupcontent =~ s/\n/
/g; + +&Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall ip groups'}); + +print < +
+
+ + + + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'outgoing firewall ip groups'}

+ + +

$ipgroupcontent

$Lang::tr{'outgoing firewall ip groups'} - $outgrpsettings{'ipgroup'}
+
+ + + + + + +
+
+ + +
+
+
+ + + +
+
+
+ + + +
+
+ +END +; +&Header::closebox(); + +&Header::closebigbox(); +&Header::closepage(); + +sub newipgroup +{ + &Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall add ip group'}); + +print < + + + + + + + + + + + + + + +
$Lang::tr{'outgoing firewall add ip group'}

+ + + + +
+ +
+ +END +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit 0; +} \ No newline at end of file diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 4e59541aaa..9a6a6138f2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1269,6 +1269,10 @@ 'out' => 'Aus', 'outgoing' => 'ausgehend', 'outgoing firewall' => 'Ausgehende Firewall', +'outgoing firewall groups' => 'Ausgehende Firewall Gruppen', +'outgoing firewall add ip group' => 'IP Adressgruppen hinzufügen', +'outgoing firewall ip groups' => 'Ausgehende Firewall IP Adressgruppen', +'outgoing firewall view group' => 'Gruppe anzeigen', 'outgoing traffic in bytes per second' => 'Abgehender Verkehr', 'outgoingfw mode0' => 'In diesem Modus ist es allen Rechnern im Netzwerk uneingeschränkt möglich Verbindungen ins Internet aufzubauen.', 'outgoingfw mode1' => 'In diesem Modus werden nur Verbindungen nach den oben definierten Regeln zugelassen.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1336a4ffe7..8906f21941 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1014,7 +1014,7 @@ 'invalid vpi vpci' => 'Invalid VPI/VPCI settings', 'invalid wins address' => 'Invalid WINS server address.', 'invert' => 'Invert', -'ip address' => 'IP address:', +'ip address' => 'IP address', 'ip address in use' => 'IP address already in use', 'ip address outside subnets' => 'IP Address outside subnets', 'ip alias added' => 'External IP alias added', 
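Review bot: `$outgrpsettings{'ipgroup'}` arrives from the request and is used unvalidated as a path component in `unlink(...)` and `open (FILE, ">$configpath/ipgroups/...")` and inside the backtick `cat $configpath/ipgroups/... 2>/dev/null`, so a name containing `/`, `..` or shell metacharacters reaches the filesystem and the shell with the CGI's privileges, and the same name is later interpolated into a `cat` command by outgoingfw.pl. Reject anything but a plain filename before any action (below), and list and read the directory with `opendir`/`open` instead of `ls`/`cat` so no shell is involved at all. `ipgroupcontent` is saved as-is and ends up inside the single-string `system("/sbin/iptables …")` in outgoingfw.pl, and it is also echoed back into the page without escaping, so each line should be checked to be an address or address/prefix on save and escaped on display. Smaller points: prefer 3-arg `open` with a lexical handle and check `close`, and `$ipgroups[0]` from `ls` keeps its trailing newline when it becomes the default `ipgroup`.
```perl
# … unchanged: getcgihash and the selected-hash setup …
# A group name is used as a path component here and as a shell word and
# iptables argument in outgoingfw.pl, so accept a plain filename only.
if ($outgrpsettings{'ipgroup'} ne 'none'
    && $outgrpsettings{'ipgroup'} !~ m{\A[A-Za-z0-9][A-Za-z0-9_.-]*\z}) {
    $errormessage = "Invalid group name";   # TODO: move to a $Lang::tr key
    $outgrpsettings{'ipgroup'} = 'none';
    $outgrpsettings{'ACTION'}  = '';
}
# … unchanged: openpage, openbigbox, error box, newipgroup/deleteipgroup branches …
} elsif ($outgrpsettings{'ACTION'} eq 'addipgroup') {
    # Entries are interpolated into an iptables command by outgoingfw.pl:
    # keep only lines that look like an address or address/prefix.
    my @entries = grep { m{\A[0-9.]+(?:/[0-9.]+)?\z} }
                  map  { (my $e = $_) =~ s/\s//g; $e }
                  split /\n/, $outgrpsettings{'ipgroupcontent'};
    open(my $fh, '>', "$configpath/ipgroups/$outgrpsettings{'ipgroup'}")
        or die "Can't save $outgrpsettings{'ipgroup'} settings $!";
    flock($fh, 2);
    print {$fh} map { "$_\n" } @entries;
    close($fh) or die "Can't save $outgrpsettings{'ipgroup'} settings $!";
}
# … unchanged: separator lines …
opendir(my $dh, "$configpath/ipgroups")
    or die "Can't read $configpath/ipgroups: $!";
my @ipgroups = sort grep { !/\A\./ } readdir($dh);
closedir($dh);
if ($outgrpsettings{'ipgroup'} eq "none" and @ipgroups) { $outgrpsettings{'ipgroup'} = $ipgroups[0]; }

my $ipgroupcontent = '';
if ($outgrpsettings{'ipgroup'} ne 'none'
    && open(my $in, '<', "$configpath/ipgroups/$outgrpsettings{'ipgroup'}")) {
    $ipgroupcontent = do { local $/; <$in> };
    close($in);
}
# Escape before the content is echoed into the page.
$ipgroupcontent =~ s/&/&amp;/g;
$ipgroupcontent =~ s/</&lt;/g;
$ipgroupcontent =~ s/>/&gt;/g;
# … unchanged: newline-to-line-break substitution and the page body …
```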
@@ -1298,6 +1298,10 @@
 'out' => 'Out',
 'outgoing' => 'outgoing',
 'outgoing firewall' => 'Outgoing Firewall',
+'outgoing firewall groups' => 'Outgoing Firewall Groups',
+'outgoing firewall add ip group' => 'Add IP Address Group',
+'outgoing firewall ip groups' => 'Outgoing Firewall IP Adress Groups',
+'outgoing firewall view group' => 'View group',
 'outgoing traffic in bytes per second' => 'Outgoing Traffic',
 'outgoingfw mode0' => 'Using this mode, all clients are able to access the internet without any restrictions.',
 'outgoingfw mode1' => 'Using this mode, only connections based on the defined rules are allowed.',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index e9fe7e501e..0addee7d19 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1014,7 +1014,7 @@
 'invalid vpi vpci' => 'Invalid VPI/VPCI settings',
 'invalid wins address' => 'Invalid WINS server address.',
 'invert' => 'Invert',
-'ip address' => 'IP address:',
+'ip address' => 'IP address',
 'ip address in use' => 'IP address already in use',
 'ip address outside subnets' => 'IP Address outside subnets',
 'ip alias added' => 'External IP alias added',
@@ -1296,8 +1296,12 @@
 'otherip' => 'other IP',
 'otherport' => 'other Port',
 'out' => 'Out',
-'outgoing' => 'outgoing',
-'outgoing firewall' => 'Outgoing Firewall',
+'outgoing' => 'sortant',
+'outgoing firewall' => 'Sortant Firewall',
+'outgoing firewall groups' => 'Sortant Firewall Groupe',
+'outgoing firewall add ip group' => 'Ajouter IP Address Group',
+'outgoing firewall ip groups' => 'Sortant Firewall IP Groupe',
+'outgoing firewall view group' => 'Montrer groupe',
 'outgoing traffic in bytes per second' => 'Outgoing Traffic',
 'outgoingfw mode0' => 'Using this mode, all clients are able to access the internet without any restrictions.',
 'outgoingfw mode1' => 'Using this mode, only connections based on the defined rules are allowed.',
diff --git a/lfs/configroot b/lfs/configroot
index 8345e168d1..6b6b798479 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -52,9 +52,10 @@ $(TARGET) :
 # Create all directories
 for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns \
 ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
- net-traffic/templates nfs optionsfw outgoing/bin patches pakfire portfw \
- ppp private proxy/advanced/cre proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
- updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
+ net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
+ patches pakfire portfw ppp private proxy/advanced/cre proxy/calamaris/bin qos/bin red \
+ remote sensors snort time tripwire/report updatexlrator/bin updatexlrator/autocheck \
+ urlfilter/autoupdate urlfilter/bin upnp vpn \
 wakeonlan wireless xtaccess ; do \
 mkdir -p $(CONFIG_ROOT)/$$i; \
 done