From d9716b067d5ad6c904653840c70d9fde01eac3f7 Mon Sep 17 00:00:00 2001 From: Christian Schmidt Date: Thu, 2 Sep 2010 20:04:03 +0200 Subject: [PATCH] Readded the mac filter to the outgoing firewall. Added mac groups. This feature was requested by bug #0000705. --- config/outgoingfw/outgoingfw.pl | 38 ++++--- config/rootfiles/common/configroot | 2 +- html/cgi-bin/outgoingfw.cgi | 55 +++++++--- html/cgi-bin/outgoinggrp.cgi | 170 ++++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 22 ++-- langs/en/cgi-bin/en.pl | 22 ++-- langs/es/cgi-bin/es.pl | 11 +- langs/fr/cgi-bin/fr.pl | 22 ++-- lfs/configroot | 10 +- src/initscripts/init.d/firewall | 3 + 10 files changed, 276 insertions(+), 79 deletions(-) diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl index 1bdd6127b8..b323c38047 100644 --- a/config/outgoingfw/outgoingfw.pl +++ b/config/outgoingfw/outgoingfw.pl @@ -94,7 +94,7 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { $outfwsettings{'STATE'} = "DENY"; $POLICY = "ACCEPT"; - $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW'"; + $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '"; } ### Initialize IPTables 
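Review bot: The rule comment changes from `'DROP_OUTGOINGFW'` to `'DROP_OUTGOINGFW '` with a trailing space inside the quotes, here and again in the `@@ -263` hunk, and nothing in the patch says why. Anything that matches on that comment in rule listings or log parsing will see a different string after this change. If the space is deliberate, a one-line comment next to `$DO` such as `# trailing space in the comment is intentional; matched elsewhere` would stop the next editor from removing it; if it is not, it should be dropped from both places. The enclosing `if`/`elsif` chain starts before the hunk.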
@@ -102,15 +102,23 @@ system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1"); system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1"); system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1"); +system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1"); +system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1"); +system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1"); + if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { exit 0 } if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT"; + if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } + $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT"; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT"; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } + $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT"; + if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } } foreach $configentry (sort @configs) @@ -148,16 +156,20 @@ foreach $configentry (sort @configs) } elsif ($configline[2] eq 'all') { @SOURCE = ("0/0"); $DEV = ""; + } elsif ($configline[2] eq 'mac') { + @SOURCE = ("$configline[6]"); + $DEV = ""; } else { - if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) - { + if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; + } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) { + @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`; } $DEV = ""; } if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } - + if ($configline[3] eq 'tcp') { @PROTO = ("tcp"); } elsif ($configline[3] eq 'udp') { 
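Review bot: The MODE1 bootstrap is now four copies of the same `$CMD = …; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }` stanza differing only in chain name and match, which is easy to get out of step the next time a chain or a default rule is added. A nested loop over the chains and the matches keeps one copy of the rule text and yields the same rule order within each chain. While there, the `system("$CMD")` return is never examined, so a rule iptables rejects is silently missing; checking the exit status and warning is cheap. The `if` block is closed within the hunk.
```perl
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	for my $chain (qw(OUTGOINGFW OUTGOINGFWMAC)) {
		for my $match ('-m state --state ESTABLISHED,RELATED', '-p icmp') {
			$CMD = "/sbin/iptables -A $chain $match -j ACCEPT";
			if ($DEBUG) { print "$CMD\n"; } else { system("$CMD") == 0 or warn "$CMD failed: $?\n"; }
		}
	}
}
```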
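Review bot: `@SOURCE = \`cat /var/ipfire/outgoing/groups/macgroups/$configline[2]\`;` puts the group name read from the rules file on a shell command line unquoted; the preceding `-e` test proves only that the path exists, not that the name is free of shell metacharacters or `..` components. Reading the file with a 3-arg `open` after an anchored name check keeps the shell out of it entirely, and the ipgroups line this branch mirrors has the same shape. The enclosing `foreach $configentry` loop starts before the hunk.
```perl
} elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) {
	@SOURCE = ();
	if ( $configline[2] =~ m{\A[\w.-]+\z}
		and open my $grp, '<', "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) {
		@SOURCE = <$grp>;
		close $grp;
	}
}
# … unchanged: $DEV = ""; destination and protocol handling …
```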
@@ -174,9 +186,14 @@ foreach $configentry (sort @configs) foreach $SOURCE (@SOURCE) { $SOURCE =~ s/\s//gi; - if ( $SOURCE eq "" ){next;} + if ( $SOURCE eq "" ){next;} - $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO"; + if ( $configline[6] ne "" ){ + $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; + $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; + } else { + $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO"; + } if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { $DPORT = "$configline[8]"; @@ -187,11 +204,6 @@ foreach $configentry (sort @configs) $CMD = "$CMD -i $DEV"; } - if ($configline[6]) { - $MAC = "$configline[6]"; - $CMD = "$CMD -m mac --mac-source $MAC"; - } - if ($configline[17] && $configline[18]) { if ($configline[10]){$DAY = "Mon,"} if ($configline[11]){$DAY .= "Tue,"} @@ -263,10 +275,10 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { } } - $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW'"; + $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '"; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } -} +} \ No newline at end of file diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index abc1ee3722..5f0faf3a08 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -102,7 +102,7 @@ var/ipfire/outgoing var/ipfire/outgoing/defaultservices #var/ipfire/outgoing/groups #var/ipfire/outgoing/groups/ipgroups -#var/ipfire/outgoing/ipgroups +#var/ipfire/outgoing/groups/macgroups #var/ipfire/outgoing/p2protocols #var/ipfire/outgoing/rules #var/ipfire/outgoing/settings diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi index b746a8e36b..3482f35f0f 100644 --- a/html/cgi-bin/outgoingfw.cgi +++ b/html/cgi-bin/outgoingfw.cgi 
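Review bot: The chain is chosen by `if ( $configline[6] ne "" )`, but for a MAC *group* rule the entries in `@SOURCE` come from the macgroups file (the `@@ -148` hunk) while field 6 is presumably empty, so those MAC strings would fall into the `-s $SOURCE` branch and be handed to iptables as IP addresses; conversely, a rule whose source type is an IP or network but whose MAC field is also filled has its IP rewritten by `s/[^a-zA-Z0-9]/:/gi` and passed as `--mac-source`, and the MAC in field 6 is never used. Deciding by the source type instead — a flag set next to `@SOURCE` in the `'mac'` and macgroups branches of the earlier hunk, tested here in place of `$configline[6]` — keeps the two in step. The character rewrite does keep shell metacharacters out of the `system("$CMD")` line, but it does not make the value a MAC address: iptables rejects a malformed one, the unchecked `system` return hides that, and in MODE2 a block rule that failed to load is simply absent, so an anchored `$SOURCE =~ /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i or next;` before building `$CMD` plus a warning on non-zero exit would surface it. The `foreach $SOURCE (@SOURCE)` loop continues past the hunk.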
@@ -321,7 +321,7 @@ END $outfwsettings{'ACTION'} = 'Add rule'; } } -if ($outfwsettings{'ACTION'} eq 'Add rule') +if ($outfwsettings{'ACTION'} eq $Lang::tr{'Add Rule'}) { &addrule(); exit @@ -343,7 +343,7 @@ if ($outfwsettings{'POLICY'} ne 'MODE0'){ &Header::openbox('100%', 'center', 'Rules'); print < - + END ; @@ -462,14 +462,22 @@ END END ; if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - unless ($outfwsettings{'SIP'}) { $outfwsettings{'DISPLAY_SIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; } - unless ($outfwsettings{'SMAC'}) { $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; } else { $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'}; } - print <$Lang::tr{'source ip or net'}: - $outfwsettings{'DISPLAY_SIP'} - -END -; + + unless ($outfwsettings{'SIP'}) { + $outfwsettings{'DISPLAY_SIP'} = 'ALL'; + } else { + $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; + } + + unless ($outfwsettings{'SMAC'}) { + $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; + print "$Lang::tr{'source ip or net'}: "; + print "$outfwsettings{'DISPLAY_SIP'}"; + } else { + $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'}; + print "$Lang::tr{'source'} $Lang::tr{'mac address'}: "; + print "$outfwsettings{'DISPLAY_SMAC'}"; + } } print <$Lang::tr{'time'} - @@ -627,7 +635,7 @@ print < - $Lang::tr{'protocol'}: + $Lang::tr{'protocol'} + + + @@ -674,19 +685,35 @@ END } print < - + END ; my @ipgroups = qx(ls $configpath/ipgroups/); foreach (sort @ipgroups){ print "\t\t\t\t\t\n"; } + print < + +END +; + my @macgroups = qx(ls $configpath/macgroups/); + foreach (sort @macgroups){ + print "\t\t\t\t\t\n"; + } print < - $Lang::tr{'source ip or net'} - + $Lang::tr{'outgoingfw warning'} + + + $Lang::tr{'source ip or net'} + + + + $Lang::tr{'source'} $Lang::tr{'mac address'}: + $Lang::tr{'logging'}: diff --git a/html/cgi-bin/outgoinggrp.cgi b/html/cgi-bin/outgoinggrp.cgi index a94ac820b8..28e5261182 100644 --- a/html/cgi-bin/outgoinggrp.cgi 
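Review bot: The dispatch now compares `$outfwsettings{'ACTION'}` with the translated label `$Lang::tr{'Add Rule'}`, while the context line just above still assigns the literal `'Add rule'` as the fallback action, so that fallback only reaches `&addrule()` if the English translation happens to be exactly `'Add rule'` and never under another locale. Keeping one internal token and mapping the submitted label onto it avoids that: `$outfwsettings{'ACTION'} = 'Add rule' if $outfwsettings{'ACTION'} eq $Lang::tr{'Add Rule'};` before the unchanged `eq 'Add rule'` test. Separately, the language files in this patch rename the `'outgoingfw mode0'` … `'outgoingfw reset'` keys to `'outgoing firewall …'`, and no hunk in this file updates the lookups; if the CGI still reads the old keys they now come back undefined, which is worth confirming. The enclosing block starts before the hunk.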
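Review bot: `my @macgroups = qx(ls $configpath/macgroups/);` spawns a shell to list a directory, and every entry keeps its trailing newline, which is then carried into the option loop below; the ipgroups line just above has the same shape. `opendir`/`readdir` gives the names without the shell or the newlines, e.g. `opendir(my $dh, "$configpath/macgroups") or die "$configpath/macgroups: $!"; my @macgroups = grep { !/\A\./ } readdir($dh); closedir $dh;`. The surrounding form markup starts before the hunk.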
+++ b/html/cgi-bin/outgoinggrp.cgi @@ -48,13 +48,13 @@ my %mainsettings = (); ### Values that have to be initialized $outgrpsettings{'ACTION'} = ''; $outgrpsettings{'ipgroup'} = 'none'; -$outgrpsettings{'portgroup'} = 'none'; +$outgrpsettings{'macgroup'} = 'none'; &Header::getcgihash(\%outgrpsettings); delete $outgrpsettings{'__CGI__'};delete $outgrpsettings{'x'};delete $outgrpsettings{'y'}; $selected{'ipgroup'}{$outgrpsettings{'ipgroup'}} = "selected='selected'"; -$selected{'portgroup'}{$outgrpsettings{'portgroup'}} = "selected='selected'"; +$selected{'macgroup'}{$outgrpsettings{'macgroup'}} = "selected='selected'"; &Header::openpage($Lang::tr{'outgoing firewall groups'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); 
@@ -75,24 +75,46 @@ $selected{'portgroup'}{$outgrpsettings{'portgroup'}} = "selected='selected'"; ############################################################################################################################ ############################################################################################################################ -if ($errormessage) -{ - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - if ($outgrpsettings{'ACTION'} eq 'newipgroup') { &newipgroup(); } elsif ($outgrpsettings{'ACTION'} eq 'deleteipgroup' ) { unlink("$configpath/ipgroups/$outgrpsettings{'ipgroup'}"); } elsif ($outgrpsettings{'ACTION'} eq 'addipgroup') { - open (FILE, ">$configpath/ipgroups/$outgrpsettings{'ipgroup'}") or die "Can't save $outgrpsettings{'ipgroup'} settings $!"; - flock (FILE, 2); - print FILE $outgrpsettings{'ipgroupcontent'}."\n"; - close FILE; + + if ( -e "$configpath/macgroups/$outgrpsettings{'ipgroup'}" ){ + $errormessage = "$Lang::tr{'outgoing firewall group error'}"; + } else { + open (FILE, ">$configpath/ipgroups/$outgrpsettings{'ipgroup'}") or die "Can't save $outgrpsettings{'ipgroup'} settings $!"; + flock (FILE, 2); + print FILE $outgrpsettings{'ipgroupcontent'}."\n"; + close FILE; + } +} + +if ($outgrpsettings{'ACTION'} eq 'newmacgroup') +{ + &newmacgroup(); +} elsif ($outgrpsettings{'ACTION'} eq 'deletemacgroup' ) { + unlink("$configpath/macgroups/$outgrpsettings{'macgroup'}"); +} elsif ($outgrpsettings{'ACTION'} eq 'addmacgroup') { + + if ( -e "$configpath/ipgroups/$outgrpsettings{'macgroup'}" ){ + $errormessage = "$Lang::tr{'outgoing firewall group error'}"; + } else { + open (FILE, ">$configpath/macgroups/$outgrpsettings{'macgroup'}") or die "Can't save $outgrpsettings{'macgroup'} settings $!"; + flock (FILE, 2); + print FILE $outgrpsettings{'macgroupcontent'}."\n"; + close FILE; + } +} + +if ($errormessage) +{ + &Header::openbox('100%', 'left', 
$Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); } ############################################################################################################################ @@ -107,6 +129,7 @@ $ipgroupcontent =~ s/\n/
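Review bot: The new `addmacgroup` and `deletemacgroup` branches build `"$configpath/macgroups/$outgrpsettings{'macgroup'}"` directly from the request parameter with no check on the name, so the `unlink` and the write can be pointed at a path outside the macgroups directory; the `-e` test against the ipgroups directory is the only guard and it only catches a name clash. The write also uses the bareword two-arg form `open (FILE, ">$configpath/macgroups/…")`, where characters at the start of the name can alter the open mode. An anchored check before the dispatch, `if ($outgrpsettings{'macgroup'} !~ m{\A[\w.-]+\z}) { $errormessage = "$Lang::tr{'outgoing firewall group error'}"; }` (or a dedicated message), together with `open (my $fh, '>', "$configpath/macgroups/$outgrpsettings{'macgroup'}")`, closes both; the existing ipgroup branches share the same pattern and would benefit from the same check on `ipgroup`.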
/g; &Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall ip groups'}); print <
@@ -171,9 +194,91 @@ END ; &Header::closebox(); +############################################################################################################################ +############################################################################################################################ + +my @macgroups = qx(ls $configpath/macgroups/); +if ($outgrpsettings{'macgroup'} eq "none" and $#macgroups >= 0 ){ $outgrpsettings{'macgroup'} = $macgroups[0];} + +my $macgroupcontent = `cat $configpath/macgroups/$outgrpsettings{'macgroup'} 2>/dev/null`; +$macgroupcontent =~ s/\n/
/g; + +&Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall mac groups'}); + +print < +
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'outgoing firewall mac groups'}

+ + +

$macgroupcontent

$Lang::tr{'outgoing firewall mac groups'} - $outgrpsettings{'macgroup'}
+
+ + + + + + +
+
+ + +
+
+
+ + + +
+
+
+ + + +
+
+ +END +; +&Header::closebox(); + &Header::closebigbox(); &Header::closepage(); + +############################################################################################################################ +############################################################################################################################ + + sub newipgroup { &Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall add ip group'}); @@ -210,3 +315,40 @@ END &Header::closepage(); exit 0; } + +sub newmacgroup +{ + &Header::openbox('100%', 'center', $Lang::tr{'outgoing firewall add mac group'}); + +print < + + + + + + + + + + + + + + +
$Lang::tr{'outgoing firewall add mac group'}

+ + + + +
+ +
+ +END +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit 0; +} \ No newline at end of file diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7d558571d7..aa09abe3ad 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -22,6 +22,7 @@ 'ConnSched scheduled actions' => 'Geplante Aktionen', 'ConnSched scheduler' => 'Scheduler', 'ConnSched select profile' => 'Wähle Profil', +'outgoingfw warning' => 'Nur die Auswahl Quell IP / MAC aktiviert diese', 'ConnSched time' => 'Zeit:', 'ConnSched up' => 'Hoch', 'ConnSched weekdays' => 'Wochentage:', 
@@ -1275,17 +1276,20 @@ 'outgoing firewall groups' => 'Firewall Gruppen', 'outgoing firewall add ip group' => 'IP Adressgruppen hinzufügen', 'outgoing firewall ip groups' => 'Ausgehende Firewall IP Adressgruppen', +'outgoing firewall add mac group' => 'MAC Adressgruppen hinzufügen', +'outgoing firewall mac groups' => 'Ausgehende Firewall MAC Adressgruppen', 'outgoing firewall view group' => 'Gruppe anzeigen', +'outgoing firewall group error' => 'Eine Gruppe mit dem selben Namen existiert bereits.', 'outgoing traffic in bytes per second' => 'Abgehender Verkehr', -'outgoingfw mode0' => 'In diesem Modus ist es allen Rechnern im Netzwerk uneingeschränkt möglich Verbindungen ins Internet aufzubauen.', -'outgoingfw mode1' => 'In diesem Modus werden nur Verbindungen nach den oben definierten Regeln zugelassen.', -'outgoingfw mode2' => 'In diesem Modus werden sämtliche Verbindungen erlaubt, bis auf die oben definierten Block-Regeln.', -'outgoingfw p2p description 1' => 'Das Symbol', -'outgoingfw p2p description 2' => 'bedeutet, dass das P2P-Protokoll erlaubt wird oder', -'outgoingfw p2p description 3' => 'das P2P-Protokoll gesperrt wird.', -'outgoingfw p2p deny' => 'P2P-Protokoll ist gesperrt!', -'outgoingfw p2p allow' => 'P2P-Protokoll ist erlaubt!', -'outgoingfw reset' => 'Alle Regeln löschen', +'outgoing firewall mode0' => 'In diesem Modus ist es allen Rechnern im Netzwerk uneingeschränkt möglich Verbindungen ins Internet aufzubauen.', +'outgoing firewall mode1' => 'In diesem Modus werden nur Verbindungen nach den oben definierten Regeln zugelassen.', +'outgoing firewall mode2' => 'In diesem Modus werden sämtliche Verbindungen erlaubt, bis auf die oben definierten Block-Regeln.', +'outgoing firewall p2p description 1' => 'Das Symbol', +'outgoing firewall p2p description 2' => 'bedeutet, dass das P2P-Protokoll erlaubt wird oder', +'outgoing firewall p2p description 3' => 'das P2P-Protokoll gesperrt wird.', +'outgoing firewall p2p deny' => 'P2P-Protokoll ist gesperrt!', 
+'outgoing firewall p2p allow' => 'P2P-Protokoll ist erlaubt!', +'outgoing firewall reset' => 'Alle Regeln löschen', 'override mtu' => 'Überschreibe Standard MTU', 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a66ec677d8..7fbeb39f36 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -19,6 +19,7 @@ 'ConnSched ipsecstop' => 'IPSec stop', 'ConnSched reconnect' => 'Reconnect', 'ConnSched scheduled actions' => 'Scheduled actions', +'outgoingfw warning' => 'Not selecting source ip or mac ignores them', 'ConnSched scheduler' => 'Scheduler', 'ConnSched select profile' => 'Select profile', 'modify' => 'Modify', 
@@ -1304,17 +1305,20 @@ 'outgoing firewall groups' => 'Firewall Groups', 'outgoing firewall add ip group' => 'Add IP Address Group', 'outgoing firewall ip groups' => 'Outgoing Firewall IP Adress Groups', +'outgoing firewall add mac group' => 'Add MAC Address Group', +'outgoing firewall mac groups' => 'Outgoing Firewall MAC Adress Groups', 'outgoing firewall view group' => 'View group', +'outgoing firewall group error' => 'A group with the same name exists.', 'outgoing traffic in bytes per second' => 'Outgoing Traffic', -'outgoingfw mode0' => 'Using this mode, all clients are able to access the internet without any restrictions.', -'outgoingfw mode1' => 'Using this mode, only connections based on the defined rules are allowed.', -'outgoingfw mode2' => 'Using this mode, all connections are allowed despited off the defined ones.', -'outgoingfw p2p description 1' => 'The button', -'outgoingfw p2p description 2' => 'means that the p2p protocol is allowed or', -'outgoingfw p2p description 3' => 'that the p2p protocol is denied.', -'outgoingfw p2p deny' => 'p2p protocol is denied', -'outgoingfw p2p allow' => 'p2p protocol is allowed', -'outgoingfw reset' => 'Reset all', +'outgoing firewall mode0' => 'Using this mode, all clients are able to access the internet without any restrictions.', +'outgoing firewall mode1' => 'Using this mode, only connections based on the defined rules are allowed.', +'outgoing firewall mode2' => 'Using this mode, all connections are allowed despited off the defined ones.', +'outgoing firewall p2p description 1' => 'The button', +'outgoing firewall p2p description 2' => 'means that the p2p protocol is allowed or', +'outgoing firewall p2p description 3' => 'that the p2p protocol is denied.', +'outgoing firewall p2p deny' => 'p2p protocol is denied', +'outgoing firewall p2p allow' => 'p2p protocol is allowed', +'outgoing firewall reset' => 'Reset all', 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN 
Connection Statistics', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 5a2fbe342b..8b7d2937ac 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -18,6 +18,7 @@ 'ConnSched ipsecstop' => 'Detener IPSec', 'ConnSched reconnect' => 'Reconectar', 'ConnSched scheduled actions' => 'Acciones planificadas', +'outgoingfw warning' => 'No seleccionar ip origen o mac las ignora', 'ConnSched scheduler' => 'Planificador', 'ConnSched select profile' => 'Elegir Perfil', 'modify' => 'Modificar', @@ -1300,11 +1301,11 @@ 'outgoing' => 'salida', 'outgoing firewall' => 'Firewall de salida', 'outgoing traffic in bytes per second' => 'Tráfico de salida', -'outgoingfw mode0' => 'Usando este modo, todos los clientes tienen acceso al internet sin restricciones.', -'outgoingfw mode1' => 'Usando este modo, solamente las conexión basadas en las reglas definidas son permitidas.', -'outgoingfw mode2' => 'Usando este modo, todas las conexioens son permitidas sin importar las ya definidias.', -'outgoingfw p2p description' => 'Presiones el botón correspondiente para activar/desactivar el módulo de bloqueo P2P', -'outgoingfw reset' => 'Restablecer todo', +'outgoing firewall mode0' => 'Usando este modo, todos los clientes tienen acceso al internet sin restricciones.', +'outgoing firewall mode1' => 'Usando este modo, solamente las conexión basadas en las reglas definidas son permitidas.', +'outgoing firewall mode2' => 'Usando este modo, todas las conexioens son permitidas sin importar las ya definidias.', +'outgoing firewall p2p description' => 'Presiones el botón correspondiente para activar/desactivar el módulo de bloqueo P2P', +'outgoing firewall reset' => 'Restablecer todo', 'override mtu' => 'Sobreescribir MTU por defecto', 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Estadisticas de conexión OpenVPN', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index dbc11bf365..7d76c78d0c 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl 
@@ -18,6 +18,7 @@ 'ConnSched ipsecstart' => 'IPSec (re)démarrage', 'ConnSched ipsecstop' => 'IPSec arrêt', 'ConnSched reconnect' => 'Reconnecter', +'outgoingfw warning' => 'Ne pas choisir IP source ou Mac ignore les', 'ConnSched scheduled actions' => 'Actions planifiées', 'ConnSched scheduler' => 'Planificateur', 'ConnSched select profile' => 'Sélectionner profil', 
@@ -1301,17 +1302,20 @@ 'outgoing firewall groups' => 'Groupes de pare-feu', 'outgoing firewall add ip group' => 'Ajouter un groupe d\'adresses IP', 'outgoing firewall ip groups' => 'Groupes d\'adresses IP du pare-feu sortant', +'outgoing firewall add mac group' => 'Ajouter un groupe d\'adresses MAC', +'outgoing firewall mac groups' => 'Groupes d\'adresses MAC du pare-feu sortant', 'outgoing firewall view group' => 'Voir le groupe', +'outgoing firewall group error' => 'Un groupe portant le même nom existe.', 'outgoing traffic in bytes per second' => 'Trafic sortant', -'outgoingfw mode0' => 'En utilisant ce mode, tous les clients peuvent avoir accès à Internet sans restrictions.', -'outgoingfw mode1' => 'En utilisant ce mode, seules les connexions basées sur les règles prédéfinies sont autorisées.', -'outgoingfw mode2' => 'En utilisant ce mode, toutes les connexions sont autorisées sans tenir compte de la liste de définitions.', -'outgoingfw p2p description 1' => 'Le bouton', -'outgoingfw p2p description 2' => ' signifie que le protocol est autorisé ou', -'outgoingfw p2p description 3' => 'que le protocole p2p est bloqué.', -'outgoingfw p2p deny' => 'le protocole p2p est refusé', -'outgoingfw p2p allow' => 'le protocole p2p est autorisé', -'outgoingfw reset' => 'Tout réinitialiser', +'outgoing firewall mode0' => 'En utilisant ce mode, tous les clients peuvent avoir accès à Internet sans restrictions.', +'outgoing firewall mode1' => 'En utilisant ce mode, seules les connexions basées sur les règles prédéfinies sont autorisées.', +'outgoing firewall mode2' => 'En utilisant ce mode, toutes les connexions sont autorisées sans tenir compte de la liste de définitions.', +'outgoing firewall p2p description 1' => 'Le bouton', +'outgoing firewall p2p description 2' => ' signifie que le protocol est autorisé ou', +'outgoing firewall p2p description 3' => 'que le protocole p2p est bloqué.', +'outgoing firewall p2p deny' => 'le protocole p2p est refusé', +'outgoing firewall p2p 
allow' => 'le protocole p2p est autorisé', +'outgoing firewall reset' => 'Tout réinitialiser', 'override mtu' => 'Outrepasser le MTU par défaut', 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Statistiques de connexions OpenVPN', diff --git a/lfs/configroot b/lfs/configroot index 544bb25811..ff1a2062a8 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -51,12 +51,12 @@ $(TARGET) : # Create all directories for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns \ - ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ + ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \ - patches pakfire portfw ppp private proxy/advanced/cre proxy/calamaris/bin qos/bin red \ - remote sensors snort time tripwire/report updatexlrator/bin updatexlrator/autocheck \ - urlfilter/autoupdate urlfilter/bin upnp vpn \ - wakeonlan wireless xtaccess ; do \ + outgoing/groups/macgroups patches pakfire portfw ppp private proxy/advanced/cre \ + proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ + updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ + wakeonlan wireless xtaccess ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ done diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c38cce5c27..b9f3908303 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -147,6 +147,7 @@ case "$1" in /sbin/iptables -N CUSTOMOUTPUT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW + /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING 
@@ -183,6 +184,8 @@ case "$1" in # Outgoing Firewall /sbin/iptables -A FORWARD -j OUTGOINGFW + /sbin/iptables -A FORWARD -j OUTGOINGFWMAC + /sbin/iptables -A INPUT -j OUTGOINGFWMAC # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT -- 2.39.2
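Review bot: `OUTGOINGFWMAC` is jumped to from FORWARD only after `OUTGOINGFW`, and in MODE1 outgoingfw.pl still closes `OUTGOINGFW` with `-o $netsettings{'RED_DEV'} -j DROP` (its `@@ -263` hunk), so Internet-bound traffic is dropped before it can reach a MAC-based ACCEPT rule; if MAC rules are meant to admit clients in MODE1, the MAC chain has to be evaluated before that final DROP, for example by jumping to `OUTGOINGFWMAC` ahead of `OUTGOINGFW` or from inside it. The `INPUT -j OUTGOINGFWMAC` hook is new as well: it applies rules written for the outgoing firewall to traffic addressed to the firewall itself, which presumably means a MODE2 MAC block rule with destination `0/0` also cuts that client off from services on the box; if that is intended, a comment saying so next to the hook would help. The `case` body continues outside the hunk.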