#!/usr/bin/perl ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see . # # # ############################################################################### use strict; use Sort::Naturally; no warnings 'uninitialized'; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/firewall/bin/firewall-lib.pl"; unless (-d "${General::swroot}/firewall") { system("mkdir ${General::swroot}/firewall"); } unless (-e "${General::swroot}/firewall/settings") { system("touch ${General::swroot}/firewall/settings"); } unless (-e "${General::swroot}/firewall/config") { system("touch ${General::swroot}/firewall/config"); } unless (-e "${General::swroot}/firewall/input") { system("touch ${General::swroot}/firewall/input"); } unless (-e "${General::swroot}/firewall/outgoing") { system("touch ${General::swroot}/firewall/outgoing"); } my %fwdfwsettings=(); my %selected=() ; my %defaultNetworks=(); my %netsettings=(); my %customhost=(); my %customgrp=(); my %customnetworks=(); my %customservice=(); my %customservicegrp=(); my %ccdnet=(); my %customnetwork=(); my %ccdhost=(); my %configfwdfw=(); my %configinputfw=(); my %configoutgoingfw=(); my %ipsecconf=(); my %color=(); my %mainsettings=(); my %checked=(); my %icmptypes=(); my %ovpnsettings=(); my %ipsecsettings=(); my %aliases=(); my %optionsfw=(); my %ifaces=(); my @PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP", "AH", "ESP", "GRE","IPv6","IPIP"); my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configipsecrw = "${General::swroot}/vpn/settings"; my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; my $configoutgoing = "${General::swroot}/firewall/outgoing"; my $configovpn = "${General::swroot}/ovpn/settings"; my $fwoptions = "${General::swroot}/optionsfw/settings"; my $ifacesettings = "${General::swroot}/ethernet/settings"; my $errormessage=''; my $hint=''; my $ipgrp="${General::swroot}/outgoing/groups"; my $tdcolor=''; my $checkorange=''; my @protocols; &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); &General::readhash($fwoptions, \%optionsfw); &General::readhash($ifacesettings, \%ifaces); &General::readhash("$configovpn", \%ovpnsettings); &General::readhash("$configipsecrw", \%ipsecsettings); &General::readhasharray("$configipsec", \%ipsecconf); &Header::showhttpheaders(); &Header::getcgihash(\%fwdfwsettings); &Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); &Header::openbigbox('100%', 'center',$errormessage); #### JAVA SCRIPT #### print< var PROTOCOLS_WITH_PORTS = ["TCP", "UDP"]; var update_protocol = function() { var protocol = \$("#protocol").val(); if (protocol === undefined) return; // Check if a template is/should be used. if (protocol === "template") { \$("#PROTOCOL_TEMPLATE").show(); } else { \$("#PROTOCOL_TEMPLATE").hide(); } // Check if we are dealing with a protocol, that knows ports. if (\$.inArray(protocol, PROTOCOLS_WITH_PORTS) >= 0) { \$("#PROTOCOL_PORTS").show(); } else { \$("#PROTOCOL_PORTS").hide(); } // Handle ICMP. if (protocol === "ICMP") { \$("#PROTOCOL_ICMP_TYPES").show(); } else { \$("#PROTOCOL_ICMP_TYPES").hide(); } }; \$(document).ready(function() { \$("#protocol").change(update_protocol); update_protocol(); // Show/Hide elements when NAT checkbox is checked. if (\$("#USE_NAT").attr("checked")) { \$("#actions").hide(); } else { \$(".NAT").hide(); } // Show NAT area when "use nat" checkbox is clicked \$("#USE_NAT").change(function() { \$(".NAT").toggle(); \$("#actions").toggle(); }); // Time constraints if(!\$("#USE_TIME_CONSTRAINTS").attr("checked")) { \$("#TIME_CONSTRAINTS").hide(); } \$("#USE_TIME_CONSTRAINTS").change(function() { \$("#TIME_CONSTRAINTS").toggle(); }); // Automatically select radio buttons when corresponding // dropdown menu changes. \$("select").change(function() { var id = \$(this).attr("name"); \$('#' + id).prop("checked", true); }); }); END #### ACTION ##### if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); &General::readhasharray("$configoutgoing", \%configoutgoingfw); #Set Variables according to the JQuery code in protocol section if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') { if ($fwdfwsettings{'SRC_PORT'} ne '') { $fwdfwsettings{'USE_SRC_PORT'} = 'ON'; } if ($fwdfwsettings{'TGT_PORT'} ne '') { $fwdfwsettings{'USESRV'} = 'ON'; $fwdfwsettings{'grp3'} = 'TGT_PORT'; } } if ($fwdfwsettings{'PROT'} eq 'template') { $fwdfwsettings{'USESRV'} = 'ON'; } $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ $checkorange='on'; } } #check useless rules if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage.=$Lang::tr{'fwdfw useless rule'}."
"; } #check if we try to break rules if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){ $errormessage=$Lang::tr{'fwdfw err same'}; } #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'chain'} = 'INPUTFW'; my $maxkey=&General::findhasharraykey(\%configinputfw); #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configinputfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } } } } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configinputfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; $fwdfwsettings{'nosave2'} = 'on'; } } if (!$errormessage){ if($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configinputfw,$configinput); } } }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){ # OUTGOING PART $fwdfwsettings{'config'}=$configoutgoing; $fwdfwsettings{'chain'} = 'OUTGOINGFW'; my $maxkey=&General::findhasharraykey(\%configoutgoingfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configoutgoingfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } } } } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ print"CHECK OUTGOING DOPPELTE REGEL
"; $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; } } #increase counters if (!$errormessage){ if ($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configoutgoingfw,$configoutgoing); } } }else{ #FORWARD PART $fwdfwsettings{'config'}=$configfwdfw; $fwdfwsettings{'chain'} = 'FORWARDFW'; my $maxkey=&General::findhasharraykey(\%configfwdfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ $errormessage=''; }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } } } } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configfwdfw){ if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; } } #increase counters if (!$errormessage){ if ($fwdfwsettings{'nosave2'} ne 'on'){ &saverule(\%configfwdfw,$configfwdfw); } } } if ($errormessage){ &newrule; }else{ if($fwdfwsettings{'nosave2'} ne 'on'){ &General::firewall_config_changed(); } &base; } } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) { &newrule; } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw toggle'}) { my %togglehash=(); &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); foreach my $key (sort keys %togglehash){ if ($key eq $fwdfwsettings{'key'}){ if ($togglehash{$key}[2] eq 'ON'){$togglehash{$key}[2]='';}else{$togglehash{$key}[2]='ON';} } } &General::writehasharray($fwdfwsettings{'config'}, \%togglehash); &General::firewall_config_changed(); &base; } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw togglelog'}) { my %togglehash=(); &General::readhasharray($fwdfwsettings{'config'}, \%togglehash); foreach my $key (sort keys %togglehash){ if ($key eq $fwdfwsettings{'key'}){ if ($togglehash{$key}[17] eq 'ON'){$togglehash{$key}[17]='';}else{$togglehash{$key}[17]='ON';} } } &General::writehasharray($fwdfwsettings{'config'}, \%togglehash); &General::firewall_config_changed(); &base; } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) { &General::firewall_reload(); &base; } if ($fwdfwsettings{'ACTION'} eq 'editrule') { $fwdfwsettings{'updatefwrule'}='on'; &newrule; } if ($fwdfwsettings{'ACTION'} eq 'deleterule') { &deleterule; } if ($fwdfwsettings{'ACTION'} eq 'moveup') { &pos_up; &base; } if ($fwdfwsettings{'ACTION'} eq 'movedown') { &pos_down; &base; } if ($fwdfwsettings{'ACTION'} eq 'copyrule') { $fwdfwsettings{'copyfwrule'}='on'; &newrule; } if ($fwdfwsettings{'ACTION'} eq '' or $fwdfwsettings{'ACTION'} eq 'reset') { &base; } ### Functions #### sub addrule { &error; &Header::openbox('100%', 'left', ""); print <
END if (&General::firewall_needs_reload()) { print < END } print <

END &Header::closebox(); &viewtablerule; } sub base { &hint; &addrule; } sub changerule { my $oldchain=shift; $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$oldchain; $fwdfwsettings{'nobase'}='on'; &deleterule; } sub checksource { my ($ip,$subnet); #check ip-address if manual if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) { ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'}); $subnet = &General::iporsubtocidr($subnet); $fwdfwsettings{'isip'}='on'; } #check if only ip if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ $ip=$fwdfwsettings{'src_addr'}; $subnet = '32'; $fwdfwsettings{'isip'}='on'; } if ($fwdfwsettings{'isip'} ne 'on'){ if (&General::validmac($fwdfwsettings{'src_addr'})){ $fwdfwsettings{'ismac'}='on'; } } if ($fwdfwsettings{'isip'} eq 'on'){ ##check if ip is valid if (! &General::validip($ip)){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; return $errormessage; } #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); #check if net or broadcast $fwdfwsettings{'src_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; return $errormessage; } } if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; return $errormessage; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; return $errormessage; } #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){ my @parts=split(",",$fwdfwsettings{'SRC_PORT'}); my @values=(); foreach (@parts){ chomp($_); if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { my $check; #change dashes with : $_=~ tr/-/:/; if ($_ eq "*") { push(@values,"1:65535"); $check='on'; } if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { push(@values,"1:$2"); $check='on'; } if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) { push(@values,"$1:65535"); $check='on' } $errormessage .= &General::validportrange($_, 'destination'); if(!$check){ push (@values,$_); } }else{ if (&General::validport($_)){ push (@values,$_); }else{ } } } $fwdfwsettings{'SRC_PORT'}=join("|",@values); } return $errormessage; } sub checktarget { my ($ip,$subnet); &General::readhasharray("$configsrv", \%customservice); #check DNAT settings (has to be single Host and single Port or portrange) if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ #check if manual ip is a single Host (if set) if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){ my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}}); my @tmp1= split ("/",$tmp[3]); if (($tmp1[0] eq "0") || ($tmp1[0] eq "255")) { $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; return $errormessage; } } #check if Port is a single Port or portrange if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if(($fwdfwsettings{'PROT'} ne 'TCP'|| $fwdfwsettings{'PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; return $errormessage; } if (($fwdfwsettings{'PROT'} eq 'TCP'|| $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; return $errormessage; } } }else{ $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; return $errormessage; } } if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { ($ip,$subnet)=split (/\//,$fwdfwsettings{'tgt_addr'}); $subnet = &General::iporsubtocidr($subnet); } #check if only ip if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){ $ip=$fwdfwsettings{'tgt_addr'}; $subnet='32'; } #check if ip is valid if (! &General::validip($ip)){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; return $errormessage; } #check and form valid IP $ip=&General::ip2dec($ip); $ip=&General::dec2ip($ip); $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
"; return $errormessage; } }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } #check for mac in targetgroup if ($fwdfwsettings{'grp2'} eq 'cust_grp_tgt'){ &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$confighost", \%customhost); foreach my $grpkey (sort keys %customgrp){ foreach my $hostkey (sort keys %customhost){ if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customhost{$hostkey}[1] eq 'mac'){ $hint=$Lang::tr{'fwdfw hint mac'}; return $hint; } } } } #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} #check tgt services if ($fwdfwsettings{'USESRV'} eq 'ON'){ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; $fwdfwsettings{'TGT_PORT'}=''; } if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; $fwdfwsettings{'TGT_PORT'}=''; #check target service if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err tgt_grp'}; } } if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') { $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
"; return $errormessage; } my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); my @values=(); foreach (@parts){ chomp($_); if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { my $check; #change dashes with : $_=~ tr/-/:/; if ($_ eq "*") { push(@values,"1:65535"); $check='on'; } if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { push(@values,"1:$2"); $check='on'; } if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { push(@values,"$1:65535"); $check='on' } $errormessage .= &General::validportrange($_, 'destination'); if(!$check){ push (@values,$_); } }else{ if (&General::validport($_)){ push (@values,$_); }else{ $errormessage=$Lang::tr{'fwdfw err tgt_port'}; return $errormessage; } } } $fwdfwsettings{'TGT_PORT'}=join("|",@values); } }elsif ($fwdfwsettings{'PROT'} eq 'GRE'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'} = ''; }elsif ($fwdfwsettings{'PROT'} eq 'ESP'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'PROT'} eq 'AH'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; $fwdfwsettings{'TGT_PORT'} = ''; $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'PROT'} eq 'ICMP'){ $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; $fwdfwsettings{'TGT_PORT'} = ''; } } } #check targetport if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; $fwdfwsettings{'ICMP_TGT'}=''; } #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ $errormessage=$Lang::tr{'fwdfw err time'}; return $errormessage; } } return $errormessage; } sub check_natport { my $val=shift; if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) { $fwdfwsettings{'dnatport'} =~ tr/-/:/; if ($fwdfwsettings{'dnatport'} eq "*") { $fwdfwsettings{'dnatport'}="1:65535"; } if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) { $fwdfwsettings{'dnatport'} = "1:$2"; } if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) { $fwdfwsettings{'dnatport'} ="$1:65535"; } } return 1; } if ($val =~ "," || $val>65536 || $val<0){ return 0; } return 1; } sub checkrule { #check valid port for NAT if($fwdfwsettings{'USE_NAT'} eq 'ON'){ #RULE_ACTION must be ACCEPT if we use NAT $fwdfwsettings{'RULE_ACTION'} = 'ACCEPT'; #if no dnat or snat selected errormessage if ($fwdfwsettings{'nat'} eq ''){ $errormessage=$Lang::tr{'fwdfw dnat nochoice'}; return; } #if using snat, the external port has to be empty if ($fwdfwsettings{'nat'} eq 'snat' && $fwdfwsettings{'dnatport'} ne ''){ $errormessage=$Lang::tr{'fwdfw dnat extport'}; return; } #if no dest port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} if($fwdfwsettings{'TGT_PORT'} eq '' && $fwdfwsettings{'dnatport'} ne '' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP')){ $errormessage=$Lang::tr{'fwdfw dnat porterr2'}; return; } #check if port given in nat area is a single valid port or portrange if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ my $custsrvport; #get service Protocol and Port foreach my $key (sort keys %customservice){ if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){ if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; } $custsrvport= $customservice{$key}[1]; } } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} } #check if DNAT port is multiple if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ my @parts=split(",",$fwdfwsettings{'dnatport'}); my @values=(); foreach (@parts){ chomp($_); if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) { my $check; #change dashes with : $_=~ tr/-/:/; if ($_ eq "*") { push(@values,"1:65535"); $check='on'; } if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) { push(@values,"1:$2"); $check='on'; } if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) { push(@values,"$1:65535"); $check='on' } $errormessage .= &General::validportrange($_, 'destination'); if(!$check){ push (@values,$_); } }else{ if (&General::validport($_)){ push (@values,$_); }else{ } } } $fwdfwsettings{'dnatport'}=join("|",@values); } #check if a rule with prot tcp or udp and ports is edited and now prot is "all", then delete all ports if($fwdfwsettings{'PROT'} eq ''){ $fwdfwsettings{'dnatport'}=''; } } #check valid remark if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage.=$Lang::tr{'fwdfw err remark'}."
"; } #check if source and target identical if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){ $errormessage=$Lang::tr{'fwdfw err same'}; return $errormessage; } #get source and targetip address if possible my ($sip,$scidr,$tip,$tcidr); ($sip,$scidr)=&get_ip("src","grp1"); ($tip,$tcidr)=&get_ip("tgt","grp2"); #check same iprange in source and target if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ my $networkip1=&General::getnetworkip($sip,$scidr); my $networkip2=&General::getnetworkip($tip,$tcidr); if ($scidr gt $tcidr){ if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } }elsif($scidr eq $tcidr && $scidr eq '32'){ my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1); my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2); if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ $hint=$Lang::tr{'fwdfw hint ip1'}."
"; $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } }else{ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } } #when icmp selected, no source and targetport allowed if (($fwdfwsettings{'PROT'} ne '' && $fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'template') && ($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON')){ $errormessage.=$Lang::tr{'fwdfw err prot_port'}; return; } #change protocol if prot not equal dest single service if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ foreach my $key (sort keys %customservice){ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){ $fwdfwsettings{'PROT'} = $customservice{$key}[2]; last; } } } } #check source and destination protocol if source manual and dest servicegroup if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ $fwdfwsettings{'PROT'} = ''; } #ATTENTION: $fwdfwsetting{'TGT_PROT'} deprecated since 30.09.2013 $fwdfwsettings{'TGT_PROT'}=''; #Set field empty (deprecated) #Check ICMP Types if ($fwdfwsettings{'PROT'} eq 'ICMP'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; #$fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0] ($icmptypes{$key}[1])"){ $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; } } }elsif($fwdfwsettings{'PROT'} eq 'GRE'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} eq 'ESP'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} eq 'AH'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} eq 'IGMP'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} eq 'IPv6'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} eq 'IPIP'){ $fwdfwsettings{'USE_SRC_PORT'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP'){ $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; } } sub checkvpn { my $ip=shift; #Test if manual IP is part of static OpenVPN networks &General::readhasharray("$configccdnet", \%ccdnet); foreach my $key (sort keys %ccdnet){ my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]); my $sub=&General::iporsubtodec($vpnsubnet); if (&General::IpInSubnet($ip,$vpnip,$sub)){ return 0; } } # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor # because if one creates a custom host with the ip, we need to check the color there! # It does not make sense to check this here # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here # Is also checked in getcolor # Test if manual ip is part of an IPsec Network is also checked in getcolor return 1; } sub checkvpncolor { } sub deleterule { my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); foreach my $key (sort {$a <=> $b} keys %delhash){ if ($key >= $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $delhash{$next}) { foreach my $i (0 .. $#{$delhash{$next}}) { $delhash{$key}[$i] = $delhash{$next}[$i]; } } } } # Remove the very last entry. my $last_key = (sort {$a <=> $b} keys %delhash)[-1]; delete $delhash{$last_key}; &General::writehasharray($fwdfwsettings{'config'}, \%delhash); &General::firewall_config_changed(); if($fwdfwsettings{'nobase'} ne 'on'){ &base; } } sub disable_rule { my $key1=shift; &General::readhasharray("$configfwdfw", \%configfwdfw); foreach my $key (sort keys %configfwdfw){ if ($key eq $key1 ){ if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';} } } &General::writehasharray("$configfwdfw", \%configfwdfw); &General::firewall_config_changed(); } sub error { if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "$errormessage\n"; print " \n"; &Header::closebox(); } } sub fillselect { my %hash=%{(shift)}; my $val=shift; my $key; foreach my $key (sort { ncmp($hash{$a}[0],$hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ print""; }else{ print""; } } } sub gen_dd_block { my $srctgt = shift; my $grp=shift; my $helper=''; my $show=''; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; print< "; #custom networks if (! -z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print""; } #custom hosts if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print""; } #custom groups if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print""; } #End left table. start right table (vpn) print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust addr'}
$Lang::tr{'fwhost cust grp'}
"; # CCD networks if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print""; } #OVPN CCD Hosts foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){ if ($ccdhost{$key}[33] ne '' ){ print"" ; } if ($show eq '1'){$show='';print"";} #OVPN N2N foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ print"" ; } if ($show eq '1'){$show='';print"";} #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ print""; } if ($show eq '1'){$show='';print"";} print"
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ccdhost'}
$Lang::tr{'fwhost ovpn_n2n'}:
$Lang::tr{'fwhost ovpn_n2n'}
$Lang::tr{'fwhost ipsec net'}
$Lang::tr{'fwhost ipsec net'}
"; print"
"; } sub get_ip { my $val=shift; my $grp =shift; my $a; my $b; &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){ if ($fwdfwsettings{$grp} eq $val.'_addr'){ ($a,$b) = split (/\//, $fwdfwsettings{$fwdfwsettings{$grp}}); }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){ if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){ $a=$netsettings{'GREEN_NETADDRESS'}; $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'}); }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){ $a=$netsettings{'ORANGE_NETADDRESS'}; $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'}); }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){ $a=$netsettings{'BLUE_NETADDRESS'}; $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'}); }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){ &General::readhash("$configovpn",\%ovpnsettings); ($a,$b) = split (/\//, $ovpnsettings{'DOVPN_SUBNET'}); $b=&General::iporsubtocidr($b); } }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){ &General::readhasharray("$confignet", \%customnetwork); foreach my $key (keys %customnetwork){ if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ $a=$customnetwork{$key}[1]; $b=&General::iporsubtocidr($customnetwork{$key}[2]); } } }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){ &General::readhasharray("$confighost", \%customhost); foreach my $key (keys %customhost){ if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ if ($customhost{$key}[1] eq 'ip'){ ($a,$b)=split (/\//,$customhost{$key}[2]); $b=&General::iporsubtocidr($b); }else{ if ($grp eq 'grp2'){ $errormessage=$Lang::tr{'fwdfw err tgt_mac'}; } } } } } } return $a,$b; } sub get_name { my $val=shift; &General::setup_default_networks(\%defaultNetworks); foreach my $network (sort keys %defaultNetworks) { return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); } } sub getsrcport { my %hash=%{(shift)}; my $key=shift; if($hash{$key}[7] eq 'ON' && $hash{$key}[10]){ $hash{$key}[10]=~ s/\|/,/g; print": $hash{$key}[10]"; }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ print":
$hash{$key}[9] "; } } sub gettgtport { my %hash=%{(shift)}; my $key=shift; my $service; my $prot; if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); foreach my $i (sort keys %customservice){ if($customservice{$i}[0] eq $hash{$key}[15]){ $service = $customservice{$i}[0]; } } }elsif($hash{$key}[14] eq 'cust_srvgrp'){ $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ $hash{$key}[15]=~ s/\|/,/g; $service=$hash{$key}[15]; } if($service){ print": $service"; } } } sub get_serviceports { my $type=shift; my $name=shift; &General::readhasharray("$configsrv", \%customservice); &General::readhasharray("$configsrvgrp", \%customservicegrp); my $tcp; my $udp; my $icmp; @protocols=(); if($type eq 'service'){ foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ if ($customservice{$key}[0] eq $name){ push (@protocols,$customservice{$key}[2]); } } }elsif($type eq 'group'){ foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ if ($customservicegrp{$key}[0] eq $name){ foreach my $key1 (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ if($customservice{$key1}[2] eq 'TCP'){ $tcp='TCP'; }elsif($customservice{$key1}[2] eq 'ICMP'){ $icmp='ICMP'; }elsif($customservice{$key1}[2] eq 'UDP'){ $udp='UDP'; } } } } } } if($tcp && $udp && $icmp){ push (@protocols,"TCP,UDP,
ICMP"); return @protocols; } if($tcp){ push (@protocols,"TCP"); } if($udp){ push (@protocols,"UDP"); } if($icmp){ push (@protocols,"ICMP"); } return @protocols; } sub getcolor { my $nettype=shift; my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ #custom Hosts if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ foreach my $key (sort keys %$hash){ if ($$hash{$key}[0] eq $val){ $val=$$hash{$key}[2]; } } } #standard networks if ($val eq 'GREEN'){ $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; return; }elsif ($val eq 'ORANGE'){ $tdcolor="style='background-color: $Header::colourorange;color:white;'"; return; }elsif ($val eq 'BLUE'){ $tdcolor="style='background-color: $Header::colourblue;color:white;'"; return; }elsif ($val eq 'RED' ||$val eq 'RED1' ){ $tdcolor="style='background-color: $Header::colourred;color:white;'"; return; }elsif ($val eq 'IPFire' ){ $tdcolor="style='background-color: $Header::colourred;color:white;'"; return; }elsif ($val eq 'OpenVPN-Dyn' ){ $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; }elsif ($val eq 'IPsec RW' ){ $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; }elsif($val =~ /^(.*?)\/(.*?)$/){ my ($sip,$scidr) = split ("/",$val); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ $tdcolor="style='background-color: $Header::colourorange;color:white;'"; return; } if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; return; } if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ $tdcolor="style='background-color: $Header::colourblue;color:white;'"; return; } }elsif ($val eq 'Default IP'){ $tdcolor="style='background-color: $Header::colourred;color:white;'"; return; } #Check if a manual IP or custom host is part of a VPN if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr' || $nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ #Check if IP is part of OpenVPN dynamic subnet my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); my ($c,$d) = split("/",$val); if (&General::IpInSubnet($c,$a,$b)){ $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } #Check if IP is part of OpenVPN static subnet foreach my $key (sort keys %ccdnet){ my ($a,$b) = split("/",$ccdnet{$key}[1]); $b =&General::iporsubtodec($b); if (&General::IpInSubnet($c,$a,$b)){ $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } } #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ my ($a,$b) = split("/",$ccdhost{$key}[11]); if (&General::IpInSubnet($c,$a,$b)){ $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } } } #Check if IP is part of IPsec RW network if ($ipsecsettings{'RW_NET'} ne ''){ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); $b=&General::iporsubtodec($b); if (&General::IpInSubnet($c,$a,$b)){ $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } } #Check if IP is part of a IPsec N2N network foreach my $key (sort keys %ipsecconf){ my ($a,$b) = split("/",$ipsecconf{$key}[11]); $b=&General::iporsubtodec($b); if (&General::IpInSubnet($c,$a,$b)){ $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } } } #VPN networks if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; return; } if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; return; } #ALIASE foreach my $alias (sort keys %aliases) { if ($val eq $alias){ $tdcolor="style='background-color:$Header::colourred;color:white;'"; return; } } } $tdcolor=''; return; } sub hint { if ($hint) { &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); print "$hint\n"; print " \n"; &Header::closebox(); } } sub newrule { &error; &General::setup_default_networks(\%defaultNetworks); &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); #read all configfiles &General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$confignet", \%customnetwork); &General::readhasharray("$configccdhost", \%ccdhost); &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$configccdhost", \%ccdhost); &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configipsec", \%ipsecconf); &General::get_aliases(\%aliases); my %checked=(); my $helper; my $sum=0; if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); #Get Red IP-ADDRESS open (CONN1,"/var/ipfire/red/local-ipaddress"); my $redip = ; close(CONN1); if (! $fwdfwsettings{'RULE_ACTION'} && $fwdfwsettings{'POLICY'} eq 'MODE2'){ $fwdfwsettings{'RULE_ACTION'}='DROP'; }elsif(! $fwdfwsettings{'RULE_ACTION'} && $fwdfwsettings{'POLICY'} eq 'MODE1'){ $fwdfwsettings{'RULE_ACTION'}='ACCEPT'; } $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); foreach my $key (sort keys %hash){ $sum++; if ($key eq $fwdfwsettings{'key'}){ $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'}; $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; $fwdfwsettings{'chain'} = $hash{$key}[1]; $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; $fwdfwsettings{'grp1'} = $hash{$key}[3]; $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; $fwdfwsettings{'grp2'} = $hash{$key}[5]; $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6]; $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7]; $fwdfwsettings{'PROT'} = $hash{$key}[8]; $fwdfwsettings{'ICMP_TYPES'} = $hash{$key}[9]; $fwdfwsettings{'SRC_PORT'} = $hash{$key}[10]; $fwdfwsettings{'USESRV'} = $hash{$key}[11]; $fwdfwsettings{'TGT_PROT'} = $hash{$key}[12]; $fwdfwsettings{'ICMP_TGT'} = $hash{$key}[13]; $fwdfwsettings{'grp3'} = $hash{$key}[14]; $fwdfwsettings{$fwdfwsettings{'grp3'}} = $hash{$key}[15]; $fwdfwsettings{'ruleremark'} = $hash{$key}[16]; $fwdfwsettings{'LOG'} = $hash{$key}[17]; $fwdfwsettings{'TIME'} = $hash{$key}[18]; $fwdfwsettings{'TIME_MON'} = $hash{$key}[19]; $fwdfwsettings{'TIME_TUE'} = $hash{$key}[20]; $fwdfwsettings{'TIME_WED'} = $hash{$key}[21]; $fwdfwsettings{'TIME_THU'} = $hash{$key}[22]; $fwdfwsettings{'TIME_FRI'} = $hash{$key}[23]; $fwdfwsettings{'TIME_SAT'} = $hash{$key}[24]; $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; $fwdfwsettings{'USE_NAT'} = $hash{$key}[28]; $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; $fwdfwsettings{'dnatport'} = $hash{$key}[30]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; } } $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ $fwdfwsettings{'oldorange'} ='on'; } } }else{ $fwdfwsettings{'ACTIVE'}='ON'; $fwdfwsettings{'nat'} = 'dnat'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ $fwdfwsettings{'oldorange'} ='on'; } } } # Split manual source and target address and delete the subnet my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ($scidr eq '32'){$fwdfwsettings{$fwdfwsettings{'grp1'}}=$sip;} my ($dip,$dcidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp2'}}); if ($scidr eq '32'){$fwdfwsettings{$fwdfwsettings{'grp2'}}=$dip;} &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); #------SOURCE------------------------------------------------------- print "
"; print< $Lang::tr{'fwdfw sourceip'}Firewall END print" $Lang::tr{'fwdfw use nat'}
END if (%aliases) { print <$Lang::tr{'dnat address'}: END } print ""; #SNAT print <
"; } else { print <
$Lang::tr{'snat new source ip address'}:
END &Header::closebox(); #---TARGET------------------------------------------------------ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< $Lang::tr{'fwdfw targetip'}Firewall END print" END print ""; print ""; foreach (@PROTOCOLS) { print""; }else{ print ">$_"; } } print<
$Lang::tr{'fwhost icmptype'}
$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw use srv'}
$Lang::tr{'fwdfw external port nat'}:
$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwhost cust srvgrp'}
END &Header::closebox; $checked{"RULE_ACTION"}{$fwdfwsettings{'RULE_ACTION'}} = 'CHECKED'; print <
 
  		 
  		 
 

END #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print< END print"$Lang::tr{'remark'}:"; if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ print "$Lang::tr{'fwdfw rulepos'}:"; }else{ print "$Lang::tr{'fwdfw rulepos'}:"; } print< END if ($fwdfwsettings{'updatefwrule'} eq 'on') { print < END } else { print < END } print <
$Lang::tr{'fwdfw rule activate'}
$Lang::tr{'fwdfw log rule'}
$Lang::tr{'fwdfw timeframe'}
  $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}  
  END for (my $i=0;$i<=23;$i++) { $i = sprintf("%02s",$i); for (my $j=0;$j<=45;$j+=15) { $j = sprintf("%02s",$j); my $time = $i.":".$j; print "\n"; } } print<

END #---ACTION------------------------------------------------------ if($fwdfwsettings{'updatefwrule'} ne 'on'){ print<

END }else{ print<
END } &Header::closebox(); } sub pos_up { my %uphash=(); my %tmp=(); &General::readhasharray($fwdfwsettings{'config'}, \%uphash); foreach my $key (sort keys %uphash){ if ($key eq $fwdfwsettings{'key'}) { my $last = $key -1; if (exists $uphash{$last}){ #save rule last foreach my $y (0 .. $#{$uphash{$last}}) { $tmp{0}[$y] = $uphash{$last}[$y]; } #copy active rule to last foreach my $i (0 .. $#{$uphash{$last}}) { $uphash{$last}[$i] = $uphash{$key}[$i]; } #copy saved rule to actual position foreach my $x (0 .. $#{$tmp{0}}) { $uphash{$key}[$x] = $tmp{0}[$x]; } } } } &General::writehasharray($fwdfwsettings{'config'}, \%uphash); &General::firewall_config_changed(); } sub pos_down { my %downhash=(); my %tmp=(); &General::readhasharray($fwdfwsettings{'config'}, \%downhash); foreach my $key (sort keys %downhash){ if ($key eq $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $downhash{$next}){ #save rule next foreach my $y (0 .. $#{$downhash{$next}}) { $tmp{0}[$y] = $downhash{$next}[$y]; } #copy active rule to next foreach my $i (0 .. $#{$downhash{$next}}) { $downhash{$next}[$i] = $downhash{$key}[$i]; } #copy saved rule to actual position foreach my $x (0 .. $#{$tmp{0}}) { $downhash{$key}[$x] = $tmp{0}[$x]; } } } } &General::writehasharray($fwdfwsettings{'config'}, \%downhash); &General::firewall_config_changed(); } sub saverule { my $hash=shift; my $config=shift; &General::readhasharray("$config", $hash); if (!$errormessage){ ################################################################ #check if we change an INPUT rule to a OUTGOING if($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ &changerule($configinput); #print"1"; } #check if we change an INPUT rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configinput); #print"2"; } ################################################################ #check if we change an OUTGOING rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ &changerule($configoutgoing); #print"3"; } #check if we change an OUTGOING rule to a FORWARD elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ &changerule($configoutgoing); #print"4"; } ################################################################ #check if we change a FORWARD rule to an INPUT elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ &changerule($configfwdfw); #print"5"; } #check if we change a FORWARD rule to an OUTGOING elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ &changerule($configfwdfw); #print"6"; } if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; $$hash{$key}[1] = $fwdfwsettings{'chain'}; $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; $$hash{$key}[3] = $fwdfwsettings{'grp1'}; $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; $$hash{$key}[5] = $fwdfwsettings{'grp2'}; $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; $$hash{$key}[8] = $fwdfwsettings{'PROT'}; $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; $$hash{$key}[14] = $fwdfwsettings{'grp3'}; $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; $$hash{$key}[17] = $fwdfwsettings{'LOG'}; $$hash{$key}[18] = $fwdfwsettings{'TIME'}; $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ if($key eq $fwdfwsettings{'key'}){ $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; $$hash{$key}[1] = $fwdfwsettings{'chain'}; $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; $$hash{$key}[3] = $fwdfwsettings{'grp1'}; $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; $$hash{$key}[5] = $fwdfwsettings{'grp2'}; $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; $$hash{$key}[8] = $fwdfwsettings{'PROT'}; $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; $$hash{$key}[14] = $fwdfwsettings{'grp3'}; $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; $$hash{$key}[17] = $fwdfwsettings{'LOG'}; $$hash{$key}[18] = $fwdfwsettings{'TIME'}; $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; last; } } } &General::writehasharray("$config", $hash); if($fwdfwsettings{'oldrulenumber'} > $fwdfwsettings{'rulepos'}){ my %tmp=(); my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'}; for (my $z=0;$z<$val;$z++){ foreach my $key (sort {$a <=> $b} keys %$hash){ if ($key eq $fwdfwsettings{'oldrulenumber'}) { my $last = $key -1; if (exists $$hash{$last}){ #save rule last foreach my $y (0 .. $#{$$hash{$last}}) { $tmp{0}[$y] = $$hash{$last}[$y]; } #copy active rule to last foreach my $i (0 .. $#{$$hash{$last}}) { $$hash{$last}[$i] = $$hash{$key}[$i]; } #copy saved rule to actual position foreach my $x (0 .. $#{$tmp{0}}) { $$hash{$key}[$x] = $tmp{0}[$x]; } } } } $fwdfwsettings{'oldrulenumber'}--; } &General::writehasharray("$config", $hash); &General::firewall_config_changed(); }elsif($fwdfwsettings{'rulepos'} > $fwdfwsettings{'oldrulenumber'}){ my %tmp=(); my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'}; for (my $z=0;$z<$val;$z++){ foreach my $key (sort {$a <=> $b} keys %$hash){ if ($key eq $fwdfwsettings{'oldrulenumber'}) { my $next = $key + 1; if (exists $$hash{$next}){ #save rule next foreach my $y (0 .. $#{$$hash{$next}}) { $tmp{0}[$y] = $$hash{$next}[$y]; } #copy active rule to next foreach my $i (0 .. $#{$$hash{$next}}) { $$hash{$next}[$i] = $$hash{$key}[$i]; } #copy saved rule to actual position foreach my $x (0 .. $#{$tmp{0}}) { $$hash{$key}[$x] = $tmp{0}[$x]; } } } } $fwdfwsettings{'oldrulenumber'}++; } &General::writehasharray("$config", $hash); &General::firewall_config_changed(); } } } sub validremark { # Checks a hostname against RFC1035 my $remark = $_[0]; # Each part should be at least two characters in length # but no more than 63 characters if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) { return 0;} # Last character can only be a letter or a digit if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { return 0;} return 1; } sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &viewtablenew(\%configfwdfw, $configfwdfw, $Lang::tr{'firewall rules'}); &viewtablenew(\%configinputfw, $configinput, $Lang::tr{'external access'}); &viewtablenew(\%configoutgoingfw, $configoutgoing, $Lang::tr{'outgoing firewall'}); } sub viewtablenew { my $hash=shift; my $config=shift; my $title=shift; my $go=''; my $show_box = (! -z $config) || ($optionsfw{'SHOWTABLES'} eq 'on'); return if (!$show_box); &General::get_aliases(\%aliases); &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$config", $hash); &General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$configccdhost", \%ccdhost); &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configsrvgrp", \%customservicegrp); &Header::openbox('100%', 'left', $title); print ""; if (! -z $config) { my $count=0; my ($gif,$log); my $ruletype; my $rulecolor; my $tooltip; my @tmpsrc=(); my @tmptgt=(); my $coloryellow=''; print < END foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); @tmptgt=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[4]); } if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ push (@tmptgt,$$hash{$key}[6]); } foreach my $host (@tmpsrc){ if($$hash{$key}[3] eq 'ipsec_net_src'){ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[3] eq 'ovpn_net_src'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[3] eq 'ovpn_n2n_src'){ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[3] eq 'ovpn_host_src'){ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } } } foreach my $host (@tmptgt){ if($$hash{$key}[5] eq 'ipsec_net_tgt'){ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[5] eq 'ovpn_net_tgt'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[5] eq 'ovpn_n2n_tgt'){ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } }elsif($$hash{$key}[5] eq 'ovpn_host_tgt'){ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } } } #check if networkgroups or servicegroups are empty foreach my $netgroup (sort keys %customgrp){ if(($$hash{$key}[4] eq $customgrp{$netgroup}[0] || $$hash{$key}[6] eq $customgrp{$netgroup}[0]) && $customgrp{$netgroup}[2] eq 'none'){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } } foreach my $srvgroup (sort keys %customservicegrp){ if($$hash{$key}[15] eq $customservicegrp{$srvgroup}[0] && $customservicegrp{$srvgroup}[2] eq 'none'){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } } $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; if($coloryellow eq 'on'){ $color="$color{'color14'}"; $coloryellow=''; }elsif($coloryellow eq ''){ if ($count % 2){ $color="$color{'color22'}"; } else{ $color="$color{'color20'}"; } } print< END #RULETYPE (A,R,D) if ($$hash{$key}[0] eq 'ACCEPT'){ $ruletype='A'; $tooltip='ACCEPT'; $rulecolor=$color{'color17'}; }elsif($$hash{$key}[0] eq 'DROP'){ $ruletype='D'; $tooltip='DROP'; $rulecolor=$color{'color25'}; }elsif($$hash{$key}[0] eq 'REJECT'){ $ruletype='R'; $tooltip='REJECT'; $rulecolor=$color{'color16'}; } print <    END #Get Protocol my $prot; if ($$hash{$key}[8]){ if ($$hash{$key}[8] eq "IPv6"){ push (@protocols,$Lang::tr{'fwdfw prot41 short'}) }else{ push (@protocols,$$hash{$key}[8]); } }elsif($$hash{$key}[14] eq 'cust_srv'){ &get_serviceports("service",$$hash{$key}[15]); }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ &get_serviceports("group",$$hash{$key}[15]); }else{ push (@protocols,$Lang::tr{'all'}); } my $protz=join(",",@protocols); if($protz eq 'ICMP' && $$hash{$key}[9] ne 'All ICMP-Types' && $$hash{$key}[14] ne 'cust_srvgrp'){ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $keyicmp (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){ if($$hash{$key}[9] eq "$icmptypes{$keyicmp}[0]"){ print ""; last; } } }else{ print""; } @protocols=(); #SOURCE my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print" END #TARGET &getcolor($$hash{$key}[5],$$hash{$key}[6],\%customhost); print< END #Is this a DNAT rule? if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ print "Firewall ($$hash{$key}[29])"; if($$hash{$key}[30] ne ''){ $$hash{$key}[30]=~ tr/|/,/; print": $$hash{$key}[30]"; } print"
->"; } if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire'){ if ($$hash{$key}[6] eq 'RED1'){ print "$Lang::tr{'red1'}"; }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL' || $$hash{$key}[6] eq 'RED') { print &get_name($$hash{$key}[6]); }else{ print $$hash{$key}[6]; } }elsif ($$hash{$key}[5] eq 'tgt_addr'){ my ($split1,$split2) = split("/",$$hash{$key}[6]); if ($split2 eq '32'){ print $split1; }else{ print $$hash{$key}[6]; } }else{ print "$$hash{$key}[6]"; } $tdcolor=''; #TARGETPORT &gettgtport(\%$hash,$key); print""; #RULE ACTIVE if($$hash{$key}[2] eq 'ON'){ $gif="/images/on.gif" }else{ $gif="/images/off.gif" } print<
END if (exists $$hash{$key-1}){ print<
END }else{ print""; } if (exists $$hash{$key+1}){ print<
END }else{ print""; } #REMARK if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){ print < END } if ($$hash{$key}[18] eq 'ON'){ #TIMEFRAME if ($$hash{$key}[18] eq 'ON'){ my @days=(); if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} my $weekdays=join(",",@days); if (@days){ print""; print""; } } } print""; } } elsif ($optionsfw{'SHOWTABLES'} eq 'on') { print < END } #SHOW FINAL RULE my $policy = 'fwdfw ' . $fwdfwsettings{'POLICY'}; my $colour = "bgcolor='green'"; if ($fwdfwsettings{'POLICY'} eq 'MODE1') { $colour = "bgcolor='darkred'"; } my $message; if (($config eq '/var/ipfire/firewall/config') && ($fwdfwsettings{'POLICY'} ne 'MODE1')) { print <
# $Lang::tr{'protocol'} $Lang::tr{'fwdfw source'} $Lang::tr{'fwdfw log'} $Lang::tr{'fwdfw target'} $Lang::tr{'fwdfw action'}
$key  $protz ($icmptypes{$keyicmp}[1])$protz"; if ($$hash{$key}[3] eq 'ipfire_src'){ $ipfireiface=$Lang::tr{'fwdfw iface'}; } if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); }elsif ($$hash{$key}[3] eq 'src_addr'){ my ($split1,$split2) = split("/",$$hash{$key}[4]); if ($split2 eq '32'){ print $split1; }else{ print $$hash{$key}[4]; } }elsif ($$hash{$key}[4] eq 'RED1'){ print "$ipfireiface $Lang::tr{'fwdfw red'}"; }elsif ($$hash{$key}[4] eq 'ALL'){ print "$ipfireiface $Lang::tr{'all'}"; }else{ if ($$hash{$key}[4] eq 'GREEN' || $$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE' || $$hash{$key}[4] eq 'RED'){ print "$ipfireiface $Lang::tr{lc($$hash{$key}[4])}"; }else{ print "$ipfireiface $$hash{$key}[4]"; } } $tdcolor=''; #SOURCEPORT &getsrcport(\%$hash,$key); #Is this a SNAT rule? if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){ my $net=&get_name($$hash{$key}[29]); if ( ! $net){ $net=$$hash{$key}[29];} print"
->$net"; if ($$hash{$key}[30] ne ''){ print": $$hash{$key}[30]"; } } if ($$hash{$key}[17] eq 'ON'){ $log="/images/on.gif"; }else{ $log="/images/off.gif"; } #LOGGING print<
    $$hash{$key}[16]
   $weekdays   $$hash{$key}[26] - $$hash{$key}[27]
$Lang::tr{'fwhost empty'}
 
END # GREEN print < END if (&Header::orange_used()) { print < $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol allow'}) END } if (&Header::blue_used()) { print < $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol allow'}) END } print""; # ORANGE if (&Header::orange_used()) { print < END if (&Header::blue_used()) { print < $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol block'}) END } print""; } if (&Header::blue_used()) { print < END if (&Header::orange_used()) { print < $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol block'}) END } print""; } print < END $message = $Lang::tr{'fwdfw pol allow'}; } elsif ($config eq '/var/ipfire/firewall/outgoing' && ($fwdfwsettings{'POLICY1'} ne 'MODE1')) { $message = $Lang::tr{'fwdfw pol allow'}; $colour = "bgcolor='green'"; } else { $message = $Lang::tr{'fwdfw pol block'}; $colour = "bgcolor='darkred'"; } if ($message) { print < END } print "
$Lang::tr{'green'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})
$Lang::tr{'orange'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})
$Lang::tr{'blue'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})
$Lang::tr{'policy'}: $message
"; print "
"; &Header::closebox(); } &Header::closebigbox(); &Header::closepage();