my %optionsfw=();
my %ifaces=();
-my $VERSION='0.9.9.2';
+my $VERSION='0.9.9.6';
my $color;
my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts";
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
&General::readhash($fwoptions, \%optionsfw);
&General::readhash($ifacesettings, \%ifaces);
-
+&General::readhash("$configovpn", \%ovpnsettings);
+&General::readhash("$configipsecrw", \%ipsecsettings);
+&General::readhasharray("$configipsec", \%ipsecconf);
&Header::showhttpheaders();
&Header::getcgihash(\%fwdfwsettings);
&Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
{
&error;
if (-f "${General::swroot}/forward/reread"){
- print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
+ print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
}
- &Header::openbox('100%', 'left', $Lang::tr{'firewall'});
+ &Header::openbox('100%', 'left', "");
print "<form method='post'>";
print "<table border='0'>";
print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
sub checksource
{
my ($ip,$subnet);
-
#check ip-address if manual
if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
#check if ip with subnet
if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
}
if ($fwdfwsettings{'isip'} eq 'on'){
+ ##check if ip is valid
+ if (! &General::validip($ip)){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
+ }
#check and form valid IP
$ip=&General::ip2dec($ip);
$ip=&General::dec2ip($ip);
if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
{
$errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+ return $errormessage;
+ }
+ #check if the ip is part of an existing openvpn client/net or ipsec network
+ #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+ if (! &checkvpn($ip)){
+ $errormessage=$Lang::tr{'fwdfw err srcovpn'};
+ return $errormessage;
+ }else{
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
}
- $fwdfwsettings{'src_addr'}="$ip/$subnet";
-
if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
$errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
}
}
if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){
$errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
}
}elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
$errormessage.=$Lang::tr{'fwdfw err nosrcip'};
}
}
$fwdfwsettings{'SRC_PORT'}=join("|",@values);
- return $errormessage;
}
+ return $errormessage;
}
sub checktarget
{
#check DNAT settings (has to be single Host and single Port or portrange)
if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
- if ($fwdfwsettings{'USESRV'} eq ''){
+ if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){
$errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
}
#check if manual ip is a single Host (if set)
if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
{
$errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ return $errormessage;
}
}
#check if Port is a single Port or portrange
if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
$errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
}
if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
$errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
}
}
}else{
$errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ return $errormessage;
}
}
if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
$ip=$fwdfwsettings{'tgt_addr'};
$subnet='32';
}
+ #check if ip is valid
+ if (! &General::validip($ip)){
+ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ return $errormessage;
+ }
#check and form valid IP
$ip=&General::ip2dec($ip);
$ip=&General::dec2ip($ip);
-
- $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+ #check if the ip is part of an existing openvpn client/net or ipsec network
+ #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+ if (! &checkvpn($ip)){
+ $errormessage=$Lang::tr{'fwdfw err tgtovpn'};
+ return $errormessage;
+ }else{
+ $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+ }
if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
$errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+ return $errormessage;
}
}elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
$errormessage.=$Lang::tr{'fwdfw err notgtip'};
if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
if ($fwdfwsettings{'TGT_PORT'} ne ''){
- if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {
+ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') {
$errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
}
my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
my @values=();
}
}
}
-
#check targetport
if ($fwdfwsettings{'USESRV'} ne 'ON'){
$fwdfwsettings{'grp3'}='';
$fwdfwsettings{$fwdfwsettings{'grp3'}}='';
- $fwdfwsettings{'TGT_PROT'}='';
$fwdfwsettings{'ICMP_TGT'}='';
}
#check timeframe
if($fwdfwsettings{'TIME'} eq 'ON'){
if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){
$errormessage=$Lang::tr{'fwdfw err time'};
+ return $errormessage;
}
}
return $errormessage;
#if no port is given in nat area, take target host port
if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
#check if port given in nat area is a single valid port or portrange
- if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){
$errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
- }
- elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
+ }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
my $custsrvport;
#get servcie Protocol and Port
foreach my $key (sort keys %customservice){
}
if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;}
}
+ #check if DNAT port is multiple
+ if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
+ my @parts=split(",",$fwdfwsettings{'dnatport'});
+ my @values=();
+ foreach (@parts){
+ chomp($_);
+ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
+ my $check;
+ #change dashes with :
+ $_=~ tr/-/:/;
+ if ($_ eq "*") {
+ push(@values,"1:65535");
+ $check='on';
+ }
+ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
+ push(@values,"1:$2");
+ $check='on';
+ }
+ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
+ push(@values,"$1:65535");
+ $check='on'
+ }
+ $errormessage .= &General::validportrange($_, 'destination');
+ if(!$check){
+ push (@values,$_);
+ }
+ }else{
+ if (&General::validport($_)){
+ push (@values,$_);
+ }else{
+
+ }
+ }
+ }
+ $fwdfwsettings{'dnatport'}=join("|",@values);
+ }
}
#check valid remark
if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
}elsif($base2 eq 'cust_srvgrp'){
&inc_counter($configsrvgrp,\%customservicegrp,$val2);
}
+}
+sub checkvpn
+{
+ my $ip=shift;
+ #Test if manual IP is part of static OpenVPN networks
+ &General::readhasharray("$configccdnet", \%ccdnet);
+ foreach my $key (sort keys %ccdnet){
+ my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]);
+ my $sub=&General::iporsubtodec($vpnsubnet);
+ if (&General::IpInSubnet($ip,$vpnip,$sub)){
+ return 0;
+ }
+ }
+ # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor
+ # because if one creates a custom host with the ip, we need to check the color there!
+ # It does not make sense to check this here
+
+ # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here
+ # Is also checked in getcolor
+
+ # Test if manual ip is part of an IPsec Network is also checked in getcolor
+ return 1;
+}
+sub checkvpncolor
+{
+
}
sub deleterule
{
my $val=shift;
my $hash=shift;
if($optionsfw{'SHOWCOLORS'} eq 'on'){
- #VPN networks
- if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
- $tdcolor="style='border: 1px solid $Header::colourovpn;'";
- return;
- }
- if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
- $tdcolor="style='border: 1px solid $Header::colourvpn;'";
- return;
- }
- #custom Hosts
- if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
- foreach my $key (sort keys %$hash){
- if ($$hash{$key}[0] eq $val){
- $val=$$hash{$key}[2];
- }
- }
- }
- #ALIASE
- foreach my $alias (sort keys %aliases)
- {
- if ($val eq $alias){
- $tdcolor="style='border: 1px solid $Header::colourred;'";
- return;
- }
- }
#standard networks
if ($val eq 'GREEN'){
$tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ return;
}elsif ($val eq 'ORANGE'){
$tdcolor="style='border: 1px solid $Header::colourorange;'";
+ return;
}elsif ($val eq 'BLUE'){
$tdcolor="style='border: 1px solid $Header::colourblue;'";
+ return;
}elsif ($val eq 'RED'){
$tdcolor="style='border: 1px solid $Header::colourred;'";
+ return;
}elsif ($val eq 'IPFire' ){
$tdcolor="style='border: 1px solid $Header::colourred;'";
+ return;
}elsif($val =~ /^(.*?)\/(.*?)$/){
my ($sip,$scidr) = split ("/",$val);
if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
$tdcolor="style='border: 1px solid $Header::colourorange;'";
+ return;
}
if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
$tdcolor="style='border: 1px solid $Header::colourgreen;'";
+ return;
}
if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
$tdcolor="style='border: 1px solid $Header::colourblue;'";
+ return;
}
}elsif ($val eq 'Default IP'){
$tdcolor="style='border: 1px solid $Header::colourred;'";
- }else{
- $tdcolor='';
+ return;
+ }
+ #Check if a manual IP is part of a VPN
+ if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){
+ #Check if IP is part of OpenVPN dynamic subnet
+ my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
+ my ($c,$d) = split("/",$val);
+ if (&General::IpInSubnet($c,$a,$b)){
+ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+ return;
+ }
+ #Check if IP is part of IPsec RW network
+ if ($ipsecsettings{'RW_NET'} ne ''){
+ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'});
+ $b=&General::iporsubtodec($b);
+ if (&General::IpInSubnet($c,$a,$b)){
+ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+ return;
+ }
+ }
+ #Check if IP is part of a IPsec N2N network
+ foreach my $key (sort keys %ipsecconf){
+ my ($a,$b) = split("/",$ipsecconf{$key}[11]);
+ if (&General::IpInSubnet($c,$a,$b)){
+ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+ return;
+ }
+ }
+ }
+ #VPN networks
+ if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
+ $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+ return;
+ }
+ if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){
+ $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+ return;
+ }
+ #custom Hosts
+ if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
+ foreach my $key (sort keys %$hash){
+ if ($$hash{$key}[0] eq $val){
+ $val=$$hash{$key}[2];
+ }
+ }
+ }
+ #ALIASE
+ foreach my $alias (sort keys %aliases)
+ {
+ if ($val eq $alias){
+ $tdcolor="style='border: 1px solid $Header::colourred;'";
+ return;
+ }
}
}
+ $tdcolor='';
+ return;
}
sub hint
{
}
}
&Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
- if ($fwdfwsettings{'TIME'} eq 'ON'){
- $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
- $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
- }
-print "<form method='post'>";
+ print "<form method='post'>";
&Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
#------SOURCE-------------------------------------------------------
print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
}
print"</td></tr>";
+ $fwdfwsettings{'dnatport'}=~ tr/|/,/;
print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
print"<tr><td colspan='8'><br></td></tr>";
#SNAT
sub viewtablerule
{
&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
- &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" );
+ &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" );
&viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
- &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
&viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
- &viewtablenew(\%confignatfw,$confignat,"","NAT" );
+ &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
+ &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" );
}
sub viewtablenew
{
if ($$hash{$key}[31] eq 'dnat'){
print "IPFire ($$hash{$key}[29])";
if($$hash{$key}[30] ne ''){
+ $$hash{$key}[30]=~ tr/|/,/;
print": $$hash{$key}[30]";
}
print"<br> DNAT->";