]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blobdiff - html/cgi-bin/forwardfw.cgi
Forward Firewall: added some plausi checks. Now it is checked if someone enters an...
[people/teissler/ipfire-2.x.git] / html / cgi-bin / forwardfw.cgi
index 84e01704d8c754b6c7b15be5068d55d623b2168e..e074047b3c0f3c2fc8e489aa7a8f66684eabbb45 100755 (executable)
@@ -77,7 +77,7 @@ my %aliases=();
 my %optionsfw=();
 my %ifaces=();
 
-my $VERSION='0.9.8.7';
+my $VERSION='0.9.9.5';
 my $color;
 my $confignet          = "${General::swroot}/fwhosts/customnetworks";
 my $confighost         = "${General::swroot}/fwhosts/customhosts";
@@ -107,7 +107,9 @@ my @protocols;
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
 &General::readhash($fwoptions, \%optionsfw); 
 &General::readhash($ifacesettings, \%ifaces);
-
+&General::readhash("$configovpn", \%ovpnsettings);
+&General::readhash("$configipsecrw", \%ipsecsettings);
+&General::readhasharray("$configipsec", \%ipsecconf);
 &Header::showhttpheaders();
 &Header::getcgihash(\%fwdfwsettings);
 &Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
@@ -133,6 +135,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
        $errormessage=&checksource;
        if(!$errormessage){&checktarget;}
        if(!$errormessage){&checkrule;}
+       
        #check if manual ip (source) is orange network
        if ($fwdfwsettings{'grp1'} eq 'src_addr'){
                my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
@@ -160,26 +163,27 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                #check if we have an identical rule already
                if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
                        foreach my $key (sort keys %confignatfw){
-                               if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
-                                       eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
-                                               $errormessage.=$Lang::tr{'fwdfw err ruleexists'};                               
-                                               if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
-                                                       $errormessage='';                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
-                                               }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
-                                                       $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
-                                               }
-                                               if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
-                                                       $fwdfwsettings{'nosave'} = 'on';
-                                               }
+                               if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]"
+                               eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){
+                                       $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+                                       if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+                                               $errormessage='';
+                                       }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+                                               $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+                                       }
+                                       if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+                                               $fwdfwsettings{'nosave'} = 'on';
+                                       }
                                }
                        }
                }
+               
                #check Rulepos on new Rule
                if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
                        $fwdfwsettings{'oldrulenumber'}=$maxkey;
                        foreach my $key (sort keys %confignatfw){
-                               print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
-                               print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
+                               #print"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}<br>";
+                               #print"$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]<br>";
                                if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
                                        eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
                                                $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
@@ -589,9 +593,9 @@ sub addrule
 {
        &error;
        if (-f "${General::swroot}/forward/reread"){
-               print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+               print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt;'>&nbsp &nbsp $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
        }
-       &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+       &Header::openbox('100%', 'left', "");
        print "<form method='post'>";
        print "<table border='0'>";
        print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
@@ -654,7 +658,6 @@ sub changerule
 sub checksource
 {
        my ($ip,$subnet);
-
        #check ip-address if manual
        if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
                #check if ip with subnet
@@ -674,6 +677,11 @@ sub checksource
                        if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';}
                }
                if ($fwdfwsettings{'isip'} eq 'on'){
+                       ##check if ip is valid
+                       if (! &General::validip($ip)){
+                               $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+                               return $errormessage;
+                       }
                        #check and form valid IP
                        $ip=&General::ip2dec($ip);
                        $ip=&General::dec2ip($ip);
@@ -682,15 +690,24 @@ sub checksource
                        if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
                        {
                                $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
+                               return $errormessage;
+                       }
+                       #check if the ip is part of an existing openvpn client/net or ipsec network
+                       #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+                       if (! &checkvpn($ip)){
+                               $errormessage=$Lang::tr{'fwdfw err srcovpn'};
+                               return $errormessage;
+                       }else{
+                               $fwdfwsettings{'src_addr'}="$ip/$subnet";
                        }
-                       $fwdfwsettings{'src_addr'}="$ip/$subnet";
-
                        if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
                                $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+                               return $errormessage;
                        }
                }
                if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){
                        $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+                       return $errormessage;
                }
        }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
                $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
@@ -730,7 +747,7 @@ sub checksource
                my @values=();
                foreach (@parts){
                        chomp($_);
-                       if ($_ =~ /^(\d+)\:(\d+)$/) {
+                       if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
                                my $check;
                                #change dashes with :
                                $_=~ tr/-/:/;
@@ -738,11 +755,11 @@ sub checksource
                                        push(@values,"1:65535");
                                        $check='on';
                                }
-                               if ($_ =~ /^(\D)\:(\d+)$/) {
+                               if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
                                        push(@values,"1:$2");
                                        $check='on';
                                }
-                               if ($_ =~ /^(\d+)\:(\D)$/) {
+                               if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) {
                                        push(@values,"$1:65535");
                                        $check='on'
                                }
@@ -759,18 +776,19 @@ sub checksource
                        }
                }
                $fwdfwsettings{'SRC_PORT'}=join("|",@values);
-               return $errormessage;
        }
+       return $errormessage;
 }
 sub checktarget
 {
        my ($ip,$subnet);
        &General::readhasharray("$configsrv", \%customservice);
-       #check DNAT settings (has to be single Host and single Port)
+       #check DNAT settings (has to be single Host and single Port or portrange)
        if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
                if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
-                       if ($fwdfwsettings{'USESRV'} eq ''){
+                       if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){
                                $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                               return $errormessage;
                        }
                        #check if manual ip is a single Host (if set)
                        if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
@@ -779,19 +797,23 @@ sub checktarget
                                if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
                                {
                                        $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+                                       return $errormessage;
                                }
                        }
-                       #check if Port is a single Port
+                       #check if Port is a single Port or portrange
                        if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
                                if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
                                        $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                                       return $errormessage;
                                }
                                if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
                                        $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                                       return $errormessage;
                                }
                        }
                }else{
                        $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+                       return $errormessage;
                }
        }
        if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
@@ -805,13 +827,25 @@ sub checktarget
                        $ip=$fwdfwsettings{'tgt_addr'};
                        $subnet='32';
                }
+               #check if ip is valid
+               if (! &General::validip($ip)){
+                       $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+                       return $errormessage;
+               }
                #check and form valid IP
                $ip=&General::ip2dec($ip);
                $ip=&General::dec2ip($ip);
-
-               $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+               #check if the ip is part of an existing openvpn client/net or ipsec network
+               #if this is the case, generate errormessage to make the user use the dropdowns instead of using manual ip's
+               if (! &checkvpn($ip)){
+                       $errormessage=$Lang::tr{'fwdfw err tgtovpn'};
+                       return $errormessage;
+               }else{
+                       $fwdfwsettings{'tgt_addr'}="$ip/$subnet";
+               }
                if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
                        $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
+                       return $errormessage;
                }
        }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
                $errormessage.=$Lang::tr{'fwdfw err notgtip'};
@@ -836,11 +870,15 @@ sub checktarget
                if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
                        if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
                                if ($fwdfwsettings{'TGT_PORT'} ne ''){
+                                       if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') {
+                                               $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                                               return $errormessage;
+                                       }
                                        my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
                                        my @values=();
                                        foreach (@parts){
                                                chomp($_);
-                                               if ($_ =~ /^(\d+)\:(\d+)$/) {
+                                               if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
                                                        my $check;
                                                        #change dashes with :
                                                        $_=~ tr/-/:/;
@@ -848,11 +886,11 @@ sub checktarget
                                                                push(@values,"1:65535");
                                                                $check='on';
                                                        }
-                                                       if ($_ =~ /^(\D)\:(\d+)$/) {
+                                                       if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
                                                                push(@values,"1:$2");
                                                                $check='on';
                                                        }
-                                                       if ($_ =~ /^(\d+)\:(\D)$/) {
+                                                       if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
                                                                push(@values,"$1:65535");
                                                                $check='on'
                                                        }
@@ -895,18 +933,17 @@ sub checktarget
                        }
                }
        }
-
        #check targetport
        if ($fwdfwsettings{'USESRV'} ne 'ON'){
                $fwdfwsettings{'grp3'}='';
                $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
-               $fwdfwsettings{'TGT_PROT'}='';
                $fwdfwsettings{'ICMP_TGT'}='';
        }
        #check timeframe
        if($fwdfwsettings{'TIME'} eq 'ON'){
                if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){
                        $errormessage=$Lang::tr{'fwdfw err time'};
+                       return $errormessage;
                }
        }
        return $errormessage;
@@ -914,7 +951,22 @@ sub checktarget
 sub check_natport
 {
        my $val=shift;
-       if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
+       if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
+               if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) {
+                       $fwdfwsettings{'dnatport'} =~ tr/-/:/;
+                       if ($fwdfwsettings{'dnatport'} eq "*") {
+                               $fwdfwsettings{'dnatport'}="1:65535";
+                       }
+                       if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) {
+                               $fwdfwsettings{'dnatport'} = "1:$2";
+                       }
+                       if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) {
+                               $fwdfwsettings{'dnatport'} ="$1:65535";
+                       }
+               }
+               return 1;
+       }
+       if ($val =~ "," || $val>65536 || $val<0){
                return 0;
        }
        return 1;
@@ -923,11 +975,12 @@ sub checkrule
 {
        #check valid port for NAT
        if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+               #if no port is given in nat area, take target host port
                if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
-               if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
+               #check if port given in nat area is a single valid port or portrange
+               if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){
                        $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
-               }
-               elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
+               }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
                        my $custsrvport;
                        #get servcie Protocol and Port
                        foreach my $key (sort keys %customservice){
@@ -940,6 +993,42 @@ sub checkrule
                        }
                        if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;}
                }
+               #check if DNAT port is multiple
+               if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
+                       my @parts=split(",",$fwdfwsettings{'dnatport'});
+                                       my @values=();
+                                       foreach (@parts){
+                                               chomp($_);
+                                               if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
+                                                       my $check;
+                                                       #change dashes with :
+                                                       $_=~ tr/-/:/;
+                                                       if ($_ eq "*") {
+                                                               push(@values,"1:65535");
+                                                               $check='on';
+                                                       }
+                                                       if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
+                                                               push(@values,"1:$2");
+                                                               $check='on';
+                                                       }
+                                                       if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
+                                                               push(@values,"$1:65535");
+                                                               $check='on'
+                                                       }
+                                                       $errormessage .= &General::validportrange($_, 'destination');
+                                                       if(!$check){
+                                                               push (@values,$_);
+                                                       }
+                                               }else{
+                                                       if (&General::validport($_)){
+                                                               push (@values,$_);
+                                                       }else{
+                                                               
+                                                       }
+                                               }
+                                       }
+                                       $fwdfwsettings{'dnatport'}=join("|",@values);
+               }
        }
        #check valid remark
        if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
@@ -1020,6 +1109,32 @@ sub checkcounter
        }elsif($base2 eq 'cust_srvgrp'){
                &inc_counter($configsrvgrp,\%customservicegrp,$val2);   
        }
+}
+sub checkvpn
+{
+       my $ip=shift;
+       #Test if manual IP is part of static OpenVPN networks
+       &General::readhasharray("$configccdnet", \%ccdnet);
+       foreach my $key (sort keys %ccdnet){
+               my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]);
+               my $sub=&General::iporsubtodec($vpnsubnet);
+               if (&General::IpInSubnet($ip,$vpnip,$sub)){
+                       return 0;
+               }
+       }
+       # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor
+       # because if one creates a custom host with the ip, we need to check the color there!
+       # It does not make sense to check this here
+       
+       # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here
+       # Is also checked in getcolor
+       
+       # Test if manual ip is part of an IPsec Network is also checked in getcolor
+       return 1;
+}
+sub checkvpncolor
+{
+       
 }
 sub deleterule
 {
@@ -1376,6 +1491,33 @@ sub getcolor
        my $val=shift;
        my $hash=shift;
        if($optionsfw{'SHOWCOLORS'} eq 'on'){
+               #Check if a manual IP is part of a VPN 
+               if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr'){
+                       #Check if IP is part of OpenVPN dynamic subnet
+                       my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
+                       my ($c,$d) = split("/",$val);
+                       if (&General::IpInSubnet($c,$a,$b)){
+                               $tdcolor="style='border: 1px solid $Header::colourovpn;'";
+                               return;
+                       }
+                       #Check if IP is part of IPsec RW network
+                       if ($ipsecsettings{'RW_NET'} ne ''){
+                               my ($a,$b) = split("/",$ipsecsettings{'RW_NET'});
+                               $b=&General::iporsubtodec($b);
+                               if (&General::IpInSubnet($c,$a,$b)){
+                                       $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+                                       return;
+                               }
+                       }
+                       #Check if IP is part of a IPsec N2N network
+                       foreach my $key (sort keys %ipsecconf){
+                               my ($a,$b) = split("/",$ipsecconf{$key}[11]);
+                               if (&General::IpInSubnet($c,$a,$b)){
+                                       $tdcolor="style='border: 1px solid $Header::colourvpn;'";
+                                       return;
+                               }
+                       }
+               }
                #VPN networks
                if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){
                        $tdcolor="style='border: 1px solid $Header::colourovpn;'";
@@ -1404,29 +1546,39 @@ sub getcolor
                #standard networks
                if ($val eq 'GREEN'){
                        $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+                       return;
                }elsif ($val eq 'ORANGE'){
                        $tdcolor="style='border: 1px solid $Header::colourorange;'";
+                       return;
                }elsif ($val eq 'BLUE'){
                        $tdcolor="style='border: 1px solid $Header::colourblue;'";
+                       return;
                }elsif ($val eq 'RED'){
                        $tdcolor="style='border: 1px solid $Header::colourred;'";
+                       return;
                }elsif ($val eq 'IPFire' ){
                        $tdcolor="style='border: 1px solid $Header::colourred;'";
+                       return;
                }elsif($val =~ /^(.*?)\/(.*?)$/){
                        my ($sip,$scidr) = split ("/",$val);
                        if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){
                                $tdcolor="style='border: 1px solid $Header::colourorange;'";
+                               return;
                        }
                        if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){
                                $tdcolor="style='border: 1px solid $Header::colourgreen;'";
+                               return;
                        }
                        if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){
                                $tdcolor="style='border: 1px solid $Header::colourblue;'";
+                               return;
                        }
                }elsif ($val eq 'Default IP'){
                        $tdcolor="style='border: 1px solid $Header::colourred;'";
+                       return;
                }else{
                        $tdcolor='';
+                       return;
                }
        }
 }
@@ -1600,11 +1752,7 @@ sub newrule
                }       
        }
        &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
-       if ($fwdfwsettings{'TIME'} eq 'ON'){    
-               $fwdfwsettings{'TIME_FROM'} = &timeconvert($fwdfwsettings{'TIME_FROM'},'');
-               $fwdfwsettings{'TIME_TO'} = &timeconvert($fwdfwsettings{'TIME_TO'},'');
-       }
-print "<form method='post'>";
+       print "<form method='post'>";
        &Header::closebox();
        &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'});
        #------SOURCE-------------------------------------------------------
@@ -1738,19 +1886,15 @@ END
                <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
                <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
 END
-               if (! -z "${General::swroot}/ethernet/aliases"){
-                       print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
-                       print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
-                       print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
-
-                       foreach my $alias (sort keys %aliases)
-                       {
-                               print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
-                       }
-               }else{
-                       print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+               print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+               print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+               print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+               foreach my $alias (sort keys %aliases)
+               {
+                       print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
                }
                print"</td></tr>";
+               $fwdfwsettings{'dnatport'}=~ tr/|/,/;
                print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
                print"<tr><td colspan='8'><br></td></tr>";
                #SNAT
@@ -2008,7 +2152,7 @@ sub saverule
                        #print"6";
                }
                #check if we change a DMZ to a FORWARD/DMZ
-               elsif($fwdfwsettings{'oldruletype'} eq 'DMZ'  && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+               elsif($fwdfwsettings{'oldruletype'} eq 'DMZ'  && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
                        &changerule($configdmz);
                        #print"7";
                }
@@ -2065,12 +2209,6 @@ sub saverule
                        &changerule($configfwdfw);
                        #print"17";
                }               
-               #Cleanup some values for NAT if they are not used
-               if($fwdfwsettings{'nat'} eq 'dnat'){
-                       $fwdfwsettings{'snatport'}='';
-               }else{
-                       $fwdfwsettings{'dnatport'}='';
-               }
                if ($fwdfwsettings{'updatefwrule'} ne 'on'){
                        my $key = &General::findhasharraykey ($hash);
                        $$hash{$key}[0]  = $fwdfwsettings{'RULE_ACTION'};
@@ -2230,11 +2368,11 @@ sub validremark
 sub viewtablerule
 {
        &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-       &viewtablenew(\%configdmzfw,$configdmz,$Lang::tr{'fwdfw rules'},"DMZ" );
+       &viewtablenew(\%confignatfw,$confignat,"$Lang::tr{'fwdfw rules'}","Portforward / SNAT" );
        &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" );
-       &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
        &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
-       &viewtablenew(\%confignatfw,$confignat,"","NAT" );
+       &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} );
+       &viewtablenew(\%configdmzfw,$configdmz,"","DMZ" );
 }
 sub viewtablenew
 {
@@ -2325,12 +2463,7 @@ END
                                $tooltip='REJECT';
                                $rulecolor=$color{'color16'};
                        }
-                       if($$hash{$key}[28] eq 'ON'){
-                               print"<td bgcolor='$color' align='center' width='20'></td>";
-                               $rulecolor=$color;
-                       }else{
-                               print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
-                       }
+                       print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
                        &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
                        print"<td align='center' width='160' $tdcolor>";
                        if ($$hash{$key}[3] eq 'std_net_src'){
@@ -2369,6 +2502,7 @@ END
                        if ($$hash{$key}[31] eq 'dnat'){
                                print "IPFire ($$hash{$key}[29])";
                                if($$hash{$key}[30] ne ''){
+                                       $$hash{$key}[30]=~ tr/|/,/;
                                        print": $$hash{$key}[30]";
                                }
                                print"<br> DNAT->";