X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Ffirewall.cgi;h=8b02b04467546a8ea728dd772f4b9d929c782dfd;hp=802b2bed34a237eafeac704c7e25930177eb89b5;hb=f4d5310decf8cd8f16d92bfe0457cc8fb87fc663;hpb=901aa8b943e6442e4b3540a73fe7c79c9a9cd419 diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 802b2bed3..8b02b0446 100755 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -158,11 +158,6 @@ print< - -
+ - END if (&General::firewall_needs_reload()) { @@ -481,8 +439,9 @@ END
-
+
END + &Header::closebox(); &viewtablerule; } @@ -498,8 +457,6 @@ sub changerule $fwdfwsettings{'config'}=$oldchain; $fwdfwsettings{'nobase'}='on'; &deleterule; - &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } sub checksource { @@ -767,8 +724,11 @@ sub checkrule { #check valid port for NAT if($fwdfwsettings{'USE_NAT'} eq 'ON'){ - #if no port is given in nat area, take target host port + #if no dest port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} + if($fwdfwsettings{'TGT_PORT'} eq '' && $fwdfwsettings{'dnatport'} ne '' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP')){ + $errormessage=$Lang::tr{'fwdfw dnat porterr2'}; + } #check if port given in nat area is a single valid port or portrange if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; @@ -821,6 +781,10 @@ sub checkrule } $fwdfwsettings{'dnatport'}=join("|",@values); } + #check if a rule with prot tcp or udp and ports is edited and now prot is "all", then delete all ports + if($fwdfwsettings{'PROT'} eq ''){ + $fwdfwsettings{'dnatport'}=''; + } } #check valid remark if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ @@ -856,12 +820,7 @@ sub checkrule } } } - #When using source- or targetport, the protocol has to be TCP or UDP - if (($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON') && ($fwdfwsettings{'SRC_PORT'} ne '' || $fwdfwsettings{'TGT_PORT'} ne '') && ($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP')){ - $errormessage.=$Lang::tr{'fwdfw err prot_port1'}; - return; - } - #when icmp selected, no targetport allowed + #when icmp selected, no source and targetport allowed if (($fwdfwsettings{'PROT'} ne '' && $fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'template') && ($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON')){ $errormessage.=$Lang::tr{'fwdfw err prot_port'}; return; @@ -931,41 +890,14 @@ sub checkrule $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; - }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'ICMP'){ + }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP'){ $fwdfwsettings{'ICMP_TYPES'}=''; - $fwdfwsettings{'PROT'} = ''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; } } -sub checkcounter -{ - my ($base1,$val1,$base2,$val2) = @_; - - if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){ - &dec_counter($confignet,\%customnetwork,$val1); - }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){ - &dec_counter($confighost,\%customhost,$val1); - }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){ - &dec_counter($configgrp,\%customgrp,$val1); - }elsif($base1 eq 'cust_srv'){ - &dec_counter($configsrv,\%customservice,$val1); - }elsif($base1 eq 'cust_srvgrp'){ - &dec_counter($configsrvgrp,\%customservicegrp,$val1); - } - - if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ - &inc_counter($confignet,\%customnetwork,$val2); - }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ - &inc_counter($confighost,\%customhost,$val2); - }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){ - &inc_counter($configgrp,\%customgrp,$val2); - }elsif($base2 eq 'cust_srv'){ - &inc_counter($configsrv,\%customservice,$val2); - }elsif($base2 eq 'cust_srvgrp'){ - &inc_counter($configsrvgrp,\%customservicegrp,$val2); - } -} sub checkvpn { my $ip=shift; @@ -997,15 +929,6 @@ sub deleterule my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); foreach my $key (sort {$a <=> $b} keys %delhash){ - if ($key == $fwdfwsettings{'key'}){ - #check hosts/net and groups - &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); - &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); - #check services and groups - if ($delhash{$key}[11] eq 'ON'){ - &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); - } - } if ($key >= $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $delhash{$next}) { @@ -1038,21 +961,6 @@ sub disable_rule &General::writehasharray("$configfwdfw", \%configfwdfw); &General::firewall_config_changed(); } -sub dec_counter -{ - my $config=shift; - my %hash=%{(shift)}; - my $val=shift; - my $pos; - &General::readhasharray($config, \%hash); - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - $pos=$#{$hash{$key}}; - $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } - } - &General::writehasharray($config, \%hash); -} sub error { if ($errormessage) { @@ -1187,7 +1095,7 @@ END if ($show eq '1'){$show='';print"";} #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { - if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ print"$Lang::tr{'fwhost ipsec net'} + + + + +END + + if (%aliases) { + print <$Lang::tr{'dnat address'}: + + "; + } else { + print < + - $Lang::tr{'fwdfw dnat'} END - print"Firewall: "; + print ""; + #SNAT - print"$Lang::tr{'fwdfw snat'}"; - print"Firewall: + $Lang::tr{'fwdfw snat'} + + + $Lang::tr{'snat new source ip address'}: + + "; - print""; + + print < + + + + +END &Header::closebox(); + #---TARGET------------------------------------------------------ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print<
-
@@ -2074,6 +2023,7 @@ END +
END @@ -2318,7 +2268,7 @@ sub validremark if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { return 0;} # First character can only be a letter or a digit - if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { + if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) { return 0;} # Last character can only be a letter or a digit if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { @@ -2328,36 +2278,41 @@ sub validremark sub viewtablerule { &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); - &viewtablenew(\%configfwdfw,$configfwdfw,"","Forward" ); - &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); - &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); + + &viewtablenew(\%configfwdfw, $configfwdfw, $Lang::tr{'firewall rules'}); + &viewtablenew(\%configinputfw, $configinput, $Lang::tr{'external access'}); + &viewtablenew(\%configoutgoingfw, $configoutgoing, $Lang::tr{'outgoing firewall'}); } sub viewtablenew { my $hash=shift; my $config=shift; my $title=shift; - my $title1=shift; my $go=''; + + my $show_box = (! -z $config) || ($optionsfw{'SHOWTABLES'} eq 'on'); + return if (!$show_box); + &General::get_aliases(\%aliases); &General::readhasharray("$confighost", \%customhost); &General::readhasharray("$config", $hash); &General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$configccdhost", \%ccdhost); - if( ! -z $config){ - &Header::openbox('100%', 'left',$title); + + &Header::openbox('100%', 'left', $title); + print ""; + + if (! -z $config) { my $count=0; my ($gif,$log); my $ruletype; my $rulecolor; my $tooltip; my @tmpsrc=(); + my @tmptgt=(); my $coloryellow=''; - print <$title1 -
-
+ print < "; + $color="$color{'color14'}"; $coloryellow=''; }elsif($coloryellow eq ''){ if ($count % 2){ @@ -2491,9 +2474,9 @@ END #SOURCE my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); - print""; } - print"
# @@ -2370,7 +2325,7 @@ sub viewtablenew $Lang::tr{'fwdfw source'} - Log + $Lang::tr{'fwdfw log'} $Lang::tr{'fwdfw target'} @@ -2384,33 +2339,61 @@ END foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); + @tmptgt=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[4]); } if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ - push (@tmpsrc,$$hash{$key}[6]); + push (@tmptgt,$$hash{$key}[6]); } foreach my $host (@tmpsrc){ - if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if($$hash{$key}[3] eq 'ipsec_net_src'){ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_net_src'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src'){ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_host_src'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + } + foreach my $host (@tmptgt){ + if($$hash{$key}[5] eq 'ipsec_net_tgt'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_net_tgt'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_host_tgt'){ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ $coloryellow='on'; &disable_rule($key); @@ -2421,7 +2404,7 @@ END $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; if($coloryellow eq 'on'){ - print"
"; + print""; if ($$hash{$key}[3] eq 'ipfire_src'){ - $ipfireiface='Interface '; + $ipfireiface=$Lang::tr{'fwdfw iface'}; } if ($$hash{$key}[3] eq 'std_net_src'){ print &get_name($$hash{$key}[4]); @@ -2506,8 +2489,14 @@ END } }elsif ($$hash{$key}[4] eq 'RED1'){ print "$ipfireiface $Lang::tr{'fwdfw red'}"; + }elsif ($$hash{$key}[4] eq 'ALL'){ + print "$ipfireiface $Lang::tr{'all'}"; }else{ - print "$$hash{$key}[4]"; + if ($$hash{$key}[4] eq 'GREEN' || $$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE' || $$hash{$key}[4] eq 'RED'){ + print "$ipfireiface $Lang::tr{lc($$hash{$key}[4])}"; + }else{ + print "$ipfireiface $$hash{$key}[4]"; + } } $tdcolor=''; #SOURCEPORT @@ -2552,15 +2541,12 @@ END } print"
->"; } - if ($$hash{$key}[5] eq 'ipfire'){ - $ipfireiface='Interface'; - } - if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire'){ if ($$hash{$key}[6] eq 'RED1'){ - print "$ipfireiface $Lang::tr{'red1'}"; - }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL') + print "$Lang::tr{'red1'}"; + }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL' || $$hash{$key}[6] eq 'RED') { - print "$ipfireiface ".&get_name($$hash{$key}[6]); + print &get_name($$hash{$key}[6]); }else{ print $$hash{$key}[6]; } @@ -2682,97 +2668,152 @@ END } print"
"; - #SHOW FINAL RULE - print ""; - my $col; - if ($config eq '/var/ipfire/firewall/config'){ - my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - $col="bgcolor='darkred'"; - }else{ - $col="bgcolor='green'"; - } - &show_defaultrules($col,$pol); - }elsif ($config eq '/var/ipfire/firewall/outgoing'){ - if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ - $col="bgcolor='darkred'"; - print""; - }else{ - $col="bgcolor='green'"; - print""; - } - }else{ - print""; + } elsif ($optionsfw{'SHOWTABLES'} eq 'on') { + print < + + +END + } + + #SHOW FINAL RULE + my $policy = 'fwdfw ' . $fwdfwsettings{'POLICY'}; + my $colour = "bgcolor='green'"; + if ($fwdfwsettings{'POLICY'} eq 'MODE1') { + $colour = "bgcolor='darkred'"; + } + + my $message; + if (($config eq '/var/ipfire/firewall/config') && ($fwdfwsettings{'POLICY'} ne 'MODE1')) { + print < + + + + +END } - } -} -&Header::closebigbox(); -&Header::closepage(); -sub show_defaultrules -{ - my $col=shift; - my $pol=shift; - #STANDARD RULES (From WIKI) - print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
$Lang::tr{'fwhost empty'}
 
+ +END + + # GREEN + print < + + +END + + if (&Header::orange_used()) { + print < + $Lang::tr{'orange'} + ($Lang::tr{'fwdfw pol allow'}) + +END } - print"
+ $Lang::tr{'green'} + + $Lang::tr{'red'} + ($Lang::tr{'fwdfw pol allow'}) +
"; - print "
"; - print "

"; - &Header::closebox(); - }else{ - if ($optionsfw{'SHOWTABLES'} eq 'on'){ - print "$title1
"; - print"
$Lang::tr{'fwhost empty'}
"; - my $col; - if ($config eq '/var/ipfire/firewall/config'){ - my $pol='fwdfw '.$fwdfwsettings{'POLICY'}; - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - $col="bgcolor='darkred'"; - }else{ - $col="bgcolor='green'"; - } - &show_defaultrules($col,$pol); - }elsif ($config eq '/var/ipfire/firewall/outgoing'){ - print ""; - my $pol='fwdfw '.$fwdfwsettings{'POLICY1'}; - if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ - $col="bgcolor='darkred'"; - print""; - }else{ - $col="bgcolor='green'"; - print""; - } - }else{ - print "
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol allow'}
"; - print""; - } - print"
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}


"; + + if (&Header::blue_used()) { + print < + $Lang::tr{'blue'} + ($Lang::tr{'fwdfw pol allow'}) +
"; - if ($col eq "bgcolor='green'"){ - print "
"; - my $blue = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used()); - my $orange = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used()); - my $blue1 = " $Lang::tr{'blue'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used()); - my $orange1 = " $Lang::tr{'orange'} ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used()); - print""; - print"" if (&Header::orange_used()); - print"" if (&Header::blue_used()); print""; - if (&Header::orange_used()){ - print""; - print"" if (&Header::blue_used()); + + # ORANGE + if (&Header::orange_used()) { + print < + + + +END + + if (&Header::blue_used()) { + print < + $Lang::tr{'blue'} + ($Lang::tr{'fwdfw pol block'}) + +END + } + print""; } - if (&Header::blue_used()){ - print""; - print"" if (&Header::orange_used()); - print""; + + if (&Header::blue_used()) { + print < + + +END + + if (&Header::orange_used()) { + print < + $Lang::tr{'orange'} + ($Lang::tr{'fwdfw pol block'}) + + +END + } + print""; } - print""; - }elsif($col eq "bgcolor='darkred'"){ - print "
$Lang::tr{'green'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange1$blue1
$Lang::tr{'orange'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'}) $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'})$blue + $Lang::tr{'orange'} + + $Lang::tr{'red'} + ($Lang::tr{'fwdfw pol allow'}) + + $Lang::tr{'green'} + ($Lang::tr{'fwdfw pol block'}) +
$Lang::tr{'blue'} $Lang::tr{'red'} ($Lang::tr{'fwdfw pol allow'})$orange $Lang::tr{'green'} ($Lang::tr{'fwdfw pol block'}) + $Lang::tr{'blue'} + + $Lang::tr{'red'} + ($Lang::tr{'fwdfw pol allow'}) + + $Lang::tr{'green'} + ($Lang::tr{'fwdfw pol block'}) +
$Lang::tr{'fwdfw final_rule'} $Lang::tr{'fwdfw pol allow'}
"; - print""; + + print < + + +END + + $message = $Lang::tr{'fwdfw pol allow'}; + + } elsif ($config eq '/var/ipfire/firewall/outgoing' && ($fwdfwsettings{'POLICY1'} ne 'MODE1')) { + $message = $Lang::tr{'fwdfw pol allow'}; + $colour = "bgcolor='green'"; + } else { + $message = $Lang::tr{'fwdfw pol block'}; + $colour = "bgcolor='darkred'"; } + + if ($message) { + print < + + +END + } + + print "
$Lang::tr{'fwdfw final_rule'}$Lang::tr{'fwdfw pol block'}
+ $Lang::tr{'policy'}: $message +
"; + print "
"; + + &Header::closebox(); } + +&Header::closebigbox(); +&Header::closepage();