X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Ffirewall.cgi;h=ee13033614ac874db302dee9935670e0b3db8421;hp=80989ce58662ddbca0950f79f26daba2e91b8a0a;hb=f5f71c79b7168cc90b5b7fb19a7bda47f3b7bfab;hpb=d8afe3e2c0690899e2efa6742b13a619c4f92298 diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi old mode 100755 new mode 100644 index 80989ce58..ee1303361 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -136,14 +136,17 @@ print<"; }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ my $custsrvport; - #get servcie Protocol and Port + #get service Protocol and Port foreach my $key (sort keys %customservice){ if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){ if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){ @@ -820,6 +801,10 @@ sub checkrule } $fwdfwsettings{'dnatport'}=join("|",@values); } + #check if a rule with prot tcp or udp and ports is edited and now prot is "all", then delete all ports + if($fwdfwsettings{'PROT'} eq ''){ + $fwdfwsettings{'dnatport'}=''; + } } #check valid remark if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ @@ -855,12 +840,7 @@ sub checkrule } } } - #When using source- or targetport, the protocol has to be TCP or UDP - if (($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON') && ($fwdfwsettings{'SRC_PORT'} ne '' || $fwdfwsettings{'TGT_PORT'} ne '') && ($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP')){ - $errormessage.=$Lang::tr{'fwdfw err prot_port1'}; - return; - } - #when icmp selected, no targetport allowed + #when icmp selected, no source and targetport allowed if (($fwdfwsettings{'PROT'} ne '' && $fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'template') && ($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON')){ $errormessage.=$Lang::tr{'fwdfw err prot_port'}; return; @@ -930,41 +910,14 @@ sub checkrule $fwdfwsettings{'ICMP_TYPES'}=''; $fwdfwsettings{'USESRV'}=''; $fwdfwsettings{'TGT_PORT'}=''; - }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && $fwdfwsettings{'PROT'} ne 'ICMP'){ + }elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP'){ $fwdfwsettings{'ICMP_TYPES'}=''; - $fwdfwsettings{'PROT'} = ''; + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'TGT_PORT'}=''; }elsif($fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; } } -sub checkcounter -{ - my ($base1,$val1,$base2,$val2) = @_; - - if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){ - &dec_counter($confignet,\%customnetwork,$val1); - }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){ - &dec_counter($confighost,\%customhost,$val1); - }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){ - &dec_counter($configgrp,\%customgrp,$val1); - }elsif($base1 eq 'cust_srv'){ - &dec_counter($configsrv,\%customservice,$val1); - }elsif($base1 eq 'cust_srvgrp'){ - &dec_counter($configsrvgrp,\%customservicegrp,$val1); - } - - if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ - &inc_counter($confignet,\%customnetwork,$val2); - }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ - &inc_counter($confighost,\%customhost,$val2); - }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){ - &inc_counter($configgrp,\%customgrp,$val2); - }elsif($base2 eq 'cust_srv'){ - &inc_counter($configsrv,\%customservice,$val2); - }elsif($base2 eq 'cust_srvgrp'){ - &inc_counter($configsrvgrp,\%customservicegrp,$val2); - } -} sub checkvpn { my $ip=shift; @@ -996,15 +949,6 @@ sub deleterule my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); foreach my $key (sort {$a <=> $b} keys %delhash){ - if ($key == $fwdfwsettings{'key'}){ - #check hosts/net and groups - &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); - &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); - #check services and groups - if ($delhash{$key}[11] eq 'ON'){ - &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); - } - } if ($key >= $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $delhash{$next}) { @@ -1037,21 +981,6 @@ sub disable_rule &General::writehasharray("$configfwdfw", \%configfwdfw); &General::firewall_config_changed(); } -sub dec_counter -{ - my $config=shift; - my %hash=%{(shift)}; - my $val=shift; - my $pos; - &General::readhasharray($config, \%hash); - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - $pos=$#{$hash{$key}}; - $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } - } - &General::writehasharray($config, \%hash); -} sub error { if ($errormessage) { @@ -1059,7 +988,6 @@ sub error print "$errormessage\n"; print " \n"; &Header::closebox(); - print"
"; } } sub fillselect @@ -1103,7 +1031,7 @@ sub gen_dd_block print< - +
"; } #End left table. start right table (vpn) - print"
$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust grp'}
"; + print"
"; # CCD networks if( ! -z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ print"";} #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { - if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ print" -
$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost ipsec net'}
+
+ END &gen_dd_block('src','grp1'); - print"
"; &Header::closebox(); #---SNAT / DNAT ------------------------------------------------ @@ -1680,7 +1617,7 @@ END @@ -1713,7 +1650,7 @@ END @@ -1767,10 +1704,9 @@ END } print< -
+
END &gen_dd_block('tgt','grp2'); - print"
"; &Header::closebox; #---PROTOCOL------------------------------------------------------ $fwdfwsettings{'SRC_PORT'} =~ s/\|/,/g; @@ -1904,7 +1840,7 @@ END &General::readhasharray("$configsrvgrp", \%customservicegrp); my $helper; foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ - if ($helper ne $customservicegrp{$key}[0]){ + if ($helper ne $customservicegrp{$key}[0] && $customservicegrp{$key}[2] ne 'none'){ print""; @@ -1923,25 +1859,10 @@ END END &Header::closebox; - - $checked{"RULE_ACTION"} = (); - foreach ("ACCEPT", "DROP", "REJECT") { - $checked{"RULE_ACTION"}{$_} = ""; - } - - if($fwdfwsettings{'updatefwrule'} eq 'on') { - $checked{"RULE_ACTION"}{$fwdfwsettings{'RULE_ACTION'}} = "checked"; - } elsif ($fwdfwsettings{'POLICY'} eq 'MODE1') { - $checked{"RULE_ACTION"}{"ACCEPT"} = "checked"; - } elsif ($fwdfwsettings{'POLICY'} eq 'MODE2') { - $checked{"RULE_ACTION"}{"DROP"} = "checked"; - } - + $checked{"RULE_ACTION"}{$fwdfwsettings{'RULE_ACTION'}} = 'CHECKED'; print <
-
- +
 
  @@ -1978,7 +1899,6 @@ END
END - #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); print<
-
+
END #---ACTION------------------------------------------------------ @@ -2368,15 +2288,14 @@ sub validremark return 0;} return 1; } - -sub viewtablerule { +sub viewtablerule +{ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &viewtablenew(\%configfwdfw, $configfwdfw, $Lang::tr{'firewall rules'}); &viewtablenew(\%configinputfw, $configinput, $Lang::tr{'external access'}); &viewtablenew(\%configoutgoingfw, $configoutgoing, $Lang::tr{'outgoing firewall'}); } - sub viewtablenew { my $hash=shift; @@ -2392,9 +2311,11 @@ sub viewtablenew &General::readhasharray("$config", $hash); &General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$configccdhost", \%ccdhost); + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$configsrvgrp", \%customservicegrp); &Header::openbox('100%', 'left', $title); - print ""; + print "
"; if (! -z $config) { my $count=0; @@ -2403,6 +2324,7 @@ sub viewtablenew my $rulecolor; my $tooltip; my @tmpsrc=(); + my @tmptgt=(); my $coloryellow=''; print < $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); + @tmptgt=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[4]); } if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ - push (@tmpsrc,$$hash{$key}[6]); + push (@tmptgt,$$hash{$key}[6]); } foreach my $host (@tmpsrc){ - if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if($$hash{$key}[3] eq 'ipsec_net_src'){ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_net_src'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src'){ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + }elsif($$hash{$key}[3] eq 'ovpn_host_src'){ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ $coloryellow='on'; &disable_rule($key); @@ -2466,10 +2389,52 @@ END } } } + foreach my $host (@tmptgt){ + if($$hash{$key}[5] eq 'ipsec_net_tgt'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_net_tgt'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[5] eq 'ovpn_host_tgt'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + } + #check if networkgroups or servicegroups are empty + foreach my $netgroup (sort keys %customgrp){ + if(($$hash{$key}[4] eq $customgrp{$netgroup}[0] || $$hash{$key}[6] eq $customgrp{$netgroup}[0]) && $customgrp{$netgroup}[2] eq 'none'){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + foreach my $srvgroup (sort keys %customservicegrp){ + if($$hash{$key}[15] eq $customservicegrp{$srvgroup}[0] && $customservicegrp{$srvgroup}[2] eq 'none'){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; if($coloryellow eq 'on'){ - print""; + $color="$color{'color14'}"; $coloryellow=''; }elsif($coloryellow eq ''){ if ($count % 2){ @@ -2554,8 +2519,14 @@ END } }elsif ($$hash{$key}[4] eq 'RED1'){ print "$ipfireiface $Lang::tr{'fwdfw red'}"; + }elsif ($$hash{$key}[4] eq 'ALL'){ + print "$ipfireiface $Lang::tr{'all'}"; }else{ - print "$$hash{$key}[4]"; + if ($$hash{$key}[4] eq 'GREEN' || $$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE' || $$hash{$key}[4] eq 'RED'){ + print "$ipfireiface $Lang::tr{lc($$hash{$key}[4])}"; + }else{ + print "$ipfireiface $$hash{$key}[4]"; + } } $tdcolor=''; #SOURCEPORT @@ -2600,15 +2571,12 @@ END } print"
->"; } - if ($$hash{$key}[5] eq 'ipfire'){ - $ipfireiface='Interface'; - } - if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire'){ if ($$hash{$key}[6] eq 'RED1'){ - print "$ipfireiface $Lang::tr{'red1'}"; + print "$Lang::tr{'red1'}"; }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL' || $$hash{$key}[6] eq 'RED') { - print "$ipfireiface ".&get_name($$hash{$key}[6]); + print &get_name($$hash{$key}[6]); }else{ print $$hash{$key}[6]; } @@ -2853,9 +2821,9 @@ END $message = $Lang::tr{'fwdfw pol allow'}; - } elsif ($config eq '/var/ipfire/firewall/outgoing') { + } elsif ($config eq '/var/ipfire/firewall/outgoing' && ($fwdfwsettings{'POLICY1'} ne 'MODE1')) { $message = $Lang::tr{'fwdfw pol allow'}; - + $colour = "bgcolor='green'"; } else { $message = $Lang::tr{'fwdfw pol block'}; $colour = "bgcolor='darkred'";