Forward Firewall: applied all changes as diff and added new files. Also deleted c...
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:02:02 +0000 (14:02 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:02:02 +0000 (14:02 +0200)
Signed-off-by: Alexander Marx <amarx@ipfire.org>
Conflicts:
config/backup/include
lfs/configroot
lfs/usb-stick

15 files changed:
config/backup/include
config/cfgroot/general-functions.pl
config/menu/50-firewall.menu
config/rootfiles/common/configroot
config/rootfiles/common/i586/initscripts
config/rootfiles/common/misc-progs
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
lfs/configroot
lfs/initscripts
src/initscripts/init.d/firewall
src/initscripts/init.d/network
src/misc-progs/Makefile
src/misc-progs/setdmzholes.c [deleted file]
src/misc-progs/setxtaccess.c [deleted file]

index c863a0e560ed525c74653fe612be75249a75a64f..232ac4897ef2fe4f2038a0232926172725e1f2a7 100644 (file)
@@ -15,6 +15,8 @@
 /var/ipfire/auth/users
 /var/ipfire/dhcp/*
 /var/ipfire/dnsforward/*
+/var/ipfire/forward/*
+/var/ipfire/fwhosts/*
 /var/ipfire/main/*
 /var/ipfire/outgoing/groups
 /var/ipfire/outgoing/macgroups
index 41643d8d7451c25aebda2475600b0f9c170845a4..d81c8bb9809921ff7fe7c7c078175104ab4e9bd8 100644 (file)
@@ -21,8 +21,8 @@ use Net::SSLeay;
 use Net::IPv4Addr qw(:all);
 $|=1; # line buffering
 
-$General::version = 'VERSION';
-$General::swroot = 'CONFIG_ROOT';
+$General::version = '2.11';
+$General::swroot = '/var/ipfire';
 $General::noipprefix = 'noipg-';
 $General::adminmanualurl = 'http://wiki.ipfire.org';
 
@@ -39,6 +39,99 @@ sub log
        $logmessage = $1;
        system('logger', '-t', $tag, $logmessage);
 }
+sub setup_default_networks
+{
+       my %netsettings=();
+       my $defaultNetworks = shift;
+       
+       &readhash("/var/ipfire/ethernet/settings", \%netsettings);
+       
+       # Get current defined networks (Red, Green, Blue, Orange)
+       $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
+       $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
+               
+       $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+       $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
+       if ($netsettings{'ORANGE_DEV'} ne ''){
+               $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+               $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
+       }
+
+       if ($netsettings{'BLUE_DEV'} ne ''){
+               $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+               $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
+       }
+
+       # OpenVPN
+       if(-e "${General::swroot}/ovpn/settings")
+       {
+               my %ovpnSettings = ();
+               &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+
+               # OpenVPN on Red?
+               if(defined($ovpnSettings{'DOVPN_SUBNET'}))
+               {
+                       my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
+                       $sub=&General::iporsubtocidr($sub);
+                       my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
+                       $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
+                       $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
+               }
+       } # end OpenVPN
+       # IPsec RW NET
+       if(-e "${General::swroot}/vpn/settings")
+       {
+               my %ipsecsettings = ();
+               &readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+               if($ipsecsettings{'RW_NET'} ne '')
+               {
+                       my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
+                       $sub=&General::iporsubtocidr($sub);
+                       my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
+                       $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
+                       $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
+               }
+       }
+       #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+       #my @current = <FILE>;
+       #close(FILE);
+       #my $ctr = 0;
+       #foreach my $line (@current)
+       #{
+               #if ($line ne ''){
+                       #chomp($line);
+                       #my @temp = split(/\,/,$line);
+                       #if ($temp[2] eq '') {
+                               #$temp[2] = "Alias $ctr : $temp[0]";
+                       #}
+                       #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+                       #$ctr++;
+               #}
+       #}
+}
+sub get_aliases
+{
+       
+       my $defaultNetworks = shift;
+       open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+       my @current = <FILE>;
+       close(FILE);
+       my $ctr = 0;
+       foreach my $line (@current)
+       {
+               if ($line ne ''){
+                       chomp($line);
+                       my @temp = split(/\,/,$line);
+                       if ($temp[2] eq '') {
+                               $temp[2] = "Alias $ctr : $temp[0]";
+                       }
+                       $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+                       
+                       $ctr++;
+               }
+       }
+}
 
 sub readhash
 {
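Review bot: get_aliases (L130–L146) opens `${General::swroot}/ethernet/aliases` with a bareword handle and a two-arg open, and the `$line ne ''` test runs before `chomp`, so a blank line is never skipped: it yields an undefined `$temp[0]`, a key of the form `Alias N : ` and an empty `IPT` value, with "uninitialized" warnings. The rewrite below uses a lexical three-arg open, reads line by line and skips blank lines after chomp, and guards the `$temp[2] eq ''` comparison against undef. setup_default_networks reads `/var/ipfire/ethernet/settings` as a literal path while the rest of the same function uses `${General::swroot}`, so that line should read `&readhash("${General::swroot}/ethernet/settings", \%netsettings);`. Both new functions also depend on `%Lang::tr` having been loaded by the caller, which the surrounding file does not appear to import itself. On the first hunk, replacing `'VERSION'` and `'CONFIG_ROOT'` with literals looks like it bypasses a build-time placeholder substitution (lfs/configroot is in the diffstat); worth confirming before this lands.
```perl
sub get_aliases
{
	my $defaultNetworks = shift;
	open(my $fh, '<', "${General::swroot}/ethernet/aliases")
		or die "Unable to open aliases file: $!";
	my $ctr = 0;
	while (my $line = <$fh>) {
		chomp($line);
		next if $line eq '';
		my @temp = split(/\,/, $line);
		if (!defined($temp[2]) || $temp[2] eq '') {
			$temp[2] = "Alias $ctr : $temp[0]";
		}
		$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
		$ctr++;
	}
	close($fh);
}
```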
index de28f8e259c8cf59870e6ae7a2bdd8d723c1c969..90baa65b2f9ce59686b034848241083cf1771350 100644 (file)
@@ -4,49 +4,37 @@
                                 'title' => "$Lang::tr{'ssport forwarding'}",
                                 'enabled' => 1,
                                 };
-    $subfirewall->{'20.xtaccess'} = {
-                                'caption' => $Lang::tr{'external access'},
-                                'uri' => '/cgi-bin/xtaccess.cgi',
-                                'title' => "$Lang::tr{'external access'}",
-                                'enabled' => 1,
-                                };
     $subfirewall->{'30.wireless'} = {
                                'caption' => $Lang::tr{'blue access'},
                                'uri' => '/cgi-bin/wireless.cgi',
                                'title' => "$Lang::tr{'blue access'}",
                                'enabled' => 1,
                                 };
-    $subfirewall->{'40.dmz'} = {
-                               'caption' => $Lang::tr{'ssdmz pinholes'},
-                               'uri' => '/cgi-bin/dmzholes.cgi',
-                               'title' => "$Lang::tr{'dmz pinhole configuration'}",
+    $subfirewall->{'51.forward'} = {
+                               'caption' => $Lang::tr{'fwdfw menu'},
+                               'uri' => '/cgi-bin/forwardfw.cgi',
+                               'title' => "$Lang::tr{'fwdfw menu'}",
                                'enabled' => 1,
-                                };
-    $subfirewall->{'50.outgoing'} = {
-                               'caption' => $Lang::tr{'outgoing firewall'},
-                               'uri' => '/cgi-bin/outgoingfw.cgi',
-                               'title' => "$Lang::tr{'outgoing firewall'}",
-                               'enabled' => 1,
-                               };
-    $subfirewall->{'51.outgoinggrp'} = {
-                               'caption' => $Lang::tr{'outgoing firewall groups'},
-                               'uri' => '/cgi-bin/outgoinggrp.cgi',
-                               'title' => "$Lang::tr{'outgoing firewall groups'}",
+                               };                      
+       $subfirewall->{'65.fwhost'} = {
+                               'caption' => $Lang::tr{'fwhost menu'},
+                               'uri' => '/cgi-bin/fwhosts.cgi',
+                               'title' => "$Lang::tr{'fwhost menu'}",
                                'enabled' => 1,
                                };
-    $subfirewall->{'60.upnp'} = {
+       $subfirewall->{'70.upnp'} = {
                                'caption' => 'UPnP',
                                'uri' => '/cgi-bin/upnp.cgi',
                                'title' => "Universal Plug and Play",
                                'enabled' => 0,
                                };
-    $subfirewall->{'60.optingsfw'} = {
+       $subfirewall->{'80.optingsfw'} = {
                                'caption' => $Lang::tr{'options fw'},
                                'uri' => '/cgi-bin/optionsfw.cgi',
                                'title' => "$Lang::tr{'options fw'}",
                                'enabled' => 1,
                                };
-    $subfirewall->{'70.iptables'} = {
+       $subfirewall->{'90.iptables'} = {
                                'caption' => $Lang::tr{'ipts'},
                                'uri' => '/cgi-bin/iptables.cgi',
                                'title' => "$Lang::tr{'ipts'}",
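Review bot: The new entries at L189, L196, L203 and L210 are indented with a tab while the surviving entries in this block use four spaces, and L188 carries trailing whitespace after `};`; keep one indentation style for the file. Separately, this hunk drops the `50.outgoing` and `51.outgoinggrp` entries, yet `usr/local/bin/outgoingfwctrl` (L274) and `red.up/22-outgoingfwctrl` (L256) are still shipped in the same commit, so the outgoing firewall keeps being started with no page left to manage it. That is presumably an intermediate state of the migration, but it is worth stating in the commit message so nobody treats the unreachable configuration as dead.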
index 8965ff70e5a071acf96de06daf92feff2806a464..7a23b8c61cb13b0a69c3ee975f5781e7780fef2b 100644 (file)
@@ -26,8 +26,6 @@ var/ipfire/dhcp
 #var/ipfire/dhcp/fixleases
 #var/ipfire/dhcp/settings
 var/ipfire/dhcpc
-var/ipfire/dmzholes
-#var/ipfire/dmzholes/config
 var/ipfire/dns
 #var/ipfire/dns/settings
 var/ipfire/dnsforward
@@ -47,6 +45,19 @@ var/ipfire/extrahd/partitions
 var/ipfire/extrahd/scan
 var/ipfire/extrahd/settings
 var/ipfire/fwlogs
+var/ipfire/forward
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/settings
+var/ipfire/forward/config
+var/ipfire/forward/input
+var/ipfire/fwhosts
+var/ipfire/fwhosts/icmp-types
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
 #var/ipfire/fwlogs/ipsettings
 #var/ipfire/fwlogs/portsettings
 var/ipfire/general-functions.pl
@@ -188,7 +199,5 @@ var/ipfire/wakeonlan
 var/ipfire/wireless
 #var/ipfire/wireless/config
 #var/ipfire/wireless/settings
-var/ipfire/xtaccess
-#var/ipfire/xtaccess/config
 var/ipfire/firebuild
 etc/system-release
index 3aca59ece3f4332114bb463227fdaf26983ba9e9..cf606440c52a2d102ed8e1032c4bd540d915a79b 100644 (file)
@@ -84,11 +84,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/20-RL-firewall
 etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
-etc/rc.d/init.d/networking/red.up/23-RS-snort
-etc/rc.d/init.d/networking/red.up/24-RS-qos
-etc/rc.d/init.d/networking/red.up/25-portfw
-etc/rc.d/init.d/networking/red.up/26-xtaccess
-etc/rc.d/init.d/networking/red.up/27-RS-squid
+etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+etc/rc.d/init.d/networking/red.up/24-RS-snort
+etc/rc.d/init.d/networking/red.up/25-RS-qos
+etc/rc.d/init.d/networking/red.up/26-portfw
+etc/rc.d/init.d/networking/red.up/28-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 etc/rc.d/init.d/networking/red.up/40-ipac
 etc/rc.d/init.d/networking/red.up/50-ipsec
index 8fd9b0bfc1cd14d3900c1b168b2ff0ebe6bafab5..d2d2a5de25bd0ff4f92da439f1963e4c9579d12d 100644 (file)
@@ -16,6 +16,7 @@ usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
 usr/local/bin/outgoingfwctrl
+usr/local/bin/forwardfwctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
@@ -23,9 +24,7 @@ usr/local/bin/rebuildroutes
 usr/local/bin/redctrl
 #usr/local/bin/sambactrl
 usr/local/bin/setaliases
-usr/local/bin/setdmzholes
 usr/local/bin/setportfw
-usr/local/bin/setxtaccess
 usr/local/bin/smartctrl
 usr/local/bin/snortctrl
 usr/local/bin/squidctrl
index 021682f702370f46497179c41480e1acfe9541dc..a6989d3fe9e303a76ed35404c9e6143d57da9c19 100644 (file)
 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu',
 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu',
 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu',
+'forward firewall'             => 'Firewall',
+'fwdfw additional'             => 'Zusätzlich',
+'fwdfw action'                 => 'Aktion',
+'fwdfw menu'                   => 'Firewall',
+'fwdfw addrule'                => 'Neue Regel hinzufügen:',
+'fwdfw addr grp'               => 'Adress Gruppen:',
+'fwdfw change'                 => 'Aktualisieren',
+'fwdfw cust addr'              => 'Custom Adressen:',
+'fwdfw cust net'               => 'Custom Netzwerke:',
+'fwdfw copy'                   => 'Kopieren',
+'fwdfw delete'                 => 'Löschen',
+'fwdfw edit'                   => 'Bearbeiten',
+'fwdfw err nosrc'              => 'Keine Quelle gewählt.',
+'fwdfw err nosrcip'            => 'Bitte Quell IP-Adresse angeben.',
+'fwdfw err notgt'              => 'Kein Ziel gewählt.',
+'fwdfw err notgtip'            => 'Bitte Ziel IP-Adresse angeben.',
+'fwdfw err prot'               => 'Quell- und Zielprotokoll müssen gleich sein.',
+'fwdfw err remark'             => 'Bemerkung enthält ungültige Zeichen.',
+'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.',
+'fwdfw err src_addr'   => 'Quell-MAC/IP ungültig.',
+'fwdfw err same'               => 'Quelle und Ziel sind identisch.',
+'fwdfw err samesub'            => 'Quell und Ziel IP Adresse im selben Subnetz.',
+'fwdfw err srcport'            => 'Bitte Quellport angeben.',
+'fwdfw err tgtport'            => 'Bitte Zielport angeben.',
+'fwdfw err tgt_addr'   => 'Ziel-IP ungültig.',
+'fwdfw err tgt_port'   => 'Ziel Port ungültig',
+'fwdfw err tgt_mac'            => 'MAC Adressen können nicht als Ziel defininert werden.',
+'fwdfw err tgt_grp'            => 'Ziel-Dienstgruppe ist leer.',
+'fwdfw err time'               => 'Es muss mindestens ein Tag gewählt werden.',
+'fwdfw from'                   => 'Von:',
+'fwdfw hint ip1'               => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.',
+'fwdfw hint ip2'               => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ',
+'fwdfw ipsec network'  => 'IPsec Netzwerke:',
+'fwdfw log rule'               => 'Log Regel',
+'fwdfw man port'               => 'Port(s) manuel:',
+'fwdfw moveup'                 => 'Hoch',
+'fwdfw movedown'               => 'Runter',
+'fwdfw reread'                 => 'Übernehmen',
+'fwdfw rules'                  => 'Regeln',
+'fwdfw rule action'    => 'Regel Aktion:',
+'fwdfw rule activate'  => 'Regel aktivieren',
+'fwdfw source'                         => 'Quelle',
+'fwdfw sourceip'               => 'Quelladresse (MAC, IP oder Netzwerk):',
+'fwdfw std network'    => 'Standard Netzwerke:',
+'fwdfw target'                 => 'Ziel',
+'fwdfw targetip'               => 'Zieladresse (IP oder Netzwerk):',
+'fwdfw till'                   => 'Bis:',
+'fwdfw time'                   => 'Zeitrahmen:',
+'fwdfw timeframe'              => 'Zeitrahmen hinzufügen',
+'fwdfw toggle'                 => 'Aktivieren oder deaktivieren',
+'fwdfw togglelog'              => 'Log aktivieren oder deaktivieren',
+'fwdfw use srcport'            => 'Quellport benutzen',
+'fwdfw use srv'                        => 'Ziel-Dienstport benutzen',
+'fwdfw newrule'                => 'Neue Regel',
+'fwdfw wd_mon'                 => 'Mo',
+'fwdfw wd_tue'                 => 'Di',
+'fwdfw wd_wed'                 => 'Mi',
+'fwdfw wd_thu'                 => 'Do',
+'fwdfw wd_fri'                 => 'Fr',
+'fwdfw wd_sat'                 => 'Sa',
+'fwdfw wd_sun'                 => 'So',
+'fwhost addgrp'                => 'Gruppe:',
+'fwhost addgrpname'            => 'Gruppenname:',
+'fwhost addhost'               => 'Adresse:',
+'fwhost addnet'                => 'Netzwerk:',
+'fwhost addrule'               => 'Neue Regel hinzufügen:',
+'fwhost any'                   => 'Alle',
+'fwhost attention'             => 'ACHTUNG',
+'fwhost back'                  => 'Übernehmen',
+'fwhost blue'                  => 'Blau',
+'fwhost ccdhost'               => 'OpenVPN Clients:',
+'fwhost ccdnet'                        => 'OpenVPN Netzwerke:',
+'fwhost change'                        => 'Ändern',
+'fwhost changeremark'  => 'Es wurde nur die Bemerkung angepasst.',
+'fwhost cust addr'             => 'Custom Adressen:',
+'fwhost cust grp'              => 'Custom Gruppen:',
+'fwhost cust net'              => 'Custom Netzwerke:',
+'fwhost cust service'  => 'Custom Dienste:',
+'fwhost cust srvgrp'   => 'Custom Dienstgruppen',
+'fwhost deleted'               => 'Gelöscht',
+'fwhost empty'                 => 'Keine Einträge vorhanden',
+'fwhost err addr'              => 'IP oder Subnetzmaske ungültig.',
+'fwhost err addrgrp'   => 'Bitte gruppenname angeben.',
+'fwhost err empty'             => 'Bitte alle Felder füllen.',
+'fwhost err grpexist'  => 'Gruppe existiert bereits.',
+'fwhost err groupempty'        => 'Gewählte Gruppe ist leer.',
+'fwhost err name'              => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err name1'             => 'Name muss gefüllt sein.',
+'fwhost err netexist'  => 'Ein Netz mit diesem Namen existiert bereits!',
+'fwhost err net'               => 'Netzwerk IP existiert bereits',
+'fwhost err mac'               => 'MAC Adresse ungültig.',
+'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.',
+'fwhost err hostip'    => 'Netz- oder Broadcastadressen sind nicht erlaubt.',
+'fwhost err hostorip'  => 'Name oder IP Adresse ungültig.',
+'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdipnet'        => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.',
+'fwhost err isccdnet'  => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.',
+'fwhost err isingrp'   => 'Dieser Eintrag existiert bereits in der Gruppe.',
+'fwhost err ip'                        => 'IP Addresse ungültig.',
+'fwhost err ipmac'             => 'IP/MAC Addresse ungültig.',
+'fwhost err ipcheck'   => 'Diese IP Adresse wird bereits verwendet.',
+'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.',
+'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.', 
+'fwhost err port'              => 'Port muss gefüllt sein.',
+'fwhost err remark'            => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.',
+'fwhost err srvexist'  => 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists'        => 'Ein Service mit diesem Namen existiert bereits.',
+'fwhost err sub32'             => 'Bitte Host hinzufügen. Dieses Subnetz ist kein Netzwerk.',
+'fwhost green'                 => 'Grün',
+'fwhost hosts'                         => 'Firewall Hosts',
+'fwhost hint'                  => 'Hinweis',
+'fwhost icmptype'              => 'ICMP-Typ:',
+'fwhost ipadr'                 => 'IP Adresse:',
+'fwhost ip_mac'                        => 'IP/MAC Adresse',
+'fwhost ipsec host'            => 'IpSec Clients:',
+'fwhost ipsec net'             => 'IpSec Netzwerke:',
+'fwhost newnet'                => 'Netz Einstellungen',
+'fwhost newhost'               => 'Adress Einstellungen',
+'fwhost newgrp'                => 'Adress Gruppierung',
+'fwhost newservice'            => 'Dienst Einstellungen',
+'fwhost newservicegrp' => 'Dienst Gruppierung',
+'fwhost macwarn'               => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.',
+'fwhost menu'                  => 'Firewall Gruppen',
+'fwhost orange'                        => 'Orange',
+'fwhost ovpn_n2n'              => 'OpenVPN N-2-N',
+'fwhost port'                  => 'Port(s)',
+'fwhost prot'                  => 'Protokoll',
+'fwhost reset'                 => 'Abbrechen',
+'fwhost services'              => 'Dienste',
+'fwhost srv_name'              => 'Dienstname',
+'fwhost stdnet'                        => 'Standard Netzwerke:',
+'fwhost type'                  => 'Typ',
+'fwhost used'                  => 'Benutzt',
+'fwhost wo subnet'             => '(Ohne Subnetz)',
 'free' => 'Frei',
 'free memory' => 'Freier Speicher   ',
 'free swap' => 'Freier Swap',
index 2e04c468d08ba95e18c4cc435ebae1b7feff6ded..77e24130d658a6a718def0278b2086a682401f83 100644 (file)
 'forwarding rule added' => 'Forwarding rule added; restarting forwarder',
 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder',
 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder',
+'forward firewall'             => 'Firewall',
+'fwdfw additional'             => 'Additional',
+'fwdfw action'                 => 'Action',
+'fwdfw menu'                   => 'Firewall',
+'fwdfw addrule'                => 'Add new rule:',
+'fwdfw addr grp'               => 'Adress groups:',
+'fwdfw change'                 => 'Update',
+'fwdfw cust addr'              => 'Custom addresses:',
+'fwdfw cust net'               => 'Custom networks:',
+'fwdfw copy'                   => 'Copy',
+'fwdfw delete'                 => 'Delete',
+'fwdfw edit'                   => 'Edit',
+'fwdfw err nosrc'              => 'No source selected.',
+'fwdfw err nosrcip'            => 'Please provide source IP address.',
+'fwdfw err notgt'              => 'No target selected.',
+'fwdfw err notgtip'            => 'Please provide target IP address.',
+'fwdfw err prot'               => 'Source and target protocol have to match.',
+'fwdfw err remark'             => 'Invalid chars in remark.',
+'fwdfw err ruleexists' => 'This rule already exists.',
+'fwdfw err src_addr'   => 'Invalid source MAC/IP.',
+'fwdfw err same'               => 'Identical source and target',
+'fwdfw err samesub'            => 'Source and target IP adress are in same subnet.',
+'fwdfw err srcport'            => 'Please provide source port.',
+'fwdfw err tgtport'            => 'Please provide target port.',
+'fwdfw err tgt_addr'   => 'Invalid target IP-address.',
+'fwdfw err tgt_port'   => 'Invalid target port',
+'fwdfw err tgt_mac'            => 'MAC addresses can not be used as target.',
+'fwdfw err tgt_grp'            => 'Target servicegroup is empty',
+'fwdfw err time'               => 'You have to define at least one day.',
+'fwdfw from'                   => 'From:',
+'fwdfw hint ip1'               => 'The last generated rule may never be activated because source and target my be in same subnet.',
+'fwdfw hint ip2'               => 'Please doublecheck if this rule makes sense: ',
+'fwdfw ipsec network'  => 'IpSec networks:',
+'fwdfw log rule'               => 'Log rule',
+'fwdfw man port'               => 'Port(s) manual:',
+'fwdfw moveup'                 => 'Move up',
+'fwdfw movedown'               => 'Move down',
+'fwdfw reread'                 => 'Apply',
+'fwdfw rules'                  => 'Rules',
+'fwdfw rule action'    => 'Rule action:',
+'fwdfw rule activate'  => 'Activate rule',
+'fwdfw source'                         => 'Source',
+'fwdfw sourceip'               => 'Source address (MAC, IP or Network):',
+'fwdfw std network'    => 'Standard networks:',
+'fwdfw target'                 => 'Target',
+'fwdfw targetip'               => 'Target address (IP or network):',
+'fwdfw till'                   => 'Till:',
+'fwdfw time'                   => 'Timeframe:',
+'fwdfw timeframe'              => 'Add timeframe',
+'fwdfw toggle'                 => 'Activate or deactivate',
+'fwdfw togglelog'              => 'Activate or deactivate logging',
+'fwdfw use srcport'            => 'Use sourceport',
+'fwdfw use srv'                        => 'Use targetport',
+'fwdfw newrule'                => 'New rule',
+'fwdfw wd_mon'                 => 'Mon',
+'fwdfw wd_tue'                 => 'Tue',
+'fwdfw wd_wed'                 => 'Wed',
+'fwdfw wd_thu'                 => 'Thu',
+'fwdfw wd_fri'                 => 'Fri',
+'fwdfw wd_sat'                 => 'Sat',
+'fwdfw wd_sun'                 => 'Sun',
+'fwhost addgrp'                => 'Group:',
+'fwhost addgrpname'            => 'Groupname:',
+'fwhost addhost'               => 'Address:',
+'fwhost addnet'                => 'Network:',
+'fwhost addrule'               => 'Add new rule:',
+'fwhost any'                   => 'Any',
+'fwhost attention'             => 'ATTENTION',
+'fwhost back'                  => 'commit',
+'fwhost blue'                  => 'Blue',
+'fwhost ccdhost'               => 'OpenVPN clients:',
+'fwhost ccdnet'                        => 'OpenVPN networks:',
+'fwhost change'                        => 'Modify',
+'fwhost changeremark'  => 'You just modified the remark!',
+'fwhost cust addr'             => 'Custom addresses:',
+'fwhost cust grp'              => 'Custom groups:',
+'fwhost cust net'              => 'Custom networks:',
+'fwhost cust service'  => 'Custom services:',
+'fwhost cust srvgrp'   => 'Custom servicegroups',
+'fwhost deleted'               => 'Deleted',
+'fwhost empty'                 => 'No entries by now',
+'fwhost err addr'              => 'Invalid IP or subnet!',
+'fwhost err addrgrp'   => 'Please provide a groupname!',
+'fwhost err empty'             => 'Please fill in all fields!',
+'fwhost err grpexist'  => 'Group already exists!',
+'fwhost err groupempty'        => 'Selected Group is empty!',
+'fwhost err name'              => 'Name invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err name1'             => 'Name is empty.',
+'fwhost err netexist'  => 'A network with this name already exists!',
+'fwhost err net'               => 'Network IP already exists',
+'fwhost err mac'               => 'MAC address invalid',
+'fwhost err hostexist' => 'A host with this name already exists!',
+'fwhost err hostip'    => 'Net or broadcast not allowed!',
+'fwhost err hostorip'  => 'Name or IP invalid.',
+'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!',
+'fwhost err isccdipnet'        => 'This IP is already used by an OpenVPN network!',
+'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!',
+'fwhost err isccdnet'  => 'This name is already used by an OpenVPN Network!',
+'fwhost err isingrp'   => 'This entry already exists in the group!',
+'fwhost err ip'                        => 'IP address invalid.',
+'fwhost err ipmac'             => 'IP/MAC address invalid.',
+'fwhost err ipcheck'   => 'This IP address is already in use!',
+'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask',
+'fwhost err partofnet' => 'This network is part of an already existing one!', 
+'fwhost err port'              => 'Port is empty.',
+'fwhost err remark'            => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.',
+'fwhost err srvexist'  => 'Dieser Dienst ist bereits in der Gruppe',
+'fwhost err srv exists'        => 'A Service with this name already exists.',
+'fwhost err sub32'             => 'Please add single host. This subnet is no network!',
+'fwhost green'                 => 'Green',
+'fwhost hosts'                         => 'Firewall Hosts',
+'fwhost hint'                  => 'Note',
+'fwhost icmptype'              => 'ICMP type:',
+'fwhost ipadr'                 => 'IP address:',
+'fwhost ip_mac'                        => 'IP/MAC address',
+'fwhost ipsec host'            => 'IPsec clients:',
+'fwhost ipsec net'             => 'IPsec networks:',
+'fwhost netaddress'            => 'Network address:',
+'fwhost newnet'                => 'Network',
+'fwhost newhost'               => 'Host',
+'fwhost newgrp'                => 'Address grouping',
+'fwhost newservice'            => 'Service',
+'fwhost newservicegrp' => 'Service grouping',
+'fwhost macwarn'               => 'MAC addresses can not be used as target. Such addresses will be ignored!',
+'fwhost menu'                  => 'Firewall Groups',
+'fwhost orange'                        => 'Orange',
+'fwhost ovpn_n2n'              => 'OpenVPN N-2-N',
+'fwhost port'                  => 'Port(s)',
+'fwhost prot'                  => 'Protocol',
+'fwhost reset'                 => 'Cancel',
+'fwhost services'              => 'Services',
+'fwhost srv_name'              => 'Servicename',
+'fwhost stdnet'                        => 'Standard networks:',
+'fwhost type'                  => 'Type',
+'fwhost used'                  => 'Used',
+'fwhost wo subnet'             => '(without subnet)',
 'free' => 'Free',
 'free memory' => 'Free Memory    ',
 'free swap' => 'Free Swap',
index 1185236851fa6f695658bcc5db720f121d31a661..5280d8c286833bce2ec569b737f9c07042be91e8 100644 (file)
@@ -50,59 +50,62 @@ $(TARGET) :
        @$(PREBUILD)
 
        # Create all directories
-       for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \
-                       ethernet extrahd/bin fwlogs isdn key langs logging mac main  menu.d modem net-traffic \
+       for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
+                       ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+                       ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main  menu.d modem net-traffic \
                        net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
                        outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
                        proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
                        updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
-                       wakeonlan wireless xtaccess ; do \
+                       wakeonlan wireless ; do \
                mkdir -p $(CONFIG_ROOT)/$$i; \
        done
 
        # Touch empty files
        for i in auth/users backup/include.user backup/exclude.user \
            certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
-           dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+           dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
            ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
+           forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
            isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
            ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
-           ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+               ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
            qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
            vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
-               touch $(CONFIG_ROOT)/$$i; \
+           touch $(CONFIG_ROOT)/$$i; \
        done
 
        # Copy initial configfiles
        cp $(DIR_SRC)/config/cfgroot/header.pl                  $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/general-functions.pl       $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/lang.pl                    $(CONFIG_ROOT)/
-       cp $(DIR_SRC)/config/cfgroot/countries.pl                       $(CONFIG_ROOT)/
+       cp $(DIR_SRC)/config/cfgroot/countries.pl               $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/graphs.pl                  $(CONFIG_ROOT)/
        cp $(DIR_SRC)/config/cfgroot/advoptions-list            $(CONFIG_ROOT)/dhcp/advoptions-list
        cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl       $(CONFIG_ROOT)/connscheduler/lib.pl
        cp $(DIR_SRC)/config/cfgroot/connscheduler.conf         $(CONFIG_ROOT)/connscheduler
        cp $(DIR_SRC)/config/extrahd/*                          $(CONFIG_ROOT)/extrahd/bin/
        cp $(DIR_SRC)/config/cfgroot/sensors-settings           $(CONFIG_ROOT)/sensors/settings
-       cp $(DIR_SRC)/config/menu/*                                     $(CONFIG_ROOT)/menu.d/
+       cp $(DIR_SRC)/config/menu/*                             $(CONFIG_ROOT)/menu.d/
        cp $(DIR_SRC)/config/cfgroot/modem-defaults             $(CONFIG_ROOT)/modem/defaults
        cp $(DIR_SRC)/config/cfgroot/modem-settings             $(CONFIG_ROOT)/modem/settings
        cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl         $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
-       cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl               $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+       cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl       $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
        cp $(DIR_SRC)/config/cfgroot/nfs-server                 $(CONFIG_ROOT)/nfs/nfs-server
-       cp $(DIR_SRC)/config/cfgroot/p2protocols                        $(CONFIG_ROOT)/outgoing/p2protocols
-       cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl           $(CONFIG_ROOT)/outgoing/bin/
-       cp $(DIR_SRC)/config/outgoingfw/defaultservices         $(CONFIG_ROOT)/outgoing/
+       cp $(DIR_SRC)/config/cfgroot/p2protocols                $(CONFIG_ROOT)/outgoing/p2protocols
+       cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl   $(CONFIG_ROOT)/outgoing/bin/
+       cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
        cp $(DIR_SRC)/config/cfgroot/proxy-acl                  $(CONFIG_ROOT)/proxy/acl-1.4
-       cp $(DIR_SRC)/config/qos/*                                      $(CONFIG_ROOT)/qos/bin/
-       cp $(DIR_SRC)/config/cfgroot/ssh-settings                       $(CONFIG_ROOT)/remote/settings
-       cp $(DIR_SRC)/config/cfgroot/xtaccess-config            $(CONFIG_ROOT)/xtaccess/config
+       cp $(DIR_SRC)/config/qos/*                                              $(CONFIG_ROOT)/qos/bin/
+       cp $(DIR_SRC)/config/cfgroot/ssh-settings               $(CONFIG_ROOT)/remote/settings
        cp $(DIR_SRC)/config/cfgroot/time-settings              $(CONFIG_ROOT)/time/settings
-       cp $(DIR_SRC)/config/cfgroot/logging-settings           $(CONFIG_ROOT)/logging/settings
+       cp $(DIR_SRC)/config/cfgroot/logging-settings   $(CONFIG_ROOT)/logging/settings
        cp $(DIR_SRC)/config/cfgroot/useragents                 $(CONFIG_ROOT)/proxy/advanced
        cp $(DIR_SRC)/config/cfgroot/ethernet-vlans             $(CONFIG_ROOT)/ethernet/vlans
-       cp $(DIR_SRC)/langs/list                                        $(CONFIG_ROOT)/langs/
-
+       cp $(DIR_SRC)/langs/list                                                $(CONFIG_ROOT)/langs/
+       cp $(DIR_SRC)/config/forwardfw/rules.pl                 $(CONFIG_ROOT)/forward/bin/rules.pl
+       cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl  $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+       cp $(DIR_SRC)/config/fwhosts/icmp-types                 $(CONFIG_ROOT)/fwhosts/icmp-types
        # Oneliner configfiles
        echo  "ENABLED=off"             > $(CONFIG_ROOT)/vpn/settings
        echo  "VPN_DELAYED_START=0"     >>$(CONFIG_ROOT)/vpn/settings
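Review bot: The directory list of the `for i in` loop now carries the same entries twice: the kept line `ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \` and the new line right below it differ only by the added `fwhosts forward forward/bin`, so the older one looks like residue of the conflict resolution in this file and should be dropped; likewise `fwlogs/ipsettings fwlogs/portsettings` appear both on the existing touch line and again on the new `forward/settings forward/config … fwhosts/customservicegrp` line. `mkdir -p` and `touch` make the duplicates harmless at build time, but they mislead the next person editing these lists. Keeping only `ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \` and trimming the repeated fwlogs entries from the new touch line resolves it. The `$(TARGET)` recipe continues past this hunk.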
@@ -115,6 +118,14 @@ $(TARGET) :
        echo  "DROPOUTPUT=on"           >> $(CONFIG_ROOT)/optionsfw/settings
        echo  "DROPPORTSCAN=on"         >> $(CONFIG_ROOT)/optionsfw/settings
 
+       # Set outgoingfw.pl executable
+       chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+       
+       # set rules.pl executable
+       chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+       
+
+
        # Modify variables in header.pl
        sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
            -e "s+VERSION+$(VERSION)+g" \
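Review bot: `chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl` makes the script executable but nothing here pins its ownership; if rules.pl is what the new setuid forwardfwctrl helper from this commit's misc-progs Makefile runs, the file and `forward/bin` must remain root-owned and not writable by the web-server account, otherwise a change to the script by that account becomes a change to what runs as root. Worth confirming that the ownership loop later in the recipe (it ends at the `done` before `chown root:nobody $(CONFIG_ROOT)/dhcpc`, outside this hunk) does not hand `forward/bin` to nobody, and adding `chown root:root $(CONFIG_ROOT)/forward/bin/rules.pl` beside the chmod if it does. The blank lines added after each chmod contain only tabs, and the line left where the old outgoingfw.pl chmod was removed in the next hunk is whitespace-only too; both can go.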
@@ -140,7 +151,5 @@ $(TARGET) :
        done
        chown root:nobody $(CONFIG_ROOT)/dhcpc
 
-       # Set outgoingfw.pl executable
-       chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
-
+               
        @$(POSTBUILD)
index 6549147a83afdf68735c2ff3e5503318df3d4bb2..f4ad0f7fe418999452d8c3157c467b2e701ba480 100644 (file)
@@ -181,18 +181,17 @@ $(TARGET) :
        ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
        ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
                /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+       ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+               /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
        ln -sf ../../../../../usr/local/bin/snortctrl \
-               /etc/rc.d/init.d/networking/red.up/23-RS-snort
+               /etc/rc.d/init.d/networking/red.up/24-RS-snort
        ln -sf ../../../../../usr/local/bin/qosctrl \
-               /etc/rc.d/init.d/networking/red.up/24-RS-qos
+               /etc/rc.d/init.d/networking/red.up/25-RS-qos
        ln -sf ../../../../../usr/local/bin/setportfw \
-               /etc/rc.d/init.d/networking/red.up/25-portfw
-       ln -sf ../../../../../usr/local/bin/setxtaccess \
-               /etc/rc.d/init.d/networking/red.up/26-xtaccess
+               /etc/rc.d/init.d/networking/red.up/26-portfw
        ln -sf ../../../../../usr/local/bin/dialctrl.pl \
                /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
-       ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
-       
+       ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
        ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
        ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
        ln -sf ../../../../../usr/local/bin/dialctrl.pl \
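Review bot: Dropping the `26-xtaccess` link and renumbering `23-RS-snort`→`24-RS-snort`, `24-RS-qos`→`25-RS-qos`, `25-portfw`→`26-portfw` and `27-RS-squid`→`28-RS-squid` only shapes fresh builds; an installed system that keeps the old links would still have `26-xtaccess` pointing at the now-deleted setxtaccess binary and would trigger snort, qos, portfw and squid twice from red.up, once per number. If an update script elsewhere removes the stale links, a comment such as `# old red.up links 23-RS-snort..27-RS-squid and 26-xtaccess are removed by the update script` would document that; otherwise the corresponding `rm -f` calls belong in the upgrade path. The `$(TARGET)` recipe continues outside the hunk.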
index 0237297e7014bbe9cd95c94931ae5edaef522f7a..467d1b9ab7b93de9b9a78ebe2b56c53796f0cb84 100644 (file)
@@ -195,6 +195,14 @@ case "$1" in
        # Outgoing Firewall
        /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 
+    # Forward Firewall
+    /sbin/iptables -N FORWARDFW
+    /sbin/iptables -A FORWARD -j FORWARDFW
+    
+    # Input Firewall
+    /sbin/iptables -N INPUTFW
+    /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+    
        # localhost and ethernet.
        /sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
        /sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
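Review bot: `/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW` is hooked into INPUT ahead of the loopback rules that follow it, so anything a rule in INPUTFW accepts is decided before the `-s 127.0.0.0/8 … -j DROP` sanity check on the next line; moving the two INPUTFW lines below the `# localhost and ethernet.` block keeps the spoofed-loopback drop in front of user-configured accepts. The FORWARDFW jump, unlike the INPUTFW one, carries no `-m state --state NEW`, so that chain is traversed by every forwarded packet including established flows; if that asymmetry is intended (rules.pl handling state itself), a comment saying so would help, otherwise `/sbin/iptables -A FORWARD -m state --state NEW -j FORWARDFW` matches the removed DMZHOLES hook and the PORTFWACCESS one further down. The new lines are indented with spaces while the rest of the script uses tabs. The `case` arm this sits in starts before the hunk.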
@@ -234,17 +242,6 @@ case "$1" in
 
        iptables_red
 
-       # DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
-       # ORANGE to talk to GREEN / BLUE.
-       /sbin/iptables -N DMZHOLES
-       if [ "$ORANGE_DEV" != "" ]; then
-               /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
-       fi
-
-       # XTACCESS chain, used for external access
-       /sbin/iptables -N XTACCESS
-       /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
index 9ff2200115c4b425b384be228efba0014f2b6eba..02df4bc975701bd3fcfa8e92add15fa53f63f007 100644 (file)
@@ -47,9 +47,7 @@ init_networking() {
 #      (exit ${failed})
 #      evaluate_retval
 
-       boot_mesg "Setting up DMZ pinholes"
-       /usr/local/bin/setdmzholes; evaluate_retval
-
+       
        if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
                boot_mesg "Setting up wireless firewall rules"
                /usr/local/bin/wirelessctrl; evaluate_retval
index 4d09fbf65d2a2685c6c8341d0c3981beb78ab5dd..306773fb67b43ee21d57fb268f3333f2aa926367 100644 (file)
@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
 COMPILE=$(CC) $(CFLAGS)
 
 PROGS = iowrap
-SUID_PROGS = setdmzholes setportfw setxtaccess \
+SUID_PROGS = setportfw \
        squidctrl sshctrl ipfirereboot \
        ipsecctrl timectrl dhcpctrl snortctrl \
        applejuicectrl rebuildhosts backupctrl \
-       logwatch openvpnctrl outgoingfwctrl \
+       logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
        wirelessctrl getipstat qosctrl launch-ether-wake \
        redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
        smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
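Review bot: `forwardfwctrl` is added to SUID_PROGS, but no `forwardfwctrl.c` appears in the visible part of this diff; if the source lands in a separate commit, this list change and the build rule in the next hunk should travel with it, because `make` fails for the whole set of setuid helpers when one listed source is missing. As the program is installed setuid root, it should follow the pattern of the existing helpers (`initsetuid()`, `safe_system()` with fixed command strings, validating everything read from the config directory) — the removed setxtaccess.c header records a past root exploit in exactly this class of helper. The new `forwardfwctrl:` recipe in the next hunk is a verbatim copy of the `outgoingfwctrl:` one with the name swapped and ends in a tab-only blank line; dropping that line is the minimum, and a static pattern rule over the helpers sharing this recipe would remove the repetition if they all do.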
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
 outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
        
+forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
+       $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
+       
 timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
 launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o
-       $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-
 setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c
deleted file mode 100644 (file)
index 7a2643d..0000000
+++ /dev/null
@@ -1,162 +0,0 @@
-/* SmoothWall helper program - setdmzhole\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence.  See the file COPYING for details.\r
- *\r
- * (c) Daniel Goscomb, 2001\r
- * \r
- * Modifications and improvements by Lawrence Manning.\r
- *\r
- * 10/04/01 Aslak added protocol support\r
- * This program reads the list of ports to forward and setups iptables\r
- * and rules in ipmasqadm to enable them.\r
- * \r
- * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $\r
- * \r
- */\r
-#include "libsmooth.h"\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <stdlib.h>\r
-#include "setuid.h"\r
-\r
-FILE *fwdfile = NULL;\r
-\r
-void exithandler(void)\r
-{\r
-       if (fwdfile)\r
-               fclose(fwdfile);\r
-}\r
-\r
-int main(void)\r
-{\r
-       int count;\r
-       char *protocol;\r
-       char *locip;\r
-       char *remip;\r
-       char *remport;\r
-       char *enabled;\r
-       char *src_net;\r
-       char *dst_net;\r
-       char s[STRING_SIZE];\r
-       char *result;\r
-       struct keyvalue *kv = NULL;\r
-       char orange_dev[STRING_SIZE] = "";\r
-       char blue_dev[STRING_SIZE] = "";\r
-       char green_dev[STRING_SIZE] = "";\r
-       char *idev;\r
-       char *odev;\r
-       char command[STRING_SIZE];\r
-\r
-       if (!(initsetuid()))\r
-               exit(1);\r
-\r
-       atexit(exithandler);\r
-\r
-       kv=initkeyvalues();\r
-       if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
-       {\r
-               fprintf(stderr, "Cannot read ethernet settings\n");\r
-               exit(1);\r
-       }\r
-\r
-       if (!findkey(kv, "GREEN_DEV", green_dev))\r
-       {\r
-               fprintf(stderr, "Cannot read GREEN_DEV\n");\r
-               exit(1);\r
-       }\r
-       findkey(kv, "BLUE_DEV", blue_dev);\r
-       findkey(kv, "ORANGE_DEV", orange_dev);\r
-\r
-       if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open dmzholes settings file\n");\r
-               exit(1);\r
-       }\r
-\r
-       safe_system("/sbin/iptables -F DMZHOLES");\r
-\r
-       while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
-       {\r
-               if (s[strlen(s) - 1] == '\n')\r
-                       s[strlen(s) - 1] = '\0';\r
-               result = strtok(s, ",");\r
-               \r
-               count = 0;\r
-               protocol = NULL;\r
-               locip = NULL; remip = NULL;\r
-               remport = NULL;\r
-               enabled = NULL;\r
-               src_net = NULL;\r
-               dst_net = NULL;\r
-               idev = NULL;\r
-               odev = NULL;\r
-               \r
-               while (result)\r
-               {\r
-                       if (count == 0)\r
-                               protocol = result;\r
-                       else if (count == 1)\r
-                               locip = result;\r
-                       else if (count == 2)\r
-                               remip = result;\r
-                       else if (count == 3)\r
-                               remport = result;\r
-                       else if (count == 4)\r
-                               enabled = result;\r
-                       else if (count == 5)\r
-                               src_net = result;\r
-                       else if (count == 6)\r
-                               dst_net = result;\r
-                       count++;\r
-                       result = strtok(NULL, ",");\r
-               }\r
-\r
-               if (!(protocol && locip && remip && remport && enabled))\r
-               {\r
-                       fprintf(stderr, "Bad line:\n");\r
-                       break;\r
-               }\r
-\r
-               if (!VALID_PROTOCOL(protocol))\r
-               {\r
-                       fprintf(stderr, "Bad protocol: %s\n", protocol);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_IP_AND_MASK(locip))\r
-               {\r
-                       fprintf(stderr, "Bad local IP: %s\n", locip);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_IP_AND_MASK(remip))\r
-               {\r
-                       fprintf(stderr, "Bad remote IP: %s\n", remip);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_PORT_RANGE(remport))\r
-               {\r
-                       fprintf(stderr, "Bad remote port: %s\n", remport);\r
-                       exit(1);\r
-               }\r
-               \r
-               if (!src_net) { src_net = strdup ("orange");}\r
-               if (!dst_net) { dst_net = strdup ("green");}\r
-               \r
-               if (!strcmp(src_net, "blue"))   { idev = blue_dev; }\r
-               if (!strcmp(src_net, "orange")) { idev = orange_dev; }\r
-               if (!strcmp(dst_net, "blue"))   { odev = blue_dev; }\r
-               if (!strcmp(dst_net, "green"))  { odev = green_dev; }\r
-               \r
-               if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev))\r
-               {\r
-                       char *ctr;\r
-                       /* If remport contains a - we need to change it to a : */\r
-                       if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
-                       memset(command, 0, STRING_SIZE);\r
-                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport);\r
-                       safe_system(command);\r
-               }\r
-       }\r
-\r
-       return 0;\r
-}\r
diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c
deleted file mode 100644 (file)
index 27a03e0..0000000
+++ /dev/null
@@ -1,168 +0,0 @@
-/* SmoothWall helper program - setxtaccess\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence.  See the file COPYING for details.\r
- *\r
- * (c) Daniel Goscomb, 2001\r
- * \r
- * Modifications and improvements by Lawrence Manning.\r
- *\r
- * 10/04/01 Aslak added protocol support\r
- * \r
- * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases\r
- *\r
- * 19/04/03 Robert Kerr Fixed root exploit\r
- *\r
- * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $\r
- * \r
- */\r
-\r
-#include <stdio.h>\r
-#include <stdlib.h>\r
-#include <string.h>\r
-#include "setuid.h"\r
-\r
-FILE *ifacefile = NULL;\r
-FILE *fwdfile = NULL;\r
-FILE *ipfile = NULL;\r
-\r
-void exithandler(void)\r
-{\r
-       if (fwdfile)\r
-               fclose(fwdfile);\r
-}\r
-\r
-int main(void)\r
-{\r
-       char iface[STRING_SIZE] = "";\r
-       char locip[STRING_SIZE] = "";\r
-       char s[STRING_SIZE] = "";\r
-       int count;\r
-       char *protocol;\r
-       char *destip;\r
-       char *remip;\r
-       char *locport;\r
-       char *enabled;\r
-       char *information;\r
-       char *result;\r
-       char command[STRING_SIZE];\r
-\r
-       if (!(initsetuid()))\r
-               exit(1);\r
-\r
-       atexit(exithandler);\r
-\r
-       if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open local ip file\n");\r
-               exit(1);\r
-       }\r
-       if (fgets(locip, STRING_SIZE, ipfile))\r
-       {\r
-               if (locip[strlen(locip) - 1] == '\n')\r
-                       locip[strlen(locip) - 1] = '\0';\r
-       }\r
-       fclose (ipfile);\r
-       if (!VALID_IP(locip))\r
-       {\r
-               fprintf(stderr, "Bad local IP: %s\n", locip);\r
-               exit(1);\r
-       }\r
-\r
-       if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open iface file\n");\r
-               exit(1);\r
-       }\r
-       if (fgets(iface, STRING_SIZE, ifacefile))\r
-       {\r
-               if (iface[strlen(iface) - 1] == '\n')\r
-                       iface[strlen(iface) - 1] = '\0';\r
-       }\r
-               fclose (ifacefile);\r
-       if (!VALID_DEVICE(iface))\r
-       {\r
-               fprintf(stderr, "Bad iface: %s\n", iface);\r
-               exit(1);\r
-       }\r
\r
-       if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open xtaccess settings file\n");\r
-               exit(1);\r
-       }\r
-\r
-       safe_system("/sbin/iptables -F XTACCESS");\r
-\r
-       while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
-       {\r
-               if (s[strlen(s) - 1] == '\n')\r
-                       s[strlen(s) - 1] = '\0';\r
-               count = 0;\r
-               protocol = NULL;\r
-               remip = NULL;\r
-               destip = NULL;\r
-               locport = NULL;\r
-               enabled = NULL;\r
-               information = NULL;\r
-               result = strtok(s, ",");\r
-               while (result)\r
-               {\r
-                       if (count == 0)\r
-                               protocol = result;\r
-                       else if (count == 1)\r
-                               remip = result;\r
-                       else if (count == 2)\r
-                               locport = result;\r
-                       else if (count == 3)\r
-                               enabled = result;\r
-                       else if (count == 4)\r
-                               destip = result;\r
-                       else\r
-                               information = result;\r
-                       count++;\r
-                       result = strtok(NULL, ",");\r
-               }\r
-\r
-               if (!(protocol && remip && locport && enabled))\r
-                       break;\r
-               \r
-               if (!VALID_PROTOCOL(protocol))\r
-               {\r
-                       fprintf(stderr, "Bad protocol: %s\n", protocol);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_IP_AND_MASK(remip))\r
-               {\r
-                       fprintf(stderr, "Bad remote IP: %s\n", remip);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_PORT_RANGE(locport))\r
-               {\r
-                       fprintf(stderr, "Bad local port: %s\n", locport);\r
-                       exit(1);\r
-               }\r
-\r
-                /* check for destination ip in config file. If it's there\r
-                 * and it's not 0.0.0.0, use it; else use the current\r
-                 * local ip address. (This makes sure we can use old-style\r
-                 * config files without the destination ip) */\r
-               if (!destip || !strcmp(destip, "0.0.0.0"))\r
-                       destip = locip;\r
-               if (!VALID_IP(destip))\r
-               {\r
-                       fprintf(stderr, "Bad destination IP: %s\n", remip);\r
-                       exit(1);\r
-               }\r
-\r
-               if (strcmp(enabled, "on") == 0)\r
-               {\r
-                       memset(command, 0, STRING_SIZE);\r
-                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",\r
-       iface, protocol, remip, destip, locport);\r
-                       safe_system(command);\r
-               }\r
-       }\r
-       \r
-       return 0;\r
-}\r