Forward Firewall: deleted mode0, added default Mode2 and fixed /etc/init.d/firewall...
authorAlexander Marx <amarx@ipfire.org>
Wed, 30 Jan 2013 08:14:01 +0000 (09:14 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:08:15 +0000 (14:08 +0200)
config/forwardfw/rules.pl
html/cgi-bin/forwardfw.cgi
src/initscripts/init.d/firewall

index 099f2950d6cc80e809fa7bbfbfc66761eb028f86..3b2cb03f1cf64654e08bda9d27d66261d1d6377a 100755 (executable)
@@ -53,12 +53,16 @@ my $configfwdfw             = "${General::swroot}/forward/config";
 my $configinput            = "${General::swroot}/forward/input";
 my $p2pfile                    = "${General::swroot}/forward/p2protocols";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
+my $netsettings                = "${General::swroot}/ethernet/settings";
 my $errormessage='';
+my $orange;
+my $green;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
 
 
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configgrp, \%customgrp);
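Review bot: `%defaultNetworks` is filled by the new readhash call on the last added line, but no declaration for it is visible in this hunk; the surrounding file uses lexical `my` declarations, so if it runs under `use strict` a `my %defaultNetworks;` is needed next to the new `$orange`/`$green` lines (I can't see the rest of the declarations, so confirm it isn't declared above the hunk). The quotes in `"$netsettings"` only stringify a scalar that already is a string; `&General::readhash($netsettings, \%defaultNetworks);` reads cleaner. `$orange` and `$green` are declared at file scope here although, from the second hunk, they are only assigned and used inside the MODE2 branch; declaring them there keeps their scope minimal.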
@@ -92,12 +96,17 @@ if($param eq 'flush'){
                        &p2pblock;
                        system ("/usr/sbin/firewall-forward-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
-                       &p2pblock;
-                       system ("/usr/sbin/firewall-forward-policy"); 
-                       system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
-               }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
-                       system ("/usr/sbin/firewall-forward-policy"); 
+                       if ($defaultNetworks{'ORANGE_DEV'}){
+                               $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+                               $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+                               $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+                               $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+                               #set default rules for DMZ
+                               system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+                               &p2pblock;
+                       }
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+                       system ("/usr/sbin/firewall-forward-policy");
                }
        }
 }
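Review bot: `&p2pblock;` now sits inside the `if ($defaultNetworks{'ORANGE_DEV'})` block, so a MODE2 system without an orange interface installs the `--state NEW -j ACCEPT` rule with no P2P rules at all, whereas the removed line called `&p2pblock;` unconditionally; unless that is intended, move `&p2pblock;` to just after the closing brace of the `if`. The new iptables call interpolates the address and netmask values read from the ethernet settings file into a shell command string; the list form `system('iptables', '-A', $CHAIN, '-s', $orange, '-d', $green, '-j', 'RETURN');` bypasses the shell and is the idiom to use for the other two `system` calls in this branch as well. None of the `system` calls check their exit status, so a rule that fails to load is silent; `system(...) == 0 or warn "iptables failed: $?";` would at least surface it. The enclosing `if($param eq 'flush')` begins before this hunk, so I can't see how the MODE1 branch handles the same calls.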
index 8f6ca585e8f3419742eb1901963b833c7e5995f8..6895a9eedc89b39f6f7fe0f00c3a6bcbd29c36de 100755 (executable)
@@ -731,9 +731,9 @@ sub checktarget
                $ip=&General::ip2dec($ip);
                $ip=&General::dec2ip($ip);
 
-               #check if net or broadcast
+               #check if net
                my @tmp= split (/\./,$ip);
-               if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+               if ($tmp[3] eq "0")
                {
                        $errormessage=$Lang::tr{'fwhost err hostip'}."<br>";
                }
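Review bot: The remaining `$tmp[3] eq "0"` test still assumes a /24: it rejects legitimate hosts such as 10.1.2.0 inside a /16 while accepting the real network address of a /25 or /26, which is the same limitation that led to dropping the `"255"` branch. checktarget begins before this hunk, so I can't see whether the netmask or prefix is available here; if it is, comparing `$ip` against `&General::getnetworkip($ip, $cidr)` (the helper is used with that argument form in the checkrule hunk below) is exact for any prefix. If only the bare address is available, make the assumption explicit in the comment, e.g. `#check if net (last octet 0; only exact for a /24)`.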
@@ -865,7 +865,7 @@ sub checkrule
                my $networkip1=&General::getnetworkip($sip,$scidr);
                my $networkip2=&General::getnetworkip($tip,$tcidr);
                if ($scidr gt $tcidr){
-                       if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){
+                       if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){
                                $errormessage.=$Lang::tr{'fwdfw err samesub'};
                        }
                }elsif($scidr eq $tcidr && $scidr eq '32'){
@@ -876,7 +876,7 @@ sub checkrule
                                        $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
                                }
                }else{
-                       if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+                       if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){
                        $errormessage.=$Lang::tr{'fwdfw err samesub'};
                        }
                }
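Review bot: The new `&& $tcidr ne '32'` exemption depends on the branch selection above it, which compares prefix lengths as strings: `$scidr gt $tcidr` is true for `'8'` versus `'24'`, so a /8 source against a /24 target is checked in the wrong branch (that line is context, but the new condition inherits the problem). Numeric comparison fixes it: `if ($scidr > $tcidr){`, `}elsif($scidr == $tcidr && $scidr == 32){`, and `$tcidr != 32` on the new line. The exemption is also asymmetric: a /32 target inside the source network no longer raises 'samesub', but a /32 source inside the target network (the `gt` branch in the hunk above) still does; if a single host in a subnet is meant to be allowed in both directions, the matching `&& $scidr ne '32'` belongs there too, otherwise a comment stating why only the target side is exempt would help. checkrule continues outside this hunk.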
@@ -884,9 +884,7 @@ sub checkrule
 
        #check source and destination protocol if manual
        if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
-               
-               
-               if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+                       if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
                        $errormessage.=$Lang::tr{'fwdfw err prot'};
                }
                #check source and destination protocol if source manual and dest servicegrp
index af488b0d75b00c9577fbfa4af17e15d47995bca5..0dbb25feb67181a5736bf7ad142b1fe19141497b 100644 (file)
@@ -351,9 +351,10 @@ case "$1" in
        ;;
   restart)
        $0 stop
-       $0 stopovpn
        $0 start
-       $0 startovpn
+       /usr/local/bin/forwardfwctrl
+       /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+       /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
        ;;
   *)
         echo "Usage: $0 {start|stop|reload|restart}"
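Review bot: The three new commands in the `restart)` case run unchecked and, for the two openvpnctrl calls, with stdout and stderr discarded, so a failure to reload the forward rules or OpenVPN leaves the firewall restarted in a partial state with nothing in the log. Keeping stderr, e.g. `/usr/local/bin/openvpnctrl -s > /dev/null`, or testing the exit status and printing a message, would make a failed reload visible. The dropped `$0 stopovpn`/`$0 startovpn` lines were subcommands of this script and the new code calls openvpnctrl directly; I can't see the `start` and `stop` cases, so whether OpenVPN is now started only on `restart` is worth confirming and stating in a comment such as `# reload forward rules, then (re)start OpenVPN via openvpnctrl`. What `-s` and `-sn2n` do, and whether a running instance must be stopped first, is not visible from this hunk.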