$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
+ if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
+ #Skip rules when no RED IP is set (DHCP,DSL)
+ next;
+ }
next if ($targethash{$b}[0] eq 'none');
$STAG='';
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
my ($ip,$sub) =split("/",$targethash{$b}[0]);
#Process NAT with servicegroup used
if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n";
$fwaccessdport=$DPORT;
}else{
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n";
$DPORT =~ s/\-/:/g;
if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,);
}
}
}
- print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ print "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
next;
#PROCESS SNAT RULE
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
if ($$hash{$key}[17] eq 'ON' ){
print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
}
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n";
}
#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
if ($PROT ne '-p ICMP'){
}
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
+ if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || $natip eq '-d ' || !$natip){
+ #Skip rules when no RED IP is set (DHCP,DSL)
+ next;
+ }
next if ($targethash{$b}[0] eq 'none');
$STAG='';
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
my ($ip,$sub) =split("/",$targethash{$b}[0]);
#Process NAT with servicegroup used
if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n";
$fwaccessdport=$DPORT;
}else{
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n";
$DPORT =~ s/\-/:/g;
if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,);
}
}
}
- system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
next;
#PROCESS SNAT RULE
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
if ($$hash{$key}[17] eq 'ON' ){
system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
}
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n";
}
#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
if ($PROT ne '-p ICMP'){
$$hash{$key}[0]='0.0.0.0/0';
}
if($base2 eq 'RED' || $base2 eq 'RED1'){
- open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
+ open(FILE, "/var/ipfire/red/local-ipaddress");
$$hash{$key}[0]= <FILE>;
close(FILE);
}else{
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/20-RL-firewall
-etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
etc/rc.d/init.d/networking/red.up/23-RS-snort
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/20-RL-firewall
-etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
etc/rc.d/init.d/networking/red.up/23-RS-snort
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/ntp
etc/ntp.conf
+etc/rc.d/rc0.d/K46ntpd
+etc/rc.d/rc3.d/S26ntpd
+etc/rc.d/rc6.d/K46ntpd
+usr/bin/ntp-keygen
+usr/bin/ntp-wait
usr/bin/ntpd
usr/bin/ntpdate
usr/bin/ntpdc
+usr/bin/ntpq
+usr/bin/ntptime
+usr/bin/ntptrace
usr/bin/sntp
-#usr/man/man1/ntp-keygen.1
-#usr/man/man1/ntpd.1
-#usr/man/man1/ntpdc.1
-#usr/man/man1/ntpdsim.1
-#usr/man/man1/ntpq.1
-#usr/man/man1/sntp.1
-usr/sbin/ntp-keygen
-usr/sbin/ntp-wait
-usr/sbin/ntpq
-usr/sbin/ntptime
-usr/sbin/ntptrace
-usr/sbin/tickadj
-etc/rc.d/rc0.d/K46ntpd
-etc/rc.d/rc6.d/K46ntpd
-etc/rc.d/rc3.d/S26ntpd
+usr/bin/tickadj
+#usr/share/man/man1/ntp-keygen.1
+#usr/share/man/man1/ntpd.1
+#usr/share/man/man1/ntpdc.1
+#usr/share/man/man1/ntpq.1
+#usr/share/man/man1/ntpsnmpd.1
+#usr/share/man/man1/sntp.1
var/ipfire/time/counter.conf
var/ipfire/time/enable
var/ipfire/time/settime.conf
etc/rc.d/init.d/firewall
-etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
srv/web/ipfire/cgi-bin/firewall.cgi
srv/web/ipfire/cgi-bin/fwhosts.cgi
srv/web/ipfire/cgi-bin/optionsfw.cgi
etc/ntp.conf
+usr/bin/ntp-keygen
+usr/bin/ntp-wait
usr/bin/ntpd
usr/bin/ntpdate
usr/bin/ntpdc
+usr/bin/ntpq
+usr/bin/ntptime
+usr/bin/ntptrace
usr/bin/sntp
-usr/sbin/ntp-keygen
-usr/sbin/ntp-wait
-usr/sbin/ntpq
-usr/sbin/ntptime
-usr/sbin/ntptrace
-usr/sbin/tickadj
+usr/bin/tickadj
+var/ipfire/time/counter.conf
+var/ipfire/time/enable
+var/ipfire/time/settime.conf
+var/ipfire/time/settings
mkdir -p /var/ipfire/firewall
mkdir -p /var/ipfire/fwhosts
+# Remove old ntp binaries
+rm -f /usr/sbin/ntp-keygen
+rm -f /usr/sbin/ntp-wait
+rm -f /usr/sbin/ntpq
+rm -f /usr/sbin/ntptime
+rm -f /usr/sbin/ntptrace
+rm -f /usr/sbin/tickadj
+
+# Remove old firewall helper link
+rm -f /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
+
#
#Extract files
tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
# Remove old firewall configuration files
rm -rf /var/ipfire/{dmzholes,portfw,outgoing,xtaccess}
+# In previously released IPFire versions the DROPOUTPUT and DROPINPUT
+# option have two identical lines in the optionsfw/settings file as long as
+# the user hasn't done any changes on the WUI.
+#
+# To prevent from any kind of side effects we are going to solve this issue now.
+
+# Fix doubble enties of DROPOUTPUT when the default settings are still in use
+# (the save button on the WUI page never has been clicked) or convert to the
+# new option name required by the firewall of IPFire 2.15.
+
+optionsfw_file="/var/ipfire/optionsfw/settings"
+
+if [ $(grep -c "DROPOUTPUT" ${optionsfw_file}) -gt 1 ] ; then
+
+ # Drop all DROPUTPUT entries.
+ sed -e "/DROPOUTPUT/d" -i ${optionsfw_file}
+
+ # Add default line for new option.
+ echo "DROPOUTGOING=on" >> ${optionsfw_file}
+else
+
+ # Convert option name to new format.
+ sed -e "s/DROPOUTPUT/DROPOUTGOING/g" -i ${optionsfw_file}
+fi
+
+# Fix doubble enties of DROPINPUT when the default settings are still in use
+# (the save button on the WUI page never has been clicked).
+if [ $(grep -c "DROPINPUT" ${optionsfw_file}) -gt 1 ] ; then
+
+ # We only can remove all entries with an defined string.
+ sed -e "/DROPINPUT/d" -i ${optionsfw_file}
+
+ # Afterwards we have to add the required string with the default
+ # value again.
+ echo "DROPINPUT=on" >> ${optionsfw_file}
+fi
+
+# Add strings and default values for new options of the firewall.
+echo "DROPFORWARD=on" >> ${optionsfw_file}
+echo "FWPOLICY=DROP" >> ${optionsfw_file}
+echo "FWPOLICY1=DROP" >> ${optionsfw_file}
+echo "FWPOLICY2=DROP" >> ${optionsfw_file}
+echo "DROPSAMBA=off" >> ${optionsfw_file}
+echo "DROPPROXY=off" >> ${optionsfw_file}
+echo "SHOWREMARK=on" >> ${optionsfw_file}
+echo "SHOWCOLORS=on" >> ${optionsfw_file}
+echo "SHOWTABLES=off" >> ${optionsfw_file}
+echo "SHOWDROPDOWN=off" >> ${optionsfw_file}
+echo "DROPWIRELESSINPUT=on" >> ${optionsfw_file}
+echo "DROPWIRELESSFORWARD=on" >> ${optionsfw_file}
+
+unset optionsfw_file
+
# Convert inittab and fstab
sed -i -e "s/tty1 9600$/tty1 9600 --noclear/g" /etc/inittab
sed -i -e "s/xvc0 9600$/xvc0 9600 --noclear/g" /etc/inittab
if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
- $errormessage='';
- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
}
if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
$fwdfwsettings{'nosave'} = 'on';
}
- }
- }
+ }
+ }
}
#check Rulepos on new Rule
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){
- $errormessage='';
- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
}
if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
}
#check Rulepos on new Rule
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
- print"CHECK OUTGOING DOPPELTE REGEL<br>";
$fwdfwsettings{'oldrulenumber'}=$maxkey;
foreach my $key (sort keys %configoutgoingfw){
if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
- if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
- $errormessage='';
- }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+ if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
}
if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
$fwdfwsettings{'nosave'} = 'on';
}
- }
+ }
}
- }
+ }
#check Rulepos on new Rule
if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
$fwdfwsettings{'oldrulenumber'}=$maxkey;
if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){
$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
- }
+ }
}
}
#check if we just close a rule
<td colspan='13'> </td>
</tr>
<tr>
- <td colspan='13' style="padding-left:0px;">
+ <td colspan='13' style="padding-left:0px;padding-right:0px">
<table width="100%" border='1' rules="cols" cellspacing='0'>
END
close IPADDR;
chomp ($ipaddr);
}
+ if (open(IPADDR,"${General::swroot}/red/local-ipaddress")) {
+ $ipaddr = <IPADDR>;
+ close IPADDR;
+ chomp ($ipaddr);
+ }
} elsif ($modemsettings{'VALID'} eq 'no') {
print "$Lang::tr{'modem settings have errors'}\n </b></font>\n";
} else {
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
- ln -sf ../../../../../usr/local/bin/firewallctrl \
- /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
ln -sf ../../../../../usr/local/bin/snortctrl \
/etc/rc.d/init.d/networking/red.up/23-RS-snort
ln -sf ../../../../../usr/local/bin/qosctrl \
include Config
-VER = 3.10.31
+VER = 3.10.32
RPI_PATCHES = linux-3.10.27-grsec-943b563
-GRS_PATCHES = grsecurity-2.9.1-3.10.31-ipfire1.patch.xz
+GRS_PATCHES = grsecurity-2.9.1-3.10.32-ipfire1.patch.xz
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
CFLAGS =
CXXFLAGS =
-PAK_VER = 36
+PAK_VER = 37
DEPS = ""
VERSUFIX=ipfire$(KCFG)
rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).patch.xz
$(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
-$(DL_FILE)_MD5 = 19e2b31f6883822ef35b974813e8e98e
+$(DL_FILE)_MD5 = 58bfaf95f4e23be2d658dab0a7fb9615
rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = 8cf81f48408306d93ccee59b58af2e92
-$(GRS_PATCHES)_MD5 = ac71d9a1a5b7fabeb76ddef95518acd0
+$(GRS_PATCHES)_MD5 = b67dbf569e3f3657dad0e64ec951e1cc
install : $(TARGET)
cd $(DIR_APP) && \
./configure \
--prefix=/usr \
- --bindir=/usr/sbin \
--sysconfdir=/etc \
--disable-nls \
--enable-all-clocks \
iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
+
+ # Reload all rules.
+ firewallctrl
}
# See how we were called.
case "$1" in
start)
if [ "$ENABLESETONBOOT" == "on" ]; then
- boot_mesg "Setting time on boot..."
- loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf)
- fi
+ boot_mesg -n "Setting time on boot..."
+ if [ ! -e /var/ipfire/red/active ]; then
+ boot_mesg ""
+ boot_mesg -n "Wait for online connection"
+ for (( i=30; i>1; i-- )) do
+ if [ -e /var/ipfire/red/active ]; then
+ break;
+ fi
+ boot_mesg -n "."
+ sleep 1
+ done
+ sleep 5
+ fi
+ if [ -e /var/ipfire/red/active ]; then
+ boot_mesg ""
+ loadproc /usr/local/bin/settime $(cat /var/ipfire/time/settime.conf)
+ else
+ boot_mesg " not online!"
+ echo_warning
+ fi
+ fi
boot_mesg "Starting ntpd..."
loadproc /usr/bin/ntpd -Ap /var/run/ntpd.pid
[ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled
boot_mesg "Starting SSH Server..."
- # Also prevent ssh from being killed by out of memory conditions
loadproc /usr/sbin/sshd
- sleep 3
- echo "-16" >/proc/`cat /var/run/sshd.pid`/oom_adj
+
+ # Also prevent ssh from being killed by out of memory conditions
+ (
+ sleep 3
+ pid=$(cat /var/run/sshd.pid 2>/dev/null)
+ [ -n "${pid}" ] && echo "-16" > "/proc/${pid}/oom_score_adj"
+ ) &
;;
stop)