Forward Firewall: First part of adding OUTGOING to th efirewall
authorAlexander Marx <amarx@ipfire.org>
Sun, 17 Feb 2013 12:58:35 +0000 (13:58 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:08:20 +0000 (14:08 +0200)
config/forwardfw/firewall-forward-policy [deleted file]
config/forwardfw/firewall-lib.pl
config/forwardfw/firewall-policy [new file with mode: 0755]
config/forwardfw/rules.pl
config/rootfiles/common/stage2
html/cgi-bin/forwardfw.cgi
html/cgi-bin/optionsfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
lfs/configroot
src/initscripts/init.d/firewall

diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy
deleted file mode 100755 (executable)
index aec71e2..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-
-iptables -F POLICY
-
-if [ "$POLICY" == "MODE1" ]; then
-       
-               if [ "$FWPOLICY" == "REJECT" ]; then
-                       if [ "$DROPFORWARD" == "on" ]; then
-                               /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
-                       fi
-                       /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
-               fi
-               if [ "$FWPOLICY" == "DROP" ]; then
-                       if [ "$DROPFORWARD" == "on" ]; then
-                               /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
-                       fi
-                       /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
-               fi
-fi
-
-
index eb84c4af4b25e8c15760d4495a23234d1c54b42e..9f806850efa1342f288e6d068e0a13ae9ba5a633 100755 (executable)
@@ -221,6 +221,8 @@ sub get_std_net_ip
                return "$ovpnsettings{'DOVPN_SUBNET'}";
        }elsif($val =~ /IPsec/i){
                return "$ipsecsettings{'RW_NET'}";
+       }elsif($val eq 'IPFire'){
+               return ;
        }
 }
 sub get_net_ip
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
new file mode 100755 (executable)
index 0000000..e96278a
--- /dev/null
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICYFWD
+iptables -F POLICYOUT
+
+
+if [ "$POLICY" == "MODE1" ]; then
+               if [ "$FWPOLICY" == "REJECT" ]; then
+                       if [ "$DROPFORWARD" == "on" ]; then
+                               /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+                       fi
+                       /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+               fi
+               if [ "$FWPOLICY" == "DROP" ]; then
+                       if [ "$DROPFORWARD" == "on" ]; then
+                               /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+                       fi
+                       /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+               fi
+fi
+if [ "$POLICY1" == "MODE1" ]; then
+       /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+               if [ "$FWPOLICY1" == "REJECT" ]; then
+                       if [ "$DROPOUTGOING" == "on" ]; then
+                               /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+                       fi
+                               /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+               fi
+               if [ "$FWPOLICY1" == "DROP" ]; then
+                       if [ "$DROPOUTGOING" == "on" ]; then
+                               /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+                       fi
+                               /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+               fi
+fi
+
index ddcd560c1feb231d26ae17288097a956a41536c8..ffdb6c2ced90e4059a241a643df10f0c81ed9c54 100755 (executable)
@@ -42,6 +42,7 @@ our %sourcehash=();
 our %targethash=();
 my @timeframe=();
 my %configinputfw=();
+my %configoutgoingfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";
 
 my $configfwdfw                = "${General::swroot}/forward/config";
 my $configinput            = "${General::swroot}/forward/input";
+my $configoutgoing  = "${General::swroot}/forward/outgoing";
 my $p2pfile                    = "${General::swroot}/forward/p2protocols";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
 my $netsettings                = "${General::swroot}/ethernet/settings";
@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
 &General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
+&General::readhasharray($configoutgoing, \%configoutgoingfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
 
@@ -95,7 +98,7 @@ if($param eq 'flush'){
        if($MODE eq '0'){
                if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
                        &p2pblock;
-                       system ("/usr/sbin/firewall-forward-policy"); 
+                       system ("/usr/sbin/firewall-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
                        $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
                        $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
@@ -117,7 +120,7 @@ if($param eq 'flush'){
                        
                        &p2pblock;
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
-                       system ("/usr/sbin/firewall-forward-policy");
+                       system ("/usr/sbin/firewall-policy");
                }
        }
 }
@@ -125,6 +128,7 @@ sub flush
 {
        system ("iptables -F FORWARDFW");
        system ("iptables -F INPUTFW");
+       system ("iptables -F OUTGOINGFW");
 }                      
 sub preparerules
 {
@@ -134,6 +138,9 @@ sub preparerules
        if (! -z  "${General::swroot}/forward/input"){
                &buildrules(\%configinputfw);
        }
+       if (! -z  "${General::swroot}/forward/outgoing"){
+               &buildrules(\%configoutgoingfw);
+       }
 }
 sub buildrules
 {
@@ -160,7 +167,6 @@ sub buildrules
                                        }
                                }
                        }elsif($$hash{$key}[5] eq 'ipfire'){
-
                                if($$hash{$key}[6] eq 'Default IP'){
                                        open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
                                        $targethash{$key}[0]= <FILE>;
@@ -217,7 +223,7 @@ sub buildrules
                                                foreach my $b (sort keys %targethash){
                                                        if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
                                                                        if ($$hash{$key}[17] eq 'ON'){
                                                                                print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                        }
@@ -237,7 +243,7 @@ sub buildrules
                                                foreach my $b (sort keys %targethash){
                                                        if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
                                                                        if ($$hash{$key}[17] eq 'ON'){
                                                                                system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
                                                                        }
index f772be335397975b8fd1e24c1547ac22bc5a3453..a8e4b79d300a64f75854b1818dc79bec31819b11 100644 (file)
@@ -109,7 +109,7 @@ usr/local/bin/update-lang-cache
 #usr/local/src
 #usr/sbin
 usr/sbin/ovpn-ccd-convert
-usr/sbin/firewall-forward-policy
+usr/sbin/firewall-policy
 usr/sbin/convert-xtaccess
 usr/sbin/convert-outgoingfw
 #usr/share
index 386e02d3ebe0d5d5214718dbcd5c596ffcfbb1b8..460a08c4c83a0e6d3296f87fca9606f7bf03ec72 100755 (executable)
@@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups";
 if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
 {
        my $MODE = $fwdfwsettings{'POLICY'};
+       my $MODE1 = $fwdfwsettings{'POLICY1'};
        %fwdfwsettings = ();
        $fwdfwsettings{'POLICY'} = "$MODE";
+       $fwdfwsettings{'POLICY1'} = "$MODE1";
        &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
        &reread_rules;
 }
@@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 {
        &General::readhasharray("$configfwdfw", \%configfwdfw);
        &General::readhasharray("$configinput", \%configinputfw);
-       &General::readhasharray("$configinput", \%configoutgoingfw);
+       &General::readhasharray("$configoutgoing", \%configoutgoingfw);
        $errormessage=&checksource;
        if(!$errormessage){&checktarget;}
        if(!$errormessage){&checkrule;}
@@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                }
                #check Rulepos on new Rule
                if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+                       print"CHECK OUTGOING DOPPELTE REGEL<br>";
                        $fwdfwsettings{'oldrulenumber'}=$maxkey;
                        foreach my $key (sort keys %configoutgoingfw){
                                if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
@@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
        &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
        unless (-e "${General::swroot}/forward/config")         { system("touch ${General::swroot}/forward/config"); }
        unless (-e "${General::swroot}/forward/input")          { system("touch ${General::swroot}/forward/input"); }
+       my $MODE1=$fwdfwsettings{'POLICY1'};
        %fwdfwsettings = ();
        $fwdfwsettings{'POLICY'}='MODE2';
+       $fwdfwsettings{'POLICY1'}=$MODE1;
+       &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+       &reread_rules;
+
+}
+if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
+{
+       &General::readhasharray("$configoutgoing", \%configoutgoingfw);
+       foreach my $key (sort keys %configoutgoingfw){
+               &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
+               &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
+               &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,);
+       }
+       system("rm ${General::swroot}/forward/outgoing");
+       &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+       unless (-e "${General::swroot}/forward/outgoing")       { system("touch ${General::swroot}/forward/outgoing"); }
+       my $MODE=$fwdfwsettings{'POLICY'};
+       %fwdfwsettings = ();
+       $fwdfwsettings{'POLICY'}=$MODE;
+       $fwdfwsettings{'POLICY1'}='MODE2';
        &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
        &reread_rules;
 
@@ -578,6 +602,8 @@ sub base
 {
        if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
        if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+       if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
+       if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
        &hint;
        &addrule;
        &p2pblock;
@@ -585,8 +611,8 @@ sub base
 print <<END;
        <form method='post' action='$ENV{'SCRIPT_NAME'}'>
        <table width='100%' border='0'>
+               <tr><td colspan='3' style='font-weight:bold;color:red;'>FORWARD </td></tr>
                <tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
-               
                <tr><td colspan='3'><hr /></td></tr>
                <tr><td width='15%' align='left'>       <select name='POLICY' style="width: 100px">
                <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
@@ -596,6 +622,21 @@ print <<END;
 END
        print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
        print "</table></form>";
+       print"<br><br>";
+       print <<END;
+       <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+       <table width='100%' border='0'>
+               <tr><td colspan='3' style='font-weight:bold;color:red;'>OUTGOING </td></tr>
+               <tr><td colspan='3'>$Lang::tr{'fwdfw pol text1'}</td></tr>
+               <tr><td colspan='3'><hr /></td></tr>
+               <tr><td width='15%' align='left'>       <select name='POLICY1' style="width: 100px">
+               <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+               <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+           <td width='45%' align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form>
+           <td width='45%' align='left'>
+END
+       print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' />";
+       print "</table></form>";
        &Header::closebox();
 }
 sub addrule
@@ -1805,8 +1846,6 @@ sub viewtablerule
 {
        
        &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
-       &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
-       &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
        &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
        &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
 }
@@ -1818,23 +1857,7 @@ sub viewtablenew
        my $title1=shift;
        my $go='';
        &General::readhasharray("$config", $hash);
-       #check if there are DMZ entries
-       if ($title1 eq 'DMZ'){
-               foreach my $key (keys %$hash){
-                       if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} 
-               }
-       }elsif($title1 eq 'WLAN'){
-               foreach my $key (keys %$hash){
-                       if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} 
-               }
-       }elsif($title1 eq 'Forward'){
-               foreach my $key (keys %$hash){
-                       if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} 
-               }
-       }elsif( ! -z $config){
-               $go='on';
-       }
-       if($go ne ''){
+       if( ! -z $config){
                &Header::openbox('100%', 'left',$title);
                my $count=0;
                my ($gif,$log);
@@ -1844,13 +1867,9 @@ sub viewtablenew
                my @tmpsrc=();
                my $coloryellow='';
                print"<b>$title1</b><br>";
-               print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+               print"<table width='100%' style='border: 1px solid  #000000;' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
                print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
                foreach my $key (sort  {$a <=> $b} keys %$hash){
-                       #check if we have a FORWARDFW OR DMZ RULE
-                       if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;}
-                       if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;}
-                       if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;}
                        @tmpsrc=();
                        #check if vpn hosts/nets have been deleted
                        if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
index db4794c0c7ef7e093b4762f1c7228e1b5305fcb8..f85c76214feb76321b734fae9c11ef71f40bf10a 100644 (file)
@@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO';
 $settings{'DROPNEWNOTSYN'} = 'on';
 $settings{'DROPINPUT'} = 'on';
 $settings{'DROPFORWARD'} = 'on';
+$settings{'DROPOUTGOING'} = 'on';
 $settings{'DROPPORTSCAN'} = 'on';
 $settings{'DROPWIRELESSINPUT'} = 'on';
 $settings{'DROPWIRELESSFORWARD'} = 'on';
@@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
 $checked{'DROPFORWARD'}{'off'} = '';
 $checked{'DROPFORWARD'}{'on'} = '';
 $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
+$checked{'DROPOUTGOING'}{'off'} = '';
+$checked{'DROPOUTGOING'}{'on'} = '';
+$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'";
 $checked{'DROPPORTSCAN'}{'off'} = '';
 $checked{'DROPPORTSCAN'}{'on'} = '';
 $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
@@ -102,6 +106,8 @@ print <<END
                                                                                                                                                                                <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
                                                                                                                                                                                <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>on <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
+                                                                                                                                                                               <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> off</td></tr>                                                                                                                                                                            
 <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
                                                                                                                                                                                <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
@@ -124,6 +130,10 @@ print <<END
 <option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
 <option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
 </td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
+<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
+<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
+</td></tr>
 </table>
 
 <br />
index 141145eae0942ca97e472dd86bebc15aa317bff3..fd26cd322494689e01fea398a4e79ebc9302a46b 100644 (file)
 'download root certificate' => 'Root-Zertifikat herunterladen',
 'dpd action' => 'Aktion für Dead Peer Detection',
 'driver' => 'Treiber',
-'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"',
+'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
 'drop input' => 'Verworfene Input Pakete loggen',
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
-'drop forward' => 'Verworfene Firewall-Pakete loggen',
+'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen',
 'drop portscan' => 'Verworfene Portscan Pakete loggen',
 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
 'fwdfw pol block'              => 'Blockiert',
 'fwdfw pol title'              => 'Standardverhalten der Firewall',
 'fwdfw pol text'               => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+'fwdfw pol text1'              => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
 'fwdfw reread'                 => 'Übernehmen',
 'fwdfw rules'                  => 'Regeln',
 'fwdfw rule action'    => 'Regel Aktion:',
 'fwhost ovpn_n2n'              => 'OpenVPN N-2-N',
 'fwhost port'                  => 'Port(s)',
 'fwhost prot'                  => 'Protokoll',
-'fwhost reread'                        => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.',
+'fwhost reread'                        => 'Die Firewallregeln müssen neu eingelesen werden.',
 'fwhost reset'                 => 'Abbrechen',
 'fwhost services'              => 'Dienste',
 'fwhost srv_name'              => 'Dienstname',
index 1d0c3e7cf43f06b41078a1a618ded3e046d19399..aea37679bf76d9c4dee01dcd95b566e3c98db8c6 100644 (file)
 'download root certificate' => 'Download root certificate',
 'dpd action' => 'Dead Peer Detection action',
 'driver' => 'Driver',
-'drop action' => 'Default behaviour of firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
 'drop input' => 'Log dropped input pakets',
 'drop newnotsyn' => 'Log dropped new not syn pakets',
 'drop forward' => 'Log dropped forward pakets',
 'fwdfw pol block'              => 'Blocked',
 'fwdfw pol title'              => 'Firewall default behavior',
 'fwdfw pol text'               => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+'fwdfw pol text1'              => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.',
 'fwdfw reread'                 => 'Apply',
 'fwdfw rules'                  => 'Rules',
 'fwdfw rule action'    => 'Rule action:',
 'fwhost ovpn_n2n'              => 'OpenVPN N-2-N',
 'fwhost port'                  => 'Port(s)',
 'fwhost prot'                  => 'Protocol',
-'fwhost reread'                        => 'Firewallrules need to be updated. Please click applybutton.',
+'fwhost reread'                        => 'Firewallrules need to be updated.',
 'fwhost reset'                 => 'Cancel',
 'fwhost services'              => 'Services',
 'fwhost srv_name'              => 'Servicename',
index 88fa9f2f832dbb9cdb1fa65cfc9c324464d32430..aa5d764df64c99e9270c9216198ee50443ab677c 100644 (file)
@@ -105,7 +105,7 @@ $(TARGET) :
        cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw       /usr/sbin/convert-outgoingfw
        cp $(DIR_SRC)/config/forwardfw/p2protocols              $(CONFIG_ROOT)/forward/p2protocols
        cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl  $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
-       cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy  /usr/sbin/firewall-forward-policy
+       cp $(DIR_SRC)/config/forwardfw/firewall-policy  /usr/sbin/firewall-policy
        cp $(DIR_SRC)/config/fwhosts/icmp-types                 $(CONFIG_ROOT)/fwhosts/icmp-types
        cp $(DIR_SRC)/config/fwhosts/customservices             $(CONFIG_ROOT)/fwhosts/customservices
        # Oneliner configfiles
index ed7509ff239118554eaac046f8a38e737415ddbc..7ec3274170ec896756529a49d053f4c798f53404 100644 (file)
@@ -153,6 +153,7 @@ case "$1" in
        /sbin/iptables -N OUTGOINGFW
        /sbin/iptables -N OUTGOINGFWMAC
        /sbin/iptables -A OUTPUT -j OUTGOINGFW
+       /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
        /sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -295,10 +296,13 @@ case "$1" in
        #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
        
        #POLICY CHAIN
-       /sbin/iptables -N POLICY
-       /sbin/iptables -A FORWARD -j POLICY
+       /sbin/iptables -N POLICYFWD
+       /sbin/iptables -A FORWARD -j POLICYFWD
+       /sbin/iptables -N POLICYOUT
+       /sbin/iptables -A OUTPUT -j POLICYOUT
        
-       /usr/sbin/firewall-forward-policy
+       
+       /usr/sbin/firewall-policy
        ;;
   startovpn)  
        # run openvpn