Forward Firewall: Version 0.9.9.2
authorAlexander Marx <amarx@ipfire.org>
Thu, 4 Apr 2013 11:02:50 +0000 (13:02 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:12:39 +0000 (14:12 +0200)
1) Some changes in en.pl
2) DNAT now supports REJECT/DROP rules
3) Bugfix: comma in remark customservicegroup
4) improved installer

config/forwardfw/rules.pl
config/rootfiles/common/configroot
html/cgi-bin/forwardfw.cgi
html/cgi-bin/fwhosts.cgi
langs/en/cgi-bin/en.pl

index 49a45b1a595a7cf1605e42cd2bb06ae3c61c6bd9..c7acd122b5d98fcc75f8ae8c538288748f550dd4 100755 (executable)
@@ -176,16 +176,17 @@ sub buildrules
        my $natip;
        my $snatport;
        my $fireport;
+       my $nat;
        foreach my $key (sort {$a <=> $b} keys %$hash){
                next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
                if ($$hash{$key}[28] eq 'ON'){
                        $command='iptables -t nat -A';
                        $natip=&get_nat_ip($$hash{$key}[29]);
                        if($$hash{$key}[31] eq 'dnat'){
-                               $$hash{$key}[0]='DNAT';
+                               $nat='DNAT';
                                $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
                        }else{
-                               $$hash{$key}[0]='SNAT';
+                               $nat='SNAT';
                        }
                }
                $STAG='';
@@ -288,12 +289,12 @@ sub buildrules
                                                                                        print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
                                                                                }
                                                                                my ($ip,$sub) =split("/",$targethash{$b}[0]);
-                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $ip$DPORT\n";
+                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
                                                                                $DPORT =~ s/\-/:/g;
                                                                                my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
-                                                                               print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+                                                                               print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
-                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]  --to $natip$fireport\n";
+                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
                                                                        }
                                                                }                               
                                                        }
@@ -329,16 +330,16 @@ sub buildrules
                                                                                        system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
                                                                                }
                                                                                my ($ip,$sub) =split("/",$targethash{$b}[0]);
-                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $ip$DPORT\n";
+                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
                                                                                $DPORT =~ s/\-/:/g;
                                                                                my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
-                                                                               system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+                                                                               system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
                                                                                
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
                                                                                if ($$hash{$key}[17] eq 'ON'){
                                                                                        system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
                                                                                }
-                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]  --to $natip$fireport\n";
+                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat  --to $natip$fireport\n";
                                                                        }
                                                                }                               
                                                        }
index b835931c48954b19580c0fdcb3192a63f6f677f0..a562d65516979f0d682f01434109d280b8a5b8a6 100644 (file)
@@ -53,7 +53,7 @@ var/ipfire/forward/config
 var/ipfire/forward/input
 var/ipfire/forward/outgoing
 var/ipfire/forward/dmz
-var/ipfire/forward/net
+var/ipfire/forward/nat
 var/ipfire/forward/p2protocols
 var/ipfire/fwhosts
 var/ipfire/fwhosts/icmp-types
index e69e6ce9f08525b4f376434f2e6412fb425faa8c..68a18b428bf6e544c7ed5e4aff286f86dfd08e7a 100755 (executable)
@@ -77,7 +77,7 @@ my %aliases=();
 my %optionsfw=();
 my %ifaces=();
 
-my $VERSION='0.9.9.1';
+my $VERSION='0.9.9.2';
 my $color;
 my $confignet          = "${General::swroot}/fwhosts/customnetworks";
 my $confighost         = "${General::swroot}/fwhosts/customhosts";
@@ -161,17 +161,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                #check if we have an identical rule already
                if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
                        foreach my $key (sort keys %confignatfw){
-                               if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"
-                                       eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){
-                                               $errormessage.=$Lang::tr{'fwdfw err ruleexists'};                               
-                                               if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
-                                                       $errormessage='';                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
-                                               }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
-                                                       $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
-                                               }
-                                               if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
-                                                       $fwdfwsettings{'nosave'} = 'on';
-                                               }
+                               if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]"
+                               eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){
+                                       $errormessage.=$Lang::tr{'fwdfw err ruleexists'};
+                                       if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){
+                                               $errormessage='';
+                                       }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
+                                               $errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
+                                       }
+                                       if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
+                                               $fwdfwsettings{'nosave'} = 'on';
+                                       }
                                }
                        }
                }
@@ -591,9 +591,9 @@ sub addrule
 {
        &error;
        if (-f "${General::swroot}/forward/reread"){
-               print "<table border='0'><form method='post'><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold;'>$Lang::tr{'fwhost reread'}</td></tr></table></form><hr><br>";
+               print "<table border='0'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: red; font-weight: bold; font-size: 14pt; text-decoration: blink;'>&nbsp &nbsp $Lang::tr{'fwhost reread'}</div</td></tr></table></form><hr><br>";
        }
-       &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'});
+       &Header::openbox('100%', 'left', $Lang::tr{'firewall'});
        print "<form method='post'>";
        print "<table border='0'>";
        print "<tr><td><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
@@ -768,7 +768,7 @@ sub checktarget
 {
        my ($ip,$subnet);
        &General::readhasharray("$configsrv", \%customservice);
-       #check DNAT settings (has to be single Host and single Port)
+       #check DNAT settings (has to be single Host and single Port or portrange)
        if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
                if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
                        if ($fwdfwsettings{'USESRV'} eq ''){
@@ -783,7 +783,7 @@ sub checktarget
                                        $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
                                }
                        }
-                       #check if Port is a single Port
+                       #check if Port is a single Port or portrange
                        if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
                                if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
                                        $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
@@ -945,17 +945,7 @@ sub checkrule
        if($fwdfwsettings{'USE_NAT'} eq 'ON'){
                #if no port is given in nat area, take target host port
                if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
-               
-               #check if given nat port is already used by another dnatrule
-               if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){
-                       foreach my $id (sort keys %confignatfw){
-                               if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){
-                                       $errormessage=$Lang::tr{'fwdfw natport used'}."<br>";
-                               }
-                       }
-               }
-               
-               #check if port given in nat area is a single valid port
+               #check if port given in nat area is a single valid port or portrange
                if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
                        $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
                }
@@ -2346,12 +2336,7 @@ END
                                $tooltip='REJECT';
                                $rulecolor=$color{'color16'};
                        }
-                       if($$hash{$key}[28] eq 'ON'){
-                               print"<td bgcolor='$color' align='center' width='20'></td>";
-                               $rulecolor=$color;
-                       }else{
-                               print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
-                       }
+                       print"<td bgcolor='$rulecolor' align='center' width='20'><span title='$tooltip'><b>$ruletype</b></span></td>";
                        &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
                        print"<td align='center' width='160' $tdcolor>";
                        if ($$hash{$key}[3] eq 'std_net_src'){
index 8581141e97292e5f9d710215859c3e88600f1107..3b5f98218c73d4de21b0064d4edd4c56110f5c5b 100755 (executable)
@@ -722,6 +722,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
        &General::readhasharray("$configsrvgrp", \%customservicegrp );
        &General::readhasharray("$configsrv", \%customservice );
        $errormessage=&checkservicegroup;
+       #check remark
+       if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){
+               $errormessage=$Lang::tr{'fwhost err remark'};
+       }
        if (!$errormessage){
                #on first save, we have to enter a dummy value
                if ($fwhostsettings{'CUST_SRV'} eq ''){
index ac0d1de8ea6c48a5561ff5e86af89452b5a4dec3..33d31fc67432290b4c8b867845dd9dc6ae395133 100644 (file)
 'fwdfw rules'                  => 'Rules',
 'fwdfw rule action'    => 'Rule action:',
 'fwdfw rule activate'  => 'Activate rule',
-'fwdfw rulepos'                        => 'Ruleposition',
+'fwdfw rulepos'                        => 'Rule position',
 'fwdfw snat'                   => 'SNAT (replace the addresse(s) from SOURCE with this address)',
 'fwdfw source'                         => 'Source',
 'fwdfw sourceip'               => 'Source address (MAC, IP or Network):',
 'fwhost ovpn_n2n'              => 'OpenVPN N-2-N',
 'fwhost port'                  => 'Port(s)',
 'fwhost prot'                  => 'Protocol',
-'fwhost reread'                        => 'Firewallrules need to be updated.',
+'fwhost reread'                        => 'Firewall rules need to be updated.',
 'fwhost reset'                 => 'Cancel',
 'fwhost services'              => 'Services',
 'fwhost srv_name'              => 'Servicename',