From: Michael Tremer Date: Fri, 9 Aug 2013 12:02:02 +0000 (+0200) Subject: Forward Firewall: applied all changes as diff and added new files. Also deleted c... X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=111c99ddfa3632a8c2788b9c6d70c5e6d8a1dfd4 Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes. Signed-off-by: Alexander Marx Conflicts: config/backup/include lfs/configroot lfs/usb-stick
---
diff --git a/config/backup/include b/config/backup/include
index c863a0e56..232ac4897 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -15,6 +15,8 @@
 /var/ipfire/auth/users
 /var/ipfire/dhcp/*
 /var/ipfire/dnsforward/*
+/var/ipfire/forward/*
+/var/ipfire/fwhosts/*
 /var/ipfire/main/*
 /var/ipfire/outgoing/groups
 /var/ipfire/outgoing/macgroups
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index 41643d8d7..d81c8bb98 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -21,8 +21,8 @@
 use Net::SSLeay;
 use Net::IPv4Addr qw(:all);
 $|=1; # line buffering
-$General::version = 'VERSION';
-$General::swroot = 'CONFIG_ROOT';
+$General::version = '2.11';
+$General::swroot = '/var/ipfire';
 $General::noipprefix = 'noipg-';
 $General::adminmanualurl = 'http://wiki.ipfire.org';
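Review bot: The two added lines replace the `VERSION` and `CONFIG_ROOT` placeholders with the literals `'2.11'` and `'/var/ipfire'`, which looks like a development-machine copy of the file rather than an intended change. The lfs/configroot recipe later in this diff still rewrites `CONFIG_ROOT` and `VERSION` with sed at build time (shown for header.pl; general-functions.pl is presumably handled the same way), so the placeholders are the build contract and the hard-coded values silently pin the version string and the config root regardless of how the tree is built. I would restore `$General::version = 'VERSION';` and `$General::swroot = 'CONFIG_ROOT';` and let the build substitute them.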
@@ -39,6 +39,99 @@ sub log
 $logmessage = $1;
 system('logger', '-t', $tag, $logmessage);
 }
+sub setup_default_networks
+{
+ my %netsettings=();
+ my $defaultNetworks = shift;
+
+ &readhash("/var/ipfire/ethernet/settings", \%netsettings);
+
+ # Get current defined networks (Red, Green, Blue, Orange)
+ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0";
+ $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL";
+
+ $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN";
+
+ if ($netsettings{'ORANGE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE";
+ }
+
+ if ($netsettings{'BLUE_DEV'} ne ''){
+ $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE";
+ }
+
+ # OpenVPN
+ if(-e "${General::swroot}/ovpn/settings")
+ {
+ my %ovpnSettings = ();
+ &readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+
+ # OpenVPN on Red?
+ if(defined($ovpnSettings{'DOVPN_SUBNET'}))
+ {
+ my ($ip,$sub) = split(/\//,$ovpnSettings{'DOVPN_SUBNET'});
+ $sub=&General::iporsubtocidr($sub);
+ my @tempovpnsubnet = split("\/", $ovpnSettings{'DOVPN_SUBNET'});
+ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'ADR'} = $tempovpnsubnet[0];
+ $defaultNetworks->{'OpenVPN ' .$ip."/".$sub}{'NAME'} = "OpenVPN-Dyn";
+ }
+ } # end OpenVPN
+ # IPsec RW NET
+ if(-e "${General::swroot}/vpn/settings")
+ {
+ my %ipsecsettings = ();
+ &readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+ if($ipsecsettings{'RW_NET'} ne '')
+ {
+ my ($ip,$sub) = split(/\//,$ipsecsettings{'RW_NET'});
+ $sub=&General::iporsubtocidr($sub);
+ my @tempipsecsubnet = split("\/", $ipsecsettings{'RW_NET'});
+ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0];
+ $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW";
+ }
+ }
+ #open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+ #my @current = ;
+ #close(FILE);
+ #my $ctr = 0;
+ #foreach my $line (@current)
+ #{
+ #if ($line ne ''){
+ #chomp($line);
+ #my @temp = split(/\,/,$line);
+ #if ($temp[2] eq '') {
+ #$temp[2] = "Alias $ctr : $temp[0]";
+ #}
+ #$defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+ #$ctr++;
+ #}
+ #}
+}
+sub get_aliases
+{
+
+ my $defaultNetworks = shift;
+ open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+ my @current = ;
+ close(FILE);
+ my $ctr = 0;
+ foreach my $line (@current)
+ {
+ if ($line ne ''){
+ chomp($line);
+ my @temp = split(/\,/,$line);
+ if ($temp[2] eq '') {
+ $temp[2] = "Alias $ctr : $temp[0]";
+ }
+ $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]";
+
+ $ctr++;
+ }
+ }
+}
 sub readhash
 {
diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index de28f8e25..90baa65b2 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu
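Review bot: `get_aliases` opens the aliases file with a bareword handle and the two-argument form, `open(FILE, "${General::swroot}/ethernet/aliases")`, and the following `my @current = ;` has lost its readline operator in this rendering, so the line as shown does not compile; use a lexical handle with an explicit mode, `open(my $fh, '<', "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';` followed by `my @current = <$fh>;`. In `setup_default_networks` the first `&readhash` call hard-codes `/var/ipfire/ethernet/settings` while every other path in the same sub goes through `${General::swroot}`; make it `&readhash("${General::swroot}/ethernet/settings", \%netsettings);` for consistency. The network map is keyed by translated labels (`$Lang::tr{'green'}`, `$Lang::tr{'fwhost any'}`), so if callers persist these keys in rule files, a change of UI language will stop them resolving; the untranslated `NAME` value looks like the safer thing to store. Both subs also compare possibly undefined values with `ne ''` / `eq ''` (`$netsettings{'ORANGE_DEV'}`, `$temp[2]`), which warns under `use warnings`; `// ''` would make the intent explicit.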
@@ -4,49 +4,37 @@
 'title' => "$Lang::tr{'ssport forwarding'}",
 'enabled' => 1,
 };
- $subfirewall->{'20.xtaccess'} = {
- 'caption' => $Lang::tr{'external access'},
- 'uri' => '/cgi-bin/xtaccess.cgi',
- 'title' => "$Lang::tr{'external access'}",
- 'enabled' => 1,
- };
 $subfirewall->{'30.wireless'} = {
 'caption' => $Lang::tr{'blue access'},
 'uri' => '/cgi-bin/wireless.cgi',
 'title' => "$Lang::tr{'blue access'}",
 'enabled' => 1,
 };
- $subfirewall->{'40.dmz'} = {
- 'caption' => $Lang::tr{'ssdmz pinholes'},
- 'uri' => '/cgi-bin/dmzholes.cgi',
- 'title' => "$Lang::tr{'dmz pinhole configuration'}",
+ $subfirewall->{'51.forward'} = {
+ 'caption' => $Lang::tr{'fwdfw menu'},
+ 'uri' => '/cgi-bin/forwardfw.cgi',
+ 'title' => "$Lang::tr{'fwdfw menu'}",
 'enabled' => 1,
- };
- $subfirewall->{'50.outgoing'} = {
- 'caption' => $Lang::tr{'outgoing firewall'},
- 'uri' => '/cgi-bin/outgoingfw.cgi',
- 'title' => "$Lang::tr{'outgoing firewall'}",
- 'enabled' => 1,
- };
- $subfirewall->{'51.outgoinggrp'} = {
- 'caption' => $Lang::tr{'outgoing firewall groups'},
- 'uri' => '/cgi-bin/outgoinggrp.cgi',
- 'title' => "$Lang::tr{'outgoing firewall groups'}",
+ };
+ $subfirewall->{'65.fwhost'} = {
+ 'caption' => $Lang::tr{'fwhost menu'},
+ 'uri' => '/cgi-bin/fwhosts.cgi',
+ 'title' => "$Lang::tr{'fwhost menu'}",
 'enabled' => 1,
 };
- $subfirewall->{'60.upnp'} = {
+ $subfirewall->{'70.upnp'} = {
 'caption' => 'UPnP',
 'uri' => '/cgi-bin/upnp.cgi',
 'title' => "Universal Plug and Play",
 'enabled' => 0,
 };
- $subfirewall->{'60.optingsfw'} = {
+ $subfirewall->{'80.optingsfw'} = {
 'caption' => $Lang::tr{'options fw'},
 'uri' => '/cgi-bin/optionsfw.cgi',
 'title' => "$Lang::tr{'options fw'}",
 'enabled' => 1,
 };
- $subfirewall->{'70.iptables'} = {
+ $subfirewall->{'90.iptables'} = {
 'caption' => $Lang::tr{'ipts'},
 'uri' => '/cgi-bin/iptables.cgi',
 'title' => "$Lang::tr{'ipts'}",
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 8965ff70e..7a23b8c61 100644
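Review bot: The `50.outgoing` and `51.outgoinggrp` entries are removed here, but elsewhere in this diff `outgoingfwctrl` stays linked as `red.up/22-outgoingfwctrl` and the firewall initscript still jumps to `OUTGOINGFWMAC`, so any rules already present in `outgoing/rules` keep being enforced with no page left to review or disable them. Unless the outgoing firewall is retired in a part of the series not shown here, either keep the two menu entries until that happens or remove the control hooks in the same commit so policy and UI stay in step. The `20.xtaccess` and `40.dmz` removals are consistent with the rest of the diff, which deletes the XTACCESS and DMZHOLES chains and their setuid helpers.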
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -26,8 +26,6 @@ var/ipfire/dhcp
 #var/ipfire/dhcp/fixleases
 #var/ipfire/dhcp/settings
 var/ipfire/dhcpc
-var/ipfire/dmzholes
-#var/ipfire/dmzholes/config
 var/ipfire/dns
 #var/ipfire/dns/settings
 var/ipfire/dnsforward
@@ -47,6 +45,19 @@ var/ipfire/extrahd/partitions
 var/ipfire/extrahd/scan
 var/ipfire/extrahd/settings
 var/ipfire/fwlogs
+var/ipfire/forward
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/settings
+var/ipfire/forward/config
+var/ipfire/forward/input
+var/ipfire/fwhosts
+var/ipfire/fwhosts/icmp-types
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
 #var/ipfire/fwlogs/ipsettings
 #var/ipfire/fwlogs/portsettings
 var/ipfire/general-functions.pl
@@ -188,7 +199,5 @@ var/ipfire/wakeonlan
 var/ipfire/wireless
 #var/ipfire/wireless/config
 #var/ipfire/wireless/settings
-var/ipfire/xtaccess
-#var/ipfire/xtaccess/config
 var/ipfire/firebuild
 etc/system-release
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 3aca59ece..cf606440c 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -84,11 +84,11 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/20-RL-firewall
 etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
-etc/rc.d/init.d/networking/red.up/23-RS-snort
-etc/rc.d/init.d/networking/red.up/24-RS-qos
-etc/rc.d/init.d/networking/red.up/25-portfw
-etc/rc.d/init.d/networking/red.up/26-xtaccess
-etc/rc.d/init.d/networking/red.up/27-RS-squid
+etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
+etc/rc.d/init.d/networking/red.up/24-RS-snort
+etc/rc.d/init.d/networking/red.up/25-RS-qos
+etc/rc.d/init.d/networking/red.up/26-portfw
+etc/rc.d/init.d/networking/red.up/28-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 etc/rc.d/init.d/networking/red.up/40-ipac
 etc/rc.d/init.d/networking/red.up/50-ipsec
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index 8fd9b0bfc..d2d2a5de2 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -16,6 +16,7 @@ usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
 usr/local/bin/outgoingfwctrl
+usr/local/bin/forwardfwctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
@@ -23,9 +24,7 @@ usr/local/bin/rebuildroutes
 usr/local/bin/redctrl
 #usr/local/bin/sambactrl
 usr/local/bin/setaliases
-usr/local/bin/setdmzholes
 usr/local/bin/setportfw
-usr/local/bin/setxtaccess
 usr/local/bin/smartctrl
 usr/local/bin/snortctrl
 usr/local/bin/squidctrl
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 021682f70..a6989d3fe 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -885,6 +885,141 @@ 'forwarding rule added' => 'Weiterleitungsregel hinzugefügt. Starte Weiterleitung neu', 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu', 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu', +'forward firewall' => 'Firewall', +'fwdfw additional' => 'Zusätzlich', +'fwdfw action' => 'Aktion', +'fwdfw menu' => 'Firewall', +'fwdfw addrule' => 'Neue Regel hinzufügen:', +'fwdfw addr grp' => 'Adress Gruppen:', +'fwdfw change' => 'Aktualisieren', +'fwdfw cust addr' => 'Custom Adressen:', +'fwdfw cust net' => 'Custom Netzwerke:', +'fwdfw copy' => 'Kopieren', +'fwdfw delete' => 'Löschen', +'fwdfw edit' => 'Bearbeiten', +'fwdfw err nosrc' => 'Keine Quelle gewählt.', +'fwdfw err nosrcip' => 'Bitte Quell IP-Adresse angeben.', +'fwdfw err notgt' => 'Kein Ziel gewählt.', +'fwdfw err notgtip' => 'Bitte Ziel IP-Adresse angeben.', +'fwdfw err prot' => 'Quell- und Zielprotokoll müssen gleich sein.', +'fwdfw err remark' => 'Bemerkung enthält ungültige Zeichen.', +'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits.', +'fwdfw err src_addr' => 'Quell-MAC/IP ungültig.', +'fwdfw err same' => 'Quelle und Ziel sind identisch.', +'fwdfw err samesub' => 'Quell und Ziel IP Adresse im selben Subnetz.', +'fwdfw err srcport' => 'Bitte Quellport angeben.', +'fwdfw err tgtport' => 'Bitte Zielport angeben.', +'fwdfw err tgt_addr' => 'Ziel-IP ungültig.', +'fwdfw err tgt_port' => 'Ziel Port ungültig', +'fwdfw err tgt_mac' => 'MAC Adressen können nicht als Ziel defininert werden.', +'fwdfw err tgt_grp' => 'Ziel-Dienstgruppe ist leer.', +'fwdfw err time' => 'Es muss mindestens ein Tag gewählt werden.', +'fwdfw from' => 'Von:', +'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel wird vielleicht nicht aktiviert, weil Quelle und Ziel evtl im selben Netz sind.', +'fwdfw hint ip2' => 'Bitte überprüfen Sie ob diese Regel Sinn macht: ', +'fwdfw ipsec network' => 'IPsec Netzwerke:', +'fwdfw log rule' => 
'Log Regel', +'fwdfw man port' => 'Port(s) manuel:', +'fwdfw moveup' => 'Hoch', +'fwdfw movedown' => 'Runter', +'fwdfw reread' => 'Übernehmen', +'fwdfw rules' => 'Regeln', +'fwdfw rule action' => 'Regel Aktion:', +'fwdfw rule activate' => 'Regel aktivieren', +'fwdfw source' => 'Quelle', +'fwdfw sourceip' => 'Quelladresse (MAC, IP oder Netzwerk):', +'fwdfw std network' => 'Standard Netzwerke:', +'fwdfw target' => 'Ziel', +'fwdfw targetip' => 'Zieladresse (IP oder Netzwerk):', +'fwdfw till' => 'Bis:', +'fwdfw time' => 'Zeitrahmen:', +'fwdfw timeframe' => 'Zeitrahmen hinzufügen', +'fwdfw toggle' => 'Aktivieren oder deaktivieren', +'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw use srcport' => 'Quellport benutzen', +'fwdfw use srv' => 'Ziel-Dienstport benutzen', +'fwdfw newrule' => 'Neue Regel', +'fwdfw wd_mon' => 'Mo', +'fwdfw wd_tue' => 'Di', +'fwdfw wd_wed' => 'Mi', +'fwdfw wd_thu' => 'Do', +'fwdfw wd_fri' => 'Fr', +'fwdfw wd_sat' => 'Sa', +'fwdfw wd_sun' => 'So', +'fwhost addgrp' => 'Gruppe:', +'fwhost addgrpname' => 'Gruppenname:', +'fwhost addhost' => 'Adresse:', +'fwhost addnet' => 'Netzwerk:', +'fwhost addrule' => 'Neue Regel hinzufügen:', +'fwhost any' => 'Alle', +'fwhost attention' => 'ACHTUNG', +'fwhost back' => 'Übernehmen', +'fwhost blue' => 'Blau', +'fwhost ccdhost' => 'OpenVPN Clients:', +'fwhost ccdnet' => 'OpenVPN Netzwerke:', +'fwhost change' => 'Ändern', +'fwhost changeremark' => 'Es wurde nur die Bemerkung angepasst.', +'fwhost cust addr' => 'Custom Adressen:', +'fwhost cust grp' => 'Custom Gruppen:', +'fwhost cust net' => 'Custom Netzwerke:', +'fwhost cust service' => 'Custom Dienste:', +'fwhost cust srvgrp' => 'Custom Dienstgruppen', +'fwhost deleted' => 'Gelöscht', +'fwhost empty' => 'Keine Einträge vorhanden', +'fwhost err addr' => 'IP oder Subnetzmaske ungültig.', +'fwhost err addrgrp' => 'Bitte gruppenname angeben.', +'fwhost err empty' => 'Bitte alle Felder füllen.', +'fwhost err grpexist' => 'Gruppe existiert bereits.', 
+'fwhost err groupempty' => 'Gewählte Gruppe ist leer.', +'fwhost err name' => 'Name ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', +'fwhost err name1' => 'Name muss gefüllt sein.', +'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits!', +'fwhost err net' => 'Netzwerk IP existiert bereits', +'fwhost err mac' => 'MAC Adresse ungültig.', +'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits.', +'fwhost err hostip' => 'Netz- oder Broadcastadressen sind nicht erlaubt.', +'fwhost err hostorip' => 'Name oder IP Adresse ungültig.', +'fwhost err isccdhost' => 'Dieser Name wird bereits für einen Openvpn Host verwendet.', +'fwhost err isccdipnet' => 'Diese IP wird bereits für einen Openvpn Netzwerk verwendet.', +'fwhost err isccdiphost'=> 'Diese IP wird bereits für einen Openvpn Host verwendet.', +'fwhost err isccdnet' => 'Dieser Name wird bereits für einen Openvpn Netzwerk verwendet.', +'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe.', +'fwhost err ip' => 'IP Addresse ungültig.', +'fwhost err ipmac' => 'IP/MAC Addresse ungültig.', +'fwhost err ipcheck' => 'Diese IP Adresse wird bereits verwendet.', +'fwhost err ipwithsub' => 'Bitte IP Adresse OHNE Subnetzmaske eingeben.', +'fwhost err partofnet' => 'Dieses Netzwerk ist Teil eines bereits existierenden Netzwerks.', +'fwhost err port' => 'Port muss gefüllt sein.', +'fwhost err remark' => 'Bemerkung ungültig. Erlaubte Zeichen: a-z, A-Z, 0-9 Leerzeichen und Bindestrich.', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits.', +'fwhost err sub32' => 'Bitte Host hinzufügen. 
Dieses Subnetz ist kein Netzwerk.', +'fwhost green' => 'Grün', +'fwhost hosts' => 'Firewall Hosts', +'fwhost hint' => 'Hinweis', +'fwhost icmptype' => 'ICMP-Typ:', +'fwhost ipadr' => 'IP Adresse:', +'fwhost ip_mac' => 'IP/MAC Adresse', +'fwhost ipsec host' => 'IpSec Clients:', +'fwhost ipsec net' => 'IpSec Netzwerke:', +'fwhost newnet' => 'Netz Einstellungen', +'fwhost newhost' => 'Adress Einstellungen', +'fwhost newgrp' => 'Adress Gruppierung', +'fwhost newservice' => 'Dienst Einstellungen', +'fwhost newservicegrp' => 'Dienst Gruppierung', +'fwhost macwarn' => 'MAC Adressen können nicht als Ziel definiert werden. Solche Adressen werden ignoriert.', +'fwhost menu' => 'Firewall Gruppen', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN N-2-N', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protokoll', +'fwhost reset' => 'Abbrechen', +'fwhost services' => 'Dienste', +'fwhost srv_name' => 'Dienstname', +'fwhost stdnet' => 'Standard Netzwerke:', +'fwhost type' => 'Typ', +'fwhost used' => 'Benutzt', +'fwhost wo subnet' => '(Ohne Subnetz)', 'free' => 'Frei', 'free memory' => 'Freier Speicher ', 'free swap' => 'Freier Swap', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2e04c468d..77e24130d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -910,6 +910,142 @@ 'forwarding rule added' => 'Forwarding rule added; restarting forwarder', 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder', 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder', +'forward firewall' => 'Firewall', +'fwdfw additional' => 'Additional', +'fwdfw action' => 'Action', +'fwdfw menu' => 'Firewall', +'fwdfw addrule' => 'Add new rule:', +'fwdfw addr grp' => 'Adress groups:', +'fwdfw change' => 'Update', +'fwdfw cust addr' => 'Custom addresses:', +'fwdfw cust net' => 'Custom networks:', +'fwdfw copy' => 'Copy', +'fwdfw delete' => 'Delete', +'fwdfw edit' => 'Edit', +'fwdfw err nosrc' => 'No source selected.', +'fwdfw err nosrcip' => 'Please provide source IP address.', +'fwdfw err notgt' => 'No target selected.', +'fwdfw err notgtip' => 'Please provide target IP address.', +'fwdfw err prot' => 'Source and target protocol have to match.', +'fwdfw err remark' => 'Invalid chars in remark.', +'fwdfw err ruleexists' => 'This rule already exists.', +'fwdfw err src_addr' => 'Invalid source MAC/IP.', +'fwdfw err same' => 'Identical source and target', +'fwdfw err samesub' => 'Source and target IP adress are in same subnet.', +'fwdfw err srcport' => 'Please provide source port.', +'fwdfw err tgtport' => 'Please provide target port.', +'fwdfw err tgt_addr' => 'Invalid target IP-address.', +'fwdfw err tgt_port' => 'Invalid target port', +'fwdfw err tgt_mac' => 'MAC addresses can not be used as target.', +'fwdfw err tgt_grp' => 'Target servicegroup is empty', +'fwdfw err time' => 'You have to define at least one day.', +'fwdfw from' => 'From:', +'fwdfw hint ip1' => 'The last generated rule may never be activated because source and target my be in same subnet.', +'fwdfw hint ip2' => 'Please doublecheck if this rule makes sense: ', +'fwdfw ipsec network' => 'IpSec networks:', +'fwdfw log rule' => 'Log rule', +'fwdfw man port' => 'Port(s) manual:', +'fwdfw moveup' => 'Move up', +'fwdfw movedown' => 
'Move down', +'fwdfw reread' => 'Apply', +'fwdfw rules' => 'Rules', +'fwdfw rule action' => 'Rule action:', +'fwdfw rule activate' => 'Activate rule', +'fwdfw source' => 'Source', +'fwdfw sourceip' => 'Source address (MAC, IP or Network):', +'fwdfw std network' => 'Standard networks:', +'fwdfw target' => 'Target', +'fwdfw targetip' => 'Target address (IP or network):', +'fwdfw till' => 'Till:', +'fwdfw time' => 'Timeframe:', +'fwdfw timeframe' => 'Add timeframe', +'fwdfw toggle' => 'Activate or deactivate', +'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw use srcport' => 'Use sourceport', +'fwdfw use srv' => 'Use targetport', +'fwdfw newrule' => 'New rule', +'fwdfw wd_mon' => 'Mon', +'fwdfw wd_tue' => 'Tue', +'fwdfw wd_wed' => 'Wed', +'fwdfw wd_thu' => 'Thu', +'fwdfw wd_fri' => 'Fri', +'fwdfw wd_sat' => 'Sat', +'fwdfw wd_sun' => 'Sun', +'fwhost addgrp' => 'Group:', +'fwhost addgrpname' => 'Groupname:', +'fwhost addhost' => 'Address:', +'fwhost addnet' => 'Network:', +'fwhost addrule' => 'Add new rule:', +'fwhost any' => 'Any', +'fwhost attention' => 'ATTENTION', +'fwhost back' => 'commit', +'fwhost blue' => 'Blue', +'fwhost ccdhost' => 'OpenVPN clients:', +'fwhost ccdnet' => 'OpenVPN networks:', +'fwhost change' => 'Modify', +'fwhost changeremark' => 'You just modified the remark!', +'fwhost cust addr' => 'Custom addresses:', +'fwhost cust grp' => 'Custom groups:', +'fwhost cust net' => 'Custom networks:', +'fwhost cust service' => 'Custom services:', +'fwhost cust srvgrp' => 'Custom servicegroups', +'fwhost deleted' => 'Deleted', +'fwhost empty' => 'No entries by now', +'fwhost err addr' => 'Invalid IP or subnet!', +'fwhost err addrgrp' => 'Please provide a groupname!', +'fwhost err empty' => 'Please fill in all fields!', +'fwhost err grpexist' => 'Group already exists!', +'fwhost err groupempty' => 'Selected Group is empty!', +'fwhost err name' => 'Name invalid. 
Allowed: a-z, A-Z, 0-9 space and minus.', +'fwhost err name1' => 'Name is empty.', +'fwhost err netexist' => 'A network with this name already exists!', +'fwhost err net' => 'Network IP already exists', +'fwhost err mac' => 'MAC address invalid', +'fwhost err hostexist' => 'A host with this name already exists!', +'fwhost err hostip' => 'Net or broadcast not allowed!', +'fwhost err hostorip' => 'Name or IP invalid.', +'fwhost err isccdhost' => 'This name is already used by an OpenVPN client!', +'fwhost err isccdipnet' => 'This IP is already used by an OpenVPN network!', +'fwhost err isccdiphost'=> 'This IP is already used by an OpenVPN client!', +'fwhost err isccdnet' => 'This name is already used by an OpenVPN Network!', +'fwhost err isingrp' => 'This entry already exists in the group!', +'fwhost err ip' => 'IP address invalid.', +'fwhost err ipmac' => 'IP/MAC address invalid.', +'fwhost err ipcheck' => 'This IP address is already in use!', +'fwhost err ipwithsub' => 'Please provide IP address WITHOUT subnetmask', +'fwhost err partofnet' => 'This network is part of an already existing one!', +'fwhost err port' => 'Port is empty.', +'fwhost err remark' => 'Remark invalid. Allowed: a-z, A-Z, 0-9 space and minus.', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err srv exists' => 'A Service with this name already exists.', +'fwhost err sub32' => 'Please add single host. 
This subnet is no network!', +'fwhost green' => 'Green', +'fwhost hosts' => 'Firewall Hosts', +'fwhost hint' => 'Note', +'fwhost icmptype' => 'ICMP type:', +'fwhost ipadr' => 'IP address:', +'fwhost ip_mac' => 'IP/MAC address', +'fwhost ipsec host' => 'IPsec clients:', +'fwhost ipsec net' => 'IPsec networks:', +'fwhost netaddress' => 'Network address:', +'fwhost newnet' => 'Network', +'fwhost newhost' => 'Host', +'fwhost newgrp' => 'Address grouping', +'fwhost newservice' => 'Service', +'fwhost newservicegrp' => 'Service grouping', +'fwhost macwarn' => 'MAC addresses can not be used as target. Such addresses will be ignored!', +'fwhost menu' => 'Firewall Groups', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN N-2-N', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protocol', +'fwhost reset' => 'Cancel', +'fwhost services' => 'Services', +'fwhost srv_name' => 'Servicename', +'fwhost stdnet' => 'Standard networks:', +'fwhost type' => 'Type', +'fwhost used' => 'Used', +'fwhost wo subnet' => '(without subnet)', 'free' => 'Free', 'free memory' => 'Free Memory ', 'free swap' => 'Free Swap', diff --git a/lfs/configroot b/lfs/configroot index 118523685..5280d8c28 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -50,59 +50,62 @@ $(TARGET) :
 @$(PREBUILD)
 # Create all directories
- for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \
- ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+ for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
+ ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
+ ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
 net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
 outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
 updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
- wakeonlan wireless xtaccess ; do \
+ wakeonlan wireless ; do \
 mkdir -p $(CONFIG_ROOT)/$$i; \
 done
 # Touch empty files
 for i in auth/users backup/include.user backup/exclude.user \
 certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
- dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
+ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
 ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
+ forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
 isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
- ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
+ ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
 vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
- touch $(CONFIG_ROOT)/$$i; \
+ touch $(CONFIG_ROOT)/$$i; \
 done
 # Copy initial configfiles
 cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/
 cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/
 cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
- cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
 cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
 cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list
 cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl
 cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler
 cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/
 cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings
- cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
+ cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/
 cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults
 cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings
 cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl
- cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
+ cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl
 cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server
- cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
- cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
- cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
+ cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols
+ cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/
+ cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/
 cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4
- cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
- cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
- cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config
+ cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/
+ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings
 cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
- cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
+ cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
 cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced
 cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
- cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
-
+ cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
+ cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
 # Oneliner configfiles
 echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
 echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
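Review bot: The directory list on the new side now contains both `ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \` and the line that adds `fwhosts forward forward/bin` to the same set, and the touch list repeats `fwlogs/ipsettings fwlogs/portsettings` at the end of the added `forward/settings ...` line. This reads as an unresolved merge of the conflict the commit record lists for lfs/configroot; `mkdir -p` and `touch` tolerate the duplicates, but the recipe should carry only the new line. Drop the first of the two `+ ethernet ...` lines and the trailing `fwlogs/ipsettings fwlogs/portsettings` from the `forward/settings` line. The `$(TARGET)` recipe continues in the following hunks.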
@@ -115,6 +118,14 @@ $(TARGET) :
 echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ # Set outgoingfw.pl executable
+ chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
+
+ # set rules.pl executable
+ chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+
+
+
 # Modify variables in header.pl
 sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
 -e "s+VERSION+$(VERSION)+g" \
@@ -140,7 +151,5 @@ $(TARGET) :
 done
 chown root:nobody $(CONFIG_ROOT)/dhcpc
- # Set outgoingfw.pl executable
- chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl
-
+
 @$(POSTBUILD)
diff --git a/lfs/initscripts b/lfs/initscripts
index 6549147a8..f4ad0f7fe 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
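Review bot: `rules.pl` is installed under `$(CONFIG_ROOT)/forward/bin` and made executable with `chmod 755`, and the misc-progs Makefile in this diff adds `forwardfwctrl` to `SUID_PROGS`; if the setuid helper executes that script (its source is not in this chunk) then the ownership of `forward/bin` matters, because anything the web server user can write there would run as root. The recipe only shows `chown root:nobody` for `dhcpc`, so I would add an explicit `chown -R root:root $(CONFIG_ROOT)/forward/bin` next to the chmod, or state in the `# set rules.pl executable` comment why the default ownership is acceptable, and keep the CGI's write access limited to the rule and settings files outside `bin`. The three empty `+` lines after the second chmod are stray whitespace.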
@@ -181,18 +181,17 @@ $(TARGET) :
 ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
 ln -sf ../../../../../usr/local/bin/outgoingfwctrl \
 /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+ ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+ /etc/rc.d/init.d/networking/red.up/23-forwardfwctrl
 ln -sf ../../../../../usr/local/bin/snortctrl \
- /etc/rc.d/init.d/networking/red.up/23-RS-snort
+ /etc/rc.d/init.d/networking/red.up/24-RS-snort
 ln -sf ../../../../../usr/local/bin/qosctrl \
- /etc/rc.d/init.d/networking/red.up/24-RS-qos
+ /etc/rc.d/init.d/networking/red.up/25-RS-qos
 ln -sf ../../../../../usr/local/bin/setportfw \
- /etc/rc.d/init.d/networking/red.up/25-portfw
- ln -sf ../../../../../usr/local/bin/setxtaccess \
- /etc/rc.d/init.d/networking/red.up/26-xtaccess
+ /etc/rc.d/init.d/networking/red.up/26-portfw
 ln -sf ../../../../../usr/local/bin/dialctrl.pl \
 /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
- ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
-
+ ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
 ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
 ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
 ln -sf ../../../../../usr/local/bin/dialctrl.pl \
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 0237297e7..467d1b9ab 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -195,6 +195,14 @@ case "$1" in
 # Outgoing Firewall
 /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+
 # localhost and ethernet.
 /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
 /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
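Review bot: The new `FORWARDFW` hook is `/sbin/iptables -A FORWARD -j FORWARDFW` with no state match, whereas the `INPUTFW` hook two lines below and the `DMZHOLES`/`XTACCESS` hooks this commit removes all restrict to `-m state --state NEW`; as written every packet of an established forwarded flow re-traverses the chain, so any rule the generator emits without its own state match will act on existing connections. If that is intended, say so in the `# Forward Firewall` comment; otherwise use `/sbin/iptables -A FORWARD -m state --state NEW -j FORWARDFW`. Both jumps are also inserted ahead of the `# localhost and ethernet` block, so `INPUTFW` rules are evaluated before the `-s 127.0.0.0/8 ... -j DROP` anti-spoof rule and before `lo` is accepted, which the old `XTACCESS` hook (placed after `iptables_red`) did not do; moving the two blocks below that section, or to where the removed chains lived after `iptables_red`, keeps the loopback guard first. The enclosing `case "$1" in` branch starts and ends outside the hunk.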
@@ -234,17 +242,6 @@ case "$1" in
 iptables_red
- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
- # ORANGE to talk to GREEN / BLUE.
- /sbin/iptables -N DMZHOLES
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
- fi
-
- # XTACCESS chain, used for external access
- /sbin/iptables -N XTACCESS
- /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
 # PORTFWACCESS chain, used for portforwarding
 /sbin/iptables -N PORTFWACCESS
 /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network
index 9ff220011..02df4bc97 100644
--- a/src/initscripts/init.d/network
+++ b/src/initscripts/init.d/network
@@ -47,9 +47,7 @@ init_networking() {
 # (exit ${failed})
 # evaluate_retval
- boot_mesg "Setting up DMZ pinholes"
- /usr/local/bin/setdmzholes; evaluate_retval
-
+
 if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then
 boot_mesg "Setting up wireless firewall rules"
 /usr/local/bin/wirelessctrl; evaluate_retval
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index 4d09fbf65..306773fb6 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -24,11 +24,11 @@ CFLAGS=-O2 -Wall
 COMPILE=$(CC) $(CFLAGS)
 PROGS = iowrap
-SUID_PROGS = setdmzholes setportfw setxtaccess \
+SUID_PROGS = setportfw \
 squidctrl sshctrl ipfirereboot \
 ipsecctrl timectrl dhcpctrl snortctrl \
 applejuicectrl rebuildhosts backupctrl \
- logwatch openvpnctrl outgoingfwctrl \
+ logwatch openvpnctrl outgoingfwctrl forwardfwctrl \
 wirelessctrl getipstat qosctrl launch-ether-wake \
 redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
 smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -90,15 +90,15 @@ clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ +forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c deleted file mode 100644 index 7a2643d9e..000000000 --- a/src/misc-progs/setdmzholes.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/* SmoothWall helper program - setdmzhole - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $ - * - */ -#include "libsmooth.h" -#include -#include -#include -#include "setuid.h" - -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - int count; - char *protocol; - char *locip; - char *remip; - char *remport; - char *enabled; - char *src_net; - char *dst_net; - char s[STRING_SIZE]; - char *result; - struct keyvalue *kv = NULL; - char orange_dev[STRING_SIZE] = ""; - char blue_dev[STRING_SIZE] = ""; - char green_dev[STRING_SIZE] = ""; - char *idev; - char *odev; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_DEV", green_dev)) - { - fprintf(stderr, "Cannot read GREEN_DEV\n"); - exit(1); - } - findkey(kv, "BLUE_DEV", blue_dev); - findkey(kv, "ORANGE_DEV", orange_dev); - - if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r"))) - { - fprintf(stderr, "Couldn't open dmzholes settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F DMZHOLES"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - protocol = NULL; - locip = NULL; remip = NULL; - remport = NULL; - enabled = NULL; - src_net = NULL; - dst_net = NULL; - idev = NULL; - odev = NULL; - - while (result) - { 
- if (count == 0) - protocol = result; - else if (count == 1) - locip = result; - else if (count == 2) - remip = result; - else if (count == 3) - remport = result; - else if (count == 4) - enabled = result; - else if (count == 5) - src_net = result; - else if (count == 6) - dst_net = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && locip && remip && remport && enabled)) - { - fprintf(stderr, "Bad line:\n"); - break; - } - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - if (!src_net) { src_net = strdup ("orange");} - if (!dst_net) { dst_net = strdup ("green");} - - if (!strcmp(src_net, "blue")) { idev = blue_dev; } - if (!strcmp(src_net, "orange")) { idev = orange_dev; } - if (!strcmp(dst_net, "blue")) { odev = blue_dev; } - if (!strcmp(dst_net, "green")) { odev = green_dev; } - - if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev)) - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c deleted file mode 100644 index 27a03e03a..000000000 --- a/src/misc-progs/setxtaccess.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* SmoothWall helper program - setxtaccess - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * - * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases - * - * 19/04/03 Robert Kerr Fixed root exploit - * - * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $ - * - */ - -#include -#include -#include -#include "setuid.h" - -FILE *ifacefile = NULL; -FILE *fwdfile = NULL; -FILE *ipfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - char iface[STRING_SIZE] = ""; - char locip[STRING_SIZE] = ""; - char s[STRING_SIZE] = ""; - int count; - char *protocol; - char *destip; - char *remip; - char *locport; - char *enabled; - char *information; - char *result; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - if (fgets(locip, STRING_SIZE, ipfile)) - { - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - } - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - if (fgets(iface, STRING_SIZE, ifacefile)) - { - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - } - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r"))) - { - fprintf(stderr, "Couldn't open xtaccess settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F XTACCESS"); - - 
while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - count = 0; - protocol = NULL; - remip = NULL; - destip = NULL; - locport = NULL; - enabled = NULL; - information = NULL; - result = strtok(s, ","); - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - remip = result; - else if (count == 2) - locport = result; - else if (count == 3) - enabled = result; - else if (count == 4) - destip = result; - else - information = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && remip && locport && enabled)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - - /* check for destination ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the current - * local ip address. (This makes sure we can use old-style - * config files without the destination ip) */ - if (!destip || !strcmp(destip, "0.0.0.0")) - destip = locip; - if (!VALID_IP(destip)) - { - fprintf(stderr, "Bad destination IP: %s\n", remip); - exit(1); - } - - if (strcmp(enabled, "on") == 0) - { - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", - iface, protocol, remip, destip, locport); - safe_system(command); - } - } - - return 0; -}