From: Alexander Marx
Date: Sat, 5 Oct 2013 11:50:35 +0000 (+0200)
Subject: Firewall: added some more plausichecks and additional errormessages
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=e6e9a8117677eca8319982ce56aa72e93c9b407e
Firewall: added some more plausichecks and additional errormessages
---
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index baeb7ada5..5116844b7 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -251,7 +251,6 @@ sub buildrules
 #print rules to console
 foreach my $DPROT (@DPROT){
 $DPORT = &get_port($hash,$key,$DPROT);
- print "uzlputz DPROT= $DPROT $DPORT\n";
 $PROT=$DPROT;
 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
 foreach my $a (sort keys %sourcehash){
@@ -593,6 +592,8 @@ sub get_port
 }else{
 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
 }
+ }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
+ return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
 }
 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
 if ($prot ne 'ICMP'){
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 44aa07370..c16fd0ade 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
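Review bot: The new `elsif` branch in get_port passes `3` as the second argument to `&fwlib::get_srv_port` where the `--dport` branch directly above passes `1`, and nothing in the hunk says what that index selects; a comment such as `# TODO: document what column index 3 selects in fwlib::get_srv_port (the --dport branch uses 1)` would spare the next reader a trip into fwlib. The trailing comment on the same line also has an unbalanced quote (`"use targetport`), which reads as a cut-off sentence. If `get_srv_port` can return an empty string for a service entry without an ICMP type, the branch returns `--icmp-type ` with no argument and that string ends up on the iptables command line; it may be worth returning an empty value in that case so the caller can treat it like an absent port, assuming the caller already handles an empty `$DPORT` (not visible here). get_port starts and ends outside the hunk.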
@@ -805,7 +805,17 @@ sub checkrule
 }
 }
 }
- #check source and destination protocol if source manual and dest single service
+ #When using source- or targetport, the protocol has to be TCP or UDP
+ if (($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON') && ($fwdfwsettings{'SRC_PORT'} ne '' || $fwdfwsettings{'TGT_PORT'} ne '') && ($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP')){
+ $errormessage.=$Lang::tr{'fwdfw err prot_port1'};
+ return;
+ }
+ #when icmp selected, no targetport allowed
+ if (($fwdfwsettings{'PROT'} ne '' && $fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP') && ($fwdfwsettings{'USESRV'} eq 'ON' || $fwdfwsettings{'USE_SRC_PORT'} eq 'ON')){
+ $errormessage.=$Lang::tr{'fwdfw err prot_port'};
+ return;
+ }
+ #change protocol if prot not equal dest single service
 if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
 foreach my $key (sort keys %customservice){
 if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
@@ -826,7 +836,7 @@ sub checkrule
 if ($fwdfwsettings{'PROT'} eq 'ICMP'){
 $fwdfwsettings{'USE_SRC_PORT'}='';
 $fwdfwsettings{'SRC_PORT'}='';
- $fwdfwsettings{'USESRV'}='';
+ #$fwdfwsettings{'USESRV'}='';
 $fwdfwsettings{'TGT_PORT'}='';
 &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
 foreach my $key (keys %icmptypes){
@@ -1254,7 +1264,7 @@ sub get_serviceports
 }
 }
 if($tcp && $udp && $icmp){
- push (@protocols,"All");
+ push (@protocols,"TCP,UDP,
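Review bot: The second added check in checkrule (`#when icmp selected, no targetport allowed`) is almost entirely subsumed by the first: both fire when USESRV or USE_SRC_PORT is ON and PROT is neither TCP nor UDP, so `fwdfw err prot_port` can only be reached when SRC_PORT and TGT_PORT are both empty, and any non-empty PROT with a port filled in always yields `prot_port1`. If the two messages are meant to distinguish "port given with a non-TCP/UDP protocol" from "ICMP with the port checkbox set", the conditions need to be made disjoint, e.g. by testing `$fwdfwsettings{'PROT'} eq 'ICMP'` explicitly in the second check or by ordering the ICMP-specific test first. Note also that the second check rejects every non-empty, non-TCP/UDP protocol whenever USESRV is ON before the `cust_srv` protocol adjustment below runs, which appears to conflict with the rules.pl hunk that now builds an `--icmp-type` match from ICMP together with an `[11] eq 'ON'` flag — worth confirming which behaviour is intended. Both new `$Lang::tr` keys must exist in every language file; those files are not part of this chunk. checkrule begins and ends outside the hunk.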
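Review bot: The `USESRV` reset in the ICMP branch of checkrule is left behind as commented-out code rather than deleted, and with TGT_PORT still cleared on the next line a reader cannot tell whether keeping USESRV set for ICMP is deliberate. Either remove the line (the history is in git) or replace it with a comment that states the reason, e.g. `# USESRV is kept for ICMP: presumably an ICMP custom service is selected via the target-port checkbox — confirm against rules.pl get_port`; the rules.pl hunk in this commit suggests that is the intent, but the hunk itself does not say so. checkrule begins and ends outside the hunk.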
ICMP");
 return @protocols;
 }
 if($tcp){
@@ -1656,7 +1666,7 @@ END
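Review bot: The literal pushed in get_serviceports changes from `All` to `TCP,UDP,ICMP`, so any caller that compares an element of the returned list against `"All"` would silently stop matching; none is visible in this chunk, so the other consumers of get_serviceports should be checked for the old value. The surrounding `if($tcp)` branches (partly outside the hunk) appear to push one protocol name per element, while this branch packs three names into a single comma-joined element, giving callers a mixed representation; if the join exists only for display, pushing `"TCP","UDP","ICMP"` as three elements keeps the list uniform. get_serviceports begins outside the hunk and its remaining branches continue past it.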