From 62fc8511664c6646d706aa42927bac53ac6a5b5f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 9 Jan 2013 10:22:32 +0100 Subject: [PATCH] Forward Firewall: fixed 12 Bugs from forum. 1) Added more possible chars in remark: : / . 2) Added "Internet" to std networks to be able to define internetaccess 3) When renaming a custom address, the firewallrules get updated 4) Ports are now ignored when using GRE as Protocol 5) When saving a customservice, the cursor is now in first textfield 6) Added a customservices file to installation with predefined services 7) Added ESP as protocol 8) Fixed counterproblem 9) Dropdownboxes for customservices and groups now sorted 10) Firewallrules now sorted in right order 11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed 12) When defining an external access rule, the last forwardrule was deleted --- config/forwardfw/firewall-forward-policy | 24 + config/forwardfw/firewall-lib.pl | 2 + config/forwardfw/rules.pl | 22 +- config/rootfiles/common/apache2 | 2 +- config/rootfiles/common/stage2 | 1 + html/cgi-bin/dmzholes.cgi | 446 ------------ html/cgi-bin/forwardfw.cgi | 243 +++---- html/cgi-bin/fwhosts.cgi | 56 +- html/cgi-bin/optionsfw.cgi | 27 +- html/cgi-bin/outgoingfw.cgi | 849 ----------------------- langs/de/cgi-bin/de.pl | 8 +- langs/en/cgi-bin/en.pl | 4 +- lfs/configroot | 1 + src/initscripts/init.d/firewall | 27 +- 14 files changed, 224 insertions(+), 1488 deletions(-) create mode 100755 config/forwardfw/firewall-forward-policy delete mode 100644 html/cgi-bin/dmzholes.cgi delete mode 100644 html/cgi-bin/outgoingfw.cgi diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy new file mode 100755 index 000000000..aec71e29b --- /dev/null +++ b/config/forwardfw/firewall-forward-policy 
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICY
+
+if [ "$POLICY" == "MODE1" ]; then
+
+ if [ "$FWPOLICY" == "REJECT" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+ /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ fi
+ if [ "$FWPOLICY" == "DROP" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+fi
+
+
diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
index 24b990c77..44c0079b7 100755
--- a/config/forwardfw/firewall-lib.pl
+++ b/config/forwardfw/firewall-lib.pl
@@ -215,6 +215,8 @@ sub get_std_net_ip
 return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
 }elsif($val eq 'BLUE'){
 return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ }elsif($val eq 'RED'){
+ return "0.0.0.0/0 -o red0";
 }elsif($val =~ /OpenVPN/i){
 return "$ovpnsettings{'DOVPN_SUBNET'}";
 }elsif($val =~ /IPsec/i){
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 960951fc0..953aad0bc 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
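Review bot: The `[ "$POLICY" == "MODE1" ]` test (and the FWPOLICY/DROPFORWARD tests below it) uses `==`, a bash extension that a POSIX `/bin/sh` such as dash rejects as an unexpected operator; since the script runs `iptables -F POLICY` unconditionally first, a failed test would leave the POLICY chain empty, so the portable `if [ "$POLICY" = "MODE1" ]; then` is the safer spelling. Whether `/bin/sh` is bash on the target is not visible here, so that risk is inferred, but the portable form costs nothing. When `FWPOLICY` holds neither `REJECT` nor `DROP` the chain is likewise left empty after the flush; a trailing `else` that appends a DROP rule would make the script fail closed. Two smaller inconsistencies: the flush calls bare `iptables` while every append uses `/sbin/iptables`, and both terminal rules are tagged `--comment "DROP_OUTPUT"` although they sit in the forward POLICY chain, so a label such as `"FORWARD_POLICY"` would describe them correctly in a rule listing.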
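Review bot: The new `RED` branch returns `"0.0.0.0/0 -o red0"`, an address with an iptables option appended, whereas every other branch of get_std_net_ip returns a bare address/mask; if a caller places the result after `-s` (a source match), the embedded `-o red0` selects the output interface, which is the wrong direction for a source network and would need `-i`. The callers are outside this view, so that consequence is inferred, but the mixing of address and option in one return value is visible here. The interface name is also hard-coded while the sibling branches read their values from settings; returning `"0.0.0.0/0"` and letting the rule builder add the RED interface (choosing `-i` or `-o` by side, and taking the name from the RED interface setting) would keep the helper consistent. get_std_net_ip starts before the hunk.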
@@ -88,10 +88,11 @@ if($param eq 'flush'){ &preparerules; if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - #system ("iptables -A $CHAIN -j DROP"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - #system ("iptables -A $CHAIN -j ACCEPT"); + system ("/usr/sbin/firewall-forward-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){ + system ("/usr/sbin/firewall-forward-policy"); system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); } } @@ -113,9 +114,7 @@ sub preparerules } sub buildrules { - my $hash=shift; - foreach my $key (sort keys %$hash){ if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -163,7 +162,7 @@ sub buildrules if ($DPROT eq ''){$DPROT=' ';} @DPROT=split(",",$DPROT); - + #get time if defined if($$hash{$key}[18] eq 'ON'){ if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} @@ -178,7 +177,7 @@ sub buildrules $TIMETILL="--timestop $$hash{$key}[27] "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } - + if ($MODE eq '1'){ print "NR:$key "; foreach my $i (0 .. $#{$$hash{$key}}){ @@ -187,7 +186,7 @@ sub buildrules print "\n"; print"##################################\n"; #print rules to console - + foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} @@ -206,7 +205,7 @@ sub buildrules } print"\n"; } - + }elsif($MODE eq '0'){ foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); 
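Review bot: The identical `system ("/usr/sbin/firewall-forward-policy");` call is now issued in all three branches of the POLICY chain, so it can be hoisted to a single call before the `if`, and its return value is never checked; because that script flushes the POLICY chain before refilling it, a failed run should at least be reported, e.g. `system("/usr/sbin/firewall-forward-policy") == 0 or warn "firewall-forward-policy failed: $?";`. The third branch's `|| $fwdfwsettings{'POLICY'} eq 'MODE2'` (a context line) can never be true because MODE2 is already taken by the elsif above it, so that alternative can be dropped. The enclosing `if($MODE eq '0')` block starts outside the hunk.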
@@ -302,11 +301,12 @@ sub get_port if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ return "--sport $$hash{$key}[10] "; - }elsif($$hash{$key}[9] ne ''){ + }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ return "--dport $$hash{$key}[15] "; @@ -330,8 +330,6 @@ sub get_port elsif($prot eq 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); } - - } } } diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 5d5195fba..d57390443 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1390,7 +1390,7 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dmzholes.cgi +#srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi srv/web/ipfire/cgi-bin/forwardfw.cgi diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 1e91b3743..4755f07f0 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,6 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert +usr/sbin/firewall-forward-policy #usr/share #usr/share/doc #usr/share/doc/licenses diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi deleted file mode 100644 index 5c16f004c..000000000 --- a/html/cgi-bin/dmzholes.cgi +++ /dev/null 
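Review bot: The new `All ICMP-Types` branch is only reachable after the preceding `elsif` has excluded the same string, so the sentinel is tested twice; checking it first, `}elsif($$hash{$key}[9] eq 'All ICMP-Types'){ return; }elsif($$hash{$key}[9] ne ''){ return "--icmp-type $$hash{$key}[9] "; }`, is simpler and equivalent. The bare `return;` yields undef in the scalar assignment `$DPORT = &get_port($hash,$key,$DPROT);` in buildrules, while every other path returns a string; `return '';` would keep the later rule-string concatenation warning-free, though how $DPORT is used after that assignment is outside this view. get_port starts before the hunk.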
@@ -1,446 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} ); -undef (@dummy); - -my %cgiparams=(); -my %checked=(); -my %selected=(); -my %netsettings=(); -my $errormessage = ''; -my $filename = "${General::swroot}/dmzholes/config"; - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'REMARK'} = ''; -$cgiparams{'ACTION'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'DEST_IP'} =''; -$cgiparams{'DEST_PORT'} = ''; -&Header::getcgihash(\%cgiparams); - -open(FILE, $filename) or die 'Unable to open config file.'; -my @current = ; -close(FILE); - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - 
unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; } - unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; } - unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');} - unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - unless ($errormessage) { - $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - unless ($errormessage) - { - if($cgiparams{'EDITING'} eq 'no') { - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { - open(FILE,">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'PROTOCOL'},"; # [0] - print FILE "$cgiparams{'SRC_IP'},"; # [1] - print FILE "$cgiparams{'DEST_IP'},"; # [2] - print FILE "$cgiparams{'DEST_PORT'},"; # [3] - print FILE "$cgiparams{'ENABLED'},"; # [4] - print FILE "$cgiparams{'SRC_NET'},"; # [5] - print FILE "$cgiparams{'DEST_NET'},"; # [6] - print FILE "$cgiparams{'REMARK'}\n"; # [7] - } else { print FILE "$line"; } - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'dmz pinhole rule added'}); - system('/usr/local/bin/setdmzholes'); - } -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config 
file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); - &General::log($Lang::tr{'dmz pinhole rule removed'}); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - my $id = 0; - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) - { - $id++; - unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } - else - { - chomp($line); - my @temp = split(/\,/,$line); - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n"; - } - } - close(FILE); - system('/usr/local/bin/setdmzholes'); -} -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - my $id = 0; - foreach my $line (@current) - { - $id++; - if ($cgiparams{'ID'} eq $id) - { - chomp($line); - my @temp = split(/\,/,$line); - $cgiparams{'PROTOCOL'} = $temp[0]; - $cgiparams{'SRC_IP'} = $temp[1]; - $cgiparams{'DEST_IP'} = $temp[2]; - $cgiparams{'DEST_PORT'} = $temp[3]; - $cgiparams{'ENABLED'} = $temp[4]; - $cgiparams{'SRC_NET'} = $temp[5]; - $cgiparams{'DEST_NET'} = $temp[6]; - $cgiparams{'REMARK'} = $temp[7]; - } - } -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_NET'} = 'orange'; - $cgiparams{'DEST_NET'} = 'blue'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_NET'}{'orange'} = ''; -$selected{'SRC_NET'}{'blue'} = ''; -$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'"; - -$selected{'DEST_NET'}{'blue'} = ''; -$selected{'DEST_NET'}{'green'} = ''; -$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - 
-&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -my $buttonText = $Lang::tr{'add'}; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); - $buttonText = $Lang::tr{'update'}; -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} -print < - - - - - - $Lang::tr{'source net'}: - - - - - -   - - $Lang::tr{'destination net'}: - - - - - $Lang::tr{'destination ip or net'}: - - - - - $Lang::tr{'destination port'}:  - - - - - - - - - - - - - -
- $Lang::tr{'remark title'} * - -
- *  - $Lang::tr{'this field may be blank'} - $Lang::tr{'enabled'} - - -
-END -; -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - print "\n"; -} else { - print "\n"; -} -&Header::closebox(); -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'net'} -$Lang::tr{'source'} -  -$Lang::tr{'net'} -$Lang::tr{'destination'} -$Lang::tr{'remark'} -  -$Lang::tr{'action'} -END -; - -# Achim Weber: if i add a new rule, this rule is not displayed?!? -# we re-read always config. -# If something has happeened re-read config -#if($cgiparams{'ACTION'} ne '') -#{ - open(FILE, $filename) or die 'Unable to open config file.'; - @current = ; - close(FILE); -#} -my $id = 0; -foreach my $line (@current) -{ - my $protocol=''; - my $gif=''; - my $toggle=''; - my $gdesc=''; - $id++; - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' } - - my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange}; - my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen}; - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { - print "\n"; } - elsif ($id % 2) { - print "\n"; } - else { - print "\n"; } - if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - my $dstprt =$temp[3]; - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[0]))); - if ($servi ne '' && $temp[3] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - # Darren Critchley - If the line is too long, wrap the port numbers - my $dstaddr = "$temp[2] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[2] :
$dstprt"; - } -print <$protocol - -$temp[1] - - -$dstaddr -$temp[7] - - -
- - - - -
- - - -
- - - -
- - - -
- - - -
- - - -END - ; -} -print "\n"; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'click to enable'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -sub validNet -{ - my $srcNet = $_[0]; - my $destNet = $_[1]; - - if ($srcNet eq $destNet) { - return $Lang::tr{'dmzpinholes for same net not necessary'}; } - unless ($srcNet =~ /^(blue|orange)$/) { - return $Lang::tr{'select source net'}; } - unless ($destNet =~ /^(blue|green)$/) { - return $Lang::tr{'select dest net'}; } - - return ''; -} - -sub haveOrangeNet -{ - if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} - -sub haveBlueNet -{ - if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} - if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} - return 0; -} diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index caaba2168..6aadb996b 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
@@ -112,54 +112,50 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} - + #check if we change an forward rule to an external access - if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire'){ + if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configfwdfw; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - + #check if we change an external access rule to an forward - if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire'){ + if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'nobase'}='on'; &deleterule; + &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - #INPUT part if($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'chain'} = 'INPUTFW'; #check if we have an identical rule already foreach my $key (sort keys %configinputfw){ if 
("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[16],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - } + eq 
"$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[16],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } } - - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - if ($fwdfwsettings{'nobase'} eq 'on'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - - + + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + 
&checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + &saverule(\%configinputfw,$configinput); - #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -181,9 +177,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
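Review bot: Both conversion blocks still call `&deleterule` before `$errormessage` from checksource/checktarget/checkrule is consulted, and deleterule writes the config and calls `&rules` (visible in the `@@ -537` hunk), so a rule whose edit fails validation is removed from its old file and immediately dropped from the running ruleset while the user is only sent back to the form; the added `&& $fwdfwsettings{'updatefwrule'} eq 'on'` guard does not cover this. Adding `&& !$errormessage` to both conditions would keep the old rule in place until the new one has passed validation; the unconditional `&saverule(\%configinputfw,$configinput);` further down deserves the same look unless saverule checks `$errormessage` itself, which is not visible here. The two new `&checkcounter(0,0,...)` calls appear verbatim in both blocks and could live in one helper invoked after `&deleterule`. The enclosing `if ($fwdfwsettings{'ACTION'} eq 'saverule')` block starts and ends outside the hunk.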
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - }else{ $fwdfwsettings{'chain'} = 'FORWARDFW'; #check if we have an identical rule already @@ -196,9 +189,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { @@ -206,14 +199,11 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - if ($fwdfwsettings{'nobase'} eq 'on'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - - &saverule(\%configfwdfw,$configfwdfw); - + #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -235,9 +225,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #print"ALT: $fwdfwsettings{'oldgrp2a'} $fwdfwsettings{'oldgrp2b'} NEU: $fwdfwsettings{'grp2'} $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; #print"ALT: $fwdfwsettings{'oldgrp3a'} $fwdfwsettings{'oldgrp3b'} NEU: $fwdfwsettings{'grp3'} $fwdfwsettings{$fwdfwsettings{'grp3'}}
"; #print"DIENSTE Checkalt:$fwdfwsettings{'oldusesrv'} DIENSTE Checkneu:$fwdfwsettings{'USESRV'} DIENST ALT:$fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'} DIENST NEU:$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}
"; - - - } if ($errormessage){ &newrule; @@ -245,7 +232,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &rules; &base; } - } if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) { @@ -264,12 +250,10 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) $fwdfwsettings{'POLICY'}='MODE0'; system("rm ${General::swroot}/forward/config"); system("rm ${General::swroot}/forward/input"); - %fwdfwsettings = (); - &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } - + %fwdfwsettings = (); &reread_rules; } @@ -407,7 +391,7 @@ sub checkcounter }elsif($base1 eq 'cust_srvgrp'){ &dec_counter($configsrvgrp,\%customservicegrp,$val1); } - + if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){ &inc_counter($confignet,\%customnetwork,$val2); }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){ @@ -426,13 +410,12 @@ sub inc_counter my %hash=%{(shift)}; my $val=shift; my $pos; - + &General::readhasharray($config, \%hash); foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]+1; - } } &General::writehasharray($config, \%hash); 
@@ -449,23 +432,21 @@ sub dec_counter if($hash{$key}[0] eq $val){ $pos=$#{$hash{$key}}; $hash{$key}[$pos] = $hash{$key}[$pos]-1; - } } &General::writehasharray($config, \%hash); } sub base { - if ($fwdfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - + &hint; if ($fwdfwsettings{'POLICY'} ne 'MODE0' && $fwdfwsettings{'POLICY'} ne '') { &addrule; } - + #print""; #foreach (0 .. 40){ #my $i="color".$_; @@ -494,7 +475,7 @@ sub addrule { &error; &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print ""; print "
"; print ""; @@ -505,7 +486,6 @@ sub addrule &Header::closebox(); &viewtablerule; - } sub deleterule { @@ -537,7 +517,7 @@ sub deleterule &General::writehasharray($fwdfwsettings{'config'}, \%delhash); &rules; - + if($fwdfwsettings{'nobase'} ne 'on'){ &base; } @@ -553,7 +533,6 @@ sub disable_rule } &General::writehasharray("$configfwdfw", \%configfwdfw); &rules; - } sub checksource { @@ -589,7 +568,7 @@ sub checksource $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."
";} #check icmp source @@ -601,6 +580,12 @@ sub checksource $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]"; } } + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; + }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){ + $fwdfwsettings{'SRC_PORT'}=''; + $fwdfwsettings{'ICMP_TYPES'}=''; }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){ $fwdfwsettings{'ICMP_TYPES'}=''; }else{ @@ -608,7 +593,7 @@ sub checksource $fwdfwsettings{'SRC_PORT'}=''; $fwdfwsettings{'PROT'}=''; } - + if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; @@ -622,7 +607,7 @@ sub checksource if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { $fwdfwsettings{'SRC_PORT'} = "$1:65535"; } - + $errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src'); } return $errormessage; @@ -630,8 +615,7 @@ sub checksource sub checktarget { my ($ip,$subnet); - - + if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){ #check if ip with subnet if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) { @@ -658,15 +642,15 @@ sub checktarget if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."
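Review bot: The two new `elsif` branches for `GRE` and `ESP` in the `@@ -601` hunk have identical bodies, so they can be one branch: `}elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'GRE' || $fwdfwsettings{'PROT'} eq 'ESP')){`. Keeping the list of port-less protocols in one expression also makes it easier to keep checktarget, which mirrors this logic, in step. checksource starts and ends outside the hunk.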
"; } - + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } - + #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} - + #check tgt services if ($fwdfwsettings{'USESRV'} eq 'ON'){ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ @@ -682,7 +666,7 @@ sub checktarget } } if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ - if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP'){ + if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE'){ if ($fwdfwsettings{'TGT_PORT'} ne ''){ #change dashes with : $fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; @@ -697,19 +681,25 @@ sub checktarget } $errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination'); } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'} = ''; + }elsif($fwdfwsettings{'TGT_PORT'} eq 'ESP'){ + $fwdfwsettings{'TGT_PORT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + $fwdfwsettings{'TGT_PORT'} = ''; &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); foreach my $key (keys %icmptypes){ if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ - $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; } } } } } - + #check targetport if ($fwdfwsettings{'USESRV'} ne 'ON'){ $fwdfwsettings{'grp3'}=''; @@ -717,17 +707,12 @@ sub checktarget $fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'ICMP_TGT'}=''; } - - #check timeframe if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ $errormessage=$Lang::tr{'fwdfw err time'}; } } - - - return $errormessage; } sub checkrule 
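Review bot: In the `@@ -697` hunk the new ESP branch tests `$fwdfwsettings{'TGT_PORT'} eq 'ESP'` instead of `TGT_PROT`, and it is unreachable regardless because the first condition in the `@@ -682` hunk, `TGT_PROT ne 'ICMP' && TGT_PROT ne 'GRE'`, already matches ESP and sends it through port validation, so a target protocol of ESP is still validated as if it carried ports. Fix both together: extend the first test to `if ($fwdfwsettings{'TGT_PROT'} ne 'ICMP' && $fwdfwsettings{'TGT_PROT'} ne 'GRE' && $fwdfwsettings{'TGT_PROT'} ne 'ESP'){` and merge the two port-less protocols into one branch, `}elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE' || $fwdfwsettings{'TGT_PROT'} eq 'ESP'){`, which clears `TGT_PORT` and `ICMP_TGT` as the GRE branch does now. checktarget starts before the `@@ -682` hunk.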
@@ -741,17 +726,14 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err same'}; return $errormessage; } - + #get source and targetip address if possible my ($sip,$scidr,$tip,$tcidr); ($sip,$scidr)=&get_ip("src","grp1"); ($tip,$tcidr)=&get_ip("tgt","grp2"); - - - + #check same iprange in source and target if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ - my $networkip1=&General::getnetworkip($sip,$scidr); my $networkip2=&General::getnetworkip($tip,$tcidr); if ($scidr gt $tcidr){ @@ -759,20 +741,19 @@ sub checkrule $errormessage.=$Lang::tr{'fwdfw err samesub'}; } }elsif($scidr eq $tcidr && $scidr eq '32'){ - my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(".",$networkip1); - my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(".",$networkip2); + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/\./,$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/\./,$networkip2); if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ $hint=$Lang::tr{'fwdfw hint ip1'}."
"; $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
"; } - }else{ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){ $errormessage.=$Lang::tr{'fwdfw err samesub'}; } } } - + #check source and destination protocol if manual if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ @@ -791,7 +772,6 @@ sub checkrule } } } - } sub get_ip { @@ -842,7 +822,6 @@ sub get_ip } } } - return $a,$b; } sub newrule @@ -858,14 +837,11 @@ sub newrule &General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configipsec", \%ipsecconf); &General::get_aliases(\%aliases); - - my %checked=(); my $helper; if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} my $config=$fwdfwsettings{'config'}; my %hash=(); - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -884,7 +860,6 @@ sub newrule $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; - #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ &General::readhasharray("$config", \%hash); @@ -917,7 +892,6 @@ sub newrule $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; - $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -949,9 +923,9 @@ sub newrule $fwdfwsettings{'ACTIVE'}='ON'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; } - + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); - + print <
@@ -962,7 +936,7 @@ END if($fwdfwsettings{'POLICY'} eq 'MODE2'){ $fwdfwsettings{'RULE_ACTION'} = 'DROP'; } - + if ($_ eq $fwdfwsettings{'RULE_ACTION'}) { print""; @@ -975,19 +949,19 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); - - + + #------SOURCE------------------------------------------------------- print< - + END - + #
$Lang::tr{'fwdfw sourceip'}

$Lang::tr{'fwhost stdnet'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
- - - END - #
$Lang::tr{'fwdfw use srcport'} $Lang::tr{'fwdfw man port'}
$Lang::tr{'fwdfw targetip'}IPFire ($Lang::tr{'external access'})

$Lang::tr{'fwhost stdnet'}$Lang::tr{'fwhost ccdnet'}
$Lang::tr{'fwhost cust net'}
$Lang::tr{'fwhost cust grp'}
$Lang::tr{'fwhost ipsec host'}
$Lang::tr{'fwhost attention'}:
$Lang::tr{'fwhost macwarn'}


- +
$Lang::tr{'fwdfw use srv'}$Lang::tr{'fwhost cust service'}
$Lang::tr{'fwdfw man port'}



- + END #---Activate/logging/remark------------------------------------- &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); @@ -1282,7 +1246,6 @@ END $Lang::tr{'time'}: $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'} $Lang::tr{'advproxy to'} @@ -1297,7 +1260,6 @@ END - -
-
END } @@ -1355,7 +1315,6 @@ END } sub saverule { - my $hash=shift; my $config=shift; &General::readhasharray("$config", $hash); @@ -1456,7 +1415,7 @@ sub get_name foreach my $network (sort keys %defaultNetworks) { return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); - } + } } sub validremark { @@ -1468,13 +1427,13 @@ sub validremark if (length ($remark) < 1 || length ($remark) > 255) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-\s]*$/) { + if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:\/\s]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) { return 0;} # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9]*$/) { + if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.]*$/) { return 0;} return 1; } @@ -1494,7 +1453,7 @@ sub gettgtport my $key=shift; my $service; my $prot; - + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ if($hash{$key}[14] eq 'cust_srv'){ &General::readhasharray("$configsrv", \%customservice); @@ -1506,7 +1465,7 @@ sub gettgtport } } }elsif($hash{$key}[14] eq 'cust_srvgrp'){ - + $service=$hash{$key}[15]; }elsif($hash{$key}[14] eq 'TGT_PORT'){ $service=$hash{$key}[15]; @@ -1515,7 +1474,7 @@ sub gettgtport }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ print" : ($hash{$key}[12])
$hash{$key}[13]"; } - + if ($prot ne '' || $service ne ''){ print" :"; if ($prot ne ''){ @@ -1535,7 +1494,7 @@ sub viewtablenew my $config=shift; my $title=shift; my $title1=shift; - + if ( ! -z "$config"){ &Header::openbox('100%', 'left',$title); my $count=0; @@ -1549,7 +1508,7 @@ sub viewtablenew print"$title1
"; print""; print""; - foreach my $key (sort keys %$hash){ + foreach my $key (sort {$a <=> $b} keys %$hash){ @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ @@ -1558,14 +1517,12 @@ sub viewtablenew if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[6]); } - foreach my $host (@tmpsrc){ if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ - if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; - } }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ @@ -1589,10 +1546,8 @@ sub viewtablenew $$hash{$key}[3]=''; $$hash{$key}[5]=''; } - $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; - if($coloryellow eq 'on'){ print""; $coloryellow=''; @@ -1604,7 +1559,6 @@ sub viewtablenew print""; } } - print<$key END @@ -1636,7 +1590,6 @@ END } print< -
- - - - "; } - if (exists $$hash{$key+1}){ print< @@ -1729,9 +1676,7 @@ END if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} - my $weekdays=join(",",@days); - if (@days){ print"
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
@@ -1662,7 +1615,6 @@ END }else{ $gif="/images/off.gif" - } print< @@ -1671,22 +1623,18 @@ END
@@ -1706,7 +1654,6 @@ END }else{ print"
$Lang::tr{'fwdfw time'} "; print"$weekdays"; @@ -1742,21 +1687,19 @@ END print"
"; &Header::closebox(); } - } sub fillselect { my %hash=%{(shift)}; my $val=shift; my $key; - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash) - { - if($hash{$key}[0] eq $val){ - print""; - }else{ - print""; - } + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + print""; + }else{ + print""; } + } } sub rules { diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 236e0b47c..5a8383692 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -47,6 +47,8 @@ my %defaultNetworks=(); my %mainsettings=(); my %ownnet=(); my %ipsecsettings=(); +my %fwfwd=(); +my %fwinp=(); my $errormessage; my $hint; @@ -59,6 +61,8 @@ my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; my $configipsec = "${General::swroot}/vpn/config"; my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $fwconfigfwd = "${General::swroot}/forward/config"; +my $fwconfiginp = "${General::swroot}/forward/input"; unless (-e $confignet) { system("touch $confignet"); } unless (-e $confighost) { system("touch $confighost"); } @@ -116,6 +120,9 @@ if ($fwhostsettings{'ACTION'} eq 'updatehost') } } &General::writehasharray("$confighost", \%customhost); + + + $fwhostsettings{'actualize'} = 'on'; $fwhostsettings{'ACTION'} = 'savehost'; } 
@@ -285,6 +292,28 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
 }
 }
 &General::writehasharray("$configgrp", \%customgrp);
+ #check if we need to update firewallrules
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+ foreach my $line (sort keys %fwfwd){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", \%fwfwd);
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", \%fwinp);
+ }
 }
 }
 my $key = &General::findhasharraykey (\%customnetwork);
@@ -416,9 +445,29 @@ if ($fwhostsettings{'ACTION'} eq 'savehost')
 }
 }
 &General::writehasharray("$configgrp", \%customgrp);
+ #check if we need to update firewallrules
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", \%fwfwd);
+ foreach my $line (sort keys %fwfwd){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", \%fwfwd);
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", \%fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", \%fwinp);
+ }
 }
-
-
 }
 my $key = &General::findhasharraykey (\%customhost);
 foreach my $i (0 .. 3) { $customhost{$key}[$i] = "";}
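Review bot: In the `$fwconfiginp` block the loop iterates `keys %fwinp` but inspects and updates `$fwfwd{$line}[4]`, so a renamed host is never propagated to the input rules and `%fwinp` is written back unchanged; the two inner lines should be `if ($fwinp{$line}[4] eq $fwhostsettings{'orgname'}){` and `$fwinp{$line}[4] = $fwhostsettings{'HOSTNAME'};`. The identical slip is repeated in the `savehost` hunk (`@@ -416,9 +445,29 @@`) below. The two 22-line blocks are byte-for-byte copies, and a single sub taking the old and the new name would have caught this and keeps the rule rewrite in one place. Also, `-z` is false for a missing file as well as for an empty one, so `! -z $fwconfiginp` enters the block when the file does not exist; readhasharray's behaviour on a missing path is not visible here, so confirm it tolerates that or test with `-s` instead.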
@@ -1084,6 +1133,7 @@ END foreach my $network (sort keys %defaultNetworks) { next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP"); + next if($defaultNetworks{$network}{'NAME'} eq "RED"); print ""; @@ -1186,7 +1236,7 @@ sub addservice } print< - $Lang::tr{'fwhost srv_name'}:$Lang::tr{'fwhost prot'}:$Lang::tr{'fwhost prot'}:/ off +
+ + + +
$Lang::tr{'fw default drop'}
$Lang::tr{'drop action'} +
+
+ +
- -
END diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi deleted file mode 100644 index b417817a2..000000000 --- a/html/cgi-bin/outgoingfw.cgi +++ /dev/null 
@@ -1,849 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); - -my $configfile = "/var/ipfire/outgoing/rules"; -my $configpath = "/var/ipfire/outgoing/groups/"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; -my $servicefile = "/var/ipfire/outgoing/defaultservices"; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -### Values that have to be initialized 
-$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; -$outfwsettings{'MODE1LOG'} = 'off'; - -$outfwsettings{'TIME_FROM'} = '00:00'; -$outfwsettings{'TIME_TO'} = '00:00'; - -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&Header::getcgihash(\%outfwsettings); - -############### -# DEBUG DEBUG -#&Header::openbox('100%', 'left', 'DEBUG'); -#my $debugCount = 0; -#foreach my $line (sort keys %outfwsettings) { -#print "$line = $outfwsettings{$line}
\n"; -# $debugCount++; -#} -#print " Count: $debugCount\n"; -#&Header::closebox(); -# DEBUG DEBUG -############### - -$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; -$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - -$checked{'MODE1LOG'}{'off'} = ''; -$checked{'MODE1LOG'}{'on'} = ''; -$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'"; -$checked{'TIME_MON'}{'off'} = ''; -$checked{'TIME_MON'}{'on'} = ''; -$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'"; -$checked{'TIME_TUE'}{'off'} = ''; -$checked{'TIME_TUE'}{'on'} = ''; -$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'"; -$checked{'TIME_WED'}{'off'} = ''; -$checked{'TIME_WED'}{'on'} = ''; -$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'"; -$checked{'TIME_THU'}{'off'} = ''; -$checked{'TIME_THU'}{'on'} = ''; -$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'"; -$checked{'TIME_FRI'}{'off'} = ''; -$checked{'TIME_FRI'}{'on'} = ''; -$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'"; -$checked{'TIME_SAT'}{'off'} = ''; -$checked{'TIME_SAT'}{'on'} = ''; -$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'"; -$checked{'TIME_SUN'}{'off'} = ''; -$checked{'TIME_SUN'}{'on'} = ''; -$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'"; - -if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - -# This is a little hack if poeple don´t mark any date then all will be selected, because they might have forgotten to select -# a valid day. 
A Rule without any matching day will never work, because the timeranges are new feature people might not notice -# that they have to select a day for the rule. - -if ( $outfwsettings{'TIME_MON'} eq "" && - $outfwsettings{'TIME_TUE'} eq "" && - $outfwsettings{'TIME_WED'} eq "" && - $outfwsettings{'TIME_THU'} eq "" && - $outfwsettings{'TIME_FRI'} eq "" && - $outfwsettings{'TIME_SAT'} eq "" && - $outfwsettings{'TIME_SUN'} eq "" ) - { - $outfwsettings{'TIME_MON'} = "on"; - $outfwsettings{'TIME_TUE'} = "on"; - $outfwsettings{'TIME_WED'} = "on"; - $outfwsettings{'TIME_THU'} = "on"; - $outfwsettings{'TIME_FRI'} = "on"; - $outfwsettings{'TIME_SAT'} = "on"; - $outfwsettings{'TIME_SUN'} = "on"; - } - -&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - $outfwsettings{'POLICY'}='MODE0'; - unlink $configfile; - system("/usr/bin/touch $configfile"); - my $MODE = $outfwsettings{'POLICY'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $outfwsettings{'POLICY'}; - my $MODE1LOG = $outfwsettings{'MODE1LOG'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - $outfwsettings{'MODE1LOG'} = "$MODE1LOG"; - &General::writehash("${General::swroot}/outgoing/settings", \%outfwsettings); - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'enable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry 
(sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];on;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'disable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];off;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq 
$outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected'; - $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected'; - $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected'; - &addrule(); - &Header::closebigbox(); - &Header::closepage(); - exit - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq 
$outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) -{ - if ( $outfwsettings{'VALID'} eq 'yes' ) { - - if ( $outfwsettings{'SNET'} eq "all" ) { - $outfwsettings{'SIP'} =""; - $outfwsettings{'SMAC'}=""; - } - open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; - print FILE <$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - &Header::openbox('100%', 'center', 'Rules'); - print < - - -END -; - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = ; - close FILE; - if (@configs) { - print < - - - - - - - - - -END -; - foreach $configentry (sort @configs) - { - @configline = split( /\;/, $configentry ); - $outfwsettings{'STATE'} = $configline[0]; - $outfwsettings{'ENABLED'} = $configline[1]; - $outfwsettings{'SNET'} = $configline[2]; - $outfwsettings{'PROT'} = $configline[3]; - $outfwsettings{'NAME'} = 
$configline[4]; - $outfwsettings{'SIP'} = $configline[5]; - $outfwsettings{'SMAC'} = $configline[6]; - $outfwsettings{'DIP'} = $configline[7]; - $outfwsettings{'DPORT'} = $configline[8]; - $outfwsettings{'LOG'} = $configline[9]; - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - $outfwsettings{'TIME_MON'} = $configline[10]; - $outfwsettings{'TIME_TUE'} = $configline[11]; - $outfwsettings{'TIME_WED'} = $configline[12]; - $outfwsettings{'TIME_THU'} = $configline[13]; - $outfwsettings{'TIME_FRI'} = $configline[14]; - $outfwsettings{'TIME_SAT'} = $configline[15]; - $outfwsettings{'TIME_SUN'} = $configline[16]; - $outfwsettings{'TIME_FROM'} = $configline[17]; - $outfwsettings{'TIME_TO'} = $configline[18]; - - if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; } - if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; } - if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "DENY"; } - if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "ALLOW"; } - if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){ - if ( $outfwsettings{'ENABLED'} eq "on" ){ - print ""; - } else { - print ""; - } - print <$outfwsettings{'PROT'} - "; - print ""; - } else { - $outfwsettings{'DISPLAY_SMAC'} = 
$outfwsettings{'SMAC'}; - print ""; - print ""; - } - } - print < - - - -END -; - } - } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ -print <
-
-
$Lang::tr{'protocol'}$Lang::tr{'network'}$Lang::tr{'destination'}$Lang::tr{'description'}$Lang::tr{'policy'}$Lang::tr{'logging'}$Lang::tr{'action'}
$outfwsettings{'SNET'} - $outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'} - $outfwsettings{'NAME'} - $outfwsettings{'DISPLAY_STATE'} - $outfwsettings{'LOG'} - - -
- - - - - - - - - - - - - - - - - - - - - -
-
- - - - - - - - - - - - - - - - - - - - - -
-END -; - if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - - unless ($outfwsettings{'SIP'}) { - $outfwsettings{'DISPLAY_SIP'} = 'ALL'; - } else { - $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; - } - - unless ($outfwsettings{'SMAC'}) { - $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; - print "
$Lang::tr{'source ip or net'}: $outfwsettings{'DISPLAY_SIP'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: $outfwsettings{'DISPLAY_SMAC'}$Lang::tr{'time'} - -END -; - if ($outfwsettings{'TIME_MON'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy monday'},"; - if ($outfwsettings{'TIME_TUE'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy tuesday'},"; - if ($outfwsettings{'TIME_WED'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy wednesday'},"; - if ($outfwsettings{'TIME_THU'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy thursday'},"; - if ($outfwsettings{'TIME_FRI'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy friday'},"; - if ($outfwsettings{'TIME_SAT'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy saturday'},"; - if ($outfwsettings{'TIME_SUN'} eq 'on') { print "";} - else { print "";} - print "$Lang::tr{'advproxy sunday'}"; - print < - $Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}all - all - ALL - drop - DENY - on off -
-
-
-END -; -} - print < -END -; - - } - &Header::closebox(); -} - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = ; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print < - $Lang::tr{'protocol'} - $Lang::tr{'status'} -END -; - my $id = 1; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /\;/, $p2pentry ); - print < -END -; - print "\t\t\t\n"; - print <$p2pline[0]: - -END -; - if ($p2pline[2] eq 'on') { - print < - -END -; - } else { - print < - -END -; - } - print < -END -; - } - print < -
$Lang::tr{'outgoing firewall p2p description 1'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 2'} $Lang::tr{ $Lang::tr{'outgoing firewall p2p description 3'} -END -; - &Header::closebox(); -} - -&Header::openbox('100%', 'center', 'Policy'); -print < - - - - - -
$Lang::tr{'mode'} 0:$Lang::tr{'outgoing firewall mode0'}
$Lang::tr{'mode'} 1:$Lang::tr{'outgoing firewall mode1'}
$Lang::tr{'mode'} 2:$Lang::tr{'outgoing firewall mode2'}

- - -END -; - if ($outfwsettings{'POLICY'} ne 'MODE0') { - print < -END -; - } -print < - -END -; -&Header::closebox(); - -############################################################################################################################ -############################################################################################################################ - -sub addrule -{ - &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); - if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; } - $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; - $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; -print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'description'}: $Lang::tr{'active'}:
$Lang::tr{'protocol'} - - $Lang::tr{'policy'}: -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\t\tALLOW\n"; - } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\t\tDENY\n"; - } - print < -
$Lang::tr{'source'}: - - $Lang::tr{'outgoing firewall warning'}
$Lang::tr{'source ip or net'}
$Lang::tr{'source'} $Lang::tr{'mac address'}: - -
$Lang::tr{'logging'}: - - - -
$Lang::tr{'destination ip or net'}: $Lang::tr{'destination port'}(s)
$Lang::tr{'time'}:$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'} - $Lang::tr{'advproxy from'}$Lang::tr{'advproxy to'}
- - - - - - - - - -
-
$Lang::tr{'this field may be blank'}
-END -; - &Header::closebox(); - -if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2') -{ -&Header::openbox('100%', 'center', 'Quick Add'); - - open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services"; - my @defservices = ; - close FILE; - -print ""; -foreach my $serviceline(@defservices) - { - my @service = split(/,/,$serviceline); - print <
-
- - - - - ";} - elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "";} - } - print "
$Lang::tr{'service'}$Lang::tr{'description'}$Lang::tr{'port'}$Lang::tr{'protocol'}$Lang::tr{'source net'}$Lang::tr{'logging'}$Lang::tr{'action'}
$service[0]$service[3]$service[1]$service[2] - - - -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "
"; - &Header::closebox(); - } -} - -&Header::closebigbox(); -&Header::closepage(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7fe166465..11e418756 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -747,7 +747,8 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop input' => 'Verworfene Input-Pakete loggen', +'drop action' => 'Standardverhalten der Firewall in Modus1', +'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop forward' => 'Verworfene Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', @@ -1033,8 +1034,9 @@ 'from email server' => 'Von Email Server', 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gültig', -'fw blue' => 'Firewall-Optionen für das Blaue Interface', -'fw logging' => 'Firewall-Logging', +'fw blue' => 'Firewall Optionen für das Blaue Interface', +'fw default drop' => 'Firewall Policy', +'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', 'gen static key' => 'Statischen Schlüssel erzeugen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index c33f97247..c4c882bf8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,9 +771,10 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', +'drop action' => 'Default behaviour of firewall in mode 1', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', -'drop forward' => 'Log dropped firewall pakets', +'drop forward' => 'Log dropped forward pakets', 'drop portscan' => 'Log dropped portscan pakets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', 
@@ -1060,6 +1061,7 @@
 'from email user' => 'From e-mail user',
 'from warn email bad' => 'From e-mail address is not valid',
 'fw blue' => 'Firewall options for BLUE interface',
+'fw default drop' => 'Firewall policy',
 'fw logging' => 'Firewall logging',
 'g.dtm' => 'TO BE REMOVED',
 'g.lite' => 'TO BE REMOVED',
diff --git a/lfs/configroot b/lfs/configroot
index 704c69007..56ee98df9 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -103,6 +103,7 @@ $(TARGET) :
 cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
 cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
 cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
+ cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy
 cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types
 cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices
 # Oneliner configfiles
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index c1daa59b5..0af3d4b2a 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -226,12 +226,6 @@ case "$1" in
 /sbin/iptables -N OPENSSLPHYSICAL
 /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
 
- # WIRELESS chains
- /sbin/iptables -N WIRELESSINPUT
- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
- /sbin/iptables -N WIRELESSFORWARD
- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
-
 # RED chain, used for the red interface
 /sbin/iptables -N REDINPUT
 /sbin/iptables -A INPUT -j REDINPUT
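Review bot: The new `cp` line is the only one in this recipe that writes outside `$(CONFIG_ROOT)`, to an absolute `/usr/sbin/firewall-forward-policy`, and the init script in this same patch executes that path as root without checking it exists. Because the destination must be executable for that call to work, the install should not depend on the source tree's mode bits and the build umask; `install -m 755 $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy` makes the mode explicit. A one-line comment above it saying why this file is installed as a system binary rather than under the config root would help the next reader, since every sibling line follows the other convention. The `$(TARGET)` rule begins outside the hunk.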
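Review bot: The WIRELESSINPUT and WIRELESSFORWARD chains are no longer created at start-up, but nothing in this patch shows the code that appended to or flushed them being removed or redirected; if another component still runs `iptables -A WIRELESSINPUT ...` or `iptables -F WIRELESSFORWARD` it will now fail with "No chain/target/match by that name", and whatever BLUE-client filtering those chains carried silently disappears. If that filtering has moved into the new forward-rule machinery, say so in a comment where the creation lines were (e.g. `# WIRELESS chains removed: BLUE client filtering is now handled by the forward firewall rules`), otherwise keep the two `-N` lines until every consumer is updated. The enclosing `case "$1" in` branch starts outside the hunk.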
@@ -283,11 +277,16 @@ case "$1" in
 /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 fi
 /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
- fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ #if [ "$DROPFORWARD" == "on" ]; then
+ # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ #fi
+ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ #POLICY CHAIN
+ /sbin/iptables -N POLICY
+ /sbin/iptables -A FORWARD -j POLICY
+ /usr/sbin/firewall-forward-policy
 ;;
 startovpn)
 # run openvpn
@@ -320,14 +319,10 @@ case "$1" in
 /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 fi
 /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- #if [ "$DROPOUTPUT" == "on" ]; then
- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
- #fi
- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
 if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
 fi
- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper"
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
 ;;
 stopovpn)
 # stop openvpn
-- 
2.39.2
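Review bot: With the unconditional `-A FORWARD -j DROP` commented out, the start path no longer guarantees a terminal rule at the end of FORWARD: the verdict now depends entirely on `/usr/sbin/firewall-forward-policy` populating the POLICY chain, and if that helper is missing, exits early, or installs no rule for the configured mode, forwarded traffic falls through to the chain's built-in policy, which is set elsewhere in this script and not visible in the hunk. A firewall start-up path should fail closed, so keep a backstop after the jump: `/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"`, and check the helper's exit status rather than ignoring it. The four commented-out lines are dead code that will drift from the helper; delete them and put the explanation in one comment, e.g. `# Final FORWARD verdict (DROP/REJECT, logging) is installed into POLICY by /usr/sbin/firewall-forward-policy from the saved settings`. The enclosing `case "$1" in` branch starts outside the hunk.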
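Review bot: This branch now ends FORWARD with its own LOG/DROP pair, while the start branch (hunk @@ -283) ends it with `-j POLICY` followed by the policy helper, so the tail of the FORWARD chain differs depending on which branch ran last and the REJECT-versus-DROP and mode choices applied at start are not re-applied here. If this is the reload path (the case label is outside the hunk, so this is inferred), it should mirror the start path: `/sbin/iptables -A FORWARD -j POLICY` and `/usr/sbin/firewall-forward-policy`, with the helper flushing POLICY before refilling it. The rename from FORWARDFW to FORWARD also means the FORWARDFW chain, if it still exists, no longer gets a terminal rule in this branch; worth a comment stating where that chain is now terminated, or confirming it is gone.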
