From 210ee67b5354f513a71a74df2633e2d3e0ddad95 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 30 Jan 2013 09:14:01 +0100
Subject: [PATCH] Forward Firewall: deleted mode0, added default Mode2 and fixed /etc/init.d/firewall to reload the rules correctly on reload. Also made it possible to create broadcastrules (To drop broadcastpackets)
---
 config/forwardfw/rules.pl | 19 ++++++++++++++-----
 html/cgi-bin/forwardfw.cgi | 12 +++++-------
 src/initscripts/init.d/firewall | 5 +++--
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 099f2950d..3b2cb03f1 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -53,12 +53,16 @@ my $configfwdfw = "${General::swroot}/forward/config";
 my $configinput = "${General::swroot}/forward/input";
 my $p2pfile = "${General::swroot}/forward/p2protocols";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $netsettings = "${General::swroot}/ethernet/settings";
 my $errormessage='';
+my $orange;
+my $green;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configgrp, \%customgrp);
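Review bot: `%defaultNetworks` is filled by the added readhash call, but no `my %defaultNetworks` appears in the hunk next to the other new lexicals `$netsettings`, `$orange` and `$green`; if it is not declared above line 53 the file will not compile under `use strict`, and if it is, declaring it here alongside its sibling hashes would keep the new state in one place. The quotes around `"$netsettings"` add nothing: `&General::readhash($netsettings, \%defaultNetworks);`. `$orange` and `$green` are file-level lexicals that, judging by the second hunk, are only assigned and used inside one branch of the MODE2 handling, so they could be declared there instead.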
@@ -92,12 +96,17 @@ if($param eq 'flush'){
 &p2pblock;
 system ("/usr/sbin/firewall-forward-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- &p2pblock;
- system ("/usr/sbin/firewall-forward-policy");
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
- }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
- system ("/usr/sbin/firewall-forward-policy");
+ if ($defaultNetworks{'ORANGE_DEV'}){
+ $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+ #set default rules for DMZ
+ system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+ &p2pblock;
+ }
 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-forward-policy");
 }
 }
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 8f6ca585e..6895a9eed 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -731,9 +731,9 @@ sub checktarget
 $ip=&General::ip2dec($ip);
 $ip=&General::dec2ip($ip);
- #check if net or broadcast
+ #check if net
 my @tmp= split (/\./,$ip);
- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
+ if ($tmp[3] eq "0")
 {
 $errormessage=$Lang::tr{'fwhost err hostip'}."
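Review bot: In the MODE2 branch `&p2pblock;` has moved inside `if ($defaultNetworks{'ORANGE_DEV'})`, so a MODE2 system without an ORANGE interface no longer gets the p2p block rules at all, while the MODE1 branch above still calls it unconditionally; if that is not intended, `&p2pblock;` belongs before the `if`, next to the unconditional ACCEPT. The `RETURN` rule that keeps ORANGE away from GREEN is installed with an unchecked `system` on a shell string: if `iporsubtocidr` yields an empty value the rule is rejected by iptables, the failure is silent, and the `--state NEW -j ACCEPT` rule that follows is still appended, so ORANGE-to-GREEN traffic is then accepted instead of returned — the chain fails open. The list form with a status check, `system('iptables', '-A', $CHAIN, '-s', $orange, '-d', $green, '-j', 'RETURN') == 0 or die "forwardfw: DMZ RETURN rule failed: $?";`, keeps the shell out of it and stops before the ACCEPT is added. The enclosing `if($param eq 'flush')` block starts outside the hunk.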
";
 }
@@ -865,7 +865,7 @@ sub checkrule
 my $networkip1=&General::getnetworkip($sip,$scidr);
 my $networkip2=&General::getnetworkip($tip,$tcidr);
 if ($scidr gt $tcidr){
- if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr)) ){
+ if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){
 $errormessage.=$Lang::tr{'fwdfw err samesub'};
 }
 }elsif($scidr eq $tcidr && $scidr eq '32'){
@@ -876,7 +876,7 @@ sub checkrule
 $hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
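Review bot: With the `255` test gone, the remaining `if ($tmp[3] eq "0")` still decides from the last octet alone, so it rejects legitimate hosts such as 10.0.1.0 in a /16 and lets through network addresses that do not end in .0 (the base of a /25, for example); if checktarget has the target's prefix length in scope — its start is outside the hunk — comparing `&General::getnetworkip($ip, <prefix>) eq $ip` (the helper checkrule already uses below) would make the test mask-aware. The new comment `#check if net` could say what the test really does: `#reject an address whose last octet is 0 (treated as a network address)`.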
";
 }
 }else{
- if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){
 $errormessage.=$Lang::tr{'fwdfw err samesub'};
 }
 }
@@ -884,9 +884,7 @@ sub checkrule
 #check source and destination protocol if manual
 if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
-
-
- if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
 $errormessage.=$Lang::tr{'fwdfw err prot'};
 }
 #check source and destination protocol if source manual and dest servicegrp
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index af488b0d7..0dbb25feb 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -351,9 +351,10 @@ case "$1" in
 ;;
 restart)
 $0 stop
- $0 stopovpn
 $0 start
- $0 startovpn
+ /usr/local/bin/forwardfwctrl
+ /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+ /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
 ;;
 *)
 echo "Usage: $0 {start|stop|reload|restart}"
-- 
2.39.2
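Review bot: The added `&& $tcidr ne '32'` exempts a single-host target from the same-subnet error, but only in the `else` branch, and which branch runs is decided by `if ($scidr gt $tcidr)`, a string comparison: if these hold bare prefix lengths, `'8' gt '24'` is true, so a /8 source against a /24 target takes the first branch and never reaches the new check. Comparing numerically, `if ($scidr > $tcidr){` and `}elsif($scidr == $tcidr && $scidr == 32){`, makes the branch choice match the intent. The first branch has no matching `$scidr ne '32'` exemption; if that asymmetry is deliberate, a one-line comment saying why would save the next reader the question. sub checkrule starts and ends outside the hunk.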
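Review bot: The three commands added to `restart)` discard their exit status, and the two openvpnctrl calls all of their output, so a failing `forwardfwctrl` leaves the firewall in whatever state `$0 start` produced with nothing logged; at least that call should report failure, e.g. `/usr/local/bin/forwardfwctrl || echo "$0: forwardfwctrl failed" >&2`. The commit message says reload was fixed, yet only the `restart)` case is in this hunk; if `reload)` (listed in the usage text) is meant to rebuild the forward rules as well, that change is not visible here. The removed `$0 stopovpn` has no counterpart before `openvpnctrl -s`; whether `-s` copes with instances that `$0 stop` left running cannot be told from the hunk.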