From bc912c6e0c34bfd81a915b3f2774fc6b848990ff Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Thu, 4 Apr 2013 13:02:50 +0200 Subject: [PATCH] Forward Firewall: Version 0.9.9.2 1) Some changes in en.pl 2) DNAT now supports REJECT/DROP rules 3) Bugfix: comma in remark customservicegroup 4) improved installer --- config/forwardfw/rules.pl | 17 +++++----- config/rootfiles/common/configroot | 2 +- html/cgi-bin/forwardfw.cgi | 51 +++++++++++------------------- html/cgi-bin/fwhosts.cgi | 4 +++ langs/en/cgi-bin/en.pl | 4 +-- 5 files changed, 34 insertions(+), 44 deletions(-) diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 49a45b1a5..c7acd122b 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -176,16 +176,17 @@ sub buildrules my $natip; my $snatport; my $fireport; + my $nat; foreach my $key (sort {$a <=> $b} keys %$hash){ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29]); if($$hash{$key}[31] eq 'dnat'){ - $$hash{$key}[0]='DNAT'; + $nat='DNAT'; $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); }else{ - $$hash{$key}[0]='SNAT'; + $nat='SNAT'; } } $STAG=''; 
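Review bot: `my $nat;` is declared next to `$natip`/`$fireport` outside the `foreach`, so like `$fireport` it is never reset between rules; `$nat` is only read inside the `[28] eq 'ON'` branch that always assigns it, so it is harmless today, but `$fireport` (context here, set only when `[30]>0`) carries one DNAT rule's `--dport` into the next NAT rule that has no port unless it is cleared somewhere outside this hunk. Making the per-rule state explicit at the top of the loop, `my $nat=''; my $fireport='';` right after `foreach my $key (sort {$a <=> $b} keys %$hash){` (dropping the outer declarations), removes that dependence on iteration order. The replacement of the in-place overwrite of `$$hash{$key}[0]` is the right direction, since that field is now consumed as the rule action later in buildrules, which continues past the hunk.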
@@ -288,12 +289,12 @@ sub buildrules
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
-print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
+print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
 $DPORT =~ s/\-/:/g;
 my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
-print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
-print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
+print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
 }
 }
 }
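Review bot: The snat branch of this print (preview) path is guarded by `$$hash{$key}[32] eq 'snat'`, but the new `-j $nat` it emits is derived from column 31 (`if($$hash{$key}[31] eq 'dnat')` in the hunk at @@ -176) and the matching `system` path at @@ -329 guards on `[31] eq 'snat'`; if column 32 is not the NAT-mode field this branch never prints, and if columns 31 and 32 can disagree it prints `-j DNAT --to $natip$fireport`. Align it with the system path: `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){`. The new PORTFWACCESS line also consumes `my $fwaccessdport=... if ($DPORT);`, a `my` with a statement modifier whose value is unspecified when `$DPORT` is empty; `my $fwaccessdport = $DPORT ? "--dport ".substr($DPORT,1) : '';` is the safe form (same line exists in the @@ -329 hunk). The enclosing loops of buildrules start before and close after this hunk.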
@@ -329,16 +330,16 @@ sub buildrules system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n"; + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); - system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n"; + system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ if ($$hash{$key}[17] eq 'ON'){ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n"; + system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; } } } diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index b835931c4..a562d6551 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -53,7 +53,7 @@ var/ipfire/forward/config var/ipfire/forward/input var/ipfire/forward/outgoing var/ipfire/forward/dmz -var/ipfire/forward/net +var/ipfire/forward/nat var/ipfire/forward/p2protocols var/ipfire/fwhosts var/ipfire/fwhosts/icmp-types diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e69e6ce9f..68a18b428 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi 
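Review bot: The new PORTFWACCESS line passes the stored rule action, `-j $$hash{$key}[0]`, straight into a single-string `system`, i.e. through the shell; before this change that field was overwritten with 'DNAT'/'SNAT' and the chain always got `-j ACCEPT`, so this is the first point where the saved value (column 0 is compared against `RULE_ACTION` in forwardfw.cgi) reaches a command line. Unless it is validated against a fixed set at save time, which this patch does not show, guard it at the point of use, `die "bad rule action" unless $$hash{$key}[0] =~ /\A(?:ACCEPT|DROP|REJECT)\z/;` before the system calls, or move these calls to list-form `system` so no shell parses the rule fields. For a DROP/REJECT action the nat-table rule `-j $nat --to $ip$DPORT` is still installed unconditionally two lines earlier, so the packet is translated and only then refused in PORTFWACCESS; a comment such as `# DNAT still rewrites the destination; the action is enforced in PORTFWACCESS` would save the next reader the question. buildrules continues outside the hunk.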
@@ -77,7 +77,7 @@ my %aliases=(); my %optionsfw=(); my %ifaces=(); -my $VERSION='0.9.9.1'; +my $VERSION='0.9.9.2'; my $color; my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confighost = "${General::swroot}/fwhosts/customhosts"; 
@@ -161,17 +161,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %confignatfw){ - if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'snatport'},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$confignatfw{$key}[0],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[7],$confignatfw{$key}[8],$confignatfw{$key}[9],$confignatfw{$key}[10],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[13],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[17],$confignatfw{$key}[19],$confignatfw{$key}[20],$confignatfw{$key}[21],$confignatfw{$key}[22],$confignatfw{$key}[23],$confignatfw{$key}[24],$confignatfw{$key}[25],$confignatfw{$key}[26],$confignatfw{$key}[27],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31],$confignatfw{$key}[32]"){ - $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; - if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ - $errormessage=''; - }elsif($fwdfwsettings{'oldruleremark'} ne 
$fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ - $errormessage=$Lang::tr{'fwdfw err remark'}."
"; - } - if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ - $fwdfwsettings{'nosave'} = 'on'; - } + if ("$confignatfw{$key}[0],$confignatfw{$key}[1],$confignatfw{$key}[2],$confignatfw{$key}[3],$confignatfw{$key}[4],$confignatfw{$key}[5],$confignatfw{$key}[6],$confignatfw{$key}[11],$confignatfw{$key}[12],$confignatfw{$key}[14],$confignatfw{$key}[15],$confignatfw{$key}[28],$confignatfw{$key}[29],$confignatfw{$key}[30],$confignatfw{$key}[31]" + eq "$fwdfwsettings{'RULE_ACTION'},NAT_DESTINATION,$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."
"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } } } } @@ -591,9 +591,9 @@ sub addrule { &error; if (-f "${General::swroot}/forward/reread"){ - print "
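Review bot: The rebuilt duplicate check compares `$confignatfw{$key}[1]` against the literal `NAT_DESTINATION`, so a stored rule whose column 1 holds anything else — presumably SNAT rules, since rules.pl uses column 1 as the nat-table chain and the form accepts `snat` — can never trigger 'fwdfw err ruleexists', whereas the old comparison did not inspect column 1 at all. If both kinds should be deduplicated, derive the expected chain from `$fwdfwsettings{'nat'}` instead of a constant; if only DNAT rules are meant, say so above the `if`, e.g. `# only DNAT rules are checked for duplicates here`. The new key also drops the PROT, SRC_PORT and TIME_* columns, so two DNAT rules that differ only in protocol or schedule now collide; if that is intended it deserves a comment, since the old check treated them as distinct. The `if` sits inside the saverule branch that begins before the hunk.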
$Lang::tr{'fwhost reread'}


"; + print "
    $Lang::tr{'fwhost reread'}


"; } - &Header::openbox('100%', 'left', $Lang::tr{'fwdfw addrule'}); + &Header::openbox('100%', 'left', $Lang::tr{'firewall'}); print "
"; print ""; print ""; @@ -768,7 +768,7 @@ sub checktarget { my ($ip,$subnet); &General::readhasharray("$configsrv", \%customservice); - #check DNAT settings (has to be single Host and single Port) + #check DNAT settings (has to be single Host and single Port or portrange) if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){ if ($fwdfwsettings{'USESRV'} eq ''){ @@ -783,7 +783,7 @@ sub checktarget $errormessage=$Lang::tr{'fwdfw dnat error'}."
"; } } - #check if Port is a single Port + #check if Port is a single Port or portrange if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; @@ -945,17 +945,7 @@ sub checkrule if($fwdfwsettings{'USE_NAT'} eq 'ON'){ #if no port is given in nat area, take target host port if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} - - #check if given nat port is already used by another dnatrule - if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'updatefwrule'} ne 'on'){ - foreach my $id (sort keys %confignatfw){ - if ($fwdfwsettings{'dnatport'} eq $confignatfw{$id}[30]){ - $errormessage=$Lang::tr{'fwdfw natport used'}."
"; - } - } - } - - #check if port given in nat area is a single valid port + #check if port given in nat area is a single valid port or portrange if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."
"; } @@ -2346,12 +2336,7 @@ END $tooltip='REJECT'; $rulecolor=$color{'color16'}; } - if($$hash{$key}[28] eq 'ON'){ - print""; - $rulecolor=$color; - }else{ - print""; - } + print""; &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost); print"
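Review bot: Deleting the "nat port already used" loop in the @@ -945 hunk leaves nothing that stops two DNAT rules from claiming the same external port or overlapping ranges; iptables then matches the first rule in chain order and the later one is silently dead, which is harder to diagnose than the old 'fwdfw natport used' error. If the loop went because `check_natport` now accepts ranges (not visible in this patch), replace it with a bounds overlap test — split each side on `-`, compare low/high — that keeps the `updatefwrule ne 'on'` guard so an edited rule does not collide with itself, and ideally also compares `TGT_PROT`, since a TCP and a UDP forward on the same port do not conflict. The updated comment `#check if port given in nat area is a single valid port or portrange` describes `check_natport`, whose change is outside this diff. checkrule starts before the hunk.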
$ruletype$ruletype"; if ($$hash{$key}[3] eq 'std_net_src'){ diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 8581141e9..3b5f98218 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -722,6 +722,10 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') &General::readhasharray("$configsrvgrp", \%customservicegrp ); &General::readhasharray("$configsrv", \%customservice ); $errormessage=&checkservicegroup; + #check remark + if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } if (!$errormessage){ #on first save, we have to enter a dummy value if ($fwhostsettings{'CUST_SRV'} eq ''){ diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ac0d1de8e..33d31fc67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -966,7 +966,7 @@ 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', 'fwdfw rule activate' => 'Activate rule', -'fwdfw rulepos' => 'Ruleposition', +'fwdfw rulepos' => 'Rule position', 'fwdfw snat' => 'SNAT (replace the addresse(s) from SOURCE with this address)', 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC, IP or Network):', @@ -1059,7 +1059,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', -'fwhost reread' => 'Firewallrules need to be updated.', +'fwhost reread' => 'Firewall rules need to be updated.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', -- 2.39.2
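Review bot: In the fwhosts.cgi hunk, `$errormessage=$Lang::tr{'fwhost err remark'};` replaces whatever `&checkservicegroup` returned on the line above, so a group that fails validation and also has a bad remark reports only the remark problem and the group error is lost. Append instead, `$errormessage.=$Lang::tr{'fwhost err remark'};`, matching the `.=` used for 'fwdfw err ruleexists' in forwardfw.cgi. The `&validremark(...)` call would read better without the `&` sigil, as it is not relying on prototype bypass. The enclosing saveservicegrp branch begins before the hunk.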