From d47bb8a1adbaadcc1e50231be850853f2d097249 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Sun, 3 Mar 2013 05:14:22 +0100
Subject: [PATCH] Forward Firewall: Added Firewall-Options for INPUT Policy (DROP/REJECT) and built a new INPUT-POLICY in firewall-policy.
---
 config/forwardfw/firewall-policy | 20 ++++++++++++++++----
 html/cgi-bin/optionsfw.cgi | 5 +++++
 langs/de/cgi-bin/de.pl | 4 ++--
 langs/en/cgi-bin/en.pl | 4 ++--
 4 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 90d8065aa..bbdec37bc 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -5,14 +5,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
 iptables -F POLICYFWD
 iptables -F POLICYOUT
-
+iptables -F POLICYIN
 if [ "$POLICY" == "MODE1" ]; then
 if [ "$FWPOLICY" == "REJECT" ]; then
 if [ "$DROPFORWARD" == "on" ]; then
 /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
 fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
 fi
 if [ "$FWPOLICY" == "DROP" ]; then
 if [ "$DROPFORWARD" == "on" ]; then
@@ -27,7 +27,7 @@ if [ "$POLICY1" == "MODE1" ]; then
 if [ "$DROPOUTGOING" == "on" ]; then
 /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
 fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
 fi
 if [ "$FWPOLICY1" == "DROP" ]; then
 if [ "$DROPOUTGOING" == "on" ]; then
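Review bot: The new `iptables -F POLICYIN` empties the chain well before the INPUT policy rule is appended at the bottom of the same script, so while the script runs any inbound packet that reaches POLICYIN falls through to whatever follows it in INPUT instead of being dropped or rejected. This mirrors what the existing `-F POLICYFWD`/`-F POLICYOUT` lines already do, but the gap now also covers traffic addressed to the firewall itself; how POLICYIN is hooked into INPUT is not visible in this patch, so whether the window is fail-open depends on the rules after it. If it is, consider assembling the policy rules into a scratch chain and swapping it in, or loading the whole policy atomically with `iptables-restore`, so the chain is never empty. The top of the script (shebang, readhash call) lies outside this hunk.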
@@ -36,4 +36,16 @@ if [ "$POLICY1" == "MODE1" ]; then
 /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 fi
 fi
-
+#INPUT
+if [ "$FWPOLICY2" == "REJECT" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ fi
+ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+fi
+if [ "$FWPOLICY2" == "DROP" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
+fi
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 898ee286f..9e39fbfd3 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -109,6 +109,7 @@ $checked{'SHOWDROPDOWN'}{'on'} = '';
 $checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'";
 $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
 $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
+$selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';
 
 &Header::openbox('100%', 'center', $Lang::tr{'options fw'});
 
@@ -165,6 +166,10 @@ print <DROP +$Lang::tr{'drop action2'} +
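Review bot: The new INPUT block leaves POLICYIN empty whenever `FWPOLICY2` is anything other than exactly `REJECT` or `DROP` — for instance an unset key on a system whose optionsfw settings were saved before this option existed, or an unexpected value from the CGI — because neither `if` fires after the `-F POLICYIN` flush at the top of the script; what happens to packets falling through an empty chain depends on how POLICYIN is wired into INPUT, which is outside this diff, but for a default-policy chain the safe fallback is DROP rather than nothing. The labels on the new POLICYIN rules are also copy-pasted from the FORWARD block: the LOG prefix `"DROP_FORWARD"` and the comments `"REJECT_FORWARD"`/`"DROP_FORWARD"` will tag input drops as forward drops in syslog and in `iptables -L`, which is exactly the mislabel the first two hunks of this patch correct for the other chains. I would make DROP the fallback branch and rename the labels to `REJECT_INPUT`/`DROP_INPUT`, as below.
```shell
if [ "$FWPOLICY2" == "REJECT" ]; then
	# … unchanged: optional REJECT_INPUT log rule …
	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_INPUT"
else
	# not an explicit REJECT (this includes an unset FWPOLICY2): fall back to DROP
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi
```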
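Review bot: The added `$selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';` only renders the stored value; nothing in this patch shows the submitted FWPOLICY2 being restricted to `DROP`/`REJECT` before it is written to the optionsfw settings file, and that file is `eval`'d via readhash by firewall-policy, whose INPUT block matches only those two exact strings. If the save handler (outside this hunk) does not whitelist it, a malformed or tampered value is stored silently and leaves POLICYIN without any rule. Where the form values are copied into `%settings` before saving, refuse the request `unless $settings{'FWPOLICY2'} =~ /\A(?:DROP|REJECT)\z/`, and apply the same check to FWPOLICY and FWPOLICY1 if they are not already covered.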
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 8c026a0a2..4c430770e 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -186,7 +186,6 @@
 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
 'advproxy cache management' => 'Cacheverwaltung',
 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
-'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
 'advproxy chgwebpwd ERROR' => 'F E H L E R :',
 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :',
 'advproxy chgwebpwd change password' => 'Passwort ändern',
@@ -748,6 +747,7 @@
 'driver' => 'Treiber',
 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
+'drop action2' => 'Standardverhalten der (INPUT) Firewall',
 'drop input' => 'Verworfene Input Pakete loggen',
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
@@ -2459,7 +2459,7 @@
 'wlanap encryption' => 'Verschlüsselung',
 'wlanap informations' => 'Informationen',
 'wlanap interface' => 'Interface übernehmen',
-'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 ASCII-Zeichen lang sein.',
+'wlanap invalid wpa' => 'Ungültige Länge in WPA-Passphrase. Muss zwischen 8 und 63 Zeichen lang sein.',
 'wlanap link dhcp' => 'Wireless Lan DHCP-Einstellungen',
 'wlanap link wireless' => 'Wireless Lan Clients freischalten',
 'wlanap no interface' => 'Ausgewähltes Interface ist keine WLAN-Karte!',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index aa07fd07e..48fa3ae83 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -187,7 +187,6 @@
 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
 'advproxy cache management' => 'Cache management',
 'advproxy cache replacement policy' => 'Cache replacement policy',
-'advproxy cache-digest' => 'Enable Cache-Digest Generation',
 'advproxy chgwebpwd ERROR' => 'E R R O R :',
 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :',
 'advproxy chgwebpwd change password' => 'Change password',
@@ -773,6 +772,7 @@
 'driver' => 'Driver',
 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
+'drop action2' => 'Default behaviour of (input) firewall',
 'drop input' => 'Log dropped input pakets',
 'drop newnotsyn' => 'Log dropped new not syn pakets',
 'drop forward' => 'Log dropped forward pakets',
@@ -2496,7 +2496,7 @@
 'wlanap encryption' => 'Encryption',
 'wlanap informations' => 'Informations',
 'wlanap interface' => 'Select interface',
-'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 ascii characters.',
+'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.',
 'wlanap link dhcp' => 'Wireless lan DHCP configuration',
 'wlanap link wireless' => 'Activate wireless lan clients',
 'wlanap no interface' => 'Selected interface is not a wirless lan card!',
-- 
2.39.2