This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated via 26f185ecc1e3a4f8afc0a8490de0441295b20a30 (commit) via cf4d6bb76cd51b978ef84a570c3766e7d43a3d16 (commit) via 8d0aa7108271be3a3e7cfb99e3b1b560cbab9b07 (commit) via 949d5c527a9a41e0ddb4a339d84ef48904c3da98 (commit) via 2ac39db92e9b6117d64940f8b0572a24afa07b33 (commit) via eb95ce89a8effefa0c6aa27bf6f048926d21fed0 (commit) via b119578f023df75a015505239751246c23f9a523 (commit) via 0c2cf9e2145737cc6af6f6147f322d9ce60465f6 (commit) via f195a8d763c82635bc1458bd9cd8d13cf45c95a2 (commit) via 4f585d559f2bea5002cdb57f171732cfd8675bec (commit) via 5bee9a9df5739810da488bf5bf71da4fe82be484 (commit) via dc21519f683d5bb0f7e5a9dfcfb4806afb895217 (commit) via caca013c1165230eea388ed4a770f6663ad5608e (commit) via 3027c6bb963cc8f736aca51bc99391bbd00c677f (commit) via 8c60701a4f856689e5bfae2ff2b6c5b7c0f0fdad (commit) via f78d627af390360e60e9878c274bf7ef1855ef71 (commit) via debe3af56492731d6589a9005de8516e3037f88f (commit) via 34aa915f08448c558311a630150c17283d7fe2ad (commit) via 776a1761d0ec5cb1d28e8a546bc6af818892183a (commit) via 9168da6fcc7af41f347ca9fa374500db90994458 (commit) via 29ae57a7fe60cb345fbebb80f76e52c31b5cd163 (commit) via 987b75bcd497233d7f4588efcc6af5c78236caec (commit) via ab4fe66fc95d7e048e44accf5d7750d8bbf03555 (commit) via 43215686ce938ebacf037d14edba46817cf470c2 (commit) via 93c2de1c663566438a15cfeae0c03028201b8690 (commit) via 653a71b9514dc8a88e7d2247d1d709245afe748c (commit) via 6143bc300e2d83a7ed9b7c6a1d8bf019d62a8ae1 (commit) via 357b3fe80df5e54fd327ebb543fd56de859f0c4b (commit) via 4affc3e88997fd395f7b9be00b2cc51539d19122 (commit) via cb051c577c4da9f42c0235383f2455c020bcab51 (commit) via 34f30c5f926e1ca90451cc42d72af230f66406ea (commit) via 2e99ab8bf8a1dc79d1c411281bd82a19acf1c9dc (commit) via b88c88291bc62a7e8bc1ed784182a158d425a11f (commit) via 1ca546126e98aa23155de0238e929e446ac40d94 (commit) via 6584a984a0b149715b9f51451ab82216f42d0e0c (commit) via 595a90f00334fba2c10518998244ac157b76d8f6 (commit) via 
f8bf364f0d758902de954f8e43bf372d3259929e (commit) via e1efb8199d378a6e8461b11f1ce748492e48bcca (commit) via bb12dd7b69825c7dfa88a4353e0bb39d179ae7a2 (commit) via 47cd046aede256dccbd844dc1e580b47d3dd4c45 (commit) via d5f1422d81ea54a1b56e57dcb4aadde95611111d (commit) via 51ab1de143a9bfcbc15c4d8bf7a6689e44a607b7 (commit) via 815eaff433559a26418be66f6400929d8ce3f0ef (commit) via 1e5553305203cee8b5b83dab82da16ac7b9f8713 (commit) via 3b9a23ce076e25548f4affde5b61eb37f71442fe (commit) via afc611d448aee8eaaefa018dfb6acd4c6d6227a1 (commit) via c0359d6dfbba1124c5b2da60bc56947e7f21769a (commit) via b85d2a9819e5708b1716976c112b6043abe49881 (commit) via 7326051edb1ebec404e0b81bd85292285d7a5b6b (commit) via 4d2e7a35d9592cd2ddae0467b5a0f036fa105476 (commit) via a648546338f22138b5fe26c19b25a5686d23b0b9 (commit) via 7f25a65fc1d53178453ad8cb820a9251a8755402 (commit) via e17121fee73ba9adcc2d102d0127695613b780e8 (commit) via b044bb056937ea59df3b9e244d9d01540fed869e (commit) via fc83b09d437a0137b2c2db6ec07b4bdb8f98b051 (commit) via 72586f0ff0bad5d1e9f75ab02dfc3e7595b47ded (commit) via f1934a05ad64ae5dd78568eece018cdb452b2326 (commit) via cb4439f3943662742f8010d41aff47ac06bb1804 (commit) via d4cb89d2d111e219520f4e1294e2e0985f918dac (commit) via 43d8be093c2dcad28164745d451f8d2351b9b95f (commit) via 1a8fde0e845eab654aeee6dc5b780c3e4596cb4d (commit) via a0fb1099efded1fe13a7e7fb51a97097776a06a8 (commit) via 2af92cf5acf6d3b0ef52528a0e83a29353ff3c83 (commit) via ac9e77e3ba748c96c670f1215abb4c5bdebe66b4 (commit) via 0ac6c61d3770cbc1fd19e3c5332ab76124cd643f (commit) via f557ea1e596033a79ab1f6df4d57fd90c15a2271 (commit) via c12392c0ef3aa71cda43fe38cfd22e4afab5cc5e (commit) via 4f3bd0ca20de32b0020f9be926254d2a201d226a (commit) via 8442c93764a38c903fe683ae9533a4d906a2b038 (commit) via 60607a6c75730e94b115cd2351c910bf022648dc (commit) via 3f09f5309c82ebf8b8518a16aedea8e0aad5e66e (commit) via 3b2ad4a1bddd2185da6bd500be39ee19694399a7 (commit) via 533a2da388be0f83732a07b5a40ec2792fd2fad5 (commit) via 
674f4e9d515233f5356fc502c862b28829736fde (commit) via ff4770c79ba800a03fea65ffd5153f75e63cf2b8 (commit) via fb0ce57589a8ba724d3c446b612181f6d7f3b8c5 (commit) via e41b651b4a3b79bb072ac94835e96432ac1968dd (commit) via d9b691e18e59323e14dd37428fe9857ab95246b4 (commit) via 8762442c4ece6aaf6b863a7c86aaefb9e47c8be3 (commit) via ed9ab82c61464a3a719f9662416b58cc83dbf4fd (commit) via 690b0bd7618c2b0e7284beaebcf771c02daced1d (commit) via d2c4a3cab92b07ebf0a01dc745d642429efd8159 (commit) via 2181b55552b061ad76dd4126a0c6a0f15de0b288 (commit) via 05d4f131e9f96a27249f1e833923ba2790dbd49a (commit) via c31f18b6a901bf02dc9e5e1c8474487a23e4c71e (commit) via 7c50b0483420028e1dc5f9b75ea0510b6c775567 (commit) via e1eef9d53e80503c97f86587d1f8e0fb99195a96 (commit) via 4682d02723a3650847c74e1fbfe8d38b75474cec (commit) via bac7013b21485ce8a6263bd19a7ba65440ec3336 (commit) via c400fe4c84dbb3c32e38d961f24275b29bc73d8f (commit) via cb6148989124a4df35fe4ab256b03106a5121357 (commit) via 6fab5bca2a3fc22aa08e7b6691e9f81a259d35ca (commit) via 3e79f33fc28e1f33a1b7599205ab86ae455d44c8 (commit) via 04abd8d95822b660e65cc1a85dac55f2791ae27f (commit) via eff2dbf8336c3935535a5f5565bfc27c4fccd4bb (commit) via e3c589276a90cfd67070e5e3f8007fc7ead6058f (commit) via 139a1ab9475c73f4c773d83de17346aca2e4eb8c (commit) via 6945e46310ca87cd42ca537293db33a77dc35dbe (commit) via 931e1fed53d8b5b74dbf2c2bedafc0399cccc7fe (commit) via dc82656bf97fef330f5f34ee237426fb53d86708 (commit) via aff15defbc1ade178a1fbbf1fa1b592033d4fb77 (commit) via 53f4c74d9bd0eebf70b4540b688be6d6c3e556ab (commit) via 9468a6f71372b680f642cc2c71466db8ce30a186 (commit) via ed31c098f5306caf1bf0abefaf7814ccb6636362 (commit) via be9be7cb5bf598e7d0781559ecd88ad702b58db2 (commit) via 94ea1f03464ab9434189ec270baa83fc2f2dcadd (commit) via 6f348fcb9d96d8372fbfca50675736e81eec6661 (commit) via 08e1c65d856ef4931dd641cdffe75ff75238e286 (commit) via 98cee89f94b5a7eedbfeaef1a4f1dcbc2c0c73d5 (commit) via ed618226bb7f03b3a12155d8f2d1bcdb58adb566 (commit) via 
d526a95bf105e787d8432af4bf9d4ba1f165d781 (commit) via bc912c6e0c34bfd81a915b3f2774fc6b848990ff (commit) via e09884e04f0aab0c9b4f2f3d22f9f653e93d0cb9 (commit) via f7e649ddfbd915136ae5acdad388d0b517e5ea85 (commit) via a60dbb4b6aef3c4753f3206812ff80d34235e066 (commit) via 829697d076d1b74a2499bd3bda6b70cfa56d6b49 (commit) via 6be32fe50454ded7ecbec877db3a05bd87bdcc05 (commit) via 28640b7365b6bcd73fd760300c1f994a331fc993 (commit) via 82e136591e5dbe3366f2a8d3f9129b98603ad620 (commit) via f0da8d53d02633030dafe6ad301488e8946ffccd (commit) via 218b3341b6fd9da564ee876c08d8bf2c1b0ec78d (commit) via fb61ec6715f8bcf9005477563a6449f51725f286 (commit) via 8343fd125091b3530a76609e8ec17dbf9f63ed69 (commit) via f833ef4660862fce522799582957a64b2159ea72 (commit) via 54d6863787ca89d11e59efc1e9d345fd5b9a5eb9 (commit) via 6b681c40d2d1cf9f0a1d6b8cedcce90809680e1d (commit) via 93b75f31ad920a2aa96206c2053b70affa135a42 (commit) via 6397b6e78974f316d9358841120f8e8bb34007f3 (commit) via e800ca53b20429a09054c8113517061279258ab8 (commit) via 9efd8d1c7eb134c71465396a1bdcc5ae52497d80 (commit) via a6edca5a899eca09c3ccd8cd22c2b7a3223fcdd3 (commit) via 2669161dab909e57a6642c2dea8d5a70900f4f12 (commit) via ddcec9d339162ee49d7973f815e03d8da5e973cd (commit) via f2ab6fba4afa7bc13a7549fade339eebc63c537b (commit) via bedb72f3d42cf71be128cf7c803baa53495af6e3 (commit) via 05612a544bf60d233704be5995241d2354dbde91 (commit) via d58677779f0a678a5495a4b198fc4dfd2fcc6893 (commit) via fccf52cf7eb362d88dca279b4fd4464dba92d6ce (commit) via 21b9a50c68d9c42e56a525c9745f638266469a39 (commit) via 472136c9271f162ab65b224225fe3e478a77ccb4 (commit) via ef6f983b1724f9b3ac4d5d4f5ba45288985c44fc (commit) via a0f267b92c63d8f1ac374073847766873e5fc445 (commit) via c773075074acff71cb574f67fd450f86bf7f6dc1 (commit) via f69ea1c7c59cdeb664cbc93eae60a538191ed44b (commit) via 7874d8200d10669bc7ab8c69c119fa62cbc8c69c (commit) via f38e0c4de02235f31fbff715af6dde0fcd62a78f (commit) via b3f4a4efcf1c8dae2804a879b7f59559935f4b26 (commit) via 
8cb1afc817acdf6228a13ed097b514c4ed4cfb6c (commit) via a7d7f5a3da6ed8905c01c7987acaeadbdca9aa5c (commit) via dc33c23b1fa602ab80e7b0b4422ca2019caa24fc (commit) via 36e9534f244f05b93119f4b6ddae47717acdc062 (commit) via a9b3ae26a3e158c3c94cdb169ae55b6af4eb40d4 (commit) via d47bb8a1adbaadcc1e50231be850853f2d097249 (commit) via dafaa4142779c7f9a63b481f23df4cec95c5f03c (commit) via fd4d137dbe29bab16761f5fa90ee200a6725fe19 (commit) via 443a6e8a5f95fbea7dbb9efe254f166be7e38b35 (commit) via ec329c069981d096bc38a1787ca1b04722dc40ed (commit) via 97e2e7b4b72dc635f3b8cb79d16198ad4a966f50 (commit) via 223d3b1dca93f96ed104990bd256a664150360e5 (commit) via a615cab30e57f39cc891d75a195e1df4bf4e21f3 (commit) via d998784149c62299aa7c417b7a7919c3d9abdcf7 (commit) via 8013bd0ac28ac8daee7bae5ebcfe4c9fd8154310 (commit) via 92e4ae9db1334acf481a60656004b289b0accf80 (commit) via 88f18201c74a911303b8ba023830c5e068794a21 (commit) via e2619c15215a9f86773e3bb84056b1f651261ec6 (commit) via 770140a7bfb302261d1e79d3b9add20be6b2b7ed (commit) via 3f8d9da3000a6f2268fc2c3c9b724d593a079f8e (commit) via 5b375ca7e640361701497ae451a4892e7ec5334e (commit) via 3f6bba6dbb92a41ccbe5f63753c98cb6658e06bf (commit) via 25dd450cbae6159727dfeff231da9573a075b4f9 (commit) via 31fef6cc2d8c19fb7b5a86529b4b98bc2d4fd85f (commit) via d603d1dee0376f6816e9643c8a332780cd112d93 (commit) via 5aa8edf6f794691843e13f0febfb29ee0ccf18d7 (commit) via 515863e299fd11273cf06cc3d2a5ecd673553a1f (commit) via 30d80ed42a716aa35c5827a4ec513e2925638da9 (commit) via f83227921516681f642ce29e4f9121d6341e1d99 (commit) via 6ca0b0f5fbfdfe4875a38b7ffc47d2af56efd9ec (commit) via af768a7e80bb8fb3b25bfd8f13a4a0561927f9e2 (commit) via 96502a5a67692ae5fb06b9a83799c64040ced1df (commit) via 289d82ad6e87b8b22b6cb90d3b16fb1a6721734c (commit) via ba6f69f76943a83fece4a12fb632f9ad166edff3 (commit) via d9a4000ba84beb88853a43a7301633b590c79abb (commit) via e638799b12ce108b6a13cfb3e8a180c56f4d3b9c (commit) via 1031c2e4a919e510e09dc975ce1567493841d2c5 (commit) via 
e28356b92834e75f09756de76e3cb139e9b72e9c (commit) via 562d24b8169ac043b2ab4ebf160862b25e88097e (commit) via 5dd84c259d95ee2fc2967326388d5cc73af4eabc (commit) via 12a43202a6fb6a9b80664ebcf01792928c57c016 (commit) via b324de14db6c48823e570a285c91bb18593f02ff (commit) via 15add1c8afbbc8eed5dd9d9649049109dbce8d58 (commit) via 7bf83f9d39d3101ac096b42d0fc43a8caef97c5e (commit) via 6128ded855eefc07abc6904490cfed055e35647b (commit) via f80db6a4ceb985e14a5bc85134bafbd0b3c34416 (commit) via be5698ef6688c770f422011875b2d6451af017d8 (commit) via e5a058c131806586e53c44d5ecca7e1d4a926f84 (commit) via 046d88c2d0f5718a8efbd5cbee5e2f4e1b5f4dbd (commit) via c178bf21c1e6d68be2fca6763e8e4b8493304d32 (commit) via d928d79566cd802f85cd38bcd8bd76f4bb112547 (commit) via 6563800485c11292341c931ccf8aadb281eaa2c8 (commit) via e3580608b3cd6695980e2ace6eae4f969d71e070 (commit) via d0815ce43f84bf53f31f2a51ba4fb768d6c12e4d (commit) via 0b54aaede3702dcaf76e3d4b50fd5ca591e8fe13 (commit) via aa8647835d948bf7261fb49ba26054b8789b61d8 (commit) via 35fb91640a78eb4c58c0ecab50f317d8bd4341da (commit) via 4e62b47f3371f261d3a295faab9083063b5fbad1 (commit) via 5d7faa4518d894f90218c216bb2fb86e69f46b2a (commit) via d7127db8fb715f13b87cbce980137c2879a1d64e (commit) via c7043621fc4cf73f30749d21310a8569fbf1c78f (commit) via 6ba1cd4ceba9d4b343e5afb47e206e7a507f226c (commit) via 3f8fe51ef093987c5633a9564648b1d3fe2e5087 (commit) via d13a936349b048eb5515699fea46c7242b9c95ac (commit) via 2cee24627a50955ee1ab6b1414ce9d5aa7feeb2c (commit) via 6c8699612cdb1fec557f02b2e4ee22750e7b1ff7 (commit) via cd9d9d8a13405e380ad0422d2b47f48d9ef1f8a4 (commit) via 12dcfbbdbe38f8b81a3969f70516511ec779d011 (commit) via 8f204435d41f19c0e79b3ab0fb364606b8eb1522 (commit) via 0918e51633a3c1582ce075b6e6dc71d0a07566be (commit) via 5de39dea9c1ebbdf7c2a9407dafd3900677ac9db (commit) via 13e5dda402cac2e441d029459e152750c2493e7f (commit) via 5e9707230693d7f3e180ec6a711f54dd0c224ab7 (commit) via bfac6bd4dc79788c16d66b29b84d3ecb6d105653 (commit) via 
ed73b87ece9ecefd829dde86cc3a559172d3bbcd (commit) via 0013abb07c6dda5f4a67ec2a2025e8d1007c4417 (commit) via bfee206c989a77ae56701aec25a435262dcda1ee (commit) via 5edf47ffbac2f7a8a668c8b64addd767c3df306b (commit) via 7772ae734e9bc926c19adfbd9333471cdf300f6f (commit) via fb70d3d54035db1c7427f8d42570980199455190 (commit) via 937d4e0892956a054f012f9f6d4ce5b1e03227f0 (commit) via 20c00d4bdf1114b983c71d2557dcdb0b067e87e0 (commit) via d6bdebd47d1c163dae1fbde6b6758d58ec66d67b (commit) via 8f1634ffbc7b3d039088bf80c85c3bcf2eeaf56c (commit) via 53f3a4c82dcbcc95118635bf89e67876ccb79206 (commit) via 2b9460abfa947eb91b391e4e97daa95ee7bc87fc (commit) via 0b14d3d9b14ee36a01a67d83591ede814cc9f92d (commit) via 5b7ed8bbae95651ff9098b90466bb815d2361f5f (commit) via 6adcf1569cf30ca399ae0aacb9e86c06fff4ffc6 (commit) via e974ced8c5a280554d4034e60647188e109fe9a1 (commit) via 210ee67b5354f513a71a74df2633e2d3e0ddad95 (commit) via 7bd9d462de4035d508b108ab0bedc3fda87e1326 (commit) via 0f869e32d4ea1f56e84cb61578964adf6eec7659 (commit) via 85dc70c746cd8fe0b602c0e98f2cc4b2232507ec (commit) via 70d38e5089fcd9de5a595dc5e08563104eba65ea (commit) via e3afaf8890558beb5e399efe2f8fa6cbd9123b91 (commit) via f1ec713da7db766dc3593c99b9b5c5cbc6efdb86 (commit) via f3fb9b64ac9a15703827454e7f67bc6754af9c5c (commit) via 47a40c972633d9e817d58d5f0212ba47006b4973 (commit) via 45cfd811310ad839d8cc6b7358cd9074bf43ae80 (commit) via a57a5709a40580f68c4b2ecfd13d3a989ad7d4da (commit) via 4b147d950b148500c5ec04a9f13e04f8b2e1ad96 (commit) via ed62bbfb521de113f824228fed88f2f8f962035a (commit) via 04f24153fcb06d29411569d19784430e16eee237 (commit) via 8d1beadce31786cc87afc01880d731c8a19e120f (commit) via 3b81fad442d9078bc9131e731ce2034656bcb165 (commit) via 5238a8719d75273e5e52f083c0c10cbe9e3ea312 (commit) via 5a9fd5dbd1af37c5ecf3608333486716cf43354b (commit) via 25c4997947301c3be6407fece18e4ef652e59285 (commit) via 61068ee1a4b6d4c029da662f4d8f3bcfa1734909 (commit) via 43902ae5a274e33f0e0bd14787bac49aa827bcc8 (commit) via 
9edb1d7a8e5e70c1ebe3d8f4197770e1c1c5d4e3 (commit) via 879462965387442e12cbade08cc20e3498c7672a (commit) via 99e698d03387f4ad40db1d2bd737c0d6cdc55a23 (commit) via 93a5f4a5821f92be219be12696de86ff8641395c (commit) via 8b3dd79147c3804e5f8944eef5c22380788ac348 (commit) via 8f0b047b4ba13521dfd782d0d164a2efec12cba1 (commit) via e0800c21db6316f0a41461f2e02fc7565d7c1a49 (commit) via cf576a12e54b51f563dccc77b783fce7de6b5768 (commit) via 99e5d97623e86562756166eba2cb8e504fad3646 (commit) via d7dc9718d31def634485a1b975a8a8e2a4c8bd4f (commit) via 8910ee647c5aaae0d05e61ca61939a7cfb60ac83 (commit) via 2833f5678e79bdd178d71edf947c5b37f5ccc6d7 (commit) via 27f4a6b159d9b040feffa8b06784fc71965fac2e (commit) via af49e3672351be5c1bad9958dfbd70bb638ffb45 (commit) via bcbf1b8ebe50b470c8ad6e63cb9519c3fea37499 (commit) via 7f9d1c39693c49b767a40dd226b47adf83ffbef1 (commit) via 36196d0d6439f83e8aaff92f186dba32f8f47eeb (commit) via bc3297257288edb70f77c74009669ddb901492ff (commit) via 9ee07ee5d2744bb7a55769bc6afb9ce21addb853 (commit) via d1f01304ffd334ee6ccf42a62f20de72ccc2bbde (commit) via e44fa0792b3d40b482da5213ebb1c3a9f00f7965 (commit) via 02da9f7bafcfc563b2d15b8741145631ea9c6a45 (commit) via 68ae5e591c993092e7f8f20abffb7d7d328ed1b1 (commit) via 992394d55cd19659a6717f2917e27d5a93a73e37 (commit) via 275a92e800636d0ba00daeb65b432d1dcf6c7bed (commit) via 1aec05a64e69852338ffd6e1b49e0d9beb9e5fda (commit) via 2da264ec63eb3091704a6b71cc7f83dc6f07a892 (commit) via 8dc23ff4fcc6b9f07cdd48abe7991419d255d363 (commit) via 8139398721023908ae3145d18839d2712ce522c8 (commit) via 54cb7ff0199cc9a7833038597fee4bfc7dbfeab5 (commit) via b526909163c325956f16fdd90287465aa78ffd17 (commit) via b9648e583305cc03907e9dde6c459fd8ba71cd0c (commit) via 485aac63955b1171f5f74525f345fdc4f94663fd (commit) via bbc14c234d62afe1cd8b0730265d5c3a57111744 (commit) via 9dafa928db040447cd888d6cd901130bdecfaebd (commit) via 62fc8511664c6646d706aa42927bac53ac6a5b5f (commit) via af8bc0d0a8c6a93277d9bfb6ef959f2cc8005b7d (commit) via 
fd10a52ca2860678368d162ce6b52b8c1cf25d0e (commit) via c0ec19967e4dc75b6e719177af6e258a7b4fd858 (commit) via 3d016366b8c38ed77038f4c1178d8b7afa466115 (commit) via 92788c464b2129302c4fa8b1b3dfec2f329bafdd (commit) via 7f5b2820698c2249b3d8496ec80315be86617f0a (commit) via 74e7001436c27096cd035452bd051a88795ef04f (commit) via 6be0579b189df15a1e6775462c0945c41043801b (commit) via e534554162a34ae47d135f3df251caac14502628 (commit) via 9bdb6b504536142e57acf9d967dc29aea47f09cf (commit) via adf41e6f3733955207801ef06665272aaddefd90 (commit) via c04f132d4947c6fbd41f9c18bc6590bd647e1786 (commit) via 231499fcc85bfb6ae4fbb03fbaca2873984be103 (commit) via d24a34cbdc529fcb9122ed7f99bc48c4a83263bb (commit) via 55674e0d3877ac07f71e26e0d07dacc6baf5759f (commit) via 14f7cb87b993267a1d76098ab9fa088533af1e18 (commit) via 2a81ab0d7701a7afd049d3ca5a28dc4e0fbffd20 (commit) via 111c99ddfa3632a8c2788b9c6d70c5e6d8a1dfd4 (commit) from 30156b054ef332d8b1ece6fc5d9e0cdbc947ca14 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 26f185ecc1e3a4f8afc0a8490de0441295b20a30 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 16:08:10 2013 +0200
Update rootfiles.
commit cf4d6bb76cd51b978ef84a570c3766e7d43a3d16 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 14:07:06 2013 +0200
Add new firewall to fifteen.
commit 8d0aa7108271be3a3e7cfb99e3b1b560cbab9b07 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 13:43:05 2013 +0200
firewall: Convert firewall rules when updating to fifteen.
commit 949d5c527a9a41e0ddb4a339d84ef48904c3da98 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 13:38:12 2013 +0200
Create core update "fifteen".
commit 2ac39db92e9b6117d64940f8b0572a24afa07b33 Merge: 30156b0 eb95ce8 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 28 11:33:20 2013 +0200
Merge remote-tracking branch 'amarx/firewall' into fifteen
commit eb95ce89a8effefa0c6aa27bf6f048926d21fed0 Author: Alexander Marx amarx@ipfire.org Date: Wed Aug 14 14:19:36 2013 +0200
Forward Firewall: ip addresses in firewall-groups (groups) are now colorized
commit b119578f023df75a015505239751246c23f9a523 Author: Alexander Marx amarx@ipfire.org Date: Wed Aug 14 12:51:21 2013 +0200
Forward Firewall: Now all customhosts are colored correctly in ruletable. Also the ip addresses in firewall-groups (hosts) are colored correctly if they are part of green,orange,blue,openvpn or ipsec
commit 0c2cf9e2145737cc6af6f6147f322d9ce60465f6 Author: Alexander Marx amarx@ipfire.org Date: Wed Aug 14 09:06:38 2013 +0200
Forward Firewall: BUGFIX: when having more than 10 hosts/networks in a firewall-groups group, the table was not shown correctly
commit f195a8d763c82635bc1458bd9cd8d13cf45c95a2 Author: Alexander Marx amarx@ipfire.org Date: Tue Aug 13 16:00:32 2013 +0200
Forward Firewall: BUG: when creating a new group in firewall-groups with the same name as an existing group, the line "no rule defined" was added. BUG: The line "no rules defined" is now "no entries in this group".
commit 4f585d559f2bea5002cdb57f171732cfd8675bec Author: Alexander Marx amarx@ipfire.org Date: Tue Aug 13 13:58:48 2013 +0200
Forward Firewall: Modified the Message to reread firewallrules in p2p-block.cgi. This is now the same as in forwardfw.cgi and fwhost.cgi
commit 5bee9a9df5739810da488bf5bf71da4fe82be484 Author: Alexander Marx amarx@ipfire.org Date: Tue Aug 13 13:47:27 2013 +0200
Forward Firewall: edited GPL-header
commit dc21519f683d5bb0f7e5a9dfcfb4806afb895217 Author: Alexander Marx amarx@ipfire.org Date: Tue Aug 13 12:44:01 2013 +0200
Forward Firewall: added GPL header to all files
commit caca013c1165230eea388ed4a770f6663ad5608e Author: Alexander Marx amarx@ipfire.org Date: Mon Aug 12 15:53:16 2013 +0200
Forward Firewall: added /var/ipfire/forward/bin to backup-exclude script
commit 3027c6bb963cc8f736aca51bc99391bbd00c677f Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Aug 12 14:45:07 2013 +0200
initscripts: Reset links that reload the firewall after RED connected.
commit 8c60701a4f856689e5bfae2ff2b6c5b7c0f0fdad Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Aug 12 14:42:16 2013 +0200
forwardctrl: Remove unused and possibly dangerous flush option.
Also remove unused header files.
commit f78d627af390360e60e9878c274bf7ef1855ef71 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Aug 12 14:39:34 2013 +0200
Firewall: Fix spelling of service names in custom services.
commit debe3af56492731d6589a9005de8516e3037f88f Merge: 9e78ce6 34aa915 Author: Alexander Marx amarx@ipfire.org Date: Mon Aug 12 13:30:45 2013 +0200
Merge remote-tracking branch 'ms/firewall-new' into firewall
commit 34aa915f08448c558311a630150c17283d7fe2ad Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 9 14:50:50 2013 +0200
Update translations.
commit 776a1761d0ec5cb1d28e8a546bc6af818892183a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Aug 5 09:32:46 2013 +0200
general-functions.pl: Fix overwritten substitutions.
commit 9168da6fcc7af41f347ca9fa374500db90994458 Author: Alexander Marx amarx@ipfire.org Date: Fri Aug 2 07:55:44 2013 +0200
Forward Firewall: deleted unused warning message regarding mac addresses
commit 29ae57a7fe60cb345fbebb80f76e52c31b5cd163 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jul 31 15:47:25 2013 +0200
firewall: Language updates (English and German).
commit 987b75bcd497233d7f4588efcc6af5c78236caec Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jul 31 14:31:18 2013 +0200
firewall: Add TOR chains.
commit ab4fe66fc95d7e048e44accf5d7750d8bbf03555 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 31 08:28:29 2013 +0200
Forward Firewall: Network addresses are now allowed as source and the ip addressfield has now size 18.
commit 43215686ce938ebacf037d14edba46817cf470c2 Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 30 12:32:25 2013 +0200
Forward Firewall: changed rule coloring. Now whole field is colored instead of just borders. Back Button in firewall groups /hostgroups showed a white site
commit 93c2de1c663566438a15cfeae0c03028201b8690 Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 25 10:36:36 2013 +0200
Forward Firewall: Bugfix: ICMP rules were applied twice
commit 653a71b9514dc8a88e7d2247d1d709245afe748c Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 25 07:33:20 2013 +0200
Forward Firewall: Bugfix: When using predefined services in rule creation, the rule was not applied. Bugfix: when on the rule creation page and pressing "back", the site gets white.
commit 6143bc300e2d83a7ed9b7c6a1d8bf019d62a8ae1 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 24 08:06:24 2013 +0200
Forward Firewall: BUGFIX: when setting outgoing to blocked and creating a rule, the last rule changes to "accept"
commit 357b3fe80df5e54fd327ebb543fd56de859f0c4b Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 18 13:15:10 2013 +0200
Forward Firewall: renamed IPFire to Firewall in SNAT area
commit 4affc3e88997fd395f7b9be00b2cc51539d19122 Author: Alexander Marx amarx@ipfire.org Date: Fri Jul 12 13:30:14 2013 +0200
Forward Firewall: show default rule when input is empty
commit cb051c577c4da9f42c0235383f2455c020bcab51 Author: Alexander Marx amarx@ipfire.org Date: Fri Jul 12 11:40:04 2013 +0200
Forward Firewall: language fixes on last rule in ruletable
commit 34f30c5f926e1ca90451cc42d72af230f66406ea Author: Alexander Marx amarx@ipfire.org Date: Fri Jul 12 11:05:57 2013 +0200
Forward Firewall: set default options for optionsfw and minor change on optionsfw.cgi
commit 2e99ab8bf8a1dc79d1c411281bd82a19acf1c9dc Author: Alexander Marx amarx@ipfire.org Date: Fri Jul 12 08:01:01 2013 +0200
Forward Firewall: added some javascript to automatically select radiobuttons when dropdowns are changed
commit b88c88291bc62a7e8bc1ed784182a158d425a11f Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 11 17:15:15 2013 +0200
Forward Firewall: added some java Script to automatically select radiobuttons when dropdowns are changed. Some cleanup of the code
commit 1ca546126e98aa23155de0238e929e446ac40d94 Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 11 07:43:42 2013 +0200
Forward Firewall: deleted configfile "nat" in ovpnmain.cgi for portfw check. File "nat" no longer exists. Now the portfw rules are in file "config"
commit 6584a984a0b149715b9f51451ab82216f42d0e0c Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 10 13:51:46 2013 +0200
Forward Firewall: just increased version number
commit 595a90f00334fba2c10518998244ac157b76d8f6 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 10 13:49:52 2013 +0200
Forward Firewall: The default rule table (at the end of Forward) shows only default values depending on the network configuration
commit f8bf364f0d758902de954f8e43bf372d3259929e Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 9 14:59:55 2013 +0200
Forward Firewall: fixed check for already existing rules.
commit e1efb8199d378a6e8461b11f1ce748492e48bcca Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 9 14:58:30 2013 +0200
Forward Firewall: deleted postrouting block in firewall (not used anywhere)
commit bb12dd7b69825c7dfa88a4353e0bb39d179ae7a2 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:53:30 2013 +0200
iptables: Cleanup creating SNAT/DNAT chains.
commit 47cd046aede256dccbd844dc1e580b47d3dd4c45 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:50:02 2013 +0200
iptables: Remove OPENSSL{PHYSICAL,VIRTUAL} chains which are unused.
commit d5f1422d81ea54a1b56e57dcb4aadde95611111d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:47:57 2013 +0200
iptables: Jump into the firewall rulesets after everything else has been done.
commit 51ab1de143a9bfcbc15c4d8bf7a6689e44a607b7 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:41:15 2013 +0200
iptables: Create OVPNNAT chain after CUSTOM* chains.
commit 815eaff433559a26418be66f6400929d8ce3f0ef Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:38:39 2013 +0200
iptables: Create guardian's chains after the CUSTOM* chains.
commit 1e5553305203cee8b5b83dab82da16ac7b9f8713 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:36:45 2013 +0200
iptables: Cleanup creating the OVPNBLOCK chain.
This should happen after the CUSTOM* chains.
commit 3b9a23ce076e25548f4affde5b61eb37f71442fe Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:25:48 2013 +0200
iptables: Block all loopback packets on non-loopback interfaces.
commit afc611d448aee8eaaefa018dfb6acd4c6d6227a1 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:21:04 2013 +0200
iptables: Create LOOPBACK chain.
This chain accepts all communication on the loopback interface without running it through the entire connection tracking first.
Packets on lo can never be blocked and must always be accepted. The firewall has to trust itself anyway.
commit c0359d6dfbba1124c5b2da60bc56947e7f21769a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:17:56 2013 +0200
iptables: Only jump into BADTCP for TCP packets.
This saves us from evaluating lots of rules for non-TCP packets.
commit b85d2a9819e5708b1716976c112b6043abe49881 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Jul 8 15:14:15 2013 +0200
iptables: Replace state module by conntrack module.
The state module is deprecated in recent releases of iptables and should not be used any more.
Additionally, this patch adds an extra chain for all connection tracking rules, so we can keep the entire ruleset smaller and cleaner.
commit 7326051edb1ebec404e0b81bd85292285d7a5b6b Author: Alexander Marx amarx@ipfire.org Date: Fri Jul 5 12:15:05 2013 +0200
Forward Firewall: Updated outgoingfw-converter. redesign of the ruletable's defaultrules
commit 4d2e7a35d9592cd2ddae0467b5a0f036fa105476 Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 4 12:37:34 2013 +0200
Forward Firewall: some textalignment in last rule row
commit a648546338f22138b5fe26c19b25a5686d23b0b9 Author: Alexander Marx amarx@ipfire.org Date: Thu Jul 4 12:19:50 2013 +0200
Forward Firewall: added "default-rules-table" at the end of forward ruletable
commit 7f25a65fc1d53178453ad8cb820a9251a8755402 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 3 14:38:40 2013 +0200
Forward Firewall: moved default rules from FORWARDFW to POLICYFWD
commit e17121fee73ba9adcc2d102d0127695613b780e8 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 3 11:26:44 2013 +0200
Forward Firewall: removed nat part from rules.pl (file nat not existent anymore)
commit b044bb056937ea59df3b9e244d9d01540fed869e Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 3 10:13:06 2013 +0200
Forward Firewall: Bugfixes: wrong interface in ruletable when selecting alias firewall interface
commit fc83b09d437a0137b2c2db6ec07b4bdb8f98b051 Author: Alexander Marx amarx@ipfire.org Date: Wed Jul 3 09:26:39 2013 +0200
Forward Firewall: some bugfixes
commit 72586f0ff0bad5d1e9f75ab02dfc3e7595b47ded Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 2 15:43:44 2013 +0200
Forward Firewall: colorize ip addresses when possible in firewall groups. subnetmask now in cidr format
commit f1934a05ad64ae5dd78568eece018cdb452b2326 Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 2 14:55:46 2013 +0200
Forward Firewall: deleted subnets from hosts in firewallgroups, colorized all ip-addresses from the firewall-groups if possible. Some minor changes in forwardfw.cgi
commit cb4439f3943662742f8010d41aff47ac06bb1804 Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 2 08:21:38 2013 +0200
Forward Firewall: Bugfix of last commit. Added "Interface" to source or target that uses "Firewall" interfaces
commit d4cb89d2d111e219520f4e1294e2e0985f918dac Author: Alexander Marx amarx@ipfire.org Date: Tue Jul 2 08:03:25 2013 +0200
Forward Firewall: When using "Firewall" as source or target, the ruletable looks confusing. There's "RED" in source and target. Now there's "INTERFACE RED".
commit 43d8be093c2dcad28164745d451f8d2351b9b95f Author: root amarx@ipfire.org Date: Tue Jul 2 04:16:52 2013 +0200
Forward Firewall: some language changes de.pl and en.pl as well as forwardfw.cgi and fwhost.cgi
commit 1a8fde0e845eab654aeee6dc5b780c3e4596cb4d Author: Alexander Marx amarx@ipfire.org Date: Mon Jul 1 16:38:14 2013 +0200
Forward Firewall: changed some names and added subnets to dropdowns
commit a0fb1099efded1fe13a7e7fb51a97097776a06a8 Author: Alexander Marx amarx@ipfire.org Date: Fri Jun 28 09:36:31 2013 +0200
Forward Firewall: Design changes 1) source has a new option "firewall" with dropdown for interfaces 2) source default networks->deleted IPFire, all ip's now in brackets 3) deleted warning message in Target that a mac is not usable 4) changes for "apply" button 5) in ruletable the protocol is now right beneath the ruletype column 6) changed target dropdown "INTERNET" to "RED" 7) renamed OpenVPN N-2N to OpenVPN Net-to-Net 8) set missing default firewall options 9) little changes on the en and de lang files
commit 2af92cf5acf6d3b0ef52528a0e83a29353ff3c83 Author: Alexander Marx amarx@ipfire.org Date: Thu Jun 27 07:28:06 2013 +0200
Forward Firewall: added new line at bottom of all ruletables with the "final rule"
commit ac9e77e3ba748c96c670f1215abb4c5bdebe66b4 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 15:25:50 2013 +0200
Forward Firewall: added missing fields to the converters (for dnat)
commit 0ac6c61d3770cbc1fd19e3c5332ab76124cd643f Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 13:54:18 2013 +0200
UPNP: changed firewall chain from PORTFW to UPNPFW
commit f557ea1e596033a79ab1f6df4d57fd90c15a2271 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 13:43:53 2013 +0200
Forward Firewall: removed PORTFWACCESS flushing from rules.pl
commit c12392c0ef3aa71cda43fe38cfd22e4afab5cc5e Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 13:30:30 2013 +0200
Forward Firewall: removed NAT table and txt file.
commit 4f3bd0ca20de32b0020f9be926254d2a201d226a Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 10:29:02 2013 +0200
Forward Firewall: changed layout of "apply-button" (after rules were changed). When using single hosts in rules, the prefix is no longer shown in the ruletable. Default settings for firewall-options changed
commit 8442c93764a38c903fe683ae9533a4d906a2b038 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 09:42:38 2013 +0200
Forward Firewall: removed dmz from forwardfw.cgi
commit 60607a6c75730e94b115cd2351c910bf022648dc Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 09:07:05 2013 +0200
Forward Firewall: removed DMZ from rules.pl (no longer exists, is forward now)
commit 3f09f5309c82ebf8b8518a16aedea8e0aad5e66e Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 07:56:35 2013 +0200
Forward Firewall: convert-dmz now puts converted files into /var/ipfire/forward/config instead of /var/ipfire/forward/dmz
commit 3b2ad4a1bddd2185da6bd500be39ee19694399a7 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 26 07:38:15 2013 +0200
Forward Firewall: moved "firewall default behaviour" from firewall page to firewall-options page. Some changes in languagefiles de and en.
commit 533a2da388be0f83732a07b5a40ec2792fd2fad5 Author: Alexander Marx amarx@ipfire.org Date: Tue Jun 25 12:35:01 2013 +0200
Forward Firewall: reorganised ruletable layout
commit 674f4e9d515233f5356fc502c862b28829736fde Author: Alexander Marx amarx@ipfire.org Date: Thu Jun 20 11:23:43 2013 +0200
Forward Firewall: on every reload of the new firewall-rules the firewall.local is also reloaded
commit ff4770c79ba800a03fea65ffd5153f75e63cf2b8 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 19 13:31:40 2013 +0200
Forward Firewall: changed /etc/init.d/firewall. deleted stop routine and rearranged iptables_init and restart routine Now it should be possible to use /etc/init.d/firewall restart without errors
commit fb0ce57589a8ba724d3c446b612181f6d7f3b8c5 Author: Alexander Marx amarx@ipfire.org Date: Mon Jun 17 12:45:57 2013 +0200
Forward Firewall: cleanup unused code
commit e41b651b4a3b79bb072ac94835e96432ac1968dd Author: Alexander Marx amarx@ipfire.org Date: Mon Jun 17 10:21:24 2013 +0200
Forward Firewall: changed order of LOG and DROP rules for INPUT Chain
commit d9b691e18e59323e14dd37428fe9857ab95246b4 Author: Alexander Marx amarx@ipfire.org Date: Thu Jun 13 10:17:18 2013 +0200
Forward Firewall: added checks if manual ip (src/tgt) is part of a OpenVPN to colour the rules accordingly
commit 8762442c4ece6aaf6b863a7c86aaefb9e47c8be3 Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 12 15:17:12 2013 +0200
Forward Firewall: INPUT Firewall added "ALL" with ip 0.0.0.0
commit ed9ab82c61464a3a719f9662416b58cc83dbf4fd Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 12 15:05:31 2013 +0200
Forward Firewall 0.9.9.7: reordered INPUT POLICY.
commit 690b0bd7618c2b0e7284beaebcf771c02daced1d Author: Alexander Marx amarx@ipfire.org Date: Wed Jun 12 13:00:20 2013 +0200
Forward Firewall: added OVPNBLOCK and fixed rules.pl to correctly get ip address of red iface
commit d2c4a3cab92b07ebf0a01dc745d642429efd8159 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 12 14:14:53 2013 +0200
openvpnctrl: Cleanup flushChain functions.
commit 2181b55552b061ad76dd4126a0c6a0f15de0b288 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 12 12:50:33 2013 +0200
openvpnctl: Flush BLOCK and SNAT chain when needed.
commit 05d4f131e9f96a27249f1e833923ba2790dbd49a Author: Alexander Marx amarx@ipfire.org Date: Tue Jun 11 15:53:31 2013 +0200
Forward Firewall: Implemented INPUT Firewall (extended external access)
Now you are able to define INPUT Rules on every interface ip
commit c31f18b6a901bf02dc9e5e1c8474487a23e4c71e Author: Michael Tremer michael.tremer@ipfire.org Date: Fri May 31 13:31:48 2013 +0200
openvpnctrl: Block all transfer subnets.
commit 7c50b0483420028e1dc5f9b75ea0510b6c775567 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 30 21:55:26 2013 +0200
openvpnctrl: Remove unneeded code.
commit e1eef9d53e80503c97f86587d1f8e0fb99195a96 Author: Alexander Marx amarx@ipfire.org Date: Mon May 27 10:33:50 2013 +0200
Forward Firewall: BUGFIX: When creating DMZ Rules with MANUAL IP as source and afterwards editing the rule, the rule was copied and not just edited. BUGFIX: When using SNAT (outbound) the rule does not seem to work. The NAT_SOURCE chain was on the wrong position in POSTROUTING
commit 4682d02723a3650847c74e1fbfe8d38b75474cec Author: Alexander Marx amarx@ipfire.org Date: Wed May 22 07:43:46 2013 +0200
Forward Firewall: extended the customservices list
commit bac7013b21485ce8a6263bd19a7ba65440ec3336 Author: Alexander Marx amarx@ipfire.org Date: Wed May 8 08:19:03 2013 +0200
Forward Firewall: BUGFIX - when using source Protocol and NO target protocol only the target protocol is shown in ruletable.(But rule is applied correctly)
commit c400fe4c84dbb3c32e38d961f24275b29bc73d8f Author: Alexander Marx amarx@ipfire.org Date: Tue May 7 12:02:17 2013 +0200
Forward Firewall: fixed wrong log Entries INPUT_DROP when connected via Web or ssh
commit cb6148989124a4df35fe4ab256b03106a5121357 Author: Alexander Marx amarx@ipfire.org Date: Thu May 2 15:55:14 2013 +0200
Forward Firewall: restored old settings in graphs.pl. With new Monofont the columnsize is ok now
commit 6fab5bca2a3fc22aa08e7b6691e9f81a259d35ca Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 30 09:58:01 2013 +0200
Forward Firewall: edited rules.pl so that in the rules the ip addresses from the remote ovpn N2N subnet are used instead of the openvpn subnet (because it's only used as a transfer net)
commit 3e79f33fc28e1f33a1b7599205ab86ae455d44c8 Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 30 08:13:54 2013 +0200
Forward Firewall: reordered some rules to get rid of INPUT_DROP messages in log when connected to webinterface
commit 04abd8d95822b660e65cc1a85dac55f2791ae27f Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 29 16:12:14 2013 +0200
Forward Firewall: bugfix: counter failure when adding one host to more than 1 Group
commit eff2dbf8336c3935535a5f5565bfc27c4fccd4bb Author: Alexander Marx amarx@ipfire.org Date: Fri Apr 26 10:24:34 2013 +0200
Forward Firewall: changed sort-order to Sort::Naturally. This Perl Module will be available since core 68.
commit e3c589276a90cfd67070e5e3f8007fc7ead6058f Author: Alexander Marx amarx@ipfire.org Date: Wed Apr 24 11:49:11 2013 +0200
Forward Firewall: if ipsec rw net is set to green subnet, the rules are colored green instead of purple
commit 139a1ab9475c73f4c773d83de17346aca2e4eb8c Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 23 14:21:52 2013 +0200
Forward Firewall: removed devel-tags
commit 6945e46310ca87cd42ca537293db33a77dc35dbe Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 23 14:14:58 2013 +0200
Forward Firewall: rewrote portcheck routine in ovpnmain so that checks for portforwardingports are made against /var/ipfire/forward/nat instead of /var/ipfire/portfw/config
commit 931e1fed53d8b5b74dbf2c2bedafc0399cccc7fe Author: Alexander Marx amarx@ipfire.org Date: Fri Apr 19 13:12:56 2013 +0200
Forward Firewall: added some plausibility checks. Now it is checked if someone enters a manual ip address that is an openvpn client. The colors are set correctly in ruletable when someone enters a manual ip which belongs to an IPsec Network, IPsec Roadwarrior (if iprange set) or openvpn n2n
commit dc82656bf97fef330f5f34ee237426fb53d86708 Author: Alexander Marx amarx@ipfire.org Date: Wed Apr 17 12:02:13 2013 +0200
Forward Firewall: 0.9.9.4a - Bugfix typo in firewallscript, DMZ Link on startpage now leads to firewall instead of dmzpinholes
commit aff15defbc1ade178a1fbbf1fa1b592033d4fb77 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 15 20:29:15 2013 +0200
Forward Firewall: rules for collectd now in firewall-policy instead of /etc/init.d/firewall
commit 53f4c74d9bd0eebf70b4540b688be6d6c3e556ab Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 15 15:02:50 2013 +0200
Forward Firewall: some changes in firewall script to make collectd work
commit 9468a6f71372b680f642cc2c71466db8ce30a186 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 15 12:00:35 2013 +0200
Forward Firewall: Firewall Hits graph now with stacked values
commit ed31c098f5306caf1bf0abefaf7814ccb6636362 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 15 09:50:39 2013 +0200
Forward Firewall: added drop rules to firewall's stop script so that collectd is working
commit be9be7cb5bf598e7d0781559ecd88ad702b58db2 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 15 05:50:20 2013 +0200
Forward Firewall: enabled /var/ipfire/optionsfw/settings in configroot
commit 94ea1f03464ab9434189ec270baa83fc2f2dcadd Author: Alexander Marx amarx@ipfire.org Date: Sun Apr 14 15:10:13 2013 +0200
Forward Firewall: fixed firewall hits statistics and extended it to show input, output, forward, newnotsyn and portscan separately.
commit 6f348fcb9d96d8372fbfca50675736e81eec6661 Author: Alexander Marx amarx@ipfire.org Date: Fri Apr 12 12:39:57 2013 +0200
Forward Firewall: edited include file of backup.
commit 08e1c65d856ef4931dd641cdffe75ff75238e286 Author: Alexander Marx amarx@ipfire.org Date: Thu Apr 11 17:33:22 2013 +0200
Forward Firewall: added SNAT multiport support
commit 98cee89f94b5a7eedbfeaef1a4f1dcbc2c0c73d5 Author: Alexander Marx amarx@ipfire.org Date: Thu Apr 11 10:50:29 2013 +0200
Forward Firewall: Added multiport support to DNAT/Portforwarding
Now it is possible to use multiple ports under DNAT when TARGET has no Port, one Port or one Portrange defined
commit ed618226bb7f03b3a12155d8f2d1bcdb58adb566 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 8 15:32:49 2013 +0200
Forward Firewall: little changes in ruletable layout. (Headline)
commit d526a95bf105e787d8432af4bf9d4ba1f165d781 Author: Alexander Marx amarx@ipfire.org Date: Thu Apr 4 14:18:04 2013 +0200
Forward Firewall: some changes in en.pl and de.pl. Also adapted "apply" button in fwhosts.cgi
commit bc912c6e0c34bfd81a915b3f2774fc6b848990ff Author: Alexander Marx amarx@ipfire.org Date: Thu Apr 4 13:02:50 2013 +0200
Forward Firewall: Version 0.9.9.2
1) Some changes in en.pl 2) DNAT now supports REJECT/DROP rules 3) Bugfix: comma in remark customservicegroup 4) improved installer
commit e09884e04f0aab0c9b4f2f3d22f9f653e93d0cb9 Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 2 11:24:22 2013 +0200
Forward Firewall: some fixes:
1) Counter was not correctly decreased when deleting a network from a customgroup 2) Convert-outgoingfw improved 3) Backup didn't set filepermissions correctly
commit f7e649ddfbd915136ae5acdad388d0b517e5ea85 Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 2 08:43:18 2013 +0200
Forward Firewall: some typos in dmz-converter
commit a60dbb4b6aef3c4753f3206812ff80d34235e066 Author: Alexander Marx amarx@ipfire.org Date: Tue Apr 2 05:40:50 2013 +0200
Forward Firewall: added dmz-converter.
Also extended backup.pl script to support old backups. Now it is possible to restore old backups into new firewall. On restore, all config files of new firewall will be destroyed and the 4 converters will recreate them.
commit 829697d076d1b74a2499bd3bda6b70cfa56d6b49 Author: Alexander Marx amarx@ipfire.org Date: Mon Apr 1 06:26:58 2013 +0200
Forward Firewall: enabled Portranges for DNAT
commit 6be32fe50454ded7ecbec877db3a05bd87bdcc05 Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 31 16:18:12 2013 +0200
Forward Firewall: bugfix: DNAT now correctly creates rules, when customservice defined as target
commit 28640b7365b6bcd73fd760300c1f994a331fc993 Author: Alexander Marx amarx@ipfire.org Date: Wed Mar 27 12:36:19 2013 +0100
Forward Firewall: fix NAT-rules: iptables rule was not applied correctly in PORTFWACCESS
commit 82e136591e5dbe3366f2a8d3f9129b98603ad620 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 26 08:35:45 2013 +0100
Forward Firewall: bugfix
1) When editing a NAT rule, error message "port already used" fixed
commit f0da8d53d02633030dafe6ad301488e8946ffccd Author: Alexander Marx amarx@ipfire.org Date: Fri Mar 22 07:55:17 2013 +0100
Forward Firewall: Version update forwardfw.cgi
commit 218b3341b6fd9da564ee876c08d8bf2c1b0ec78d Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 21 17:34:30 2013 +0100
Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set to REJECT
commit fb61ec6715f8bcf9005477563a6449f51725f286 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 21 14:36:29 2013 +0100
Forward Firewall: Bugfix: blue was allowed to connect to everywhere if forward firewall was open
commit 8343fd125091b3530a76609e8ec17dbf9f63ed69 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 21 10:35:07 2013 +0100
Forward Firewall: Fix converter-outgoingfw. Produced wrong counters while converting
commit f833ef4660862fce522799582957a64b2159ea72 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 21 07:47:28 2013 +0100
Forward Firewall: fixed layout of deleted host in custom group changed version nr in forwardfw.cgi
commit 54d6863787ca89d11e59efc1e9d345fd5b9a5eb9 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 21 07:34:05 2013 +0100
Forward Firewall: fixed converter bug: Remark is "0" and Alias ip is taken as ip instead of name
commit 6b681c40d2d1cf9f0a1d6b8cedcce90809680e1d Author: Alexander Marx amarx@ipfire.org Date: Wed Mar 20 11:03:29 2013 +0100
Forward Firewall: 0.9.8.7 Implemented SNAT/DNAT
reorganized firewall chains
commit 93b75f31ad920a2aa96206c2053b70affa135a42 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 19 12:56:38 2013 +0100
Forward Firewall: clean up some files
Fix iptables loop wirelessctrl Fix firewall chain order Fix policies (added comment for statistic)
commit 6397b6e78974f316d9358841120f8e8bb34007f3 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 19 05:39:53 2013 +0100
Forward Firewall: deleted portfw from buildsystem
commit e800ca53b20429a09054c8113517061279258ab8 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 19 05:23:54 2013 +0100
Forward Firewall: delete old Portforwarding from Firewall-menu
commit 9efd8d1c7eb134c71465396a1bdcc5ae52497d80 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 19 05:15:20 2013 +0100
Forward Firewall: delete old portforwarding from system and fix for wlan-firewall part 1 (loop)
commit a6edca5a899eca09c3ccd8cd22c2b7a3223fcdd3 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 19 04:48:23 2013 +0100
Forward Firewall: support for SNAT/DNAT in GUI and rules.pl
commit 2669161dab909e57a6642c2dea8d5a70900f4f12 Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 17 13:49:57 2013 +0100
Forward Firewall: Added support for DNAT/SNAT to forwardfw.cgi
commit ddcec9d339162ee49d7973f815e03d8da5e973cd Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 14 16:24:52 2013 +0100
Forward Firewall: Firewall sets Internetdevice correctly now (was always red0)
commit f2ab6fba4afa7bc13a7549fade339eebc63c537b Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 14 06:11:28 2013 +0100
Forward Firewall: 1) Custom Hosts: now 17 chars can be entered into IP/MAC field 2) Forwardfw: Bugfix: When no alias is set and IPFIRE is selected as target, no target address is recognised 3) Forwardfw: Now source and Target addressfield (manual) are set to 17 chars maxlength. 4) Converter: Bugfix: When starting converter from commandline, all hosts are entered into groups again.
commit bedb72f3d42cf71be128cf7c803baa53495af6e3 Author: Alexander Marx amarx@ipfire.org Date: Wed Mar 13 08:50:32 2013 +0100
Forward Firewall: moved ruleaction-dropdown from top to target area. some layout changes in forwardfw.cgi (when no alias exists, the dropdown after ipfire is not shown)
commit 05612a544bf60d233704be5995241d2354dbde91 Author: Alexander Marx amarx@ipfire.org Date: Wed Mar 13 06:02:35 2013 +0100
Forward Firewall: fix converter for outgoingfw. remarkfield (new) was not implemented here fwhosts: Some layout changes in tables (cellspacing='0')
commit d58677779f0a678a5495a4b198fc4dfd2fcc6893 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 12 14:51:34 2013 +0100
Forward Firewall: forgot to delete devel-comment
commit fccf52cf7eb362d88dca279b4fd4464dba92d6ce Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 12 14:46:16 2013 +0100
Forward Firewall: fixed a bug in convert-outgoingfw. The hosts are created with wrong amount of fields in hasharray. Also fixed a bug which sets wrong firewall mode for FORWARD when outgoing rules are used.
commit 21b9a50c68d9c42e56a525c9745f638266469a39 Author: Alexander Marx amarx@ipfire.org Date: Fri Mar 8 08:58:22 2013 +0100
Forward Firewall: changes in de languagefile
commit 472136c9271f162ab65b224225fe3e478a77ccb4 Author: Alexander Marx amarx@ipfire.org Date: Fri Mar 8 08:38:41 2013 +0100
Forward Firewall: Fix ruletimes. Now the timevalues which are entered in the gui are saved to the rulefile. When rule.pl is called, the script calculates the difference to UTC time and sets the iptables times accordingly.
With this approach there's no need to save if the times are created in summertime or wintertime.
commit ef6f983b1724f9b3ac4d5d4f5ba45288985c44fc Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 7 10:01:24 2013 +0100
Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d/firewall deleted ACCEPT OUTGOINGFW related,established from POLICYOUT
commit a0f267b92c63d8f1ac374073847766873e5fc445 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 7 07:43:28 2013 +0100
Forward Firewall: removed --kerneltz from rules.pl. New function timeconvert in forwardfw.cgi takes care of timeconversion now
commit c773075074acff71cb574f67fd450f86bf7f6dc1 Author: Alexander Marx amarx@ipfire.org Date: Thu Mar 7 06:35:03 2013 +0100
Forward Firewall: Try to implement a timeconverter for Rules. New function timeconvert should convert localtime against gmtime.
commit f69ea1c7c59cdeb664cbc93eae60a538191ed44b Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 5 11:33:21 2013 +0100
Forward Firewall: New Version 0.9.8.2
commit 7874d8200d10669bc7ab8c69c119fa62cbc8c69c Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 5 11:21:13 2013 +0100
Forward Firewall: wrong <font> Tag leads to a sidemenu with small font
commit f38e0c4de02235f31fbff715af6dde0fcd62a78f Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 5 09:47:21 2013 +0100
Forward Firewall: added --kerneltz option to timeframe
commit b3f4a4efcf1c8dae2804a879b7f59559935f4b26 Author: Alexander Marx amarx@ipfire.org Date: Tue Mar 5 06:00:07 2013 +0100
Forward Firewall: Fixed ruletable (view of protocols)
commit 8cb1afc817acdf6228a13ed097b514c4ed4cfb6c Author: Alexander Marx amarx@ipfire.org Date: Mon Mar 4 20:56:20 2013 +0100
Forward Firewall: Bugfix: When having more than 1 ICMP rule in a group, the rule is not created.
Also changed (INPUT) to (Input) in firewall-options
commit a7d7f5a3da6ed8905c01c7987acaeadbdca9aa5c Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 3 20:29:29 2013 +0100
Forward Firewall: Added versionnumber on bottom right of firewall.
commit dc33c23b1fa602ab80e7b0b4422ca2019caa24fc Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 3 20:12:34 2013 +0100
Forward Firewall: Updated strongswan patch provided by Michael. (Changes _updown script from FORWARD ACCEPT to RETURN)
commit 36e9534f244f05b93119f4b6ddae47717acdc062 Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 3 06:12:01 2013 +0100
Forward Firewall: Added configoption in Buildsystem -< POLICY2='DROP' (for POLICYIN)
commit a9b3ae26a3e158c3c94cdb169ae55b6af4eb40d4 Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 3 05:59:42 2013 +0100
Forward Firewall: /etc/init.d/firewall now creates POLICYIN
commit d47bb8a1adbaadcc1e50231be850853f2d097249 Author: Alexander Marx amarx@ipfire.org Date: Sun Mar 3 05:14:22 2013 +0100
Forward Firewall: Added Firewall-Options for INPUT Policy (DROP/REJECT) and built a new INPUT-POLICY in firewall-policy.
commit dafaa4142779c7f9a63b481f23df4cec95c5f03c Author: Alexander Marx amarx@ipfire.org Date: Sat Mar 2 12:43:16 2013 +0100
Forward Firewall: update _updown on build
commit fd4d137dbe29bab16761f5fa90ee200a6725fe19 Author: Alexander Marx amarx@ipfire.org Date: Sat Mar 2 06:11:16 2013 +0100
Forward Firewall: deleted outgoingfwmac, is now useless
commit 443a6e8a5f95fbea7dbb9efe254f166be7e38b35 Author: Alexander Marx amarx@ipfire.org Date: Fri Mar 1 10:43:25 2013 +0100
Forward Firewall: deleted creation of OVPNFORWARD and the accept rule.
commit ec329c069981d096bc38a1787ca1b04722dc40ed Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 28 09:49:45 2013 +0100
Forward Firewall: fixed typo
commit 97e2e7b4b72dc635f3b8cb79d16198ad4a966f50 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 28 08:27:16 2013 +0100
Forward Firewall: Layout change: All dropdowns now have the same size
commit 223d3b1dca93f96ed104990bd256a664150360e5 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 28 08:13:13 2013 +0100
Forward Firewall: changed "Internet" to "INTERNET" in dropdown (Target)
commit a615cab30e57f39cc891d75a195e1df4bf4e21f3 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 28 07:30:24 2013 +0100
Forward Firewall: reordered Firewall Menu and changed header.pl to reflect the new menuposition for Blue Access
commit d998784149c62299aa7c417b7a7919c3d9abdcf7 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 28 06:05:32 2013 +0100
Forward Firewall: added an option to firewall-options to show all dropdowns on rulecreation site.
commit 8013bd0ac28ac8daee7bae5ebcfe4c9fd8154310 Author: Alexander Marx amarx@ipfire.org Date: Wed Feb 27 14:23:20 2013 +0100
Forward Firewall: Changed layout of rulecreation. Now only the dropdowns for configured networks are shown on the site Also changed fwhosts.cgi (custom groups) to the same feature
commit 92e4ae9db1334acf481a60656004b289b0accf80 Author: Alexander Marx amarx@ipfire.org Date: Wed Feb 27 05:35:41 2013 +0100
Forward Firewall: Some changes in language files and layout in fwhosts.cgi
commit 88f18201c74a911303b8ba023830c5e068794a21 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 26 15:33:27 2013 +0100
Forward Firewall: changed menu to show access to blue correctly
commit e2619c15215a9f86773e3bb84056b1f651261ec6 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 26 14:40:16 2013 +0100
Forward Firewall: Typo
commit 770140a7bfb302261d1e79d3b9add20be6b2b7ed Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 26 14:34:30 2013 +0100
Forward Firewall: removed some text in p2p-block and changed dropdown to radiobutton in optionsfw
commit 3f8d9da3000a6f2268fc2c3c9b724d593a079f8e Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 26 13:41:23 2013 +0100
Forward Firewall: reordered 50-firewall.menu
commit 5b375ca7e640361701497ae451a4892e7ec5334e Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 26 06:16:14 2013 +0100
Forward Firewall: added a 1px high line after each rule, so the coloured borders look better
commit 3f6bba6dbb92a41ccbe5f63753c98cb6658e06bf Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 21:40:09 2013 +0100
Forward Firewall: Forgot to delete a dev-comment
commit 25dd450cbae6159727dfeff231da9573a075b4f9 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 21:25:53 2013 +0100
Forward Firewall: Bugfix: Error appending or writing comments in rule
commit 31fef6cc2d8c19fb7b5a86529b4b98bc2d4fd85f Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 13:56:48 2013 +0100
Forward Firewall: rules.pl supports now DMZ rules. These rules are applied first
commit d603d1dee0376f6816e9643c8a332780cd112d93 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 13:22:43 2013 +0100
Forward Firewall: disabled some dev-comments
commit 5aa8edf6f794691843e13f0febfb29ee0ccf18d7 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 13:11:13 2013 +0100
Forward Firewall: some changes for ISO
commit 515863e299fd11273cf06cc3d2a5ecd673553a1f Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 25 13:03:54 2013 +0100
Forward Firewall: Some further layout changes. 1) New textfile for DMZ rules 2) Tablegroups are shown on firewall site 3) Option in firewall-options to disable empty ruletables 4) Infotext on P2P-Block site
commit 30d80ed42a716aa35c5827a4ec513e2925638da9 Author: Alexander Marx amarx@ipfire.org Date: Sat Feb 23 20:28:47 2013 +0100
Forward Firewall: added p2p-block.cgi to apache2
commit f83227921516681f642ce29e4f9121d6341e1d99 Author: Alexander Marx amarx@ipfire.org Date: Sat Feb 23 06:33:15 2013 +0100
Forward Firewall: minor changes in ruletable
commit 6ca0b0f5fbfdfe4875a38b7ffc47d2af56efd9ec Author: Alexander Marx amarx@ipfire.org Date: Sat Feb 23 06:21:42 2013 +0100
Forward Firewall: made colored borders in ruletable thinner (1px) and changed remarkline
commit af768a7e80bb8fb3b25bfd8f13a4a0561927f9e2 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 13:04:30 2013 +0100
Forward Firewall: removed cellspacing and black lines between rules in ruletable
commit 96502a5a67692ae5fb06b9a83799c64040ced1df Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 11:27:30 2013 +0100
Forward Firewall: New Firewall-option "show remark in ruletable"
commit 289d82ad6e87b8b22b6cb90d3b16fb1a6721734c Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 10:12:59 2013 +0100
FORWARD Firewall: edited ruletable to look better on IE
commit ba6f69f76943a83fece4a12fb632f9ad166edff3 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 10:01:27 2013 +0100
Forward Firewall: added newlines between groups in tablerule
commit d9a4000ba84beb88853a43a7301633b590c79abb Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 09:50:22 2013 +0100
Forward Firewall: show default policy left aligned
commit e638799b12ce108b6a13cfb3e8a180c56f4d3b9c Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 09:33:05 2013 +0100
Forward Firewall: fixed Table in servicegroups and hostgroups
commit 1031c2e4a919e510e09dc975ce1567493841d2c5 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 09:12:25 2013 +0100
Forward Firewall: added color for target "internet" (RED)
commit e28356b92834e75f09756de76e3cb139e9b72e9c Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 08:28:48 2013 +0100
Forward Firewall: added default option SHOWCOLOR to options and refined default behaviour of firewall in forwardfw.cgi
commit 562d24b8169ac043b2ab4ebf160862b25e88097e Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 06:43:11 2013 +0100
Forward Firewall: Some minor changes in Language file timeframe:->timeframe
commit 5dd84c259d95ee2fc2967326388d5cc73af4eabc Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 22 06:25:26 2013 +0100
Forward Firewall: Minor Layout changes
commit 12a43202a6fb6a9b80664ebcf01792928c57c016 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 21 21:53:52 2013 +0100
Forward Firewall: bugfix converter->default forward mode is now set correctly some layout changes
commit b324de14db6c48823e570a285c91bb18593f02ff Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 21 16:40:47 2013 +0100
Forward Firewall: fix wlan clients now working with forwardfw
commit 15add1c8afbbc8eed5dd9d9649049109dbce8d58 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 21 15:00:03 2013 +0100
Forward Firewall: changes in rule layout. new Option in firewall-options: it is now possible to select if the colors are shown in ruletable
commit 7bf83f9d39d3101ac096b42d0fc43a8caef97c5e Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 21 10:26:55 2013 +0100
Forward Firewall: moved p2p-block to a seperate cgi and deleted it from forwardfw.cgi
commit 6128ded855eefc07abc6904490cfed055e35647b Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 21 09:34:07 2013 +0100
Forward Firewall: convert-outgoingfw now supports outgoing rules
commit f80db6a4ceb985e14a5bc85134bafbd0b3c34416 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 16:30:41 2013 +0100
Forward Firewall: Bugfix: on update of network or hosts and changing remark to invalid value, the remark was saved
commit be5698ef6688c770f422011875b2d6451af017d8 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 15:41:03 2013 +0100
FORWARD FIREWALL: Some Typos in language Files
commit e5a058c131806586e53c44d5ecca7e1d4a926f84 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 15:24:24 2013 +0100
FORWARD FIREWALL: added remark in custom networks
commit 046d88c2d0f5718a8efbd5cbee5e2f4e1b5f4dbd Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 06:48:00 2013 +0100
Forward Firewall: outgoing converter is now able to set default policy correctly
commit c178bf21c1e6d68be2fca6763e8e4b8493304d32 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 06:34:48 2013 +0100
Forward Firewall: added Policymode for OUTGOING to converterscript
commit d928d79566cd802f85cd38bcd8bd76f4bb112547 Author: Alexander Marx amarx@ipfire.org Date: Tue Feb 19 06:29:32 2013 +0100
Forward Firewall: some extensions for remarks
commit 6563800485c11292341c931ccf8aadb281eaa2c8 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 21:20:51 2013 +0100
Forward Firewall: Fixed typo
commit e3580608b3cd6695980e2ace6eae4f969d71e070 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 21:13:07 2013 +0100
Forward Firewall: added remark field to custom hosts and host table
commit d0815ce43f84bf53f31f2a51ba4fb768d6c12e4d Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 16:10:42 2013 +0100
Forward Firewall: Fix 80,81,83 (Forum): Apply Button now on group and rule site; remark can be deleted; - and . are allowed in Hostname
commit 0b54aaede3702dcaf76e3d4b50fd5ca591e8fe13 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 12:28:30 2013 +0100
Forward Firewall: when creating a second group of services, the cached port and protocol from first group are shown in table
commit aa8647835d948bf7261fb49ba26054b8789b61d8 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 10:41:19 2013 +0100
Forward Firewall: Finalize integration of OUTGOING into firewall
commit 35fb91640a78eb4c58c0ecab50f317d8bd4341da Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 18 05:36:18 2013 +0100
Forward Firewall: Fixed Firewall-options (preselection of new Dropdown) for outgoing firewall default behaviour (DROP/REJECT)
commit 4e62b47f3371f261d3a295faab9083063b5fbad1 Author: Alexander Marx amarx@ipfire.org Date: Sun Feb 17 21:53:18 2013 +0100
FORWARD Firewall: integrating OUTGOING Firewall Part 2
commit 5d7faa4518d894f90218c216bb2fb86e69f46b2a Author: Alexander Marx amarx@ipfire.org Date: Sun Feb 17 13:58:35 2013 +0100
Forward Firewall: First part of adding OUTGOING to the firewall
commit d7127db8fb715f13b87cbce980137c2879a1d64e Author: Alexander Marx amarx@ipfire.org Date: Sun Feb 17 07:03:43 2013 +0100
Forward Firewall: Savepoint 2. Moved checks if rule has changed to function saverule to take care that rules are only deleted if there's no error
commit c7043621fc4cf73f30749d21310a8569fbf1c78f Author: Alexander Marx amarx@ipfire.org Date: Sun Feb 17 06:34:39 2013 +0100
Forward Firewall: savepoint 1. Trying to add OUTGOING to the firewall. actual working:
Create OUTGOING Rules, change external access or forward rules to outgoing ones. Missing: rules.pl needs to be updated
commit 6ba1cd4ceba9d4b343e5afb47e206e7a507f226c Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 15 13:28:27 2013 +0100
Forward Firewall: ; is now allowed in Ruleremark
commit 3f8fe51ef093987c5633a9564648b1d3fe2e5087 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 15 13:24:34 2013 +0100
Forward Firewall: When editing a group and deleting an entry, the next mode is also updated
commit d13a936349b048eb5515699fea46c7242b9c95ac Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 15 08:15:51 2013 +0100
Forward Firewall: Last rule in servicegroup is not deletable if group is used
commit 2cee24627a50955ee1ab6b1414ce9d5aa7feeb2c Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 15 06:21:00 2013 +0100
Forward Firewall: Changed "apply" button to be more eye-catching (red font) also some minor bugfixes (The last entry in a used group can not be deleted)
commit 6c8699612cdb1fec557f02b2e4ee22750e7b1ff7 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 14 17:23:11 2013 +0100
Forward Firewall: added extra button for changing remark
commit cd9d9d8a13405e380ad0422d2b47f48d9ef1f8a4 Author: Alexander Marx amarx@ipfire.org Date: Wed Feb 13 13:31:55 2013 +0100
Forward Firewall: added "apply" button to groupmanagement. Now the user can make all changes and finally click the apply button to reread firewall rules. Also added a comment in de.pl and en.pl which should remind the user to click the button.
commit 12dcfbbdbe38f8b81a3969f70516511ec779d011 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 11 05:51:42 2013 +0100
Forward Firewall: Portfw now working and firewall closed correctly
commit 8f204435d41f19c0e79b3ab0fb364606b8eb1522 Author: Alexander Marx amarx@ipfire.org Date: Sun Feb 10 10:53:16 2013 +0100
Forward Firewall: When a group has only one entry and the group is used, it is not possible to delete the group
commit 0918e51633a3c1582ce075b6e6dc71d0a07566be Author: Alexander Marx amarx@ipfire.org Date: Sat Feb 9 13:46:25 2013 +0100
Forward Firewall: fixed repositioning function and Networks or broadcasts are now allowed as target
commit 5de39dea9c1ebbdf7c2a9407dafd3900677ac9db Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 8 11:03:06 2013 +0100
Forward Firewall: If editing an external access rule and producing an error, the FORWARD Rule with same ID is displayed instead of INPUT rule
commit 13e5dda402cac2e441d029459e152750c2493e7f Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 8 10:33:04 2013 +0100
Forward Firewall: when editing a group the rules where not read correctly, because of wrong COUNT
commit 5e9707230693d7f3e180ec6a711f54dd0c224ab7 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 8 08:07:45 2013 +0100
Forward Firewall: Fixed a problem where editing a host and then pressing F5 created an empty entry in customhosts
commit bfac6bd4dc79788c16d66b29b84d3ecb6d105653 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 8 06:00:41 2013 +0100
Forward Firewall: when a service is used in a servicegroup, it was not updated when editing the service
commit ed73b87ece9ecefd829dde86cc3a559172d3bbcd Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 7 15:24:19 2013 +0100
Forward Firewall: some code optimizations
commit 0013abb07c6dda5f4a67ec2a2025e8d1007c4417 Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 7 13:17:25 2013 +0100
Forward Firewall: changed sortorder of servicedropdown in servicegrouping. catched F5 when editing a host-Now no entry is saved in customhosts table theres only the IP shown (deleted subnet)
commit bfee206c989a77ae56701aec25a435262dcda1ee Author: Alexander Marx amarx@ipfire.org Date: Thu Feb 7 12:12:11 2013 +0100
Forward Firewall: When changing a service which is used in a rule, the rule was destroyed. Now the configfiles of the firewall are adapted as needed.
commit 5edf47ffbac2f7a8a668c8b64addd767c3df306b Author: Alexander Marx amarx@ipfire.org Date: Wed Feb 6 15:14:15 2013 +0100
Forward Firewall: Bugfix: now the Protocols are corrected in the tablerule if a servicegroup was used
commit 7772ae734e9bc926c19adfbd9333471cdf300f6f Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 4 15:36:37 2013 +0100
Forward Firewall: extended the accepted chars for group and service names. Now / ( ) and _ are allowed, too
commit fb70d3d54035db1c7427f8d42570980199455190 Author: Alexander Marx amarx@ipfire.org Date: Mon Feb 4 11:21:33 2013 +0100
Forward Firewall: changed sortorder of customhosts and bugfix when remark is changed
commit 937d4e0892956a054f012f9f6d4ce5b1e03227f0 Author: Alexander Marx amarx@ipfire.org Date: Fri Feb 1 13:18:15 2013 +0100
Forward Firewall: redefined layout of customservicegroups and some layout changes
commit 20c00d4bdf1114b983c71d2557dcdb0b067e87e0 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 31 20:52:56 2013 +0100
Forward Firewall: BUGFIX-CustomGroup sort order
commit d6bdebd47d1c163dae1fbde6b6758d58ec66d67b Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 31 08:45:04 2013 +0100
Forward Firewall: fixed icmp-types and deleted dmzholes chain
commit 8f1634ffbc7b3d039088bf80c85c3bcf2eeaf56c Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 31 07:33:47 2013 +0100
Forward Firewall: firewall policy dropdown - resized
commit 53f3a4c82dcbcc95118635bf89e67876ccb79206 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 31 05:48:20 2013 +0100
Forward Firewall: Typo in en.pl
commit 2b9460abfa947eb91b391e4e97daa95ee7bc87fc Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 31 05:17:41 2013 +0100
Forward Firewall: changed firewall modes from mode1,mode2 to "allowed" and "blocked". Also new descriptiontext.
commit 0b14d3d9b14ee36a01a67d83591ede814cc9f92d Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 16:28:18 2013 +0100
Forward Firewall: fixed portforward rules. Now possible even if firewall in mode1
commit 5b7ed8bbae95651ff9098b90466bb815d2361f5f Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 15:24:57 2013 +0100
Forward Firewall: Tablegroup DMZ and WLAN now only show the own rules
commit 6adcf1569cf30ca399ae0aacb9e86c06fff4ffc6 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 13:34:54 2013 +0100
Forward Firewall: set standard rules for blue in mode 2
commit e974ced8c5a280554d4034e60647188e109fe9a1 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 10:27:38 2013 +0100
Forward Firewall: when resetting firewall, an error was generated in log, because there's no reread file
commit 210ee67b5354f513a71a74df2633e2d3e0ddad95 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 09:14:01 2013 +0100
Forward Firewall: deleted mode0, added default Mode2 and fixed /etc/init.d/firewall to reload the rules correctly on reload. Also made it possible to create broadcastrules (To drop broadcastpackets)
commit 7bd9d462de4035d508b108ab0bedc3fda87e1326 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 30 06:22:59 2013 +0100
Forward Firewall: Deleted MODE0 from WEB Interface and added a table for DMZ-Rules.
commit 0f869e32d4ea1f56e84cb61578964adf6eec7659 Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 28 06:12:51 2013 +0100
Forward FIrewall: tried to sort servicegroups the right way...not perfect now
commit 85dc70c746cd8fe0b602c0e98f2cc4b2232507ec Author: Alexander Marx amarx@ipfire.org Date: Sun Jan 27 13:20:33 2013 +0100
Forward Firewall: Fixed a bug in servicegroup-Tableview
commit 70d38e5089fcd9de5a595dc5e08563104eba65ea Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 26 21:11:21 2013 +0100
Forward Firewall: fixed converterbug and added ruleposition to new rules in forwardfw.cgi
commit e3afaf8890558beb5e399efe2f8fa6cbd9123b91 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 26 19:49:24 2013 +0100
Forward Firewall: bugfix: network ip was treated like single host
commit f1ec713da7db766dc3593c99b9b5c5cbc6efdb86 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 25 12:18:28 2013 +0100
Forward Firewall: minor changes, layout only
commit f3fb9b64ac9a15703827454e7f67bc6754af9c5c Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 24 17:37:34 2013 +0100
FOrward Firewall: disabled p2p table border
commit 47a40c972633d9e817d58d5f0212ba47006b4973 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 24 14:20:01 2013 +0100
Forward Firewall: set P2Protocols default to "off"
commit 45cfd811310ad839d8cc6b7358cd9074bf43ae80 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 24 12:50:33 2013 +0100
Forward Firewall: deleted 22-outgoingfwctrl
commit a57a5709a40580f68c4b2ecfd13d3a989ad7d4da Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 24 05:25:58 2013 +0100
Forward Firewall: changed Layout of P2P table
commit 4b147d950b148500c5ec04a9f13e04f8b2e1ad96 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 23 15:06:21 2013 +0100
Forward Firewall: deleted symlink to outgoingfwctrl from lfs/initscripts
commit ed62bbfb521de113f824228fed88f2f8f962035a Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 23 05:51:30 2013 +0100
Forward Firewall: changed sortorder in group tables
commit 04f24153fcb06d29411569d19784430e16eee237 Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 22 12:28:14 2013 +0100
Forward Firewall: edited language file en.pl and changed 'protocol:' to 'protocol' because in de.pl it is also just 'Protokoll'
commit 8d1beadce31786cc87afc01880d731c8a19e120f Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 22 05:42:46 2013 +0100
Forward Firewall:
1) fixed the outgoingfw converter: the logging checkbox is now converted correctly 2) edited p2p_block: a checked protocol is now allowed
commit 3b81fad442d9078bc9131e731ce2034656bcb165 Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 21 21:47:32 2013 +0100
Forward Firewall: converter now creates CIDR format from IP addresses
commit 5238a8719d75273e5e52f083c0c10cbe9e3ea312 Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 21 21:26:44 2013 +0100
Forward Firewall: minor improvements, if an outgoingrule has a given port and prot "all", there are two new rules generated for UDP and TCP. If an outgoingrule has only "all" as prot, but no port, there's only one new rule created
commit 5a9fd5dbd1af37c5ecf3608333486716cf43354b Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 21 14:49:21 2013 +0100
Forward Firewall: extended converter
commit 25c4997947301c3be6407fece18e4ef652e59285 Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 21 05:54:20 2013 +0100
Forward Firewall: edited colspan for timeframe from 6 to 7 edited de.pl and changed "Port(s) manuel" to "Port(s) manuell"
commit 61068ee1a4b6d4c029da662f4d8f3bcfa1734909 Author: Alexander Marx amarx@ipfire.org Date: Sun Jan 20 20:36:11 2013 +0100
Forward Firewall: Some more checks to check remark if rule was edited
commit 43902ae5a274e33f0e0bd14787bac49aa827bcc8 Author: Alexander Marx amarx@ipfire.org Date: Sun Jan 20 13:18:47 2013 +0100
Forward Firewall: Bugfix: when editing a rule it was possible to enter invalid chars in remark
commit 9edb1d7a8e5e70c1ebe3d8f4197770e1c1c5d4e3 Author: Alexander Marx amarx@ipfire.org Date: Sun Jan 20 05:54:04 2013 +0100
Forward Firewall: edited Backup.pl. If someone put /var/ipfire/outgoing into /var/ipfire/backup/include, the rules are backed up and need to be restored. Now the backup takes care of this and checks if there are old rules to convert.
commit 879462965387442e12cbade08cc20e3498c7672a Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 19 21:21:18 2013 +0100
Forward Firewall: edited convert-outgoingfw. When a Protocol ESP or GRE is used AND a Port is selected (in old system), the rule was not converted successfully.
commit 99e698d03387f4ad40db1d2bd737c0d6cdc55a23 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 19 20:51:12 2013 +0100
Forward Firewall: Minor changes...
1) improved convert-outgoingfw. source was wrong when tun+ interface 2) target had always a ":" in ruletable 3) convert-outgoingfw bugfix: ports where not cleared for next rule
commit 93a5f4a5821f92be219be12696de86ff8641395c Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 19 14:09:50 2013 +0100
Forward Firewall: implemented new column "protocol" in ruletable
commit 8b3dd79147c3804e5f8944eef5c22380788ac348 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 19 07:24:08 2013 +0100
Forward Firewall: deleted comments from converterscript
commit 8f0b047b4ba13521dfd782d0d164a2efec12cba1 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 19 07:15:25 2013 +0100
Forward Firewall: implemented multiport support for source and target ports
commit e0800c21db6316f0a41461f2e02fc7565d7c1a49 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 10:58:33 2013 +0100
Forward Firewall: Edited Backup.pl so that any old backups get converted to new firewall. Afterwards the directories /var/ipfire/outgoing and /var/ipfire/xtaccess are removed!
commit cf576a12e54b51f563dccc77b783fce7de6b5768 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 10:18:25 2013 +0100
Forward Firewall: Bugfix: when editing an rule, the default ACTION (ACCEPT,DROP,REJECT) was set depending on Firewallmode. Now it checks, if a rule is edited and value is set to rule action
commit 99e5d97623e86562756166eba2cb8e504fad3646 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 10:00:21 2013 +0100
Forward Firewall: removed newline when processing rules.pl
commit d7dc9718d31def634485a1b975a8a8e2a4c8bd4f Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 09:40:59 2013 +0100
Forward Firewall: edited rules.pl, so thatrules are created when source and target are 0.0.0.0/0.0.0.0
commit 8910ee647c5aaae0d05e61ca61939a7cfb60ac83 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 09:23:13 2013 +0100
Forward Firewall: Removed console output from outgoingfw-converter
commit 2833f5678e79bdd178d71edf947c5b37f5ccc6d7 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 08:53:51 2013 +0100
Forward Firewall: changed LOG directory to /var/log/converters
commit 27f4a6b159d9b040feffa8b06784fc71965fac2e Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 18 08:35:25 2013 +0100
Forward Firewall: added converters for old exaccess rules and old rules from outgoingfw and old firewallgroups. Also fixed a Bug: Day SUN was not checked when in rule-edit mode
commit af49e3672351be5c1bad9958dfbd70bb638ffb45 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 16 06:12:34 2013 +0100
Forward Firewall: edited p2pblock call in rules.pl
commit bcbf1b8ebe50b470c8ad6e63cb9519c3fea37499 Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 15 13:07:59 2013 +0100
Forward Firewall: Bugfix: when using ESP or AH as target protocol, no rules were created
commit 7f9d1c39693c49b767a40dd226b47adf83ffbef1 Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 15 12:37:27 2013 +0100
Forward Firewall: added p2protocols to /var/ipfire/forward/ for p2pblocking options
commit 36196d0d6439f83e8aaff92f186dba32f8f47eeb Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 15 12:31:09 2013 +0100
Forward Firewall: added P2P Block Option
commit bc3297257288edb70f77c74009669ddb901492ff Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 15 05:04:33 2013 +0100
Forward Firewall: set standard config for Firewall
commit 9ee07ee5d2744bb7a55769bc6afb9ce21addb853 Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 15 04:56:26 2013 +0100
Forward Firewall: updated de.pl
commit d1f01304ffd334ee6ccf42a62f20de72ccc2bbde Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 14 14:15:18 2013 +0100
Forward Firewall: Added AH Protocol and fixed a bug
commit e44fa0792b3d40b482da5213ebb1c3a9f00f7965 Author: Alexander Marx amarx@ipfire.org Date: Mon Jan 14 13:56:36 2013 +0100
Forward Firewall: BUGFIX: When editing a rule and changing its position, no other changes were saved. Added the DMZHOLES rule to init.d/firewall (but changed DMZHOLES to FORWARDFW)
commit 02da9f7bafcfc563b2d15b8741145631ea9c6a45 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 12 10:51:51 2013 +0100
Forward Firewall: refined routine to check if an existing rule is equal to a new one
commit 68ae5e591c993092e7f8f20abffb7d7d328ed1b1 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 12 10:22:49 2013 +0100
Forward Firewall: fixed routine for rulepositioning
commit 992394d55cd19659a6717f2917e27d5a93a73e37 Author: Alexander Marx amarx@ipfire.org Date: Sat Jan 12 08:07:33 2013 +0100
Forward Firewall: changed hash sorting to get right ruleorder in Iptables
commit 275a92e800636d0ba00daeb65b432d1dcf6c7bed Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 11 13:33:34 2013 +0100
Forward Firewall: hopefully fixed the delete bug: when deleting a rule, it was possible for the rule numbers to get "holes"
commit 1aec05a64e69852338ffd6e1b49e0d9beb9e5fda Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 11 13:21:43 2013 +0100
Forward Firewall: when adding custom hosts or networks the cursor is now in first textfield
commit 2da264ec63eb3091704a6b71cc7f83dc6f07a892 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 11 08:48:20 2013 +0100
Forward Firewall: added possibility to change ruleposition
commit 8dc23ff4fcc6b9f07cdd48abe7991419d255d363 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 10 12:55:56 2013 +0100
Forward Firewall: adapted initscripts/firewall and wirelessctrl.c
Now the Wirelesschains should work with new firewall.
commit 8139398721023908ae3145d18839d2712ce522c8 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 10 12:17:30 2013 +0100
Forward Firewall: edited /src/initscripts/init.d/firewall and misc-progs/wirelessctrl.c
added WIRELESSFORWARD to FORWARDFW (instead of FORWARD) so that rules work commented out DMZHOLES lines in wirelessctrl.c to get rid of booterrormessages (There's no DMZHOLES anymore)
commit 54cb7ff0199cc9a7833038597fee4bfc7dbfeab5 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 10 09:58:38 2013 +0100
Forward Firewall: added check for mac rules
commit b526909163c325956f16fdd90287465aa78ffd17 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 10 09:41:04 2013 +0100
Forward Firewall: BUGFIX: MAC source addresses were not created as rules
commit b9648e583305cc03907e9dde6c459fd8ba71cd0c Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 14:54:31 2013 +0100
Forward Firewall: added Red interface to get_std_network function
commit 485aac63955b1171f5f74525f345fdc4f94663fd Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 14:48:35 2013 +0100
Forward Firewall: Deleted /var/ipfire/outgoing from /config/rootfiles/common/configroot
commit bbc14c234d62afe1cd8b0730265d5c3a57111744 Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 14:44:10 2013 +0100
Forward Firewall: Deleted config/cfgroot/p2protocols
commit 9dafa928db040447cd888d6cd901130bdecfaebd Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 14:42:52 2013 +0100
Forward Firewall: Deleted /var/ipfire/outgoing from configroot and added default values to /var/ipfire/optionsfw/settings
commit 62fc8511664c6646d706aa42927bac53ac6a5b5f Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 10:22:32 2013 +0100
Forward Firewall: fixed 12 Bugs from forum.
1) Added more possible chars in remark: : / . 2) Added "Internet" to std networks to be able to define internetaccess 3) When renaming a custom address, the firewallrules get updated 4) Ports are now ignored when using GRE as Protocol 5) When saving a customservice, the cursor is now in first textfield 6) Added a customservices file to installation with predefined services 7) Added ESP as protocol 8) Fixed counterproblem 9) Dropdownboxes for customservices and groups now sorted 10) Firewallrules now sorted in right order 11) fixed a Bug when defining manual address in source and target, the hint message is no longer displayed 12) When defining an external access rule, the last forwardrule was deleted
commit af8bc0d0a8c6a93277d9bfb6ef959f2cc8005b7d Author: Alexander Marx amarx@ipfire.org Date: Wed Jan 9 09:08:12 2013 +0100
Forward Firewall: added a customservices file with default values
commit fd10a52ca2860678368d162ce6b52b8c1cf25d0e Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 8 11:20:39 2013 +0100
Forward firewall: commented out line in init.d/firewall that all Forward traffic from green is allowed and put it in rules.pl. Now rules.pl allows this traffic when firewall is set to Mode0 or Mode2
commit c0ec19967e4dc75b6e719177af6e258a7b4fd858 Author: Alexander Marx amarx@ipfire.org Date: Sun Jan 6 20:43:23 2013 +0100
Forward Firewall: fixed default entries in /var/ipfire/optionsfw/settings.
commit 3d016366b8c38ed77038f4c1178d8b7afa466115 Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 4 13:25:06 2013 +0100
Forward Firewall: changed languagefiles for loggingoptions in optionsfw.cgi
commit 92788c464b2129302c4fa8b1b3dfec2f329bafdd Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 4 09:44:42 2013 +0100
Forward Firewall: deleted /var/ipfire/outgoing from backup
commit 7f5b2820698c2249b3d8496ec80315be86617f0a Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 4 07:55:24 2013 +0100
Forward Firewall: Changed Buttons and Layout of fwhosts.cgi
commit 74e7001436c27096cd035452bd051a88795ef04f Author: Alexander Marx amarx@ipfire.org Date: Fri Jan 4 05:37:19 2013 +0100
Forward Firewall: Replaced 'drop output' with 'drop forward' in languagefiles. This is for the loggingoption in the firewall options.
commit 6be0579b189df15a1e6775462c0945c41043801b Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 17:30:11 2013 +0100
Forward Firewall: replaced Outgoing-Logging with ForwardFW Logging. And changed Options in optionsfw.cgi from outgoing to forward
commit e534554162a34ae47d135f3df251caac14502628 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 13:29:35 2013 +0100
Forward Firewall: Fixed Bug: When deleting a rule, only the last entry in the list is deleted
commit 9bdb6b504536142e57acf9d967dc29aea47f09cf Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 12:26:44 2013 +0100
Forward Firewall: Deleted outgoingfw.cgi,outgoinggroups.cgi and xtaccess.cgi from /config/rootfils7common/apache2
commit adf41e6f3733955207801ef06665272aaddefd90 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 12:17:06 2013 +0100
Forward Firewall: removed outgoingfw.cgi from /config/rootfiles/core/66/filelists/files
commit c04f132d4947c6fbd41f9c18bc6590bd647e1786 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 12:00:09 2013 +0100
Forward Firewall: removed outgoingfwctrl from /config/rootfiles/misc-progs
commit 231499fcc85bfb6ae4fbb03fbaca2873984be103 Author: Alexander Marx amarx@ipfire.org Date: Thu Jan 3 08:14:28 2013 +0100
Forward Firewall: build iso with new firewall
commit d24a34cbdc529fcb9122ed7f99bc48c4a83263bb Author: Alexander Marx amarx@ipfire.org Date: Tue Jan 1 06:17:06 2013 +0100
Forward Firewall: changed remarkfield to have maximum 255 chars. Changed Layout from viewtablerule.
Signed-off-by: Alexander Marx amarx@ipfire.org
commit 55674e0d3877ac07f71e26e0d07dacc6baf5759f Author: Alexander Marx amarx@ipfire.org Date: Sat Dec 29 07:09:37 2012 +0100
Forward Firewall: fixed Typos
Signed-off-by: Alexander Marx amarx@ipfire.org
commit 14f7cb87b993267a1d76098ab9fa088533af1e18 Author: Alexander Marx amarx@ipfire.org Date: Fri Dec 28 13:29:34 2012 +0100
Forward Firewall: fixed rules.pl error when using manual target address
Signed-off-by: Alexander Marx amarx@ipfire.org
commit 2a81ab0d7701a7afd049d3ca5a28dc4e0fbffd20 Author: Alexander Marx amarx@ipfire.org Date: Fri Dec 28 08:26:07 2012 +0100
Forward Firewall: added new files
commit 111c99ddfa3632a8c2788b9c6d70c5e6d8a1dfd4 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Aug 9 14:02:02 2013 +0200
Forward Firewall: applied all changes as diff and added new files. Also deleted c files from xtaccess and setdmzholes.
Signed-off-by: Alexander Marx amarx@ipfire.org
Conflicts: config/backup/include lfs/configroot lfs/usb-stick
-----------------------------------------------------------------------
Summary of changes: config/backup/backup.pl | 69 +- config/backup/exclude | 2 + config/backup/include | 9 +- config/cfgroot/general-functions.pl | 84 + config/cfgroot/graphs.pl | 37 +- config/cfgroot/header.pl | 5 +- config/cfgroot/p2protocols | 9 - config/collectd/collectd.conf | 5 +- config/forwardfw/convert-dmz | 193 ++ config/forwardfw/convert-outgoingfw | 704 ++++++ config/forwardfw/convert-portfw | 158 ++ config/forwardfw/convert-xtaccess | 141 ++ config/forwardfw/firewall-lib.pl | 256 ++ config/forwardfw/firewall-policy | 91 + config/forwardfw/p2protocols | 9 + config/forwardfw/rules.pl | 610 +++++ config/fwhosts/customservices | 32 + config/fwhosts/icmp-types | 36 + config/menu/50-firewall.menu | 64 +- config/outgoingfw/defaultservices | 34 - config/outgoingfw/outgoingfw.pl | 286 --- config/rootfiles/common/apache2 | 12 +- config/rootfiles/common/armv5tel/initscripts | 4 +- config/rootfiles/common/configroot | 32 +- config/rootfiles/common/i586/initscripts | 4 +- config/rootfiles/common/misc-progs | 6 +- .../rootfiles/{oldcore/68 => core/fifteen}/exclude | 0 config/rootfiles/core/fifteen/filelists/files | 13 + config/rootfiles/core/fifteen/filelists/firewall | 29 + .../66 => core/fifteen}/filelists/misc-progs | 0 .../38 => core/fifteen}/filelists/strongswan | 0 config/rootfiles/{oldcore/24 => core/fifteen}/meta | 0 .../{oldcore/73 => core/fifteen}/update.sh | 51 +- config/rootfiles/oldcore/66/filelists/files | 1 - doc/language_issues.de | 81 + doc/language_issues.en | 82 + doc/language_issues.es | 187 +- doc/language_issues.fr | 187 ++ doc/language_issues.nl | 187 ++ doc/language_issues.pl | 187 +- doc/language_issues.ru | 187 ++ doc/language_issues.tr | 187 ++ doc/language_missings | 701 +++++- html/cgi-bin/dmzholes.cgi | 446 ---- html/cgi-bin/forwardfw.cgi | 2463 ++++++++++++++++++++ html/cgi-bin/fwhosts.cgi | 2198 +++++++++++++++++ html/cgi-bin/index.cgi | 2 +- html/cgi-bin/optionsfw.cgi | 149 +- html/cgi-bin/outgoingfw.cgi | 849 ------- 
html/cgi-bin/ovpnmain.cgi | 98 +- html/cgi-bin/p2p-block.cgi | 134 ++ html/cgi-bin/portfw.cgi | 1177 ---------- html/cgi-bin/upnp.cgi | 2 +- html/cgi-bin/vpnmain.cgi | 4 +- langs/de/cgi-bin/de.pl | 193 +- langs/en/cgi-bin/en.pl | 186 +- lfs/configroot | 83 +- lfs/initscripts | 9 +- lfs/strongswan | 3 +- src/initscripts/init.d/firewall | 332 ++- src/initscripts/init.d/network | 4 +- src/misc-progs/Makefile | 19 +- .../{outgoingfwctrl.c => forwardfwctrl.c} | 10 +- src/misc-progs/openvpnctrl.c | 49 +- src/misc-progs/setdmzholes.c | 162 -- src/misc-progs/setportfw.c | 369 --- src/misc-progs/setxtaccess.c | 168 -- src/misc-progs/wirelessctrl.c | 12 +- ..._ipfire.patch => strongswan-5.0.2_ipfire.patch} | 50 +- 69 files changed, 10099 insertions(+), 4044 deletions(-) delete mode 100644 config/cfgroot/p2protocols create mode 100755 config/forwardfw/convert-dmz create mode 100755 config/forwardfw/convert-outgoingfw create mode 100755 config/forwardfw/convert-portfw create mode 100755 config/forwardfw/convert-xtaccess create mode 100755 config/forwardfw/firewall-lib.pl create mode 100755 config/forwardfw/firewall-policy create mode 100644 config/forwardfw/p2protocols create mode 100755 config/forwardfw/rules.pl create mode 100644 config/fwhosts/customservices create mode 100755 config/fwhosts/icmp-types delete mode 100644 config/outgoingfw/defaultservices delete mode 100644 config/outgoingfw/outgoingfw.pl copy config/rootfiles/{oldcore/68 => core/fifteen}/exclude (100%) create mode 100644 config/rootfiles/core/fifteen/filelists/files create mode 100644 config/rootfiles/core/fifteen/filelists/firewall copy config/rootfiles/{oldcore/66 => core/fifteen}/filelists/misc-progs (100%) copy config/rootfiles/{oldcore/38 => core/fifteen}/filelists/strongswan (100%) copy config/rootfiles/{oldcore/24 => core/fifteen}/meta (100%) copy config/rootfiles/{oldcore/73 => core/fifteen}/update.sh (73%) delete mode 100644 html/cgi-bin/dmzholes.cgi create mode 100755 html/cgi-bin/forwardfw.cgi 
create mode 100755 html/cgi-bin/fwhosts.cgi delete mode 100644 html/cgi-bin/outgoingfw.cgi create mode 100755 html/cgi-bin/p2p-block.cgi delete mode 100644 html/cgi-bin/portfw.cgi rename src/misc-progs/{outgoingfwctrl.c => forwardfwctrl.c} (53%) delete mode 100644 src/misc-progs/setdmzholes.c delete mode 100644 src/misc-progs/setportfw.c delete mode 100644 src/misc-progs/setxtaccess.c rename src/patches/{strongswan-4.5.3_ipfire.patch => strongswan-5.0.2_ipfire.patch} (91%)
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index f9b8302..28e2dd8 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -22,7 +22,7 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
-
+use File::Path;
 my $debug = 1;
 my @include = "";
 my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time);
@@ -64,7 +64,72 @@ elsif ($ARGV[0] eq 'restore') {
 system("cd / && tar -xvz -p -f /tmp/restore.ipf");
 #Here some converter scripts to correct old Backups (before core 65)
 system("/usr/sbin/ovpn-ccd-convert");
-}
+ #OUTGOINGFW CONVERTER
+ if( -d "${General::swroot}/outgoing"){
+ if( -f "${General::swroot}/forward/config" ){
+ unlink("${General::swroot}/forward/config");
+ system("touch ${General::swroot}/forward/config");
+ chown 99,99,"${General::swroot}/forward/config";
+ }
+ if( -f "${General::swroot}/forward/outgoing" ){
+ unlink("${General::swroot}/forward/outgoing");
+ system("touch ${General::swroot}/forward/outgoing");
+ chown 99,99,"${General::swroot}/forward/outgoing";
+ }
+ unlink("${General::swroot}/fwhosts/customgroups");
+ unlink("${General::swroot}/fwhosts/customhosts");
+ unlink("${General::swroot}/fwhosts/customgroups");
+ unlink("${General::swroot}/fwhosts/customnetworks");
+ unlink("${General::swroot}/fwhosts/customservicegrp");
+ unlink("${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customgroups");
+ system("touch ${General::swroot}/fwhosts/customhosts");
+ system("touch ${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customservicegrp");
+ #START CONVERTER "OUTGOINGFW"
+ system("/usr/sbin/convert-outgoingfw");
+ chown 99,99,"${General::swroot}/fwhosts/customgroups";
+ chown 99,99,"${General::swroot}/fwhosts/customhosts";
+ chown 99,99,"${General::swroot}/fwhosts/customnetworks";
+ chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
+ #START CONVERTER "OUTGOINGFW"
+ rmtree("${General::swroot}/outgoing");
+ }
+ #XTACCESS CONVERTER
+ if( -d "${General::swroot}/xtaccess"){
+ if( -f "${General::swroot}/forward/input" ){
+ unlink("${General::swroot}/forward/input");
+ system("touch ${General::swroot}/forward/input");
+ }
+ #START CONVERTER "XTACCESS"
+ system("/usr/sbin/convert-xtaccess");
+ chown 99,99,"${General::swroot}/forward/input";
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #DMZ-HOLES CONVERTER
+ if( -d "${General::swroot}/dmzholes"){
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
+ chown 99,99,"${General::swroot}/forward/dmz";
+ rmtree("${General::swroot}/dmzholes");
+ }
+ #PORTFORWARD CONVERTER
+ if( -d "${General::swroot}/portfw"){
+ if( -f "${General::swroot}/forward/nat" ){
+ unlink("${General::swroot}/forward/nat");
+ system("touch ${General::swroot}/forward/nat");
+ }
+ #START CONVERTER "PORTFW"
+ system("/usr/sbin/convert-portfw");
+ chown 99,99,"${General::swroot}/forward/nat";
+ rmtree("${General::swroot}/portfw");
+ }
+ system("/usr/local/bin/forwardfwctrl");
+ }
 elsif ($ARGV[0] eq 'restoreaddon') {
 if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
 system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]");
diff --git a/config/backup/exclude b/config/backup/exclude
index 8103bb9..41ae8b5 100644
--- a/config/backup/exclude
+++ b/config/backup/exclude
@@ -1,5 +1,7 @@
 *.tmp
 /var/ipfire/ethernet/settings
+/var/ipfire/forward/bin/*
 /var/ipfire/proxy/calamaris/bin/*
 /var/ipfire/qos/bin/qos.pl
 /var/ipfire/urlfilter/blacklists/*/*.db
+/var/ipfire/forward/bin/*
diff --git a/config/backup/include b/config/backup/include
index c863a0e..551b52d 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -15,14 +15,9 @@
 /var/ipfire/auth/users
 /var/ipfire/dhcp/*
 /var/ipfire/dnsforward/*
+/var/ipfire/forward
+/var/ipfire/fwhosts
 /var/ipfire/main/*
-/var/ipfire/outgoing/groups
-/var/ipfire/outgoing/macgroups
-/var/ipfire/outgoing/rules
-/var/ipfire/outgoing/p2protocols
-/var/ipfire/dmzholes
-/var/ipfire/xtaccess
-/var/ipfire/portfw
 /var/ipfire/ovpn
 /var/ipfire/ppp
 /var/ipfire/proxy
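Review bot: Each `rmtree("${General::swroot}/outgoing")` (and the xtaccess, dmzholes and portfw equivalents) runs regardless of whether the `system("/usr/sbin/convert-*")` just before it succeeded, so a converter that is missing or exits non-zero leaves the freshly unlinked-and-touched rule files empty while the extracted copy of the legacy rules is deleted, and `forwardfwctrl` then loads an empty policy. Guard each removal on the exit status, e.g. `if (system("/usr/sbin/convert-outgoingfw") == 0) { rmtree("${General::swroot}/outgoing"); } else { warn "convert-outgoingfw failed: $?"; }`, so the old directory survives for a retry. The `unlink` of `customgroups` and `customnetworks` appears twice and one copy of each can go, and `system("touch $path")` spawns a shell where a plain `open(my $fh, '>', $path) or warn ...` would do (no path here is user-controlled, so this is style, not injection). The `elsif ($ARGV[0] eq 'restore')` branch that this hunk extends begins before the hunk.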
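Review bot: `/var/ipfire/forward/bin/*` is added twice in this hunk, once after `/var/ipfire/ethernet/settings` and again as the new last line, which reads like a merge leftover (the commit record lists `config/backup/include` among the conflicts); drop one copy and keep the alphabetically placed entry. tar tolerates the duplicate pattern, so this is tidiness rather than a functional defect.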
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index 41643d8..c592d5d 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -39,6 +39,90 @@ sub log $logmessage = $1; system('logger', '-t', $tag, $logmessage); } +sub setup_default_networks +{ + my %netsettings=(); + my $defaultNetworks = shift; + + &readhash("/var/ipfire/ethernet/settings", %netsettings); + + # Get current defined networks (Red, Green, Blue, Orange) + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'IPT'} = "0.0.0.0/0.0.0.0"; + $defaultNetworks->{$Lang::tr{'fwhost any'}}{'NAME'} = "ALL"; + + $defaultNetworks->{$Lang::tr{'green'}}{'IPT'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'green'}}{'NAME'} = "GREEN"; + + if ($netsettings{'RED_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'IPT'} = "$netsettings{'RED_NETADDRESS'}/$netsettings{'RED_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'fwdfw red'}}{'NAME'} = "RED"; + } + if ($netsettings{'ORANGE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'orange'}}{'IPT'} = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'orange'}}{'NAME'} = "ORANGE"; + } + + if ($netsettings{'BLUE_DEV'} ne ''){ + $defaultNetworks->{$Lang::tr{'blue'}}{'IPT'} = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; + $defaultNetworks->{$Lang::tr{'blue'}}{'NAME'} = "BLUE"; + } + + #IPFire himself + $defaultNetworks->{'IPFire'}{'NAME'} = "IPFire"; + + # OpenVPN + if(-e "${General::swroot}/ovpn/settings") + { + my %ovpnSettings = (); + &readhash("${General::swroot}/ovpn/settings", %ovpnSettings); + + # OpenVPN on Red? 
+ if(defined($ovpnSettings{'DOVPN_SUBNET'})) + { + my ($ip,$sub) = split(///,$ovpnSettings{'DOVPN_SUBNET'}); + $sub=&General::iporsubtocidr($sub); + my @tempovpnsubnet = split("/", $ovpnSettings{'DOVPN_SUBNET'}); + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'ADR'} = $tempovpnsubnet[0]; + $defaultNetworks->{'OpenVPN ' ."($ip/$sub)"}{'NAME'} = "OpenVPN-Dyn"; + } + } # end OpenVPN + # IPsec RW NET + if(-e "${General::swroot}/vpn/settings") + { + my %ipsecsettings = (); + &readhash("${General::swroot}/vpn/settings", %ipsecsettings); + if($ipsecsettings{'RW_NET'} ne '') + { + my ($ip,$sub) = split(///,$ipsecsettings{'RW_NET'}); + $sub=&General::iporsubtocidr($sub); + my @tempipsecsubnet = split("/", $ipsecsettings{'RW_NET'}); + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'ADR'} = $tempipsecsubnet[0]; + $defaultNetworks->{'IPsec RW ' .$ip."/".$sub}{'NAME'} = "IPsec RW"; + } + } +} +sub get_aliases +{ + + my $defaultNetworks = shift; + open(FILE, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + my @current = <FILE>; + close(FILE); + my $ctr = 0; + foreach my $line (@current) + { + if ($line ne ''){ + chomp($line); + my @temp = split(/,/,$line); + if ($temp[2] eq '') { + $temp[2] = "Alias $ctr : $temp[0]"; + } + $defaultNetworks->{$temp[2]}{'IPT'} = "$temp[0]"; + + $ctr++; + } + } +}
 sub readhash {
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index c51e882..19c0546 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
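Review bot: get_aliases turns every line of ethernet/aliases into a selectable network but never looks at `$temp[1]`, which in the `ip,on|off,name` layout this loop otherwise follows is the enable flag, and a blank line passes `if ($line ne '')` because it still carries its newline, so it ends up as an entry named `Alias N : ` with an empty IPT; I would chomp first and skip with `chomp($line); next if $line eq '';` plus `next if $temp[1] ne 'on';` if that field is indeed the flag. In setup_default_networks the Any/GREEN/RED/ORANGE/BLUE entries are stored under the `IPT` key while the OpenVPN and IPsec RW entries use `ADR`, so a consumer that reads `IPT` silently drops the VPN networks unless it also reads `ADR` — the keys should agree or the difference be documented at the top of the sub. The RED entry is built from `RED_NETADDRESS`/`RED_NETMASK` whenever `RED_DEV` is non-empty, which for a non-static RED looks like it yields `/` as the IPT value, so the guard should also require those two fields to be non-empty. The `%netsettings` arguments to `&readhash` appear without the reference backslash, as does `split(///,`; this looks like the mail rendering dropping backslashes before punctuation rather than the source, but is worth confirming against the tree.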
@@ -602,22 +602,37 @@ sub updatefwhitsgraph { "--color=SHADEA".$color{"color19"}, "--color=SHADEB".$color{"color19"}, "--color=BACK".$color{"color21"}, - "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", - "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE", + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE", + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", - "CDEF:amount=output,input,newnotsyn,+,+", - "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}), + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), - "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\j", - "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}), - "GPRINT:amount:MAX:%8.1lf %sBps", - "GPRINT:amount:AVERAGE:%8.1lf %sBps", - "GPRINT:amount:MIN:%8.1lf %sBps", - "GPRINT:amount:LAST:%8.1lf %sBps\j", - "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}), + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"), + "GPRINT:output:MAX:%8.1lf %sBps", + "GPRINT:output:AVERAGE:%8.1lf %sBps", + "GPRINT:output:MIN:%8.1lf %sBps", + 
"GPRINT:output:LAST:%8.1lf %sBps\j", + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"), + "GPRINT:forward:MAX:%8.1lf %sBps", + "GPRINT:forward:AVERAGE:%8.1lf %sBps", + "GPRINT:forward:MIN:%8.1lf %sBps", + "GPRINT:forward:LAST:%8.1lf %sBps\j", + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"), + "GPRINT:input:MAX:%8.1lf %sBps", + "GPRINT:input:AVERAGE:%8.1lf %sBps", + "GPRINT:input:MIN:%8.1lf %sBps", + "GPRINT:input:LAST:%8.1lf %sBps\j", + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSyn"), + "GPRINT:newnotsyn:MAX:%8.1lf %sBps", + "GPRINT:newnotsyn:MIN:%8.1lf %sBps", + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps", + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\j", + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}), "GPRINT:portscan:MAX:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:AVERAGE:%8.1lf %sBps", diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 9129c68..fb57482 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -149,11 +149,8 @@ sub genmenu { eval `/bin/cat /var/ipfire/menu.d/*.menu`; eval `/bin/cat /var/ipfire/menu.d/*.main`;
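Review bot: The new NewNotSyn block in updatefwhitsgraph prints its columns as MAX, MIN, AVERAGE, LAST while the header above captions them maximal, average, minimal, current, so the two middle numbers sit under the wrong captions; the OUTPUT, FORWARD and INPUT blocks added in the same hunk use MAX, AVERAGE, MIN, LAST, so swap the two lines to `"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",` followed by `"GPRINT:newnotsyn:MIN:%8.1lf %sBps",`. The pre-existing portscan block below has the same ordering and the commit leaves it as is. The header widths `%-26s`/`%14s` versus the `%-25s` legend labels look hand-tuned; a short comment stating that the caption widths must line up with the GPRINT columns would help the next editor. updatefwhitsgraph begins and ends outside the hunk.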
- if (! blue_used() && ! orange_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'40.dmz'}{'enabled'} = 0; - } if (! blue_used()) { - $menu->{'05.firewall'}{'subMenu'}->{'30.wireless'}{'enabled'} = 0; + $menu->{'05.firewall'}{'subMenu'}->{'60.wireless'}{'enabled'} = 0; } if ( $ethsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $ethsettings{'RED_TYPE'} eq 'STATIC' ) { $menu->{'03.network'}{'subMenu'}->{'70.aliases'}{'enabled'} = 1; diff --git a/config/cfgroot/p2protocols b/config/cfgroot/p2protocols deleted file mode 100644 index 78c6101..0000000 --- a/config/cfgroot/p2protocols +++ /dev/null @@ -1,9 +0,0 @@ -Bittorrent;bit;on; -Edonkey;edk;on; -KaZaA;kazaa;on; -Gnutella;gnu;on; -DirectConnect;dc;on; -Applejuice;apple;on; -WinMX;winmx;on; -SoulSeek;soul;on; -Ares;ares;on; \ No newline at end of file diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 67d9e19..14dd568 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -45,10 +45,11 @@ include "/etc/collectd.precache" </Plugin>
 <Plugin iptables>
- Chain filter INPUT DROP_INPUT
- Chain filter FORWARD DROP_OUTPUT
 Chain filter PSCAN DROP_PScan
 Chain filter NEWNOTSYN DROP_NEWNOTSYN
+ Chain filter POLICYFWD DROP_FORWARD
+ Chain filter POLICYOUT DROP_OUTPUT
+ Chain filter POLICYIN DROP_INPUT
 </Plugin>
 #<Plugin logfile>
diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
new file mode 100755
index 0000000..efc4386
--- /dev/null
+++ b/config/forwardfw/convert-dmz
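Review bot: The iptables plugin is now pointed at the chains POLICYFWD, POLICYOUT and POLICYIN, and collectd can only attach to a chain that already exists when it starts, so the firewall script that creates these chains has to run before collectd at boot; nothing in this commit shows that ordering, so it is worth confirming. The counters formerly written under iptables-filter-INPUT/ and iptables-filter-FORWARD/ are no longer collected, which orphans the history in those RRD files and leaves the reworked graph in graphs.pl without FORWARD/INPUT data until the new chains have been sampled. A one-line comment above the block, `# chain names must match the rule generator and graphs.pl`, would tie the three places together.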
@@ -0,0 +1,193 @@ +#!/usr/bin/perl + +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +# This script converts old dmz holes rules from old firewall # +# to the new one. This is a 2-step process. 
# +# STEP1: read old config and normalize settings # +# STEP2: check valid ip and save valid rules to new firewall # +# # +############################################################################### +my @current=(); +my @alias=(); +my %configdmz=(); +my %ifaces=(); +my %configfwdfw=(); +require '/var/ipfire/general-functions.pl'; +my $dmzconfig = "${General::swroot}/dmzholes/config"; +my $fwdfwconfig = "${General::swroot}/forward/config"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $field0 = 'ACCEPT'; +my $field1 = 'FORWARDFW'; +my $field2 = ''; #ON or emtpy +my $field3 = ''; #std_net_src or src_addr +my $field4 = ''; #ALL or IP-Address with /32 +my $field5 = ''; #std_net_tgt or tgt_addr +my $field6 = ''; #IP or network name +my $field11 = 'ON'; #use target port +my $field12 = ''; #TCP or UDP +my $field13 = 'All ICMP-Types'; +my $field14 = 'TGT_PORT'; +my $field15 = ''; #Port Number +my $field16 = ''; #remark +my $field26 = '00:00'; +my $field27 = '00:00'; +my $field28 = ''; +my $field29 = 'ALL'; +my $field30 = ''; +my $field31 = 'dnat'; + + +open(FILE, $dmzconfig) or die 'Unable to open config file.'; +my @current = <FILE>; +close(FILE); +#open LOGFILE +open (LOG, ">/var/log/converters/dmz-convert.log") or die $!; +&General::readhash($ifacesettings, %ifaces); +&General::readhasharray($fwdfwconfig,%configfwdfw); +&process_rules; +sub process_rules{ + foreach my $line (@current){ + my $now=localtime; + #get values from old configfile + my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line); + $h =~ s/\s*\n//gi; + print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n"; + #Now convert values and check ip addresses + $a=uc($a); + $e=uc($e); + $field2=$e if($e eq 'ON'); + #SOURCE IP-check + $b=&check_ip($b); + if (&General::validipandmask($b)){ + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$b); + if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){ + $field3='std_net_src'; + 
$field4='ORANGE'; + }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field3='std_net_src'; + $field4='BLUE'; + }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field3='src_addr'; + $field4=$b; + }else{ + print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n"; + next; + } + }else{ + print LOG "$now -> SOURCE IP INVALID. \n\n"; + next; + } + #TARGET IP-check + $c=&check_ip($c); + if (&General::validipandmask($c)){ + my $now=localtime; + #When ip valid, check if we have a network + my ($ip,$subnet) = split ("/",$c); + if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='GREEN'; + }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){ + $field5='std_net_tgt'; + $field6='BLUE'; + }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ + $field5='tgt_addr'; + $field6=$c; + }else{ + print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n"; + next; + } + }else{ + print LOG "$now -> TARGET IP INVALID. \n\n"; + next; + } + $field12=$a; + #convert portrange + $d =~ tr/-/:/; + $field15=$d; + $field16=$h; + my $key = &General::findhasharraykey (%configfwdfw); + foreach my $i (0 .. 
27) { $configfwdfw{$key}[$i] = "";} + $configfwdfw{$key}[0] = $field0; + $configfwdfw{$key}[1] = $field1; + $configfwdfw{$key}[2] = $field2; + $configfwdfw{$key}[3] = $field3; + $configfwdfw{$key}[4] = $field4; + $configfwdfw{$key}[5] = $field5; + $configfwdfw{$key}[6] = $field6; + $configfwdfw{$key}[7] = ''; + $configfwdfw{$key}[8] = ''; + $configfwdfw{$key}[9] = ''; + $configfwdfw{$key}[10] = ''; + $configfwdfw{$key}[11] = $field11; + $configfwdfw{$key}[12] = $field12; + $configfwdfw{$key}[13] = $field13; + $configfwdfw{$key}[14] = $field14; + $configfwdfw{$key}[15] = $field15; + $configfwdfw{$key}[16] = $field16; + $configfwdfw{$key}[17] = ''; + $configfwdfw{$key}[18] = ''; + $configfwdfw{$key}[19] = ''; + $configfwdfw{$key}[20] = ''; + $configfwdfw{$key}[21] = ''; + $configfwdfw{$key}[22] = ''; + $configfwdfw{$key}[23] = ''; + $configfwdfw{$key}[24] = ''; + $configfwdfw{$key}[25] = ''; + $configfwdfw{$key}[26] = $field26; + $configfwdfw{$key}[27] = $field27; + $configfwdfw{$key}[28] = $field28; + $configfwdfw{$key}[29] = $field29; + $configfwdfw{$key}[30] = $field30; + $configfwdfw{$key}[31] = $field31; + print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n"; + } + &General::writehasharray($fwdfwconfig,%configfwdfw); +close (LOG); +} + +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/32"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return $a; +} 
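Review bot: In process_rules the enabled flag leaks between rules: `$field2` is file-scoped and only ever set by `$field2=$e if($e eq 'ON');`, never cleared, so once one old DMZ-hole rule is ON every later disabled rule is written to forward/config as ON too, silently enabling rules the admin had switched off; use `$field2 = ($e eq 'ON') ? 'ON' : '';`. The final log line interpolates `$Now` where the variable is `$now`, so the timestamp there is always empty, and the reset loop `foreach my $i (0 .. 27)` stops short of the 32 fields assigned right after it (harmless today because 28-31 are then set explicitly, but misleading). In check_ip the octet separators in both regexes are unescaped `.` and the first pattern contains an unescaped `/` that would terminate `m//`; as with the `\"$ip\"` quoting in convert-outgoingfw this looks like the mailer dropping backslashes before punctuation, but if the source really reads this way the script does not compile and the regexes match any separator. The log is opened with `or die` under /var/log/converters, a directory this script never creates, so it appears to depend on convert-outgoingfw having run first; the caller in backup.pl is outside my view.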
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
new file mode 100755
index 0000000..bd33059
--- /dev/null
+++ b/config/forwardfw/convert-outgoingfw
@@ -0,0 +1,704 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# # +# This script converts old groups and firewallrules # +# to the new one. This is a 3-step process. 
# +# STEP1: convert groups ->LOG /var/log/converters # +# STEP2: convert rules ->LOG /var/log/converters # +# STEP3: convert P2P rules # +# # +############################################################################### + +require '/var/ipfire/general-functions.pl'; + +use Socket; +use File::Path; +use File::Copy; + +my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; +my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; +my $outgoingrules = "${General::swroot}/outgoing/rules"; +my $outfwsettings = "${General::swroot}/outgoing/settings"; +my $host = "Converted "; +my $confighosts = "${General::swroot}/fwhosts/customhosts"; +my $confignets = "${General::swroot}/fwhosts/customnetworks"; +my $configgroups = "${General::swroot}/fwhosts/customgroups"; +my $ovpnsettings = "${General::swroot}/ovpn/settings"; +my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig"; +my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; +my $fwdfwconfig = "${General::swroot}/forward/config"; +my $outfwconfig = "${General::swroot}/forward/outgoing"; +my $fwdfwsettings = "${General::swroot}/forward/settings"; +my @ipgroups = qx(ls $ipgrouppath); +my @macgroups = qx(ls $macgrouppath); +my @hostarray=(); +my %outsettings=(); +my %hosts=(); +my %nets=(); +my %groups=(); +my %settingsovpn=(); +my %configovpn=(); +my %ccdconf=(); +my %fwconfig=(); +my %fwconfigout=(); +my %fwdsettings=(); +my %ownnet=(); +my %ovpnSettings = (); +&General::readhash("${General::swroot}/ovpn/settings", %ovpnSettings); +&General::readhash($outfwsettings,%outsettings); +&General::readhash("${General::swroot}/ethernet/settings", %ownnet); +#ONLY RUN if /var/ipfire/outgoing exists +if ( -d "/var/ipfire/outgoing"){ + &process_groups; + &process_rules; + &process_p2p; +} +system("/usr/local/bin/forwardfwctrl"); +sub process_groups +{ + if(! 
-d "/var/log/converters"){ mkdir("/var/log/converters");} + if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");} + open (LOG, ">/var/log/converters/groups-convert.log") or die $!; + #IP Group processing + foreach my $group (@ipgroups){ + my $now=localtime; + chomp $group; + print LOG "\n$now Processing IP-GROUP: $group...\n"; + open (DATEI, "<$ipgrouppath/$group"); + my @zeilen = <DATEI>; + foreach my $ip (@zeilen){ + chomp($ip); + $ip =~ s/\s//gi; + print LOG "$now Check IP $ip from Group $group "; + my $val=&check_ip($ip); + if($val){ + push(@hostarray,$val.",ip"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> IP "$ip" from group $group not converted (invalid IP) \n"; + } + $val=''; + } + &new_hostgrp($group,'ip'); + @hostarray=(); + } + $group=''; + @zeilen=(); + @hostarray=(); + #MAC Group processing + foreach my $group (@macgroups){ + chomp $group; + print LOG "\nProcessing MAC-GROUP: $group...\n"; + open (DATEI, "<$macgrouppath/$group"); + my @zeilen = <DATEI>; + foreach my $mac (@zeilen){ + chomp($mac); + $mac =~ s/\s//gi; + print LOG "$now Checking MAC $mac from group $group "; + #MAC checking + if(&General::validmac($mac)){ + $val=$mac; + } + if($val){ + push(@hostarray,$val.",mac"); + print LOG "$now -> OK\n"; + } + else{ + print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n"; + } + $val=''; + } + &new_hostgrp($group,'mac'); + @hostarray=(); + @zeilen=(); + } + close (LOG); +} +sub check_ip +{ + my $adr=shift; + my $a; + #ip with subnet in decimal + if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)/(\d{1,2})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + my $b = &General::iporsubtodec($5); + $a=$adr."/".$b; + }elsif($adr =~ /^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ + $adr=int($1).".".int($2).".".int($3).".".int($4); + if(&General::validip($adr)){ + $a=$adr."/255.255.255.255"; + } + } + if(&General::validipandmask($adr)){ + $a=&General::iporsubtodec($adr); + } + return 
$a; +} +sub new_hostgrp +{ + &General::readhasharray($confighosts,%hosts); + &General::readhasharray($confignets,%nets); + &General::readhasharray($configgroups,%groups); + my $grp=shift; + my $run=shift; + my $name; #"converted" + my $name2; + my $name3; #custom host/custom net + foreach my $adr (@hostarray){ + if($run eq 'ip'){ + my ($ip,$type) = split(",",$adr); + my ($ippart,$subnet) = split("/",$ip); + my ($byte1,$byte2,$byte3,$byte4) = split(/./,$subnet); + if($byte4 eq '255'){ + print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; + if(!&check_host($ip)){ + my $key = &General::findhasharraykey(%hosts); + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $ip; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (IP) $ip added to custom hosts\n" + }else{ + print LOG "->Host (IP) $ip already exists in custom hosts\n"; + $name="host "; + $name2=$name.$ippart; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$ippart; + $name3="Custom Host"; + } + }elsif($byte4 < '255'){ + print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n"; + if(!&check_net($ippart,$subnet)){ + #Check if this network is one one of IPFire internal networks + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'})) + { + $name2='GREEN'; + $name3='Standard Network'; + }elsif (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'})) + { + $name2='ORANGE'; + $name3='Standard Network'; + }elsif (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'})) + { + 
$name2='BLUE'; + $name3='Standard Network'; + }elsif ($ippart eq '0.0.0.0') + { + $name2='ALL'; + $name3='Standard Network'; + }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) + { + $name2='OpenVPN-Dyn'; + $name3='Standard Network'; + }else{ + my $netkey = &General::findhasharraykey(%nets); + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + $nets{$netkey}[0] = $name2; + $nets{$netkey}[1] = $ippart; + $nets{$netkey}[2] = $subnet; + $nets{$netkey}[3] = ''; + $nets{$netkey}[4] = 1; + print LOG "->Network $ippart/$subnet added to custom networks\n"; + } + }else{ + print LOG "Network $ippart already exists in custom networks\n"; + $name="net "; + $name2=$name.$ippart; + foreach my $key (sort keys %nets){ + if($nets{$key}[0] eq $name2){ + $nets{$key}[4]++; + } + } + $name="net "; + $name2=$name.$ippart; + $name3="Custom Network"; + } + } + if($name2 && !&check_grp($grp,$name2)){ + my $grpkey = &General::findhasharraykey(%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + }elsif($run eq 'mac'){ + #MACRUN + my ($mac,$type) = split(",",$adr); + print LOG "Processing HOST (MAC) $mac\n"; + if(!&check_host($mac)){ + my $key = &General::findhasharraykey(%hosts); + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + $hosts{$key}[0] = $name2; + $hosts{$key}[1] = $type; + $hosts{$key}[2] = $mac; + $hosts{$key}[3] = ''; + $hosts{$key}[4] = 1; + print LOG "->Host (MAC) $mac added to custom hosts\n"; + }else{ + print LOG "->Host (MAC) $mac already exists in custom hosts \n"; + $name="host "; + $name2=$name.$mac; + foreach my $key (sort keys %hosts){ + if($hosts{$key}[0] eq $name2){ + $hosts{$key}[4]++; + } + } + $name="host "; + $name2=$name.$mac; + $name3="Custom Host"; + } + if($name2 && !&check_grp($grp,$name2)){ + my 
$grpkey = &General::findhasharraykey(%groups); + $groups{$grpkey}[0] = $grp; + $groups{$grpkey}[1] = ''; + $groups{$grpkey}[2] = $name2; + $groups{$grpkey}[3] = $name3; + $groups{$grpkey}[4] = 0; + print LOG "->$name2 added to group $grp\n"; + } + } + } + @hostarray=(); + &General::writehasharray($confighosts,%hosts); + &General::writehasharray($configgroups,%groups); + &General::writehasharray($confignets,%nets); + +} +sub check_host +{ + my $ip=shift; + foreach my $key (sort keys %hosts) + { + if($hosts{$key}[2] eq $ip) + { + return 1; + } + } + return 0; +} +sub check_net +{ + my $ip=shift; + my $sub=shift; + foreach my $key (sort keys %nets) + { + if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub) + { + return 1; + } + } + return 0; +} +sub check_grp +{ + my $grp=shift; + my $value=shift; + foreach my $key (sort keys %groups) + { + if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value) + { + return 1; + } + } + return 0; +} +sub process_rules +{ + my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to); + #open LOG + if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");} + open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!; + + &General::readhash($fwdfwsettings,%fwdsettings); + if ($outsettings{'POLICY'} eq 'MODE1'){ + $fwdsettings{'POLICY'}='MODE1'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='ALLOW'; + $action='ACCEPT'; + }else{ + $fwdsettings{'POLICY'}='MODE2'; + $fwdsettings{'POLICY1'}='MODE2'; + $type='DENY'; + $action='DROP'; + } + &General::writehash($fwdfwsettings,%fwdsettings); + open (DATEI, "<$outgoingrules"); + my @lines = <DATEI>; + foreach my $rule (@lines) + { + my $now=localtime; + chomp($rule); + $port=''; + print LOG "$now processing: $rule\n"; + my @configline=(); + @configline = split( /;/, $rule ); + my @prot=(); + if($configline[0] 
eq $type){ + #some variables we can use from old config + if($configline[1] eq 'on'){ $active='ON';}else{$active='';} + if($configline[3] eq 'all' && $configline[8] ne ''){ + push(@prot,"TCP"); + push(@prot,"UDP"); + }elsif($configline[3] eq 'all' && $configline[8] eq ''){ + push(@prot,""); + }else{ + push(@prot,$configline[3]); + } + if($configline[4] ne ''){ + $configline[4] =~ s/,/;/g; + $remark = $configline[4]; + }else{$remark = '';} + if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} + if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ + if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ + $time=''; + }else{ + $time='ON'; + } + }else{ + $time='ON'; + } + $time_mon=$configline[10]; + $time_tue=$configline[11]; + $time_wed=$configline[12]; + $time_thu=$configline[13]; + $time_fri=$configline[14]; + $time_sat=$configline[15]; + $time_sun=$configline[16]; + $time_from=$configline[17]; + $time_to=$configline[18]; + ############################################################ + #sourcepart + if ($configline[2] eq 'green') { + $grp1='std_net_src'; + $source='GREEN'; + }elsif ($configline[2] eq 'orange') { + $grp1='std_net_src'; + $source='ORANGE'; + }elsif ($configline[2] eq 'red') { + $grp1='std_net_src'; + $source='IPFire'; + &General::readhash($fwdfwsettings,%fwdsettings); + $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; + $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; + &General::writehash($fwdfwsettings,%fwdsettings); + }elsif ($configline[2] eq 'blue') { + $grp1='std_net_src'; + $source='BLUE'; + }elsif ($configline[2] eq 'ipsec') { + print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n"; + next; + }elsif ($configline[2] eq 'ovpn') { + print LOG "$now ->Creating networks/groups for OpenVPN...\n"; + &build_ovpn_grp; + $grp1='cust_grp_src'; + $source='ovpn' + }elsif 
($configline[2] eq 'ip') { + my $z=&check_ip($configline[5]); + if($z){ + my ($ipa,$subn) = split("/",$z); + $subn=&General::iporsubtocidr($subn); + $grp1='src_addr'; + $source="$ipa/$subn"; + }else{ + print LOG "$now -> Rule not converted, missing/invalid source ip "$configline[5]"\n"; + next; + } + }elsif ($configline[2] eq 'mac') { + if(&General::validmac($configline[6])){ + $grp1='src_addr'; + $source=$configline[6]; + }else{ + print LOG"$now -> Rule not converted, invalid MAC "$configline[6]" \n"; + next; + } + }elsif ($configline[2] eq 'all') { + $grp1='std_net_src'; + $source='ALL'; + }else{ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $configline[2]){ + $grp1='cust_grp_src'; + $source=$configline[2]; + } + } + if ($grp1 eq '' || $source eq ''){ + print LOG "$now -> Rule not converted, no valid source recognised\n"; + } + } + ############################################################ + #destinationpart + if($configline[7] ne ''){ + my $address=&check_ip($configline[7]); + if($address){ + my ($dip,$dsub) = split("/",$address); + $dsub=&General::iporsubtocidr($dsub); + $grp2='tgt_addr'; + $target="$dip/$dsub"; + }elsif(!$address){ + my $getwebsiteip=&get_ip_from_domain($configline[7]); + if ($getwebsiteip){ + $grp2='tgt_addr'; + $target=$getwebsiteip; + $remark.=" $configline[7]"; + }else{ + print LOG "$now -> Rule not converted, invalid domain "$configline[7]"\n"; + next; + } + } + }else{ + $grp2='std_net_tgt'; + $target='ALL'; + } + if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){ + my @values=(); + my @parts=split(",",$configline[8]); + foreach (@parts){ + $_=~ tr/-/:/; + if (!($_ =~ /^(\d+):(\d+)$/)) { + if(&General::validport($_)){ + $useport='ON'; + push (@values,$_); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; + next; + } + }else{ + my ($a1,$a2) = split(/:/,$_); + if (&General::validport($a1) && &General::validport($a2) && $a1 < 
$a2){ + $useport='ON'; + push (@values,"$a1:$a2"); + $grp3='TGT_PORT'; + }else{ + print LOG "$now -> Rule not converted, invalid destination Port "$configline[8]"\n"; + next; + } + } + } + $port=join("|",@values); + @values=(); + @parts=(); + } + }else{ + print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; + } + &General::readhasharray($fwdfwconfig,%fwconfig); + &General::readhasharray($outfwconfig,%fwconfigout); + my $check; + my $chain; + foreach my $protocol (@prot){ + my $now=localtime; + if ($source eq 'IPFire'){ + $chain='OUTGOINGFW'; + }else{ + $chain='FORWARDFW'; + } + $protocol=uc($protocol); + print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + #Put rules into system.... + ########################### + #check for double rules + foreach my $key (sort keys %fwconfig){ + if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ + $check='on'; + next; + } + } + if($check ne 'on'){ + #increase groupcounter + my $check1; + if($grp1 eq 'cust_grp_src'){ + foreach my $key (sort keys %groups){ + if($groups{$key}[0] eq $source){ + $groups{$key}[4]++; + $check1='on'; + } + } + if($check1 eq 'on'){ + 
&General::writehasharray($configgroups,%groups);
+ }
+ }
+ if ($chain eq 'FORWARDFW'){
+ my $key = &General::findhasharraykey(%fwconfig);
+ $fwconfig{$key}[0] = $action;
+ $fwconfig{$key}[1] = $chain;
+ $fwconfig{$key}[2] = $active;
+ $fwconfig{$key}[3] = $grp1;
+ $fwconfig{$key}[4] = $source;
+ $fwconfig{$key}[5] = $grp2;
+ $fwconfig{$key}[6] = $target;
+ $fwconfig{$key}[11] = $useport;
+ $fwconfig{$key}[12] = $protocol;
+ $fwconfig{$key}[14] = $grp3;
+ $fwconfig{$key}[15] = $port;
+ $fwconfig{$key}[16] = $remark;
+ $fwconfig{$key}[17] = $log;
+ $fwconfig{$key}[18] = $time;
+ $fwconfig{$key}[19] = $time_mon;
+ $fwconfig{$key}[20] = $time_tue;
+ $fwconfig{$key}[21] = $time_wed;
+ $fwconfig{$key}[22] = $time_thu;
+ $fwconfig{$key}[23] = $time_fri;
+ $fwconfig{$key}[24] = $time_sat;
+ $fwconfig{$key}[25] = $time_sun;
+ $fwconfig{$key}[26] = $time_from;
+ $fwconfig{$key}[27] = $time_to;
+ $fwconfig{$key}[28] = '';
+ $fwconfig{$key}[29] = 'ALL';
+ $fwconfig{$key}[30] = '';
+ $fwconfig{$key}[31] = 'dnat';
+ }else{
+ my $key = &General::findhasharraykey(%fwconfigout);
+ $fwconfigout{$key}[0] = $action;
+ $fwconfigout{$key}[1] = $chain;
+ $fwconfigout{$key}[2] = $active;
+ $fwconfigout{$key}[3] = $grp1;
+ $fwconfigout{$key}[4] = $source;
+ $fwconfigout{$key}[5] = $grp2;
+ $fwconfigout{$key}[6] = $target;
+ $fwconfigout{$key}[11] = $useport;
+ $fwconfigout{$key}[12] = $protocol;
+ $fwconfigout{$key}[14] = $grp3;
+ $fwconfigout{$key}[15] = $port;
+ $fwconfigout{$key}[16] = $remark;
+ $fwconfigout{$key}[17] = $log;
+ $fwconfigout{$key}[18] = $time;
+ $fwconfigout{$key}[19] = $time_mon;
+ $fwconfigout{$key}[20] = $time_tue;
+ $fwconfigout{$key}[21] = $time_wed;
+ $fwconfigout{$key}[22] = $time_thu;
+ $fwconfigout{$key}[23] = $time_fri;
+ $fwconfigout{$key}[24] = $time_sat;
+ $fwconfigout{$key}[25] = $time_sun;
+ $fwconfigout{$key}[26] = $time_from;
+ $fwconfigout{$key}[27] = $time_to;
+ $fwconfigout{$key}[28] = '';
+ $fwconfigout{$key}[29] = 'ALL';
+ $fwconfigout{$key}[30] = '';
+ $fwconfigout{$key}[31] = 'dnat';
+ }
+ &General::writehasharray($fwdfwconfig,%fwconfig);
+ &General::writehasharray($outfwconfig,%fwconfigout);
+ }
+ }
+ @prot=();
+ }
+ close(LOG);
+ @lines=();
+}
+sub get_ip_from_domain
+{
+ $web=shift;
+ my $resolvedip;
+ my $checked;
+ my ($name,$aliases,$addrtype,$length,@addrs) = gethostbyname($web);
+ if(@addrs){
+ $resolvedip=inet_ntoa($addrs[0]);
+ return $resolvedip;
+ }
+ return;
+}
+sub build_ovpn_grp
+{
+ my $now=localtime;
+ &General::readhasharray($confighosts,%hosts);
+ &General::readhasharray($confignets,%nets);
+ &General::readhasharray($configgroups,%groups);
+ &General::readhasharray($ovpnconfig,%configovpn);
+ &General::readhasharray($ccdconfig,%ccdconf);
+ &General::readhash($ovpnsettings,%settingsovpn);
+ #get ovpn nets
+ my @ovpnnets=();
+ if($settingsovpn{'DOVPN_SUBNET'}){
+ my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
+ push (@ovpnnets,"$net,$subnet,dynamic");
+ print LOG "$now ->found dynamic OpenVPN net\n";
+ }
+ foreach my $key (sort keys %ccdconf){
+ my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
+ $subnet=&General::iporsubtodec($subnet);
+ push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+ print LOG "$now ->found OpenVPN static net $net/$subnet\n";
+ }
+ foreach my $key (sort keys %configovpn){
+ if ($configovpn{$key}[3] eq 'net'){
+ my ($net,$subnet)=split("/",$configovpn{$key}[27]);
+ push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+ print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
+ }
+ }
+ #add ovpn nets to customnetworks/groups
+ foreach my $line (@ovpnnets){
+ my $now=localtime;
+ my ($net,$subnet,$name) = split(",",$line);
+ if (!&check_net($net,$subnet)){
+ my $netkey = &General::findhasharraykey(%nets);
+ $name2=$name."(ovpn)".$net;
+ $name3="Custom Network";
+ $nets{$netkey}[0] = $name2;
+ $nets{$netkey}[1] = $net;
+ $nets{$netkey}[2] = $subnet;
+ $nets{$netkey}[3] = '';
+ $nets{$netkey}[4] = 1;
+ print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
+ }else{
+ print LOG "-> Custom Network with same IP already exist "$net/$subnet" (you can ignore this, if this run was manual from shell)\n";
+ }
+ if($name2){
+ my $grpkey = &General::findhasharraykey(%groups);
+ $groups{$grpkey}[0] = "ovpn";
+ $groups{$grpkey}[1] = '';
+ $groups{$grpkey}[2] = $name2;
+ $groups{$grpkey}[3] = "Custom Network";
+ $groups{$grpkey}[4] = 0;
+ print LOG "$now ->added $name2 to customgroup ovpn\n";
+ }
+ $name2='';
+ }
+ @ovpnnets=();
+ &General::writehasharray($confighosts,%hosts);
+ &General::writehasharray($configgroups,%groups);
+ &General::writehasharray($confignets,%nets);
+ print LOG "$now ->finished OVPN\n";
+}
+sub process_p2p
+{
+ copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols");
+ chmod oct('0777'), '/var/ipfire/forward/p2protocols';
+}
diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw
new file mode 100755
index 0000000..a37383e
--- /dev/null
+++ b/config/forwardfw/convert-portfw
@@ -0,0 +1,158 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 Alexander Marx amarx@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+# #
+# This script converts old portforwarding rules from old Firewall #
+# to the new one. This is a 3-step process. #
+# STEP1: read old config and normalize settings #
+# STEP2: create new rules from old ones #
+# STEP3: check if rule already exists, when not, put it into #
+# /var/ipfire/forward/nat #
+###############################################################################
+require '/var/ipfire/general-functions.pl';
+my @values=();
+my @built_rules=();
+my %nat=();
+my $portfwconfig = "${General::swroot}/portfw/config";
+my $confignat = "${General::swroot}/forward/config";
+my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
+my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
+my $count=0;
+my $jump;
+if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+open(FILE, $portfwconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
+open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+my @alias = <ALIAS>;
+close(ALIAS);
+&get_config;
+&build_rules;
+&write_rules;
+sub get_config
+{
+ print LOG "STEP 1: Get config from old portforward\n#########################################\n";
+ foreach my $line (@current){
+ if($jump eq '1'){
+ $jump='';
+ $count++;
+ next;
+ }
+ my $u=$count+1;
+ ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
+ ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
+ if ($flag1 eq '1'){
+ $source=$source1;
+ $jump='1';
+ }
+ my $now=localtime;
+ chomp($remark);
+ print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
+ push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
+ $count++;
+ }
+}
+sub build_rules
+{
+ print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
+ my $src;
+ my $src1;
+ my $ipfireip;
+ my $count=0;
+ my $stop;
+ #build rules for new firewall
+ foreach my $line (@values){
+ chomp ($line);
+ ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
+ $count++;
+ #get sourcepart
+ if($source eq '0.0.0.0/0'){
+ $src = 'std_net_src';
+ $src1 = 'ALL';
+ }else{
+ $src = 'src_addr';
+ my ($a,$b) = split("/",$source);
+ $src1 = $a."/32";
+ }
+ #get ipfire ip
+ if($alias eq '0.0.0.0'){
+ $alias='ALL';
+ }else{
+ foreach my $ali (@alias){
+ my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
+ if($alias eq $alias_ip){
+ chomp($alias_name);
+ $alias=$alias_name;
+ }
+ }
+ }
+ $active = uc $active;
+ $prot = uc $prot;
+ chomp($remark);
+ push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
+ my $now=localtime;
+ print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
+ }
+}
+sub write_rules
+{
+ my $skip='';
+ my $id;
+ print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
+ &General::readhasharray($confignat,%nat);
+ foreach my $line (@built_rules){
+ $skip='';
+ my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
+ foreach my $key (sort keys %nat){
+ if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
+ my $now=localtime;
+ print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
+ $skip='1';
+ }
+ }
+ if ($skip ne '1'){
+ $id = &General::findhasharraykey(%nat);
+ $nat{$id}[0] = $action;
+ $nat{$id}[1] = $chain;
+ $nat{$id}[2] = $active;
+ $nat{$id}[3] = $src;
+ $nat{$id}[4] = $src1;
+ $nat{$id}[5] = $tgt;
+ $nat{$id}[6] = $tgt1;
+ $nat{$id}[11] = $use_prot;
+ $nat{$id}[12] = $prot;
+ $nat{$id}[13] = $dummy;
+ $nat{$id}[14] = $tgt_port;
+ $nat{$id}[15] = $tgt_port1;
+ $nat{$id}[16] = $remark;
+ $nat{$id}[26] = $from;
+ $nat{$id}[27] = $to;
+ $nat{$id}[28] = $use_port;
+ $nat{$id}[29] = $alias;
+ $nat{$id}[30] = $ipfireport;
+ $nat{$id}[31] = $dnat;
+ my $now=localtime;
+ print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
+ }
+ }
+ &General::writehasharray($confignat,%nat);
+}
+close (LOG);
diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
new file mode 100755
index 0000000..d86c445
--- /dev/null
+++ b/config/forwardfw/convert-xtaccess
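Review bot: In build_rules the source prefix of any rule other than `0.0.0.0/0` is discarded: `my ($a,$b) = split("/",$source); $src1 = $a."/32";` throws `$b` away, so if an old rule's source carried a network mask it silently becomes a single-host rule after conversion, and convert-xtaccess in the same series keeps the `IP/mask` form, so the two converters disagree on the same input. If the new loader accepts the old mask form, `$src1 = (defined $b && $b ne '') ? "$a/$b" : "$a/32";` preserves the intended scope; otherwise the rule should be logged and skipped rather than narrowed without notice. A second quiet failure is the alias lookup: when the old alias IP matches no line of `@alias`, `$alias` is written into field 29 as a raw IP instead of an alias name, which the loader may not resolve, so that case deserves a log line too. Note also that `$current[$u]` is read one past the end on the last line, which only works because `$flag1` then compares undef against `'1'`.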
@@ -0,0 +1,141 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 Alexander Marx amarx@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+# #
+#This script converts old xtaccess rules to new firewall #
+#Logfiles are created under /var/log/converters #
+# #
+###############################################################################
+my @current=();
+my @alias=();
+my %configinputfw=();
+require '/var/ipfire/general-functions.pl';
+my $xtaccessconfig = "${General::swroot}/xtaccess/config";
+my $inputfwconfig = "${General::swroot}/forward/input";
+my $aliasconfig = "${General::swroot}/ethernet/aliases";
+my $field0='ACCEPT';
+my $field1='INPUTFW';
+my $field2=''; #ON or emtpy
+my $field3=''; #std_net_src or src_addr
+my $field4=''; #ALL or IP-Address with /32
+my $field5='ipfire';
+my $field6=''; #Default IP or alias name
+my $field11='ON'; #use target port
+my $field12=''; #TCP or UDP
+my $field13='All ICMP-Types';
+my $field14='TGT_PORT';
+my $field15=''; #Port Number
+my $field16=''; #remark
+my $field26='00:00';
+my $field27='00:00';
+my $field28 = '';
+my $field29 = 'ALL';
+my $field30 = '';
+my $field31 = 'dnat';
+open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+open(FILE1, $aliasconfig) or die 'Unable to open config file.';
+my @alias = <FILE1>;
+close(FILE1);
+&General::readhasharray($inputfwconfig,%configinputfw);
+
+foreach my $line (@current){
+ my ($a,$b,$c,$d,$e,$f) = split (",",$line);
+ $e =~ s/\R//g;
+ if ($f gt ''){
+ $f =~ s/\R//g;
+ $field16=$f;
+ }
+ #active or not
+ $field2=uc($d);
+ #get protocol
+ if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';}
+ #check source address
+ if ($b eq '0.0.0.0/0'){
+ $field3='std_net_src';
+ $field4='ALL';
+ }elsif($b =~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){
+ $field3='src_addr';
+ $field4=$b."/32";
+ }elsif ($b =~ /^(.*?)/(.*?)$/) {
+ $field3='src_addr';
+ $field4=$b;
+ }else{
+ print "Regel konnte nicht konvertiert werden!\n";
+ }
+ #check ipfire address
+ if ($e eq '0.0.0.0'){
+ $field6 = 'RED1';
+ }else{
+ foreach my $line (@alias){
+ my ($ip,$state,$aliasname) = split (",",$line);
+ if ($ip eq $e){
+ $aliasname =~ s/\R//g;
+ $field6 = $aliasname;
+ }
+ }
+ }
+ #get target port
+ $c=~ s/\R//g;
+ $c=~ tr/-/:/;
+ if ($c =~ /^(\D):(\d+)$/) {
+ $c = "1:$2";
+ }
+ if ($c =~ /^(\d+):(\D)$/) {
+ $c = "$1:65535";
+ }
+ $field15=$c;
+ my $key = &General::findhasharraykey (%configinputfw);
+ foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";}
+ $configinputfw{$key}[0] = $field0;
+ $configinputfw{$key}[1] = $field1;
+ $configinputfw{$key}[2] = $field2;
+ $configinputfw{$key}[3] = $field3;
+ $configinputfw{$key}[4] = $field4;
+ $configinputfw{$key}[5] = $field5;
+ $configinputfw{$key}[6] = $field6;
+ $configinputfw{$key}[7] = '';
+ $configinputfw{$key}[8] = '';
+ $configinputfw{$key}[9] = '';
+ $configinputfw{$key}[10] = '';
+ $configinputfw{$key}[11] = $field11;
+ $configinputfw{$key}[12] = $field12;
+ $configinputfw{$key}[13] = $field13;
+ $configinputfw{$key}[14] = $field14;
+ $configinputfw{$key}[15] = $field15;
+ $configinputfw{$key}[16] = $field16;
+ $configinputfw{$key}[17] = '';
+ $configinputfw{$key}[18] = '';
+ $configinputfw{$key}[19] = '';
+ $configinputfw{$key}[20] = '';
+ $configinputfw{$key}[21] = '';
+ $configinputfw{$key}[22] = '';
+ $configinputfw{$key}[23] = '';
+ $configinputfw{$key}[24] = '';
+ $configinputfw{$key}[25] = '';
+ $configinputfw{$key}[26] = $field26;
+ $configinputfw{$key}[27] = $field27;
+ $configinputfw{$key}[28] = $field28;
+ $configinputfw{$key}[29] = $field29;
+ $configinputfw{$key}[30] = $field30;
+ $configinputfw{$key}[31] = $field31;
+ &General::writehasharray($inputfwconfig,%configinputfw);
+}
diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
new file mode 100755
index 0000000..f1e8403
--- /dev/null
+++ b/config/forwardfw/firewall-lib.pl
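Review bot: A source address that matches none of the three patterns is only reported (`print "Regel konnte nicht konvertiert werden!\n";`) — the loop then carries on and still writes an INPUTFW ACCEPT rule, with `$field3`/`$field4` (and `$field16` when `$f` is empty) holding whatever the previous line left in these file-scope variables, which may be `std_net_src`/`ALL`, i.e. the port is opened to everyone. Add `next;` after the message and reset `$field3`, `$field4` and `$field16` to `''` at the top of each iteration so an unparseable line is skipped rather than widened. Separately, the third pattern `/^(.*?)/(.*?)$/` contains an unescaped `/` that terminates the match early and most likely fails to compile at all; it needs `m{^(.*?)/(.*?)$}` or `/^(.*?)\/(.*?)$/`, and the dots in the first pattern should be `\.` so they do not match arbitrary characters. The message should also be in English like the rest of the file.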
@@ -0,0 +1,256 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 Alexander Marx amarx@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+
+use strict;
+no warnings 'uninitialized';
+
+package fwlib;
+
+my %customnetwork=();
+my %customhost=();
+my %customgrp=();
+my %customservice=();
+my %customservicegrp=();
+my %ccdnet=();
+my %ccdhost=();
+my %ipsecconf=();
+my %ipsecsettings=();
+my %netsettings=();
+my %ovpnsettings=();
+
+require '/var/ipfire/general-functions.pl';
+
+my $confignet = "${General::swroot}/fwhosts/customnetworks";
+my $confighost = "${General::swroot}/fwhosts/customhosts";
+my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configsrv = "${General::swroot}/fwhosts/customservices";
+my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
+my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
+my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
+my $configipsec = "${General::swroot}/vpn/config";
+my $configovpn = "${General::swroot}/ovpn/settings";
+my $val;
+my $field;
+
+&General::readhash("/var/ipfire/ethernet/settings", %netsettings);
+&General::readhash("${General::swroot}/ovpn/settings", %ovpnsettings);
+&General::readhash("${General::swroot}/vpn/settings", %ipsecsettings);
+
+
+&General::readhasharray("$confignet", %customnetwork);
+&General::readhasharray("$confighost", %customhost);
+&General::readhasharray("$configgrp", %customgrp);
+&General::readhasharray("$configccdnet", %ccdnet);
+&General::readhasharray("$configccdhost", %ccdhost);
+&General::readhasharray("$configipsec", %ipsecconf);
+&General::readhasharray("$configsrv", %customservice);
+&General::readhasharray("$configsrvgrp", %customservicegrp);
+
+sub get_srv_prot
+{
+ my $val=shift;
+ foreach my $key (sort {$a <=> $b} keys %customservice){
+ if($customservice{$key}[0] eq $val){
+ if ($customservice{$key}[0] eq $val){
+ return $customservice{$key}[2];
+ }
+ }
+ }
+}
+sub get_srvgrp_prot
+{
+ my $val=shift;
+ my @ips=();
+ my $tcp;
+ my $udp;
+ my $icmp;
+ foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+ if($customservicegrp{$key}[0] eq $val){
+ if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
+ $tcp=1;
+ }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){
+ $udp=1;
+ }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
+ $icmp=1;
+ }
+ }
+ }
+ if ($tcp eq '1'){push (@ips,'TCP');}
+ if ($udp eq '1'){push (@ips,'UDP');}
+ if ($icmp eq '1'){push (@ips,'ICMP');}
+ my $back=join(",",@ips);
+ return $back;
+
+}
+
+
+sub get_srv_port
+{
+ my $val=shift;
+ my $field=shift;
+ my $prot=shift;
+ foreach my $key (sort {$a <=> $b} keys %customservice){
+ if($customservice{$key}[0] eq $val){
+ if($customservice{$key}[2] eq $prot){
+ return $customservice{$key}[$field];
+ }
+ }
+ }
+}
+sub get_srvgrp_port
+{
+ my $val=shift;
+ my $prot=shift;
+ my $back;
+ my $value;
+ my @ips=();
+ foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+ if($customservicegrp{$key}[0] eq $val){
+ if ($prot ne 'ICMP'){
+ $value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
+ }elsif ($prot eq 'ICMP'){
+ $value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
+ }
+ push (@ips,$value) if ($value ne '') ;
+ }
+ }
+ if($prot ne 'ICMP'){
+ if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
+ }elsif ($prot eq 'ICMP'){
+ $back="--icmp-type ";
+ }
+
+ $back.=join(",",@ips);
+ return $back;
+}
+sub get_ipsec_net_ip
+{
+ my $val=shift;
+ my $field=shift;
+ foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ if($ipsecconf{$key}[1] eq $val){
+ return $ipsecconf{$key}[$field];
+ }
+ }
+}
+sub get_ipsec_host_ip
+{
+ my $val=shift;
+ my $field=shift;
+ foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ if($ipsecconf{$key}[1] eq $val){
+ return $ipsecconf{$key}[$field];
+ }
+ }
+}
+sub get_ovpn_n2n_ip
+{
+ my $val=shift;
+ my $field=shift;
+ foreach my $key (sort {$a <=> $b} keys %ccdhost){
+ if($ccdhost{$key}[1] eq $val){
+ return $ccdhost{$key}[$field];
+ }
+ }
+}
+sub get_ovpn_host_ip
+{
+ my $val=shift;
+ my $field=shift;
+ foreach my $key (sort {$a <=> $b} keys %ccdhost){
+ if($ccdhost{$key}[1] eq $val){
+ return $ccdhost{$key}[$field];
+ }
+ }
+}
+sub get_ovpn_net_ip
+{
+
+ my $val=shift;
+ my $field=shift;
+ foreach my $key (sort {$a <=> $b} keys %ccdnet){
+ if($ccdnet{$key}[0] eq $val){
+ return $ccdnet{$key}[$field];
+ }
+ }
+}
+sub get_grp_ip
+{
+ my $val=shift;
+ my $src=shift;
+ foreach my $key (sort {$a <=> $b} keys %customgrp){
+ if ($customgrp{$key}[0] eq $val){
+ &get_address($customgrp{$key}[3],$src);
+ }
+ }
+
+}
+sub get_std_net_ip
+{
+ my $val=shift;
+ my $con=shift;
+ if ($val eq 'ALL'){
+ return "0.0.0.0/0.0.0.0";
+ }elsif($val eq 'GREEN'){
+ return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ }elsif($val eq 'ORANGE'){
+ return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ }elsif($val eq 'BLUE'){
+ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ }elsif($val eq 'RED'){
+ return "0.0.0.0/0 -o $con";
+ }elsif($val =~ /OpenVPN/i){
+ return "$ovpnsettings{'DOVPN_SUBNET'}";
+ }elsif($val =~ /IPsec/i){
+ return "$ipsecsettings{'RW_NET'}";
+ }elsif($val eq 'IPFire'){
+ return ;
+ }
+}
+sub get_net_ip
+{
+ my $val=shift;
+ foreach my $key (sort {$a <=> $b} keys %customnetwork){
+ if($customnetwork{$key}[0] eq $val){
+ return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
+ }
+ }
+}
+sub get_host_ip
+{
+ my $val=shift;
+ my $src=shift;
+ foreach my $key (sort {$a <=> $b} keys %customhost){
+ if($customhost{$key}[0] eq $val){
+ if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
+ return "-m mac --mac-source $customhost{$key}[2]";
+ }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
+ return "$customhost{$key}[2]";
+ }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
+ return "$customhost{$key}[2]";
+ }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
+ return "none";
+ }
+ }
+ }
+}
+
+return 1;
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
new file mode 100755
index 0000000..0fcfaa4
--- /dev/null
+++ b/config/forwardfw/firewall-policy
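Review bot: get_grp_ip calls `&get_address($customgrp{$key}[3],$src)`, a sub that is defined nowhere in this `package fwlib` file, and it throws the result away, so under `use strict` the sub either dies (`Undefined subroutine &fwlib::get_address`) or, if a caller happens to provide it, returns nothing for every group; the other lookups here return fragments that a caller evidently splices into an iptables command (get_std_net_ip yields `0.0.0.0/0 -o $con`, get_host_ip yields `-m mac --mac-source ...`), and an empty address fragment in that position produces a rule that matches any source or destination. Either `return &get_address($customgrp{$key}[3],$src);` against a helper that exists, or drop the sub until it does. In get_srvgrp_port the ICMP branch joins the collected types into a single `--icmp-type a,b` argument, which iptables does not accept as a comma list, so a service group with more than one ICMP service will fail to load; that case needs one rule per type. Also, since these strings are built straight from the fwhosts/vpn config files and returned for shell interpolation, a short comment noting that only admin-written config is trusted here would be worth adding at the top of the file.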
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 Alexander Marx amarx@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+
+iptables -F POLICYFWD
+iptables -F POLICYOUT
+iptables -F POLICYIN
+
+if [ -f "/var/ipfire/red/iface" ]; then
+ IFACE=`cat /var/ipfire/red/iface`
+fi
+
+#FORWARDFW
+if [ "$POLICY" == "MODE1" ]; then
+ if [ "$FWPOLICY" == "REJECT" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ fi
+ if [ "$FWPOLICY" == "DROP" ]; then
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ fi
+else
+ if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
+ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
+ fi
+ /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
+ /sbin/iptables -A POLICYFWD -j ACCEPT
+ /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+fi
+
+#OUTGOINGFW
+if [ "$POLICY1" == "MODE1" ]; then
+ if [ "$FWPOLICY1" == "REJECT" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ fi
+ if [ "$FWPOLICY1" == "DROP" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
+else
+ /sbin/iptables -A POLICYOUT -j ACCEPT
+ /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+fi
+#INPUT
+if [ "$FWPOLICY2" == "REJECT" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ fi
+ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+fi
+if [ "$FWPOLICY2" == "DROP" ]; then
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+fi
+
+exit 0
diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols
new file mode 100644
index 0000000..7000581
--- /dev/null
+++ b/config/forwardfw/p2protocols
@@ -0,0 +1,9 @@
+Applejuice;apple;off;
+Ares;ares;off;
+Bittorrent;bit;off;
+DirectConnect;dc;off;
+Edonkey;edk;off;
+Gnutella;gnu;off;
+KaZaA;kazaa;off;
+SoulSeek;soul;off;
+WinMX;winmx;off;
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
new file mode 100755
index 0000000..370b7ec
--- /dev/null
+++ b/config/forwardfw/rules.pl
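Review bot: The orange isolation rule `/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP` lacks the `[ "$IFACE" ]` guard that the blue rule just above it has, so when `/var/ipfire/red/iface` is absent the command expands to `! -o -j DROP`, iptables rejects it (or installs it against a bogus interface), and the unconditional `-j ACCEPT` that follows lets orange reach every other zone — the permissive branch fails open exactly when the red link is down. Guard it the same way, `if [ -n "$IFACE" ]; then /sbin/iptables -A POLICYFWD -i orange0 ! -o "$IFACE" -j DROP; fi`, or append a plain `-i orange0 -j DROP` when no red interface exists. The file is `#!/bin/sh` yet every test uses `==`, which POSIX `[` does not define; on a shell that rejects it (dash, for one) the test errors and evaluates false, and for `$POLICY`/`$POLICY1` that again lands in the ACCEPT-everything else branch, so `=` should be used throughout. The three `-F` calls at the top use bare `iptables` while the rest use `/sbin/iptables`; pick one.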
@@ -0,0 +1,610 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +use Time::Local; +no warnings 'uninitialized'; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +my %fwdfwsettings=(); +my %defaultNetworks=(); +my %configfwdfw=(); +my %color=(); +my %icmptypes=(); +my %ovpnSettings=(); +my %customgrp=(); +our %sourcehash=(); +our %targethash=(); +my @timeframe=(); +my %configinputfw=(); +my %configoutgoingfw=(); +my %confignatfw=(); +my %aliases=(); +my @DPROT=(); +my @p2ps=(); +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/forward/bin/firewall-lib.pl"; + +my $configfwdfw = "${General::swroot}/forward/config"; +my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $p2pfile = "${General::swroot}/forward/p2protocols"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $netsettings = "${General::swroot}/ethernet/settings"; +my $errormessage=''; +my $orange; +my 
$green; +my $blue; +my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); +my $CHAIN="FORWARDFW"; +my $conexists='off'; +my $command = 'iptables -A'; +my $dnat=''; +my $snat=''; +&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); +&General::readhash("$netsettings", %defaultNetworks); +&General::readhasharray($configfwdfw, %configfwdfw); +&General::readhasharray($configinput, %configinputfw); +&General::readhasharray($configoutgoing, %configoutgoingfw); +&General::readhasharray($configgrp, %customgrp); +&General::get_aliases(%aliases); + +#check if we have an internetconnection +open (CONN,"/var/ipfire/red/iface"); +my $con = <CONN>; +close(CONN); +if (-f "/var/ipfire/red/active"){ + $conexists='on'; +} +open (CONN1,"/var/ipfire/red/local-ipaddress"); +my $redip = <CONN1>; +close(CONN1); +################################ +# DEBUG/TEST # +################################ +my $MODE=0; # 0 - normal operation + # 1 - print configline and rules to console + # +################################ +my $param=shift; + +if($param eq 'flush'){ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; +}else{ + if ($MODE eq '1'){ + print " Flushing chains...\n"; + } + &flush; + if ($MODE eq '1'){ + print " Preparing rules...\n"; + } + &preparerules; + if($MODE eq '0'){ + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ + &p2pblock; + system ("/usr/sbin/firewall-policy"); + }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ + &p2pblock; + system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); + system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); + } + } +} +sub flush +{ + system ("iptables -F FORWARDFW"); + system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); + system ("iptables -t nat -F NAT_DESTINATION"); + system ("iptables -t nat -F NAT_SOURCE"); +} +sub preparerules +{ + if (! -z "${General::swroot}/forward/config"){ + &buildrules(%configfwdfw); + } + if (! 
-z "${General::swroot}/forward/input"){ + &buildrules(%configinputfw); + } + if (! -z "${General::swroot}/forward/outgoing"){ + &buildrules(%configoutgoingfw); + } +} +sub buildrules +{ + my $hash=shift; + my $STAG; + my $natip; + my $snatport; + my $fireport; + my $nat; + my $fwaccessdport; + my $natchain; + foreach my $key (sort {$a <=> $b} keys %$hash){ + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); + if ($$hash{$key}[28] eq 'ON'){ + $command='iptables -t nat -A'; + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); + if($$hash{$key}[31] eq 'dnat'){ + $nat='DNAT'; + if ($$hash{$key}[30] =~ /|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } + }else{ + $nat='SNAT'; + } + } + $STAG=''; + if($$hash{$key}[2] eq 'ON'){ + #get source ip's + if ($$hash{$key}[3] eq 'cust_grp_src'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[4]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); + } + } + }else{ + &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); + } + #get target ip's + if ($$hash{$key}[5] eq 'cust_grp_tgt'){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ + if($customgrp{$grp}[0] eq $$hash{$key}[6]){ + &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); + } + } + }elsif($$hash{$key}[5] eq 'ipfire' ){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $targethash{$key}[0]= 
<FILE>; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($$hash{$key}[6] eq $alias){ + $targethash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + }else{ + &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); + } + ##get source prot and port + $SRC_TGT='SRC'; + $SPROT = &get_prot($hash,$key); + $SPORT = &get_port($hash,$key); + $SRC_TGT=''; + + ##get target prot and port + $DPROT=&get_prot($hash,$key); + + if ($DPROT eq ''){$DPROT=' ';} + @DPROT=split(",",$DPROT); + + #get time if defined + if($$hash{$key}[18] eq 'ON'){ + my ($time1,$time2,$daylight); + my $daylight=$$hash{$key}[28]; + $time1=&get_time($$hash{$key}[26],$daylight); + $time2=&get_time($$hash{$key}[27],$daylight); + if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} + if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} + if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} + if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} + if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} + if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} + if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} + $TIME=join(",",@timeframe); + + $TIMEFROM="--timestart $time1 "; + $TIMETILL="--timestop $time2 "; + $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; + } + if ($MODE eq '1'){ + print "NR:$key "; + foreach my $i (0 .. 
$#{$$hash{$key}}){ + print "$i: $$hash{$key}[$i] "; + } + print "\n"; + print"##################################\n"; + #print rules to console + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + if ($$hash{$key}[17] eq 'ON'){ + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; + } + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; + } + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + if ($PROT ne '-p ICMP'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + print"\n"; + } + }elsif($MODE eq '0'){ + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + if ($$hash{$key}[17] eq 'ON'){ + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); + } + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); + } + #PROCESS DNAT RULE (Portforward) + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 
'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + #PROCESS SNAT RULE + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) + if ($PROT ne '-p ICMP'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } + } + } + } + } + } + } + %sourcehash=(); + %targethash=(); + undef $TIME; + undef $TIMEFROM; + undef $TIMETILL; + undef $fireport; + } +} +sub get_nat_ip +{ + my $val=shift; + my $type=shift; + my $result; + if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ + $result=$defaultNetworks{$val.'_ADDRESS'}; + }elsif($val eq 'ALL'){ + $result='-i '.$con; + }elsif($val eq 'Default IP' && $type eq 'dnat'){ + $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; + }else{ + foreach my $al (sort keys 
%aliases){ + if($val eq $al && $type eq 'dnat'){ + $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; + } + } + } + return $result; +} +sub get_time +{ + my $val=shift; + my $val1=shift; + my $time; + my $minutes; + my $ruletime; + $minutes = &utcmin($val); + $ruletime = $minutes + &time_get_utc($val); + if ($ruletime < 0){$ruletime +=1440;} + if ($ruletime > 1440){$ruletime -=1440;} + $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; + return $time; +} +sub time_get_utc +{ + # Calculates the UTCtime from a given time + my $val=shift; + my @localtime=localtime(time); + my @gmtime=gmtime(time); + my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); + return $diff; +} +sub utcmin +{ + my $ruletime=shift; + my ($hrs,$min) = split(":",$ruletime); + my $newtime = $hrs*60+$min; + return $newtime; +} +sub p2pblock +{ + my $P2PSTRING; + my $DO; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = <FILE>; + close FILE; + my $CMD = "-m ipp2p"; + foreach my $p2pentry (sort @p2ps) { + my @p2pline = split( /;/, $p2pentry ); + if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { + $DO = "ACCEPT"; + if ("$p2pline[2]" eq "on") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + }else { + $DO = "RETURN"; + if ("$p2pline[2]" eq "off") { + $P2PSTRING = "$P2PSTRING --$p2pline[1]"; + } + } + } + if ($MODE eq 1){ + if($P2PSTRING){ + print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; + } + }else{ + if($P2PSTRING){ + system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); + } + } +} +sub get_address +{ + my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey + my $base2=shift; + my $type=shift; #src or tgt + my $hash; + if ($type eq 'src'){ + $hash=%sourcehash; + }else{ + $hash=%targethash; + } + my $key = &General::findhasharraykey($hash); + if($base eq 'src_addr' || $base eq 'tgt_addr' ){ + if (&General::validmac($base2)){ + $$hash{$key}[0] = "-m mac 
--mac-source $base2"; + }else{ + $$hash{$key}[0] = $base2; + } + }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ + $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); + }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ + $$hash{$key}[0]=&fwlib::get_net_ip($base2); + }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ + $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); + }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ + $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); + }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ + $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); + }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); + }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ + $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= <FILE>; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } + } +} +sub get_prot +{ + my $hash=shift; + my $key=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + return"$$hash{$key}[8]"; + }elsif($$hash{$key}[9] ne ''){ + return"$$hash{$key}[8]"; + }else{ + return "$$hash{$key}[8]"; + } + 
}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if ($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + return "$$hash{$key}[12]"; + }elsif($$hash{$key}[13] ne ''){ + return "$$hash{$key}[12]"; + }else{ + return "$$hash{$key}[12]"; + } + }elsif($$hash{$key}[14] eq 'cust_srv'){ + return &fwlib::get_srv_prot($$hash{$key}[15]); + + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + return &fwlib::get_srvgrp_prot($$hash{$key}[15]); + } + } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[12]"; + } +} +sub get_port +{ + my $hash=shift; + my $key=shift; + my $prot=shift; + if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ + if ($$hash{$key}[10] ne ''){ + $$hash{$key}[10] =~ s/|/,/g; + if(index($$hash{$key}[10],",") > 0){ + return "-m multiport --sport $$hash{$key}[10] "; + }else{ + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ + return "--sport $$hash{$key}[10] "; + }else{ + return ":$$hash{$key}[10]"; + } + } + }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[14] eq 'TGT_PORT'){ + if ($$hash{$key}[15] ne ''){ + $$hash{$key}[15] =~ s/|/,/g; + if(index($$hash{$key}[15],",") > 0){ + return "-m multiport --dport $$hash{$key}[15] "; + }else{ + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ + return "--dport $$hash{$key}[15] "; + }else{ + $$hash{$key}[15] =~ s/:/-/g; + return ":$$hash{$key}[15]"; + } + } + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[13] "; + }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 
'cust_srv'){ + if ($prot ne 'ICMP'){ + if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }else{ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + } + }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ + return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); + }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ + return; + } + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + if ($prot ne 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + elsif($prot eq 'ICMP'){ + return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); + } + } + } +} diff --git a/config/fwhosts/customservices b/config/fwhosts/customservices new file mode 100644 index 0000000..07dd3d2 --- /dev/null +++ b/config/fwhosts/customservices @@ -0,0 +1,32 @@ +32,rsync,873,TCP,BLANK,0 +21,IMAPS,993,TCP,BLANK,0 +7,WINS,42,TCP,BLANK,0 +26,LPD,515,TCP,BLANK,0 +17,IRC,194,TCP,BLANK,0 +2,FTP-control,21,TCP,BLANK,0 +1,FTP-data,20,TCP,BLANK,0 +18,HTTPS,443,TCP,BLANK,0 +30,NFS,2049,TCP,BLANK,0 +16,SNMP,161,UDP,BLANK,0 +25,IPP (UDP),631,UDP,BLANK,0 +27,JetDirect,9100,TCP,BLANK,0 +28,LDAP,389,TCP,BLANK,0 +14,NetBIOS Session Service,139,TCP,BLANK,0 +20,FTPS control,990,TCP,BLANK,0 +24,IPP (TCP),631,TCP,BLANK,0 +10,SFTP,115,TCP,BLANK,0 +31,Radius,1812,TCP,BLANK,0 +11,NTP,123,UDP,BLANK,0 +22,POP3S,995,TCP,BLANK,0 +13,NetBIOS Datagram Service,138,TCP,BLANK,0 +23,RDP,3389,TCP,BLANK,0 +29,LDAPS,636,TCP,BLANK,0 +6,Time,37,TCP,BLANK,0 +3,SSH,22,TCP,BLANK,0 +9,POP3,110,TCP,BLANK,0 +12,NetBIOS Name Service,137,TCP,BLANK,0 +15,IMAP,143,TCP,BLANK,0 +8,HTTP,80,TCP,BLANK,0 +4,Telnet,23,UDP,BLANK,0 +19,FTPS data,989,TCP,BLANK,0 +5,SMTP,25,TCP,BLANK,0 diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types new file mode 100755 index 0000000..a9066a8 --- /dev/null +++ b/config/fwhosts/icmp-types 
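Review bot: In buildrules the file-level `@timeframe` array is only pushed to and never cleared, so the second and later rules with a time restriction inherit the weekdays of every earlier one (`--weekdays Mon,Tue,Mon,Wed,...`), making time-limited rules active on days they were not configured for; add `@timeframe=();` next to `%sourcehash=();` at the end of the per-rule loop, or declare it with `my` inside the `$$hash{$key}[18] eq 'ON'` branch. The MODE 0 ICMP LOG call has a space in `-- icmp-type $_`, which iptables reads as end-of-options, so logging for ICMP rules fails where the MODE 1 print and the non-LOG rule correctly use `--icmp-type`. `$con` and `$redip` come straight from `<CONN>`/`<CONN1>` and are interpolated into `-i $con` and `-d $redip` without `chomp`; if those files end with a newline the single string handed to `system` is split at that point, so `chomp($con); chomp($redip);` (and the same for the `<FILE>` reads of local-ipaddress) would be safer. Every rule is assembled as one shell string for `system`, so values from the config files reach the shell unquoted; the list form `system('iptables', ...)` would keep each value a single argument.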
@@ -0,0 +1,36 @@
+0,echo-reply,0
+1,destination-unreachable,3
+2,network-unreachable,3/0
+3,host-unreachable,3/1
+4,protocol-unreachable,3/2
+5,port-unreachable,3/3
+6,fragmentation-needed,3/4
+7,source-route-failed,3/5
+8,network-unknown,3/6
+9,host-unknown,3/7
+10,network-prohibited,3/9
+11,host-prohibited,3/10
+12,TOS-network-unreachable,3/11
+13,TOS-host-unreachable,3/12
+14,communication-prohibited,3/13
+15,host-precedence-violation,3/14
+16,precedence-cutoff,3/15
+17,source-quench,4
+18,redirect,5
+19,network-redirect,5/0
+20,host-redirect,5/1
+21,TOS-network-redirect,5/2
+22,TOS-host-redirect,5/3
+23,echo-request,8
+24,router-advertisement,9
+25,router-solicitation,10
+26,time-exceeded,11
+27,ttl-zero-during-transit,11/0
+28,ttl-zero-during-reassembly,11/1
+29,parameter-problem,12
+30,ip-header-bad,12/0
+31,required-option-missing,12/1
+32,timestamp-request,13
+33,timestamp-reply,14
+34,address-mask-request,17
+35,address-mask-reply,18
diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index de28f8e..2de9e7b 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu

@@ -1,52 +1,40 @@ - $subfirewall->{'10.dnat'} = { - 'caption' => $Lang::tr{'ssport forwarding'}, - 'uri' => '/cgi-bin/portfw.cgi', - 'title' => "$Lang::tr{'ssport forwarding'}", - 'enabled' => 1, - }; - $subfirewall->{'20.xtaccess'} = { - 'caption' => $Lang::tr{'external access'}, - 'uri' => '/cgi-bin/xtaccess.cgi', - 'title' => "$Lang::tr{'external access'}", - 'enabled' => 1, - }; - $subfirewall->{'30.wireless'} = { - 'caption' => $Lang::tr{'blue access'}, - 'uri' => '/cgi-bin/wireless.cgi', - 'title' => "$Lang::tr{'blue access'}", + $subfirewall->{'10.forward'} = { + 'caption' => $Lang::tr{'fwdfw menu'}, + 'uri' => '/cgi-bin/forwardfw.cgi', + 'title' => "$Lang::tr{'fwdfw menu'}", 'enabled' => 1, - }; - $subfirewall->{'40.dmz'} = { - 'caption' => $Lang::tr{'ssdmz pinholes'}, - 'uri' => '/cgi-bin/dmzholes.cgi', - 'title' => "$Lang::tr{'dmz pinhole configuration'}", + }; + $subfirewall->{'20.fwhost'} = { + 'caption' => $Lang::tr{'fwhost menu'}, + 'uri' => '/cgi-bin/fwhosts.cgi', + 'title' => "$Lang::tr{'fwhost menu'}", 'enabled' => 1, - }; - $subfirewall->{'50.outgoing'} = { - 'caption' => $Lang::tr{'outgoing firewall'}, - 'uri' => '/cgi-bin/outgoingfw.cgi', - 'title' => "$Lang::tr{'outgoing firewall'}", + }; + $subfirewall->{'30.optionsfw'} = { + 'caption' => $Lang::tr{'options fw'}, + 'uri' => '/cgi-bin/optionsfw.cgi', + 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; - $subfirewall->{'51.outgoinggrp'} = { - 'caption' => $Lang::tr{'outgoing firewall groups'}, - 'uri' => '/cgi-bin/outgoinggrp.cgi', - 'title' => "$Lang::tr{'outgoing firewall groups'}", + $subfirewall->{'40.p2p'} = { + 'caption' => 'P2P-Block', + 'uri' => '/cgi-bin/p2p-block.cgi', + 'title' => "P2P-Block", 'enabled' => 1, }; - $subfirewall->{'60.upnp'} = { + $subfirewall->{'60.wireless'} = { + 'caption' => $Lang::tr{'blue access'}, + 'uri' => '/cgi-bin/wireless.cgi', + 'title' => "$Lang::tr{'blue access'}", + 'enabled' => 1, + }; + $subfirewall->{'70.upnp'} = { 'caption' => 'UPnP', 'uri' => 
'/cgi-bin/upnp.cgi', 'title' => "Universal Plug and Play", 'enabled' => 0, }; - $subfirewall->{'60.optingsfw'} = { - 'caption' => $Lang::tr{'options fw'}, - 'uri' => '/cgi-bin/optionsfw.cgi', - 'title' => "$Lang::tr{'options fw'}", - 'enabled' => 1, - }; - $subfirewall->{'70.iptables'} = { + $subfirewall->{'90.iptables'} = { 'caption' => $Lang::tr{'ipts'}, 'uri' => '/cgi-bin/iptables.cgi', 'title' => "$Lang::tr{'ipts'}", diff --git a/config/outgoingfw/defaultservices b/config/outgoingfw/defaultservices deleted file mode 100644 index f2cf475..0000000 --- a/config/outgoingfw/defaultservices +++ /dev/null @@ -1,34 +0,0 @@ -bootpc,68,tcp&udp,Bootstrap Protocol Client -bootps,67,tcp&udp,Bootstrap Protocol Server -domain,53,tcp&udp,Domain Name Server -echo,7,tcp&udp,Echo -ftp,21,tcp&udp,File Transfer Control -ftp-data,20,tcp&udp,File Control Data -http,80,tcp,Hypertext Transfer Protocol -https,443,tcp,secure HTTP -imap,143,tcp,Interactive Mail Access Protocol -imap3,220,tcp,Interactive Mail Access Protocol v3 -imaps,993,tcp,secure IMAP -ipfire-https,444,tcp,IPFire HTTPS -ipfire-ssh,222,tcp&udp,IPFire SSH -irc,194,tcp&udp,Internet Relay Chat -ircd,6667,tcp&udp,Internet Relay Chat -microsoft-ds,445,tcp&udp,Netbios Filesharing -nameserver,42,tcp&udp,Host Name Server -netbios-dgm,138,tcp&udp,NETBIOS Datagram Service -netbios-ns,137,tcp&udp,NETBIOS Name Server -netbios-ssn,139,tcp&udp,NETBIOS Session Service -nfs,2049,tcp&udp,Network File System -ntp,123,udp,Network Time Protocol -pop3,110,tcp,POP3 Email -pop3s,995,tcp,secure POP3 Email -sftp,115,tcp&udp,secure File Transfer Protocol -smtp,25,tcp,Simple Mail Transfer Protocol -smtps,465,tcp,secure Simple Mail Transfer Protocol -snmp,161,tcp&udp,Simple Network Management -snmptrap,162,udp,SNMP Trap -ssh,22,tcp&udp,SSH -telnet,23,tcp&udp,Telnet -tftp,69,tcp&udp,Trivial File Transfer -time,37,tcp&udp,Time -wins,1512,tcp&udp,Windows Internet Name Service 
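Review bot: The new '40.p2p' entry hard-codes `'caption' => 'P2P-Block'` and `'title' => "P2P-Block"` while every neighbouring entry goes through `$Lang::tr{...}`, so this menu label is the only one that will not be translated; a language-table key added alongside the new 'fwdfw menu' and 'fwhost menu' strings would keep the file consistent. The `'title'` value also needs no interpolation, so single quotes would match the caption line.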
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
deleted file mode 100644
index 1208567..0000000
--- a/config/outgoingfw/outgoingfw.pl
+++ /dev/null
@@ -1,286 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - - -use strict; -# enable only the following on debugging purpose -#use warnings; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); -my $CMD = ""; -my $P2PSTRING = ""; - -my $DEBUG = 0; - -my $configfile = "/var/ipfire/outgoing/rules"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = 
''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; - -my @SOURCE = ""; -my $SOURCE = ""; -my $DESTINATION = ""; -my @PROTO = ""; -my $PROTO = ""; -my $DPORT = ""; -my $DEV = ""; -my $MAC = ""; -my $DO = ""; -my $DAY = ""; - -# read files -&General::readhash("${General::swroot}/outgoing/settings", %outfwsettings); -&General::readhash("${General::swroot}/ethernet/settings", %netsettings); - -$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`; -$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`; - -open( FILE, "< $configfile" ) or die "Unable to read $configfile"; -@configs = <FILE>; -close FILE; - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $outfwsettings{'STATE'} = "ALLOW"; - $DO = "RETURN"; -} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $outfwsettings{'STATE'} = "DENY"; - $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '"; -} - -### Initialize IPTables -system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1"); - -system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1"); - -if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { - &firewall_local_reload(); - exit 0 -} - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { 
system("$CMD"); } -} - -foreach $configentry (sort @configs) -{ - @SOURCE = ""; - $DESTINATION = ""; - $PROTO = ""; - $DPORT = ""; - $DEV = ""; - $MAC = ""; - @configline = split( /;/, $configentry ); - - if ($outfwsettings{'STATE'} eq $configline[0]) { - if ($configline[2] eq 'green') { - @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); - $DEV = $netsettings{'GREEN_DEV'}; - } elsif ($configline[2] eq 'red') { - @SOURCE = ("$netsettings{'RED_IP'}"); - $DEV = ""; - } elsif ($configline[2] eq 'blue') { - @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); - $DEV = $netsettings{'BLUE_DEV'}; - } elsif ($configline[2] eq 'orange') { - @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); - $DEV = $netsettings{'ORANGE_DEV'}; - } elsif ($configline[2] eq 'ipsec') { - @SOURCE = ""; - $DEV = "ipsec+"; - } elsif ($configline[2] eq 'ovpn') { - @SOURCE = ""; - $DEV = "tun+"; - } elsif ($configline[2] eq 'ip') { - @SOURCE = ("$configline[5]"); - $DEV = ""; - } elsif ($configline[2] eq 'mac') { - @SOURCE = ("$configline[6]"); - $DEV = ""; - } elsif ($configline[2] eq 'all') { - @SOURCE = ("0/0"); - $DEV = ""; - } else { - if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; - } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`; - $configline[2] = "mac"; - } - $DEV = ""; - } - - if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } - - if ($configline[3] eq 'tcp') { - @PROTO = ("tcp"); - } elsif ($configline[3] eq 'udp') { - @PROTO = ("udp"); - } elsif ($configline[3] eq 'esp') { - @PROTO = ("esp"); - } elsif ($configline[3] eq 'gre') { - @PROTO = ("gre"); - } else { - @PROTO = ("tcp","udp"); - } - - my $macrule = 0; - foreach $PROTO (@PROTO){ - foreach $SOURCE (@SOURCE) { - $SOURCE =~ s/\s//gi; - 
- if ( $SOURCE eq "" || $configline[1] eq "" ){next;} - - if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){ - $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; - $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; - $macrule = 1; - } else { - $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO"; - } - - if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { - $DPORT = "$configline[8]"; - $CMD = "$CMD -m multiport --destination-port $DPORT"; - } - - if ($DEV) { - $CMD = "$CMD -i $DEV"; - } - - if ($configline[17] && $configline[18]) { - $DAY = ""; - if ($configline[10]){$DAY = "Mon,"} - if ($configline[11]){$DAY .= "Tue,"} - if ($configline[12]){$DAY .= "Wed,"} - if ($configline[13]){$DAY .= "Thu,"} - if ($configline[14]){$DAY .= "Fri,"} - if ($configline[15]){$DAY .= "Sat,"} - if ($configline[16]){$DAY .= "Sun"} - $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; - } - - $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - - if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule); - } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule); - } - - applyrule("$CMD -j $DO", $macrule); - } - } - } -} - -### Do the P2P-Stuff here -open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; -@p2ps = <FILE>; -close FILE; - -$CMD = "-m ipp2p"; - -foreach $p2pentry (sort @p2ps) { - @p2pline = split( /;/, $p2pentry ); - if ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $DO = "DROP"; - if ("$p2pline[2]" eq "off") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } else { - $DO = "RETURN"; - if ("$p2pline[2]" eq "on") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } -} -if ($P2PSTRING) { - applyrule("$CMD $P2PSTRING -j $DO", 0); -} - -if ( 
$outfwsettings{'POLICY'} eq 'MODE1' ) { - if ( $outfwsettings{'MODE1LOG'} eq 'on' ) { - applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0); - } - - applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0); -} - -&firewall_local_reload(); - -sub applyrule($$) { - my $cmd = shift; - my $macrule = shift; - - system("/sbin/iptables -A OUTGOINGFWMAC $cmd"); - if ($macrule == 0) { - system("/sbin/iptables -A OUTGOINGFW $cmd"); - } -} - -sub firewall_local_reload() { - my $script = "/etc/sysconfig/firewall.local"; - - if ( -x $script ) { - system("$script reload >/dev/null 2>&1"); - } -} diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 9be3581..8889b67 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1390,9 +1390,11 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dmzholes.cgi +#srv/web/ipfire/cgi-bin/dmzholes.cgi srv/web/ipfire/cgi-bin/extrahd.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi +srv/web/ipfire/cgi-bin/forwardfw.cgi +srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/gui.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi srv/web/ipfire/cgi-bin/hosts.cgi @@ -1408,12 +1410,12 @@ srv/web/ipfire/cgi-bin/modem.cgi srv/web/ipfire/cgi-bin/netexternal.cgi srv/web/ipfire/cgi-bin/netinternal.cgi srv/web/ipfire/cgi-bin/netother.cgi -srv/web/ipfire/cgi-bin/outgoingfw.cgi -srv/web/ipfire/cgi-bin/outgoinggrp.cgi +#srv/web/ipfire/cgi-bin/outgoingfw.cgi +#srv/web/ipfire/cgi-bin/outgoinggrp.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/p2p-block.cgi srv/web/ipfire/cgi-bin/pakfire.cgi -srv/web/ipfire/cgi-bin/portfw.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/qos.cgi 
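Review bot: In the apache2 rootfile hunks the retired CGIs are handled two different ways — `dmzholes.cgi`, `outgoingfw.cgi`, `outgoinggrp.cgi` and `xtaccess.cgi` are commented out while `portfw.cgi` is deleted outright — so a reader cannot tell whether those scripts are meant to stay in the source tree or go. Whichever is intended, a rootfile change only stops shipping a file; on systems being upgraded the old CGIs presumably remain in cgi-bin and stay reachable through the web server unless the update also removes them, which nothing in this commit shows. Treating all five entries the same way and stating the removal step in the description would make the intent clear.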
@@ -1432,6 +1434,6 @@ srv/web/ipfire/cgi-bin/wakeonlan.cgi
 srv/web/ipfire/cgi-bin/webaccess.cgi
 srv/web/ipfire/cgi-bin/wireless.cgi
 srv/web/ipfire/cgi-bin/wirelessclient.cgi
-srv/web/ipfire/cgi-bin/xtaccess.cgi
+#srv/web/ipfire/cgi-bin/xtaccess.cgi
 srv/web/ipfire/html
 var/updatecache
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 25fca8d..1b8fbda 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -81,11 +81,9 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/20-RL-firewall
-etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
 etc/rc.d/init.d/networking/red.up/23-RS-snort
 etc/rc.d/init.d/networking/red.up/24-RS-qos
-etc/rc.d/init.d/networking/red.up/25-portfw
-etc/rc.d/init.d/networking/red.up/26-xtaccess
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 etc/rc.d/init.d/networking/red.up/40-ipac
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 8965ff7..6849250 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -1,3 +1,8 @@
+usr/sbin/convert-dmz
+usr/sbin/convert-outgoingfw
+usr/sbin/convert-portfw
+usr/sbin/convert-xtaccess
+usr/sbin/firewall-policy
 #var/ipfire
 var/ipfire/addon-lang
 var/ipfire/auth
@@ -26,8 +31,6 @@ var/ipfire/dhcp
 #var/ipfire/dhcp/fixleases
 #var/ipfire/dhcp/settings
 var/ipfire/dhcpc
-var/ipfire/dmzholes
-#var/ipfire/dmzholes/config
 var/ipfire/dns
 #var/ipfire/dns/settings
 var/ipfire/dnsforward
@@ -47,6 +50,23 @@ var/ipfire/extrahd/partitions
 var/ipfire/extrahd/scan
 var/ipfire/extrahd/settings
 var/ipfire/fwlogs
+var/ipfire/forward
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/settings
+var/ipfire/forward/config
+var/ipfire/forward/input
+var/ipfire/forward/outgoing
+var/ipfire/forward/dmz
+var/ipfire/forward/nat
+var/ipfire/forward/p2protocols
+var/ipfire/fwhosts
+var/ipfire/fwhosts/icmp-types
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
 #var/ipfire/fwlogs/ipsettings
 #var/ipfire/fwlogs/portsettings
 var/ipfire/general-functions.pl
@@ -105,11 +125,11 @@ var/ipfire/net-traffic
 #var/ipfire/nfs
 #var/ipfire/nfs/nfs-server
 var/ipfire/optionsfw
-#var/ipfire/optionsfw/settings
-var/ipfire/outgoing
+var/ipfire/optionsfw/settings
+#var/ipfire/outgoing
 #var/ipfire/outgoing/bin
 #var/ipfire/outgoing/bin/outgoingfw.pl
-var/ipfire/outgoing/defaultservices
+#var/ipfire/outgoing/defaultservices
 #var/ipfire/outgoing/groups
 #var/ipfire/outgoing/groups/ipgroups
 #var/ipfire/outgoing/groups/macgroups
@@ -188,7 +208,5 @@ var/ipfire/wakeonlan
 var/ipfire/wireless
 #var/ipfire/wireless/config
 #var/ipfire/wireless/settings
-var/ipfire/xtaccess
-#var/ipfire/xtaccess/config
 var/ipfire/firebuild
 etc/system-release
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 3aca59e..ca47f80 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -83,11 +83,9 @@ etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/20-RL-firewall
-etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
 etc/rc.d/init.d/networking/red.up/23-RS-snort
 etc/rc.d/init.d/networking/red.up/24-RS-qos
-etc/rc.d/init.d/networking/red.up/25-portfw
-etc/rc.d/init.d/networking/red.up/26-xtaccess
 etc/rc.d/init.d/networking/red.up/27-RS-squid
 etc/rc.d/init.d/networking/red.up/30-ddns
 etc/rc.d/init.d/networking/red.up/40-ipac
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index 8fd9b0b..2463ba2 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -15,7 +15,8 @@ usr/local/bin/launch-ether-wake
 usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
-usr/local/bin/outgoingfwctrl
+#usr/local/bin/outgoingfwctrl
+usr/local/bin/forwardfwctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
@@ -23,9 +24,6 @@ usr/local/bin/rebuildroutes
 usr/local/bin/redctrl
 #usr/local/bin/sambactrl
 usr/local/bin/setaliases
-usr/local/bin/setdmzholes
-usr/local/bin/setportfw
-usr/local/bin/setxtaccess
 usr/local/bin/smartctrl
 usr/local/bin/snortctrl
 usr/local/bin/squidctrl
diff --git a/config/rootfiles/core/fifteen/exclude b/config/rootfiles/core/fifteen/exclude
new file mode 100644
index 0000000..321a931
--- /dev/null
+++ b/config/rootfiles/core/fifteen/exclude
@@ -0,0 +1,17 @@
+srv/web/ipfire/html/proxy.pac
+boot/config.txt
+etc/udev/rules.d/30-persistent-network.rules
+etc/collectd.custom
+etc/shadow
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/log/cache
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+var/state/dhcp/dhcpd.leases
diff --git a/config/rootfiles/core/fifteen/filelists/files b/config/rootfiles/core/fifteen/filelists/files
new file mode 100644
index 0000000..2d4ff42
--- /dev/null
+++ b/config/rootfiles/core/fifteen/filelists/files
@@ -0,0 +1,13 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/network
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/upnp.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+var/ipfire/backup/bin/backup.pl
+var/ipfire/backup/exclude
+var/ipfire/backup/include
+var/ipfire/general-functions.pl
+var/ipfire/header.pl
+var/ipfire/langs
diff --git a/config/rootfiles/core/fifteen/filelists/firewall b/config/rootfiles/core/fifteen/filelists/firewall
new file mode 100644
index 0000000..fc50598
--- /dev/null
+++ b/config/rootfiles/core/fifteen/filelists/firewall
@@ -0,0 +1,29 @@
+etc/rc.d/init.d/firewall
+etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
+srv/web/ipfire/cgi-bin/forwardfw.cgi
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/optionsfw.cgi
+srv/web/ipfire/cgi-bin/p2p-block.cgi
+usr/sbin/convert-dmz
+usr/sbin/convert-outgoingfw
+usr/sbin/convert-portfw
+usr/sbin/convert-xtaccess
+usr/sbin/firewall-policy
+var/ipfire/forward
+var/ipfire/forward/bin/firewall-lib.pl
+var/ipfire/forward/bin/rules.pl
+var/ipfire/forward/config
+var/ipfire/forward/dmz
+var/ipfire/forward/input
+var/ipfire/forward/nat
+var/ipfire/forward/outgoing
+var/ipfire/forward/p2protocols
+var/ipfire/forward/settings
+var/ipfire/fwhosts
+var/ipfire/fwhosts/customhosts
+var/ipfire/fwhosts/customnetworks
+var/ipfire/fwhosts/customgroups
+var/ipfire/fwhosts/customservices
+var/ipfire/fwhosts/customservicegrp
+var/ipfire/fwhosts/icmp-types
+var/ipfire/menu.d/50-firewall.menu
diff --git a/config/rootfiles/core/fifteen/filelists/misc-progs b/config/rootfiles/core/fifteen/filelists/misc-progs
new file mode 120000
index 0000000..7223cad
--- /dev/null
+++ b/config/rootfiles/core/fifteen/filelists/misc-progs
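Review bot: The firewall filelist ships per-installation rule state — `var/ipfire/forward/config`, `var/ipfire/forward/dmz`, `var/ipfire/forward/input`, `var/ipfire/forward/nat`, `var/ipfire/forward/outgoing`, `var/ipfire/forward/settings` and the `var/ipfire/fwhosts/custom*` files — inside the update payload, and none of these paths is in the new `exclude` list that protects `var/ipfire/ovpn`, `etc/ipsec.*` and similar state. On this first roll-out that only works because update.sh runs extract_files before the converters populate these files; should the tarball ever be extracted again, the shipped defaults would replace the converted rules, and the legacy `dmzholes`/`portfw`/`outgoing`/`xtaccess` directories are removed by the same script, so there is nothing left to re-convert from. If the converters create these files themselves, the rule files could be dropped from this list and added to `exclude`; if they do not, the intended one-shot behaviour should at least be stated in a comment at the top of the list.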
@@ -0,0 +1 @@
+../../../common/misc-progs
\ No newline at end of file
diff --git a/config/rootfiles/core/fifteen/filelists/strongswan b/config/rootfiles/core/fifteen/filelists/strongswan
new file mode 120000
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/fifteen/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/fifteen/meta b/config/rootfiles/core/fifteen/meta
new file mode 100644
index 0000000..d547fa8
--- /dev/null
+++ b/config/rootfiles/core/fifteen/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/fifteen/update.sh b/config/rootfiles/core/fifteen/update.sh
new file mode 100644
index 0000000..3ea5ec5
--- /dev/null
+++ b/config/rootfiles/core/fifteen/update.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2013 IPFire-Team info@ipfire.org. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+#
+# Remove old core updates from pakfire cache to save space...
+core=74
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+
+# Extract files
+extract_files
+
+# Start services
+
+
+# Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+# Remove old initscripts
+rm -f /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl
+rm -f /etc/rc.d/init.d/networking/red.up/25-portfw
+rm -f /etc/rc.d/init.d/networking/red.up/26-xtaccess
+
+# Remove old CGI files
+rm -f /srv/web/ipfire/cgi-bin/{dmzholes,outgoingfw,portfw,xtaccess}.cgi
+
+# Convert firewall configuration
+/usr/bin/convert-xtaccess
+/usr/bin/convert-outgoingfw
+/usr/bin/convert-portfw
+/usr/bin/convert-dmz
+
+# Remove old firewall configuration files
+rm -rf /var/ipfire/{dmzholes,portfw,outgoing,xtaccess}
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+# Update the fireinfo profile
+(
+ /etc/init.d/fireinfo start
+ sendprofile
+) >/dev/null 2>&1 &
+
+exit 0
diff --git a/config/rootfiles/oldcore/66/filelists/files b/config/rootfiles/oldcore/66/filelists/files
index 9d0006f..821263e 100644
--- a/config/rootfiles/oldcore/66/filelists/files
+++ b/config/rootfiles/oldcore/66/filelists/files
@@ -48,6 +48,5 @@ var/ipfire/backup/bin/backup.pl
 var/ipfire/backup/include
 var/ipfire/general-functions.pl
 var/ipfire/langs
-var/ipfire/outgoing/bin/outgoingfw.pl
 var/ipfire/qos/bin/makeqosscripts.pl
 var/ipfire/updatexlrator/bin/download
diff --git a/doc/language_issues.de b/doc/language_issues.de
index bbe5e1d..9f48b8b 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
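Review bot: The four converter calls under "Convert firewall configuration" use `/usr/bin/convert-xtaccess`, `/usr/bin/convert-outgoingfw`, `/usr/bin/convert-portfw` and `/usr/bin/convert-dmz`, but this same commit packages those programs under `usr/sbin/` (configroot rootfile and filelists/firewall), so on a stock system each line fails with command-not-found and no legacy rules are converted. The script then runs `rm -rf /var/ipfire/{dmzholes,portfw,outgoing,xtaccess}` unconditionally, deleting the only copy of the old port-forward, DMZ-pinhole, outgoing and external-access rules, so after the forced reboot the firewall comes up without them and the administrator has nothing to restore from. The paths need to become `/usr/sbin/...`, and the removal of the old directories should happen only once every converter has returned success; that guard also covers a converter that fails for any other reason, assuming they report failure through a non-zero exit status, which a missing binary does in any case.
```shell
# Convert firewall configuration
# (the converters are packaged under usr/sbin, see the rootfiles in this commit)
converted=1
for conv in convert-xtaccess convert-outgoingfw convert-portfw convert-dmz; do
  /usr/sbin/$conv || converted=0
done

# Remove old firewall configuration files only once every converter ran cleanly;
# otherwise keep them so the conversion can be repeated after the cause is fixed
if [ "$converted" = "1" ]; then
  rm -rf /var/ipfire/{dmzholes,portfw,outgoing,xtaccess}
else
  echo "firewall conversion failed, old configuration kept in /var/ipfire" >&2
fi
# … unchanged: sync, need_reboot marker, fireinfo profile, exit 0 …
```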
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -45,6 +47,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: apply
 WARNING: translation string unused: archive not exist
@@ -68,6 +71,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: ccd err iroute
 WARNING: translation string unused: ccd err netadr
@@ -109,6 +113,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -119,10 +128,16 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: driver
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -149,6 +164,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: extrahd unable to read
 WARNING: translation string unused: extrahd unable to write
@@ -158,6 +174,10 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forward firewall
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: frequency
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
@@ -166,6 +186,39 @@ WARNING: translation string unused: from email pw
 WARNING: translation string unused: from email server
 WARNING: translation string unused: from email user
 WARNING: translation string unused: from warn email bad
+WARNING: translation string unused: fwdfw ACCEPT
+WARNING: translation string unused: fwdfw DROP
+WARNING: translation string unused: fwdfw MODE1
+WARNING: translation string unused: fwdfw MODE2
+WARNING: translation string unused: fwdfw REJECT
+WARNING: translation string unused: fwdfw addr grp
+WARNING: translation string unused: fwdfw cust addr
+WARNING: translation string unused: fwdfw cust net
+WARNING: translation string unused: fwdfw err srcovpn
+WARNING: translation string unused: fwdfw err srcport
+WARNING: translation string unused: fwdfw err tgt_port
+WARNING: translation string unused: fwdfw err tgtovpn
+WARNING: translation string unused: fwdfw err tgtport
+WARNING: translation string unused: fwdfw from
+WARNING: translation string unused: fwdfw ipsec network
+WARNING: translation string unused: fwdfw natport used
+WARNING: translation string unused: fwdfw rules
+WARNING: translation string unused: fwdfw std network
+WARNING: translation string unused: fwdfw till
+WARNING: translation string unused: fwdfw time
+WARNING: translation string unused: fwhost addrule
+WARNING: translation string unused: fwhost attention
+WARNING: translation string unused: fwhost blue
+WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost err addrgrp
+WARNING: translation string unused: fwhost err hostorip
+WARNING: translation string unused: fwhost err mac
+WARNING: translation string unused: fwhost green
+WARNING: translation string unused: fwhost ipadr
+WARNING: translation string unused: fwhost ipsec host
+WARNING: translation string unused: fwhost orange
+WARNING: translation string unused: fwhost reset
+WARNING: translation string unused: fwhost wo subnet
 WARNING: translation string unused: gen static key
 WARNING: translation string unused: generate
 WARNING: translation string unused: genkey
@@ -220,6 +273,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -245,6 +299,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -261,6 +316,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -286,6 +342,7 @@ WARNING: translation string unused: o-no
 WARNING: translation string unused: o-yes
 WARNING: translation string unused: online help en
 WARNING: translation string unused: only red
+WARNING: translation string unused: open to all
 WARNING: translation string unused: openvpn disabled
 WARNING: translation string unused: openvpn enabled
 WARNING: translation string unused: optional data
@@ -296,7 +353,16 @@ WARNING: translation string unused: original
 WARNING: translation string unused: other countries
 WARNING: translation string unused: our donors
 WARNING: translation string unused: out
+WARNING: translation string unused: outgoing firewall
+WARNING: translation string unused: outgoing firewall mode0
+WARNING: translation string unused: outgoing firewall mode1
+WARNING: translation string unused: outgoing firewall mode2
 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+WARNING: translation string unused: outgoing firewall p2p description 1
+WARNING: translation string unused: outgoing firewall p2p description 2
+WARNING: translation string unused: outgoing firewall p2p description 3
+WARNING: translation string unused: outgoing firewall reset
+WARNING: translation string unused: outgoing firewall warning
 WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn
 WARNING: translation string unused: ovpn config
@@ -327,6 +393,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
 WARNING: translation string unused: phonebook entry
 WARNING: translation string unused: ping disabled
 WARNING: translation string unused: polfile
+WARNING: translation string unused: policy
+WARNING: translation string unused: port forwarding configuration
 WARNING: translation string unused: ports
 WARNING: translation string unused: pots
 WARNING: translation string unused: pppoe
@@ -353,7 +421,9 @@ WARNING: translation string unused: router ip
 WARNING: translation string unused: rules already up to date
 WARNING: translation string unused: safe removal of umounted device
 WARNING: translation string unused: save error
+WARNING: translation string unused: select dest net
 WARNING: translation string unused: select media
+WARNING: translation string unused: select source net
 WARNING: translation string unused: selecttraffic
 WARNING: translation string unused: send email notification
 WARNING: translation string unused: send test mail
@@ -369,15 +439,23 @@ WARNING: translation string unused: shutdown2
 WARNING: translation string unused: shutting down
 WARNING: translation string unused: sitekeyfile
 WARNING: translation string unused: smbreload
+WARNING: translation string unused: source ip in use
+WARNING: translation string unused: source ip or net
+WARNING: translation string unused: source net
+WARNING: translation string unused: source port overlaps
 WARNING: translation string unused: squid extension methods
 WARNING: translation string unused: squid extension methods invalid
 WARNING: translation string unused: squid fix cache
+WARNING: translation string unused: srcprt range overlaps
+WARNING: translation string unused: srcprt within existing
+WARNING: translation string unused: ssdmz pinholes
 WARNING: translation string unused: ssh access tip
 WARNING: translation string unused: ssh1 disabled
 WARNING: translation string unused: ssh1 enabled
 WARNING: translation string unused: ssh1 support
 WARNING: translation string unused: ssnetwork status
 WARNING: translation string unused: sspasswords
+WARNING: translation string unused: ssport forwarding
 WARNING: translation string unused: ssproxy graphs
 WARNING: translation string unused: sssystem status
 WARNING: translation string unused: sstraffic graphs
@@ -476,13 +554,16 @@ WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: week-graph
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
+WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: bytes
 WARNING: untranslated string: community rules
 WARNING: untranslated string: emerging rules
+WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: new
 WARNING: untranslated string: outgoing firewall reserved groupname
 WARNING: untranslated string: qos add subclass
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 1248957..328376f 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: ansi t1.483
 WARNING: translation string unused: apply
@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: ccd err iroute
 WARNING: translation string unused: ccd err netadr
@@ -129,6 +133,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -141,11 +150,17 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: done
 WARNING: translation string unused: driver
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -172,6 +187,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: extrahd unable to read
 WARNING: translation string unused: extrahd unable to write
@@ -181,6 +197,10 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forward firewall
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: frequency
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
@@ -189,6 +209,39 @@ WARNING: translation string unused: from email pw
 WARNING: translation string unused: from email server
 WARNING: translation string unused: from email user
 WARNING: translation string unused: from warn email bad
+WARNING: translation string unused: fwdfw ACCEPT
+WARNING: translation string unused: fwdfw DROP
+WARNING: translation string unused: fwdfw MODE1
+WARNING: translation string unused: fwdfw MODE2
+WARNING: translation string unused: fwdfw REJECT
+WARNING: translation string unused: fwdfw addr grp
+WARNING: translation string unused: fwdfw cust addr
+WARNING: translation string unused: fwdfw cust net
+WARNING: translation string unused: fwdfw err srcovpn
+WARNING: translation string unused: fwdfw err srcport
+WARNING: translation string unused: fwdfw err tgt_port
+WARNING: translation string unused: fwdfw err tgtovpn
+WARNING: translation string unused: fwdfw err tgtport
+WARNING: translation string unused: fwdfw from
+WARNING: translation string unused: fwdfw ipsec network
+WARNING: translation string unused: fwdfw natport used
+WARNING: translation string unused: fwdfw rules
+WARNING: translation string unused: fwdfw std network
+WARNING: translation string unused: fwdfw till
+WARNING: translation string unused: fwdfw time
+WARNING: translation string unused: fwhost addrule
+WARNING: translation string unused: fwhost attention
+WARNING: translation string unused: fwhost blue
+WARNING: translation string unused: fwhost changeremark
+WARNING: translation string unused: fwhost err addrgrp
+WARNING: translation string unused: fwhost err hostorip
+WARNING: translation string unused: fwhost err mac
+WARNING: translation string unused: fwhost green
+WARNING: translation string unused: fwhost ipadr
+WARNING: translation string unused: fwhost ipsec host
+WARNING: translation string unused: fwhost orange
+WARNING: translation string unused: fwhost reset
+WARNING: translation string unused: fwhost wo subnet
 WARNING: translation string unused: g.dtm
 WARNING: translation string unused: g.lite
 WARNING: translation string unused: gen static key
@@ -246,6 +299,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -271,6 +325,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -287,6 +342,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -313,6 +369,7 @@ WARNING: translation string unused: o-no
 WARNING: translation string unused: o-yes
 WARNING: translation string unused: online help en
 WARNING: translation string unused: only red
+WARNING: translation string unused: open to all
 WARNING: translation string unused: openvpn disabled
 WARNING: translation string unused: openvpn enabled
 WARNING: translation string unused: optional data
@@ -323,7 +380,16 @@ WARNING: translation string unused: original
 WARNING: translation string unused: other countries
 WARNING: translation string unused: our donors
 WARNING: translation string unused: out
+WARNING: translation string unused: outgoing firewall
+WARNING: translation string unused: outgoing firewall mode0
+WARNING: translation string unused: outgoing firewall mode1
+WARNING: translation string unused: outgoing firewall mode2
 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+WARNING: translation string unused: outgoing firewall p2p description 1
+WARNING: translation string unused: outgoing firewall p2p description 2
+WARNING: translation string unused: outgoing firewall p2p description 3
+WARNING: translation string unused: outgoing firewall reset
+WARNING: translation string unused: outgoing firewall warning
 WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn
 WARNING: translation string unused: ovpn config
@@ -354,6 +420,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
 WARNING: translation string unused: phonebook entry
 WARNING: translation string unused: ping disabled
 WARNING: translation string unused: polfile
+WARNING: translation string unused: policy
+WARNING: translation string unused: port forwarding configuration
 WARNING: translation string unused: ports
 WARNING: translation string unused: pots
 WARNING: translation string unused: pppoe
@@ -381,7 +449,9 @@ WARNING: translation string unused: router ip
 WARNING: translation string unused: rules already up to date
 WARNING: translation string unused: safe removal of umounted device
 WARNING: translation string unused: save error
+WARNING: translation string unused: select dest net
 WARNING: translation string unused: select media
+WARNING: translation string unused: select source net
 WARNING: translation string unused: selecttraffic
 WARNING: translation string unused: send email notification
 WARNING: translation string unused: send test mail
@@ -400,15 +470,23 @@ WARNING: translation string unused: shutdown2
 WARNING: translation string unused: shutting down
 WARNING: translation string unused: sitekeyfile
 WARNING: translation string unused: smbreload
+WARNING: translation string unused: source ip in use
+WARNING: translation string unused: source ip or net
+WARNING: translation string unused: source net
+WARNING: translation string unused: source port overlaps
 WARNING: translation string unused: squid extension methods
 WARNING: translation string unused: squid extension methods invalid
 WARNING: translation string unused: squid fix cache
+WARNING: translation string unused: srcprt range overlaps
+WARNING: translation string unused: srcprt within existing
+WARNING: translation string unused: ssdmz pinholes
 WARNING: translation string unused: ssh access tip
 WARNING: translation string unused: ssh1 disabled
 WARNING: translation string unused: ssh1 enabled
 WARNING: translation string unused: ssh1 support
 WARNING: translation string unused: ssnetwork status
 WARNING: translation string unused: sspasswords
+WARNING: translation string unused: ssport forwarding
 WARNING: translation string unused: ssproxy graphs
 WARNING: translation string unused: sssystem status
 WARNING: translation string unused: sstraffic graphs
@@ -511,14 +589,18 @@ WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: week-graph
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
+WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: bytes
+WARNING: untranslated string: fwhost err hostip
 WARNING: untranslated string: new
 WARNING: untranslated string: outgoing firewall reserved groupname
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
+WARNING: untranslated string: wlanap country
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 88666b6..2fafaf1 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: ansi t1.483
 WARNING: translation string unused: apply
@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: cfg restart
 WARNING: translation string unused: check for net traffic update
@@ -127,6 +131,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: done
 WARNING: translation string unused: driver
+WARNING: translation string unused: drop output
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -170,6 +186,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: extrahd unable to read
 WARNING: translation string unused: extrahd unable to write
@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: frequency
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
@@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no
 WARNING: translation string unused: o-yes
 WARNING: translation string unused: online help en
 WARNING: translation string unused: only red
+WARNING: translation string unused: open to all
 WARNING: translation string unused: optional data
 WARNING: translation string unused: optionsfw portlist hint
 WARNING: translation string unused: optionsfw warning
@@ -318,8 +342,14 @@ WARNING: translation string unused: or
 WARNING: translation string unused: original
 WARNING: translation string unused: other countries
 WARNING: translation string unused: out
+WARNING: translation string unused: outgoing firewall
+WARNING: translation string unused: outgoing firewall mode0
+WARNING: translation string unused: outgoing firewall mode1
+WARNING: translation string unused: outgoing firewall mode2
 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
 WARNING: translation string unused: outgoing firewall p2p description
+WARNING: translation string unused: outgoing firewall reset
+WARNING: translation string unused: outgoing firewall warning
 WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn
 WARNING: translation string unused: ovpn config
@@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
 WARNING: translation string unused: phonebook entry
 WARNING: translation string unused: ping disabled
 WARNING: translation string unused: polfile
+WARNING: translation string unused: policy
+WARNING: translation string unused: port forwarding configuration
 WARNING: translation string unused: ports
 WARNING: translation string unused: pots
 WARNING: translation string unused: pppoe
@@ -377,7 +409,9 @@ WARNING: translation string unused: router ip
 WARNING: translation string unused: rules already up to date
 WARNING: translation string unused: safe removal of umounted device
 WARNING: translation string unused: save error
+WARNING: translation string unused: select dest net
 WARNING: translation string unused: select media
+WARNING: translation string unused: select source net
 WARNING: translation string unused: selecttraffic
 WARNING: translation string unused: send email notification
 WARNING: translation string unused: send test mail
@@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2
 WARNING: translation string unused: shutting down
 WARNING: translation string unused: sitekeyfile
 WARNING: translation string unused: smbreload
+WARNING: translation string unused: source ip in use
+WARNING: translation string unused: source ip or net
+WARNING: translation string unused: source net
+WARNING: translation string unused: source port overlaps
 WARNING: translation string unused: squid extension methods
 WARNING: translation string unused: squid extension methods invalid
 WARNING: translation string unused: squid fix cache
+WARNING: translation string unused: srcprt range overlaps
+WARNING: translation string unused: srcprt within existing
+WARNING: translation string unused: ssdmz pinholes
 WARNING: translation string unused: ssh access tip
 WARNING: translation string unused: ssh1 disabled
 WARNING: translation string unused: ssh1 enabled
 WARNING: translation string unused: ssh1 support
 WARNING: translation string unused: ssnetwork status
 WARNING: translation string unused: sspasswords
+WARNING: translation string unused: ssport forwarding
 WARNING: translation string unused: ssproxy graphs
 WARNING: translation string unused: sssystem status
 WARNING: translation string unused: sstraffic graphs
@@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: week-graph
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
@@ -556,6 +599,11 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: drop action
+WARNING: untranslated string: drop action1
+WARNING: untranslated string: drop action2
+WARNING: untranslated string: drop forward
+WARNING: untranslated string: drop outgoing
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
@@ -574,6 +622,141 @@ WARNING: untranslated string: fireinfo why descr2
 WARNING: untranslated string: fireinfo why enable
 WARNING: untranslated string: fireinfo why read more
 WARNING: untranslated string: fireinfo your profile id
+WARNING: untranslated string: fw default drop
+WARNING: untranslated string: fw settings
+WARNING: untranslated string: fw settings color
+WARNING: untranslated string: fw settings dropdown
+WARNING: untranslated string: fw settings remark
+WARNING: untranslated string: fw settings ruletable
+WARNING: untranslated string: fwdfw action
+WARNING: untranslated string: fwdfw additional
+WARNING: untranslated string: fwdfw addrule
+WARNING: untranslated string: fwdfw change
+WARNING: untranslated string: fwdfw copy
+WARNING: untranslated string: fwdfw delete
+WARNING: untranslated string: fwdfw dnat
+WARNING: untranslated string: fwdfw dnat error
+WARNING: untranslated string: fwdfw dnat porterr
+WARNING: untranslated string: fwdfw edit
+WARNING: untranslated string: fwdfw err nosrc
+WARNING: untranslated string: fwdfw err nosrcip
+WARNING: untranslated string: fwdfw err notgt
+WARNING: untranslated string: fwdfw err notgtip
+WARNING: untranslated string: fwdfw err prot
+WARNING: untranslated string: fwdfw err remark
+WARNING: untranslated string: fwdfw err ruleexists
+WARNING: untranslated string: fwdfw err same
+WARNING: untranslated string: fwdfw err samesub
+WARNING: untranslated string: fwdfw err src_addr
+WARNING: untranslated string: fwdfw err tgt_addr
+WARNING: untranslated string: fwdfw err tgt_grp
+WARNING: untranslated string: fwdfw err tgt_mac
+WARNING: untranslated string: fwdfw err time
+WARNING: untranslated string: fwdfw final_rule
+WARNING: untranslated string: fwdfw hint ip1
+WARNING: untranslated string: fwdfw hint ip2
+WARNING: untranslated string: fwdfw log rule
+WARNING: untranslated string: fwdfw man port
+WARNING: untranslated string: fwdfw menu
+WARNING: untranslated string: fwdfw movedown
+WARNING: untranslated
string: fwdfw moveup
+WARNING: untranslated string: fwdfw newrule
+WARNING: untranslated string: fwdfw p2p txt
+WARNING: untranslated string: fwdfw pol allow
+WARNING: untranslated string: fwdfw pol block
+WARNING: untranslated string: fwdfw pol text
+WARNING: untranslated string: fwdfw pol text1
+WARNING: untranslated string: fwdfw pol title
+WARNING: untranslated string: fwdfw red
+WARNING: untranslated string: fwdfw reread
+WARNING: untranslated string: fwdfw rule action
+WARNING: untranslated string: fwdfw rule activate
+WARNING: untranslated string: fwdfw rulepos
+WARNING: untranslated string: fwdfw snat
+WARNING: untranslated string: fwdfw source
+WARNING: untranslated string: fwdfw sourceip
+WARNING: untranslated string: fwdfw target
+WARNING: untranslated string: fwdfw targetip
+WARNING: untranslated string: fwdfw timeframe
+WARNING: untranslated string: fwdfw toggle
+WARNING: untranslated string: fwdfw togglelog
+WARNING: untranslated string: fwdfw use nat
+WARNING: untranslated string: fwdfw use srcport
+WARNING: untranslated string: fwdfw use srv
+WARNING: untranslated string: fwdfw useless rule
+WARNING: untranslated string: fwdfw wd_fri
+WARNING: untranslated string: fwdfw wd_mon
+WARNING: untranslated string: fwdfw wd_sat
+WARNING: untranslated string: fwdfw wd_sun
+WARNING: untranslated string: fwdfw wd_thu
+WARNING: untranslated string: fwdfw wd_tue
+WARNING: untranslated string: fwdfw wd_wed
+WARNING: untranslated string: fwdfw xt access
+WARNING: untranslated string: fwhost addgrp
+WARNING: untranslated string: fwhost addgrpname
+WARNING: untranslated string: fwhost addhost
+WARNING: untranslated string: fwhost addnet
+WARNING: untranslated string: fwhost addservice
+WARNING: untranslated string: fwhost addservicegrp
+WARNING: untranslated string: fwhost any
+WARNING: untranslated string: fwhost back
+WARNING: untranslated string: fwhost ccdhost
+WARNING: untranslated string: fwhost ccdnet
+WARNING: untranslated string: fwhost change
+WARNING:
untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust grp
+WARNING: untranslated string: fwhost cust net
+WARNING: untranslated string: fwhost cust service
+WARNING: untranslated string: fwhost cust srvgrp
+WARNING: untranslated string: fwhost deleted
+WARNING: untranslated string: fwhost empty
+WARNING: untranslated string: fwhost err addr
+WARNING: untranslated string: fwhost err empty
+WARNING: untranslated string: fwhost err groupempty
+WARNING: untranslated string: fwhost err grpexist
+WARNING: untranslated string: fwhost err hostexist
+WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost err ip
+WARNING: untranslated string: fwhost err ipcheck
+WARNING: untranslated string: fwhost err ipmac
+WARNING: untranslated string: fwhost err ipwithsub
+WARNING: untranslated string: fwhost err isccdhost
+WARNING: untranslated string: fwhost err isccdiphost
+WARNING: untranslated string: fwhost err isccdipnet
+WARNING: untranslated string: fwhost err isccdnet
+WARNING: untranslated string: fwhost err isingrp
+WARNING: untranslated string: fwhost err name
+WARNING: untranslated string: fwhost err name1
+WARNING: untranslated string: fwhost err net
+WARNING: untranslated string: fwhost err netexist
+WARNING: untranslated string: fwhost err partofnet
+WARNING: untranslated string: fwhost err port
+WARNING: untranslated string: fwhost err remark
+WARNING: untranslated string: fwhost err srv exists
+WARNING: untranslated string: fwhost err srvexist
+WARNING: untranslated string: fwhost err sub32
+WARNING: untranslated string: fwhost hint
+WARNING: untranslated string: fwhost hosts
+WARNING: untranslated string: fwhost icmptype
+WARNING: untranslated string: fwhost ip_mac
+WARNING: untranslated string: fwhost ipsec net
+WARNING: untranslated string: fwhost menu
+WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgrp
+WARNING: untranslated string: fwhost newhost
+WARNING:
untranslated string: fwhost newnet
+WARNING: untranslated string: fwhost newservice
+WARNING: untranslated string: fwhost newservicegrp
+WARNING: untranslated string: fwhost ovpn_n2n
+WARNING: untranslated string: fwhost port
+WARNING: untranslated string: fwhost prot
+WARNING: untranslated string: fwhost reread
+WARNING: untranslated string: fwhost services
+WARNING: untranslated string: fwhost srv_name
+WARNING: untranslated string: fwhost stdnet
+WARNING: untranslated string: fwhost type
+WARNING: untranslated string: fwhost used
+WARNING: untranslated string: fwhost welcome
 WARNING: untranslated string: minute
 WARNING: untranslated string: new
 WARNING: untranslated string: openvpn default
@@ -595,9 +778,6 @@ WARNING: untranslated string: outgoing firewall ip groups
 WARNING: untranslated string: outgoing firewall mac groups
 WARNING: untranslated string: outgoing firewall p2p allow
 WARNING: untranslated string: outgoing firewall p2p deny
-WARNING: untranslated string: outgoing firewall p2p description 1
-WARNING: untranslated string: outgoing firewall p2p description 2
-WARNING: untranslated string: outgoing firewall p2p description 3
 WARNING: untranslated string: outgoing firewall reserved groupname
 WARNING: untranslated string: outgoing firewall view group
 WARNING: untranslated string: ovpn errmsg green already pushed
@@ -618,6 +798,7 @@ WARNING: untranslated string: proxy reports monthly
 WARNING: untranslated string: proxy reports today
 WARNING: untranslated string: proxy reports weekly
 WARNING: untranslated string: qos enter bandwidths
+WARNING: untranslated string: red1
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 6c963ae..b07e7ff 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: ansi t1.483
 WARNING: translation string unused: apply
@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: cfg restart
 WARNING: translation string unused: check for net traffic update
@@ -127,6 +131,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: done
 WARNING: translation string unused: driver
+WARNING: translation string unused: drop output
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -170,6 +186,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: extrahd unable to read
 WARNING: translation string unused: extrahd unable to write
@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: frequency
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
@@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no
 WARNING: translation string unused: o-yes
 WARNING: translation string unused: online help en
 WARNING: translation string unused: only red
+WARNING: translation string unused: open to all
 WARNING: translation string unused: optional data
 WARNING: translation string unused: optionsfw portlist hint
 WARNING: translation string unused: optionsfw warning
@@ -318,7 +342,16 @@ WARNING: translation string unused: or
 WARNING: translation string unused: original
 WARNING: translation string unused: other countries
 WARNING: translation string unused: out
+WARNING: translation string unused: outgoing firewall
+WARNING: translation string unused: outgoing firewall mode0
+WARNING: translation string unused: outgoing firewall mode1
+WARNING: translation string unused: outgoing firewall mode2
 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+WARNING: translation string unused: outgoing firewall p2p description 1
+WARNING: translation string unused: outgoing firewall p2p description 2
+WARNING: translation string unused: outgoing firewall p2p description 3
+WARNING: translation string unused: outgoing firewall reset
+WARNING: translation string unused: outgoing firewall warning
 WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn
 WARNING: translation string unused: ovpn config
@@ -349,6 +382,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
 WARNING: translation string unused: phonebook entry
 WARNING: translation string unused: ping disabled
 WARNING: translation string unused: polfile
+WARNING: translation string unused: policy
+WARNING: translation string unused: port forwarding configuration
 WARNING: translation string unused: ports
 WARNING: translation string unused: pots
 WARNING: translation string unused: pppoe
@@ -376,7 +411,9 @@ WARNING: translation string unused: router ip
 WARNING: translation string unused: rules already up to date
 WARNING: translation string unused: safe removal of umounted device
 WARNING: translation string unused: save error
+WARNING: translation string unused: select dest net
 WARNING: translation string unused: select media
+WARNING: translation string unused: select source net
 WARNING: translation string unused: selecttraffic
 WARNING: translation string unused: send email notification
 WARNING: translation string unused: send test mail
@@ -395,15 +432,23 @@ WARNING: translation string unused: shutdown2
 WARNING: translation string unused: shutting down
 WARNING: translation string unused: sitekeyfile
 WARNING: translation string unused: smbreload
+WARNING: translation string unused: source ip in use
+WARNING: translation string unused: source ip or net
+WARNING: translation string unused: source net
+WARNING: translation string unused: source port overlaps
 WARNING: translation string unused: squid extension methods
 WARNING: translation string unused: squid extension methods invalid
 WARNING: translation string unused: squid fix cache
+WARNING: translation string unused: srcprt range overlaps
+WARNING: translation string unused: srcprt within existing
+WARNING: translation string unused: ssdmz pinholes
 WARNING: translation string unused: ssh access tip
 WARNING: translation string unused: ssh1 disabled
 WARNING: translation string unused: ssh1 enabled
 WARNING: translation string unused: ssh1 support
 WARNING: translation string unused: ssnetwork status
 WARNING: translation string unused: sspasswords
+WARNING: translation string unused: ssport forwarding
 WARNING: translation string unused: ssproxy graphs
 WARNING: translation string unused: sssystem status
 WARNING: translation string unused: sstraffic graphs
@@ -498,6 +543,7 @@ WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: week-graph
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
@@ -556,6 +602,11 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: drop action
+WARNING: untranslated string: drop action1
+WARNING: untranslated string: drop action2
+WARNING: untranslated string: drop forward
+WARNING: untranslated string: drop outgoing
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
@@ -574,6 +625,141 @@ WARNING: untranslated string: fireinfo why descr2 WARNING: untranslated string: fireinfo why enable WARNING: untranslated string: fireinfo why read more WARNING: untranslated string: fireinfo your profile id +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated 
string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: 
untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: 
untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: minute WARNING: untranslated string: new WARNING: untranslated string: ntp common settings @@ -602,6 +788,7 @@ WARNING: untranslated string: proxy reports monthly WARNING: untranslated string: proxy reports today WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 8999404..9e17b91 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password 
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute WARNING: translation string unused: ccd err netadr @@ -129,6 +133,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 
@@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -172,6 +188,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write 
@@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help 
@@ -313,6 +336,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -323,7 +347,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe 
@@ -381,7 +416,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs 
@@ -501,6 +546,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits 
@@ -520,9 +566,150 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw 
hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated 
string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost 
ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname WARNING: untranslated string: qos enter bandwidths +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 88666b6..2fafaf1 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP WARNING: translation string unused: Resolv WARNING: translation string unused: TOS Bits WARNING: translation string unused: Verbose +WARNING: translation string unused: access allowed WARNING: translation string unused: access refused with this oinkcode WARNING: translation string unused: add network WARNING: translation string unused: add new ovpn WARNING: translation string unused: add service +WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password 
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed WARNING: translation string unused: allmsg WARNING: translation string unused: alt information WARNING: translation string unused: alt ovpn +WARNING: translation string unused: alt vpn WARNING: translation string unused: and WARNING: translation string unused: ansi t1.483 WARNING: translation string unused: apply @@ -87,6 +90,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart WARNING: translation string unused: check for net traffic update @@ -127,6 +131,11 @@ WARNING: translation string unused: debugme WARNING: translation string unused: deep scan directories WARNING: translation string unused: default networks WARNING: translation string unused: default services +WARNING: translation string unused: description +WARNING: translation string unused: destination ip bad +WARNING: translation string unused: destination ip or net +WARNING: translation string unused: destination net +WARNING: translation string unused: destination port overlaps WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 
@@ -139,11 +148,18 @@ WARNING: translation string unused: dial user password has been changed WARNING: translation string unused: dialup settings WARNING: translation string unused: disconnect WARNING: translation string unused: display traffic at home +WARNING: translation string unused: dmz pinhole configuration +WARNING: translation string unused: dmz pinhole rule added +WARNING: translation string unused: dmz pinhole rule removed +WARNING: translation string unused: dmzpinholes for same net not necessary WARNING: translation string unused: dns server WARNING: translation string unused: do not log this port list WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: driver +WARNING: translation string unused: drop output +WARNING: translation string unused: dstprt range overlaps +WARNING: translation string unused: dstprt within existing WARNING: translation string unused: dynamic dns client WARNING: translation string unused: eciadsl help WARNING: translation string unused: eciadsl upload @@ -170,6 +186,7 @@ WARNING: translation string unused: error external access WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access rule changed WARNING: translation string unused: extrahd unable to read WARNING: translation string unused: extrahd unable to write 
@@ -179,6 +196,9 @@ WARNING: translation string unused: firewall log viewer WARNING: translation string unused: firmware WARNING: translation string unused: firmware upload WARNING: translation string unused: force update +WARNING: translation string unused: forwarding rule added +WARNING: translation string unused: forwarding rule removed +WARNING: translation string unused: forwarding rule updated WARNING: translation string unused: frequency WARNING: translation string unused: fritzdsl help WARNING: translation string unused: fritzdsl upload @@ -244,6 +264,7 @@ WARNING: translation string unused: local hard disk WARNING: translation string unused: localkeyfile WARNING: translation string unused: log enabled WARNING: translation string unused: log viewer +WARNING: translation string unused: logging WARNING: translation string unused: loosedirectorychecking WARNING: translation string unused: ls_dhcpd WARNING: translation string unused: ls_disk space @@ -269,6 +290,7 @@ WARNING: translation string unused: mbmon value WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz +WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -285,6 +307,7 @@ WARNING: translation string unused: monthly volume start day short WARNING: translation string unused: mount WARNING: translation string unused: mtu QoS WARNING: translation string unused: nat-traversal +WARNING: translation string unused: net WARNING: translation string unused: net address WARNING: translation string unused: net config type WARNING: translation string unused: net config type help 
@@ -311,6 +334,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: optional data WARNING: translation string unused: optionsfw portlist hint WARNING: translation string unused: optionsfw warning @@ -318,8 +342,14 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname WARNING: translation string unused: outgoing firewall p2p description +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -350,6 +380,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe 
@@ -377,7 +409,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -396,15 +430,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs 
@@ -497,6 +539,7 @@ WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: week-graph
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
@@ -556,6 +599,11 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: drop action
+WARNING: untranslated string: drop action1
+WARNING: untranslated string: drop action2
+WARNING: untranslated string: drop forward
+WARNING: untranslated string: drop outgoing
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
@@ -574,6 +622,141 @@ WARNING: untranslated string: fireinfo why descr2
 WARNING: untranslated string: fireinfo why enable
 WARNING: untranslated string: fireinfo why read more
 WARNING: untranslated string: fireinfo your profile id
+WARNING: untranslated string: fw default drop
+WARNING: untranslated string: fw settings
+WARNING: untranslated string: fw settings color
+WARNING: untranslated string: fw settings dropdown
+WARNING: untranslated string: fw settings remark
+WARNING: untranslated string: fw settings ruletable
+WARNING: untranslated string: fwdfw action
+WARNING: untranslated string: fwdfw additional
+WARNING: untranslated string: fwdfw addrule
+WARNING: untranslated string: fwdfw change
+WARNING: untranslated string: fwdfw copy
+WARNING: untranslated string: fwdfw delete
+WARNING: untranslated string: fwdfw dnat
+WARNING: untranslated string: fwdfw dnat error
+WARNING: untranslated string: fwdfw dnat porterr
+WARNING: untranslated string: fwdfw edit
+WARNING: untranslated string: fwdfw err nosrc
+WARNING: untranslated string: fwdfw err nosrcip
+WARNING: untranslated string: fwdfw err notgt
+WARNING: untranslated string: fwdfw err notgtip
+WARNING: untranslated string: fwdfw err prot
+WARNING: untranslated string: fwdfw err remark
+WARNING: untranslated string: fwdfw err ruleexists
+WARNING: untranslated string: fwdfw err same
+WARNING: untranslated string: fwdfw err samesub
+WARNING: untranslated string: fwdfw err src_addr
+WARNING: untranslated string: fwdfw err tgt_addr
+WARNING: untranslated string: fwdfw err tgt_grp
+WARNING: untranslated string: fwdfw err tgt_mac
+WARNING: untranslated string: fwdfw err time
+WARNING: untranslated string: fwdfw final_rule
+WARNING: untranslated string: fwdfw hint ip1
+WARNING: untranslated string: fwdfw hint ip2
+WARNING: untranslated string: fwdfw log rule
+WARNING: untranslated string: fwdfw man port
+WARNING: untranslated string: fwdfw menu
+WARNING: untranslated string: fwdfw movedown
+WARNING: untranslated 
string: fwdfw moveup
+WARNING: untranslated string: fwdfw newrule
+WARNING: untranslated string: fwdfw p2p txt
+WARNING: untranslated string: fwdfw pol allow
+WARNING: untranslated string: fwdfw pol block
+WARNING: untranslated string: fwdfw pol text
+WARNING: untranslated string: fwdfw pol text1
+WARNING: untranslated string: fwdfw pol title
+WARNING: untranslated string: fwdfw red
+WARNING: untranslated string: fwdfw reread
+WARNING: untranslated string: fwdfw rule action
+WARNING: untranslated string: fwdfw rule activate
+WARNING: untranslated string: fwdfw rulepos
+WARNING: untranslated string: fwdfw snat
+WARNING: untranslated string: fwdfw source
+WARNING: untranslated string: fwdfw sourceip
+WARNING: untranslated string: fwdfw target
+WARNING: untranslated string: fwdfw targetip
+WARNING: untranslated string: fwdfw timeframe
+WARNING: untranslated string: fwdfw toggle
+WARNING: untranslated string: fwdfw togglelog
+WARNING: untranslated string: fwdfw use nat
+WARNING: untranslated string: fwdfw use srcport
+WARNING: untranslated string: fwdfw use srv
+WARNING: untranslated string: fwdfw useless rule
+WARNING: untranslated string: fwdfw wd_fri
+WARNING: untranslated string: fwdfw wd_mon
+WARNING: untranslated string: fwdfw wd_sat
+WARNING: untranslated string: fwdfw wd_sun
+WARNING: untranslated string: fwdfw wd_thu
+WARNING: untranslated string: fwdfw wd_tue
+WARNING: untranslated string: fwdfw wd_wed
+WARNING: untranslated string: fwdfw xt access
+WARNING: untranslated string: fwhost addgrp
+WARNING: untranslated string: fwhost addgrpname
+WARNING: untranslated string: fwhost addhost
+WARNING: untranslated string: fwhost addnet
+WARNING: untranslated string: fwhost addservice
+WARNING: untranslated string: fwhost addservicegrp
+WARNING: untranslated string: fwhost any
+WARNING: untranslated string: fwhost back
+WARNING: untranslated string: fwhost ccdhost
+WARNING: untranslated string: fwhost ccdnet
+WARNING: untranslated string: fwhost change
+WARNING: 
untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust grp
+WARNING: untranslated string: fwhost cust net
+WARNING: untranslated string: fwhost cust service
+WARNING: untranslated string: fwhost cust srvgrp
+WARNING: untranslated string: fwhost deleted
+WARNING: untranslated string: fwhost empty
+WARNING: untranslated string: fwhost err addr
+WARNING: untranslated string: fwhost err empty
+WARNING: untranslated string: fwhost err groupempty
+WARNING: untranslated string: fwhost err grpexist
+WARNING: untranslated string: fwhost err hostexist
+WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost err ip
+WARNING: untranslated string: fwhost err ipcheck
+WARNING: untranslated string: fwhost err ipmac
+WARNING: untranslated string: fwhost err ipwithsub
+WARNING: untranslated string: fwhost err isccdhost
+WARNING: untranslated string: fwhost err isccdiphost
+WARNING: untranslated string: fwhost err isccdipnet
+WARNING: untranslated string: fwhost err isccdnet
+WARNING: untranslated string: fwhost err isingrp
+WARNING: untranslated string: fwhost err name
+WARNING: untranslated string: fwhost err name1
+WARNING: untranslated string: fwhost err net
+WARNING: untranslated string: fwhost err netexist
+WARNING: untranslated string: fwhost err partofnet
+WARNING: untranslated string: fwhost err port
+WARNING: untranslated string: fwhost err remark
+WARNING: untranslated string: fwhost err srv exists
+WARNING: untranslated string: fwhost err srvexist
+WARNING: untranslated string: fwhost err sub32
+WARNING: untranslated string: fwhost hint
+WARNING: untranslated string: fwhost hosts
+WARNING: untranslated string: fwhost icmptype
+WARNING: untranslated string: fwhost ip_mac
+WARNING: untranslated string: fwhost ipsec net
+WARNING: untranslated string: fwhost menu
+WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgrp
+WARNING: untranslated string: fwhost newhost
+WARNING: 
untranslated string: fwhost newnet
+WARNING: untranslated string: fwhost newservice
+WARNING: untranslated string: fwhost newservicegrp
+WARNING: untranslated string: fwhost ovpn_n2n
+WARNING: untranslated string: fwhost port
+WARNING: untranslated string: fwhost prot
+WARNING: untranslated string: fwhost reread
+WARNING: untranslated string: fwhost services
+WARNING: untranslated string: fwhost srv_name
+WARNING: untranslated string: fwhost stdnet
+WARNING: untranslated string: fwhost type
+WARNING: untranslated string: fwhost used
+WARNING: untranslated string: fwhost welcome
 WARNING: untranslated string: minute
 WARNING: untranslated string: new
 WARNING: untranslated string: openvpn default
@@ -595,9 +778,6 @@ WARNING: untranslated string: outgoing firewall ip groups
 WARNING: untranslated string: outgoing firewall mac groups
 WARNING: untranslated string: outgoing firewall p2p allow
 WARNING: untranslated string: outgoing firewall p2p deny
-WARNING: untranslated string: outgoing firewall p2p description 1
-WARNING: untranslated string: outgoing firewall p2p description 2
-WARNING: untranslated string: outgoing firewall p2p description 3
 WARNING: untranslated string: outgoing firewall reserved groupname
 WARNING: untranslated string: outgoing firewall view group
 WARNING: untranslated string: ovpn errmsg green already pushed
@@ -618,6 +798,7 @@ WARNING: untranslated string: proxy reports monthly
 WARNING: untranslated string: proxy reports today
 WARNING: untranslated string: proxy reports weekly
 WARNING: untranslated string: qos enter bandwidths
+WARNING: untranslated string: red1
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 768bc12..90d419d 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: ansi t1.483
 WARNING: translation string unused: apply
@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: cfg restart
 WARNING: translation string unused: check for net traffic update
@@ -126,6 +130,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -138,11 +147,18 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: done
 WARNING: translation string unused: driver
+WARNING: translation string unused: drop output
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -169,6 +185,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: filename
 WARNING: translation string unused: firewall graphs
@@ -176,6 +193,9 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
 WARNING: translation string unused: from email adr
@@ -239,6 +259,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -264,6 +285,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -279,6 +301,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -305,6 +328,7 @@ WARNING: translation string unused: o-no
 WARNING: translation string unused: o-yes
 WARNING: translation string unused: online help en
 WARNING: translation string unused: only red
+WARNING: translation string unused: open to all
 WARNING: translation string unused: optional data
 WARNING: translation string unused: optionsfw portlist hint
 WARNING: translation string unused: optionsfw warning
@@ -312,7 +336,16 @@ WARNING: translation string unused: or
 WARNING: translation string unused: original
 WARNING: translation string unused: other countries
 WARNING: translation string unused: out
+WARNING: translation string unused: outgoing firewall
+WARNING: translation string unused: outgoing firewall mode0
+WARNING: translation string unused: outgoing firewall mode1
+WARNING: translation string unused: outgoing firewall mode2
 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname
+WARNING: translation string unused: outgoing firewall p2p description 1
+WARNING: translation string unused: outgoing firewall p2p description 2
+WARNING: translation string unused: outgoing firewall p2p description 3
+WARNING: translation string unused: outgoing firewall reset
+WARNING: translation string unused: outgoing firewall warning
 WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn
 WARNING: translation string unused: ovpn config
@@ -343,6 +376,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l
 WARNING: translation string unused: phonebook entry
 WARNING: translation string unused: ping disabled
 WARNING: translation string unused: polfile
+WARNING: translation string unused: policy
+WARNING: translation string unused: port forwarding configuration
 WARNING: translation string unused: ports
 WARNING: translation string unused: pots
 WARNING: translation string unused: pppoe
@@ -370,7 +405,9 @@ WARNING: translation string unused: router ip
 WARNING: translation string unused: rules already up to date
 WARNING: translation string unused: safe removal of umounted device
 WARNING: translation string unused: save error
+WARNING: translation string unused: select dest net
 WARNING: translation string unused: select media
+WARNING: translation string unused: select source net
 WARNING: translation string unused: selecttraffic
 WARNING: translation string unused: send email notification
 WARNING: translation string unused: send test mail
@@ -389,15 +426,23 @@ WARNING: translation string unused: shutdown2
 WARNING: translation string unused: shutting down
 WARNING: translation string unused: sitekeyfile
 WARNING: translation string unused: smbreload
+WARNING: translation string unused: source ip in use
+WARNING: translation string unused: source ip or net
+WARNING: translation string unused: source net
+WARNING: translation string unused: source port overlaps
 WARNING: translation string unused: squid extension methods
 WARNING: translation string unused: squid extension methods invalid
 WARNING: translation string unused: squid fix cache
+WARNING: translation string unused: srcprt range overlaps
+WARNING: translation string unused: srcprt within existing
+WARNING: translation string unused: ssdmz pinholes
 WARNING: translation string unused: ssh access tip
 WARNING: translation string unused: ssh1 disabled
 WARNING: translation string unused: ssh1 enabled
 WARNING: translation string unused: ssh1 support
 WARNING: translation string unused: ssnetwork status
 WARNING: translation string unused: sspasswords
+WARNING: translation string unused: ssport forwarding
 WARNING: translation string unused: ssproxy graphs
 WARNING: translation string unused: sssystem status
 WARNING: translation string unused: sstraffic graphs
@@ -489,6 +534,7 @@ WARNING: translation string unused: vpn watch
 WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
 WARNING: translation string unused: weekly firewallhits
+WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Add a route
@@ -549,6 +595,11 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: drop action
+WARNING: untranslated string: drop action1
+WARNING: untranslated string: drop action2
+WARNING: untranslated string: drop forward
+WARNING: untranslated string: drop outgoing
 WARNING: untranslated string: emerging rules
 WARNING: untranslated string: extrahd because there is already a device mounted
 WARNING: untranslated string: extrahd cant umount
@@ -557,6 +608,141 @@ WARNING: untranslated string: extrahd maybe the device is in use
 WARNING: untranslated string: extrahd to
 WARNING: untranslated string: extrahd to root
 WARNING: untranslated string: extrahd you cant mount
+WARNING: untranslated string: fw default drop
+WARNING: untranslated string: fw settings
+WARNING: untranslated string: fw settings color
+WARNING: untranslated string: fw settings dropdown
+WARNING: untranslated string: fw settings remark
+WARNING: untranslated string: fw settings ruletable
+WARNING: untranslated string: fwdfw action
+WARNING: untranslated string: fwdfw additional
+WARNING: untranslated string: fwdfw addrule
+WARNING: untranslated string: fwdfw change
+WARNING: untranslated string: fwdfw copy
+WARNING: untranslated string: fwdfw delete
+WARNING: untranslated string: fwdfw dnat
+WARNING: untranslated string: fwdfw dnat error
+WARNING: untranslated string: fwdfw dnat porterr
+WARNING: untranslated string: fwdfw edit
+WARNING: untranslated string: fwdfw err nosrc
+WARNING: untranslated string: fwdfw err nosrcip
+WARNING: untranslated string: fwdfw err notgt
+WARNING: untranslated string: fwdfw err notgtip
+WARNING: untranslated string: fwdfw err prot
+WARNING: untranslated string: fwdfw err remark
+WARNING: untranslated string: fwdfw err ruleexists
+WARNING: untranslated string: fwdfw err same
+WARNING: untranslated string: fwdfw err samesub
+WARNING: untranslated string: fwdfw err src_addr
+WARNING: untranslated string: fwdfw err tgt_addr
+WARNING: untranslated string: fwdfw err tgt_grp
+WARNING: untranslated string: fwdfw err tgt_mac
+WARNING: untranslated string: fwdfw err time
+WARNING: untranslated string: fwdfw final_rule
+WARNING: untranslated string: fwdfw hint ip1
+WARNING: untranslated string: fwdfw hint ip2
+WARNING: untranslated string: fwdfw log rule
+WARNING: untranslated string: fwdfw man port
+WARNING: untranslated string: fwdfw menu
+WARNING: untranslated string: fwdfw movedown
+WARNING: untranslated string: 
fwdfw moveup
+WARNING: untranslated string: fwdfw newrule
+WARNING: untranslated string: fwdfw p2p txt
+WARNING: untranslated string: fwdfw pol allow
+WARNING: untranslated string: fwdfw pol block
+WARNING: untranslated string: fwdfw pol text
+WARNING: untranslated string: fwdfw pol text1
+WARNING: untranslated string: fwdfw pol title
+WARNING: untranslated string: fwdfw red
+WARNING: untranslated string: fwdfw reread
+WARNING: untranslated string: fwdfw rule action
+WARNING: untranslated string: fwdfw rule activate
+WARNING: untranslated string: fwdfw rulepos
+WARNING: untranslated string: fwdfw snat
+WARNING: untranslated string: fwdfw source
+WARNING: untranslated string: fwdfw sourceip
+WARNING: untranslated string: fwdfw target
+WARNING: untranslated string: fwdfw targetip
+WARNING: untranslated string: fwdfw timeframe
+WARNING: untranslated string: fwdfw toggle
+WARNING: untranslated string: fwdfw togglelog
+WARNING: untranslated string: fwdfw use nat
+WARNING: untranslated string: fwdfw use srcport
+WARNING: untranslated string: fwdfw use srv
+WARNING: untranslated string: fwdfw useless rule
+WARNING: untranslated string: fwdfw wd_fri
+WARNING: untranslated string: fwdfw wd_mon
+WARNING: untranslated string: fwdfw wd_sat
+WARNING: untranslated string: fwdfw wd_sun
+WARNING: untranslated string: fwdfw wd_thu
+WARNING: untranslated string: fwdfw wd_tue
+WARNING: untranslated string: fwdfw wd_wed
+WARNING: untranslated string: fwdfw xt access
+WARNING: untranslated string: fwhost addgrp
+WARNING: untranslated string: fwhost addgrpname
+WARNING: untranslated string: fwhost addhost
+WARNING: untranslated string: fwhost addnet
+WARNING: untranslated string: fwhost addservice
+WARNING: untranslated string: fwhost addservicegrp
+WARNING: untranslated string: fwhost any
+WARNING: untranslated string: fwhost back
+WARNING: untranslated string: fwhost ccdhost
+WARNING: untranslated string: fwhost ccdnet
+WARNING: untranslated string: fwhost change
+WARNING: 
untranslated string: fwhost cust addr
+WARNING: untranslated string: fwhost cust grp
+WARNING: untranslated string: fwhost cust net
+WARNING: untranslated string: fwhost cust service
+WARNING: untranslated string: fwhost cust srvgrp
+WARNING: untranslated string: fwhost deleted
+WARNING: untranslated string: fwhost empty
+WARNING: untranslated string: fwhost err addr
+WARNING: untranslated string: fwhost err empty
+WARNING: untranslated string: fwhost err groupempty
+WARNING: untranslated string: fwhost err grpexist
+WARNING: untranslated string: fwhost err hostexist
+WARNING: untranslated string: fwhost err hostip
+WARNING: untranslated string: fwhost err ip
+WARNING: untranslated string: fwhost err ipcheck
+WARNING: untranslated string: fwhost err ipmac
+WARNING: untranslated string: fwhost err ipwithsub
+WARNING: untranslated string: fwhost err isccdhost
+WARNING: untranslated string: fwhost err isccdiphost
+WARNING: untranslated string: fwhost err isccdipnet
+WARNING: untranslated string: fwhost err isccdnet
+WARNING: untranslated string: fwhost err isingrp
+WARNING: untranslated string: fwhost err name
+WARNING: untranslated string: fwhost err name1
+WARNING: untranslated string: fwhost err net
+WARNING: untranslated string: fwhost err netexist
+WARNING: untranslated string: fwhost err partofnet
+WARNING: untranslated string: fwhost err port
+WARNING: untranslated string: fwhost err remark
+WARNING: untranslated string: fwhost err srv exists
+WARNING: untranslated string: fwhost err srvexist
+WARNING: untranslated string: fwhost err sub32
+WARNING: untranslated string: fwhost hint
+WARNING: untranslated string: fwhost hosts
+WARNING: untranslated string: fwhost icmptype
+WARNING: untranslated string: fwhost ip_mac
+WARNING: untranslated string: fwhost ipsec net
+WARNING: untranslated string: fwhost menu
+WARNING: untranslated string: fwhost netaddress
+WARNING: untranslated string: fwhost newgrp
+WARNING: untranslated string: fwhost newhost
+WARNING: 
untranslated string: fwhost newnet
+WARNING: untranslated string: fwhost newservice
+WARNING: untranslated string: fwhost newservicegrp
+WARNING: untranslated string: fwhost ovpn_n2n
+WARNING: untranslated string: fwhost port
+WARNING: untranslated string: fwhost prot
+WARNING: untranslated string: fwhost reread
+WARNING: untranslated string: fwhost services
+WARNING: untranslated string: fwhost srv_name
+WARNING: untranslated string: fwhost stdnet
+WARNING: untranslated string: fwhost type
+WARNING: untranslated string: fwhost used
+WARNING: untranslated string: fwhost welcome
 WARNING: untranslated string: incoming traffic in bytes per second
 WARNING: untranslated string: minute
 WARNING: untranslated string: new
@@ -584,6 +770,7 @@ WARNING: untranslated string: proxy reports monthly
 WARNING: untranslated string: proxy reports today
 WARNING: untranslated string: proxy reports weekly
 WARNING: untranslated string: qos enter bandwidths
+WARNING: untranslated string: red1
 WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index af1af7b..b4f0dfe 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -11,10 +11,12 @@ WARNING: translation string unused: Remote VPN IP
 WARNING: translation string unused: Resolv
 WARNING: translation string unused: TOS Bits
 WARNING: translation string unused: Verbose
+WARNING: translation string unused: access allowed
 WARNING: translation string unused: access refused with this oinkcode
 WARNING: translation string unused: add network
 WARNING: translation string unused: add new ovpn
 WARNING: translation string unused: add service
+WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
@@ -46,6 +48,7 @@ WARNING: translation string unused: all updates installed
 WARNING: translation string unused: allmsg
 WARNING: translation string unused: alt information
 WARNING: translation string unused: alt ovpn
+WARNING: translation string unused: alt vpn
 WARNING: translation string unused: and
 WARNING: translation string unused: ansi t1.483
 WARNING: translation string unused: apply
@@ -87,6 +90,7 @@ WARNING: translation string unused: cache management
 WARNING: translation string unused: cache size
 WARNING: translation string unused: calamaris report interval (in minutes)
 WARNING: translation string unused: calc traffic all x minutes
+WARNING: translation string unused: cant enable xtaccess
 WARNING: translation string unused: capsinactive
 WARNING: translation string unused: ccd err iroute
 WARNING: translation string unused: ccd err netadr
@@ -129,6 +133,11 @@ WARNING: translation string unused: debugme
 WARNING: translation string unused: deep scan directories
 WARNING: translation string unused: default networks
 WARNING: translation string unused: default services
+WARNING: translation string unused: description
+WARNING: translation string unused: destination ip bad
+WARNING: translation string unused: destination ip or net
+WARNING: translation string unused: destination net
+WARNING: translation string unused: destination port overlaps
 WARNING: translation string unused: dhcp base ip fixed lease
 WARNING: translation string unused: dhcp create fixed leases
 WARNING: translation string unused: dhcp fixed lease err1
@@ -141,11 +150,18 @@ WARNING: translation string unused: dial user password has been changed
 WARNING: translation string unused: dialup settings
 WARNING: translation string unused: disconnect
 WARNING: translation string unused: display traffic at home
+WARNING: translation string unused: dmz pinhole configuration
+WARNING: translation string unused: dmz pinhole rule added
+WARNING: translation string unused: dmz pinhole rule removed
+WARNING: translation string unused: dmzpinholes for same net not necessary
 WARNING: translation string unused: dns server
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: donation-link
 WARNING: translation string unused: done
 WARNING: translation string unused: driver
+WARNING: translation string unused: drop output
+WARNING: translation string unused: dstprt range overlaps
+WARNING: translation string unused: dstprt within existing
 WARNING: translation string unused: dynamic dns client
 WARNING: translation string unused: eciadsl help
 WARNING: translation string unused: eciadsl upload
@@ -172,6 +188,7 @@ WARNING: translation string unused: error external access
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access rule changed
 WARNING: translation string unused: extrahd unable to read
 WARNING: translation string unused: extrahd unable to write
@@ -181,6 +198,9 @@ WARNING: translation string unused: firewall log viewer
 WARNING: translation string unused: firmware
 WARNING: translation string unused: firmware upload
 WARNING: translation string unused: force update
+WARNING: translation string unused: forwarding rule added
+WARNING: translation string unused: forwarding rule removed
+WARNING: translation string unused: forwarding rule updated
 WARNING: translation string unused: frequency
 WARNING: translation string unused: fritzdsl help
 WARNING: translation string unused: fritzdsl upload
@@ -246,6 +266,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
 WARNING: translation string unused: log viewer
+WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
 WARNING: translation string unused: ls_dhcpd
 WARNING: translation string unused: ls_disk space
@@ -271,6 +292,7 @@ WARNING: translation string unused: mbmon value
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
+WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -287,6 +309,7 @@ WARNING: translation string unused: monthly volume start day short
 WARNING: translation string unused: mount
 WARNING: translation string unused: mtu QoS
 WARNING: translation string unused: nat-traversal
+WARNING: translation string unused: net
 WARNING: translation string unused: net address
 WARNING: translation string unused: net config type
 WARNING: translation string unused: net config type help
@@ -313,6 +336,7 @@ WARNING: translation string unused: o-no WARNING: translation string unused: o-yes WARNING: translation string unused: online help en WARNING: translation string unused: only red +WARNING: translation string unused: open to all WARNING: translation string unused: openvpn disabled WARNING: translation string unused: openvpn enabled WARNING: translation string unused: optional data @@ -323,7 +347,16 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall +WARNING: translation string unused: outgoing firewall mode0 +WARNING: translation string unused: outgoing firewall mode1 +WARNING: translation string unused: outgoing firewall mode2 WARNING: translation string unused: outgoing firewall outgoing firewall reserved groupname +WARNING: translation string unused: outgoing firewall p2p description 1 +WARNING: translation string unused: outgoing firewall p2p description 2 +WARNING: translation string unused: outgoing firewall p2p description 3 +WARNING: translation string unused: outgoing firewall reset +WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn WARNING: translation string unused: ovpn config @@ -354,6 +387,8 @@ WARNING: translation string unused: passwords must be at least 6 characters in l WARNING: translation string unused: phonebook entry WARNING: translation string unused: ping disabled WARNING: translation string unused: polfile +WARNING: translation string unused: policy +WARNING: translation string unused: port forwarding configuration WARNING: translation string unused: ports WARNING: translation string unused: pots WARNING: translation string unused: pppoe 
@@ -381,7 +416,9 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error +WARNING: translation string unused: select dest net WARNING: translation string unused: select media +WARNING: translation string unused: select source net WARNING: translation string unused: selecttraffic WARNING: translation string unused: send email notification WARNING: translation string unused: send test mail @@ -400,15 +437,23 @@ WARNING: translation string unused: shutdown2 WARNING: translation string unused: shutting down WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload +WARNING: translation string unused: source ip in use +WARNING: translation string unused: source ip or net +WARNING: translation string unused: source net +WARNING: translation string unused: source port overlaps WARNING: translation string unused: squid extension methods WARNING: translation string unused: squid extension methods invalid WARNING: translation string unused: squid fix cache +WARNING: translation string unused: srcprt range overlaps +WARNING: translation string unused: srcprt within existing +WARNING: translation string unused: ssdmz pinholes WARNING: translation string unused: ssh access tip WARNING: translation string unused: ssh1 disabled WARNING: translation string unused: ssh1 enabled WARNING: translation string unused: ssh1 support WARNING: translation string unused: ssnetwork status WARNING: translation string unused: sspasswords +WARNING: translation string unused: ssport forwarding WARNING: translation string unused: ssproxy graphs WARNING: translation string unused: sssystem status WARNING: translation string unused: sstraffic graphs 
@@ -505,6 +550,7 @@ WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration WARNING: translation string unused: week-graph WARNING: translation string unused: weekly firewallhits +WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits 
@@ -517,8 +563,149 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: drop action +WARNING: untranslated string: drop action1 +WARNING: untranslated string: drop action2 +WARNING: untranslated string: drop forward +WARNING: untranslated string: drop outgoing +WARNING: untranslated string: fw default drop +WARNING: untranslated string: fw settings +WARNING: untranslated string: fw settings color +WARNING: untranslated string: fw settings dropdown +WARNING: untranslated string: fw settings remark +WARNING: untranslated string: fw settings ruletable +WARNING: untranslated string: fwdfw action +WARNING: untranslated string: fwdfw additional +WARNING: untranslated string: fwdfw addrule +WARNING: untranslated string: fwdfw change +WARNING: untranslated string: fwdfw copy +WARNING: untranslated string: fwdfw delete +WARNING: untranslated string: fwdfw dnat +WARNING: untranslated string: fwdfw dnat error +WARNING: untranslated string: fwdfw dnat porterr +WARNING: untranslated string: fwdfw edit +WARNING: untranslated string: fwdfw err nosrc +WARNING: untranslated string: fwdfw err nosrcip +WARNING: untranslated string: fwdfw err notgt +WARNING: untranslated string: fwdfw err notgtip +WARNING: untranslated string: fwdfw err prot +WARNING: untranslated string: fwdfw err remark +WARNING: untranslated string: fwdfw err ruleexists +WARNING: untranslated string: fwdfw err same +WARNING: untranslated string: fwdfw err samesub +WARNING: untranslated string: fwdfw err src_addr +WARNING: untranslated string: fwdfw err tgt_addr +WARNING: untranslated string: fwdfw err tgt_grp +WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err time +WARNING: untranslated string: fwdfw final_rule +WARNING: untranslated string: fwdfw hint ip1 +WARNING: untranslated string: fwdfw 
hint ip2 +WARNING: untranslated string: fwdfw log rule +WARNING: untranslated string: fwdfw man port +WARNING: untranslated string: fwdfw menu +WARNING: untranslated string: fwdfw movedown +WARNING: untranslated string: fwdfw moveup +WARNING: untranslated string: fwdfw newrule +WARNING: untranslated string: fwdfw p2p txt +WARNING: untranslated string: fwdfw pol allow +WARNING: untranslated string: fwdfw pol block +WARNING: untranslated string: fwdfw pol text +WARNING: untranslated string: fwdfw pol text1 +WARNING: untranslated string: fwdfw pol title +WARNING: untranslated string: fwdfw red +WARNING: untranslated string: fwdfw reread +WARNING: untranslated string: fwdfw rule action +WARNING: untranslated string: fwdfw rule activate +WARNING: untranslated string: fwdfw rulepos +WARNING: untranslated string: fwdfw snat +WARNING: untranslated string: fwdfw source +WARNING: untranslated string: fwdfw sourceip +WARNING: untranslated string: fwdfw target +WARNING: untranslated string: fwdfw targetip +WARNING: untranslated string: fwdfw timeframe +WARNING: untranslated string: fwdfw toggle +WARNING: untranslated string: fwdfw togglelog +WARNING: untranslated string: fwdfw use nat +WARNING: untranslated string: fwdfw use srcport +WARNING: untranslated string: fwdfw use srv +WARNING: untranslated string: fwdfw useless rule +WARNING: untranslated string: fwdfw wd_fri +WARNING: untranslated string: fwdfw wd_mon +WARNING: untranslated string: fwdfw wd_sat +WARNING: untranslated string: fwdfw wd_sun +WARNING: untranslated string: fwdfw wd_thu +WARNING: untranslated string: fwdfw wd_tue +WARNING: untranslated string: fwdfw wd_wed +WARNING: untranslated string: fwdfw xt access +WARNING: untranslated string: fwhost addgrp +WARNING: untranslated string: fwhost addgrpname +WARNING: untranslated string: fwhost addhost +WARNING: untranslated string: fwhost addnet +WARNING: untranslated string: fwhost addservice +WARNING: untranslated string: fwhost addservicegrp +WARNING: untranslated 
string: fwhost any +WARNING: untranslated string: fwhost back +WARNING: untranslated string: fwhost ccdhost +WARNING: untranslated string: fwhost ccdnet +WARNING: untranslated string: fwhost change +WARNING: untranslated string: fwhost cust addr +WARNING: untranslated string: fwhost cust grp +WARNING: untranslated string: fwhost cust net +WARNING: untranslated string: fwhost cust service +WARNING: untranslated string: fwhost cust srvgrp +WARNING: untranslated string: fwhost deleted +WARNING: untranslated string: fwhost empty +WARNING: untranslated string: fwhost err addr +WARNING: untranslated string: fwhost err empty +WARNING: untranslated string: fwhost err groupempty +WARNING: untranslated string: fwhost err grpexist +WARNING: untranslated string: fwhost err hostexist +WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: fwhost err ip +WARNING: untranslated string: fwhost err ipcheck +WARNING: untranslated string: fwhost err ipmac +WARNING: untranslated string: fwhost err ipwithsub +WARNING: untranslated string: fwhost err isccdhost +WARNING: untranslated string: fwhost err isccdiphost +WARNING: untranslated string: fwhost err isccdipnet +WARNING: untranslated string: fwhost err isccdnet +WARNING: untranslated string: fwhost err isingrp +WARNING: untranslated string: fwhost err name +WARNING: untranslated string: fwhost err name1 +WARNING: untranslated string: fwhost err net +WARNING: untranslated string: fwhost err netexist +WARNING: untranslated string: fwhost err partofnet +WARNING: untranslated string: fwhost err port +WARNING: untranslated string: fwhost err remark +WARNING: untranslated string: fwhost err srv exists +WARNING: untranslated string: fwhost err srvexist +WARNING: untranslated string: fwhost err sub32 +WARNING: untranslated string: fwhost hint +WARNING: untranslated string: fwhost hosts +WARNING: untranslated string: fwhost icmptype +WARNING: untranslated string: fwhost ip_mac +WARNING: untranslated string: fwhost 
ipsec net +WARNING: untranslated string: fwhost menu +WARNING: untranslated string: fwhost netaddress +WARNING: untranslated string: fwhost newgrp +WARNING: untranslated string: fwhost newhost +WARNING: untranslated string: fwhost newnet +WARNING: untranslated string: fwhost newservice +WARNING: untranslated string: fwhost newservicegrp +WARNING: untranslated string: fwhost ovpn_n2n +WARNING: untranslated string: fwhost port +WARNING: untranslated string: fwhost prot +WARNING: untranslated string: fwhost reread +WARNING: untranslated string: fwhost services +WARNING: untranslated string: fwhost srv_name +WARNING: untranslated string: fwhost stdnet +WARNING: untranslated string: fwhost type +WARNING: untranslated string: fwhost used +WARNING: untranslated string: fwhost welcome WARNING: untranslated string: new WARNING: untranslated string: outgoing firewall reserved groupname +WARNING: untranslated string: red1 WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_missings b/doc/language_missings index 1550f47..20838cb 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,13 +5,13 @@ # Checking cgi-bin translations for language: en # ############################################################################ < ccd maxclients +< wlanap country ############################################################################ # Checking install/setup translations for language: fr # ############################################################################ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second 
@@ -67,6 +67,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < fireinfo ipfire version < fireinfo is disabled < fireinfo is enabled 
@@ -84,6 +89,174 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust 
service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < ntp common settings < ntp sync @@ -112,6 +285,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < snort working < static routes @@ -233,7 +407,6 @@ ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second 
@@ -289,6 +462,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < fireinfo ipfire version < fireinfo is disabled < fireinfo is enabled 
@@ -306,6 +484,174 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost cust 
service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < openvpn default < openvpn destination port used @@ -350,6 +696,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < Set time on boot < static routes @@ -448,7 +795,6 @@ ############################################################################ # Checking cgi-bin translations for language: pl # ############################################################################ -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second 
@@ -503,6 +849,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < extrahd because there is already a device mounted < extrahd cant umount < extrahd install or load driver 
@@ -512,6 +863,174 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< forward firewall +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net +< fwhost 
cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < minute < openvpn default < openvpn destination port used @@ -542,6 +1061,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < static routes < tor @@ -639,7 +1159,6 @@ # Checking cgi-bin translations for language: ru # ############################################################################ < Add a route -< advproxy cache-digest < advproxy errmsg cache < advproxy errmsg invalid upstream proxy < age second @@ -696,6 +1215,11 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< drop action +< drop action1 +< drop action2 +< drop forward +< drop outgoing < Edit an existing route < extrahd because there is already a device mounted < extrahd cant umount 
@@ -706,7 +1230,175 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< forward firewall < frequency +< fw default drop +< fwdfw ACCEPT +< fwdfw action +< fwdfw additional +< fwdfw addr grp +< fwdfw addrule +< fwdfw change +< fwdfw copy +< fwdfw cust addr +< fwdfw cust net +< fwdfw delete +< fwdfw dnat +< fwdfw dnat error +< fwdfw dnat porterr +< fwdfw DROP +< fwdfw edit +< fwdfw err nosrc +< fwdfw err nosrcip +< fwdfw err notgt +< fwdfw err notgtip +< fwdfw err prot +< fwdfw err remark +< fwdfw err ruleexists +< fwdfw err same +< fwdfw err samesub +< fwdfw err src_addr +< fwdfw err srcovpn +< fwdfw err srcport +< fwdfw err tgt_addr +< fwdfw err tgt_grp +< fwdfw err tgt_mac +< fwdfw err tgtovpn +< fwdfw err tgtport +< fwdfw err tgt_port +< fwdfw err time +< fwdfw final_rule +< fwdfw from +< fwdfw hint ip1 +< fwdfw hint ip2 +< fwdfw ipsec network +< fwdfw log rule +< fwdfw man port +< fwdfw menu +< fwdfw MODE1 +< fwdfw MODE2 +< fwdfw movedown +< fwdfw moveup +< fwdfw natport used +< fwdfw newrule +< fwdfw p2p txt +< fwdfw pol allow +< fwdfw pol block +< fwdfw pol text +< fwdfw pol text1 +< fwdfw pol title +< fwdfw red +< fwdfw REJECT +< fwdfw reread +< fwdfw rule action +< fwdfw rule activate +< fwdfw rulepos +< fwdfw rules +< fwdfw snat +< fwdfw source +< fwdfw sourceip +< fwdfw std network +< fwdfw target +< fwdfw targetip +< fwdfw till +< fwdfw time +< fwdfw timeframe +< fwdfw toggle +< fwdfw togglelog +< fwdfw useless rule +< fwdfw use nat +< fwdfw use srcport +< fwdfw use srv +< fwdfw wd_fri +< fwdfw wd_mon +< fwdfw wd_sat +< fwdfw wd_sun +< fwdfw wd_thu +< fwdfw wd_tue +< fwdfw wd_wed +< fwdfw xt access +< fwhost addgrp +< fwhost addgrpname +< fwhost addhost +< fwhost addnet +< fwhost addrule +< fwhost addservice +< fwhost addservicegrp +< fwhost any +< fwhost attention +< fwhost back +< fwhost blue +< fwhost ccdhost +< fwhost ccdnet +< fwhost change +< fwhost changeremark +< fwhost cust addr +< fwhost cust grp +< fwhost cust net 
+< fwhost cust service +< fwhost cust srvgrp +< fwhost deleted +< fwhost empty +< fwhost err addr +< fwhost err addrgrp +< fwhost err empty +< fwhost err groupempty +< fwhost err grpexist +< fwhost err hostexist +< fwhost err hostorip +< fwhost err ip +< fwhost err ipcheck +< fwhost err ipmac +< fwhost err ipwithsub +< fwhost err isccdhost +< fwhost err isccdiphost +< fwhost err isccdipnet +< fwhost err isccdnet +< fwhost err isingrp +< fwhost err mac +< fwhost err name +< fwhost err name1 +< fwhost err net +< fwhost err netexist +< fwhost err partofnet +< fwhost err port +< fwhost err remark +< fwhost err srvexist +< fwhost err srv exists +< fwhost err sub32 +< fwhost green +< fwhost hint +< fwhost hosts +< fwhost icmptype +< fwhost ipadr +< fwhost ip_mac +< fwhost ipsec host +< fwhost ipsec net +< fwhost menu +< fwhost netaddress +< fwhost newgrp +< fwhost newhost +< fwhost newnet +< fwhost newservice +< fwhost newservicegrp +< fwhost orange +< fwhost ovpn_n2n +< fwhost port +< fwhost prot +< fwhost reread +< fwhost reset +< fwhost services +< fwhost srv_name +< fwhost stdnet +< fwhost type +< fwhost used +< fwhost welcome +< fwhost wo subnet +< fw settings +< fw settings color +< fw settings dropdown +< fw settings remark +< fw settings ruletable < hour-graph < incoming traffic in bytes per second < minute @@ -737,6 +1429,7 @@ < proxy reports today < proxy reports weekly < qos enter bandwidths +< red1 < server restart < static routes < tor diff --git a/html/cgi-bin/dmzholes.cgi b/html/cgi-bin/dmzholes.cgi deleted file mode 100644 index 5c16f00..0000000 --- a/html/cgi-bin/dmzholes.cgi +++ /dev/null 
@@ -1,446 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see http://www.gnu.org/licenses/. #
-# #
-###############################################################################
-
-use strict;
-
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
-
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "${General::swroot}/header.pl";
-
-#workaround to suppress a warning when a variable is used only once
-my @dummy = ( ${Header::table2colour}, ${Header::colouryellow} );
-undef (@dummy);
-
-my %cgiparams=();
-my %checked=();
-my %selected=();
-my %netsettings=();
-my $errormessage = '';
-my $filename = "${General::swroot}/dmzholes/config";
-
-&General::readhash("${General::swroot}/ethernet/settings", %netsettings);
-
-&Header::showhttpheaders();
-
-$cgiparams{'ENABLED'} = 'off';
-$cgiparams{'REMARK'} = '';
-$cgiparams{'ACTION'} = '';
-$cgiparams{'SRC_IP'} = '';
-$cgiparams{'DEST_IP'} ='';
-$cgiparams{'DEST_PORT'} = '';
-&Header::getcgihash(%cgiparams);
-
-open(FILE, $filename) or die 'Unable to open config file.';
-my @current = <FILE>;
-close(FILE);
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
-{
- unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp)$/) { $errormessage = $Lang::tr{'invalid input'}; }
- unless(&General::validipormask($cgiparams{'SRC_IP'})) { $errormessage = $Lang::tr{'source ip bad'}; }
- unless($errormessage){$errormessage = &General::validportrange($cgiparams{'DEST_PORT'},'dst');}
- unless(&General::validipormask($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; }
- unless ($errormessage) {
- $errormessage = &validNet($cgiparams{'SRC_NET'},$cgiparams{'DEST_NET'}); }
- # Darren Critchley - Remove commas from remarks
- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
-
- unless ($errormessage)
- {
- if($cgiparams{'EDITING'} eq 'no') {
- open(FILE,">>$filename") or die 'Unable to open config file.';
- flock FILE, 2;
- print FILE "$cgiparams{'PROTOCOL'},"; # [0]
- print FILE "$cgiparams{'SRC_IP'},"; # [1]
- print FILE "$cgiparams{'DEST_IP'},"; # [2]
- print FILE "$cgiparams{'DEST_PORT'},"; # [3]
- print FILE "$cgiparams{'ENABLED'},"; # [4]
- print FILE "$cgiparams{'SRC_NET'},"; # [5]
- print FILE "$cgiparams{'DEST_NET'},"; # [6]
- print FILE "$cgiparams{'REMARK'}\n"; # [7]
- } else {
- open(FILE,">$filename") or die 'Unable to open config file.';
- flock FILE, 2;
- my $id = 0;
- foreach my $line (@current)
- {
- $id++;
- if ($cgiparams{'EDITING'} eq $id) {
- print FILE "$cgiparams{'PROTOCOL'},"; # [0]
- print FILE "$cgiparams{'SRC_IP'},"; # [1]
- print FILE "$cgiparams{'DEST_IP'},"; # [2]
- print FILE "$cgiparams{'DEST_PORT'},"; # [3]
- print FILE "$cgiparams{'ENABLED'},"; # [4]
- print FILE "$cgiparams{'SRC_NET'},"; # [5]
- print FILE "$cgiparams{'DEST_NET'},"; # [6]
- print FILE "$cgiparams{'REMARK'}\n"; # [7]
- } else { print FILE "$line"; }
- }
- }
- close(FILE);
- undef %cgiparams;
- &General::log($Lang::tr{'dmz pinhole rule added'});
- system('/usr/local/bin/setdmzholes');
- }
-}
-if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
-{
- my $id = 0;
- open(FILE, ">$filename") or die 'Unable to open config file.';
- flock FILE, 2;
- foreach my $line (@current)
- {
- $id++;
- unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
- }
- close(FILE);
- system('/usr/local/bin/setdmzholes');
- &General::log($Lang::tr{'dmz pinhole rule removed'});
-}
-if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
-{
- my $id = 0;
- open(FILE, ">$filename") or die 'Unable to open config file.';
- flock FILE, 2;
- foreach my $line (@current)
- {
- $id++;
- unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
- else
- {
- chomp($line);
- my @temp = split(/,/,$line);
- print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$cgiparams{'ENABLE'},$temp[5],$temp[6],$temp[7]\n";
- }
- }
- close(FILE);
- system('/usr/local/bin/setdmzholes');
-}
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
-{
- my $id = 0;
- foreach my $line (@current)
- {
- $id++;
- if ($cgiparams{'ID'} eq $id)
- {
- chomp($line);
- my @temp = split(/,/,$line);
- $cgiparams{'PROTOCOL'} = $temp[0];
- $cgiparams{'SRC_IP'} = $temp[1];
- $cgiparams{'DEST_IP'} = $temp[2];
- $cgiparams{'DEST_PORT'} = $temp[3];
- $cgiparams{'ENABLED'} = $temp[4];
- $cgiparams{'SRC_NET'} = $temp[5];
- $cgiparams{'DEST_NET'} = $temp[6];
- $cgiparams{'REMARK'} = $temp[7];
- }
- }
-}
-
-if ($cgiparams{'ACTION'} eq '')
-{
- $cgiparams{'PROTOCOL'} = 'tcp';
- $cgiparams{'ENABLED'} = 'on';
- $cgiparams{'SRC_NET'} = 'orange';
- $cgiparams{'DEST_NET'} = 'blue';
-}
-
-$selected{'PROTOCOL'}{'udp'} = '';
-$selected{'PROTOCOL'}{'tcp'} = '';
-$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'";
-
-$selected{'SRC_NET'}{'orange'} = '';
-$selected{'SRC_NET'}{'blue'} = '';
-$selected{'SRC_NET'}{$cgiparams{'SRC_NET'}} = "selected='selected'";
-
-$selected{'DEST_NET'}{'blue'} = '';
-$selected{'DEST_NET'}{'green'} = '';
-$selected{'DEST_NET'}{$cgiparams{'DEST_NET'}} = "selected='selected'";
-
-$checked{'ENABLED'}{'off'} = '';
-$checked{'ENABLED'}{'on'} = '';
-$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
-
-&Header::openpage($Lang::tr{'dmz pinhole configuration'}, 1, '');
-
-&Header::openbigbox('100%', 'left', '', $errormessage);
-
-if ($errormessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
- print "<class name='base'>$errormessage\n";
- print " </class>\n";
- &Header::closebox();
-}
-
-print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
-
-my $buttonText = $Lang::tr{'add'};
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
- &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'});
- $buttonText = $Lang::tr{'update'};
-} else {
- &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'});
-}
-print <<END
-<table width='100%'>
-<tr>
-<td>
- <select name='PROTOCOL'>
- <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
- <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option>
- </select>
-</td>
-<td>
- $Lang::tr{'source net'}:</td>
-<td>
- <select name='SRC_NET'>
-END
-;
- if (&haveOrangeNet()) {
- print "<option value='orange' $selected{'SRC_NET'}{'orange'}>$Lang::tr{'orange'}</option>";
- }
- if (&haveBlueNet()) {
- print "<option value='blue' $selected{'SRC_NET'}{'blue'}>$Lang::tr{'blue'}</option>";
- }
-print <<END
- </select>
-</td>
-<td class='base'>$Lang::tr{'source ip or net'}:</td>
-<td><input type='text' name='SRC_IP' value='$cgiparams{'SRC_IP'}' size='15' /></td>
-</tr>
-<tr>
-<td>
- </td>
-<td>
- $Lang::tr{'destination net'}:</td>
-<td>
- <select name='DEST_NET'>
-END
-;
- if (&haveOrangeNet() && &haveBlueNet()) {
- print "<option value='blue' $selected{'DEST_NET'}{'blue'}>$Lang::tr{'blue'}</option>";
- }
-
-print <<END
- <option value='green' $selected{'DEST_NET'}{'green'}>$Lang::tr{'green'}</option>
- </select>
-</td>
-<td class='base'>
- $Lang::tr{'destination ip or net'}:</td>
-<td>
- <input type='text' name='DEST_IP' value='$cgiparams{'DEST_IP'}' size='15' />
-</td>
-<td class='base'>
- $Lang::tr{'destination port'}:
- <input type='text' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' />
-</td>
-</tr>
-</table>
-<table width='100%'>
- <tr>
- <td colspan='3' width='50%' class='base'>
- <font class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></font>
- <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' />
- </td>
- </tr>
- <tr>
- <td class='base' width='50%'>
- <img src='/blob.gif' alt ='*' align='top' />
- <font class='base'>$Lang::tr{'this field may be blank'}</font>
- </td>
- <td class='base' width='25%' align='center'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
- <td width='25%' align='center'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'add'}' />
- <input type='submit' name='SUBMIT' value='$buttonText' />
- </td>
- </tr>
-</table>
-END
-;
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
- print "<input type='hidden' name='EDITING' value='$cgiparams{'ID'}' />\n";
-} else {
- print "<input type='hidden' name='EDITING' value='no' />\n";
-}
-&Header::closebox();
-print "</form>\n";
-
-&Header::openbox('100%', 'left', $Lang::tr{'current rules'});
-print <<END
-<table width='100%'>
-<tr>
-<td width='7%' class='boldbase' align='center'><b>$Lang::tr{'proto'}</b></td>
-<td width='3%' class='boldbase' align='center'><b>$Lang::tr{'net'}</b></td>
-<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'source'}</b></td>
-<td width='2%' class='boldbase' align='center'> </td>
-<td width='3%' class='boldbase' align='center'><b>$Lang::tr{'net'}</b></td>
-<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'destination'}</b></td>
-<td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
-<td width='1%' class='boldbase' align='center'> </td>
-<td width='4%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
-END
-;
-
-# Achim Weber: if i add a new rule, this rule is not displayed?!?
-# we re-read always config.
-# If something has happeened re-read config
-#if($cgiparams{'ACTION'} ne '')
-#{
- open(FILE, $filename) or die 'Unable to open config file.';
- @current = <FILE>;
- close(FILE);
-#}
-my $id = 0;
-foreach my $line (@current)
-{
- my $protocol='';
- my $gif='';
- my $toggle='';
- my $gdesc='';
- $id++;
- chomp($line);
- my @temp = split(/,/,$line);
- if ($temp[0] eq 'udp') { $protocol = 'UDP'; } else { $protocol = 'TCP' }
-
- my $srcnetcolor = ($temp[5] eq 'blue')? ${Header::colourblue} : ${Header::colourorange};
- my $destnetcolor = ($temp[6] eq 'blue')? ${Header::colourblue} : ${Header::colourgreen};
-
- if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) {
- print "<tr bgcolor='${Header::colouryellow}'>\n"; }
- elsif ($id % 2) {
- print "<tr bgcolor='${Header::table1colour}'>\n"; }
- else {
- print "<tr bgcolor='${Header::table2colour}'>\n"; }
- if ($temp[4] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};}
- else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
-
- # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat
- my $dstprt =$temp[3];
- $_=$temp[3];
- if (/^\d+$/) {
- my $servi = uc(getservbyport($temp[3], lc($temp[0])));
- if ($servi ne '' && $temp[3] < 1024) {
- $dstprt = "$dstprt($servi)"; }
- }
- # Darren Critchley - If the line is too long, wrap the port numbers
- my $dstaddr = "$temp[2] : $dstprt";
- if (length($dstaddr) > 26) {
- $dstaddr = "$temp[2] :<br /> $dstprt";
- }
-print <<END
-<td align='center'>$protocol</td>
-<td bgcolor='$srcnetcolor'></td>
-<td align='center'>$temp[1]</td>
-<td align='center'><img src='/images/forward.gif' /></td>
-<td bgcolor='$destnetcolor'></td>
-<td align='center'>$dstaddr</td>
-<td align='center'>$temp[7]</td>
-
-<td align='center'>
-<form method='post' name='frma$id' action='$ENV{'SCRIPT_NAME'}'>
-<input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' />
-<input type='hidden' name='ID' value='$id' />
-<input type='hidden' name='ENABLE' value='$toggle' />
-<input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
-</form>
-</td>
-
-<td align='center'>
-<form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
-<input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' />
-<input type='hidden' name='ID' value='$id' />
-<input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
-</form>
-</td>
-
-<td align='center'>
-<form method='post' name='frmc$id' action='$ENV{'SCRIPT_NAME'}'>
-<input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' />
-<input type='hidden' name='ID' value='$id' />
-<input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
-</form>
-</td>
-
-</tr>
-END
- ;
-}
-print "</table>\n";
-
-# If the fixed lease file contains entries, print Key to action icons
-if ( ! -z "$filename") {
-print <<END
-<table>
-<tr>
- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
- <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
- <td class='base'>$Lang::tr{'click to disable'}</td>
- <td> <img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
- <td class='base'>$Lang::tr{'click to enable'}</td>
- <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
- <td class='base'>$Lang::tr{'edit'}</td>
- <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
- <td class='base'>$Lang::tr{'remove'}</td>
-</tr>
-</table>
-END
-;
-}
-
-&Header::closebox();
-
-&Header::closebigbox();
-
-&Header::closepage();
-
-sub validNet
-{
- my $srcNet = $_[0];
- my $destNet = $_[1];
-
- if ($srcNet eq $destNet) {
- return $Lang::tr{'dmzpinholes for same net not necessary'}; }
- unless ($srcNet =~ /^(blue|orange)$/) {
- return $Lang::tr{'select source net'}; }
- unless ($destNet =~ /^(blue|green)$/) {
- return $Lang::tr{'select dest net'}; }
-
- return '';
-}
-
-sub haveOrangeNet
-{
- if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
- if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
- return 0;
-}
-
-sub haveBlueNet
-{
- if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
- if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
- return 0;
-}
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
new file mode 100755
index 0000000..c18f4f4
--- /dev/null
+++ b/html/cgi-bin/forwardfw.cgi
@@ -0,0 +1,2463 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 Alexander Marx amarx@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +use Sort::Naturally; +no warnings 'uninitialized'; +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; +require "${General::swroot}/forward/bin/firewall-lib.pl"; + +unless (-d "${General::swroot}/forward") { system("mkdir ${General::swroot}/forward"); } +unless (-e "${General::swroot}/forward/settings") { system("touch ${General::swroot}/forward/settings"); } +unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } +unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } +unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } + +my %fwdfwsettings=(); +my %selected=() ; +my %defaultNetworks=(); +my %netsettings=(); +my %customhost=(); +my %customgrp=(); +my %customnetworks=(); 
+my %customservice=(); +my %customservicegrp=(); +my %ccdnet=(); +my %customnetwork=(); +my %ccdhost=(); +my %configfwdfw=(); +my %configinputfw=(); +my %configoutgoingfw=(); +my %ipsecconf=(); +my %color=(); +my %mainsettings=(); +my %checked=(); +my %icmptypes=(); +my %ovpnsettings=(); +my %ipsecsettings=(); +my %aliases=(); +my %optionsfw=(); +my %ifaces=(); + +my $VERSION='0.9.9.14'; +my $color; +my $confignet = "${General::swroot}/fwhosts/customnetworks"; +my $confighost = "${General::swroot}/fwhosts/customhosts"; +my $configgrp = "${General::swroot}/fwhosts/customgroups"; +my $configsrv = "${General::swroot}/fwhosts/customservices"; +my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; +my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; +my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; +my $configipsec = "${General::swroot}/vpn/config"; +my $configipsecrw = "${General::swroot}/vpn/settings"; +my $configfwdfw = "${General::swroot}/forward/config"; +my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; +my $configovpn = "${General::swroot}/ovpn/settings"; +my $fwoptions = "${General::swroot}/optionsfw/settings"; +my $ifacesettings = "${General::swroot}/ethernet/settings"; +my $errormessage=''; +my $hint=''; +my $ipgrp="${General::swroot}/outgoing/groups"; +my $tdcolor=''; +my $checkorange=''; +my @protocols; +&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); +&General::readhash("${General::swroot}/main/settings", %mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); +&General::readhash($fwoptions, %optionsfw); +&General::readhash($ifacesettings, %ifaces); +&General::readhash("$configovpn", %ovpnsettings); +&General::readhash("$configipsecrw", %ipsecsettings); +&General::readhasharray("$configipsec", %ipsecconf); +&Header::showhttpheaders(); +&Header::getcgihash(%fwdfwsettings); 
+&Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); +&Header::openbigbox('100%', 'center',$errormessage); +#### JAVA SCRIPT #### +print<<END; +<script> + $(document).ready(function() { + // Automatically select radio buttons when corresponding + // dropdown menu changes. + $("select").change(function() { + var id = $(this).attr("name"); + //When using SNAT or DNAT, check "USE NAT" Checkbox + if ( id === 'snat' || id === 'dnat') { + $('#USE_NAT').prop('checked', true); + } + $('#' + id).prop("checked", true); + }); + }); +function checkradio(a){ + $(a).attr('checked', true); +} +</script> +END + +#### ACTION ##### + +if ($fwdfwsettings{'ACTION'} eq 'saverule') +{ + &General::readhasharray("$configfwdfw", %configfwdfw); + &General::readhasharray("$configinput", %configinputfw); + &General::readhasharray("$configoutgoing", %configoutgoingfw); + $errormessage=&checksource; + if(!$errormessage){&checktarget;} + if(!$errormessage){&checkrule;} + + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $checkorange='on'; + } + } + #check useless rules + if( ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage.=$Lang::tr{'fwdfw useless rule'}."<br>"; + } + #check if we try to break rules + if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){ + $errormessage=$Lang::tr{'fwdfw err same'}; + } + #INPUT part + if($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ + $fwdfwsettings{'config'}=$configinput; + $fwdfwsettings{'chain'} = 'INPUTFW'; + my $maxkey=&General::findhasharraykey(%configinputfw); + #check if we have an identical rule already + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my 
$key (sort keys %configinputfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && 
!&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configinputfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq 
"$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + $fwdfwsettings{'nosave2'} = 'on'; + } + } + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + 
&checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(%configinputfw,$configinput); + } + }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){ + # OUTGOING PART + $fwdfwsettings{'config'}=$configoutgoing; + $fwdfwsettings{'chain'} = 'OUTGOINGFW'; + my $maxkey=&General::findhasharraykey(%configoutgoingfw); + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + foreach my $key (sort keys %configoutgoingfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq 
"$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + $fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + print"CHECK OUTGOING DOPPELTE REGEL<br>"; + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configoutgoingfw){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq 
$fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(%configoutgoingfw,$configoutgoing); + } + }else{ + #FORWARD PART + $fwdfwsettings{'config'}=$configfwdfw; + $fwdfwsettings{'chain'} = 'FORWARDFW'; + my $maxkey=&General::findhasharraykey(%configfwdfw); + if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ + #check if we have an identical rule already + foreach my $key (sort keys %configfwdfw){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + if ($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' ){ + $errormessage=''; + }elsif($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; + } + if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ + 
$fwdfwsettings{'nosave'} = 'on'; + } + } + } + } + #check Rulepos on new Rule + if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + $fwdfwsettings{'oldrulenumber'}=$maxkey; + foreach my $key (sort keys %configfwdfw){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + } + } + } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq 
$fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } + #increase counters + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(%configfwdfw,$configfwdfw); + } + } + if ($errormessage){ + &newrule; + }else{ + if($fwdfwsettings{'nosave2'} ne 'on'){ + &rules; + } + &base; + } +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw newrule'}) +{ + &newrule; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw toggle'}) +{ + my %togglehash=(); + 
&General::readhasharray($fwdfwsettings{'config'}, %togglehash);
+ foreach my $key (sort keys %togglehash){
+ if ($key eq $fwdfwsettings{'key'}){
+ if ($togglehash{$key}[2] eq 'ON'){$togglehash{$key}[2]='';}else{$togglehash{$key}[2]='ON';}
+ }
+ }
+ &General::writehasharray($fwdfwsettings{'config'}, %togglehash);
+ &rules;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw togglelog'})
+{
+ my %togglehash=();
+ &General::readhasharray($fwdfwsettings{'config'}, %togglehash);
+ foreach my $key (sort keys %togglehash){
+ if ($key eq $fwdfwsettings{'key'}){
+ if ($togglehash{$key}[17] eq 'ON'){$togglehash{$key}[17]='';}else{$togglehash{$key}[17]='ON';}
+ }
+ }
+ &General::writehasharray($fwdfwsettings{'config'}, %togglehash);
+ &rules;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
+{
+ &reread_rules;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'editrule')
+{
+ $fwdfwsettings{'updatefwrule'}='on';
+ &newrule;
+}
+if ($fwdfwsettings{'ACTION'} eq 'deleterule')
+{
+ &deleterule;
+}
+if ($fwdfwsettings{'ACTION'} eq 'moveup')
+{
+ &pos_up;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'movedown')
+{
+ &pos_down;
+ &base;
+}
+if ($fwdfwsettings{'ACTION'} eq 'copyrule')
+{
+ $fwdfwsettings{'copyfwrule'}='on';
+ &newrule;
+}
+if ($fwdfwsettings{'ACTION'} eq '' or $fwdfwsettings{'ACTION'} eq 'reset')
+{
+ &base;
+}
+### Functions ####
+sub addrule
+{
+ &error;
+ if (-f "${General::swroot}/forward/reread"){
+ print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div></td></tr></table></form><br>";
+ }
+ &Header::openbox('100%', 'left', $Lang::tr{'fwdfw menu'});
+ print "<form method='post'>";
+ print "<table border='0'>";
+ print "<tr><td><input 
type='submit' name='ACTION' value='$Lang::tr{'fwdfw newrule'}'></td>";
+ print"</tr></table></form><hr>";
+ &Header::closebox();
+ &viewtablerule;
+}
+sub base
+{
+ &hint;
+ &addrule;
+ print "<br><br>";
+ print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</font></div>";
+}
+sub changerule
+{
+ my $oldchain=shift;
+ $fwdfwsettings{'updatefwrule'}='';
+ $fwdfwsettings{'config'}=$oldchain;
+ $fwdfwsettings{'nobase'}='on';
+ &deleterule;
+ &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+}
+sub checksource
+{
+ my ($ip,$subnet);
+ #check ip-address if manual
+ if ($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} ne ''){
+ #check if ip with subnet
+ if ($fwdfwsettings{'src_addr'} =~ /^(.*?)/(.*?)$/) {
+ ($ip,$subnet)=split (///,$fwdfwsettings{'src_addr'});
+ $subnet = &General::iporsubtocidr($subnet);
+ $fwdfwsettings{'isip'}='on';
+ }
+ #check if only ip
+ if($fwdfwsettings{'src_addr'}=~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){
+ $ip=$fwdfwsettings{'src_addr'};
+ $subnet = '32';
+ $fwdfwsettings{'isip'}='on';
+ }
+
+ if ($fwdfwsettings{'isip'} ne 'on'){
+ if (&General::validmac($fwdfwsettings{'src_addr'})){
+ $fwdfwsettings{'ismac'}='on';
+ }
+ }
+ if ($fwdfwsettings{'isip'} eq 'on'){
+ ##check if ip is valid
+ if (! 
&General::validip($ip)){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
+ }
+ #check and form valid IP
+ $ip=&General::ip2dec($ip);
+ $ip=&General::dec2ip($ip);
+ #check if net or broadcast
+ $fwdfwsettings{'src_addr'}="$ip/$subnet";
+ if(!&General::validipandmask($fwdfwsettings{'src_addr'})){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
+ }
+ }
+ if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){
+ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
+ return $errormessage;
+ }
+ }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
+ $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
+ return $errormessage;
+ }
+
+ #check empty fields
+ if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err nosrc'}."<br>";}
+ #check icmp source
+ if ($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ICMP'){
+ $fwdfwsettings{'SRC_PORT'}='';
+ &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes);
+ foreach my $key (keys %icmptypes){
+ if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0] ($icmptypes{$key}[1])"){
+ $fwdfwsettings{'ICMP_TYPES'}="$icmptypes{$key}[0]";
+ }
+ }
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'GRE'){
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'ESP'){
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} eq 'AH'){
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }elsif($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP'){
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ }else{
+ $fwdfwsettings{'ICMP_TYPES'}='';
+ $fwdfwsettings{'SRC_PORT'}='';
+ $fwdfwsettings{'PROT'}='';
+ }
+
+ 
if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){
+ my @parts=split(",",$fwdfwsettings{'SRC_PORT'});
+ my @values=();
+ foreach (@parts){
+ chomp($_);
+ if ($_ =~ /^(\d+)-(\d+)$/ || $_ =~ /^(\d+):(\d+)$/) {
+ my $check;
+ #change dashes with :
+ $_=~ tr/-/:/;
+ if ($_ eq "*") {
+ push(@values,"1:65535");
+ $check='on';
+ }
+ if ($_ =~ /^(\D):(\d+)$/ || $_ =~ /^(\D)-(\d+)$/) {
+ push(@values,"1:$2");
+ $check='on';
+ }
+ if ($_ =~ /^(\d+):(\D)$/ || $_ =~ /^(\d+)-(\D)$/ ) {
+ push(@values,"$1:65535");
+ $check='on'
+ }
+ $errormessage .= &General::validportrange($_, 'destination');
+ if(!$check){
+ push (@values,$_);
+ }
+ }else{
+ if (&General::validport($_)){
+ push (@values,$_);
+ }else{
+
+ }
+ }
+ }
+ $fwdfwsettings{'SRC_PORT'}=join("|",@values);
+ }
+ return $errormessage;
+}
+sub checktarget
+{
+ my ($ip,$subnet);
+ &General::readhasharray("$configsrv", %customservice);
+ #check DNAT settings (has to be single Host and single Port or portrange)
+ if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
+ if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+ if ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'dnatport'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
+ }
+ #check if manual ip is a single Host (if set)
+ if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
+ my @tmp= split (/./,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+ my @tmp1= split ("/",$tmp[3]);
+ if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
+ {
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ return $errormessage;
+ }
+ }
+ #check if Port is a single Port or portrange
+ if ($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 
'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
+ }
+ if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
+ $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+ return $errormessage;
+ }
+ }
+ }else{
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ return $errormessage;
+ }
+ }
+ if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
+ #check if ip with subnet
+ if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)/(.*?)$/) {
+ ($ip,$subnet)=split (///,$fwdfwsettings{'tgt_addr'});
+ $subnet = &General::iporsubtocidr($subnet);
+ }
+ #check if only ip
+ if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){
+ $ip=$fwdfwsettings{'tgt_addr'};
+ $subnet='32';
+ }
+ #check if ip is valid
+ if (! 
&General::validip($ip)){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>"; + return $errormessage; + } + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + $fwdfwsettings{'tgt_addr'}="$ip/$subnet"; + if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>"; + return $errormessage; + } + }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err notgtip'}; + return $errormessage; + } + #check empty fields + if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."<br>";} + #check tgt services + if ($fwdfwsettings{'USESRV'} eq 'ON'){ + if ($fwdfwsettings{'grp3'} eq 'cust_srv'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + if ($fwdfwsettings{'grp3'} eq 'cust_srvgrp'){ + $fwdfwsettings{'TGT_PROT'}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + #check target service + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq ''){ + $errormessage.=$Lang::tr{'fwdfw err tgt_grp'}; + } + } + if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ + if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ + if ($fwdfwsettings{'TGT_PORT'} ne ''){ + if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'} && $fwdfwsettings{'nat'} eq 'dnat') { + $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>"; + return $errormessage; + } + my @parts=split(",",$fwdfwsettings{'TGT_PORT'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)-(\d+)$/ || $_ =~ /^(\d+):(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D):(\d+)$/ || $_ =~ /^(\D)-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + } + if ($_ =~ /^(\d+):(\D)$/ || $_ =~ /^(\d+)-(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= 
&General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'TGT_PORT'}=join("|",@values); + } + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'} = ''; + }elsif($fwdfwsettings{'TGT_PROT'} eq 'ESP'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'}=''; + }elsif($fwdfwsettings{'TGT_PROT'} eq 'AH'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + $fwdfwsettings{'ICMP_TGT'}=''; + }elsif ($fwdfwsettings{'TGT_PROT'} eq 'ICMP'){ + $fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; + $fwdfwsettings{'TGT_PORT'} = ''; + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); + foreach my $key (keys %icmptypes){ + + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwdfwsettings{'ICMP_TGT'}){ + $fwdfwsettings{'ICMP_TGT'}=$icmptypes{$key}[0]; + } + } + } + } + } + #check targetport + if ($fwdfwsettings{'USESRV'} ne 'ON'){ + $fwdfwsettings{'grp3'}=''; + $fwdfwsettings{$fwdfwsettings{'grp3'}}=''; + $fwdfwsettings{'ICMP_TGT'}=''; + } + #check timeframe + if($fwdfwsettings{'TIME'} eq 'ON'){ + if($fwdfwsettings{'TIME_MON'} eq '' && $fwdfwsettings{'TIME_TUE'} eq '' && $fwdfwsettings{'TIME_WED'} eq '' && $fwdfwsettings{'TIME_THU'} eq '' && $fwdfwsettings{'TIME_FRI'} eq '' && $fwdfwsettings{'TIME_SAT'} eq '' && $fwdfwsettings{'TIME_SUN'} eq ''){ + $errormessage=$Lang::tr{'fwdfw err time'}; + return $errormessage; + } + } + return $errormessage; +} +sub check_natport +{ + my $val=shift; + if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + if ($fwdfwsettings{'dnatport'} =~ /^(\d+)-(\d+)$/) { + $fwdfwsettings{'dnatport'} =~ tr/-/:/; + if ($fwdfwsettings{'dnatport'} eq "*") { + 
$fwdfwsettings{'dnatport'}="1:65535"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\D):(\d+)$/) { + $fwdfwsettings{'dnatport'} = "1:$2"; + } + if ($fwdfwsettings{'dnatport'} =~ /^(\d+):(\D)$/) { + $fwdfwsettings{'dnatport'} ="$1:65535"; + } + } + return 1; + } + if ($val =~ "," || $val>65536 || $val<0){ + return 0; + } + return 1; +} +sub checkrule +{ + #check valid port for NAT + if($fwdfwsettings{'USE_NAT'} eq 'ON'){ + #if no port is given in nat area, take target host port + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};} + #check if port given in nat area is a single valid port or portrange + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'dnatport'})){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>"; + }elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){ + my $custsrvport; + #get servcie Protocol and Port + foreach my $key (sort keys %customservice){ + if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){ + if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){ + $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>"; + } + $custsrvport= $customservice{$key}[1]; + } + } + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + } + #check if DNAT port is multiple + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ + my @parts=split(",",$fwdfwsettings{'dnatport'}); + my @values=(); + foreach (@parts){ + chomp($_); + if ($_ =~ /^(\d+)-(\d+)$/ || $_ =~ /^(\d+):(\d+)$/) { + my $check; + #change dashes with : + $_=~ tr/-/:/; + if ($_ eq "*") { + push(@values,"1:65535"); + $check='on'; + } + if ($_ =~ /^(\D):(\d+)$/ || $_ =~ /^(\D)-(\d+)$/) { + push(@values,"1:$2"); + $check='on'; + 
} + if ($_ =~ /^(\d+):(\D)$/ || $_ =~ /^(\d+)-(\D)$/) { + push(@values,"$1:65535"); + $check='on' + } + $errormessage .= &General::validportrange($_, 'destination'); + if(!$check){ + push (@values,$_); + } + }else{ + if (&General::validport($_)){ + push (@values,$_); + }else{ + + } + } + } + $fwdfwsettings{'dnatport'}=join("|",@values); + } + } + #check valid remark + if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ + $errormessage.=$Lang::tr{'fwdfw err remark'}."<br>"; + } + #check if source and target identical + if ($fwdfwsettings{$fwdfwsettings{'grp1'}} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ALL'){ + $errormessage=$Lang::tr{'fwdfw err same'}; + return $errormessage; + } + #get source and targetip address if possible + my ($sip,$scidr,$tip,$tcidr); + ($sip,$scidr)=&get_ip("src","grp1"); + ($tip,$tcidr)=&get_ip("tgt","grp2"); + #check same iprange in source and target + if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){ + my $networkip1=&General::getnetworkip($sip,$scidr); + my $networkip2=&General::getnetworkip($tip,$tcidr); + if ($scidr gt $tcidr){ + if ( &General::IpInSubnet($networkip1,$tip,&General::iporsubtodec($tcidr))){ + $errormessage.=$Lang::tr{'fwdfw err samesub'}; + } + }elsif($scidr eq $tcidr && $scidr eq '32'){ + my ($sbyte1,$sbyte2,$sbyte3,$sbyte4)=split(/./,$networkip1); + my ($tbyte1,$tbyte2,$tbyte3,$tbyte4)=split(/./,$networkip2); + if ($sbyte1 eq $tbyte1 && $sbyte2 eq $tbyte2 && $sbyte3 eq $tbyte3){ + $hint=$Lang::tr{'fwdfw hint ip1'}."<br>"; + $hint.=$Lang::tr{'fwdfw hint ip2'}." 
Source: $networkip1/$scidr Target: $networkip2/$tcidr<br>";
+ }
+ }else{
+ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
+ $errormessage.=$Lang::tr{'fwdfw err samesub'};
+ }
+ }
+ }
+ #check source and destination protocol if manual
+ if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
+ if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+ $errormessage.=$Lang::tr{'fwdfw err prot'};
+ }
+ #check source and destination protocol if source manual and dest servicegrp
+ if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
+ foreach my $key (sort keys %customservice){
+ if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
+ if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
+ $errormessage.=$Lang::tr{'fwdfw err prot'};
+ last;
+ }
+ }
+ }
+ }
+ }
+ if( $fwdfwsettings{'USE_SRC_PORT'} ne 'ON' && $fwdfwsettings{'USESRV'} ne 'ON'){
+ $fwdfwsettings{'PROT'}='';
+ $fwdfwsettings{'TGT_PROT'}='';
+ }
+}
+sub checkcounter
+{
+ my ($base1,$val1,$base2,$val2) = @_;
+
+ if($base1 eq 'cust_net_src' || $base1 eq 'cust_net_tgt'){
+ &dec_counter($confignet,%customnetwork,$val1);
+ }elsif($base1 eq 'cust_host_src' || $base1 eq 'cust_host_tgt'){
+ &dec_counter($confighost,%customhost,$val1);
+ }elsif($base1 eq 'cust_grp_src' || $base1 eq 'cust_grp_tgt'){
+ &dec_counter($configgrp,%customgrp,$val1);
+ }elsif($base1 eq 'cust_srv'){
+ &dec_counter($configsrv,%customservice,$val1);
+ }elsif($base1 eq 'cust_srvgrp'){
+ &dec_counter($configsrvgrp,%customservicegrp,$val1);
+ }
+
+ if($base2 eq 'cust_net_src' || $base2 eq 'cust_net_tgt'){
+ &inc_counter($confignet,%customnetwork,$val2);
+ }elsif($base2 eq 'cust_host_src' || $base2 eq 'cust_host_tgt'){
+ &inc_counter($confighost,%customhost,$val2);
+ }elsif($base2 eq 'cust_grp_src' || $base2 eq 'cust_grp_tgt'){
+ &inc_counter($configgrp,%customgrp,$val2);
+ }elsif($base2 eq 'cust_srv'){
+ 
&inc_counter($configsrv,%customservice,$val2);
+ }elsif($base2 eq 'cust_srvgrp'){
+ &inc_counter($configsrvgrp,%customservicegrp,$val2);
+ }
+}
+sub checkvpn
+{
+ my $ip=shift;
+ #Test if manual IP is part of static OpenVPN networks
+ &General::readhasharray("$configccdnet", %ccdnet);
+ foreach my $key (sort keys %ccdnet){
+ my ($vpnip,$vpnsubnet) = split ("/",$ccdnet{$key}[1]);
+ my $sub=&General::iporsubtodec($vpnsubnet);
+ if (&General::IpInSubnet($ip,$vpnip,$sub)){
+ return 0;
+ }
+ }
+ # A Test if manual ip is part of dynamic openvpn subnet is made in getcolor
+ # because if one creates a custom host with the ip, we need to check the color there!
+ # It does not make sense to check this here
+
+ # Test if manual IP is part of an OpenVPN N2N subnet does also not make sense here
+ # Is also checked in getcolor
+
+ # Test if manual ip is part of an IPsec Network is also checked in getcolor
+ return 1;
+}
+sub checkvpncolor
+{
+
+}
+sub deleterule
+{
+ my %delhash=();
+ &General::readhasharray($fwdfwsettings{'config'}, %delhash);
+ foreach my $key (sort {$a <=> $b} keys %delhash){
+ if ($key == $fwdfwsettings{'key'}){
+ #check hosts/net and groups
+ &checkcounter($delhash{$key}[3],$delhash{$key}[4],,);
+ &checkcounter($delhash{$key}[5],$delhash{$key}[6],,);
+ #check services and groups
+ if ($delhash{$key}[11] eq 'ON'){
+ &checkcounter($delhash{$key}[14],$delhash{$key}[15],,);
+ }
+ }
+ if ($key >= $fwdfwsettings{'key'}) {
+ my $next = $key + 1;
+ if (exists $delhash{$next}) {
+ foreach my $i (0 .. $#{$delhash{$next}}) {
+ $delhash{$key}[$i] = $delhash{$next}[$i];
+ }
+ }
+ }
+ }
+ # Remove the very last entry. 
+ my $last_key = (sort {$a <=> $b} keys %delhash)[-1];
+ delete $delhash{$last_key};
+
+ &General::writehasharray($fwdfwsettings{'config'}, %delhash);
+ &rules;
+
+ if($fwdfwsettings{'nobase'} ne 'on'){
+ &base;
+ }
+}
+sub disable_rule
+{
+ my $key1=shift;
+ &General::readhasharray("$configfwdfw", %configfwdfw);
+ foreach my $key (sort keys %configfwdfw){
+ if ($key eq $key1 ){
+ if ($configfwdfw{$key}[2] eq 'ON'){$configfwdfw{$key}[2]='';}
+ }
+ }
+ &General::writehasharray("$configfwdfw", %configfwdfw);
+ &rules;
+}
+sub dec_counter
+{
+ my $config=shift;
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $pos;
+ &General::readhasharray($config, %hash);
+ foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+ $pos=$#{$hash{$key}};
+ $hash{$key}[$pos] = $hash{$key}[$pos]-1;
+ }
+ }
+ &General::writehasharray($config, %hash);
+}
+sub error
+{
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage\n";
+ print " </class>\n";
+ &Header::closebox();
+ print"<hr>";
+ }
+}
+sub fillselect
+{
+ my %hash=%{(shift)};
+ my $val=shift;
+ my $key;
+ foreach my $key (sort { ncmp($hash{$a}[0],$hash{$b}[0]) } keys %hash){
+ if($hash{$key}[0] eq $val){
+ print"<option value='$hash{$key}[0]' selected>$hash{$key}[0]</option>";
+ }else{
+ print"<option value='$hash{$key}[0]'>$hash{$key}[0]</option>";
+ }
+ }
+}
+sub gen_dd_block
+{
+ my $srctgt = shift;
+ my $grp=shift;
+ my $helper='';
+ my $show='';
+ $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED';
+ $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED';
+ $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED';
+ $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED';
+ $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED';
+ $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED';
+ $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED';
+ $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; 
+ $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; +print<<END; + <table width='100%' border='0'> + <tr><td width='50%' valign='top'> + <table width='100%' border='0'> + <tr><td width='1%'><input type='radio' name='$grp' id='std_net_$srctgt' value='std_net_$srctgt' $checked{$grp}{'std_net_'.$srctgt}></td><td>$Lang::tr{'fwhost stdnet'}</td><td align='right'><select name='std_net_$srctgt' style='width:200px;'> +END + foreach my $network (sort keys %defaultNetworks) + { + next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src'); + next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); + print "<option value='$defaultNetworks{$network}{'NAME'}'"; + print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'}); + my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS"; + my $defsub="$defaultNetworks{$network}{'NAME'}_NETMASK"; + my $defsub1=&General::subtocidr($ifaces{$defsub}); + $ifaces{$defnet}='' if ($defaultNetworks{$network}{'NAME'} eq 'RED'); + if ($ifaces{$defnet}){ + print ">$network ($ifaces{$defnet}/$defsub1)</option>"; + }else{ + print ">$network</option>"; + } + } + print"</select></td></tr>"; + #custom networks + if (! 
-z $confignet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print"<tr><td><input type='radio' name='$grp' id='cust_net_$srctgt' value='cust_net_$srctgt' $checked{$grp}{'cust_net_'.$srctgt}></td><td>$Lang::tr{'fwhost cust net'}</td><td align='right'><select name='cust_net_$srctgt' style='width:200px;'>"; + &fillselect(%customnetwork,$fwdfwsettings{$fwdfwsettings{$grp}}); + print"</select></td>"; + } + #custom hosts + if (! -z $confighost || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print"<tr><td><input type='radio' name='$grp' id='cust_host_$srctgt' value='cust_host_$srctgt' $checked{$grp}{'cust_host_'.$srctgt}></td><td>$Lang::tr{'fwhost cust addr'}</td><td align='right'><select name='cust_host_$srctgt' style='width:200px;'>"; + &fillselect(%customhost,$fwdfwsettings{$fwdfwsettings{$grp}}); + print"</select></td>"; + } + #custom groups + if (! -z $configgrp || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print"<tr><td valign='top'><input type='radio' name='$grp' id='cust_grp_$srctgt' value='cust_grp_$srctgt' $checked{$grp}{'cust_grp_'.$srctgt}></td><td >$Lang::tr{'fwhost cust grp'}</td><td align='right'><select name='cust_grp_$srctgt' style='width:200px;'>"; + foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } keys %customgrp) { + if($helper ne $customgrp{$key}[0]){ + print"<option "; + print "selected='selected' " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $customgrp{$key}[0]); + print ">$customgrp{$key}[0]</option>"; + } + $helper=$customgrp{$key}[0]; + } + print"</select></td>"; + } + #End left table. start right table (vpn) + print"</tr></table></td><td valign='top'><table width='100%' border='0'><tr>"; + # CCD networks + if( ! 
-z $configccdnet || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print"<td width='1%'><input type='radio' name='$grp' id='ovpn_net_$srctgt' value='ovpn_net_$srctgt' $checked{$grp}{'ovpn_net_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_net_$srctgt' style='width:200px;'>"; + &fillselect(%ccdnet,$fwdfwsettings{$fwdfwsettings{$grp}}); + print"</select></td></tr>"; + } + #OVPN CCD Hosts + foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost){ + if ($ccdhost{$key}[33] ne '' ){ + print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_host_$srctgt' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'>" if ($show eq ''); + $show='1'; + print "<option value='$ccdhost{$key}[1]'"; + print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]); + print ">$ccdhost{$key}[1]</option>"; + } + } + if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ + print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_host_$srctgt' value='ovpn_host_$srctgt' $checked{$grp}{'ovpn_host_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_host_$srctgt' style='width:200px;'></select></td></tr>" ; + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + #OVPN N2N + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_n2n_$srctgt' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}:</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' 
style='width:200px;'>" if ($show eq ''); + $show='1'; + print "<option value='$ccdhost{$key}[1]'"; + print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ccdhost{$key}[1]); + print ">$ccdhost{$key}[1]</option>"; + } + } + if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ + print"<tr><td width='1%'><input type='radio' name='$grp' id='ovpn_n2n_$srctgt' value='ovpn_n2n_$srctgt' $checked{$grp}{'ovpn_n2n_'.$srctgt}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ovpn_n2n'}</td><td nowrap='nowrap' width='1%' align='right'><select name='ovpn_n2n_$srctgt' style='width:200px;'></select></td></tr>" ; + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + #IPsec netze + foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { + if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){ + print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); + $show='1'; + print "<option "; + print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]); + print ">$ipsecconf{$key}[1]</option>"; + } + } + if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ + print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'><select></td></tr>"; + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + + print"</table>"; + print"</td></tr></table><br>"; +} +sub get_ip +{ + my $val=shift; + my $grp =shift; + my $a; + my $b; + &General::readhash("/var/ipfire/ethernet/settings", %netsettings); + if ($fwdfwsettings{$grp} ne $Lang::tr{'fwhost any'}){ + if ($fwdfwsettings{$grp} eq 
$val.'_addr'){ + ($a,$b) = split (///, $fwdfwsettings{$fwdfwsettings{$grp}}); + }elsif($fwdfwsettings{$grp} eq 'std_net_'.$val){ + if ($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Gr/i){ + $a=$netsettings{'GREEN_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'GREEN_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Ora/i){ + $a=$netsettings{'ORANGE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'ORANGE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /Bl/i){ + $a=$netsettings{'BLUE_NETADDRESS'}; + $b=&General::iporsubtocidr($netsettings{'BLUE_NETMASK'}); + }elsif($fwdfwsettings{$fwdfwsettings{$grp}} =~ /OpenVPN/i){ + &General::readhash("$configovpn",%ovpnsettings); + ($a,$b) = split (///, $ovpnsettings{'DOVPN_SUBNET'}); + $b=&General::iporsubtocidr($b); + } + }elsif($fwdfwsettings{$grp} eq 'cust_net_'.$val){ + &General::readhasharray("$confignet", %customnetwork); + foreach my $key (keys %customnetwork){ + if($customnetwork{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + $a=$customnetwork{$key}[1]; + $b=&General::iporsubtocidr($customnetwork{$key}[2]); + } + } + }elsif($fwdfwsettings{$grp} eq 'cust_host_'.$val){ + &General::readhasharray("$confighost", %customhost); + foreach my $key (keys %customhost){ + if($customhost{$key}[0] eq $fwdfwsettings{$fwdfwsettings{$grp}}){ + if ($customhost{$key}[1] eq 'ip'){ + ($a,$b)=split (///,$customhost{$key}[2]); + $b=&General::iporsubtocidr($b); + }else{ + if ($grp eq 'grp2'){ + $errormessage=$Lang::tr{'fwdfw err tgt_mac'}; + } + } + } + } + } + } + return $a,$b; +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} +sub getsrcport +{ + my %hash=%{(shift)}; + my $key=shift; + if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne '' && $hash{$key}[10]){ + $hash{$key}[10]=~ s/|/,/g; + print": $hash{$key}[10]"; + 
}elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ + print": <br>$hash{$key}[9] "; + } +} +sub gettgtport +{ + my %hash=%{(shift)}; + my $key=shift; + my $service; + my $prot; + if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){ + if($hash{$key}[14] eq 'cust_srv'){ + &General::readhasharray("$configsrv", %customservice); + foreach my $i (sort keys %customservice){ + if($customservice{$i}[0] eq $hash{$key}[15]){ + $service = $customservice{$i}[0]; + } + } + }elsif($hash{$key}[14] eq 'cust_srvgrp'){ + $service=$hash{$key}[15]; + }elsif($hash{$key}[14] eq 'TGT_PORT'){ + $hash{$key}[15]=~ s/|/,/g; + $service=$hash{$key}[15]; + } + if($service){ + print": $service"; + } + }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){ + print":<br>$hash{$key}[13]"; + } +} +sub get_serviceports +{ + my $type=shift; + my $name=shift; + &General::readhasharray("$configsrv", %customservice); + &General::readhasharray("$configsrvgrp", %customservicegrp); + my $tcp; + my $udp; + my $icmp; + @protocols=(); + if($type eq 'service'){ + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key}[0] eq $name){ + push (@protocols,$customservice{$key}[2]); + } + } + }elsif($type eq 'group'){ + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $name){ + foreach my $key1 (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ + if ($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + if($customservice{$key1}[2] eq 'TCP'){ + $tcp='TCP'; + }elsif($customservice{$key1}[2] eq 'ICMP'){ + $icmp='ICMP'; + }elsif($customservice{$key1}[2] eq 'UDP'){ + $udp='UDP'; + } + } + } + } + } + } + if($tcp && $udp && $icmp){ + push (@protocols,"All"); + return @protocols; + } + if($tcp){ + push (@protocols,"TCP"); + } + if($udp){ + push (@protocols,"UDP"); + } + if($icmp){ + push (@protocols,"ICMP"); + 
} + return @protocols; +} +sub getcolor +{ + my $nettype=shift; + my $val=shift; + my $hash=shift; + if($optionsfw{'SHOWCOLORS'} eq 'on'){ + #custom Hosts + if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + foreach my $key (sort keys %$hash){ + if ($$hash{$key}[0] eq $val){ + $val=$$hash{$key}[2]; + } + } + } + #standard networks + if ($val eq 'GREEN'){ + $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; + return; + }elsif ($val eq 'ORANGE'){ + $tdcolor="style='background-color: $Header::colourorange;color:white;'"; + return; + }elsif ($val eq 'BLUE'){ + $tdcolor="style='background-color: $Header::colourblue;color:white;'"; + return; + }elsif ($val eq 'RED' ||$val eq 'RED1' ){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + }elsif ($val eq 'IPFire' ){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + }elsif($val =~ /^(.*?)/(.*?)$/){ + my ($sip,$scidr) = split ("/",$val); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourorange;color:white;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourgreen;color:white;'"; + return; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="style='background-color: $Header::colourblue;color:white;'"; + return; + } + }elsif ($val eq 'Default IP'){ + $tdcolor="style='background-color: $Header::colourred;color:white;'"; + return; + } + #Check if a manual IP or custom host is part of a VPN + if ($nettype eq 'src_addr' || $nettype eq 'tgt_addr' || $nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + my ($c,$d) = split("/",$val); + if 
(&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + } + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + } + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + } + } + #VPN networks + if ($nettype eq 'ovpn_n2n_src' || $nettype eq 'ovpn_n2n_tgt' || $nettype eq 'ovpn_net_src' || $nettype eq 'ovpn_net_tgt'|| $nettype eq 'ovpn_host_src' || $nettype eq 'ovpn_host_tgt'){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + } + if ($nettype eq 'ipsec_net_src' || $nettype eq 'ipsec_net_tgt'){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; + } + #ALIASE + foreach my $alias (sort keys %aliases) + { + if ($val eq $alias){ + $tdcolor="style='background-color:$Header::colourred;color:white;'"; + return; + } + } + } + $tdcolor=''; + return; +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', 
$Lang::tr{'fwhost hint'}); + print "<class name='base'>$hint\n"; + print " </class>\n"; + &Header::closebox(); + print"<hr>"; + } +} +sub inc_counter +{ + my $config=shift; + my %hash=%{(shift)}; + my $val=shift; + my $pos; + + &General::readhasharray($config, %hash); + foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ + if($hash{$key}[0] eq $val){ + $pos=$#{$hash{$key}}; + $hash{$key}[$pos] = $hash{$key}[$pos]+1; + } + } + &General::writehasharray($config, %hash); +} +sub newrule +{ + &error; + &General::setup_default_networks(%defaultNetworks); + &General::readhash("/var/ipfire/ethernet/settings", %netsettings); + #read all configfiles + &General::readhasharray("$configccdnet", %ccdnet); + &General::readhasharray("$confignet", %customnetwork); + &General::readhasharray("$configccdhost", %ccdhost); + &General::readhasharray("$confighost", %customhost); + &General::readhasharray("$configccdhost", %ccdhost); + &General::readhasharray("$configgrp", %customgrp); + &General::readhasharray("$configipsec", %ipsecconf); + &General::get_aliases(%aliases); + my %checked=(); + my $helper; + my $sum=0; + if($fwdfwsettings{'config'} eq ''){$fwdfwsettings{'config'}=$configfwdfw;} + my $config=$fwdfwsettings{'config'}; + my %hash=(); + #Get Red IP-ADDRESS + open (CONN1,"/var/ipfire/red/local-ipaddress"); + my $redip = <CONN1>; + close(CONN1); + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + 
$checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + #check if update and get values + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ + &General::readhasharray("$config", %hash); + foreach my $key (sort keys %hash){ + $sum++; + if ($key eq $fwdfwsettings{'key'}){ + $fwdfwsettings{'oldrulenumber'} = $fwdfwsettings{'key'}; + $fwdfwsettings{'RULE_ACTION'} = $hash{$key}[0]; + $fwdfwsettings{'chain'} = $hash{$key}[1]; + $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; + $fwdfwsettings{'grp1'} = $hash{$key}[3]; + $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; + $fwdfwsettings{'grp2'} = $hash{$key}[5]; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6]; + $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7]; + $fwdfwsettings{'PROT'} = $hash{$key}[8]; + $fwdfwsettings{'ICMP_TYPES'} = $hash{$key}[9]; + $fwdfwsettings{'SRC_PORT'} = $hash{$key}[10]; + $fwdfwsettings{'USESRV'} = $hash{$key}[11]; + $fwdfwsettings{'TGT_PROT'} = $hash{$key}[12]; + $fwdfwsettings{'ICMP_TGT'} = $hash{$key}[13]; + $fwdfwsettings{'grp3'} = $hash{$key}[14]; + $fwdfwsettings{$fwdfwsettings{'grp3'}} = $hash{$key}[15]; + $fwdfwsettings{'ruleremark'} = $hash{$key}[16]; + $fwdfwsettings{'LOG'} = $hash{$key}[17]; + $fwdfwsettings{'TIME'} = $hash{$key}[18]; + $fwdfwsettings{'TIME_MON'} = $hash{$key}[19]; + $fwdfwsettings{'TIME_TUE'} = 
$hash{$key}[20]; + $fwdfwsettings{'TIME_WED'} = $hash{$key}[21]; + $fwdfwsettings{'TIME_THU'} = $hash{$key}[22]; + $fwdfwsettings{'TIME_FRI'} = $hash{$key}[23]; + $fwdfwsettings{'TIME_SAT'} = $hash{$key}[24]; + $fwdfwsettings{'TIME_SUN'} = $hash{$key}[25]; + $fwdfwsettings{'TIME_FROM'} = $hash{$key}[26]; + $fwdfwsettings{'TIME_TO'} = $hash{$key}[27]; + $fwdfwsettings{'USE_NAT'} = $hash{$key}[28]; + $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order + $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; + $fwdfwsettings{'dnatport'} = $hash{$key}[30]; + $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; + $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; + $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; + $checked{'USE_SRC_PORT'}{$fwdfwsettings{'USE_SRC_PORT'}} = 'CHECKED'; + $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; + $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; + $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; + $checked{'TIME_WED'}{$fwdfwsettings{'TIME_WED'}} = 'CHECKED'; + $checked{'TIME_THU'}{$fwdfwsettings{'TIME_THU'}} = 'CHECKED'; + $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}} = 'CHECKED'; + $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}} = 'CHECKED'; + $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; + $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; + $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; + $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; + $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; + $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; + $selected{'dnat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; + 
$selected{'snat'}{$fwdfwsettings{$fwdfwsettings{'nat'}}} ='selected'; + } + } + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } + }else{ + $fwdfwsettings{'ACTIVE'}='ON'; + $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; + $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; + $fwdfwsettings{'oldgrp1b'}=$fwdfwsettings{$fwdfwsettings{'grp1'}}; + $fwdfwsettings{'oldgrp2a'}=$fwdfwsettings{'grp2'}; + $fwdfwsettings{'oldgrp2b'}=$fwdfwsettings{$fwdfwsettings{'grp2'}}; + $fwdfwsettings{'oldgrp3a'}=$fwdfwsettings{'grp3'}; + $fwdfwsettings{'oldgrp3b'}=$fwdfwsettings{$fwdfwsettings{'grp3'}}; + $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; + $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; + $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + #check if manual ip (source) is orange network + if ($fwdfwsettings{'grp1'} eq 'src_addr'){ + my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $fwdfwsettings{'oldorange'} ='on'; + } + } + } + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw 
addrule'}); + print "<form method='post'>"; + &Header::closebox(); + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); + #------SOURCE------------------------------------------------------- + print<<END; + <table width='100%' border='0'> + <tr><td width='1%'><input type='radio' name='grp1' value='src_addr' checked></td><td width='60%'>$Lang::tr{'fwdfw sourceip'}<input type='TEXT' name='src_addr' value='$fwdfwsettings{'src_addr'}' size='16' maxlength='18' ></td><td width='1%'><input type='radio' name='grp1' id='ipfire_src' value='ipfire_src' $checked{'grp1'}{'ipfire_src'}></td><td><b>Firewall</b></td> +END + print"<td align='right'><select name='ipfire_src' style='width:200px;'>"; + print "<option value='ALL' $selected{'ipfire_src'}{'ALL'}>$Lang::tr{'all'}</option>"; + print "<option value='GREEN' $selected{'ipfire_src'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'}; + print "<option value='ORANGE' $selected{'ipfire_src'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used()); + print "<option value='BLUE' $selected{'ipfire_src'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>" if (&Header::blue_used()); + print "<option value='RED1' $selected{'ipfire_src'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip); + + if (! 
-z "${General::swroot}/ethernet/aliases"){ + foreach my $alias (sort keys %aliases) + { + print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>"; + } + } + print<<END; + </select></td></tr> + <tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table> +END + &gen_dd_block('src','grp1'); + print<<END; + <table><tr><td colspan='8'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table> + <table width='100%' border='0'> + <tr><td width='1%'><input type='checkbox' name='USE_SRC_PORT' value='ON' $checked{'USE_SRC_PORT'}{'ON'}></td><td width='51%' colspan='3'>$Lang::tr{'fwdfw use srcport'}</td> + <td width='15%' nowrap='nowrap'>$Lang::tr{'fwdfw man port'}</td><td><select name='PROT'> +END + foreach ("TCP","UDP","GRE","ESP","AH","ICMP") + { + if ($_ eq $fwdfwsettings{'PROT'}) + { + print"<option selected>$_</option>"; + }else{ + print"<option>$_</option>"; + } + } + $fwdfwsettings{'SRC_PORT'}=~ s/|/,/g; + print<<END; + </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18' ></td></tr> + <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES' style='width:230px;'> +END + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); + print"<option>All ICMP-Types</option>"; + foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) } keys %icmptypes){ + if($fwdfwsettings{'ICMP_TYPES'} eq "$icmptypes{$key}[0]"){ + print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>"; + }else{ + print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>"; + } + } + print<<END; + </select></td></tr></table><br><hr> +END + &Header::closebox(); + + #---TARGET------------------------------------------------------ + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); + print<<END; + <table width='100%' 
border='0'> + <tr><td width='1%'><input type='radio' name='grp2' value='tgt_addr' checked></td><td width='60%' nowrap='nowrap'>$Lang::tr{'fwdfw targetip'}<input type='TEXT' name='tgt_addr' value='$fwdfwsettings{'tgt_addr'}' size='16' maxlength='18'><td width='1%'><input type='radio' name='grp2' id='ipfire' value='ipfire' $checked{'grp2'}{'ipfire'}></td><td><b>Firewall</b></td> +END + print"<td align='right'><select name='ipfire' style='width:200px;'>"; + print "<option value='ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</option>"; + print "<option value='GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'}; + print "<option value='ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used()); + print "<option value='BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used()); + print "<option value='RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'} ($redip)" if ($redip); + if (! 
-z "${General::swroot}/ethernet/aliases"){ + foreach my $alias (sort keys %aliases) + { + print "<option value='$alias' $selected{'ipfire'}{$alias}>$alias</option>"; + } + } + print<<END; + </select></td></tr> + <tr><td colspan='7'><hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; ' /></td></tr></table> +END + &gen_dd_block('tgt','grp2'); + print<<END; + <hr style='border:dotted #BFBFBF; border-width:1px 0 0 0 ; '><br> + <table width='100%' border='0'> + <tr><td width='1%'><input type='checkbox' name='USESRV' value='ON' $checked{'USESRV'}{'ON'} ></td><td width='48%'>$Lang::tr{'fwdfw use srv'}</td><td width='1%'><input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td width='1%' colspan='2'><select name='cust_srv' style='min-width:230px;' > +END + &General::readhasharray("$configsrv", %customservice); + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice){ + print"<option "; + print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]); + print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>"; + } + print<<END; + </select></td></tr> + <tr><td colspan='2'></td><td><input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' $checked{'grp3'}{'cust_srvgrp'}></td><td nowrap='nowrap'>$Lang::tr{'fwhost cust srvgrp'}</td><td colspan='2'><select name='cust_srvgrp' style='min-width:230px;' > +END + &General::readhasharray("$configsrvgrp", %customservicegrp); + my $helper; + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ + if ($helper ne $customservicegrp{$key}[0]){ + print"<option "; + print"selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservicegrp{$key}[0]); + print">$customservicegrp{$key}[0]</option>"; + } + $helper=$customservicegrp{$key}[0]; + } + print<<END; + </select></td></tr> + <tr><td 
colspan='2'></td><td><input type='radio' name='grp3' id='TGT_PORT' value='TGT_PORT' $checked{'grp3'}{'TGT_PORT'}></td><td>$Lang::tr{'fwdfw man port'}</td><td><select name='TGT_PROT' onchange='checkradio(\"#TGT_PORT\")'> +END + foreach ("TCP","UDP","GRE","ESP","AH","ICMP") + { + if ($_ eq $fwdfwsettings{'TGT_PROT'}) + { + print"<option selected>$_</option>"; + }else{ + print"<option>$_</option>"; + } + } + $fwdfwsettings{'TGT_PORT'} =~ s/|/,/g; + print<<END; + </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' onclick='checkradio("#TGT_PORT")'></td></tr> + <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT' style='min-width:230px;'> +END + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); + print"<option>All ICMP-Types</option>"; + foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){ + if($fwdfwsettings{'ICMP_TGT'} eq "$icmptypes{$key}[0]"){ + print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>"; + }else{ + print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>"; + } + } + print<<END; + </select></td></tr> + </table><br><hr> + +END + &Header::closebox; + #---SNAT / DNAT ------------------------------------------------ + &Header::openbox('100%', 'left', 'NAT'); + print<<END; + <table width='100%' border='0'> + <tr><td width='1%'><input type='checkbox' name='USE_NAT' id='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr> + <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='dnat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td> +END + print"<td width='8%'>Firewall: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>"; + print "<option value='ALL' 
$selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>"; + print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>"; + foreach my $alias (sort keys %aliases) + { + print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>"; + } + print"</select></td></tr>"; + $fwdfwsettings{'dnatport'}=~ tr/|/,/; + print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value="$fwdfwsettings{'dnatport'}"> </td></tr>"; + print"<tr><td colspan='8'><br></td></tr>"; + #SNAT + print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' id='snat' value='snat' $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>"; + print"<td width='8%'>Firewall: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>"; + foreach my $alias (sort keys %aliases) + { + print "<option value='$alias' $selected{'snat'}{$alias}>$alias</option>"; + } + foreach my $network (sort keys %defaultNetworks) + { + next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); + next if($defaultNetworks{$network}{'NAME'} eq "ALL"); + next if($defaultNetworks{$network}{'NAME'} =~ /OpenVPN/i); + print "<option value='$defaultNetworks{$network}{'NAME'}'"; + print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'nat'}} eq $defaultNetworks{$network}{'NAME'}); + print ">$network</option>"; + } + print"</select></td></tr></table>"; + print"<hr>"; + &Header::closebox(); + #---Activate/logging/remark------------------------------------- + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw additional'}); + print<<END; + <table width='100%' border='0'> + <tr><td nowrap>$Lang::tr{'fwdfw rule action'}</td><td><select name='RULE_ACTION'> +END + foreach ("ACCEPT","DROP","REJECT") + { + if($fwdfwsettings{'updatefwrule'} eq 'on'){ + print"<option value='$_'"; + print "selected='selected'" if ($fwdfwsettings{'RULE_ACTION'} eq $_); + print">$Lang::tr{'fwdfw 
'.$_}</option>"; + }else{ + if($fwdfwsettings{'POLICY'} eq 'MODE2'){ + $fwdfwsettings{'RULE_ACTION'} = 'DROP'; + } + if ($_ eq $fwdfwsettings{'RULE_ACTION'}) + { + print"<option value='$_' selected>$Lang::tr{'fwdfw '.$_}</option>"; + }else{ + print"<option value='$_'>$Lang::tr{'fwdfw '.$_}</option>"; + } + } + } + print"</select></td></tr>"; + print"<tr><td width='12%'>$Lang::tr{'remark'}:</td><td width='88%' align='left'><input type='text' name='ruleremark' maxlength='255' value='$fwdfwsettings{'ruleremark'}' style='width:99%;'></td></tr>"; + if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on'){ + print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><select name='rulepos' >"; + for (my $count =1; $count <= $sum; $count++){ + print"<option value='$count' "; + print"selected='selected'" if($fwdfwsettings{'oldrulenumber'} eq $count); + print">$count</option>"; + } + print"</select></td></tr>"; + }else{ + print "<tr><td width='12%'>$Lang::tr{'fwdfw rulepos'}:</td><td><input type='text' name='rulepos' size='2'></td></tr>"; + } + + print<<END; + </table><table width='100%'> + <tr><td width='1%'><input type='checkbox' name='ACTIVE' value='ON' $checked{'ACTIVE'}{'ON'}></td><td>$Lang::tr{'fwdfw rule activate'}</td></tr> + <tr><td width='1%'><input type='checkbox' name='LOG' value='ON' $checked{'LOG'}{'ON'} ></td><td>$Lang::tr{'fwdfw log rule'}</td></tr> + </table><br><hr> +END + &Header::closebox(); + #---ADD TIMEFRAME----------------------------------------------- + &Header::openbox('100%', 'left', $Lang::tr{'fwdfw timeframe'}); + print<<END; + <table width='70%' border='0'> + <tr><td width='1%'><input type='checkbox' name='TIME' value='ON' $checked{'TIME'}{'ON'}></td><td colspan='9'>$Lang::tr{'fwdfw timeframe'}</td></tr> + <tr><td colspan='10'> </td></tr> + <tr> + <td align='left'>$Lang::tr{'time'}:</td> + <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} 
$Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td> + <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td> + <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td> + </tr> + <tr> + <td align='right'></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_MON' value='on' $checked{'TIME_MON'}{'on'} /></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_TUE' value='on' $checked{'TIME_TUE'}{'on'} /></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_WED' value='on' $checked{'TIME_WED'}{'on'} /></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_THU' value='on' $checked{'TIME_THU'}{'on'} /></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_FRI' value='on' $checked{'TIME_FRI'}{'on'} /></td> + <td width='1%' align='left'><input type='checkbox' name='TIME_SAT' value='on' $checked{'TIME_SAT'}{'on'} /></td> + <td width='15%' align='left'><input type='checkbox' name='TIME_SUN' value='on' $checked{'TIME_SUN'}{'on'} /></td> + <td><select name='TIME_FROM'> +END + for (my $i=0;$i<=23;$i++) { + $i = sprintf("%02s",$i); + for (my $j=0;$j<=45;$j+=15) { + $j = sprintf("%02s",$j); + my $time = $i.":".$j; + print "\t\t\t\t\t<option $selected{'TIME_FROM'}{$time}>$i:$j</option>\n"; + } + } + print<<END; + </select></td> + <td><select name='TIME_TO'> +END + for (my $i=0;$i<=23;$i++) { + $i = sprintf("%02s",$i); + for (my $j=0;$j<=45;$j+=15) { + $j = sprintf("%02s",$j); + my $time = $i.":".$j; + print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n"; + } + } + print<<END; + </select></td></tr></table><br><hr> +END + #---ACTION------------------------------------------------------ + if($fwdfwsettings{'updatefwrule'} ne 'on'){ + print<<END; + <table border='0' width='100%'> + <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /> + <input type='hidden' name='config' 
value='$config' > + <input type='hidden' name='ACTION' value='saverule' ></form> + <form method='post' style='display:inline;'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='reset'></form></td></tr> + </table> + <br> +END + }else{ + print<<END; + <table border='0' width='100%'> + <tr><td align='right'><input type='submit' value='$Lang::tr{'fwdfw change'}' style='min-width:100px;' /><input type='hidden' name='updatefwrule' value='$fwdfwsettings{'updatefwrule'}'><input type='hidden' name='key' value='$fwdfwsettings{'key'}'> + <input type='hidden' name='oldgrp1a' value='$fwdfwsettings{'oldgrp1a'}' /> + <input type='hidden' name='oldgrp1b' value='$fwdfwsettings{'oldgrp1b'}' /> + <input type='hidden' name='oldgrp2a' value='$fwdfwsettings{'oldgrp2a'}' /> + <input type='hidden' name='oldgrp2b' value='$fwdfwsettings{'oldgrp2b'}' /> + <input type='hidden' name='oldgrp3a' value='$fwdfwsettings{'oldgrp3a'}' /> + <input type='hidden' name='oldgrp3b' value='$fwdfwsettings{'oldgrp3b'}' /> + <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' /> + <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' /> + <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' /> + <input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' /> + <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' /> + <input type='hidden' name='oldnat' value='$fwdfwsettings{'oldnat'}' /> + <input type='hidden' name='oldruletype' value='$fwdfwsettings{'oldruletype'}' /> + <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td> + </table></form> +END + } + &Header::closebox(); +} +sub pos_up +{ + my %uphash=(); + my %tmp=(); + 
&General::readhasharray($fwdfwsettings{'config'}, %uphash); + foreach my $key (sort keys %uphash){ + if ($key eq $fwdfwsettings{'key'}) { + my $last = $key -1; + if (exists $uphash{$last}){ + #save rule last + foreach my $y (0 .. $#{$uphash{$last}}) { + $tmp{0}[$y] = $uphash{$last}[$y]; + } + #copy active rule to last + foreach my $i (0 .. $#{$uphash{$last}}) { + $uphash{$last}[$i] = $uphash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $uphash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + &General::writehasharray($fwdfwsettings{'config'}, %uphash); + &rules; +} +sub pos_down +{ + my %downhash=(); + my %tmp=(); + &General::readhasharray($fwdfwsettings{'config'}, %downhash); + foreach my $key (sort keys %downhash){ + if ($key eq $fwdfwsettings{'key'}) { + my $next = $key + 1; + if (exists $downhash{$next}){ + #save rule next + foreach my $y (0 .. $#{$downhash{$next}}) { + $tmp{0}[$y] = $downhash{$next}[$y]; + } + #copy active rule to next + foreach my $i (0 .. $#{$downhash{$next}}) { + $downhash{$next}[$i] = $downhash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. 
$#{$tmp{0}}) { + $downhash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + &General::writehasharray($fwdfwsettings{'config'}, %downhash); + &rules; +} +sub rules +{ + if (!-f "${General::swroot}/forward/reread"){ + system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); + } +} +sub reread_rules +{ + system("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/forward/reread"){ + system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); + } +} +sub saverule +{ + my $hash=shift; + my $config=shift; + &General::readhasharray("$config", $hash); + if (!$errormessage){ + ################################################################ + #check if we change an INPUT rule to a OUTGOING + if($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW' ){ + &changerule($configinput); + #print"1"; + } + #check if we change an INPUT rule to a FORWARD + elsif($fwdfwsettings{'oldruletype'} eq 'INPUTFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configinput); + #print"2"; + } + ################################################################ + #check if we change an OUTGOING rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'INPUTFW' ){ + &changerule($configoutgoing); + #print"3"; + } + #check if we change an OUTGOING rule to a FORWARD + elsif($fwdfwsettings{'oldruletype'} eq 'OUTGOINGFW' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){ + &changerule($configoutgoing); + #print"4"; + } + ################################################################ + #check if we change a FORWARD rule to an INPUT + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'INPUTFW'){ + &changerule($configfwdfw); + #print"5"; + } + #check if we change a FORWARD rule to an OUTGOING + elsif($fwdfwsettings{'oldruletype'} eq 'FORWARDFW' && $fwdfwsettings{'chain'} eq 'OUTGOINGFW'){ + 
&changerule($configfwdfw); + #print"6"; + } + if ($fwdfwsettings{'updatefwrule'} ne 'on'){ + my $key = &General::findhasharraykey ($hash); + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = $fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; + &General::writehasharray("$config", $hash); + }else{ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if($key eq $fwdfwsettings{'key'}){ + $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; + $$hash{$key}[1] = $fwdfwsettings{'chain'}; + $$hash{$key}[2] = 
$fwdfwsettings{'ACTIVE'}; + $$hash{$key}[3] = $fwdfwsettings{'grp1'}; + $$hash{$key}[4] = $fwdfwsettings{$fwdfwsettings{'grp1'}}; + $$hash{$key}[5] = $fwdfwsettings{'grp2'}; + $$hash{$key}[6] = $fwdfwsettings{$fwdfwsettings{'grp2'}}; + $$hash{$key}[7] = $fwdfwsettings{'USE_SRC_PORT'}; + $$hash{$key}[8] = $fwdfwsettings{'PROT'}; + $$hash{$key}[9] = $fwdfwsettings{'ICMP_TYPES'}; + $$hash{$key}[10] = $fwdfwsettings{'SRC_PORT'}; + $$hash{$key}[11] = $fwdfwsettings{'USESRV'}; + $$hash{$key}[12] = $fwdfwsettings{'TGT_PROT'}; + $$hash{$key}[13] = $fwdfwsettings{'ICMP_TGT'}; + $$hash{$key}[14] = $fwdfwsettings{'grp3'}; + $$hash{$key}[15] = $fwdfwsettings{$fwdfwsettings{'grp3'}}; + $$hash{$key}[16] = $fwdfwsettings{'ruleremark'}; + $$hash{$key}[17] = $fwdfwsettings{'LOG'}; + $$hash{$key}[18] = $fwdfwsettings{'TIME'}; + $$hash{$key}[19] = $fwdfwsettings{'TIME_MON'}; + $$hash{$key}[20] = $fwdfwsettings{'TIME_TUE'}; + $$hash{$key}[21] = $fwdfwsettings{'TIME_WED'}; + $$hash{$key}[22] = $fwdfwsettings{'TIME_THU'}; + $$hash{$key}[23] = $fwdfwsettings{'TIME_FRI'}; + $$hash{$key}[24] = $fwdfwsettings{'TIME_SAT'}; + $$hash{$key}[25] = $fwdfwsettings{'TIME_SUN'}; + $$hash{$key}[26] = $fwdfwsettings{'TIME_FROM'}; + $$hash{$key}[27] = $fwdfwsettings{'TIME_TO'}; + $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'}; + $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; + $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; + $$hash{$key}[31] = $fwdfwsettings{'nat'}; + last; + } + } + } + &General::writehasharray("$config", $hash); + if($fwdfwsettings{'oldrulenumber'} > $fwdfwsettings{'rulepos'}){ + my %tmp=(); + my $val=$fwdfwsettings{'oldrulenumber'}-$fwdfwsettings{'rulepos'}; + for (my $z=0;$z<$val;$z++){ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $last = $key -1; + if (exists $$hash{$last}){ + #save rule last + foreach my $y (0 .. 
$#{$$hash{$last}}) { + $tmp{0}[$y] = $$hash{$last}[$y]; + } + #copy active rule to last + foreach my $i (0 .. $#{$$hash{$last}}) { + $$hash{$last}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. $#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + $fwdfwsettings{'oldrulenumber'}--; + } + &General::writehasharray("$config", $hash); + &rules; + }elsif($fwdfwsettings{'rulepos'} > $fwdfwsettings{'oldrulenumber'}){ + my %tmp=(); + my $val=$fwdfwsettings{'rulepos'}-$fwdfwsettings{'oldrulenumber'}; + for (my $z=0;$z<$val;$z++){ + foreach my $key (sort {$a <=> $b} keys %$hash){ + if ($key eq $fwdfwsettings{'oldrulenumber'}) { + my $next = $key + 1; + if (exists $$hash{$next}){ + #save rule next + foreach my $y (0 .. $#{$$hash{$next}}) { + $tmp{0}[$y] = $$hash{$next}[$y]; + } + #copy active rule to next + foreach my $i (0 .. $#{$$hash{$next}}) { + $$hash{$next}[$i] = $$hash{$key}[$i]; + } + #copy saved rule to actual position + foreach my $x (0 .. 
$#{$tmp{0}}) { + $$hash{$key}[$x] = $tmp{0}[$x]; + } + } + } + } + $fwdfwsettings{'oldrulenumber'}++; + } + &General::writehasharray("$config", $hash); + &rules; + } + } +} +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 255) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zÀöÌA-ZÖÄÜ0-9-.:;|_()/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zÀöÌA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($remark, -1, 1) !~ /^[a-zöÀÌA-ZÖÄÜ0-9.:;_)]*$/) { + return 0;} + return 1; +} +sub viewtablerule +{ + &General::readhash("/var/ipfire/ethernet/settings", %netsettings); + &viewtablenew(%configfwdfw,$configfwdfw,"","Forward" ); + &viewtablenew(%configinputfw,$configinput,"",$Lang::tr{'fwdfw xt access'} ); + &viewtablenew(%configoutgoingfw,$configoutgoing,"","Outgoing" ); +} +sub viewtablenew +{ + my $hash=shift; + my $config=shift; + my $title=shift; + my $title1=shift; + my $go=''; + &General::get_aliases(%aliases); + &General::readhasharray("$confighost", %customhost); + &General::readhasharray("$config", $hash); + &General::readhasharray("$configccdnet", %ccdnet); + &General::readhasharray("$configccdhost", %ccdhost); + if( ! 
-z $config){ + &Header::openbox('100%', 'left',$title); + my $count=0; + my ($gif,$log); + my $ruletype; + my $rulecolor; + my $tooltip; + my @tmpsrc=(); + my $coloryellow=''; + print"<b>$title1</b><br>"; + print"<table width='100%' cellspacing='0' cellpadding='0' border='0'>"; + print"<tr><td align='center'><b>#</b></td><td></td><td align='center' width='25'></td><td align='center'><b>$Lang::tr{'fwdfw source'}</b></td><td width='1%'><b>Log</b></td><td align='center'><b>$Lang::tr{'fwdfw target'}</b></td><td align='center' colspan='6' width='1%'><b>$Lang::tr{'fwdfw action'}</b></td></tr>"; + foreach my $key (sort {$a <=> $b} keys %$hash){ + $tdcolor=''; + @tmpsrc=(); + #check if vpn hosts/nets have been deleted + if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[4]); + } + if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ + push (@tmpsrc,$$hash{$key}[6]); + } + foreach my $host (@tmpsrc){ + if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + } + $$hash{'ACTIVE'}=$$hash{$key}[2]; + $count++; + if($coloryellow eq 'on'){ + print"<tr bgcolor='$color{'color14'}' >"; + $coloryellow=''; + }elsif($coloryellow eq ''){ + if ($count % 2){ + $color="$color{'color22'}"; + } + else{ + 
$color="$color{'color20'}"; + } + } + print"<tr bgcolor='$color' >"; + #KEY + print<<END; + <td align='right' width='18'><b>$key </b></td> +END + #RULETYPE (A,R,D) + if ($$hash{$key}[0] eq 'ACCEPT'){ + $ruletype='A'; + $tooltip='ACCEPT'; + $rulecolor=$color{'color17'}; + }elsif($$hash{$key}[0] eq 'DROP'){ + $ruletype='D'; + $tooltip='DROP'; + $rulecolor=$color{'color25'}; + }elsif($$hash{$key}[0] eq 'REJECT'){ + $ruletype='R'; + $tooltip='REJECT'; + $rulecolor=$color{'color16'}; + } + print"<td bgcolor='$rulecolor' align='center' width='10'><span title='$tooltip'><b>$ruletype</b></span></td>"; + #Get Protocol + my $prot; + if ($$hash{$key}[8] && $$hash{$key}[7] eq 'ON'){#source prot if manual + push (@protocols,$$hash{$key}[8]); + }elsif ($$hash{$key}[12]){ #target prot if manual + push (@protocols,$$hash{$key}[12]); + }elsif($$hash{$key}[14] eq 'cust_srv'){ + &get_serviceports("service",$$hash{$key}[15]); + }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ + &get_serviceports("group",$$hash{$key}[15]); + }else{ + push (@protocols,$Lang::tr{'all'}); + } + my $protz=join(",",@protocols); + print"<td align='center'>$protz</td>"; + @protocols=(); + #SOURCE + my $ipfireiface; + &getcolor($$hash{$key}[3],$$hash{$key}[4],%customhost); + print"<td align='center' width='160' $tdcolor>"; + if ($$hash{$key}[3] eq 'ipfire_src'){ + $ipfireiface='Interface '; + } + if ($$hash{$key}[3] eq 'std_net_src'){ + print &get_name($$hash{$key}[4]); + }elsif ($$hash{$key}[3] eq 'src_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[4]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[4]; + } + }elsif ($$hash{$key}[4] eq 'RED1'){ + print "$ipfireiface $Lang::tr{'fwdfw red'}"; + }else{ + print "$$hash{$key}[4]"; + } + $tdcolor=''; + #SOURCEPORT + &getsrcport(%$hash,$key); + #Is this a SNAT rule? + if ($$hash{$key}[31] eq 'snat' && $$hash{$key}[28] eq 'ON'){ + my $net=&get_name($$hash{$key}[29]); + if ( ! 
$net){ $net=$$hash{$key}[29];} + print"<br>->$net"; + if ($$hash{$key}[30] ne ''){ + print": $$hash{$key}[30]"; + } + } + if ($$hash{$key}[17] eq 'ON'){ + $log="/images/on.gif"; + }else{ + $log="/images/off.gif"; + } + #LOGGING + print<<END; + </td> + <td align='left' width='25'><form method='post'><input type='image' img src='$log' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw togglelog'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'/> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw togglelog'}' /> + </form></td> +END + #TARGET + &getcolor($$hash{$key}[5],$$hash{$key}[6],%customhost); + print<<END; + <td align='center' width='160' $tdcolor> +END + #Is this a DNAT rule? + if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + print "Firewall ($$hash{$key}[29])"; + if($$hash{$key}[30] ne ''){ + $$hash{$key}[30]=~ tr/|/,/; + print": $$hash{$key}[30]"; + } + print"<br>->"; + } + if ($$hash{$key}[5] eq 'ipfire'){ + $ipfireiface='Interface'; + } + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[6] eq 'RED1'){ + print "$ipfireiface $Lang::tr{'red1'}"; + }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL') + { + print "$ipfireiface ".&get_name($$hash{$key}[6]); + }else{ + print $$hash{$key}[6]; + } + }elsif ($$hash{$key}[5] eq 'tgt_addr'){ + my ($split1,$split2) = split("/",$$hash{$key}[6]); + if ($split2 eq '32'){ + print $split1; + }else{ + print $$hash{$key}[6]; + } + }else{ + print "$$hash{$key}[6]"; + } + $tdcolor=''; + #TARGETPORT + &gettgtport(%$hash,$key); + print"</td>"; + #RULE ACTIVE + if($$hash{$key}[2] eq 'ON'){ + $gif="/images/on.gif" + + }else{ + 
$gif="/images/off.gif" + } + print<<END; + <td width='25'><form method='post'><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'fwdfw toggle'}' /> + </form></td> + <td width='25' ><form method='post'><input type='image' img src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'fwdfw edit'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='editrule' /> + </form></td> + <td width='25'><form method='post'><input type='image' img src='/images/addblue.gif' alt='$Lang::tr{'fwdfw copy'}' title='$Lang::tr{'fwdfw copy'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='copyrule' /> + </form></td> + <td width='25' ><form method='post'><input type='image' img src='/images/delete.gif' alt='$Lang::tr{'delete'}' title='$Lang::tr{'fwdfw delete'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='deleterule' /> + </form></td> +END + if (exists $$hash{$key-1}){ + print<<END; + <td width='25'><form method='post'><input type='image' img src='/images/up.gif' alt='$Lang::tr{'fwdfw moveup'}' title='$Lang::tr{'fwdfw moveup'}' style='padding-top: 0px; 
padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='moveup' /> + </form></td> +END + }else{ + print"<td width='25'><input type='image' img src='/images/up.gif' style='visibility:hidden;'></td>"; + } + if (exists $$hash{$key+1}){ + print<<END; + <td width='25' ><form method='post'><input type='image' img src='/images/down.gif' alt='$Lang::tr{'fwdfw movedown'}' title='$Lang::tr{'fwdfw movedown'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;' /> + <input type='hidden' name='key' value='$key' /> + <input type='hidden' name='config' value='$config' /> + <input type='hidden' name='ACTION' value='movedown' /> + </form></td></tr> +END + }else{ + print"<td width='25'><input type='image' img src='/images/down.gif' style='visibility:hidden;'></td></tr>"; + } + #REMARK + if ($optionsfw{'SHOWREMARK'} eq 'on' && $$hash{$key}[16] ne ''){ + print"<tr bgcolor='$color'>"; + print"<td> </td><td bgcolor='$rulecolor'></td><td colspan='10'> $$hash{$key}[16]</td></tr>"; + } + if ($$hash{$key}[18] eq 'ON'){ + #TIMEFRAME + if ($$hash{$key}[18] eq 'ON'){ + my @days=(); + if($$hash{$key}[19] ne ''){push (@days,$Lang::tr{'fwdfw wd_mon'});} + if($$hash{$key}[20] ne ''){push (@days,$Lang::tr{'fwdfw wd_tue'});} + if($$hash{$key}[21] ne ''){push (@days,$Lang::tr{'fwdfw wd_wed'});} + if($$hash{$key}[22] ne ''){push (@days,$Lang::tr{'fwdfw wd_thu'});} + if($$hash{$key}[23] ne ''){push (@days,$Lang::tr{'fwdfw wd_fri'});} + if($$hash{$key}[24] ne ''){push (@days,$Lang::tr{'fwdfw wd_sat'});} + if($$hash{$key}[25] ne ''){push (@days,$Lang::tr{'fwdfw wd_sun'});} + my $weekdays=join(",",@days); + if (@days){ + print"<tr bgcolor='$color'>"; + print"<td> </td><td bgcolor='$rulecolor'></td><td align='left' colspan='10'> $weekdays $$hash{$key}[26] - $$hash{$key}[27] </td></tr>"; 
+ }
+ }
+ }
+ print"<tr bgcolor='FFFFFF'><td colspan='13' height='1'></td></tr>";
+ }
+ print"</table>";
+ #SHOW FINAL RULE
+ print "<table width='100%'rules='cols' border='1'>";
+ my $col;
+ if ($config eq '/var/ipfire/forward/config'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+ }else{
+ $col="bgcolor='green'";
+ }
+ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }else{
+ $col="bgcolor='green'";
+ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF' >$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+ }else{
+ print"<tr><td bgcolor='darkred' width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td bgcolor='darkred' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table>";
+ print "<hr>";
+ print "<br><br>";
+ &Header::closebox();
+ }else{
+ if ($optionsfw{'SHOWTABLES'} eq 'on'){
+ print "<b>$title1</b><br>";
+ print"<table width='100%' border='0' rules='none'><tr><td height='30' bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost empty'}</td></tr></table>";
+ my $col;
+ if ($config eq '/var/ipfire/forward/config'){
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
+ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+ }else{
+ $col="bgcolor='green'";
+ }
+ &show_defaultrules($col,$pol);
+ }elsif ($config eq '/var/ipfire/forward/outgoing'){
+ print "<table width='100%' rules='cols' border='1'>";
+ my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
+ if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
+ $col="bgcolor='darkred'";
+ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }else{
+ $col="bgcolor='green'";
+ print"<tr><td $col align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }
+ }else{
+ print "<table width='100%' rules='cols' border='1'>";
+ print"<tr><td bgcolor='darkred' align='center' width='20%'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td align='center' bgcolor='darkred'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+ print"</table><br><br>";
+ }
+ }
+}
+&Header::closebigbox();
+&Header::closepage();
+
+sub show_defaultrules
+{
+ my $col=shift;
+ my $pol=shift;
+ #STANDARD RULES (From WIKI)
+ print"</table>";
+ if ($col eq "bgcolor='green'"){
+ print "<br><table width='100%' rules='cols' border='1' >";
+ my $blue = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::blue_used());
+ my $orange = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'})" if (&Header::orange_used());
+ my $blue1 = "<font color=$Header::colourblue> $Lang::tr{'blue'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::blue_used());
+ my $orange1 = "<font color=$Header::colourorange> $Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol allow'})" if (&Header::orange_used());
+ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'green'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
+ print"<td align='center'>$orange1</td>" if (&Header::orange_used());
+ print"<td align='center'>$blue1</td>" if (&Header::blue_used());
+ print"</tr>";
+ if (&Header::orange_used()){
+ print"<tr><td align='center' width='20%'><font color='#000000'>$Lang::tr{'orange'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td><td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
+ print"<td align='center'>$blue</td>" if (&Header::blue_used());
+ print"</tr>";
+ }
+ if (&Header::blue_used()){
+ print"<tr><td align='center'><font color='#000000'>$Lang::tr{'blue'}</td><td align='center'> <font color=$Header::colourred> $Lang::tr{'red'}</font> ($Lang::tr{'fwdfw pol allow'})</td>";
+ print"<td align='center'>$orange</td>" if (&Header::orange_used());
+ print"<td align='center'><font color=$Header::colourgreen> $Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'})</td>";
+ print"</tr>";
+ }
+ print"<tr><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'} </font></td><td $col colspan='3' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol allow'}</font></td></tr>";
+ }elsif($col eq "bgcolor='darkred'"){
+ print "<table width='100%' rules='cols' border='1' >";
+ print"<tr><td $col width='20%' align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font color='#FFFFFF'>$Lang::tr{'fwdfw pol block'}</font></td></tr>";
+ }
+}
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
new file mode 100755
index 0000000..7ed27c4
--- /dev/null
+++ b/html/cgi-bin/fwhosts.cgi
@@ -0,0 +1,2198 @@
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 Alexander Marx amarx@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+use strict;
+
+# enable only the following on debugging purpose
+use warnings;
+use Sort::Naturally;
+use CGI::Carp 'fatalsToBrowser';
+no warnings 'uninitialized';
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+my %fwhostsettings=();
+my %customnetwork=();
+my %customhost=();
+my %customgrp=();
+my %customservice=();
+my %customservicegrp=();
+my %ccdnet=();
+my %ccdhost=();
+my %ipsecconf=();
+my %icmptypes=();
+my %color=();
+my %defaultNetworks=();
+my %mainsettings=();
+my %ownnet=();
+my %ipsecsettings=();
+my %fwfwd=();
+my %fwinp=();
+my %ovpnsettings=();
+my %ipsecconf=();
+my %ipsecsettings=();
+
+my $errormessage;
+my $hint;
+my $update=0;
+my $confignet = "${General::swroot}/fwhosts/customnetworks";
+my $confighost = "${General::swroot}/fwhosts/customhosts";
+my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
+my $configccdhost = 
"${General::swroot}/ovpn/ovpnconfig";
+my $configipsec = "${General::swroot}/vpn/config";
+my $configsrv = "${General::swroot}/fwhosts/customservices";
+my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
+my $fwconfigfwd = "${General::swroot}/forward/config";
+my $fwconfiginp = "${General::swroot}/forward/input";
+my $configovpn = "${General::swroot}/ovpn/settings";
+my $tdcolor='';
+my $configipsec = "${General::swroot}/vpn/config";
+my $configipsecrw = "${General::swroot}/vpn/settings";
+
+unless (-e $confignet) { system("touch $confignet"); }
+unless (-e $confighost) { system("touch $confighost"); }
+unless (-e $configgrp) { system("touch $configgrp"); }
+unless (-e $configsrv) { system("touch $configsrv"); }
+unless (-e $configsrvgrp) { system("touch $configsrvgrp"); }
+
+&General::readhash("${General::swroot}/main/settings", %mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color);
+&General::readhash("${General::swroot}/ethernet/settings", %ownnet);
+&General::readhash("$configovpn", %ovpnsettings);
+&General::readhasharray("$configipsec", %ipsecconf);
+&General::readhash("$configipsecrw", %ipsecsettings);
+
+&Header::getcgihash(%fwhostsettings);
+
+&Header::showhttpheaders();
+&Header::openpage($Lang::tr{'fwhost hosts'}, 1, '');
+&Header::openbigbox('100%', 'center');
+
+#### JAVA SCRIPT ####
+print<<END;
+<script>
+ $(document).ready(function() {
+ // Automatically select radio buttons when corresponding
+ // dropdown menu changes. 
+ $("select").change(function() {
+ var id = $(this).attr("name");
+ //When using SNAT or DNAT, check "USE NAT" Checkbox
+ if ( id === 'snat' || id === 'dnat') {
+ $('#USE_NAT').prop('checked', true);
+ }
+ $('#' + id).prop("checked", true);
+ });
+ });
+</script>
+END
+
+## ACTION ####
+if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'})
+{
+ &reread_rules;
+ &showmenu;
+}
+# Update
+if ($fwhostsettings{'ACTION'} eq 'updatenet' )
+{
+ &General::readhasharray("$confignet", %customnetwork);
+ foreach my $key (keys %customnetwork)
+ {
+ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'})
+ {
+ $fwhostsettings{'orgname'} = $customnetwork{$key}[0];
+ $fwhostsettings{'orgip'} = $customnetwork{$key}[1];
+ $fwhostsettings{'orgsub'} = $customnetwork{$key}[2];
+ $fwhostsettings{'netremark'} = $customnetwork{$key}[3];
+ $fwhostsettings{'count'} = $customnetwork{$key}[4];
+ delete $customnetwork{$key};
+
+ }
+ }
+ &General::writehasharray("$confignet", %customnetwork);
+ $fwhostsettings{'actualize'} = 'on';
+ $fwhostsettings{'ACTION'} = 'savenet';
+}
+if ($fwhostsettings{'ACTION'} eq 'updatehost')
+{
+ my ($ip,$subnet);
+ &General::readhasharray("$confighost", %customhost);
+ foreach my $key (keys %customhost)
+ {
+ if($customhost{$key}[0] eq $fwhostsettings{'orgname'})
+ {
+ if ($customhost{$key}[1] eq 'ip'){
+ ($ip,$subnet) = split (///,$customhost{$key}[2]);
+ }else{
+ $ip = $customhost{$key}[2];
+ }
+ $fwhostsettings{'orgip'} = $ip;
+ $fwhostsettings{'count'} = $customhost{$key}[4];
+ delete $customhost{$key};
+ &General::writehasharray("$confighost", %customhost);
+ }
+ }
+ $fwhostsettings{'actualize'} = 'on';
+ if($fwhostsettings{'orgip'}){
+ $fwhostsettings{'ACTION'} = 'savehost';
+ }else{
+ $fwhostsettings{'ACTION'} = $Lang::tr{'fwhost newhost'};
+ }
+}
+if ($fwhostsettings{'ACTION'} eq 'updateservice')
+{
+ my $count=0;
+ my $needrules=0;
+ $errormessage=&checkports(%customservice);
+ if (!$errormessage){
+ &General::readhasharray("$configsrv", 
%customservice);
+ foreach my $key (keys %customservice)
+ {
+ if ($customservice{$key}[0] eq $fwhostsettings{'oldsrvname'})
+ {
+ $count=$customservice{$key}[4];
+ delete $customservice{$key};
+ &General::writehasharray("$configsrv", %customservice);
+ last;
+ }
+ }
+ if ($fwhostsettings{'PROT'} ne 'ICMP'){
+ $fwhostsettings{'ICMP_TYPES'}='BLANK';
+ }
+ my $key1 = &General::findhasharraykey(%customservice);
+ foreach my $i (0 .. 4) { $customservice{$key1}[$i] = "";}
+ $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'};
+ $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'};
+ $customservice{$key1}[2] = $fwhostsettings{'PROT'};
+ $customservice{$key1}[3] = $fwhostsettings{'ICMP_TYPES'};
+ $customservice{$key1}[4] = $count;
+ &General::writehasharray("$configsrv", %customservice);
+ #check if we need to update firewallrules
+ if ($fwhostsettings{'SRV_NAME'} ne $fwhostsettings{'oldsrvname'}){
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", %fwfwd);
+ foreach my $key (sort keys %fwfwd){
+ if ($fwfwd{$key}[15] eq $fwhostsettings{'oldsrvname'}){
+ $fwfwd{$key}[15] = $fwhostsettings{'SRV_NAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", %fwfwd);
+ }
+ if ( ! 
-z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", %fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[15] eq $fwhostsettings{'oldsrvname'}){
+ $fwfwd{$line}[15] = $fwhostsettings{'SRV_NAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", %fwinp);
+ }
+ #check if we need to update groups
+ &General::readhasharray("$configsrvgrp", %customservicegrp);
+ foreach my $key (sort keys %customservicegrp){
+ if($customservicegrp{$key}[2] eq $fwhostsettings{'oldsrvname'}){
+ $customservicegrp{$key}[2] = $fwhostsettings{'SRV_NAME'};
+ }
+ }
+ &General::writehasharray("$configsrvgrp", %customservicegrp);
+ $needrules='on';
+ }
+ if($count gt 0 && $fwhostsettings{'oldsrvport'} ne $fwhostsettings{'SRV_PORT'} ){
+ $needrules='on';
+ }
+ if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
+ $needrules='on';
+ }
+ $fwhostsettings{'SRV_NAME'} = '';
+ $fwhostsettings{'SRV_PORT'} = '';
+ $fwhostsettings{'PROT'} = '';
+ }else{
+ $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'};
+ $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'};
+ $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'};
+ $fwhostsettings{'updatesrv'}= 'on';
+ }
+ if($needrules eq 'on'){
+ &rules;
+ }
+ &addservice;
+}
+# save
+if ($fwhostsettings{'ACTION'} eq 'savenet' )
+{
+ my $count=0;
+ my $needrules=0;
+ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
+ #check if all fields are set
+ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
+ &addnet;
+ &viewtablenet;
+ }else{
+ #check valid ip
+ if (!&General::validipandmask($fwhostsettings{'IP'}."/".$fwhostsettings{'SUBNET'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err addr'};
+ $fwhostsettings{'BLK_HOST'} ='readonly';
+ $fwhostsettings{'NOCHECK'} ='false';
+ $fwhostsettings{'error'} ='on';
+ }
+ #check remark
+ if 
($fwhostsettings{'NETREMARK'} ne '' && !&validremark($fwhostsettings{'NETREMARK'})){
+ $errormessage=$Lang::tr{'fwhost err remark'};
+ $fwhostsettings{'error'} ='on';
+ }
+ #check if subnet is sigle host
+ if(&General::iporsubtocidr($fwhostsettings{'SUBNET'}) eq '32')
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'};
+ }
+ if($fwhostsettings{'error'} ne 'on'){
+ #check if we use one of ipfire's networks (green,orange,blue)
+ if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'ccd err green'}."<br>";
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
+ }
+ if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."<br>";
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
+ }
+ if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."<br>";
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';}
+ }
+ if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($fwhostsettings{'IP'},$ownnet{'RED_NETADDRESS'},$ownnet{'RED_NETMASK'}))
+ {
+ $errormessage=$errormessage.$Lang::tr{'ccd err red'}."<br>";
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ if ($fwhostsettings{'update'} eq 
'on'){$fwhostsettings{'ACTION'}='editnet';}
+ }
+ }
+ #only check plausi when no error till now
+ if (!$errormessage){
+ &plausicheck("editnet");
+ }
+ #check if network ip is part of an already used one
+ if(&checksubnet(%customnetwork))
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'};
+ $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'};
+ }
+ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage)
+ {
+ $fwhostsettings{'actualize'} = '';
+ my $key = &General::findhasharraykey (%customnetwork);
+ foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";}
+ $customnetwork{$key}[0] = $fwhostsettings{'orgname'} ;
+ $customnetwork{$key}[1] = $fwhostsettings{'orgip'} ;
+ $customnetwork{$key}[2] = $fwhostsettings{'orgsub'};
+ $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'};
+ $customnetwork{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confignet", %customnetwork);
+ undef %customnetwork;
+ }
+ if (!$errormessage){
+
+ &General::readhasharray("$confignet", %customnetwork);
+ if ($fwhostsettings{'ACTION'} eq 'updatenet'){
+ if ($fwhostsettings{'update'} == '0'){
+ foreach my $key (keys %customnetwork) {
+ if($customnetwork{$key}[0] eq $fwhostsettings{'orgname'}){
+ $count=$customnetwork{$key}[4];
+ delete $customnetwork{$key};
+ last;
+ }
+ }
+ }
+ }
+ #get count if actualize is 'on'
+ if($fwhostsettings{'actualize'} eq 'on'){
+ $fwhostsettings{'actualize'} = '';
+ $count=$fwhostsettings{'count'};
+ #check if we need to reload rules
+ if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0'){
+ $needrules='on';
+ }
+ if ($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){
+ #check if we need to update groups
+ &General::readhasharray("$configgrp", %customgrp);
+ foreach my $key (sort keys %customgrp){
+ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){
+ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'};
+ last;
+ }
+ }
+ 
&General::writehasharray("$configgrp", %customgrp);
+ #check if we need to update firewallrules
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", %fwfwd);
+ foreach my $line (sort keys %fwfwd){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", %fwfwd);
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", %fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", %fwinp);
+ }
+ }
+ }
+ my $key = &General::findhasharraykey (%customnetwork);
+ foreach my $i (0 .. 4) { $customnetwork{$key}[$i] = "";}
+ $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'});
+ $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'};
+ #convert ip when leading '0' in byte
+ $fwhostsettings{'IP'} =&General::ip2dec($fwhostsettings{'IP'});
+ $fwhostsettings{'IP'} =&General::dec2ip($fwhostsettings{'IP'});
+ $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ;
+ $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ;
+ if($fwhostsettings{'newnet'} eq 'on'){$count=0;}
+ $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'};
+ $customnetwork{$key}[4] = $count;
+ &General::writehasharray("$confignet", %customnetwork);
+ $fwhostsettings{'IP'}=$fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ undef %customnetwork;
+ $fwhostsettings{'HOSTNAME'}='';
+ $fwhostsettings{'IP'}='';
+ $fwhostsettings{'SUBNET'}='';
+ $fwhostsettings{'NETREMARK'}='';
+ #check if an edited net affected groups and need to reload rules
+ if ($needrules eq 'on'){
+ &rules;
+ }
+ &addnet;
+ &viewtablenet;
+ }else {
+ 
&addnet;
+ &viewtablenet;
+ }
+ }
+}
+if ($fwhostsettings{'ACTION'} eq 'savehost')
+{
+ my $count=0;
+ my $needrules=0;
+ if ($fwhostsettings{'orgname'} eq ''){$fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'};}
+ $fwhostsettings{'SUBNET'}='32';
+ #check if all fields are set
+ if ($fwhostsettings{'HOSTNAME'} eq '' || $fwhostsettings{'IP'} eq '' || $fwhostsettings{'SUBNET'} eq '')
+ {
+ $errormessage=$errormessage.$Lang::tr{'fwhost err empty'};
+ $fwhostsettings{'ACTION'} = 'edithost';
+ }else{
+ if($fwhostsettings{'IP'}=~/^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$/){
+ $fwhostsettings{'type'} = 'mac';
+ }elsif($fwhostsettings{'IP'}=~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){
+ $fwhostsettings{'type'} = 'ip';
+ }else{
+ $fwhostsettings{'type'} = '';
+ $errormessage=$Lang::tr{'fwhost err ipmac'};
+ }
+ #check remark
+ if ($fwhostsettings{'HOSTREMARK'} ne '' && !&validremark($fwhostsettings{'HOSTREMARK'})){
+ $errormessage=$Lang::tr{'fwhost err remark'};
+ }
+ #CHECK IP-PART
+ if ($fwhostsettings{'type'} eq 'ip'){
+ #check for subnet
+ if (rindex($fwhostsettings{'IP'},'/') eq '-1' ){
+ if($fwhostsettings{'type'} eq 'ip' && !&General::validipandmask($fwhostsettings{'IP'}."/32"))
+ {
+ $errormessage.=$errormessage.$Lang::tr{'fwhost err ip'};
+ $fwhostsettings{'error'}='on';
+ }
+ }elsif(rindex($fwhostsettings{'IP'},'/') ne '-1' ){
+ $errormessage=$errormessage.$Lang::tr{'fwhost err ipwithsub'};
+ $fwhostsettings{'error'}='on';
+ }
+ #check if net or broadcast
+ my @tmp= split (/./,$fwhostsettings{'IP'});
+ if (($tmp[3] eq "0") || ($tmp[3] eq "255")){
+ $errormessage=$Lang::tr{'fwhost err hostip'};
+ }
+ }
+ #only check plausi when no error till now
+ if (!$errormessage){
+ &plausicheck("edithost");
+ }
+ if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newhost'} ne 'on' && $errormessage){
+ $fwhostsettings{'actualize'} = '';
+ my $key = &General::findhasharraykey (%customhost);
+ foreach my $i (0 .. 
4) { $customhost{$key}[$i] = "";}
+ $customhost{$key}[0] = $fwhostsettings{'orgname'} ;
+ $customhost{$key}[1] = $fwhostsettings{'type'} ;
+ if($customhost{$key}[1] eq 'ip'){
+ $customhost{$key}[2] = $fwhostsettings{'orgip'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ }else{
+ $customhost{$key}[2] = $fwhostsettings{'orgip'};
+ }
+ $customhost{$key}[3] = $fwhostsettings{'orgremark'};
+ $customhost{$key}[4] = $fwhostsettings{'count'};
+ &General::writehasharray("$confighost", %customhost);
+ undef %customhost;
+ }
+ if (!$errormessage){
+ #get count if host was edited
+ if($fwhostsettings{'actualize'} eq 'on'){
+ $count=$fwhostsettings{'count'};
+ if($fwhostsettings{'orgip'} ne $fwhostsettings{'IP'} && $count gt '0' ){
+ $needrules='on';
+ }
+ if($fwhostsettings{'orgname'} ne $fwhostsettings{'HOSTNAME'}){
+ #check if we need to update groups
+ &General::readhasharray("$configgrp", %customgrp);
+ foreach my $key (sort keys %customgrp){
+ if($customgrp{$key}[2] eq $fwhostsettings{'orgname'}){
+ $customgrp{$key}[2]=$fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$configgrp", %customgrp);
+ #check if we need to update firewallrules
+ if ( ! -z $fwconfigfwd ){
+ &General::readhasharray("$fwconfigfwd", %fwfwd);
+ foreach my $line (sort keys %fwfwd){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ if ($fwfwd{$line}[6] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[6] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfigfwd", %fwfwd);
+ }
+ if ( ! -z $fwconfiginp ){
+ &General::readhasharray("$fwconfiginp", %fwinp);
+ foreach my $line (sort keys %fwinp){
+ if ($fwfwd{$line}[4] eq $fwhostsettings{'orgname'}){
+ $fwfwd{$line}[4] = $fwhostsettings{'HOSTNAME'};
+ }
+ }
+ &General::writehasharray("$fwconfiginp", %fwinp);
+ }
+ }
+ }
+ my $key = &General::findhasharraykey (%customhost);
+ foreach my $i (0 .. 
4) { $customhost{$key}[$i] = "";}
+ $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ;
+ $customhost{$key}[1] = $fwhostsettings{'type'} ;
+ if ($fwhostsettings{'type'} eq 'ip'){
+ #convert ip when leading '0' in byte
+ $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'});
+ $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'});
+ $customhost{$key}[2] = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'});
+ }else{
+ $customhost{$key}[2] = $fwhostsettings{'IP'};
+ }
+ if($fwhostsettings{'newhost'} eq 'on'){$count=0;}
+ $customhost{$key}[3] = $fwhostsettings{'HOSTREMARK'};
+ $customhost{$key}[4] =$count;
+ &General::writehasharray("$confighost", %customhost);
+ undef %customhost;
+ $fwhostsettings{'HOSTNAME'}='';
+ $fwhostsettings{'IP'}='';
+ $fwhostsettings{'type'}='';
+ $fwhostsettings{'HOSTREMARK'}='';
+ #check if we need to update rules while host was edited
+ if($needrules eq 'on'){
+ &rules;
+ }
+ &addhost;
+ &viewtablehost;
+ }else{
+ &addhost;
+ &viewtablehost;
+ }
+ }
+}
+if ($fwhostsettings{'ACTION'} eq 'savegrp')
+{
+ my $grp=$fwhostsettings{'grp_name'};;
+ my $rem=$fwhostsettings{'remark'};
+ my $count;
+ my $type;
+ my $updcounter='off';
+ my @target;
+ my @newgrp;
+ &General::readhasharray("$configgrp", %customgrp);
+ &General::readhasharray("$confignet", %customnetwork);
+ &General::readhasharray("$confighost", %customhost);
+ #check name
+ if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};}
+ #check existing name
+ if (!checkgroup(%customgrp,$grp) && $fwhostsettings{'update'} ne 'on'){$errormessage.=$Lang::tr{'fwhost err grpexist'};}
+ #check remark
+ if ($rem ne '' && !&validremark($rem) && $fwhostsettings{'update'} ne 'on'){
+ $errormessage.=$Lang::tr{'fwhost err remark'};
+ }
+ if ($fwhostsettings{'update'} eq 'on'){
+ #check standard networks
+ if ($fwhostsettings{'grp2'} eq 'std_net'){
+ @target=$fwhostsettings{'DEFAULT_SRC_ADR'};
+ $type='Standard Network';
+ }
+ #check custom 
networks
+ if ($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} ne ''){
+ @target=$fwhostsettings{'CUST_SRC_NET'};
+ $updcounter='net';
+ $type='Custom Network';
+ }elsif($fwhostsettings{'grp2'} eq 'cust_net' && $fwhostsettings{'CUST_SRC_NET'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+ #check custom addresses
+ if ($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} ne ''){
+ @target=$fwhostsettings{'CUST_SRC_HOST'};
+ $updcounter='host';
+ $type='Custom Host';
+ }elsif($fwhostsettings{'grp2'} eq 'cust_host' && $fwhostsettings{'CUST_SRC_HOST'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'}."<br>";
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+ #get address from ovpn ccd static net
+ if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
+ @target=$fwhostsettings{'OVPN_CCD_NET'};
+ $type='OpenVPN static network';
+ }elsif($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'};
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+ #get address from ovpn ccd static host
+ if ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} ne ''){
+ @target=$fwhostsettings{'OVPN_CCD_HOST'};
+ $type='OpenVPN static host';
+ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_host' && $fwhostsettings{'OVPN_CCD_HOST'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'};
+ }
+ #get address from ovpn ccd Net-2-Net
+ if ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} ne ''){
+ @target=$fwhostsettings{'OVPN_N2N'};
+ $type='OpenVPN N-2-N';
+ }elsif ($fwhostsettings{'grp2'} eq 'ovpn_n2n' && $fwhostsettings{'OVPN_N2N'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'};
+ $fwhostsettings{'grp_name'}='';
+ $fwhostsettings{'remark'}='';
+ }
+ 
#get address from IPSEC HOST + if ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} ne ''){ + @target=$fwhostsettings{'IPSEC_HOST'}; + $type='IpSec Host'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_host' && $fwhostsettings{'IPSEC_HOST'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #get address from IPSEC NETWORK + if ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} ne ''){ + @target=$fwhostsettings{'IPSEC_NET'}; + $type='IpSec Network'; + }elsif ($fwhostsettings{'grp2'} eq 'ipsec_net' && $fwhostsettings{'IPSEC_NET'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + $fwhostsettings{'grp_name'}=''; + $fwhostsettings{'remark'}=''; + } + #check if host/net exists in grp + + my $test="$grp,$fwhostsettings{'oldremark'},@target"; + foreach my $key (keys %customgrp) { + my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]"; + if ($test1 eq $test){ + $errormessage=$Lang::tr{'fwhost err isingrp'}; + $fwhostsettings{'update'} = 'on'; + } + } + } + + if (!$errormessage){ + #on first save, we have an empty @target, so fill it with nothing + my $targetvalues=@target; + if ($targetvalues == '0'){ + @target="none"; + } + #on update, we have to delete the dummy entry + foreach my $key (keys %customgrp){ + if ($customgrp{$key}[0] eq $grp && $customgrp{$key}[2] eq "none"){ + delete $customgrp{$key}; + last; + } + } + &General::writehasharray("$configgrp", %customgrp); + &General::readhasharray("$configgrp", %customgrp); + #get count used + foreach my $key (keys %customgrp) + { + if($customgrp{$key}[0] eq $grp) + { + $count=$customgrp{$key}[4]; + last; + } + } + if ($count eq '' ){$count='0';} + + #create array with new lines + foreach my $line (@target){ + push (@newgrp,"$grp,$rem,$line"); + } + #append new entries + my $key = &General::findhasharraykey (%customgrp); + foreach my $line (@newgrp){ + foreach my $i (0 .. 
4) { $customgrp{$key}[$i] = "";} + my ($a,$b,$c,$d) = split (",",$line); + $customgrp{$key}[0] = $a; + $customgrp{$key}[1] = $b; + $customgrp{$key}[2] = $c; + $customgrp{$key}[3] = $type; + $customgrp{$key}[4] = $count; + } + &General::writehasharray("$configgrp", %customgrp); + #update counter in Host/Net + if($updcounter eq 'net'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $fwhostsettings{'CUST_SRC_NET'}){ + $customnetwork{$key}[4] = $customnetwork{$key}[4]+1; + last; + } + } + &General::writehasharray("$confignet", %customnetwork); + }elsif($updcounter eq 'host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $fwhostsettings{'CUST_SRC_HOST'}){ + $customhost{$key}[4]=$customhost{$key}[4]+1; + } + } + &General::writehasharray("$confighost", %customhost); + } + $fwhostsettings{'update'}='on'; + } + #check if ruleupdate is needed + if($count > 0 ) + { + &rules; + } + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'saveservice') +{ + my $ICMP; + &General::readhasharray("$configsrv", %customservice ); + $errormessage=&checkports(%customservice); + if ($fwhostsettings{'PROT'} eq 'ICMP'){ + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); + foreach my $key (keys %icmptypes){ + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){ + $ICMP=$icmptypes{$key}[0]; + } + } + } + if($ICMP eq ''){$ICMP='BLANK';} + if (!$errormessage){ + my $key = &General::findhasharraykey (%customservice); + foreach my $i (0 .. 
4) { $customservice{$key}[$i] = "";} + $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'}; + $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'}; + $customservice{$key}[2] = $fwhostsettings{'PROT'}; + $customservice{$key}[3] = $ICMP; + $customservice{$key}[4] = 0; + &General::writehasharray("$configsrv", %customservice ); + #reset fields + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + $fwhostsettings{'ICMP_TYPES'}=''; + } + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') +{ + my $prot; + my $port; + my $count=0; + &General::readhasharray("$configsrvgrp", %customservicegrp ); + &General::readhasharray("$configsrv", %customservice ); + $errormessage=&checkservicegroup; + #check remark + if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){ + $errormessage=$Lang::tr{'fwhost err remark'}; + } + if (!$errormessage){ + #on first save, we have to enter a dummy value + if ($fwhostsettings{'CUST_SRV'} eq ''){ + $fwhostsettings{'CUST_SRV'}='none'; + } + #on update, we have to delete the dummy entry + foreach my $key (keys %customservicegrp){ + if ($customservicegrp{$key}[2] eq 'none'){ + delete $customservicegrp{$key}; + last; + } + } + &General::writehasharray("$configsrvgrp", %customservicegrp ); + #check if remark has also changed + if ($fwhostsettings{'SRVGRP_REMARK'} ne $fwhostsettings{'oldsrvgrpremark'} && $fwhostsettings{'updatesrvgrp'} eq 'on') + { + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvgrpremark'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'SRVGRP_REMARK'}; + } + } + } + #get count used + foreach my $key (keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + $count=$customservicegrp{$key}[3]; + last; + } + } + if ($count eq '' 
){$count='0';} + + foreach my $key (sort keys %customservice){ + if($customservice{$key}[0] eq $fwhostsettings{'CUST_SRV'}){ + $port=$customservice{$key}[1]; + $prot=$customservice{$key}[2]; + $customservice{$key}[4]++; + } + } + &General::writehasharray("$configsrv", %customservice ); + my $key = &General::findhasharraykey (%customservicegrp); + foreach my $i (0 .. 3) { $customservice{$key}[$i] = "";} + $customservicegrp{$key}[0] = $fwhostsettings{'SRVGRP_NAME'}; + $customservicegrp{$key}[1] = $fwhostsettings{'SRVGRP_REMARK'}; + $customservicegrp{$key}[2] = $fwhostsettings{'CUST_SRV'}; + $customservicegrp{$key}[3] = $count; + &General::writehasharray("$configsrvgrp", %customservicegrp ); + $fwhostsettings{'updatesrvgrp'}='on'; + } + if ($count gt 0){ + &rules; + } + &addservicegrp; + &viewtableservicegrp; +} +# edit +if ($fwhostsettings{'ACTION'} eq 'editnet') +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'edithost') +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq 'editgrp') +{ + $fwhostsettings{'update'}='on'; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'editservice') +{ + $fwhostsettings{'updatesrv'}='on'; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'editservicegrp') +{ + $fwhostsettings{'updatesrvgrp'} = 'on'; + &addservicegrp; + &viewtableservicegrp; +} +# reset +if ($fwhostsettings{'ACTION'} eq 'resetnet') +{ + $fwhostsettings{'HOSTNAME'} =""; + $fwhostsettings{'IP'} =""; + $fwhostsettings{'SUBNET'} =""; + &showmenu; +} +if ($fwhostsettings{'ACTION'} eq 'resethost') +{ + $fwhostsettings{'HOSTNAME'} =""; + $fwhostsettings{'IP'} =""; + $fwhostsettings{'type'} =""; + &showmenu; +} +if ($fwhostsettings{'ACTION'} eq 'resetgrp') +{ + $fwhostsettings{'grp_name'} =""; + $fwhostsettings{'remark'} =""; + &showmenu; +} +# delete +if ($fwhostsettings{'ACTION'} eq 'delnet') +{ + &General::readhasharray("$confignet", %customnetwork); + foreach my $key (keys %customnetwork) { + 
if($fwhostsettings{'key'} eq $customnetwork{$key}[0]){ + delete $customnetwork{$key}; + &General::writehasharray("$confignet", %customnetwork); + last; + } + } + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq 'delhost') +{ + &General::readhasharray("$confighost", %customhost); + foreach my $key (keys %customhost) { + if($fwhostsettings{'key'} eq $customhost{$key}[0]){ + delete $customhost{$key}; + &General::writehasharray("$confighost", %customhost); + last; + } + } + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq 'deletegrphost') +{ + my $grpremark; + my $grpname; + &General::readhasharray("$configgrp", %customgrp); + foreach my $key (keys %customgrp){ + if($customgrp{$key}[0].",".$customgrp{$key}[1].",".$customgrp{$key}[2].",".$customgrp{$key}[3] eq $fwhostsettings{'delhost'}){ + #decrease count from source host/net + if ($customgrp{$key}[3] eq 'Custom Network'){ + &General::readhasharray("$confignet", %customnetwork); + foreach my $key1 (keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1; + last; + } + } + &General::writehasharray("$confignet", %customnetwork); + } + if ($customgrp{$key}[3] eq 'Custom Host'){ + &General::readhasharray("$confighost", %customhost); + foreach my $key1 (keys %customhost){ + if ($customhost{$key1}[0] eq $customgrp{$key}[2]){ + $customhost{$key1}[4] = $customhost{$key1}[4]-1; + last; + } + } + &General::writehasharray("$confighost", %customhost); + } + $grpname=$customgrp{$key}[0]; + $grpremark=$customgrp{$key}[1]; + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", %customgrp); + if ($fwhostsettings{'grpcnt'} > 0){&rules;} + if ($fwhostsettings{'update'} eq 'on'){ + $fwhostsettings{'remark'}= $grpremark; + $fwhostsettings{'grp_name'}=$grpname; + } + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrp') +{ + &General::readhasharray("$configgrp", %customgrp); + 
&decrease($fwhostsettings{'grp_name'}); + foreach my $key (sort keys %customgrp) + { + if($customgrp{$key}[0] eq $fwhostsettings{'grp_name'}) + { + delete $customgrp{$key}; + } + } + &General::writehasharray("$configgrp", %customgrp); + $fwhostsettings{'grp_name'}=''; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delservice') +{ + &General::readhasharray("$configsrv", %customservice); + foreach my $key (keys %customservice) { + if($customservice{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + #&deletefromgrp($customhost{$key}[0],$configgrp); + delete $customservice{$key}; + &General::writehasharray("$configsrv", %customservice); + last; + } + } + $fwhostsettings{'SRV_NAME'}=''; + $fwhostsettings{'SRV_PORT'}=''; + $fwhostsettings{'PROT'}=''; + &addservice; +} +if ($fwhostsettings{'ACTION'} eq 'delservicegrp') +{ + &General::readhasharray("$configsrvgrp", %customservicegrp); + &decreaseservice($fwhostsettings{'SRVGRP_NAME'}); + foreach my $key (sort keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}) + { + delete $customservicegrp{$key}; + } + } + &General::writehasharray("$configsrvgrp", %customservicegrp); + $fwhostsettings{'SRVGRP_NAME'}=''; + &addservicegrp; + &viewtableservicegrp; +} +if ($fwhostsettings{'ACTION'} eq 'delgrpservice') +{ + my $grpname; + my $grpremark; + &General::readhasharray("$configsrvgrp", %customservicegrp); + &General::readhasharray("$configsrv", %customservice); + foreach my $key (keys %customservicegrp){ + if($customservicegrp{$key}[0].",".$customservicegrp{$key}[1].",".$customservicegrp{$key}[2].",".$customservicegrp{$key}[3] eq $fwhostsettings{'delsrvfromgrp'}) + { + #decrease count from source service + foreach my $key1 (sort keys %customservice){ + if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key1}[4]--; + last; + } + } + &General::writehasharray("$configsrv", %customservice); + $grpname=$customservicegrp{$key}[0]; + 
$grpremark=$customservicegrp{$key}[1]; + delete $customservicegrp{$key}; + } + } + &General::writehasharray("$configsrvgrp", %customservicegrp); + &rules; + if ($fwhostsettings{'updatesrvgrp'} eq 'on'){ + $fwhostsettings{'SRVGRP_NAME'}=$grpname; + $fwhostsettings{'SRVGRP_REMARK'}=$grpremark; + } + &addservicegrp; + &viewtableservicegrp; + +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newnet'}) +{ + &addnet; + &viewtablenet; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newhost'}) +{ + &addhost; + &viewtablehost; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newgrp'}) +{ + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservice'}) +{ + &addservice; +} +if ($fwhostsettings{'ACTION'} eq $Lang::tr{'fwhost newservicegrp'}) +{ + &addservicegrp; + &viewtableservicegrp; +} +if ($fwhostsettings{'ACTION'} eq 'changegrpremark') +{ + &General::readhasharray("$configgrp", %customgrp); + if ($fwhostsettings{'oldrem'} ne $fwhostsettings{'newrem'} && (&validremark($fwhostsettings{'newrem'}) || $fwhostsettings{'newrem'} eq '')){ + foreach my $key (sort keys %customgrp) + { + if($customgrp{$key}[0] eq $fwhostsettings{'grp'} && $customgrp{$key}[1] eq $fwhostsettings{'oldrem'}) + { + $customgrp{$key}[1]=''; + $customgrp{$key}[1]=$fwhostsettings{'newrem'}; + } + } + &General::writehasharray("$configgrp", %customgrp); + $fwhostsettings{'update'}='on'; + $fwhostsettings{'remark'}=$fwhostsettings{'newrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'remark'}=$fwhostsettings{'oldrem'}; + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + $fwhostsettings{'update'} = 'on'; + } + $fwhostsettings{'grp_name'}=$fwhostsettings{'grp'}; + &addgrp; + &viewtablegrp; +} +if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') +{ + &General::readhasharray("$configsrvgrp", %customservicegrp ); + if ($fwhostsettings{'oldsrvrem'} ne $fwhostsettings{'newsrvrem'} && (&validremark($fwhostsettings{'newsrvrem'}) 
|| $fwhostsettings{'newsrvrem'} eq '')){ + foreach my $key (sort keys %customservicegrp) + { + if($customservicegrp{$key}[0] eq $fwhostsettings{'srvgrp'} && $customservicegrp{$key}[1] eq $fwhostsettings{'oldsrvrem'}) + { + $customservicegrp{$key}[1]=''; + $customservicegrp{$key}[1]=$fwhostsettings{'newsrvrem'}; + } + } + &General::writehasharray("$configsrvgrp", %customservicegrp); + $fwhostsettings{'updatesrvgrp'}='on'; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'}; + }else{ + $errormessage=$Lang::tr{'fwhost err remark'}; + $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'}; + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + $fwhostsettings{'updatesrvgrp'} = 'on'; + } + $fwhostsettings{'SRVGRP_NAME'}=$fwhostsettings{'srvgrp'}; + &addservicegrp; + &viewtableservicegrp; +} +### VIEW ### +if($fwhostsettings{'ACTION'} eq '') +{ + &showmenu; +} +### FUNCTIONS ### +sub showmenu +{ + if (-f "${General::swroot}/forward/reread"){ + print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</td></tr></table></form><br>"; + } + &Header::openbox('100%', 'left',$Lang::tr{'fwhost menu'}); + print "$Lang::tr{'fwhost welcome'}"; + print<<END; + <br><br><table border='0' width='100%'> + <tr><td><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newnet'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newhost'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newgrp'}' ></form></td> + <td align='right'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservice'}' ><input type='submit' name='ACTION' value='$Lang::tr{'fwhost newservicegrp'}' ></form></td></tr> + 
<tr><td colspan='6'><hr></td></tr></table> +END + &Header::closebox(); + +} +# Add +sub addnet +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addnet'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgnetremark'}=$fwhostsettings{'NETREMARK'}; + print<<END; + <table border='0' width='100%'> + <tr><td width='15%'>$Lang::tr{'name'}:</td><td><form method='post'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr> + <tr><td>$Lang::tr{'fwhost netaddress'}:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr> + <tr><td>$Lang::tr{'netmask'}:</td><td><input type='TEXT' name='SUBNET' value='$fwhostsettings{'SUBNET'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='15'></td></tr> + <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='NETREMARK' value='$fwhostsettings{'NETREMARK'}' style='width: 98.5%;'></td></tr> + <tr><td colspan='6'><br><hr></td></tr><tr> +END + if ($fwhostsettings{'ACTION'} eq 'editnet' || $fwhostsettings{'error'} eq 'on') + { + print "<td colspan='6' align='right' ><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='updatenet'><input type='hidden' name='orgnetremark' value='$fwhostsettings{'orgnetremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newnet' value='$fwhostsettings{'newnet'}'></td>"; + }else{ + print "<td colspan='6' align='right'><input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='savenet'><input type='hidden' name='newnet' value='on'>"; + } + print "</form><form method='post' style='display:inline'><input type='submit' 
value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input type='hidden' name='ACTION' value='resetnet'></form></td></tr></table>"; + &Header::closebox(); +} +sub addhost +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addhost'}); + $fwhostsettings{'orgname'}=$fwhostsettings{'HOSTNAME'}; + $fwhostsettings{'orgremark'}=$fwhostsettings{'HOSTREMARK'}; + print<<END; + <table border='0' width='100%'> + <tr><td>$Lang::tr{'name'}:</td><td><form method='post' style='display:inline;'><input type='TEXT' name='HOSTNAME' id='textbox1' value='$fwhostsettings{'HOSTNAME'}' $fwhostsettings{'BLK_HOST'} size='20'><script>document.getElementById('textbox1').focus()</script></td></tr> + <tr><td>IP/MAC:</td><td><input type='TEXT' name='IP' value='$fwhostsettings{'IP'}' $fwhostsettings{'BLK_IP'} size='20' maxlength='17'></td></tr> + <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='HOSTREMARK' value='$fwhostsettings{'HOSTREMARK'}' style='width:98%;'></td></tr> + <tr><td colspan='5'><hr></td></tr><tr> +END + + if ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'} eq 'on') + { + + print " <td colspan='4' align='right'><input type='submit' value='$Lang::tr{'update'}' style='min-width:100px;'/><input type='hidden' name='ACTION' value='updatehost'><input type='hidden' name='orgremark' value='$fwhostsettings{'orgremark'}' ><input type='hidden' name='orgname' value='$fwhostsettings{'orgname'}' ><input type='hidden' name='update' value='on'><input type='hidden' name='newhost' value='$fwhostsettings{'newhost'}'></form>"; + }else{ + print " <td colspan='4' align='right'><input type='submit' name='savehost' value='$Lang::tr{'save'}' style='min-width:100px;' /><input type='hidden' name='ACTION' value='savehost' /><input type='hidden' name='newhost' value='on'>"; + } + print " </form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;' ><input 
type='hidden' name='ACTION' value='resethost'></form></td></tr></table>"; + &Header::closebox(); +} +sub addgrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addgrp'}); + &General::setup_default_networks(%defaultNetworks); + &General::readhasharray("$configccdnet", %ccdnet); + &General::readhasharray("$confignet", %customnetwork); + &General::readhasharray("$configccdhost", %ccdhost); + &General::readhasharray("$confighost", %customhost); + &General::readhasharray("$configipsec", %ipsecconf); + + my %checked=(); + my $show=''; + $checked{'check1'}{'off'} = ''; + $checked{'check1'}{'on'} = ''; + $checked{'grp2'}{$fwhostsettings{'grp2'}} = 'CHECKED'; + $fwhostsettings{'oldremark'}=$fwhostsettings{'remark'}; + my $grp=$fwhostsettings{'grp_name'}; + my $rem=$fwhostsettings{'remark'}; + if ($fwhostsettings{'update'} eq ''){ + print<<END; + <table width='100%' border='0'> + <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><form method='post'><input type='TEXT' name='grp_name' value='$fwhostsettings{'grp_name'}' size='20'></td></tr> + <tr><td width='10%'>$Lang::tr{'remark'}:</td><td ><input type='TEXT' name='remark' value='$fwhostsettings{'remark'}' style='width: 98%;'></td></tr> + <tr><td colspan='2'><br><hr></td></tr></table> +END + }else{ + print<<END; + <table width='100%' border='0'><form method='post' style='display:inline'> + <tr><td nowrap='nowrap' width='12%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='TEXT' name='grp' value='$fwhostsettings{'grp_name'}' readonly ></td><td></td></tr> + <tr><td>$Lang::tr{'remark'}:</td><td><input type='TEXT' name='newrem' size='45' value='$fwhostsettings{'remark'}' style='width:98%'></td><td align='right'><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldrem' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='ACTION' value='changegrpremark' ></td></tr></table></form> + <hr> +END + } + if ($fwhostsettings{'update'} eq 'on'){ 
+ print<<END; + <form method='post'><input type='hidden' name='remark' value='$rem'><input type='hidden' name='grp_name' value='$grp'> + <table width='100%' border='0'> + <tr><td width=50% valign='top'> + <table width='100%' border='0'> + <tr><td width='1%'><input type='radio' name='grp2' value='std_net' id='DEFAULT_SRC_ADR' checked></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost stdnet'}</td><td><select name='DEFAULT_SRC_ADR' style='min-width:185px;'> +END + foreach my $network (sort keys %defaultNetworks) + { + next if($defaultNetworks{$network}{'LOCATION'} eq "IPCOP"); + next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); + print "<option value='$defaultNetworks{$network}{'NAME'}'"; + print " selected='selected'" if ($fwhostsettings{'DEFAULT_SRC_ADR'} eq $defaultNetworks{$network}{'NAME'}); + my $defnet="$defaultNetworks{$network}{'NAME'}_NETADDRESS"; + my $defsub="$defaultNetworks{$network}{'NAME'}_NETMASK"; + my $defsub1=&General::subtocidr($ownnet{$defsub}); + $ownnet{$defnet}='' if ($defaultNetworks{$network}{'NAME'} eq 'RED'); + if ($ownnet{$defnet}){ + print ">$network ($ownnet{$defnet}/$defsub1)</option>"; + }else{ + print ">$network</option>"; + } + } + print"</select></td></tr>"; + if (! -z $confignet){ + print"<tr><td><input type='radio' name='grp2' id='CUST_SRC_NET' value='cust_net' $checked{'grp2'}{'cust_net'}></td><td>$Lang::tr{'fwhost cust net'}</td><td><select name='CUST_SRC_NET' style='min-width:185px;'>"; + foreach my $key (sort { ncmp($customnetwork{$a}[0],$customnetwork{$b}[0]) } keys %customnetwork) { + print"<option>$customnetwork{$key}[0]</option>"; + } + print"</select></td></tr>"; + } + if (! 
-z $confighost){ + print"<tr><td valign='top'><input type='radio' name='grp2' id='CUST_SRC_HOST' value='cust_host' $checked{'grp2'}{'cust_host'}></td><td valign='top'>$Lang::tr{'fwhost cust addr'}</td><td><select name='CUST_SRC_HOST' style='min-width:185px;'>"; + foreach my $key (sort { ncmp($customhost{$a}[0],$customhost{$b}[0]) } keys %customhost) { + print"<option>$customhost{$key}[0]</option>"; + } + print"</select></td></tr>"; + } + print"</table>"; + #Inner table right + print"</td><td valign='top'><table width='100%' border='0'>"; + #OVPN networks + if (! -z $configccdnet){ + print"<td width='1%'><input type='radio' name='grp2' id='OVPN_CCD_NET' value='ovpn_net' $checked{'grp2'}{'ovpn_net'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdnet'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_NET' style='min-width:185px;'>"; + foreach my $key (sort { ncmp($ccdnet{$a}[0],$ccdnet{$b}[0]) } keys %ccdnet) + { + print"<option value='$ccdnet{$key}[0]'>$ccdnet{$key}[0]</option>"; + } + print"</select></td></tr>"; + } + #OVPN clients + foreach my $key (sort { ncmp($ccdhost{$a}[0],$ccdhost{$b}[0]) } keys %ccdhost) + { + if ($ccdhost{$key}[33] ne ''){ + print"<td width='1%'><input type='radio' name='grp2' value='ovpn_host' $checked{'grp2'}{'ovpn_host'}></td><td nowrap='nowrap' width='16%'>$Lang::tr{'fwhost ccdhost'}</td><td nowrap='nowrap' width='1%'><select name='OVPN_CCD_HOST' style='min-width:185px;'>" if ($show eq ''); + $show='1'; + print"<option value='$ccdhost{$key}[1]'>$ccdhost{$key}[1]</option>"; + } + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + #OVPN n2n networks + foreach my $key (sort { ncmp($ccdhost{$a}[1],$ccdhost{$b}[1]) } keys %ccdhost) { + if($ccdhost{$key}[3] eq 'net'){ + print"<td width='1%'><input type='radio' name='grp2' id='OVPN_N2N' value='ovpn_n2n' $checked{'grp2'}{'ovpn_n2n'}></td><td valign='top'>$Lang::tr{'fwhost ovpn_n2n'}</td><td colspan='3'><select name='OVPN_N2N' style='min-width:185px;'>" if ($show eq 
''); + $show='1'; + print"<option>$ccdhost{$key}[1]</option>"; + } + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + #IPsec networks + foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) { + if ($ipsecconf{$key}[3] eq 'net'){ + print"<td valign='top'><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}></td><td valign='top'>$Lang::tr{'fwhost ipsec net'}</td><td><select name='IPSEC_NET' style='min-width:185px;'>" if ($show eq ''); + $show='1'; + print"<option value='$ipsecconf{$key}[1]'>$ipsecconf{$key}[1]</option>"; + } + } + if ($show eq '1'){$show='';print"</select></td></tr>";} + print"</table>"; + print"</td></tr></table>"; + print"<br><br><hr>"; + } + print"<table border='0' width='100%'>"; + print"<tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='oldremark' value='$fwhostsettings{'oldremark'}'><input type='hidden' name='update' value="$fwhostsettings{'update'}"><input type='hidden' name='ACTION' value='savegrp' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='resetgrp'></form></td></table>"; + &Header::closebox(); +} +sub addservice +{ + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservice'}); + if ($fwhostsettings{'updatesrv'} eq 'on') + { + $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; + $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'}; + $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'}; + } + print<<END; + <table width='100%' border='0'><form method='post'> + <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost srv_name'}:</td><td><input type='text' name='SRV_NAME' id='textbox1' value='$fwhostsettings{'SRV_NAME'}' size='24'><script>document.getElementById('textbox1').focus()</script></td></tr> + <tr><td 
width='10%' nowrap='nowrap'>$Lang::tr{'fwhost prot'}:</td><td><select name='PROT'> +END + foreach ("TCP","UDP","ICMP") + { + if ($_ eq $fwhostsettings{'PROT'}) + { + print"<option selected>$_</option>"; + }else{ + print"<option>$_</option>"; + } + } + print<<END; + </select></td></tr> + <tr><td width='10%' nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td><select name='ICMP_TYPES'> +END + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", %icmptypes); + print"<option>All ICMP-Types</option>"; + foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){ + print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>"; + } + + print<<END; + </select></td></tr> + <tr><td width='10%'>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='24'></td></tr> + <tr><td colspan='6'><br><hr></td></tr> + <tr><td colspan='6' align='right'> +END + if ($fwhostsettings{'updatesrv'} eq 'on') + { + print<<END; + <input type='submit' value='$Lang::tr{'update'}'style='min-width:100px;' > + <input type='hidden' name='ACTION' value='updateservice'> + <input type='hidden' name='oldsrvname' value='$fwhostsettings{'oldsrvname'}'> + <input type='hidden' name='oldsrvport' value='$fwhostsettings{'oldsrvport'}'> + <input type='hidden' name='oldsrvprot' value='$fwhostsettings{'oldsrvprot'}'></form> +END + + }else{ + print"<input type='submit' value='$Lang::tr{'save'}' style='min-width:100px;'><input type='hidden' name='ACTION' value='saveservice'></form>"; + } + print<<END; + <form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'></form></td></tr> + </table></form> + + +END + &Header::closebox(); + &viewtableservice; +} +sub addservicegrp +{ + &hint; + &error; + &showmenu; + &Header::openbox('100%', 'left', $Lang::tr{'fwhost addservicegrp'}); + $fwhostsettings{'oldsrvgrpremark'}=$fwhostsettings{'SRVGRP_REMARK'}; + 
if ($fwhostsettings{'updatesrvgrp'} eq ''){ + print<<END; + <table width='100%' border='0'><form method='post'> + <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}' size='24'></td></tr> + <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width: 98%;'></td></tr> + <tr><td colspan='2'><br><hr></tr> + </table> +END + }else{ + print<<END; + <table width='100%' border='0'><form method='post' style='display:inline'> + <tr><td width='10%'>$Lang::tr{'fwhost addgrpname'}</td><td><input type='text' name='srvgrp' value='$fwhostsettings{'SRVGRP_NAME'}' readonly size='14'></td><td width='3%'></td></tr> + <tr><td width='10%'>$Lang::tr{'remark'}:</td><td><input type='text' name='newsrvrem' value='$fwhostsettings{'SRVGRP_REMARK'}' style='width:98%;'></td><td align='right'><input type='submit' value='$Lang::tr{'fwhost change'}'><input type='hidden' name='oldsrvrem' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='changesrvgrpremark' ></td></tr> + <tr><td colspan='3'><br><hr></td></td></tr> + </table></form> +END + } + if($fwhostsettings{'updatesrvgrp'} eq 'on'){ + print<<END; + <form method='post'><input type='hidden' name='SRVGRP_REMARK' value='$fwhostsettings{'SRVGRP_REMARK'}'><input type='hidden' name='SRVGRP_NAME' value='$fwhostsettings{'SRVGRP_NAME'}'><table border='0' width='100%'> + <tr><td width='1%' nowrap='nowrap'>$Lang::tr{'fwhost cust service'}</td><td><select name='CUST_SRV' style='min-width:185px;'> +END + &General::readhasharray("$configsrv", %customservice); + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys %customservice) + { + print "<option>$customservice{$key}[0]</option>"; + } + print<<END; + </select></td></tr> + <tr><td colspan='4'><br><br></td></tr> + <tr><td colspan='4'><hr></td></tr> + </table> +END + } + print<<END; + 
<table width='100%' border='0'> + <tr><td align='right'><input type='submit' value='$Lang::tr{'add'}' style='min-width:100px;' /><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='oldsrvgrpremark' value='$fwhostsettings{'oldsrvgrpremark'}'><input type='hidden' name='ACTION' value='saveservicegrp' ></form><form style='display:inline;' method='post'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'></td></tr> + </table></form> +END + &Header::closebox(); +} +# View +sub viewtablenet +{ + if(! -z $confignet){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust net'}); + &General::readhasharray("$confignet", %customnetwork); + if (!keys %customnetwork) + { + print "<center><b>$Lang::tr{'fwhost empty'}</b>"; + }else{ + print<<END; + <table border='0' width='100%' cellspacing='0'> + <tr><td align='center'><b>$Lang::tr{'name'}</b></td><td align='center'><b>$Lang::tr{'fwhost netaddress'}</b></td><td align='center'><b>$Lang::tr{'remark'}</b></td><td align='center'><b>$Lang::tr{'used'}</b></td><td></td><td width='3%'></td></tr> +END + } + my $count=0; + foreach my $key (sort {ncmp($a,$b)} keys %customnetwork) { + if ($fwhostsettings{'ACTION'} eq 'editnet' && $fwhostsettings{'HOSTNAME'} eq $customnetwork{$key}[0]) { + print" <tr bgcolor='${Header::colouryellow}'>"; + }elsif ($count % 2) + { + print" <tr bgcolor='$color{'color22'}'>"; + }else + { + print" <tr bgcolor='$color{'color20'}'>"; + } + my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]); + print"<td width='20%'><form method='post'>$customnetwork{$key}[0]</td><td width='15%' align='center'>".&Header::colorize($colnet)."</td><td width='40%'>$customnetwork{$key}[3]</td><td align='center'>$customnetwork{$key}[4]x</td>"; + print<<END; + <td width='1%'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} /> + <input type='hidden' name='ACTION' 
value='editnet'> + <input type='hidden' name='HOSTNAME' value='$customnetwork{$key}[0]' /> + <input type='hidden' name='IP' value='$customnetwork{$key}[1]' /> + <input type='hidden' name='SUBNET' value='$customnetwork{$key}[2]' /> + <input type='hidden' name='NETREMARK' value='$customnetwork{$key}[3]' /> + </td></form> +END + if($customnetwork{$key}[4] == '0') + { + print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delnet' /><input type='hidden' name='key' value='$customnetwork{$key}[0]' /></td></form></tr>"; + }else{ + print"<td></td></tr>"; + } + $count++; + } + print"</table>"; + &Header::closebox(); + } + +} +sub getcolor +{ + my $c=shift; + #Check if IP is part of OpenVPN N2N subnet + foreach my $key (sort keys %ccdhost){ + if ($ccdhost{$key}[3] eq 'net'){ + my ($a,$b) = split("/",$ccdhost{$key}[11]); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color:$Header::colourovpn ;'"; + return $tdcolor; + } + } + } + #Check if IP is part of OpenVPN dynamic subnet + my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + #Check if IP is part of OpenVPN static subnet + foreach my $key (sort keys %ccdnet){ + my ($a,$b) = split("/",$ccdnet{$key}[1]); + $b =&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourovpn;'"; + return $tdcolor; + } + } + #Check if IP is part of IPsec RW network + if ($ipsecsettings{'RW_NET'} ne ''){ + my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); + $b=&General::iporsubtodec($b); + if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + #Check if IP is part of a IPsec N2N network + foreach my $key (sort keys %ipsecconf){ + my ($a,$b) = split("/",$ipsecconf{$key}[11]); 
+ if (&General::IpInSubnet($c,$a,$b)){ + $tdcolor="style='color: $Header::colourvpn;'"; + return $tdcolor; + } + } + $tdcolor=''; + return $tdcolor; +} +sub viewtablehost +{ + if (! -z $confighost){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust addr'}); + &General::readhasharray("$confighost", %customhost); + &General::readhasharray("$configccdnet", %ccdnet); + &General::readhasharray("$configccdhost", %ccdhost); + if (!keys %customhost) + { + print "<center><b>$Lang::tr{'fwhost empty'}</b>"; + }else{ + print<<END; + <table border='0' width='100%' cellspacing='0'> + <tr><td align='center'><b>$Lang::tr{'name'}</b></td><td align='center'><b>$Lang::tr{'fwhost ip_mac'}</b></td><td align='center'><b>$Lang::tr{'remark'}</b></td><td align='center'><b>$Lang::tr{'used'}</b></td><td></td><td width='3%'></td></tr> +END + } + my $count=0; + foreach my $key (sort { ncmp ($customhost{$a}[0],$customhost{$b}[0])} keys %customhost) { + if ( ($fwhostsettings{'ACTION'} eq 'edithost' || $fwhostsettings{'error'}) && $fwhostsettings{'HOSTNAME'} eq $customhost{$key}[0]) { + print" <tr bgcolor='${Header::colouryellow}'>"; + }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";} + else{ print" <tr bgcolor='$color{'color20'}'>";} + my ($ip,$sub)=split(///,$customhost{$key}[2]); + $customhost{$key}[4]=~s/\s+//g; + print"<td width='20%'>$customhost{$key}[0]</td><td width='20%' align='center' ".&getcolor($ip).">".&Header::colorize($ip)."</td><td width='50%' align='left'>$customhost{$key}[3]</td><td align='center'>$customhost{$key}[4]x</td>"; + print<<END; + <td width='1%'><form method='post'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} /> + <input type='hidden' name='ACTION' value='edithost' /> + <input type='hidden' name='HOSTNAME' value='$customhost{$key}[0]' /> + <input type='hidden' name='IP' value='$ip' /> + <input type='hidden' name='type' value='$customhost{$key}[1]' /> + <input type='hidden' 
name='HOSTREMARK' value='$customhost{$key}[3]' /> + </form></td> +END + if($customhost{$key}[4] == '0') + { + print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delhost' /><input type='hidden' name='key' value='$customhost{$key}[0]' /></td></form></tr>"; + }else{ + print"<td width='1%'></td></tr>"; + } + $count++; + } + print"</table>"; + &Header::closebox(); + } +} +sub viewtablegrp +{ + if(! -z "$configgrp"){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust grp'}); + &General::readhasharray("$configgrp", %customgrp); + &General::readhasharray("$configipsec", %ipsecconf); + &General::readhasharray("$configccdhost", %ccdhost); + &General::readhasharray("$configccdnet", %ccdnet); + &General::readhasharray("$confighost", %customhost); + &General::readhasharray("$confignet", %customnetwork); + my @grp=(); + my $helper=''; + my $count=1; + my $grpname; + my $remark; + my $number; + my $delflag; + if (!keys %customgrp) + { + print "<center><b>$Lang::tr{'fwhost err emptytable'}</b>"; + }else{ + foreach my $key (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ + $count++; + if ($helper ne $customgrp{$key}[0]){ + $delflag='0'; + foreach my $key1 (sort { ncmp($customgrp{$a}[0],$customgrp{$b}[0]) } sort { ncmp($customgrp{$a}[2],$customgrp{$b}[2]) } keys %customgrp){ + if ($customgrp{$key}[0] eq $customgrp{$key1}[0]) + { + $delflag++; + } + if($delflag > 1){ + last; + } + } + $number=1; + if ($customgrp{$key}[2] eq "none"){$customgrp{$key}[2]=$Lang::tr{'fwhost err emptytable'};} + $grpname=$customgrp{$key}[0]; + $remark="$customgrp{$key}[1]"; + if($count gt 1){ print"</table>";} + print "<br><b><u>$grpname</u></b> "; + print " <b>$Lang::tr{'remark'}:</b>  $remark   " if ($remark ne ''); + print "<b>$Lang::tr{'used'}:</b> $customgrp{$key}[4]x"; + 
if($customgrp{$key}[4] == '0') + { + print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='ACTION' value='delgrp'></form>"; + } + print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='grp_name' value='$grpname' ><input type='hidden' name='remark' value='$remark' ><input type='hidden' name='ACTION' value='editgrp'></form>"; + print"<table width='100%' style='border: 1px solid #CCCCCC;' rules='none' cellspacing='0'><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'ip address'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost type'}</td><td></td></tr>"; + } + + if ( ($fwhostsettings{'ACTION'} eq 'editgrp' || $fwhostsettings{'update'} ne '') && $fwhostsettings{'grp_name'} eq $customgrp{$key}[0]) { + print" <tr bgcolor='${Header::colouryellow}'>"; + }elsif ($count %2 == 0){ + print"<tr bgcolor='$color{'color22'}'>"; + }else{ + print"<tr bgcolor='$color{'color20'}'>"; + } + my $ip=&getipforgroup($customgrp{$key}[2],$customgrp{$key}[3]); + if ($ip eq ''){print"<tr bgcolor='${Header::colouryellow}'>";} + print "<td width='39%' align='left'>"; + if($customgrp{$key}[3] eq 'Standard Network'){ + print &get_name($customgrp{$key}[2])."</td>"; + }else{ + print "$customgrp{$key}[2]</td>"; + } + if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){ + print "<td align='center'>$Lang::tr{'fwhost deleted'}</td><td align='center'>$customgrp{$key}[3]</td><td width='1%'><form method='post'>"; + }else{ + my ($colip,$colsub) = split("/",$ip); + $ip="$colip/".&General::subtocidr($colsub) if ($colsub); + print"<td align='center' ".&getcolor($colip).">".&Header::colorize($ip)."</td><td align='center'>$customgrp{$key}[3]</td><td 
width='1%'><form method='post'>"; + } + if ($delflag > '1' && $ip ne ''){ + print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />"; + } + print"<input type='hidden' name='ACTION' value='deletegrphost'><input type='hidden' name='grpcnt' value='$customgrp{$key}[4]'><input type='hidden' name='update' value='$fwhostsettings{'update'}'><input type='hidden' name='delhost' value='$grpname,$remark,$customgrp{$key}[2],$customgrp{$key}[3]'></form></td></tr>"; + + $helper=$customgrp{$key}[0]; + $number++; + } + print"</table>"; + } + &Header::closebox(); +} + +} +sub viewtableservice +{ + my $count=0; + if(! -z "$configsrv") + { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost services'}); + &General::readhasharray("$configsrv", %customservice); + print<<END; + <table width='100%' border='0' cellspacing='0'> + <tr><td align='center'><b>$Lang::tr{'fwhost srv_name'}</b></td><td align='center'><b>$Lang::tr{'fwhost prot'}</b></td><td align='center'><b>$Lang::tr{'fwhost port'}</b></td><td align='center'><b>ICMP</b></td><td align='center'><b>$Lang::tr{'fwhost used'}</b></td><td></td><td width='3%'></td></tr> +END + foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0])} keys %customservice) + { + $count++; + if ( ($fwhostsettings{'updatesrv'} eq 'on' || $fwhostsettings{'error'}) && $fwhostsettings{'SRV_NAME'} eq $customservice{$key}[0]) { + print" <tr bgcolor='${Header::colouryellow}'>"; + }elsif ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}else{ print" <tr bgcolor='$color{'color20'}'>";} + print<<END; + <td>$customservice{$key}[0]</td><td align='center'>$customservice{$key}[2]</td><td align='center'>$customservice{$key}[1]</td><td align='center'> +END + if($customservice{$key}[3] ne 'BLANK'){print $customservice{$key}[3];} + + print<<END; + </td><td align='center'>$customservice{$key}[4]x</td> + <td width='1%'><form method='post'><input type='image' src='/images/edit.gif' 
align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} /><input type='hidden' name='ACTION' value='editservice' /> + <input type='hidden' name='SRV_NAME' value='$customservice{$key}[0]' /> + <input type='hidden' name='SRV_PORT' value='$customservice{$key}[1]' /> + <input type='hidden' name='PROT' value='$customservice{$key}[2]' /></form></td> +END + if ($customservice{$key}[4] eq '0') + { + print"<td width='1%'><form method='post'><input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} /><input type='hidden' name='ACTION' value='delservice' /><input type='hidden' name='SRV_NAME' value='$customservice{$key}[0]'></td></tr></form>"; + }else{ + print"<td></td></tr>"; + } + } + print"</table>"; + &Header::closebox(); + } +} +sub viewtableservicegrp +{ + my $count=0; + my $grpname; + my $remark; + my $helper; + my $port; + my $protocol; + my $delflag; + if (! -z $configsrvgrp){ + &Header::openbox('100%', 'left', $Lang::tr{'fwhost cust srvgrp'}); + &General::readhasharray("$configsrvgrp", %customservicegrp); + &General::readhasharray("$configsrv", %customservice); + my $number= keys %customservicegrp; + foreach my $key (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } keys %customservicegrp){ + $count++; + if ($helper ne $customservicegrp{$key}[0]){ + $delflag=0; + foreach my $key1 (sort { ncmp($customservicegrp{$a}[0],$customservicegrp{$b}[0]) } sort { ncmp($customservicegrp{$a}[2],$customservicegrp{$b}[2]) } keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $customservicegrp{$key1}[0]) + { + $delflag++; + } + if($delflag > 1){ + last; + } + } + $grpname=$customservicegrp{$key}[0]; + if ($customservicegrp{$key}[2] eq "none"){ + $customservicegrp{$key}[2]=$Lang::tr{'fwhost empty'}; + $port=''; + $protocol=''; + } + $remark="$customservicegrp{$key}[1]"; + if($count >=2){print"</table>";} + print "<br><b><u>$grpname</u></b> "; + print "<b>$Lang::tr{'remark'}:</b> $remark " if ($remark ne 
''); + print " <b>$Lang::tr{'used'}:</b> $customservicegrp{$key}[3]x"; + if($customservicegrp{$key}[3] == '0') + { + print"<form method='post' style='display:inline'><input type='image' src='/images/delete.gif' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='ACTION' value='delservicegrp'></form>"; + } + print"<form method='post' style='display:inline'><input type='image' src='/images/edit.gif' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} align='right' /><input type='hidden' name='SRVGRP_NAME' value='$grpname' ><input type='hidden' name='SRVGRP_REMARK' value='$remark' ><input type='hidden' name='ACTION' value='editservicegrp'></form>"; + print"<table width='100%' style='border: 1px solid #CCCCCC;' rules='none' cellspacing='0'><tr><td align='center'><b>Name</b></td><td align='center'><b>$Lang::tr{'port'}</b></td><td align='center' width='25%'><b>$Lang::tr{'fwhost prot'}</td><td></td></tr>"; + } + if( $fwhostsettings{'SRVGRP_NAME'} eq $customservicegrp{$key}[0]) { + print" <tr bgcolor='${Header::colouryellow}'>"; + }elsif ($count %2 == 0){ + print"<tr bgcolor='$color{'color22'}'>"; + }else{ + print"<tr bgcolor='$color{'color20'}'>"; + } + print "<td width='39%'>$customservicegrp{$key}[2]</td>"; + foreach my $srv (sort keys %customservice){ + if ($customservicegrp{$key}[2] eq $customservice{$srv}[0]){ + $protocol=$customservice{$srv}[2]; + $port=$customservice{$srv}[1]; + last; + } + } + print"<td align='center'>$port</td><td align='center'>$protocol</td><td width='1%'><form method='post'>"; + if ($number gt '1'){ + print"<input type='image' src='/images/delete.gif' align='middle' alt=$Lang::tr{'delete'} title=$Lang::tr{'delete'} />"; + } + print"<input type='hidden' name='ACTION' value='delgrpservice'><input type='hidden' name='updatesrvgrp' value='$fwhostsettings{'updatesrvgrp'}'><input type='hidden' name='delsrvfromgrp' 
value='$grpname,$remark,$customservicegrp{$key}[2],$customservicegrp{$key}[3]'></form></td></tr>"; + $helper=$customservicegrp{$key}[0]; + } + print"</table>"; + &Header::closebox(); + } +} +# Check +sub checkname +{ + my %hash=%{(shift)}; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + return 0; + } + } + return 1; + +} +sub checkgroup +{ + my %hash=%{(shift)}; + my $name=shift; + foreach my $key (keys %hash) { + if($hash{$key}[0] eq $name){ + return 0; + } + } + return 1; +} +sub checkip +{ + + my %hash=%{(shift)}; + my $a=shift; + foreach my $key (keys %hash) { + if($hash{$key}[$a] eq $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'})){ + return 0; + } + } + return 1; +} +sub checksubnet +{ + my %hash=%{(shift)}; + &General::readhasharray("$confignet", %hash); + foreach my $key (keys %hash) { + if(&General::IpInSubnet($fwhostsettings{'IP'},$hash{$key}[1],$hash{$key}[2])) + { + return 1; + } + } + return 0; +} +sub checkservicegroup +{ + &General::readhasharray("$configsrvgrp", %customservicegrp); + + + #check name + if ( ! 
&validhostname($fwhostsettings{'SRVGRP_NAME'})) + { + $errormessage.=$Lang::tr{'fwhost err name'}."<br>"; + return $errormessage; + } + #check empty selectbox + if (keys %customservice lt 1) + { + $errormessage.=$Lang::tr{'fwhost err groupempty'}."<br>"; + } + #check if name already exists + if ($fwhostsettings{'updatesrvgrp'} ne 'on'){ + foreach my $key (keys %customservicegrp) { + if( $customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} ){ + $errormessage.=$Lang::tr{'fwhost err grpexist'}."<br>"; + + } + } + } + #check if service already exists in group + foreach my $key (keys %customservicegrp) { + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'} && $customservicegrp{$key}[2] eq $fwhostsettings{'CUST_SRV'} ){ + $errormessage.=$Lang::tr{'fwhost err srvexist'}."<br>"; + } + } + return $errormessage; +} +sub error +{ + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage\n"; + print " </class>\n"; + &Header::closebox(); + } +} +sub hint +{ + if ($hint) { + &Header::openbox('100%', 'left', $Lang::tr{'fwhost hint'}); + print "<class name='base'>$hint\n"; + print " </class>\n"; + &Header::closebox(); + } +} +sub get_name +{ + my $val=shift; + &General::setup_default_networks(%defaultNetworks); + foreach my $network (sort keys %defaultNetworks) + { + return "$network" if ($val eq $defaultNetworks{$network}{'NAME'}); + } +} + +sub deletefromgrp +{ + my $target=shift; + my $config=shift; + my %hash=(); + &General::readhasharray("$config",%hash); + foreach my $key (keys %hash) { + $errormessage.="lese $hash{$key}[2] und $target<br>"; + if($hash{$key}[2] eq $target){ + + delete $hash{$key}; + $errormessage.="Habe $target aus Gruppe gelöscht!<br>"; + } + } + &General::writehasharray("$config",%hash); + +} +sub plausicheck +{ + my $edit=shift; + #check hostname + if (!&validhostname($fwhostsettings{'HOSTNAME'})) + { + $errormessage=$errormessage.$Lang::tr{'fwhost err name'}; + 
$fwhostsettings{'BLK_IP'}='readonly'; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if name collides with CCD Netname + &General::readhasharray("$configccdnet", %ccdnet); + foreach my $key (keys %ccdnet) { + if($ccdnet{$key}[0] eq $fwhostsettings{'HOSTNAME'}){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdnet'};; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + #check if IP collides with CCD NetIP + if ($fwhostsettings{'type'} ne 'mac'){ + &General::readhasharray("$configccdnet", %ccdnet); + foreach my $key (keys %ccdnet) { + my $test=(&General::getnetworkip($fwhostsettings{'IP'},&General::iporsubtocidr($fwhostsettings{'SUBNET'})))."/".$fwhostsettings{'SUBNET'}; + if($ccdnet{$key}[1] eq $test){ + $errormessage=$errormessage.$Lang::tr{'fwhost err isccdipnet'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgip'}; + $fwhostsettings{'SUBNET'} = $fwhostsettings{'orgsubnet'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + #check if name collides with CCD Hostname + &General::readhasharray("$configccdhost", %ccdhost); + foreach my $key (keys %ccdhost) { + my ($ip,$sub)=split(///,$ccdhost{$key}[33]); + if($ip eq $fwhostsettings{'IP'}){ + $errormessage=$Lang::tr{'fwhost err isccdiphost'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + #check if IP collides with CCD HostIP (only hosts) + if ($edit eq 'edithost') + { + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $fwhostsettings{'HOSTNAME'}){ + $errormessage=$Lang::tr{'fwhost err isccdhost'}; + $fwhostsettings{'IP'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + last; + } + } + } + #check if network with this name already exists + 
&General::readhasharray("$confignet", %customnetwork); + if (!&checkname(%customnetwork)) + { + $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err netexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if network ip already exists + if (!&checkip(%customnetwork,1)) + { + $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err net'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this name already exists + &General::readhasharray("$confighost", %customhost); + if (!&checkname(%customhost)) + { + $errormessage.="<br>".$Lang::tr{'fwhost err hostexist'}; + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; + if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}=$edit;} + } + #check if host with this ip already exists + if (!&checkip(%customhost,2)) + { + $errormessage=$errormessage."<br>".$Lang::tr{'fwhost err ipcheck'}; + } + return; +} +sub getipforgroup +{ + my $name=$_[0], + my $type=$_[1]; + my $value; + + #get address from IPSEC NETWORK + if ($type eq 'IpSec Network'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[11]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from IPSEC HOST + if ($type eq 'IpSec Host'){ + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $name){ + return $ipsecconf{$key}[10]; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd Net-2-Net + if ($type eq 'OpenVPN N-2-N'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = split ("/",$ccdhost{$key}[11]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static host + if ($type eq 'OpenVPN static host'){ + foreach my $key (keys %ccdhost) { + if($ccdhost{$key}[1] eq $name){ + my ($a,$b) = 
split (///,$ccdhost{$key}[33]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + &deletefromgrp($name,$configgrp); + } + + #get address from ovpn ccd static net + if ($type eq 'OpenVPN static network'){ + foreach my $key (keys %ccdnet) { + if ($ccdnet{$key}[0] eq $name){ + my ($a,$b) = split (///,$ccdnet{$key}[1]); + $b=&General::iporsubtodec($b); + return "$a/$b"; + } + } + } + + #check custom addresses + if ($type eq 'Custom Host'){ + foreach my $key (keys %customhost) { + if ($customhost{$key}[0] eq $name){ + my ($ip,$sub) = split("/",$customhost{$key}[2]); + return $ip; + } + } + } + + ##check custom networks + if ($type eq 'Custom Network'){ + foreach my $key (keys %customnetwork) { + if($customnetwork{$key}[0] eq $name){ + return $customnetwork{$key}[1]."/".$customnetwork{$key}[2]; + } + } + } + + #check standard networks + if ($type eq 'Standard Network'){ + if ($name =~ /OpenVPN/i){ + my %ovpn=(); + &General::readhash("${General::swroot}/ovpn/settings",%ovpn); + return $ovpn{'DOVPN_SUBNET'}; + } + if ($name eq 'GREEN'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",%hash); + return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'}; + } + if ($name eq 'BLUE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",%hash); + return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'}; + } + if ($name eq 'ORANGE'){ + my %hash=(); + &General::readhash("${General::swroot}/ethernet/settings",%hash); + return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'}; + } + if ($name eq 'ALL'){ + return "0.0.0.0/0.0.0.0"; + } + if ($name =~ /IPsec/i){ + my %hash=(); + &General::readhash("${General::swroot}/vpn/settings",%hash); + return $hash{'RW_NET'}; + } + } +} +sub rules +{ + if (!-f "${General::swroot}/fwhosts/reread"){ + system("touch ${General::swroot}/fwhosts/reread"); + system("touch ${General::swroot}/forward/reread"); + } +} +sub reread_rules +{ + system ("/usr/local/bin/forwardfwctrl"); + if ( 
-f "${General::swroot}/fwhosts/reread"){ + system("rm ${General::swroot}/fwhosts/reread"); + system("rm ${General::swroot}/forward/reread"); + } + +} +sub decrease +{ + my $grp=$_[0]; + &General::readhasharray("$confignet", %customnetwork); + &General::readhasharray("$confighost", %customhost); + foreach my $key (sort keys %customgrp ){ + if ( ($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Network')){ + foreach my $key1 (sort keys %customnetwork){ + if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){ + $customnetwork{$key1}[4]=$customnetwork{$key1}[4]-1; + last; + } + } + } + + if (($customgrp{$key}[0] eq $grp) && ($customgrp{$key}[3] eq 'Custom Host')){ + foreach my $key2 (sort keys %customhost){ + if ($customhost{$key2}[0] eq $customgrp{$key}[2]){ + $customhost{$key2}[4]=$customhost{$key2}[4]-1; + last; + } + } + + } + } + &General::writehasharray("$confignet", %customnetwork); + &General::writehasharray("$confighost", %customhost); +} +sub decreaseservice +{ + my $grp=$_[0]; + &General::readhasharray("$configsrv", %customservice); + &General::readhasharray("$configsrvgrp", %customservicegrp); + + foreach my $key (sort keys %customservicegrp){ + if ($customservicegrp{$key}[0] eq $grp ){ + foreach my $key2 (sort keys %customservice){ + if ($customservice{$key2}[0] eq $customservicegrp{$key}[2]){ + $customservice{$key2}[4]--; + } + } + } + } + &General::writehasharray("$configsrv", %customservice); + +} +sub checkports +{ + + my %hash=%{(shift)}; + #check empty fields + if ($fwhostsettings{'SRV_NAME'} eq '' ){ + $errormessage=$Lang::tr{'fwhost err name1'}; + } + if ($fwhostsettings{'SRV_PORT'} eq '' && $fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage=$Lang::tr{'fwhost err port'}; + } + #check valid name + if (! 
&validhostname($fwhostsettings{'SRV_NAME'})){ + $errormessage="<br>".$Lang::tr{'fwhost err name'}; + } + #change dashes with : + $fwhostsettings{'SRV_PORT'}=~ tr/-/:/; + + if ($fwhostsettings{'SRV_PORT'} eq "*") { + $fwhostsettings{'SRV_PORT'} = "1:65535"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\D):(\d+)$/) { + $fwhostsettings{'SRV_PORT'} = "1:$2"; + } + if ($fwhostsettings{'SRV_PORT'} =~ /^(\d+):(\D)$/) { + $fwhostsettings{'SRV_PORT'} = "$1:65535"; + } + if($fwhostsettings{'PROT'} ne 'ICMP'){ + $errormessage = $errormessage.&General::validportrange($fwhostsettings{'SRV_PORT'}, 'src'); + } + # a new service has to have a different name + foreach my $key (keys %hash){ + if ($hash{$key}[0] eq $fwhostsettings{'SRV_NAME'}){ + $errormessage = "<br>".$Lang::tr{'fwhost err srv exists'}; + last; + } + } + return $errormessage; +} +sub validhostname +{ + # Checks a hostname against RFC1035 + my $hostname = $_[0]; + + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($hostname) < 1 || length ($hostname) > 63) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($hostname !~ /^[a-zA-ZÀöÌÖÄÜ0-9-_.;()/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($hostname, 0, 1) !~ /^[a-zA-ZöÀÌÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($hostname, -1, 1) !~ /^[a-zA-ZöÀÌÖÄÜ0-9()]*$/) { + return 0;} + return 1; +} +sub validremark +{ + # Checks a hostname against RFC1035 + my $remark = $_[0]; + # Each part should be at least two characters in length + # but no more than 63 characters + if (length ($remark) < 1 || length ($remark) > 255) { + return 0;} + # Only valid characters are a-z, A-Z, 0-9 and - + if ($remark !~ /^[a-zÀöÌA-ZÖÄÜ0-9-.:;|_()/\s]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($remark, 0, 1) !~ /^[a-zÀöÌA-ZÖÄÜ0-9]*$/) { + return 0;} + # Last character can only be a letter or 
a digit + if (substr ($remark, -1, 1) !~ /^[a-zöÀÌA-ZÖÄÜ0-9.:;_)]*$/) { + return 0;} + return 1; +} +&Header::closebigbox(); +&Header::closepage(); diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index ea19e26..03ef367 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -341,7 +341,7 @@ END } else { print $Lang::tr{'advproxy off'}; } } if ( $netsettings{'ORANGE_DEV'} ) { print <<END; - <tr><td align='center' bgcolor='$Header::colourorange' width='25%'><a href="/cgi-bin/dmzholes.cgi"><font size='2' color='white'><b>$Lang::tr{'dmz'}</b></font></a><br> + <tr><td align='center' bgcolor='$Header::colourorange' width='25%'><a href="/cgi-bin/forwardfw.cgi"><font size='2' color='white'><b>$Lang::tr{'dmz'}</b></font></a><br> <td width='30%' align='center'>$netsettings{'ORANGE_ADDRESS'} <td width='45%' align='center'><font color=$Header::colourgreen>Online</font> END diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 1893957..713f37f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -11,7 +11,6 @@ # $Id: optionsfw.cgi,v 1.1.2.10 2005/10/03 00:34:10 gespinasse Exp $ # # - # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -22,38 +21,49 @@ require "${General::swroot}/header.pl";
my %checked =(); # Checkbox manipulations - -# File used -my $filename = "${General::swroot}/optionsfw/settings"; - our %settings=(); -$settings{'DISABLEPING'} = 'NO'; -$settings{'DROPNEWNOTSYN'} = 'on'; -$settings{'DROPINPUT'} = 'on'; -$settings{'DROPOUTPUT'} = 'on'; -$settings{'DROPPORTSCAN'} = 'on'; -$settings{'DROPWIRELESSINPUT'} = 'on'; -$settings{'DROPWIRELESSFORWARD'} = 'on'; +my %fwdfwsettings=(); +my %configfwdfw=(); +my %configoutgoingfw=();
+my $configfwdfw = "${General::swroot}/forward/config"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; my $errormessage = ''; my $warnmessage = ''; +my $filename = "${General::swroot}/optionsfw/settings";
+&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); &Header::showhttpheaders();
#Get GUI values &Header::getcgihash(%settings); - if ($settings{'ACTION'} eq $Lang::tr{'save'}) { - $errormessage = $Lang::tr{'new optionsfw later'}; - delete $settings{'__CGI__'};delete $settings{'x'};delete $settings{'y'}; - &General::writehash($filename, %settings); # Save good settings - } else { - &General::readhash($filename, %settings); # Get saved settings and reset to good if needed - } + if ($settings{'defpol'} ne '1'){ + $errormessage .= $Lang::tr{'new optionsfw later'}; + &General::writehash($filename, %settings); # Save good settings + system("/usr/local/bin/forwardfwctrl"); + }else{ + if ($settings{'POLICY'} ne ''){ + $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; + } + if ($settings{'POLICY1'} ne ''){ + $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'}; + } + my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; + &General::writehash("${General::swroot}/forward/settings", %fwdfwsettings); + &General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); + system("/usr/local/bin/forwardfwctrl"); + } + &General::readhash($filename, %settings); # Load good settings +}
&Header::openpage($Lang::tr{'options fw'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); - +&General::readhash($filename, %settings); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); print "<font color='red'>$errormessage </font>"; @@ -66,9 +76,12 @@ $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'"; $checked{'DROPINPUT'}{'off'} = ''; $checked{'DROPINPUT'}{'on'} = ''; $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; -$checked{'DROPOUTPUT'}{'off'} = ''; -$checked{'DROPOUTPUT'}{'on'} = ''; -$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'"; +$checked{'DROPFORWARD'}{'off'} = ''; +$checked{'DROPFORWARD'}{'on'} = ''; +$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; +$checked{'DROPOUTGOING'}{'off'} = ''; +$checked{'DROPOUTGOING'}{'on'} = ''; +$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; 
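Review bot: The write at `&General::writehash($filename, %settings);` in the `defpol ne '1'` branch now persists the raw CGI hash: the removed lines first did `delete $settings{'__CGI__'};delete $settings{'x'};delete $settings{'y'};` and only wrote when `ACTION eq $Lang::tr{'save'}`, whereas the new branch rewrites the settings file with every key the client posted on any request where `defpol` is not '1'; restore the three deletes before the write and keep a save guard. In the else branch, `%fwdfwsettings = ();` followed by a write of only `POLICY` and `POLICY1` discards every other key that `&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings)` loaded a few lines earlier, and the two policy values are copied from the request without being compared against the set of accepted values. As rendered in this e-mail the `if ($settings{'ACTION'} eq $Lang::tr{'save'}) {` line shows as removed while a bare `+}` closes the block, so the brace structure may be a rendering artefact rather than a real change. The `+&General::readhash($filename, %settings);` added after `openbigbox` repeats the read that already ends the block above it.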
@@ -84,6 +97,21 @@ $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; $checked{'DROPSAMBA'}{'off'} = ''; $checked{'DROPSAMBA'}{'on'} = ''; $checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; +$checked{'SHOWCOLORS'}{'off'} = ''; +$checked{'SHOWCOLORS'}{'on'} = ''; +$checked{'SHOWCOLORS'}{$settings{'SHOWCOLORS'}} = "checked='checked'"; +$checked{'SHOWREMARK'}{'off'} = ''; +$checked{'SHOWREMARK'}{'on'} = ''; +$checked{'SHOWREMARK'}{$settings{'SHOWREMARK'}} = "checked='checked'"; +$checked{'SHOWTABLES'}{'off'} = ''; +$checked{'SHOWTABLES'}{'on'} = ''; +$checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'"; +$checked{'SHOWDROPDOWN'}{'off'} = ''; +$checked{'SHOWDROPDOWN'}{'on'} = ''; +$checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'"; +$selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; +$selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; +$selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';
&Header::openbox('100%', 'center', $Lang::tr{'options fw'}); print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>"; @@ -96,8 +124,10 @@ print <<END <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> off</td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>on <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/ <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop output'}</td><td align='left'>on <input type='radio' name='DROPOUTPUT' value='on' $checked{'DROPOUTPUT'}{'on'} />/ - <input type='radio' name='DROPOUTPUT' value='off' $checked{'DROPOUTPUT'}{'off'} /> off</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/ + <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>on <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/ + <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> off</td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/ <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ 
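Review bot: `$settings{'FWPOLICY'}`, `FWPOLICY1` and `FWPOLICY2` arrive straight from the CGI request and the three new `$selected{...}= 'selected'` lines only use them to pick a `<select>` option; nothing in this hunk restricts them to DROP or REJECT, and the save branch earlier in the file (outside this chunk) writes the whole `%settings` hash to `$filename` and then runs forwardfwctrl. A value that is neither DROP nor REJECT therefore reaches the settings file with no option shown as selected, and how forwardfwctrl treats it cannot be seen from here. Reject anything outside `/^(DROP|REJECT)$/` for all three keys before the hash is written, appending to `$errormessage` the way the existing save path does. Style: the three lines omit the space before `=` that every other assignment in the hunk has.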
@@ -105,7 +135,8 @@ print <<END <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> off</td></tr> </table> -<br /> +<br/> + <table width='95%' cellspacing='0'> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>on <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/ 
@@ -113,15 +144,77 @@ print <<END <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>on <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> off</td></tr> </table> +<br> +<table width='95%' cellspacing='0'> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>on <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/ + <input type='radio' name='SHOWCOLORS' value='off' $checked{'SHOWCOLORS'}{'off'} /> off</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'fw settings remark'}</td><td align='left'>on <input type='radio' name='SHOWREMARK' value='on' $checked{'SHOWREMARK'}{'on'} />/ + <input type='radio' name='SHOWREMARK' value='off' $checked{'SHOWREMARK'}{'off'} /> off</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'fw settings ruletable'}</td><td align='left'>on <input type='radio' name='SHOWTABLES' value='on' $checked{'SHOWTABLES'}{'on'} />/ + <input type='radio' name='SHOWTABLES' value='off' $checked{'SHOWTABLES'}{'off'} /> off</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'fw settings dropdown'}</td><td align='left'>on <input type='radio' name='SHOWDROPDOWN' value='on' $checked{'SHOWDROPDOWN'}{'on'} />/ + <input type='radio' name='SHOWDROPDOWN' value='off' $checked{'SHOWDROPDOWN'}{'off'} /> off</td></tr> +</table> +<br /> +<table width='95%' cellspacing='0'> +<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw default drop'}</b></td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop action'}</td><td><select name='FWPOLICY'> +<option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option> +<option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select> +</td></tr> +<tr><td align='left' 
width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'> +<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option> +<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select> +</td></tr> +<tr><td align='left' width='60%'>$Lang::tr{'drop action2'}</td><td><select name='FWPOLICY2'> +<option value='DROP' $selected{'FWPOLICY2'}{'DROP'}>DROP</option> +<option value='REJECT' $selected{'FWPOLICY2'}{'REJECT'}>REJECT</option></select> +</td></tr> +</table> + <br /> <table width='10%' cellspacing='0'> <tr><td align='center'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value=$Lang::tr{'save'} /> - <input type='image' alt='$Lang::tr{'save'}' title='$Lang::tr{'save'}' src='/images/media-floppy.png' /></form></td></tr> +<input type='submit' name='ACTION' value=$Lang::tr{'save'} /> +</form></td></tr> </table> </form> END ; &Header::closebox(); + +&Header::openbox('100%', 'center', $Lang::tr{'fwdfw pol title'}); + if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } +print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0'> + <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>FORWARD </td></tr> + <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text'}</td></tr> + <tr><td colspan='3'><hr /></td></tr> + <tr><td width='15%' align='left'> <select name='POLICY' style="width: 100px"> + <option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol 
block'}</option> + <option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select> + <input type='submit' name='ACTION' value=$Lang::tr{'save'} /><input type='hidden' name='defpol' value='1'></td> +END + print "</tr></table></form>"; + print"<br><br>"; + print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0'> + <tr><td colspan='3' style='font-weight:bold;color:red;' align='left'>OUTGOING </td></tr> + <tr><td colspan='3' align='left'>$Lang::tr{'fwdfw pol text1'}</td></tr> + <tr><td colspan='3'><hr /></td></tr> + <tr><td width='15%' align='left'> <select name='POLICY1' style="width: 100px"> + <option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option> + <option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select> + <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /><input type='hidden' name='defpol' value='1'></td> +END + print "</tr></table></form>"; + &Header::closebox(); + &Header::closebigbox(); &Header::closepage(); diff --git a/html/cgi-bin/outgoingfw.cgi b/html/cgi-bin/outgoingfw.cgi deleted file mode 100644 index b417817..0000000 --- a/html/cgi-bin/outgoingfw.cgi +++ /dev/null 
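Review bot: The submit button of the FORWARD policy form is written `value=$Lang::tr{'save'}` without quotes, while the OUTGOING form a few lines below uses `value='$Lang::tr{'save'}'`; because the request handler compares `$settings{'ACTION'}` with `$Lang::tr{'save'}`, a translation containing a space is cut at the space by the browser and the unquoted form's save silently never matches. The same unquoted attribute appears on the options form's `<input type='submit' name='ACTION' value=$Lang::tr{'save'} />` earlier in this hunk. Quote both as `<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />`. The `POLICY` and `POLICY1` values chosen here are MODE1 or MODE2, but the `defpol` branch earlier in the file (outside this chunk) writes them to the forward settings file unvalidated before calling forwardfwctrl; checking them against those two values there would keep that file well-formed.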
@@ -1,849 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -use strict; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); - -my $configfile = "/var/ipfire/outgoing/rules"; -my $configpath = "/var/ipfire/outgoing/groups/"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; -my $servicefile = "/var/ipfire/outgoing/defaultservices"; - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", %mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); - -&General::readhash("${General::swroot}/ethernet/settings", %netsettings); - -&Header::showhttpheaders(); - -### Values that have 
to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; -$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; -$outfwsettings{'MODE1LOG'} = 'off'; - -$outfwsettings{'TIME_FROM'} = '00:00'; -$outfwsettings{'TIME_TO'} = '00:00'; - -&General::readhash("${General::swroot}/outgoing/settings", %outfwsettings); -&Header::getcgihash(%outfwsettings); - -############### -# DEBUG DEBUG -#&Header::openbox('100%', 'left', 'DEBUG'); -#my $debugCount = 0; -#foreach my $line (sort keys %outfwsettings) { -#print "$line = $outfwsettings{$line}<br />\n"; -# $debugCount++; -#} -#print " Count: $debugCount\n"; -#&Header::closebox(); -# DEBUG DEBUG -############### - -$selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = "selected='selected'"; -$selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; - -$checked{'MODE1LOG'}{'off'} = ''; -$checked{'MODE1LOG'}{'on'} = ''; -$checked{'MODE1LOG'}{$outfwsettings{'MODE1LOG'}} = "checked='checked'"; -$checked{'TIME_MON'}{'off'} = ''; -$checked{'TIME_MON'}{'on'} = ''; -$checked{'TIME_MON'}{$outfwsettings{'TIME_MON'}} = "checked='checked'"; -$checked{'TIME_TUE'}{'off'} = ''; -$checked{'TIME_TUE'}{'on'} = ''; -$checked{'TIME_TUE'}{$outfwsettings{'TIME_TUE'}} = "checked='checked'"; -$checked{'TIME_WED'}{'off'} = ''; -$checked{'TIME_WED'}{'on'} = ''; -$checked{'TIME_WED'}{$outfwsettings{'TIME_WED'}} = "checked='checked'"; -$checked{'TIME_THU'}{'off'} = ''; -$checked{'TIME_THU'}{'on'} = ''; -$checked{'TIME_THU'}{$outfwsettings{'TIME_THU'}} = "checked='checked'"; 
-$checked{'TIME_FRI'}{'off'} = ''; -$checked{'TIME_FRI'}{'on'} = ''; -$checked{'TIME_FRI'}{$outfwsettings{'TIME_FRI'}} = "checked='checked'"; -$checked{'TIME_SAT'}{'off'} = ''; -$checked{'TIME_SAT'}{'on'} = ''; -$checked{'TIME_SAT'}{$outfwsettings{'TIME_SAT'}} = "checked='checked'"; -$checked{'TIME_SUN'}{'off'} = ''; -$checked{'TIME_SUN'}{'on'} = ''; -$checked{'TIME_SUN'}{$outfwsettings{'TIME_SUN'}} = "checked='checked'"; - -if ($outfwsettings{'POLICY'} eq 'MODE0'){ $selected{'POLICY'}{'MODE0'} = 'selected'; } else { $selected{'POLICY'}{'MODE0'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } -if ($outfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } - -# This is a little hack if poeple donŽt mark any date then all will be selected, because they might have forgotten to select -# a valid day. A Rule without any matching day will never work, because the timeranges are new feature people might not notice -# that they have to select a day for the rule. 
- -if ( $outfwsettings{'TIME_MON'} eq "" && - $outfwsettings{'TIME_TUE'} eq "" && - $outfwsettings{'TIME_WED'} eq "" && - $outfwsettings{'TIME_THU'} eq "" && - $outfwsettings{'TIME_FRI'} eq "" && - $outfwsettings{'TIME_SAT'} eq "" && - $outfwsettings{'TIME_SUN'} eq "" ) - { - $outfwsettings{'TIME_MON'} = "on"; - $outfwsettings{'TIME_TUE'} = "on"; - $outfwsettings{'TIME_WED'} = "on"; - $outfwsettings{'TIME_THU'} = "on"; - $outfwsettings{'TIME_FRI'} = "on"; - $outfwsettings{'TIME_SAT'} = "on"; - $outfwsettings{'TIME_SUN'} = "on"; - } - -&Header::openpage($Lang::tr{'outgoing firewall'}, 1, ''); -&Header::openbigbox('100%', 'left', '', $errormessage); - -############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'ACTION'} eq $Lang::tr{'reset'}) -{ - $outfwsettings{'POLICY'}='MODE0'; - unlink $configfile; - system("/usr/bin/touch $configfile"); - my $MODE = $outfwsettings{'POLICY'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - &General::writehash("${General::swroot}/outgoing/settings", %outfwsettings); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - my $MODE = $outfwsettings{'POLICY'}; - my $MODE1LOG = $outfwsettings{'MODE1LOG'}; - %outfwsettings = (); - $outfwsettings{'POLICY'} = "$MODE"; - $outfwsettings{'MODE1LOG'} = "$MODE1LOG"; - &General::writehash("${General::swroot}/outgoing/settings", %outfwsettings); - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'enable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = <FILE>; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];on;\n"; - } 
else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq 'disable') -{ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = <FILE>; - close FILE; - open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /;/, $p2pentry ); - if ($p2pline[1] eq $outfwsettings{'P2PROT'}) { - print FILE "$p2pline[0];$p2pline[1];off;\n"; - } else { - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'edit'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = <FILE>; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq 
$outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - $selected{'SNET'}{"$outfwsettings{'SNET'}"} = 'selected'; - $selected{'PROT'}{"$outfwsettings{'PROT'}"} = 'selected'; - $selected{'LOG'}{"$outfwsettings{'LOG'}"} = 'selected'; - &addrule(); - &Header::closebigbox(); - &Header::closepage(); - exit - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'delete'}) -{ - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = <FILE>; - close FILE; - open( FILE, "> $configfile" ) or die "Unable to write $configfile"; - foreach $configentry (sort @configs) - { - @configline = split( /;/, $configentry ); - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists $configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - unless (($configline[0] eq $outfwsettings{'STATE'}) && - ($configline[1] eq $outfwsettings{'ENABLED'}) && - ($configline[2] eq $outfwsettings{'SNET'}) && - ($configline[3] eq $outfwsettings{'PROT'}) && - ($configline[4] eq $outfwsettings{'NAME'}) && - ($configline[5] eq $outfwsettings{'SIP'}) && - ($configline[6] eq $outfwsettings{'SMAC'}) && - ($configline[7] 
eq $outfwsettings{'DIP'}) && - ($configline[9] eq $outfwsettings{'LOG'}) && - ($configline[8] eq $outfwsettings{'DPORT'}) && - ($configline[10] eq $outfwsettings{'TIME_MON'}) && - ($configline[11] eq $outfwsettings{'TIME_TUE'}) && - ($configline[12] eq $outfwsettings{'TIME_WED'}) && - ($configline[13] eq $outfwsettings{'TIME_THU'}) && - ($configline[14] eq $outfwsettings{'TIME_FRI'}) && - ($configline[15] eq $outfwsettings{'TIME_SAT'}) && - ($configline[16] eq $outfwsettings{'TIME_SUN'}) && - ($configline[17] eq $outfwsettings{'TIME_FROM'}) && - ($configline[18] eq $outfwsettings{'TIME_TO'})) - { - print FILE $configentry; - } - } - close FILE; - system("/usr/local/bin/outgoingfwctrl"); -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'add'}) -{ - if ( $outfwsettings{'VALID'} eq 'yes' ) { - - if ( $outfwsettings{'SNET'} eq "all" ) { - $outfwsettings{'SIP'} =""; - $outfwsettings{'SMAC'}=""; - } - open( FILE, ">> $configfile" ) or die "Unable to write $configfile"; - print FILE <<END -$outfwsettings{'STATE'};$outfwsettings{'ENABLED'};$outfwsettings{'SNET'};$outfwsettings{'PROT'};$outfwsettings{'NAME'};$outfwsettings{'SIP'};$outfwsettings{'SMAC'};$outfwsettings{'DIP'};$outfwsettings{'DPORT'};$outfwsettings{'LOG'};$outfwsettings{'TIME_MON'};$outfwsettings{'TIME_TUE'};$outfwsettings{'TIME_WED'};$outfwsettings{'TIME_THU'};$outfwsettings{'TIME_FRI'};$outfwsettings{'TIME_SAT'};$outfwsettings{'TIME_SUN'};$outfwsettings{'TIME_FROM'};$outfwsettings{'TIME_TO'}; -END -; - close FILE; - system("/usr/local/bin/outgoingfwctrl"); - } else { - $outfwsettings{'ACTION'} = 'Add rule'; - } -} -if ($outfwsettings{'ACTION'} eq $Lang::tr{'Add Rule'}) -{ - &addrule(); - exit -} - -&General::readhash("${General::swroot}/outgoing/settings", %outfwsettings); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage\n"; - print " </class>\n"; - &Header::closebox(); -} - 
-############################################################################################################################ -############################################################################################################################ - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - &Header::openbox('100%', 'center', 'Rules'); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='submit' name='ACTION' value='$Lang::tr{'Add Rule'}' /> - </form> -END -; - open( FILE, "< $configfile" ) or die "Unable to read $configfile"; - @configs = <FILE>; - close FILE; - if (@configs) { - print <<END - <hr /> - <table border='0' width='100%' cellspacing='0'> - <tr bgcolor='$color{'color22'}'> - <td width='14%' align='center'><b>$Lang::tr{'protocol'}</b></td> - <td width='14%' align='center'><b>$Lang::tr{'network'}</b></td> - <td width='14%' align='center'><b>$Lang::tr{'destination'}</b></td> - <td width='14%' align='center'><b>$Lang::tr{'description'}</b></td> - <td width='14%' align='center'><b>$Lang::tr{'policy'}</b></td> - <td width='16%' align='center'><b>$Lang::tr{'logging'}</b></td> - <td width='14%' align='center'><b>$Lang::tr{'action'}</b></td> -END -; - foreach $configentry (sort @configs) - { - @configline = split( /;/, $configentry ); - $outfwsettings{'STATE'} = $configline[0]; - $outfwsettings{'ENABLED'} = $configline[1]; - $outfwsettings{'SNET'} = $configline[2]; - $outfwsettings{'PROT'} = $configline[3]; - $outfwsettings{'NAME'} = $configline[4]; - $outfwsettings{'SIP'} = $configline[5]; - $outfwsettings{'SMAC'} = $configline[6]; - $outfwsettings{'DIP'} = $configline[7]; - $outfwsettings{'DPORT'} = $configline[8]; - $outfwsettings{'LOG'} = $configline[9]; - - $configline[10] = "on" if not exists $configline[11]; - $configline[11] = "on" if not exists $configline[11]; - $configline[12] = "on" if not exists $configline[12]; - $configline[13] = "on" if not exists $configline[13]; - $configline[14] = "on" if not exists 
$configline[14]; - $configline[15] = "on" if not exists $configline[15]; - $configline[16] = "on" if not exists $configline[16]; - $configline[17] = "00:00" if not exists $configline[17]; - $configline[18] = "00:00" if not exists $configline[18]; - - $outfwsettings{'TIME_MON'} = $configline[10]; - $outfwsettings{'TIME_TUE'} = $configline[11]; - $outfwsettings{'TIME_WED'} = $configline[12]; - $outfwsettings{'TIME_THU'} = $configline[13]; - $outfwsettings{'TIME_FRI'} = $configline[14]; - $outfwsettings{'TIME_SAT'} = $configline[15]; - $outfwsettings{'TIME_SUN'} = $configline[16]; - $outfwsettings{'TIME_FROM'} = $configline[17]; - $outfwsettings{'TIME_TO'} = $configline[18]; - - if ($outfwsettings{'DIP'} eq ''){ $outfwsettings{'DISPLAY_DIP'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DIP'} = $outfwsettings{'DIP'}; } - if ($outfwsettings{'DPORT'} eq ''){ $outfwsettings{'DISPLAY_DPORT'} = 'ALL'; } else { $outfwsettings{'DISPLAY_DPORT'} = $outfwsettings{'DPORT'}; } - if ($outfwsettings{'STATE'} eq 'DENY'){ $outfwsettings{'DISPLAY_STATE'} = "<img src='/images/stock_stop.png' alt='DENY' />"; } - if ($outfwsettings{'STATE'} eq 'ALLOW'){ $outfwsettings{'DISPLAY_STATE'} = "<img src='/images/stock_ok.png' alt='ALLOW' />"; } - if ((($outfwsettings{'POLICY'} eq 'MODE1') && ($outfwsettings{'STATE'} eq 'ALLOW')) || (($outfwsettings{'POLICY'} eq 'MODE2') && ($outfwsettings{'STATE'} eq 'DENY'))){ - if ( $outfwsettings{'ENABLED'} eq "on" ){ - print "<tr bgcolor='$color{'color20'}'>"; - } else { - print "<tr bgcolor='$color{'color18'}'>"; - } - print <<END - <td align='center'>$outfwsettings{'PROT'} - <td align='center'>$outfwsettings{'SNET'} - <td align='center'>$outfwsettings{'DISPLAY_DIP'}:$outfwsettings{'DISPLAY_DPORT'} - <td align='center'>$outfwsettings{'NAME'} - <td align='center'>$outfwsettings{'DISPLAY_STATE'} - <td align='center'>$outfwsettings{'LOG'} - <td align='center'> - <table border='0' cellpadding='0' cellspacing='0'><tr> - <td><form method='post' 
action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='PROT' value='$outfwsettings{'PROT'}' /> - <input type='hidden' name='STATE' value='$outfwsettings{'STATE'}' /> - <input type='hidden' name='SNET' value='$outfwsettings{'SNET'}' /> - <input type='hidden' name='DPORT' value='$outfwsettings{'DPORT'}' /> - <input type='hidden' name='DIP' value='$outfwsettings{'DIP'}' /> - <input type='hidden' name='SIP' value='$outfwsettings{'SIP'}' /> - <input type='hidden' name='NAME' value='$outfwsettings{'NAME'}' /> - <input type='hidden' name='SMAC' value='$outfwsettings{'SMAC'}' /> - <input type='hidden' name='ENABLED' value='$outfwsettings{'ENABLED'}' /> - <input type='hidden' name='LOG' value='$outfwsettings{'LOG'}' /> - <input type='hidden' name='TIME_MON' value='$outfwsettings{'TIME_MON'}' /> - <input type='hidden' name='TIME_TUE' value='$outfwsettings{'TIME_TUE'}' /> - <input type='hidden' name='TIME_WED' value='$outfwsettings{'TIME_WED'}' /> - <input type='hidden' name='TIME_THU' value='$outfwsettings{'TIME_THU'}' /> - <input type='hidden' name='TIME_FRI' value='$outfwsettings{'TIME_FRI'}' /> - <input type='hidden' name='TIME_SAT' value='$outfwsettings{'TIME_SAT'}' /> - <input type='hidden' name='TIME_SUN' value='$outfwsettings{'TIME_SUN'}' /> - <input type='hidden' name='TIME_FROM' value='$outfwsettings{'TIME_FROM'}' /> - <input type='hidden' name='TIME_TO' value='$outfwsettings{'TIME_TO'}' /> - <input type='hidden' name='ACTION' value=$Lang::tr{'edit'} /> - <input type='image' src='/images/edit.gif' width="20" height="20" alt=$Lang::tr{'edit'} /> - </form> - <td><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='PROT' value='$outfwsettings{'PROT'}' /> - <input type='hidden' name='STATE' value='$outfwsettings{'STATE'}' /> - <input type='hidden' name='SNET' value='$outfwsettings{'SNET'}' /> - <input type='hidden' name='DPORT' value='$outfwsettings{'DPORT'}' /> - <input type='hidden' name='DIP' value='$outfwsettings{'DIP'}' /> - <input 
type='hidden' name='SIP' value='$outfwsettings{'SIP'}' /> - <input type='hidden' name='NAME' value='$outfwsettings{'NAME'}' /> - <input type='hidden' name='SMAC' value='$outfwsettings{'SMAC'}' /> - <input type='hidden' name='ENABLED' value='$outfwsettings{'ENABLED'}' /> - <input type='hidden' name='LOG' value='$outfwsettings{'LOG'}' /> - <input type='hidden' name='TIME_MON' value='$outfwsettings{'TIME_MON'}' /> - <input type='hidden' name='TIME_TUE' value='$outfwsettings{'TIME_TUE'}' /> - <input type='hidden' name='TIME_WED' value='$outfwsettings{'TIME_WED'}' /> - <input type='hidden' name='TIME_THU' value='$outfwsettings{'TIME_THU'}' /> - <input type='hidden' name='TIME_FRI' value='$outfwsettings{'TIME_FRI'}' /> - <input type='hidden' name='TIME_SAT' value='$outfwsettings{'TIME_SAT'}' /> - <input type='hidden' name='TIME_SUN' value='$outfwsettings{'TIME_SUN'}' /> - <input type='hidden' name='TIME_FROM' value='$outfwsettings{'TIME_FROM'}' /> - <input type='hidden' name='TIME_TO' value='$outfwsettings{'TIME_TO'}' /> - <input type='hidden' name='ACTION' value=$Lang::tr{'delete'} /> - <input type='image' src='/images/delete.gif' width="20" height="20" alt=$Lang::tr{'delete'} /> - </form></table> -END -; - if (($outfwsettings{'SIP'}) || ($outfwsettings{'SMAC'})) { - - unless ($outfwsettings{'SIP'}) { - $outfwsettings{'DISPLAY_SIP'} = 'ALL'; - } else { - $outfwsettings{'DISPLAY_SIP'} = $outfwsettings{'SIP'}; - } - - unless ($outfwsettings{'SMAC'}) { - $outfwsettings{'DISPLAY_SMAC'} = 'ALL'; - print "<tr><td /><td align='left'>$Lang::tr{'source ip or net'}: </td>"; - print "<td align='left' colspan='2'>$outfwsettings{'DISPLAY_SIP'}</td>"; - } else { - $outfwsettings{'DISPLAY_SMAC'} = $outfwsettings{'SMAC'}; - print "<tr><td /><td align='left'>$Lang::tr{'source'} $Lang::tr{'mac address'}: </td>"; - print "<td align='left' colspan='2'>$outfwsettings{'DISPLAY_SMAC'}</td>"; - } - } - print <<END - <tr><td width='14%' align='right'>$Lang::tr{'time'} - </td> - <td width='14%' 
align='left'> -END -; - if ($outfwsettings{'TIME_MON'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy monday'}</font>,"; - if ($outfwsettings{'TIME_TUE'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy tuesday'}</font>,"; - if ($outfwsettings{'TIME_WED'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy wednesday'}</font>,"; - if ($outfwsettings{'TIME_THU'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy thursday'}</font>,"; - if ($outfwsettings{'TIME_FRI'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy friday'}</font>,"; - if ($outfwsettings{'TIME_SAT'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy saturday'}</font>,"; - if ($outfwsettings{'TIME_SUN'} eq 'on') { print "<font color='$Header::colourgreen'>";} - else { print "<font color='$Header::colourred'>";} - print "$Lang::tr{'advproxy sunday'}</font>"; - print <<END - </td> - <td width='22%' align='center'>$Lang::tr{'advproxy from'} $outfwsettings{'TIME_FROM'}</td> - <td width='22%' align='center'>$Lang::tr{'advproxy to'} $outfwsettings{'TIME_TO'}</td> - </form> -END -; - } - } -if ($outfwsettings{'POLICY'} eq 'MODE1'){ -print <<END - <tr bgcolor='$color{'color20'}'><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <td align='center'>all - <td align='center'>all - <td align='center'>ALL - <td align='center'>drop - <td align='center'><img src='/images/stock_stop.png' alt='DENY' /> - <td align='center'>on <input type='radio' name='MODE1LOG' value='on' 
$checked{'MODE1LOG'}{'on'} /><input type='radio' name='MODE1LOG' value='off' $checked{'MODE1LOG'}{'off'} /> off - <td align='center'><input type='hidden' name='ACTION' value=$Lang::tr{'save'} /><input type='image' src='/images/media-floppy.png' width="18" height="18" alt=$Lang::tr{'save'} /></form></tr> - <table border='0' cellpadding='0' cellspacing='0'><tr> - <td> - <td></table> -END -; -} - print <<END - </table> -END -; - - } - &Header::closebox(); -} - -if ($outfwsettings{'POLICY'} ne 'MODE0'){ - open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; - @p2ps = <FILE>; - close FILE; - &Header::openbox('100%', 'center', 'P2P-Block'); - print <<END - <table width='40%'> - <tr bgcolor='$color{'color22'}'><td width='66%' align=center><b>$Lang::tr{'protocol'}</b> - <td width='33%' align=center><b>$Lang::tr{'status'}</b> -END -; - my $id = 1; - foreach $p2pentry (sort @p2ps) - { - @p2pline = split( /;/, $p2pentry ); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> -END -; - print "\t\t\t<tr bgcolor='$color{'color20'}'>\n"; - print <<END - <td width='66%' align='center'>$p2pline[0]: - <td width='33%' align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /> -END -; - if ($p2pline[2] eq 'on') { - print <<END - <input type='hidden' name='ACTION' value='disable' /> - <input type='image' name='submit' src='/images/stock_ok.png' alt='$Lang::tr{'outgoing firewall p2p allow'}' title='$Lang::tr{'outgoing firewall p2p allow'}'/> -END -; - } else { - print <<END - <input type='hidden' name='ACTION' value='enable' /> - <input type='image' name='submit' src='/images/stock_stop.png' alt='$Lang::tr{'outgoing firewall p2p deny'}' title='$Lang::tr{'outgoing firewall p2p deny'}' /> -END -; - } - print <<END - </form> -END -; - } - print <<END - </table> - <br />$Lang::tr{'outgoing firewall p2p description 1'} <img src='/images/stock_ok.png' align='absmiddle' alt='$Lang::tr{'outgoing firewall p2p deny'}'> $Lang::tr{'outgoing firewall p2p 
description 2'} <img src='/images/stock_stop.png' align='absmiddle' alt='$Lang::tr{'outgoing firewall p2p deny'}'> $Lang::tr{'outgoing firewall p2p description 3'} -END -; - &Header::closebox(); -} - -&Header::openbox('100%', 'center', 'Policy'); -print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 0:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode0'}</td></tr> - <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 1:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode1'}</td></tr> - <tr><td width='10%' align='left'><b>$Lang::tr{'mode'} 2:</b><td width='90%' align='left' colspan='2'>$Lang::tr{'outgoing firewall mode2'}</td></tr> - <tr><td colspan='3'><hr /></td></tr> - <tr><td width='10%' align='left'> <select name='POLICY' style="width: 85px"><option value='MODE0' $selected{'POLICY'}{'MODE0'}>$Lang::tr{'mode'} 0</option><option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'mode'} 1</option><option value='MODE2' $selected{'POLICY'}{'MODE2'}>$Lang::tr{'mode'} 2</option></select> - <td width='45%' align='left'><input type='submit' name='ACTION' value=$Lang::tr{'save'} /> - <td width='45%' align='left'> -END -; - if ($outfwsettings{'POLICY'} ne 'MODE0') { - print <<END - $Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value=$Lang::tr{'reset'} /> -END -; - } -print <<END - </table> - </form> -END -; -&Header::closebox(); - -############################################################################################################################ -############################################################################################################################ - -sub addrule -{ - &Header::openbox('100%', 'center', $Lang::tr{'Add Rule'}); - if ($outfwsettings{'ENABLED'} eq 'on') { $selected{'ENABLED'} = 'checked'; } - $selected{'TIME_FROM'}{$outfwsettings{'TIME_FROM'}} = 
"selected='selected'"; - $selected{'TIME_TO'}{$outfwsettings{'TIME_TO'}} = "selected='selected'"; -print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='80%'> - <tr> - <td width='20%' align='right'>$Lang::tr{'description'}: <img src='/blob.gif' /></td> - <td width='30%' align='left'><input type='text' name='NAME' maxlength='30' value='$outfwsettings{'NAME'}' /></td> - <td width='20%' align='right' colspan='2'>$Lang::tr{'active'}:</td> - <td width='30%' align='left' colspan='2'><input type='checkbox' name='ENABLED' $selected{'ENABLED'} /></td> - </tr> - <tr> - <td width='20%' align='right'>$Lang::tr{'protocol'}</td> - <td width='30%' align='left'> - <select name='PROT'> - <option value='all' $selected{'PROT'}{'all'}>All</option> - <option value='tcp' $selected{'PROT'}{'tcp'}>TCP</option> - <option value='udp' $selected{'PROT'}{'udp'}>UDP</option> - <option value='gre' $selected{'PROT'}{'gre'}>GRE</option> - <option value='esp' $selected{'PROT'}{'esp'}>ESP</option> - </select> - </td> - <td width='20%' align='right' colspan='2'>$Lang::tr{'policy'}:</td> - <td width='30%' align='left' colspan='2'> -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ - print "\t\t\t\tALLOW<input type='hidden' name='STATE' value='ALLOW' />\n"; - } elsif ($outfwsettings{'POLICY'} eq 'MODE2'){ - print "\t\t\t\tDENY<input type='hidden' name='STATE' value='DENY' />\n"; - } - print <<END - </td> - </tr> - <tr> - <td width='20%' align='right'>$Lang::tr{'source'}:</td> - <td width='30%' align='left'> - <select name='SNET'> - <optgroup label='---'> - <option value='all' $selected{'SNET'}{'ALL'}>$Lang::tr{'all'}</option> - <optgroup label='$Lang::tr{'mac address'}'> - <option value='mac' $selected{'SNET'}{'mac'}>$Lang::tr{'source'} $Lang::tr{'mac address'}</option> - </optgroup> - <optgroup label='$Lang::tr{'ip address'}'> - <option value='ip' $selected{'SNET'}{'ip'}>$Lang::tr{'source ip or net'}</option> - <option value='red' $selected{'SNET'}{'red'}>$Lang::tr{'red'} 
IP</option> - </optgroup> - <optgroup label='$Lang::tr{'alt vpn'}'> - <option value='ovpn' $selected{'SNET'}{'ovpn'}>OpenVPN $Lang::tr{'interface'}</option> - </optgroup> - <optgroup label='$Lang::tr{'network'}'> - <option value='green' $selected{'SNET'}{'green'}>$Lang::tr{'green'}</option> -END -; - if (&Header::blue_used()){ - print "\t\t\t\t\t<option value='blue' $selected{'SNET'}{'blue'}>$Lang::tr{'wireless'}</option>\n"; - } - if (&Header::orange_used()){ - print "\t\t\t\t\t<option value='orange' $selected{'SNET'}{'orange'}>$Lang::tr{'dmz'}</option>\n"; - } - print <<END - </optgroup> - <optgroup label='IP $Lang::tr{'advproxy NCSA group'}'> -END -; - my @ipgroups = qx(ls $configpath/ipgroups/); - foreach (sort @ipgroups){ - chomp($_); - print "\t\t\t\t\t<option value='$_' $selected{'SNET'}{$_}>$_</option>\n"; - } - print <<END - </optgroup> - <optgroup label='MAC $Lang::tr{'advproxy NCSA group'}'> -END -; - my @macgroups = qx(ls $configpath/macgroups/); - foreach (sort @macgroups){ - chomp($_); - print "\t\t\t\t\t<option value='$_' $selected{'SNET'}{$_}>$_</option>\n"; - } - print <<END - </optgroup> - </select> - </td> - <td align='right' colspan='4'><font color='red'>$Lang::tr{'outgoing firewall warning'}</font></td> - </tr> - <tr> - <td align='right' colspan='4' >$Lang::tr{'source ip or net'}<img src='/blob.gif' /></td> - <td align='left' colspan='4' ><input type='text' name='SIP' value='$outfwsettings{'SIP'}' /></td> - </tr> - <tr> - <td align='right' colspan='4' >$Lang::tr{'source'} $Lang::tr{'mac address'}: <img src='/blob.gif' /> - <td align='left' colspan='4' ><input type='text' name='SMAC' maxlength='23' value='$outfwsettings{'SMAC'}' /> - </tr> - <tr> - <td width='20%' align='right'>$Lang::tr{'logging'}:</td> - <td width='30%' align='left'> - <select name='LOG'> - <option value='$Lang::tr{'active'}' $selected{'LOG'}{$Lang::tr{'active'}}>$Lang::tr{'active'}</option> - <option value='$Lang::tr{'inactive'}' 
$selected{'LOG'}{$Lang::tr{'inactive'}}>$Lang::tr{'inactive'}</option> - </select> - </td> - <td width='20%' align='right' colspan='2' /> - <td width='30%' align='left' colspan='2' /> - <tr> - <td width='20%' align='right'>$Lang::tr{'destination ip or net'}: <img src='/blob.gif' /></td> - <td width='30%' align='left'><input type='text' name='DIP' value='$outfwsettings{'DIP'}' /></td> - <td width='20%' align='right' colspan='2'>$Lang::tr{'destination port'}(s) <img src='/blob.gif' /></td> - <td width='30%' align='left' colspan='2'><input type='text' name='DPORT' value='$outfwsettings{'DPORT'}' /></td> - </tr> - <tr> - <td width='20%' align='right'>$Lang::tr{'time'}:</td> - <td width='30%' align='left'>$Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}</td> - <td width='20%' align='right' colspan='2' /> - <td width='15%' align='left'>$Lang::tr{'advproxy from'}</td> - <td width='15%' align='left'>$Lang::tr{'advproxy to'}</td> - </tr> - <tr> - <td width='20%' align='right'></td> - <td width='30%' align='left'> - <input type='checkbox' name='TIME_MON' $checked{'TIME_MON'}{'on'} /> - <input type='checkbox' name='TIME_TUE' $checked{'TIME_TUE'}{'on'} /> - <input type='checkbox' name='TIME_WED' $checked{'TIME_WED'}{'on'} /> - <input type='checkbox' name='TIME_THU' $checked{'TIME_THU'}{'on'} /> - <input type='checkbox' name='TIME_FRI' $checked{'TIME_FRI'}{'on'} /> - <input type='checkbox' name='TIME_SAT' $checked{'TIME_SAT'}{'on'} /> - <input type='checkbox' name='TIME_SUN' $checked{'TIME_SUN'}{'on'} /> - </td> - <td width='20%' align='right' colspan='2' /> - <td width='15%' align='left'> - <select name='TIME_FROM'> -END -; -for (my $i=0;$i<=23;$i++) { - $i = sprintf("%02s",$i); - for (my $j=0;$j<=45;$j+=15) { - $j = sprintf("%02s",$j); - my $time = $i.":".$j; - print "\t\t\t\t\t<option 
$selected{'TIME_FROM'}{$time}>$i:$j</option>\n"; - } -} -print <<END - </select> - </td> - <td width='15%' align='left'><select name='TIME_TO'> -END -; -for (my $i=0;$i<=23;$i++) { - $i = sprintf("%02s",$i); - for (my $j=0;$j<=45;$j+=15) { - $j = sprintf("%02s",$j); - my $time = $i.":".$j; - print "\t\t\t\t\t<option $selected{'TIME_TO'}{$time}>$i:$j</option>\n"; - } -} -print <<END - </select> - </td> - </tr> - <tr> - <td colspan='6' /> - <tr> - <tr> - <td width='40%' align='right' colspan='2'><img src='/blob.gif' />$Lang::tr{'this field may be blank'}</td> - <td width='60%' align='left' colspan='4'><input type='submit' name='ACTION' value=$Lang::tr{'add'} /></td> - </table></form> -END -; - &Header::closebox(); - -if ($outfwsettings{'POLICY'} eq 'MODE1' || $outfwsettings{'POLICY'} eq 'MODE2') -{ -&Header::openbox('100%', 'center', 'Quick Add'); - - open( FILE, "< /var/ipfire/outgoing/defaultservices" ) or die "Unable to read default services"; - my @defservices = <FILE>; - close FILE; - -print "<table width='100%'><tr bgcolor='$color{'color20'}'><td><b>$Lang::tr{'service'}</b></td><td><b>$Lang::tr{'description'}</b></td><td><b>$Lang::tr{'port'}</b></td><td><b>$Lang::tr{'protocol'}</b></td><td><b>$Lang::tr{'source net'}</b></td><td><b>$Lang::tr{'logging'}</b></td><td><b>$Lang::tr{'action'}</b></td></tr>"; -foreach my $serviceline(@defservices) - { - my @service = split(/,/,$serviceline); - print <<END - <tr><form method='post' action='$ENV{'SCRIPT_NAME'}'> - <td>$service[0]<input type='hidden' name='NAME' value='@service[0]' /></td> - <td>$service[3]</td> - <td><a href='http://isc.sans.org/port_details.php?port=$service[1]' target='top'>$service[1]</a><input type='hidden' name='DPORT' value='@service[1]' /></td> - <td>$service[2]<input type='hidden' name='PROT' value='@service[2]' /></td> - <td><select name='SNET'><option value='all' $selected{'SNET'}{'ALL'}>$Lang::tr{'all'}</option><option value='green' $selected{'SNET'}{'green'}>$Lang::tr{'green'}</option> -END 
-; - if (&Header::blue_used()){ - print "<option value='blue' $selected{'SNET'}{'blue'}>$Lang::tr{'wireless'}</option>"; - } - if (&Header::orange_used()){ - print "<option value='orange' $selected{'SNET'}{'orange'}>$Lang::tr{'dmz'}</option>"; - } - print <<END - </select></td> - <td><select name='LOG'><option value='$Lang::tr{'active'}'>$Lang::tr{'active'}</option><option value='$Lang::tr{'inactive'}' 'selected'>$Lang::tr{'inactive'}</option></select></td><td> - <input type='hidden' name='ACTION' value=$Lang::tr{'add'} /> - <input type='image' alt='$Lang::tr{'add'}' src='/images/add.gif' /> - <input type='hidden' name='ENABLED' value='on' /> -END -; - if ($outfwsettings{'POLICY'} eq 'MODE1'){ print "<input type='hidden' name='STATE' value='ALLOW' /></form></td></tr>";} - elsif ($outfwsettings{'POLICY'} eq 'MODE2'){print "<input type='hidden' name='STATE' value='DENY' /></form></td></tr>";} - } - print "</table>"; - &Header::closebox(); - } -} - -&Header::closebigbox(); -&Header::closepage(); diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 73e610b..f012358 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -30,6 +30,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); +use Sort::Naturally; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; 
@@ -165,49 +166,29 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } - sub checkportfw { - my $KEY2 = $_[0]; # key2 - my $SRC_PORT = $_[1]; # src_port - my $PROTOCOL = $_[2]; # protocol - my $SRC_IP = $_[3]; # sourceip - - my $pfwfilename = "${General::swroot}/portfw/config"; - open(FILE, $pfwfilename) or die 'Unable to open config file.'; - my @pfwcurrent = <FILE>; - close(FILE); - my $pfwkey1 = 0; # used for finding last sequence number used - foreach my $pfwline (@pfwcurrent) - { - my @pfwtemp = split(/,/,$pfwline); - - chomp ($pfwtemp[8]); - if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $SRC_PORT eq $pfwtemp[3] && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7]) - { - $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $pfwtemp[1] eq "0") { - $pfwkey1=$pfwtemp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($pfwtemp[1] eq "0" && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7] && - $errormessage eq '') - { - &portchecks($SRC_PORT, $pfwtemp[5]); -# &portchecks($pfwtemp[3], $pfwtemp[5]); -# &portchecks($pfwtemp[3], $SRC_IP); + my $DPORT = shift; + my $DPROT = shift; + my %natconfig =(); + my $confignat = "${General::swroot}/forward/config"; + $DPROT= uc ($DPROT); + &General::readhasharray($confignat, %natconfig); + foreach my $key (sort keys %natconfig){ + my @portarray = split (/|/,$natconfig{$key}[30]); + foreach my $value (@portarray){ + if ($value =~ /:/i){ + my ($a,$b) = split (":",$value); + if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + }else{ + if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + } } } - } -# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; - - return; + return; }
sub checkportoverlap @@ -239,32 +220,6 @@ sub checkportinc return 0; } } -# Darren Critchley - Duplicate or overlapping Port range check -sub portchecks -{ - my $p1 = $_[0]; # New port range - my $p2 = $_[1]; # existing port range -# $_ = $_[0]; - our ($prtrange1, $prtrange2); - $prtrange1 = 0; -# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges -# unless (&checkportoverlap($p1,$p2)) { -# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; -# } -# } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p2,$p1)) { - $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; - } - } - $prtrange1 = 1; - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p1,$p2)) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; - } - } - return; -}
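Review bot: The new checkportfw body splits the stored port list with `split (/|/,$natconfig{$key}[30])`, and `/|/` is an empty alternation that matches between every character, so `@portarray` holds single characters and a multi-digit port can never match either branch; the pipe needs escaping, `my @portarray = split (/\|/,$natconfig{$key}[30]);`. Because the only caller (the hunk at `@@ -1144,7 +1099,7 @@`) relies on `$errormessage` being set to block the save, a check that cannot fire lets an OpenVPN port that collides with a forward rule be saved without complaint. The range branch also compares ports as strings with `gt`/`lt`, which sorts "9" after "10" and excludes the range's own endpoints; it should be numeric and inclusive, `if ($DPROT eq $natconfig{$key}[12] && $DPORT >= $a && $DPORT <= $b){`. Declaring the halves as `my ($a,$b)` shadows Perl's sort variables and would break any custom `sort` comparator in the same scope, so `my ($from,$to)` is the safer spelling; note that checkportfw's opening line and its `$errormessage` declaration sit outside this hunk.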
# Darren Critchley - certain ports are reserved for IPFire # TCP 67,68,81,222,445 @@ -1144,7 +1099,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); } if ($errormessage) { goto SETTINGS_ERROR; } @@ -4895,11 +4850,10 @@ END </tr> END ; - my $id = 0; - my $gif; - foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) { - if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { print "<tr bgcolor='$color{'color20'}'>\n"; } else { diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi new file mode 100755 index 0000000..cfca542 --- /dev/null +++ b/html/cgi-bin/p2p-block.cgi 
@@ -0,0 +1,134 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### +# Author: Alexander Marx (Amarx@ipfire.org) # +############################################################################### + +use strict; +no warnings 'uninitialized'; +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +my $errormessage=''; +my $p2pfile = "${General::swroot}/forward/p2protocols"; + +my @p2ps = (); +my %fwdfwsettings=(); +my %color=(); +my %mainsettings=(); + +&General::readhash("${General::swroot}/forward/settings", %fwdfwsettings); +&General::readhash("${General::swroot}/main/settings", %mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); + + + +&Header::showhttpheaders(); +&Header::getcgihash(%fwdfwsettings); +&Header::openpage($Lang::tr{'fwdfw menu'}, 1, ''); +&Header::openbigbox('100%', 'center',$errormessage); + +if ($fwdfwsettings{'ACTION'} eq ''){ +&p2pblock; +} +if 
($fwdfwsettings{'ACTION'} eq 'togglep2p') +{ + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = <FILE>; + close FILE; + open( FILE, "> $p2pfile" ) or die "Unable to write $p2pfile"; + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /;/, $p2pentry ); + if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) { + if($p2pline[2] eq 'on'){ + $p2pline[2]='off'; + }else{ + $p2pline[2]='on'; + } + } + print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; + } + close FILE; + &rules; + &p2pblock; +} +if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'fwdfw reread'}) +{ + &reread_rules; + &p2pblock; +} + + +sub p2pblock +{ + if (-f "${General::swroot}/forward/reread"){ + print "<table border='1' rules='groups' bgcolor='lightgreen' width='100%'><form method='post'><td><div style='font-size:11pt; font-weight: bold;vertical-align: middle; '><input type='submit' name='ACTION' value='$Lang::tr{'fwdfw reread'}' style='font-face: Comic Sans MS; color: green; font-weight: bold; font-size: 14pt;'>    $Lang::tr{'fwhost reread'}</div></td></tr></table></form><br>"; + } + my $gif; + open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; + @p2ps = <FILE>; + close FILE; + &Header::openbox('100%', 'center', 'P2P-Block'); + print <<END; + <table width='35%' border='0'> + <tr bgcolor='$color{'color22'}'><td align=center colspan='2' ><b>$Lang::tr{'protocol'}</b></td><td align='center'><b>$Lang::tr{'status'}</b></td></tr> +END + foreach my $p2pentry (sort @p2ps) + { + my @p2pline = split( /;/, $p2pentry ); + if($p2pline[2] eq 'on'){ + $gif="/images/on.gif" + }else{ + $gif="/images/off.gif" + } + print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <tr bgcolor='$color{'color20'}'> + <td align='center' colspan='2' >$p2pline[0]:</td><td align='center'><input type='hidden' name='P2PROT' value='$p2pline[1]' /><input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; 
padding-bottom: 0px ;padding-right: 0px ;display: block;' ><input type='hidden' name='ACTION' value='togglep2p'></td></tr></form> +END + } + print"<tr><td><img src='/images/on.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p allow'}</td></tr>"; + print"<tr><td><img src='/images/off.gif'></td><td align='left'>$Lang::tr{'outgoing firewall p2p deny'}</td></tr></table>"; + print"<br><br><br><table width='100%'><tr><td align='left'>$Lang::tr{'fwdfw p2p txt'}</td></tr></table>"; + &Header::closebox(); +} +sub rules +{ + if (!-f "${General::swroot}/forward/reread"){ + system("touch ${General::swroot}/forward/reread"); + system("touch ${General::swroot}/fwhosts/reread"); + } +} +sub reread_rules +{ + system("/usr/local/bin/forwardfwctrl"); + if ( -f "${General::swroot}/forward/reread"){ + system("rm ${General::swroot}/forward/reread"); + system("rm ${General::swroot}/fwhosts/reread"); + } +} +&Header::closebigbox(); +&Header::closepage(); diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi deleted file mode 100644 index 199682f..0000000 --- a/html/cgi-bin/portfw.cgi +++ /dev/null 
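Review bot: The `togglep2p` branch rewrites `$p2pfile` through `open( FILE, "> $p2pfile" )` with no `flock`, so two concurrent toggle requests can interleave, and since `>` truncates before anything is printed, a failure mid-write leaves the protocol list empty; taking an exclusive lock and writing to a temporary file that is renamed over `$p2pfile` would close both gaps. The `rules` and `reread_rules` helpers shell out with `system("touch ...")` and `system("rm ...")` where Perl builtins do the job without spawning a shell: `unlink "${General::swroot}/forward/reread";` and `unlink "${General::swroot}/fwhosts/reread";`, and an `open`/`close` on the path in place of `touch`. In `p2pblock`, the `<input type='image' img src='$gif' ...>` tag carries a stray `img` attribute that should be dropped. The hash loaded from `forward/settings` is overlaid with CGI parameters by `&Header::getcgihash(%fwdfwsettings)`, which is harmless here because only `ACTION` and `P2PROT` are consulted, but a comment such as `# %fwdfwsettings also carries CGI parameters; never write it back to forward/settings` would keep a future change from persisting request data to disk.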
@@ -1,1177 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colouryellow} ); -undef (@dummy); - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", %mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); - -my %cgiparams=(); -my %selected=(); -my %checked=(); -my $prtrange1=0; -my $prtrange2=0; -my $errormessage = ''; -my $filename = "${General::swroot}/portfw/config"; -my $aliasfile = "${General::swroot}/ethernet/aliases"; - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'KEY1'} = '0'; -$cgiparams{'KEY2'} = '0'; -$cgiparams{'PROTOCOL'} = ''; -$cgiparams{'SRC_PORT'} = ''; 
-$cgiparams{'DEST_IP'} = ''; -$cgiparams{'DEST_PORT'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'ORIG_IP'} = ''; -$cgiparams{'REMARK'} = ''; -$cgiparams{'OVERRIDE'} = 'off'; -$cgiparams{'ACTION'} = ''; - -&Header::getcgihash(%cgiparams); - -my $disable_all = "0"; -my $enable_all = "0"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - &valaddupdate(); - - # Darren Critchley - if there is an error, don't waste any more time processing - if ($errormessage) { goto ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - my $key1 = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/,/,$line); - - chomp ($temp[8]); - if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $temp[1] eq "0") { - $key1=$temp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } - } else { - if ( $cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'ORIG_IP'} eq $temp[8]) - { - $errormessage = - "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - } - } - } - -ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add - $key1++; # Add one to last sequence number - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - if ($cgiparams{'ORIG_IP'} eq 
'0.0.0.0/0') { - # if the default/all is taken, then write it to the rule - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { # else create an extra record so it shows up - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n"; - print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule added'}); - system('/usr/local/bin/setportfw'); - } else { # else key1 eq 0 - my $insertpoint = ($cgiparams{'KEY2'} - 1); - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) { - if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule - $temp[8] = '0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - print FILE "$line\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'external access rule added'}); - system('/usr/local/bin/setportfw'); - } # end if if KEY1 eq 0 - } # end unless($errormessage) -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'update'}) -{ - &valaddupdate(); - - # Darren Critchley - If there is an error don't waste any more processing time - if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto 
UPD_ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - chomp ($temp[8]); - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0") - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - } - if ($cgiparams{'ORIG_IP'} eq $temp[8]) - { - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1]) - # If we have the same source ip within a portfw group, then we have a problem! - { - $errormessage = "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && 
$cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - } - - # Darren Critchley - rule to stop someone from entering ALL into a external access rule, - # the portfw is the only place that ALL can be specified - if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") { - $errormessage = "$Lang::tr{'xtaccess all error'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'KEY1'} ne $temp[0] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } # end port testing - - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - -UPD_ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } 
else { - # Darren Critchley - If it is a port forward record, then chances are good that a change was made to - # Destination Ip or Port, and we need to update all the associated external access records - if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) { - $temp[4] = $cgiparams{'DEST_IP'}; - $temp[5] = $cgiparams{'DEST_PORT'}; - $temp[2] = $cgiparams{'PROTOCOL'}; - } - - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - # Darren Critchley - Deal with the override to allow ALL - if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); - } - if ($errormessage) { - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } -} - -# Darren Critchley - Allows rules to be enabled and disabled -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - 
$xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - goto TOGGLEEXIT; - } - } - } - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n"; - } else { - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - 
$temp[6] = 'on'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); -TOGGLEEXIT: - undef %cgiparams; -} - - -# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - - unless ($errormessage) - { - foreach my $line (@current) - { - chomp($line); - my @temp = split(/,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = $temp[8]; - $cgiparams{'REMARK'} = $temp[9]; - } - - } - } -} - -# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - - # If the record being deleted is an xtaccess record, and it is the only one for a portfw record - # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur - # in setportfw.c - my $fixportfw = '0'; - if ($cgiparams{'KEY2'} ne "0") { - my $counter = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $counter++; - } - } - if ($counter eq 2) { - $fixportfw = '1'; - } - } - - unless ($errormessage) - { - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $linedeleted = 0; - foreach my $line (@current) - { - chomp($line); - my 
@temp = split(/,/,$line); - - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] || - $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" ) - { - $linedeleted = 1; - } else { - if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") { - $temp[8] = '0.0.0.0/0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; -# print FILE "$line\n"; - } - } - close(FILE); - if ($linedeleted == 1) { - &General::log($Lang::tr{'forwarding rule removed'}); - undef %cgiparams; - } - system('/usr/local/bin/setportfw'); - } -} - -# Darren Critchley - Added routine to allow external access rules to be added -if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = <FILE>; - close(FILE); - my $key = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $key = $temp[1] - } - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = ''; - $cgiparams{'REMARK'} = $temp[9]; - } - } - $key++; - $cgiparams{'KEY2'} = $key; - # Until the ADD button is hit, there needs to be no change to portfw rules -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) -{ - undef %cgiparams; -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_IP'} = '0.0.0.0'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{'gre'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = 
"selected='selected'"; - -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'><font color='${Header::colourred}'>$errormessage\n</font>"; - print " </class>\n"; - &Header::closebox(); -} - -print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){ -# if it is not a port forward record, don't validate as the fields are disabled - my $PROT = "\U$cgiparams{'PROTOCOL'}\E"; - # Darren Critchley - Format the source and destination ports - my $dstprt = $cgiparams{'DEST_PORT'}; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - -print <<END -<table> - <tr> - <td class='base'>$Lang::tr{'protocol'}: <b>$PROT</b></td> - <td width='20'> </td> - <td class='base' align='right'>$Lang::tr{'destination ip'}: </td> - <td><b>$cgiparams{'DEST_IP'}</b></td> - <td width='20'> </td> - <td class='base' align='right'>$Lang::tr{'destination port'}: </td> - <td><b>$dstprt</b></td> - </tr> -</table> - -<input type='hidden' name='PROTOCOL' value='$cgiparams{'PROTOCOL'}' /> -<input type='hidden' name='SRC_IP' value='$cgiparams{'SRC_IP'}' /> -<input type='hidden' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' /> -<input type='hidden' name='DEST_IP' value='$cgiparams{'DEST_IP'}' /> -<input type='hidden' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' /> -END -; -} else { -print <<END -<table width='100%'> - <tr> - <td width='10%'>$Lang::tr{'protocol'}: 
</td> - <td width='15%'> - <select name='PROTOCOL'> - <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option> - <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option> - <option value='gre' $selected{'PROTOCOL'}{'gre'}>GRE</option> - </select> - </td> - <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'alias ip'}:</font></td> - <td> - <select name='SRC_IP'> - <option value='0.0.0.0' $selected{'SRC_IP'}{'0.0.0.0'}>DEFAULT IP</option> -END -; -open(ALIASES, "$aliasfile") or die 'Unable to open aliases file.'; -while (<ALIASES>) -{ - chomp($_); - my @temp = split(/,/,$_); - if ($temp[1] eq 'on') { - print "<option value='$temp[0]' $selected{'SRC_IP'}{$temp[0]}>$temp[0]"; - if (defined $temp[2] and ($temp[2] ne '')) { print " ($temp[2])"; } - print "</option>\n"; - } -} -close(ALIASES); -print <<END - </select> - </td> - <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'source port'}:</font></td> - <td width='10%'><input type='text' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' size='8' /></td> - </tr> - <tr> - <td class='base'> </td> - <td> </td> - <td class='base'>$Lang::tr{'destination ip'}:</td> - <td><input type='text' name='DEST_IP' value='$cgiparams{'DEST_IP'}' size='15' /></td> - <td class='base'>$Lang::tr{'destination port'}:</td> - <td><input type='text' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='8' /></td> - </tr> -</table> -END -; -} - -print <<END -<table> - <tr> - <td class='base'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /> </td> - <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td> -END -; -unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") { - print "<td width='20'> </td>"; - print "<td>$Lang::tr{'enabled'} </td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n"; -} -print <<END - </tr> -</table> -END -; - -if ($cgiparams{'ACTION'} eq 
$Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){ -# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we -# don't want to allow a person to change the orig_ip field as it will mess other logic up - print "<input type='hidden' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' />\n"; -} else { -print <<END -<table> - <tr> - <td class='base'><font class='boldbase' color='${Header::colourred}'>$Lang::tr{'source network'}</font> <img src='/blob.gif' alt='*' /> </td> - <td><input type='text' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' size='15' /></td> - </tr> -</table> -END -; -} - -print <<END -<table width='100%'> - <hr /> - <tr> - <td class='base' width='25%'><img src='/blob.gif' alt ='*' align='top' /> <font class='base'>$Lang::tr{'this field may be blank'}</font></td> -END -; - - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - if($cgiparams{'KEY2'} eq "0"){ - print "<td width='35%' align='right'>$Lang::tr{'open to all'}: </td><td width='5%'><input type='checkbox' name='OVERRIDE' $checked{'OVERRIDE'}{'on'} /></td>\n"; - } else { - print "<td width='40%'> </td>\n"; - } - print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' />"; - print "<input type='hidden' name='KEY1' value='$cgiparams{'KEY1'}' />"; - print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' /></TD>"; - print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>"; - # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button -} else { - print "<td width='30%'> </td>\n"; - print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>"; - if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) { - print "<td align='center' width='15%'><input type='hidden' name='KEY1' 
value='$cgiparams{'KEY1'}' />"; - print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' />"; - print "<input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>"; - } elsif ($errormessage ne '') { - print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>"; - } else { - print "<td align='center' width='15%'><input type='reset' name='ACTION' value='$Lang::tr{'reset'}' /></td>"; - } -} -print <<END - <td width='5%' align='right'> </td> - </tr> -</table> -END -; -&Header::closebox(); - -print "</form>\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print <<END -<table width='100%'> -<tr> -<td width='7%' class='boldbase' align='center'><b>$Lang::tr{'proto'}</b></td> -<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'source'}</b></td> -<td width='2%' class='boldbase' align='center'> </td> -<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'destination'}</b></td> -<td width='24%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td> -<td width='4%' class='boldbase' colspan='4' align='center'><b>$Lang::tr{'action'}</b></td> -</tr> -END -; - -my $id = 0; -my $xtaccesscolor = '#F6F4F4'; -open(RULES, "$filename") or die 'Unable to open config file.'; -while (<RULES>) -{ - my $protocol = ''; - my $gif = ''; - my $gdesc = ''; - my $toggle = ''; - chomp($_); - my @temp = split(/,/,$_); - $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init - if ($temp[2] eq 'udp') { - $protocol = 'UDP'; } - elsif ($temp[2] eq 'gre') { - $protocol = 'GRE' } - else { - $protocol = 'TCP' } - # Change bgcolor when a new portfw rule is added - if ($temp[1] eq "0"){ - $id++; - } - # Darren Critchley highlight the row we are editing - if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - print "<tr bgcolor='${Header::colouryellow}'>\n"; - } else { - if ($id % 2) { - print 
"<tr bgcolor='$color{'color22'}'>\n"; - } - else { - print "<tr bgcolor='$color{'color20'}'>\n"; - } - } - - if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - this code no longer works - should we remove? - # catch for 'old-style' rules file - assume default ip if - # none exists - if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') { - $temp[7] = 'DEFAULT IP'; } - if ($temp[1] eq '0') { # Port forwarding entry - - # Darren Critchley - Format the source and destintation ports - my $srcprt = $temp[3]; - $srcprt =~ s/-/ - /; - $srcprt =~ s/:/ - /; - my $dstprt = $temp[5]; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[2]))); - if ($servi ne '' && $temp[3] < 1024) { - $srcprt = "$srcprt($servi)"; } - } - $_=$temp[5]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[5], lc($temp[2]))); - if ($servi ne '' && $temp[5] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - - # Darren Critchley - If the line is too long, wrap the port numbers - my $srcaddr = "$temp[7] : $srcprt"; - if (length($srcaddr) > 22) { - $srcaddr = "$temp[7] :<br /> $srcprt"; - } - my $dstaddr = "$temp[4] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[4] :<br /> $dstprt"; - } -print <<END -<td align='center'>$protocol</td> -<td align='center'>$srcaddr</td> -<td align='center'><img src='/images/forward.gif' alt='=>' /></td> -<td align='center'>$dstaddr</td> -<td align='left'> $temp[9]</td> -<td align='center'> - <form method='post' name='frm$temp[0]c' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'toggle 
enable disable'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - <input type='hidden' name='ENABLED' value='$toggle' /> - </form> -</td> - -<td align='center'> - <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'add xtaccess'}' /> - <input type='image' name='$Lang::tr{'add xtaccess'}' src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' title='$Lang::tr{'add xtaccess'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - </form> -</td> - -<td align='center'> - <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - </form> -</td> - -<td align='center'> - <form method='post' name='frm$temp[0]b' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> - <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - </form> -</td> - -</tr> -END - ; - } else { # external access entry -print <<END -<td align='center'> </td> - -<td align='left' colspan='4'> <font color='${Header::colourred}'>$Lang::tr{'access allowed'}</font> $temp[8] ($temp[9])</td> - -<td align='center'> - <form method='post' name='frm$temp[0]$temp[1]t' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' 
name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - <input type='hidden' name='ENABLED' value='$toggle' /> - </form> -</td> - -<td align='center'> </td> - -<td align='center'> - <form method='post' name='frm$temp[0]$temp[1]' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - </form> -</td> - -<td align='center'> - <form method='post' name='frm$temp[0]b$temp[1]b' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> - <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> - <input type='hidden' name='KEY1' value='$temp[0]' /> - <input type='hidden' name='KEY2' value='$temp[1]' /> - </form> -</td> - -</tr> -END - ; - } -} - -close(RULES); - -print "</table>"; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! 
-z "$filename") { -print <<END -<table> -<tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}: </b></td> - <td><img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> - <td> </td> - <td><img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> </td> - <td><img src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' /></td> - <td class='base'>$Lang::tr{'add xtaccess'}</td> - <td> </td> - <td><img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> - <td class='base'>$Lang::tr{'edit'}</td> - <td> </td> - <td><img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> - <td class='base'>$Lang::tr{'remove'}</td> -</tr> -</table> -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -# Validate Field Entries -sub validateparams -{ - # Darren Critchley - Get rid of dashes in port ranges - $cgiparams{'DEST_PORT'}=~ tr/-/:/; - $cgiparams{'SRC_PORT'}=~ tr/-/:/; - - # Darren Critchley - code to substitue wildcards - if ($cgiparams{'SRC_PORT'} eq "*") { - $cgiparams{'SRC_PORT'} = "1:65535"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\D):(\d+)$/) { - $cgiparams{'SRC_PORT'} = "1:$2"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\d+):(\D)$/) { - $cgiparams{'SRC_PORT'} = "$1:65535"; - } - if ($cgiparams{'DEST_PORT'} eq "*") { - $cgiparams{'DEST_PORT'} = "1:65535"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\D):(\d+)$/) { - $cgiparams{'DEST_PORT'} = "1:$2"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\d+):(\D)$/) { - $cgiparams{'DEST_PORT'} = "$1:65535"; - } - - # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder - if ($cgiparams{'PROTOCOL'} eq 'gre') { - $cgiparams{'SRC_PORT'} = "GRE"; - $cgiparams{'DEST_PORT'} = "GRE"; - } - - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; } - # Darren Critchley - Changed how the error 
routine works a bit - for the validportrange check, we need to - # pass in src or dest to determine which side we are working with. - # the routine returns the complete error or '' - if ($cgiparams{'PROTOCOL'} ne 'gre') { - $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src'); - } - if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) { - # if it is a port forward record with 0 in orig_ip then ignore checking this field - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { - $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; } - } - } - # Darren Critchey - New rule that sets destination same as source if dest_port is blank. - if ($cgiparams{'DEST_PORT'} eq ''){ - $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'}; - } - # Darren Critchey - Just in case error message is already set, this routine would wipe it out if - # we don't do a test here - if ($cgiparams{'PROTOCOL'} ne 'gre') { - unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');} - } - unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - return; -} - -# Darren Critchley - we want to make sure that a port range does not overlap another port range -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/:/,$portrange1); - my @tempr2 = split(/:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! 
-} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for Ipcop -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - -# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same -sub valaddupdate -{ - if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly - &validateparams(); - } else { # it is an xtaccess rule, just 
check for a valid ip - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { # this rule stops someone from adding an ALL xtaccess record - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess - if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") { - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - # Darren Critchley - Check to see if we are working with port ranges - our ($prtrange1, $prtrange2); - $_ = $cgiparams{'SRC_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange1 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange1 == 1){ # check for source ports reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } else { # check for source port reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } - } - - $_ = $cgiparams{'DEST_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange2 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange2 == 1){ # check for destination ports reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } else { # check for destination port reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } - } - - -EXITSUB: - return; -} - -# Darren Critchley - 
Duplicate or overlapping Port range check -sub portchecks -{ - $_ = $_[0]; - our ($prtrange1, $prtrange2); - if (m/:/ && $prtrange1 == 1) { # comparing two port ranges - unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) { - $errormessage = "$Lang::tr{'source port overlaps'} $_[0]"; - } - } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) { - $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]"; - } - } - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]"; - } - } - - if ($errormessage eq ''){ - $_ = $_[1]; - if (m/:/ && $prtrange2 == 1) { # if true then there is a port range - unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) { - $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]"; - } - } - if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) { - $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]"; - } - } - if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) { - $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]"; - } - } - } - return; -} diff --git a/html/cgi-bin/upnp.cgi b/html/cgi-bin/upnp.cgi index 8d2666e..2b03eff 100644 --- a/html/cgi-bin/upnp.cgi +++ b/html/cgi-bin/upnp.cgi @@ -82,7 +82,7 @@ if ($upnpsettings{'ACTION'} eq $Lang::tr{'save'}) debug_mode = $upnpsettings{'DEBUGMODE'} insert_forward_rules = $upnpsettings{'FORWARDRULES'} forward_chain_name = FORWARD -prerouting_chain_name = PORTFW +prerouting_chain_name = UPNPFW upstream_bitrate = $upnpsettings{'DOWNSTREAM'} downstream_bitrate = $upnpsettings{'UPSTREAM'} description_document_name = $upnpsettings{'DESCRIPTION'} 
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 58645c3..2fbe480 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -23,7 +23,7 @@ use Net::DNS;
 use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
 use strict;
-
+use Sort::Naturally;
 # enable only the following on debugging purpose
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
@@ -2491,7 +2491,7 @@ END
 ;
 my $id = 0;
 my $gif;
- foreach my $key (keys %confighash) {
+ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
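Review bot: `use Sort::Naturally;` pulls in a CPAN module that is not part of core Perl, so this CGI now dies at compile time (`Can't locate Sort/Naturally.pm`) on any system where the module is missing, taking the entire IPsec page down with it. I cannot see from this chunk whether the module is added to the build (an lfs file plus rootfile entry) and shipped in the update package for existing installations; please confirm both, since a missing runtime dependency here is a hard outage rather than a cosmetic ordering issue. If the module only serves the single `sort` further down in this file, a core-only comparator such as `sort { lc($confighash{$a}[1]) cmp lc($confighash{$b}[1]) }` would avoid the new dependency at the cost of natural numeric ordering.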
 if ($id % 2) {
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4e005e1..c054b0c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1,4 +1,4 @@
-%tr = (
+%tr = ( %tr,
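Review bot: The comparator keys on `$confighash{$a}[1]` / `$confighash{$b}[1]` without saying what that index holds, and `ncmp` will quietly compare empty strings (with at most an uninitialized-value warning, which this file keeps disabled via the commented `#use warnings;`) if an entry lacks that field, so the intent should be written down; I would add `# sort connections by name (field [1]) in natural order, so "conn10" follows "conn9"` above the `foreach`, assuming field [1] is the connection name — confirm against where %confighash is populated. Since this replaces the arbitrary `keys %confighash` order with a deterministic one, the change in display order is worth a sentence in the commit message. The `foreach` body continues beyond the end of the hunk.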
'Act as' => 'Konfiguriert als', @@ -187,7 +187,6 @@ 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)', 'advproxy cache management' => 'Cacheverwaltung', 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie', -'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren', 'advproxy chgwebpwd ERROR' => 'F E H L E R :', 'advproxy chgwebpwd SUCCESS' => 'E R F O L G :', 'advproxy chgwebpwd change password' => 'Passwort Àndern', @@ -747,12 +746,16 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion fÃŒr Dead Peer Detection', 'driver' => 'Treiber', -'drop input' => 'Verworfene Input-Pakete loggen', +'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', +'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', +'drop action2' => 'Standardverhalten der (Input) Firewall', +'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', +'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop output' => 'Verworfene Output-Pakete loggen', -'drop portscan' => 'Verworfene Portscan-Pakete loggen', -'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind', -'drop samba' => 'Alle Microsoft-Pakete verwerfen, Ports 135,137,138,139,445,1025', +'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen', +'drop portscan' => 'Verworfene Portscan Pakete loggen', +'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', +'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Verworfene Wireless Forward Pakete loggen', 'drop wirelessinput' => 'Verworfene Wireless Input Pakete loggen', 'dst port' => 'Ziel-Port', 
@@ -882,6 +885,7 @@ 'fixed ip lease removed' => 'Feste IP-Zuordnung gelöscht', 'force update' => 'Aktualisierung erzwingen', 'force user' => 'Standardbenutzer fÃŒr das UNIX Dateisystem', +'forward firewall' => 'Firewall', 'forwarding rule added' => 'Weiterleitungsregel hinzugefÃŒgt. Starte Weiterleitung neu', 'forwarding rule removed' => 'Weiterleitungsregel entfernt. Starte Weiterleitung neu', 'forwarding rule updated' => 'Weiterleitungsregel aktualisiert; starte Weiterleitung neu', 
@@ -899,7 +903,175 @@ 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gÃŒltig', 'fw blue' => 'Firewall-Optionen fÃŒr das Blaue Interface', +'fw default drop' => 'Firewall Policy', 'fw logging' => 'Firewall-Logging', +'fw settings' => 'Firewall-Einstellungen', +'fw settings color' => 'Farben in Regeltabelle anzeigen', +'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', +'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', +'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', +'fwdfw DROP' => 'Verwerfen (DROP)', +'fwdfw MODE1' => 'Alle Pakete verwerfen', +'fwdfw MODE2' => 'Alle Pakete annehmen', +'fwdfw REJECT' => 'Verweigern (REJECT)', +'fwdfw action' => 'Aktion', +'fwdfw additional' => 'Weitere Einstellungen', +'fwdfw addr grp' => 'Adressgruppen:', +'fwdfw addrule' => 'Regel hinzufÃŒgen/Àndern:', +'fwdfw change' => 'Aktualisieren', +'fwdfw copy' => 'Kopieren', +'fwdfw cust addr' => 'Custom Adressen:', +'fwdfw cust net' => 'Custom Netzwerke:', +'fwdfw delete' => 'Löschen', +'fwdfw dnat' => 'DNAT/Port-Weiterleitung', +'fwdfw dnat error' => 'FÃŒr Destination-NAT muss ein einzelner Host als Ziel ausgewÀhlt werden. 
Gruppen oder Netzwerke sind nicht erlaubt', +'fwdfw dnat porterr' => 'FÃŒr NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden', +'fwdfw edit' => 'Bearbeiten', +'fwdfw err nosrc' => 'Keine Quelle ausgewÀhlt', +'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben', +'fwdfw err notgt' => 'Kein Ziel ausgewÀhlt', +'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben', +'fwdfw err prot' => 'Quell- und Zielprotokoll mÃŒssen identisch sein', +'fwdfw err remark' => 'Die Bemerkung enthÀlt ungÃŒltige Zeichen', +'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', +'fwdfw err same' => 'Quelle und Ziel sind identisch', +'fwdfw err samesub' => 'Quell- und Ziel-IP-Adresse befinden sich im selben Subnetz', +'fwdfw err src_addr' => 'Quell-MAC/IP-Adresse ungÃŒltig', +'fwdfw err srcovpn' => 'Die gewÀhlte Quell-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. Bitte wÀhlen Sie die passende Verbindung direkt aus.', +'fwdfw err srcport' => 'Bitte Quellport angeben', +'fwdfw err tgt_addr' => 'UngÃŒltige Ziel-IP-Adresse', +'fwdfw err tgt_grp' => 'Die Ziel-Dienstgruppe ist leer', +'fwdfw err tgt_mac' => 'MAC-Adressen können nicht als Ziel defininert werden', +'fwdfw err tgt_port' => 'UngÃŒltiger Zielport', +'fwdfw err tgtovpn' => 'Die gewÀhlte Ziel-IP-Adresse wird bereits von einem OpenVPN-Client genutzt. 
Bitte wÀhlen Sie die passende Verbindung direkt aus.', +'fwdfw err tgtport' => 'Bitte Zielport angeben', +'fwdfw err time' => 'Es muss mindestens ein Tag ausgewÀhlt werden', +'fwdfw final_rule' => 'Letzte Regel: ', +'fwdfw from' => 'Von:', +'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel mag eventuell niemals zutreffen, da sich Quelle und Ziel ÃŒberlappen.', +'fwdfw hint ip2' => 'Bitte ÃŒberprÃŒfen Sie, ob diese Regel Sinn macht: ', +'fwdfw ipsec network' => 'IPsec-Netzwerke:', +'fwdfw log rule' => 'Logging aktivieren', +'fwdfw man port' => 'Port(s):', +'fwdfw menu' => 'Firewallregeln', +'fwdfw movedown' => 'Herunter', +'fwdfw moveup' => 'Herauf', +'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.', +'fwdfw newrule' => 'Neue Regel erstellen', +'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.', +'fwdfw pol allow' => 'Zugelassen', +'fwdfw pol block' => 'Blockiert', +'fwdfw pol text' => 'Firewall-Standardverhalten fÃŒr Verbindungen aus lokalen Netzwerken: Alle Verbindungen können entweder zugelassen oder geblockt werden, wenn keine Ausnahmeregel zutrifft. 
"Blockiert" trennt ebenfalls die Kommunikation zwischen den lokalen Netzwerken.', +'fwdfw pol text1' => 'Firewall-Standardverhalten fÃŒr von der Firewall selbst initiierte Verbindungen.', +'fwdfw pol title' => 'Standardverhalten der Firewall', +'fwdfw red' => 'ROT', +'fwdfw reread' => 'Übernehmen', +'fwdfw rule action' => 'Regelaktion:', +'fwdfw rule activate' => 'Regel aktivieren', +'fwdfw rulepos' => 'Regelposition', +'fwdfw rules' => 'Regeln', +'fwdfw snat' => 'SNAT (ersetzt die Quell-IP-Adresse mit der hier konfigurierten)', +'fwdfw source' => 'Quelle', +'fwdfw sourceip' => 'Quelladresse (IP/MAC-Adresse oder Netzwerk):', +'fwdfw std network' => 'Standard Netzwerke:', +'fwdfw target' => 'Ziel', +'fwdfw targetip' => 'Zieladresse (IP/MAC-Adresse oder Netzwerk):', +'fwdfw till' => 'Bis:', +'fwdfw time' => 'Zeitrahmen', +'fwdfw timeframe' => 'Zeitrahmen hinzufÃŒgen', +'fwdfw toggle' => 'Aktivieren oder deaktivieren', +'fwdfw togglelog' => 'Log aktivieren oder deaktivieren', +'fwdfw use nat' => 'NAT benutzen', +'fwdfw use srcport' => 'Quellport benutzen', +'fwdfw use srv' => 'Zielport benutzen', +'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.', +'fwdfw wd_fri' => 'Fr', +'fwdfw wd_mon' => 'Mo', +'fwdfw wd_sat' => 'Sa', +'fwdfw wd_sun' => 'So', +'fwdfw wd_thu' => 'Do', +'fwdfw wd_tue' => 'Di', +'fwdfw wd_wed' => 'Mi', +'fwdfw xt access' => 'Input', +'fwhost addgrp' => 'Neue Gruppe hinzufÃŒgen:', +'fwhost addgrpname' => 'Gruppenname:', +'fwhost addhost' => 'Neuen Host hinzufÃŒgen:', +'fwhost addnet' => 'Neues Netzwerk hinzufÃŒgen:', +'fwhost addrule' => 'Regel hinzufÃŒgen/Àndern:', +'fwhost addservice' => 'Neuen Dienst hinzufÃŒgen:', +'fwhost addservicegrp' => 'Neue Dienstgruppe hinzufÃŒgen:', +'fwhost any' => 'Alle', +'fwhost attention' => 'ACHTUNG', +'fwhost back' => 'ZurÃŒck', +'fwhost blue' => 'Blau', +'fwhost ccdhost' => 'OpenVPN-Clients:', +'fwhost ccdnet' => 'OpenVPN-Netzwerke:', +'fwhost change' => 'Ändern', +'fwhost changeremark' => 'Es wurde nur die 
Bemerkung angepasst.', +'fwhost cust addr' => 'Hosts:', +'fwhost cust grp' => 'Gruppen:', +'fwhost cust net' => 'Netzwerke:', +'fwhost cust service' => 'Dienste:', +'fwhost cust srvgrp' => 'Dienstgruppen', +'fwhost deleted' => 'Gelöscht', +'fwhost empty' => 'Keine Regeln definiert', +'fwhost err addr' => 'IP-Adresse oder Subnetzmaske ungÃŒltig', +'fwhost err addrgrp' => 'Bitte Gruppennamen angeben', +'fwhost err empty' => 'Bitte alle Felder ausfÃŒllen', +'fwhost err emptytable' => 'Keine EintrÀge in Gruppe', +'fwhost err groupempty' => 'Die gewÀhlte Gruppe ist leer', +'fwhost err grpexist' => 'Die Gruppe existiert bereits', +'fwhost err hostexist' => 'Ein Host mit diesem Namen existiert bereits', +'fwhost err hostorip' => 'Name oder IP-Adresse ungÃŒltig', +'fwhost err ip' => 'IP-Adresse ungÃŒltig', +'fwhost err ipcheck' => 'Diese IP-Adresse wird bereits verwendet', +'fwhost err ipmac' => 'UngÃŒltige IP/MAC-Addresse', +'fwhost err ipwithsub' => 'Bitte nur eine IP-Adresse (ohne Subnetzmaske) eingeben', +'fwhost err isccdhost' => 'Dieser Name wird bereits fÃŒr einen OpenVPN-Host verwendet', +'fwhost err isccdiphost' => 'Diese IP-Adresse wird bereits fÃŒr einen OpenVPN-Host verwendet', +'fwhost err isccdipnet' => 'Diese IP-Adresse wird bereits fÃŒr einen OpenVPN-Netzwerk verwendet', +'fwhost err isccdnet' => 'Dieser Name wird bereits fÃŒr einen OpenVPN-Netzwerk verwendet', +'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe', +'fwhost err mac' => 'UngÃŒltige MAC-Adresse', +'fwhost err name' => 'UngÃŒltiger Name. 
Erlaubte Zeichen: Klein- und Großbuchstaben, Leerzeichen und Bindestrich.', +'fwhost err name1' => 'Der Name muss ausgefÃŒllt sein', +'fwhost err net' => 'Netzwerk/IP-Adresse existiert bereits', +'fwhost err netexist' => 'Ein Netz mit diesem Namen existiert bereits', +'fwhost err partofnet' => 'Dieses Netzwerk ist ein Subnetz eines bereits existierenden Netzwerks', +'fwhost err port' => 'Port muss gefÃŒllt sein', +'fwhost err remark' => 'UngÃŒltige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.', +'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', +'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', +'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufÃŒgen, keine Netzwerke', +'fwhost green' => 'GrÃŒn', +'fwhost hint' => 'Hinweis', +'fwhost hosts' => 'Firewall-Hosts', +'fwhost icmptype' => 'ICMP-Typ:', +'fwhost ip_mac' => 'IP/MAC-Adresse', +'fwhost ipadr' => 'IP-Adresse:', +'fwhost ipsec host' => 'IPsec-Clients:', +'fwhost ipsec net' => 'IPsec-Netzwerke:', +'fwhost menu' => 'Firewallgruppen', +'fwhost netaddress' => 'Netzwerkadresse', +'fwhost newgrp' => 'Netzwerk-/Hostgruppen', +'fwhost newhost' => 'Hosts', +'fwhost newnet' => 'Netzwerke', +'fwhost newservice' => 'Dienst', +'fwhost newservicegrp' => 'Dienstgruppen', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protokoll', +'fwhost reread' => 'Die Firewallregeln mÃŒssen neu eingelesen werden.', +'fwhost reset' => 'Abbrechen', +'fwhost services' => 'Dienste', +'fwhost srv_name' => 'Dienstname', +'fwhost stdnet' => 'Standard-Netzwerke:', +'fwhost type' => 'Typ', +'fwhost used' => 'Genutzt', +'fwhost welcome' => 'Hier können einzelne Hosts, Netzwerke oder Dienste zu Gruppen zusammengefasst werden, was das erstellen von Firewallregeln einfacher und schneller macht.', +'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 
'gateway ip' => 'Gateway-IP', 'gen static key' => 'Statischen SchlÃŒssel erzeugen', @@ -1289,7 +1461,7 @@ 'network traffic graphs others' => 'Netzwerk (sonstige)', 'network updated' => 'Benutzerdefiniertes Netzwerk aktualisiert', 'networks settings' => 'Firewall - Netzwerkeinstellungen', -'new optionsfw later' => 'Ihre Modifikation(en) wird (werden) beim nÀchsten Neustart aktiv werden', +'new optionsfw later' => 'Einige Einstellungen werden erst nach einem Neustart aktiv', 'new optionsfw must boot' => 'Sie mÃŒssen Ihren IPFire neu starten', 'newer' => 'Neuer', 'next' => 'NÀchster', @@ -1353,7 +1525,7 @@ 'optional at cmd' => 'zusÀtzlicher Modembefehl', 'optional data' => '3. Optionale Einstellungen', 'options' => 'Optionen', -'options fw' => 'Firewall Optionen', +'options fw' => 'Firewall-Optionen', 'optionsfw portlist hint' => 'Die Liste der Ports muss durch ein Komma getrennt werden (z.B. 137,138). Sie können maximal bis zu 15 Ports pro Protokoll angeben.', 'optionsfw warning' => 'VerÀndern dieser Optionen bedingt einen Neustart der Firewall', 'or' => 'oder', @@ -1553,6 +1725,7 @@ 'reconnect' => 'Neu Verbinden', 'reconnection' => 'Wiederverbindung', 'red' => 'Internet', +'red1' => 'ROT', 'references' => 'Referenzen', 'refresh' => 'Aktualisieren', 'refresh index page while connected' => 'Aktualisere index.cgi Seite wÀhrend der Verbindung', @@ -2307,7 +2480,7 @@ 'wlanap encryption' => 'VerschlÃŒsselung', 'wlanap informations' => 'Informationen', 'wlanap interface' => 'Interface ÃŒbernehmen', -'wlanap invalid wpa' => 'UngÃŒltige LÀnge in WPA-Passphrase. Muss zwischen 8 und 63 ASCII-Zeichen lang sein.', +'wlanap invalid wpa' => 'UngÃŒltige LÀnge in WPA-Passphrase. Muss zwischen 8 und 63 Zeichen lang sein.', 'wlanap link dhcp' => 'Wireless Lan DHCP-Einstellungen', 'wlanap link wireless' => 'Wireless Lan Clients freischalten', 'wlanap no interface' => 'AusgewÀhltes Interface ist keine WLAN-Karte!', 
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ba80985..c38ba96 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr,
'Act as' => 'Act as:', @@ -187,7 +187,6 @@ 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)', 'advproxy cache management' => 'Cache management', 'advproxy cache replacement policy' => 'Cache replacement policy', -'advproxy cache-digest' => 'Enable Cache-Digest Generation', 'advproxy chgwebpwd ERROR' => 'E R R O R :', 'advproxy chgwebpwd SUCCESS' => 'S U C C E S S :', 'advproxy chgwebpwd change password' => 'Change password', @@ -771,9 +770,13 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', +'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', +'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', +'drop action2' => 'Default behaviour of (input) firewall', +'drop forward' => 'Log dropped forward packets', 'drop input' => 'Log dropped input packets', 'drop newnotsyn' => 'Log dropped new not syn packets', -'drop output' => 'Log dropped output packets', +'drop outgoing' => 'Log dropped outgoing packets', 'drop portscan' => 'Log dropped portscan packets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', @@ -907,6 +910,7 @@ 'fixed ip lease removed' => 'Fixed IP lease removed', 'force update' => 'Force update', 'force user' => 'force all new file to user', +'forward firewall' => 'Firewall', 'forwarding rule added' => 'Forwarding rule added; restarting forwarder', 'forwarding rule removed' => 'Forwarding rule removed; restarting forwarder', 'forwarding rule updated' => 'Forwarding rule updated; restarting forwarder', 
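Review bot: `%tr = ( %tr,` re-seeds the hash from whatever it already holds, so keys present before en.pl is loaded survive and are overridden by this file's duplicates, which makes load order significant for the first time; a one-line comment above it naming which files are expected to populate `%tr` before this one (presumably the addon language files) would stop a later reader from "simplifying" it back to `%tr = (`. The same line appears to be changed in de.pl, whose hunk starts before this chunk. The hash initializer continues outside the hunk.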
@@ -924,7 +928,175 @@ 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', 'fw blue' => 'Firewall options for BLUE interface', +'fw default drop' => 'Firewall policy', 'fw logging' => 'Firewall logging', +'fw settings' => 'Firewall settings', +'fw settings color' => 'Show colors in ruletable', +'fw settings dropdown' => 'Show all networks on rulecreation site', +'fw settings remark' => 'Show remarks in ruletable', +'fw settings ruletable' => 'Show empty ruletables', +'fwdfw ACCEPT' => 'ACCEPT', +'fwdfw DROP' => 'DROP', +'fwdfw MODE1' => 'Drop all packets', +'fwdfw MODE2' => 'Accept all packets', +'fwdfw REJECT' => 'REJECT', +'fwdfw action' => 'Action', +'fwdfw additional' => 'Additional settings', +'fwdfw addr grp' => 'Adress groups:', +'fwdfw addrule' => 'Add/Edit rule:', +'fwdfw change' => 'Update', +'fwdfw copy' => 'Copy', +'fwdfw cust addr' => 'Custom addresses:', +'fwdfw cust net' => 'Custom networks:', +'fwdfw delete' => 'Delete', +'fwdfw dnat' => 'Port forwarding/Destination NAT', +'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.', +'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', +'fwdfw edit' => 'Edit', +'fwdfw err nosrc' => 'No source selected.', +'fwdfw err nosrcip' => 'Please provide a source IP address.', +'fwdfw err notgt' => 'No destination selected.', +'fwdfw err notgtip' => 'Please provide a destination IP address.', +'fwdfw err prot' => 'Source and destination protocol need to match.', +'fwdfw err remark' => 'Invalid characters in remark.', +'fwdfw err ruleexists' => 'This rule already exists.', +'fwdfw err same' => 'Source and destination are identical.', +'fwdfw err samesub' => 'Source and destination IP addresses are from the same subnet.', +'fwdfw err src_addr' => 'Invalid source MAC/IP address.', +'fwdfw err srcovpn' => 'The entered source IP address is used by an OpenVPN client. 
Please use the dropdown menu and select the right client connection.', +'fwdfw err srcport' => 'Please provide a source port.', +'fwdfw err tgt_addr' => 'Invalid destination IP address.', +'fwdfw err tgt_grp' => 'The destination service group is empty', +'fwdfw err tgt_mac' => 'A MAC addresses cannot be used as destination.', +'fwdfw err tgt_port' => 'Invalid destination port.', +'fwdfw err tgtovpn' => 'The entered destination IP address is used by an OpenVPN client. Please use the dropdown menu and select the right client connection.', +'fwdfw err tgtport' => 'Please provide a destination port.', +'fwdfw err time' => 'You have to select at least one day.', +'fwdfw final_rule' => 'Last rule: ', +'fwdfw from' => 'From:', +'fwdfw hint ip1' => 'The last generated rule may never match, because source and destination subnets may overlap.', +'fwdfw hint ip2' => 'Please double-check if this rule makes sense: ', +'fwdfw ipsec network' => 'IPsec networks:', +'fwdfw log rule' => 'Log rule', +'fwdfw man port' => 'Port(s):', +'fwdfw menu' => 'Firewall Rules', +'fwdfw movedown' => 'Move down', +'fwdfw moveup' => 'Move up', +'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.', +'fwdfw newrule' => 'New rule', +'fwdfw p2p txt' => 'Grant/deny access to P2P networks.', +'fwdfw pol allow' => 'Allowed', +'fwdfw pol block' => 'Blocked', +'fwdfw pol text' => 'Sets the default firewall behaviour for connections from local networks. You may either allow all new connections or block them by default. Connections between the local networks are also blocked in the latter mode.', +'fwdfw pol text1' => 'Sets the default firewall behaviour for connections initiated by the firewall itself. Attention! 
You may lock yourself out.', +'fwdfw pol title' => 'Default firewall behaviour', +'fwdfw red' => 'RED', +'fwdfw reread' => 'Apply', +'fwdfw rule action' => 'Rule action:', +'fwdfw rule activate' => 'Activate rule', +'fwdfw rulepos' => 'Rule position', +'fwdfw rules' => 'Rules', +'fwdfw snat' => 'SNAT (replace the source's IP address by this IP address)', +'fwdfw source' => 'Source', +'fwdfw sourceip' => 'Source address (MAC/IP address or network):', +'fwdfw std network' => 'Standard networks:', +'fwdfw target' => 'Destination', +'fwdfw targetip' => 'Destination address (MAC/IP address or network):', +'fwdfw till' => 'Until:', +'fwdfw time' => 'Time Constraints', +'fwdfw timeframe' => 'Use time constraints', +'fwdfw toggle' => 'Activate or deactivate', +'fwdfw togglelog' => 'Activate or deactivate logging', +'fwdfw use nat' => 'Use NAT', +'fwdfw use srcport' => 'Use source port', +'fwdfw use srv' => 'Use destination port', +'fwdfw useless rule' => 'This rule is useless.', +'fwdfw wd_fri' => 'Fri', +'fwdfw wd_mon' => 'Mon', +'fwdfw wd_sat' => 'Sat', +'fwdfw wd_sun' => 'Sun', +'fwdfw wd_thu' => 'Thu', +'fwdfw wd_tue' => 'Tue', +'fwdfw wd_wed' => 'Wed', +'fwdfw xt access' => 'Input', +'fwhost addgrp' => 'Add new network/host group:', +'fwhost addgrpname' => 'Group name:', +'fwhost addhost' => 'Add new host:', +'fwhost addnet' => 'Add new hetwork:', +'fwhost addrule' => 'Add/edit rule:', +'fwhost addservice' => 'Add service:', +'fwhost addservicegrp' => 'Add new service group:', +'fwhost any' => 'Any', +'fwhost attention' => 'ATTENTION', +'fwhost back' => 'Back', +'fwhost blue' => 'Blue', +'fwhost ccdhost' => 'OpenVPN clients:', +'fwhost ccdnet' => 'OpenVPN networks:', +'fwhost change' => 'Modify', +'fwhost changeremark' => 'You modified just the remark', +'fwhost cust addr' => 'Hosts:', +'fwhost cust grp' => 'Network/Host Groups:', +'fwhost cust net' => 'Networks:', +'fwhost cust service' => 'Services:', +'fwhost cust srvgrp' => 'Service Groups:', +'fwhost deleted' => 
'Deleted', +'fwhost empty' => 'No rules defined', +'fwhost err addr' => 'Invalid IP address or subnet', +'fwhost err addrgrp' => 'Please provide a group name', +'fwhost err empty' => 'Please fill in all input fields', +'fwhost err emptytable' => 'No entries in this group', +'fwhost err groupempty' => 'The selected group is empty', +'fwhost err grpexist' => 'Group already exists', +'fwhost err hostexist' => 'A host with the same name already exists', +'fwhost err hostorip' => 'Invalid name or IP address', +'fwhost err ip' => 'IP address invalid', +'fwhost err ipcheck' => 'This IP address is already in use', +'fwhost err ipmac' => 'IP/MAC address invalid', +'fwhost err ipwithsub' => 'Please provide only an IP address (without subnet mask)', +'fwhost err isccdhost' => 'This name is already used by an OpenVPN client connection', +'fwhost err isccdiphost' => 'This IP address is already used by an OpenVPN client connection', +'fwhost err isccdipnet' => 'This IP address is already used by an OpenVPN network connection', +'fwhost err isccdnet' => 'This name is already used by an OpenVPN network', +'fwhost err isingrp' => 'This entry already exists in the group', +'fwhost err mac' => 'Invalid MAC address', +'fwhost err name' => 'Invalid name. Allowed characters: Upper- and lowercase letters, digits, space and dash.', +'fwhost err name1' => 'Empty name.', +'fwhost err net' => 'Network/IP address already exists', +'fwhost err netexist' => 'A network with the same name already exists', +'fwhost err partofnet' => 'The network is a subnet of an already existing network.', +'fwhost err port' => 'Port is empty', +'fwhost err remark' => 'Invalid remark. 
Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.', +'fwhost err srv exists' => 'A service with the same name already exists', +'fwhost err srvexist' => 'This service already exists in the group', +'fwhost err sub32' => 'Please add a single host, not a network.', +'fwhost green' => 'Green', +'fwhost hint' => 'Note', +'fwhost hosts' => 'Firewall Hosts', +'fwhost icmptype' => 'ICMP type:', +'fwhost ip_mac' => 'IP/MAC address', +'fwhost ipadr' => 'IP address:', +'fwhost ipsec host' => 'IPsec clients:', +'fwhost ipsec net' => 'IPsec networks:', +'fwhost menu' => 'Firewall Groups', +'fwhost netaddress' => 'Network address', +'fwhost newgrp' => 'Network/Host Groups', +'fwhost newhost' => 'Hosts', +'fwhost newnet' => 'Networks', +'fwhost newservice' => 'Services', +'fwhost newservicegrp' => 'Service Groups', +'fwhost orange' => 'Orange', +'fwhost ovpn_n2n' => 'OpenVPN Net-to-Net', +'fwhost port' => 'Port(s)', +'fwhost prot' => 'Protocol', +'fwhost reread' => 'Firewall rules need to be updated.', +'fwhost reset' => 'Cancel', +'fwhost services' => 'Services:', +'fwhost srv_name' => 'Service name', +'fwhost stdnet' => 'Standard networks:', +'fwhost type' => 'Type', +'fwhost used' => 'Used', +'fwhost welcome' => 'Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster.', +'fwhost wo subnet' => '(without subnet)', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', @@ -1317,7 +1489,7 @@ 'network traffic graphs others' => 'Network (others)', 'network updated' => 'Custom Network updated', 'networks settings' => 'Firewall - Network settings', -'new optionsfw later' => 'Your modification(s) will be active on next restart', +'new optionsfw later' => 'Some options need a reboot to take effect', 'new optionsfw must boot' => 'You must reboot your IPFire', 'newer' => 'Newer', 'next' => 'next', 
@@ -1543,7 +1715,7 @@ 'profile saved' => 'Profile saved: ', 'profiles' => 'Profiles:', 'proto' => 'Proto', -'protocol' => 'Protocol:', +'protocol' => 'Protocol', 'proxy' => 'Proxy', 'proxy access graphs' => 'Proxy access graphs', 'proxy admin password' => 'Cache administrator password', @@ -1584,6 +1756,7 @@ 'reconnect' => 'Reconnect', 'reconnection' => 'Reconnection', 'red' => 'Internet', +'red1' => 'RED', 'references' => 'References', 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', @@ -2339,13 +2512,12 @@ 'wlan client wpa mode tkip tkip' => 'TKIP-TKIP', 'wlanap access point' => 'Access Point', 'wlanap channel' => 'Channel', -'wlanap country' => 'Country Code', 'wlanap debugging' => 'Debugging', 'wlanap del interface' => 'Remove selected interface?', 'wlanap encryption' => 'Encryption', 'wlanap informations' => 'Informations', 'wlanap interface' => 'Select interface', -'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 ascii characters.', +'wlanap invalid wpa' => 'Invalid length in WPA Passphrase. Must be between 8 and 63 characters.', 'wlanap link dhcp' => 'Wireless lan DHCP configuration', 'wlanap link wireless' => 'Activate wireless lan clients', 'wlanap no interface' => 'Selected interface is not a wirless lan card!', diff --git a/lfs/configroot b/lfs/configroot index 1185236..341b146 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -50,59 +50,66 @@ $(TARGET) : @$(PREBUILD)
# Create all directories - for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dmzholes dns dnsforward \ - ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ - net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \ - outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \ + for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \ + ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \ + ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \ + net-traffic/templates nfs optionsfw \ + ovpn patches pakfire portfw ppp private proxy/advanced/cre \ proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ - wakeonlan wireless xtaccess ; do \ + wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ done
# Touch empty files for i in auth/users backup/include.user backup/exclude.user \ certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \ - dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dmzholes/config dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \ - isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \ + dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \ + extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \ + fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \ + isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ - ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ + ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ - touch $(CONFIG_ROOT)/$$i; \ + touch $(CONFIG_ROOT)/$$i; \ done
# Copy initial configfiles cp $(DIR_SRC)/config/cfgroot/header.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/general-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ - cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/advoptions-list $(CONFIG_ROOT)/dhcp/advoptions-list cp $(DIR_SRC)/config/cfgroot/connscheduler-lib.pl $(CONFIG_ROOT)/connscheduler/lib.pl cp $(DIR_SRC)/config/cfgroot/connscheduler.conf $(CONFIG_ROOT)/connscheduler cp $(DIR_SRC)/config/extrahd/* $(CONFIG_ROOT)/extrahd/bin/ cp $(DIR_SRC)/config/cfgroot/sensors-settings $(CONFIG_ROOT)/sensors/settings - cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ + cp $(DIR_SRC)/config/menu/* $(CONFIG_ROOT)/menu.d/ cp $(DIR_SRC)/config/cfgroot/modem-defaults $(CONFIG_ROOT)/modem/defaults cp $(DIR_SRC)/config/cfgroot/modem-settings $(CONFIG_ROOT)/modem/settings cp $(DIR_SRC)/config/cfgroot/net-traffic-lib.pl $(CONFIG_ROOT)/net-traffic/net-traffic-lib.pl - cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl + cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server - cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols - cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ - cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 - cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ - cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings - cp $(DIR_SRC)/config/cfgroot/xtaccess-config $(CONFIG_ROOT)/xtaccess/config + cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ + cp $(DIR_SRC)/config/cfgroot/ssh-settings 
$(CONFIG_ROOT)/remote/settings cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings - cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings + cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings cp $(DIR_SRC)/config/cfgroot/useragents $(CONFIG_ROOT)/proxy/advanced cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans - cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ - + cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ + cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl + cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess + cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw + cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz + cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw + cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols + cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl + cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy + cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types + cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings 
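Review bot: The new `for i in` directory list contains two near-identical entries back to back, `ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \` followed by `ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \`; `mkdir -p` makes the repeat harmless, but it reads like merge residue and the first of the two should go. In the touch list `ethernet/wireless` silently disappears together with the intentionally removed `dmzholes`, `outgoing` and `xtaccess` files — if anything still reads that file this needs confirming, otherwise the commit message should mention it. Several lines here (`touch`, `countries.pl`, `menu.d`, `net-traffic-admin.pl`, `ssh-settings`, `logging-settings`) change only leading whitespace, which hides the functional edits in the diff. The `$(TARGET)` recipe continues outside the hunk.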
@@ -110,11 +117,29 @@ $(TARGET) : echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings - echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY1=DROP" >> $(CONFIG_ROOT)/optionsfw/settings + echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings - + echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPSAMBA=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPPROXY=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSINPUT=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPWIRELESSFORWARD=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "POLICY=MODE2" >> $(CONFIG_ROOT)/forward/settings + echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/forward/settings + + # set rules.pl executable + chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl + + # set converters executable + chmod 755 /usr/sbin/convert-* + # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ @@ -131,7 +156,7 @@ $(TARGET) :
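Review bot: `/usr/sbin/firewall-policy`, installed by the copy block earlier in this file and executed directly by the firewall init script in this same commit, is not given the execute bit here, whereas `rules.pl` and the `convert-*` helpers are; unless the source file already carries the bit, add `chmod 755 /usr/sbin/firewall-policy` next to the converter chmod. The hunk also replaces the `DROPOUTPUT` key with `DROPFORWARD` in optionsfw/settings; a system upgraded with its old settings file will never satisfy the init script's `DROPFORWARD` test, so forward drops go unlogged unless an updater writes the new key or the script falls back to a default. The recipe body continues outside the hunk.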
# Language files cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/ - + # Configroot permissions chown -R nobody:nobody $(CONFIG_ROOT) chown root:root $(CONFIG_ROOT) @@ -140,7 +165,5 @@ $(TARGET) : done chown root:nobody $(CONFIG_ROOT)/dhcpc
- # Set outgoingfw.pl executable - chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl - + @$(POSTBUILD) diff --git a/lfs/initscripts b/lfs/initscripts index 6549147..0b2dbee 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -179,20 +179,15 @@ $(TARGET) :
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall - ln -sf ../../../../../usr/local/bin/outgoingfwctrl \ - /etc/rc.d/init.d/networking/red.up/22-outgoingfwctrl + ln -sf ../../../../../usr/local/bin/forwardfwctrl \ + /etc/rc.d/init.d/networking/red.up/22-forwardfwctrl ln -sf ../../../../../usr/local/bin/snortctrl \ /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos - ln -sf ../../../../../usr/local/bin/setportfw \ - /etc/rc.d/init.d/networking/red.up/25-portfw - ln -sf ../../../../../usr/local/bin/setxtaccess \ - /etc/rc.d/init.d/networking/red.up/26-xtaccess ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid - ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall ln -sf ../../../../../usr/local/bin/dialctrl.pl \ diff --git a/lfs/strongswan b/lfs/strongswan index 4701f34..9ac2e68 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -76,8 +76,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0237297..fc49da4 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -68,74 +68,14 @@ iptables_init() { # SYN/FIN (QueSO or nmap OS probe) /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN # NEW TCP without SYN - /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN + /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
- /sbin/iptables -A INPUT -j BADTCP - /sbin/iptables -A FORWARD -j BADTCP + /sbin/iptables -A INPUT -p tcp -j BADTCP + /sbin/iptables -A FORWARD -p tcp -j BADTCP
-} - -iptables_red() { - /sbin/iptables -F REDINPUT - /sbin/iptables -F REDFORWARD - /sbin/iptables -t nat -F REDNAT - - # PPPoE / PPTP Device - if [ "$IFACE" != "" ]; then - # PPPoE / PPTP - if [ "$DEVICE" != "" ]; then - /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT - fi - if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then - if [ "$RED_DEV" != "" ]; then - /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT - fi - fi - fi - - # PPTP over DHCP - if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - fi - - # Orange pinholes - if [ "$ORANGE_DEV" != "" ]; then - # This rule enables a host on ORANGE network to connect to the outside - # (only if we have a red connection) - if [ "$IFACE" != "" ]; then - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT - fi - fi - - if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then - # DHCP - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - - # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE - - fi -} - -# See how we were called. 
-case "$1" in - start) - iptables_init - - # Limit Packets- helps reduce dos/syn attacks - # original do nothing line - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec - # the correct one, but the negative '!' do nothing... - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP + # Connection tracking chain + /sbin/iptables -N CONNTRACK + /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fix for braindead ISP's /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu @@ -143,21 +83,30 @@ case "$1" in # CUSTOM chains, can be used by the users themselves /sbin/iptables -N CUSTOMINPUT /sbin/iptables -A INPUT -j CUSTOMINPUT - /sbin/iptables -N GUARDIAN - /sbin/iptables -A INPUT -j GUARDIAN - /sbin/iptables -A FORWARD -j GUARDIAN /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT - /sbin/iptables -N OUTGOINGFW - /sbin/iptables -N OUTGOINGFWMAC - /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
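Review bot: The CONNTRACK chain is created here with its single ESTABLISHED,RELATED accept, but the jumps into it from INPUT/FORWARD/OUTPUT are only added much later in this file, after the GUARDIAN, OVPNBLOCK and LOOPBACK jumps, which a reader of this hunk cannot see; say so at the definition, e.g. `# Connection tracking chain; jumped to from INPUT/FORWARD/OUTPUT further down, after GUARDIAN/OVPNBLOCK/LOOPBACK`. The added `-p tcp` on the two BADTCP jumps is a harmless tightening since every rule in BADTCP is already tcp-only. iptables_init starts outside the hunk, and the old iptables_red and case dispatch removed here reappear in the later hunks.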
+ # Guardian (IPS) chains + /sbin/iptables -N GUARDIAN + /sbin/iptables -A INPUT -j GUARDIAN + /sbin/iptables -A FORWARD -j GUARDIAN + + # Block OpenVPN transfer networks + /sbin/iptables -N OVPNBLOCK + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j OVPNBLOCK + done + + # OpenVPN transfer network translation + /sbin/iptables -t nat -N OVPNNAT + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT + # IPTV chains for IGMPPROXY /sbin/iptables -N IPTVINPUT /sbin/iptables -A INPUT -j IPTVINPUT @@ -169,60 +118,60 @@ case "$1" in /sbin/iptables -A INPUT -j GUIINPUT /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
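Review bot: The OVPNBLOCK jump is appended to INPUT, FORWARD and OUTPUT here, ahead of the LOOPBACK and CONNTRACK jumps that the next hunk appends, so whatever openvpnctrl places in OVPNBLOCK is evaluated before ESTABLISHED,RELATED traffic is accepted and also applies to the firewall's own OUTPUT. If the block is meant to cover only new connections from the transfer nets, move the loop below the CONNTRACK loop; either way the comment should state the choice, e.g. `# Block OpenVPN transfer networks (evaluated before conntrack, so reply traffic is blocked too)`. The enclosing function, iptables_init on the new side, starts outside the hunk.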
+ # Accept everything on loopback + /sbin/iptables -N LOOPBACK + /sbin/iptables -A LOOPBACK -i lo -j ACCEPT + /sbin/iptables -A LOOPBACK -o lo -j ACCEPT + + # Filter all packets with loopback addresses on non-loopback interfaces. + /sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP + /sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j LOOPBACK + done + # Accept everything connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT - + for i in INPUT FORWARD OUTPUT; do + /sbin/iptables -A ${i} -j CONNTRACK + done + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything /sbin/iptables -N IPSECINPUT /sbin/iptables -N IPSECFORWARD /sbin/iptables -N IPSECOUTPUT - /sbin/iptables -N OPENSSLVIRTUAL /sbin/iptables -A INPUT -j IPSECINPUT - /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT" /sbin/iptables -A FORWARD -j IPSECFORWARD - /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" /sbin/iptables -A OUTPUT -j IPSECOUTPUT - /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -N IPSECNAT - /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
- # TOR - /sbin/iptables -N TOR_INPUT - /sbin/iptables -A INPUT -j TOR_INPUT - - # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT - /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo - /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT - /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT - - # If a host on orange tries to initiate a connection to IPFire's red IP and - # the connection gets DNATed back through a port forward to a server on orange - # we end up with orange -> orange traffic passing through IPFire - [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - + /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp + # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT - - # OPenSSL - /sbin/iptables -N OPENSSLPHYSICAL - /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - + # WIRELESS chains /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT + /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD + /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD + + # TOR + /sbin/iptables -N TOR_INPUT + /sbin/iptables -A INPUT -j TOR_INPUT + + # Jump into the actual firewall ruleset. 
+ /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -j INPUTFW + + /sbin/iptables -N OUTGOINGFW + /sbin/iptables -A OUTPUT -j OUTGOINGFW + + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW
# RED chain, used for the red interface /sbin/iptables -N REDINPUT @@ -234,119 +183,130 @@ case "$1" in
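Review bot: The rewritten GREEN accept `/sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp` leaves `$GREEN_DEV` unquoted and places the protocol negation after the target, where it reads like an option of `-j`; `/sbin/iptables -A INPUT -i "${GREEN_DEV}" ! -p icmp -m conntrack --ctstate NEW -j ACCEPT` builds the same rule and makes the match set obvious. The LOOPBACK chain is now also jumped from OUTPUT, so its `-s 127.0.0.0/8`/`-d 127.0.0.0/8` drops apply to locally generated packets on non-lo interfaces, where the old rules covered INPUT and FORWARD only; that matches the comment, but is worth calling out since it is a behaviour change rather than a rewrite. The enclosing function starts and ends outside the hunk.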
iptables_red
- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES - fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - - # Custom prerouting chains (for transparent proxy and port forwarding) + # Custom prerouting chains (for transparent proxy) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW + + # DNAT rules + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + + # SNAT rules + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
# upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW /sbin/iptables -N UPNPFW - /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW - - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE - - # Postrouting rules (for port forwarding) - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ - --to-source $GREEN_ADDRESS - if [ "$BLUE_DEV" != "" ]; then - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS - fi - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS - fi + /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# run local firewall configuration, if present if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local start fi - - # last rule in input and forward chain is for logging. + + # run openvpn + /usr/local/bin/openvpnctrl --create-chains-and-rules + + # run wirelessctrl + /usr/local/bin/wirelessctrl + + #POLICY CHAIN + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT + + /usr/sbin/firewall-policy + + # read new firewall + /usr/local/bin/forwardfwctrl
if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - startovpn) - # run openvpn - /usr/local/bin/openvpnctrl --create-chains-and-rules - ;; - stop) - iptables_init - # Accept everyting connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" +}
- # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -j ACCEPT - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT +iptables_red() { + /sbin/iptables -F REDINPUT + /sbin/iptables -F REDFORWARD + /sbin/iptables -t nat -F REDNAT
- if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + # PPPoE / PPTP Device + if [ "$IFACE" != "" ]; then + # PPPoE / PPTP + if [ "$DEVICE" != "" ]; then + /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT + fi + if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then + if [ "$RED_DEV" != "" ]; then + /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT + fi + fi fi
- # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop + # PPTP over DHCP + if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT fi
- if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + # Orange pinholes + if [ "$ORANGE_DEV" != "" ]; then + # This rule enables a host on ORANGE network to connect to the outside + # (only if we have a red connection) + if [ "$IFACE" != "" ]; then + /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT + fi fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + + if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then + # DHCP + if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + + # Outgoing masquerading (don't masqerade IPSEC (mark 50)) + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - stopovpn) - # stop openvpn - /usr/local/bin/openvpnctrl --delete-chains-and-rules - ;; +} + +# See how we were called. 
+case "$1" in + start) + iptables_init + ;; reload) iptables_red - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then + if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local reload fi ;; restart) - $0 stop - $0 stopovpn + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local stop + fi $0 start - $0 startovpn ;; *) - echo "Usage: $0 {start|stop|reload|restart}" + echo "Usage: $0 {start|reload|restart}" exit 1 ;; esac diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 9ff2200..02df4bc 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -47,9 +47,7 @@ init_networking() { # (exit ${failed}) # evaluate_retval
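Review bot: The new log rules drop the trailing space from the prefix: `--log-prefix "DROP_INPUT"` and `--log-prefix "DROP_FORWARD"` replace `"DROP_INPUT "` and `"DROP_OUTPUT "`. The kernel writes the packet fields directly after the prefix, so the log line becomes `DROP_INPUTIN=...`, which breaks any parser that keys on the prefix followed by a space; keep the space, `--log-prefix "DROP_INPUT "` and `--log-prefix "DROP_FORWARD "`. Separately, `/usr/sbin/firewall-policy` and `/usr/local/bin/forwardfwctrl` are run from start with no existence or exit-status check, unlike `firewall.local`; a failure leaves the POLICY*/FORWARDFW chains empty, which fails closed for INPUT and FORWARD because of the final DROP rules but does so silently, so consider `/usr/sbin/firewall-policy || echo "firewall-policy failed" >&2` and the same for forwardfwctrl. The hunk rewrites the tail of iptables_init, all of iptables_red and the case dispatch; iptables_init starts outside the hunk.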
- boot_mesg "Setting up DMZ pinholes" - /usr/local/bin/setdmzholes; evaluate_retval - + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then boot_mesg "Setting up wireless firewall rules" /usr/local/bin/wirelessctrl; evaluate_retval diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 4d09fbf..c748a66 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -24,11 +24,10 @@ CFLAGS=-O2 -Wall COMPILE=$(CC) $(CFLAGS)
PROGS = iowrap -SUID_PROGS = setdmzholes setportfw setxtaccess \ - squidctrl sshctrl ipfirereboot \ +SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl outgoingfwctrl \ + logwatch openvpnctrl forwardfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ @@ -86,22 +85,16 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o
clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + +forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-setdmzholes: setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setdmzholes.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@
diff --git a/src/misc-progs/forwardfwctrl.c b/src/misc-progs/forwardfwctrl.c
new file mode 100644
index 0000000..797d27a
--- /dev/null
+++ b/src/misc-progs/forwardfwctrl.c
@@ -0,0 +1,16 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ */
+
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+ if (!(initsetuid()))
+ exit(1);
+
+ safe_system("/var/ipfire/forward/bin/rules.pl");
+ return 0;
+}
diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 76916f1..97491e4 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -27,6 +27,7 @@ char enableorange[STRING_SIZE] = "off";
 char OVPNRED[STRING_SIZE] = "OVPN";
 char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
 char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
+char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
 char OVPNNAT[STRING_SIZE] = "OVPNNAT";
 char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
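Review bot: forwardfwctrl is listed in SUID_PROGS and runs `/var/ipfire/forward/bin/rules.pl` through safe_system with that privilege, so the script's owner and mode are part of the trust boundary; lfs/configroot in this commit does `chown -R nobody:nobody $(CONFIG_ROOT)` and, in the visible lines, restores root only on the top directory (a loop between them is not visible), so confirm that `forward/bin/rules.pl` and `forward/bin/` end up root-owned and not writable by the web-server user, otherwise anyone who can edit the script inherits the helper's privilege. A comment on main should record that requirement, e.g. `/* Runs the firewall rule generator as root; rules.pl must be root-owned and not group/world writable. */`. Also, exit() is called but only "setuid.h" is included, while the removed outgoingfwctrl.c pulled in <stdlib.h> itself; add `#include <stdlib.h>` unless setuid.h is known to provide it.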
@@ -253,20 +254,13 @@ void setChainRules(char *chain, char *interface, char *protocol, char *port)
sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port); executeCommand(str); - sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain); - executeCommand(str); - sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain); - executeCommand(str); }
void flushChain(char *chain) { char str[STRING_SIZE];
- sprintf(str, "/sbin/iptables -F %sINPUT", chain);
+ sprintf(str, "/sbin/iptables -F %s", chain);
 executeCommand(str);
- sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
- executeCommand(str);
- safe_system(str);
 }
void flushChainNAT(char *chain) { @@ -276,15 +270,18 @@ void flushChainNAT(char *chain) { executeCommand(str); }
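Review bot: The rewritten `sprintf(str, "/sbin/iptables -F %s", chain);` in flushChain keeps an unbounded sprintf, while the new flushChainINPUT in the next hunk uses `snprintf(str, STRING_SIZE, ...)`; since flushChain now takes an arbitrary chain name (callers pass both constants and the buffer built by flushChainINPUT), use `snprintf(str, STRING_SIZE, "/sbin/iptables -F %s", chain);` so an over-long name truncates instead of overflowing `str`. The same `sprintf` pattern remains in deleteChainReference, deleteChain, createChainReference and createChain in the later hunks. setChainRules' body starts outside the hunk.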
+void flushChainINPUT(char *chain) { + char str[STRING_SIZE]; + + snprintf(str, STRING_SIZE, "%sINPUT", chain); + flushChain(str); +} + void deleteChainReference(char *chain) { char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain); executeCommand(str); - safe_system(str); - sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain); - executeCommand(str); - safe_system(str); }
void deleteChain(char *chain) { @@ -292,8 +289,6 @@ void deleteChain(char *chain) {
sprintf(str, "/sbin/iptables -X %sINPUT", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -X %sFORWARD", chain); - executeCommand(str); }
void deleteAllChains(void) { @@ -301,28 +296,28 @@ void deleteAllChains(void) { deleteChainReference(OVPNRED); deleteChainReference(OVPNBLUE); deleteChainReference(OVPNORANGE); - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); deleteChain(OVPNRED); deleteChain(OVPNBLUE); deleteChain(OVPNORANGE); + + // Only flush chains that are created by the firewall + flushChain(OVPNBLOCK); + flushChainNAT(OVPNNAT); }
void createChainReference(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain); - executeCommand(str); }
void createChain(char *chain) { char str[STRING_SIZE]; sprintf(str, "/sbin/iptables -N %sINPUT", chain); executeCommand(str); - sprintf(str, "/sbin/iptables -N %sFORWARD", chain); - executeCommand(str); }
void createAllChains(void) { @@ -471,9 +466,10 @@ void setFirewallRules(void) { freekeyvalues(kv);
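Review bot: createChainReference still inserts the OVPN*INPUT chains at the hard-coded position `"14"` in INPUT (`/sbin/iptables -I INPUT %s -j %sINPUT`, a context line here), while this same commit adds INPUT jumps ahead of it in src/initscripts/init.d/firewall (GUARDIAN, OVPNBLOCK, LOOPBACK, CONNTRACK, INPUTFW, POLICYIN) and removes others (OPENSSLVIRTUAL, OPENSSLPHYSICAL, XTACCESS, PORTFWACCESS). Whether position 14 still lands before the INPUTFW/POLICYIN jumps and the final DROP is not visible in the diff and should be rechecked; having the init script create an empty chain that openvpnctrl fills, as it now does for OVPNBLOCK, would remove the dependency on rule numbering altogether. At minimum annotate the literal, e.g. `/* position must stay ahead of the INPUTFW/POLICYIN jumps in init.d/firewall */`.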
// Flush all chains. - flushChain(OVPNRED); - flushChain(OVPNBLUE); - flushChain(OVPNORANGE); + flushChainINPUT(OVPNRED); + flushChainINPUT(OVPNBLUE); + flushChainINPUT(OVPNORANGE); + flushChain(OVPNBLOCK); flushChainNAT(OVPNNAT);
// set firewall rules @@ -497,6 +493,11 @@ void setFirewallRules(void) { OVPNRED, redif, conn->proto, conn->port); executeCommand(command);
+ /* Block all communication from the transfer nets. */
+ snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP",
+ OVPNBLOCK, conn->transfer_subnet);
+ executeCommand(command);
+
 local_subnet_address = getLocalSubnetAddress(conn);
 transfer_subnet_address = calcTransferNetAddress(conn);
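Review bot: The new rule `-A OVPNBLOCK -s <transfer_subnet> -j DROP` matches on source address only, and the init script jumps to OVPNBLOCK from OUTPUT as well as INPUT and FORWARD, ahead of the conntrack accept; if the firewall's own tunnel endpoint lies inside `conn->transfer_subnet`, its locally generated packets toward the peer are dropped by this rule too. If that is intended the comment should say so; if the aim is only to stop remote hosts from using transfer-net addresses, restrict the match to packets arriving on the tunnel with `-i` (if the connection struct carries the interface name). `conn->transfer_subnet` is also interpolated into a shell command string here, so it must be validated as an address/mask before this point, as the removed setportfw.c did with VALID_IP_AND_MASK — confirm the config reader does that. setFirewallRules starts outside the hunk.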
diff --git a/src/misc-progs/outgoingfwctrl.c b/src/misc-progs/outgoingfwctrl.c deleted file mode 100644 index 2d993d9..0000000 --- a/src/misc-progs/outgoingfwctrl.c +++ /dev/null @@ -1,24 +0,0 @@ -/* This file is part of the IPFire Firewall. - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - */ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> -#include "setuid.h" - -int main(int argc, char *argv[]) { - - if (!(initsetuid())) - exit(1); - - safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl"); - safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl"); - return 0; -} diff --git a/src/misc-progs/setdmzholes.c b/src/misc-progs/setdmzholes.c deleted file mode 100644 index 7a2643d..0000000 --- a/src/misc-progs/setdmzholes.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/* SmoothWall helper program - setdmzhole - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * $Id: setdmzholes.c,v 1.5.2.3 2005/10/18 17:05:27 franck78 Exp $ - * - */ -#include "libsmooth.h" -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include "setuid.h" - -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - int count; - char *protocol; - char *locip; - char *remip; - char *remport; - char *enabled; - char *src_net; - char *dst_net; - char s[STRING_SIZE]; - char *result; - struct keyvalue *kv = NULL; - char orange_dev[STRING_SIZE] = ""; - char blue_dev[STRING_SIZE] = ""; - char green_dev[STRING_SIZE] = ""; - char *idev; - char *odev; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_DEV", green_dev)) - { - fprintf(stderr, "Cannot read GREEN_DEV\n"); - exit(1); - } - findkey(kv, "BLUE_DEV", blue_dev); - findkey(kv, "ORANGE_DEV", orange_dev); - - if (!(fwdfile = fopen(CONFIG_ROOT "/dmzholes/config", "r"))) - { - fprintf(stderr, "Couldn't open dmzholes settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -F DMZHOLES"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - protocol = NULL; - locip = NULL; remip = NULL; - remport = NULL; - enabled = NULL; - src_net = NULL; - dst_net = NULL; - idev = NULL; - 
odev = NULL; - - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - locip = result; - else if (count == 2) - remip = result; - else if (count == 3) - remport = result; - else if (count == 4) - enabled = result; - else if (count == 5) - src_net = result; - else if (count == 6) - dst_net = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && locip && remip && remport && enabled)) - { - fprintf(stderr, "Bad line:\n"); - break; - } - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - if (!src_net) { src_net = strdup ("orange");} - if (!dst_net) { dst_net = strdup ("green");} - - if (!strcmp(src_net, "blue")) { idev = blue_dev; } - if (!strcmp(src_net, "orange")) { idev = orange_dev; } - if (!strcmp(dst_net, "blue")) { odev = blue_dev; } - if (!strcmp(dst_net, "green")) { odev = green_dev; } - - if (!strcmp(enabled, "on") && strlen(idev) && strlen (odev)) - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A DMZHOLES -p %s -i %s -o %s -s %s -d %s --dport %s -j ACCEPT", protocol, idev, odev, locip, remip, remport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c deleted file mode 100644 index a65aebd..0000000 --- a/src/misc-progs/setportfw.c +++ /dev/null 
@@ -1,369 +0,0 @@ -/* SmoothWall helper program - setportfw - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * 02/11/03 Darren Critchley modifications to allow it to open multiple - * source ip addresses - * 02/25/03 Darren Critchley modifications to allow port ranges - * 04/01/03 Darren Critchley modifications to allow gre protocol - * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly, - * tidied up the iptables logic, killed duplicated code, - * removed srciptmp (unecessary) - * - * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $ - * - */ - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include "libsmooth.h" -#include "setuid.h" - -struct keyvalue *kv = NULL; -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if(kv) - freekeyvalues(kv); - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - FILE *ipfile = NULL, *ifacefile = NULL; - int count; - char iface[STRING_SIZE] =""; - char locip[STRING_SIZE] =""; - char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] =""; - char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] =""; - char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] =""; - char *protocol; - char *srcip; - char *locport; - char *remip; - char *remport; - char *origip; - char *enabled; - char s[STRING_SIZE]; - char *result; - char *key1; - char *key2; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - /* Read in and verify config */ - kv=initkeyvalues(); - - if (!readkeyvalues(kv, 
CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_ADDRESS", greenip)) - { - fprintf(stderr, "Cannot read GREEN_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(greenip)) - { - fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip); - exit(1); - } - - if (!findkey(kv, "GREEN_NETMASK", greenmask)) - { - fprintf(stderr, "Cannot read GREEN_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(greenmask)) - { - fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask); - exit(1); - } - - /* Get the BLUE interface details */ - findkey(kv, "BLUE_DEV", bluedev); - - if (strlen(bluedev)) - { - - if (!VALID_DEVICE(bluedev)) - { - fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev); - exit(1); - } - - if (!findkey(kv, "BLUE_ADDRESS", blueip)) - { - fprintf(stderr, "Cannot read BLUE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(blueip)) - { - fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip); - exit(1); - } - - if (!findkey(kv, "BLUE_NETMASK", bluemask)) - { - fprintf(stderr, "Cannot read BLUE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(bluemask)) - { - fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask); - exit(1); - } - - } - - /* Get the ORANGE interface details */ - findkey(kv, "ORANGE_DEV", orangedev); - - if (strlen(orangedev)) - { - - if (!VALID_DEVICE(orangedev)) - { - fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev); - exit(1); - } - - if (!findkey(kv, "ORANGE_ADDRESS", orangeip)) - { - fprintf(stderr, "Cannot read ORANGE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(orangeip)) - { - fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip); - exit(1); - } - - if (!findkey(kv, "ORANGE_NETMASK", orangemask)) - { - fprintf(stderr, "Cannot read ORANGE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(orangemask)) - { - fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask); - exit(1); - } - - } - - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip 
file\n"); - exit(1); - } - fgets(locip, STRING_SIZE, ipfile); - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - fgets(iface, STRING_SIZE, ifacefile); - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r"))) - { - fprintf(stderr, "Couldn't open portfw settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -t nat -F PORTFW"); - safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE"); - safe_system("/sbin/iptables -F PORTFWACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - key1 = NULL; - key2 = NULL; - protocol = NULL; - srcip = NULL; - locport = NULL; - remip = NULL; - origip = NULL; - remport = NULL; - enabled = NULL; - while (result) - { - if (count == 0) - key1 = result; - else if (count == 1) - key2 = result; - else if (count == 2) - protocol = result; - else if (count == 3) - locport = result; - else if (count == 4) - remip = result; - else if (count == 5) - remport = result; - else if (count == 6) - enabled = result; - else if (count == 7) - srcip = result; - else if (count == 8) - origip = result; - count++; - result = strtok(NULL, ","); - } - - if (!(key1 && key2 && protocol && locport && remip && remport && enabled - && srcip && origip)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (strcmp(protocol, "gre") == 0) - { - locport = "0"; - remport = "0"; - } - if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip)) 
- { - fprintf(stderr, "Bad IP: %s\n", origip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - if (!VALID_IP(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - /* check for source ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the - * local ip address. (This makes sure we can use old-style - * config files without the source ip) */ - if (!srcip || !strcmp(srcip, "0.0.0.0")) - srcip = locip; - if (strcmp(srcip,"0") && !VALID_IP(srcip)) - { - fprintf(stderr, "Bad source IP: %s\n", srcip); - exit(1); - } - - /* This may seem complicated... refer to portfw.pl for an explanation of - * the keys and their meaning in certain circumstances */ - - if (strcmp(enabled, "on") == 0) - { - - /* If key2 is a zero, then it is a portfw command, otherwise it is an - * external access command */ - if (strcmp(key2, "0") == 0) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip); - else - { - char *ctr; - /* If locport contains a - we need to change it to a : */ - if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';} - /* If remport contains a : we need to change it to a - */ - if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport); - safe_system(command); - /* Now if remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport); - 
if (strlen(bluedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport); - } - if (strlen(orangedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport); - } - } - safe_system(command); - } - - /* if key2 is not "0" then it's an external access rule, if key2 is "0" - * then the portfw rule may contain external access information if origip - * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open - * to all; again, check portfw.pl for more details) */ - if(strcmp(key2, "0") || strcmp(origip,"0") ) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip); - else - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport); - } - safe_system(command); - } - } - } - - return 0; -} diff --git a/src/misc-progs/setxtaccess.c b/src/misc-progs/setxtaccess.c deleted file mode 100644 index 27a03e0..0000000 --- a/src/misc-progs/setxtaccess.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* SmoothWall helper program - setxtaccess - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * - * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases - * - * 19/04/03 Robert Kerr Fixed root exploit - * - * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $ - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "setuid.h" - -FILE *ifacefile = NULL; -FILE *fwdfile = NULL; -FILE *ipfile = NULL; - -void exithandler(void) -{ - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - char iface[STRING_SIZE] = ""; - char locip[STRING_SIZE] = ""; - char s[STRING_SIZE] = ""; - int count; - char *protocol; - char *destip; - char *remip; - char *locport; - char *enabled; - char *information; - char *result; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - if (fgets(locip, STRING_SIZE, ipfile)) - { - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - } - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - if (fgets(iface, STRING_SIZE, ifacefile)) - { - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - } - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r"))) - { - fprintf(stderr, "Couldn't open xtaccess settings file\n"); - exit(1); - } - - 
safe_system("/sbin/iptables -F XTACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - count = 0; - protocol = NULL; - remip = NULL; - destip = NULL; - locport = NULL; - enabled = NULL; - information = NULL; - result = strtok(s, ","); - while (result) - { - if (count == 0) - protocol = result; - else if (count == 1) - remip = result; - else if (count == 2) - locport = result; - else if (count == 3) - enabled = result; - else if (count == 4) - destip = result; - else - information = result; - count++; - result = strtok(NULL, ","); - } - - if (!(protocol && remip && locport && enabled)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (!VALID_IP_AND_MASK(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - - /* check for destination ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the current - * local ip address. (This makes sure we can use old-style - * config files without the destination ip) */ - if (!destip || !strcmp(destip, "0.0.0.0")) - destip = locip; - if (!VALID_IP(destip)) - { - fprintf(stderr, "Bad destination IP: %s\n", remip); - exit(1); - } - - if (strcmp(enabled, "on") == 0) - { - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", - iface, protocol, remip, destip, locport); - safe_system(command); - } - } - - return 0; -} diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 12b954b..450aa36 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c 
@@ -154,9 +154,7 @@ int main(void)
 (VALID_IP_AND_MASK(ipaddress))) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
 safe_system(command);
 } else {
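Review bot: The new WIRELESSFORWARD rule on the `+` line jumps to RETURN where the removed pair first accepted blue-sourced traffic not leaving on green_dev and then evaluated DMZHOLES, so after this change the chain decides nothing for a matching client and whether the former `! -o green_dev` exclusion is still enforced depends on the chain that calls WIRELESSFORWARD, which is not visible in this diff. Nothing in the hunk records that hand-off; a comment on the new line such as `/* RETURN: a known client falls through to the caller's forwarding policy instead of being accepted here */` would tell the next reader where the blue-to-green decision now lives. The same replacement appears twice more in the hunk that follows (the MAC-only and IP-only branches) and the comment belongs on each of them. main's body starts and ends outside the hunk.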
@@ -164,18 +162,14 @@ int main(void)
 if (strlen(macaddress) == 17) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
 safe_system(command);
 }
 if (VALID_IP_AND_MASK(ipaddress)) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
 safe_system(command);
 }
 }
diff --git a/src/patches/strongswan-4.5.3_ipfire.patch b/src/patches/strongswan-4.5.3_ipfire.patch
deleted file mode 100644
index 2ba975b..0000000
--- a/src/patches/strongswan-4.5.3_ipfire.patch
+++ /dev/null
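Review bot: In the `strlen(macaddress) == 17` branch the new `+` line still interpolates macaddress into the iptables command handed to safe_system with only that length check visible, whereas the IP-only branch right below gates ipaddress with VALID_IP_AND_MASK before building the same kind of command. A 17-character string is not necessarily a MAC address, so a format check in the style of the existing VALID_* macros (six colon-separated hex pairs) placed in the same condition as the length test would keep a malformed config entry from ever reaching the command line; none of the VALID_* names visible in this diff covers MAC addresses, so it may need to be added alongside them. Whether safe_system runs the string through a shell is not visible here, so the practical effect of a bad value may be no more than a failing iptables call, but the check belongs next to the length test either way. The first hunk's combined MAC-and-IP branch has its condition cut off at the hunk edge, so I cannot tell whether macaddress is validated there. main's body starts and ends outside the hunk.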
@@ -1,342 +0,0 @@ -diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in ---- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 -+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 -@@ -183,6 +183,29 @@ - ;; - esac - -+function ip_encode() { -+ local IFS=. -+ -+ local int=0 -+ for field in $1; do -+ int=$(( $(( $int << 8 )) | $field )) -+ done -+ -+ echo $int -+} -+ -+function ip_in_subnet() { -+ local netmask -+ netmask=$(_netmask $2) -+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] -+} -+ -+function _netmask() { -+ local vlsm -+ vlsm=${1#*/} -+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) -+} -+ - # utility functions for route manipulation - # Meddling with this stuff should not be necessary and requires great care. - uproute() { -@@ -387,12 +410,12 @@ - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] -@@ -400,10 +423,10 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" -+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -@@ -411,12 +434,12 @@ - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] -@@ -424,10 +447,10 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" -+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -@@ -437,10 +460,10 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then -- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 -+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi -@@ -449,12 +472,12 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 - fi - # - # log IPsec client connection setup -@@ -463,12 +486,51 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi -+ -+ # -+ # Open Firewall for IPinIP + AH + ESP Traffic -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ -+ -s 
$PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ if [ $VPN_LOGGING ] -+ then -+ logger -t $TAG -p $FAC_PRIO \ -+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME" -+ fi -+ -+ # Add source nat so also the gateway can access the other nets -+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do -+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" -+ if [ $? -eq 0 ]; then -+ src=${_src} -+ break -+ fi -+ done -+ -+ if [ -n "${src}" ]; then -+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" -+ else -+ logger -t $TAG -p $FAC_PRIO \ -+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" -+ fi -+ -+ # Flush routing cache -+ ip route flush cache - ;; - down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down -@@ -476,11 +538,11 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then -- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 -+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -490,14 +552,14 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 - fi - # - # log IPsec client connection teardown -@@ -506,12 +568,51 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi -+ -+ # -+ # Close Firewall for IPinIP + AH + ESP Traffic -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ 
iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ if [ $VPN_LOGGING ] -+ then -+ logger -t $TAG -p $FAC_PRIO \ -+ "tunnel- $PLUTO_PEER -- $PLUTO_ME" -+ fi -+ -+ # remove source nat -+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do -+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" -+ if [ $? -eq 0 ]; then -+ src=${_src} -+ break -+ fi -+ done -+ -+ if [ -n "${src}" ]; then -+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" -+ else -+ logger -t $TAG -p $FAC_PRIO \ -+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet." -+ fi -+ -+ # Flush routing cache -+ ip route flush cache - ;; - # - # IPv6 -@@ -546,10 +647,10 @@ - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. -- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # -@@ -570,10 +671,10 @@ - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
-- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # -@@ -596,10 +697,10 @@ - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then -- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi -@@ -608,10 +709,10 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi -@@ -635,11 +736,11 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then -- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT -- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -649,11 +750,11 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT diff --git a/src/patches/strongswan-5.0.2_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch new file mode 100644 index 0000000..6606095 --- /dev/null +++ b/src/patches/strongswan-5.0.2_ipfire.patch 
@@ -0,0 +1,348 @@
+diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
+index 3a40e21..d9f3ea0 100644
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+ esac
+ 
++function ip_encode() {
++ local IFS=.
++
++ local int=0
++ for field in $1; do
++ int=$(( $(( $int << 8 )) | $field ))
++ done
++
++ echo $int
++}
++
++function ip_in_subnet() {
++ local netmask
++ netmask=$(_netmask $2)
++ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
++}
++
++function _netmask() {
++ local vlsm
++ vlsm=${1#*/}
++ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
++}
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
+ uproute() {
+@@ -397,12 +420,12 @@ up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] +@@ -410,10 +433,10 @@ up-host:iptables) + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" ++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" ++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +@@ -421,12 +444,12 @@ down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] +@@ -434,10 +457,10 @@ down-host:iptables) + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" ++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" ++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +@@ -447,24 +470,24 @@ up-client:iptables) + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then +- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ +- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT ++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 + fi + # + # log IPsec client connection setup +@@ -473,12 +496,51 @@ up-client:iptables) + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi 
+ fi ++ ++ # ++ # Open Firewall for IPinIP + AH + ESP Traffic ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ if [ $VPN_LOGGING ] ++ then ++ logger -t $TAG -p $FAC_PRIO \ ++ "tunnel+ $PLUTO_PEER -- $PLUTO_ME" ++ fi ++ ++ # Add source nat so also the gateway can access the other nets ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" ++ fi ++ ++ # Flush routing cache ++ ip route flush cache + ;; + down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down +@@ -486,28 +548,28 @@ down-client:iptables) + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then +- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ +- $IPSEC_POLICY_IN -j ACCEPT ++ $IPSEC_POLICY_IN -j RETURN + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 + fi + # + # log IPsec client connection teardown +@@ -516,12 +578,51 @@ down-client:iptables) + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi ++ ++ # ++ # Close Firewall for IPinIP + AH + ESP Traffic ++ iptables -D IPSECINPUT 
-i $PLUTO_INTERFACE -p IP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ if [ $VPN_LOGGING ] ++ then ++ logger -t $TAG -p $FAC_PRIO \ ++ "tunnel- $PLUTO_PEER -- $PLUTO_ME" ++ fi ++ ++ # remove source nat ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot remove NAT rule because no IP of the IPFire does match the subnet." ++ fi ++ ++ # Flush routing cache ++ ip route flush cache + ;; + # + # IPv6 +@@ -556,10 +657,10 @@ up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # +@@ -580,10 +681,10 @@ down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # +@@ -606,10 +707,10 @@ up-client-v6:iptables) + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then +- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi +@@ -618,10 +719,10 @@ up-client-v6:iptables) + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi +@@ -645,11 +746,11 @@ down-client-v6:iptables) + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then +- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT +- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +@@ -659,11 +760,11 @@ down-client-v6:iptables) + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT
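Review bot: `src` is never initialised before the address-search loop in the new up-client block (and again in down-client), so when none of GREEN/BLUE/ORANGE lies inside `$PLUTO_MY_CLIENT` but a `src` value is inherited from the environment, `[ -n "${src}" ]` still passes and the SNAT rule is added or deleted with that stale address; add `src=` directly before each `for _src in ${GREEN_ADDRESS} ...` loop. The helper `_netmask` also assumes its argument carries a `/prefix`: with a bare address `${1#*/}` yields the whole address, both `[ $vlsm -eq 0 ]` and the shift then error out, `netmask` ends up empty and `ip_in_subnet` fails with a bash arithmetic error rather than a clean "no match", so a guard such as `case $2 in */*) ;; *) return 1 ;; esac` at the top of `ip_in_subnet` would make that path explicit. `field` in `ip_encode` is not declared `local` and leaks into the caller's scope, which is worth fixing while the helpers are new. The down-client failure log omits `$PLUTO_MY_CLIENT`, unlike its up-client counterpart; keeping both messages identical in shape simplifies correlating setup and teardown in the logs. The hunk is the whole new patch file, so the surrounding `case` in `_updown.in` is not visible here.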