This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  d71bcfce59ceac8c5cb9d96ef33de10742d161aa (commit)
       via  21df0788abbb174bb675c5ade256f86f6427d6a0 (commit)
       via  7e09a94a8109be124f1e172999da06e478b15eed (commit)
       via  60bce6ba6a70bf6b6683b8125aa86384c9ef5c4e (commit)
       via  2acc3cd9e72789df0b05904559a73e98d9f840d2 (commit)
       via  b14e0f7d0eb0c833f2287e2a092b59667c878a91 (commit)
       via  82f8d118b731a6bcd619c4a0e6bb55a27b47eb93 (commit)
       via  df6649b0feb13d5a08bdcff7bb1eb65b538b23ca (commit)
       via  b30890aa068415f5c47ee76d90b19753f0ee1da5 (commit)
       via  b7784e38bdca9a8377ffd3e7e990592510f13a35 (commit)
       via  2a3506f3493a38609e787c9cf20718d233812584 (commit)
       via  d6796d144a772c40a4e6a82d6b9d1db8299fac6e (commit)
       via  61466ab18dff0dc9809578f2e5d810a6a16d9aa4 (commit)
       via  cea3c8cf53ce5f23d737cfbd3c781c76edde3dd5 (commit)
       via  d8cc44393847801d8516ae026656ad29a4453437 (commit)
       via  ca4259a75817c7568f801c6c9535a2a2a60a8850 (commit)
       via  5751876534a53176db3b537bca34bdfc096d948a (commit)
       via  d2793ea80576ac5200f62c911b9492a5c102a81b (commit)
       via  d8deec0b4fac7b97b7b6f3f944b7f874c997db2f (commit)
       via  79ad6f7e539e82ba3dc51ca025ffcb7267f7c51f (commit)
       via  3928f52b397bc5c2d8c10d401bbd1258fc826df3 (commit)
       via  48f07c195761d0c7129b6beb314c339ba7164eaf (commit)
      from  7a35d102cb321598a0bb9568dfc446a6362de7f8 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit d71bcfce59ceac8c5cb9d96ef33de10742d161aa
Author: Alexander Marx <amarx@ipfire.org>
Date:   Wed Sep 17 15:52:45 2014 +0200

squid-accounting: set right permissions of html directory for graphs and logo
commit 21df0788abbb174bb675c5ade256f86f6427d6a0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 13:03:48 2014 +0200

core84: Add changed files from #10620
commit 7e09a94a8109be124f1e172999da06e478b15eed
Merge: 60bce6b ca4259a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 13:03:22 2014 +0200

Merge remote-tracking branch 'amarx/BUG10620' into next
commit 60bce6ba6a70bf6b6683b8125aa86384c9ef5c4e
Merge: 2acc3cd 5751876
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 13:02:28 2014 +0200

Merge remote-tracking branch 'amarx/BUG10615' into next
commit 2acc3cd9e72789df0b05904559a73e98d9f840d2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 13:00:38 2014 +0200

core84: Add changed files from fw-checksubnet branch
commit b14e0f7d0eb0c833f2287e2a092b59667c878a91
Merge: 82f8d11 d8cc443
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:59:26 2014 +0200

Merge remote-tracking branch 'amarx/fw-checksubnet' into next
commit 82f8d118b731a6bcd619c4a0e6bb55a27b47eb93
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:58:13 2014 +0200

core84: Add changed files from the firewall-dnat branch
commit df6649b0feb13d5a08bdcff7bb1eb65b538b23ca
Merge: b30890a 48f07c1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:55:55 2014 +0200

Merge remote-tracking branch 'amarx/firewall-dnat' into next
Conflicts: config/firewall/rules.pl
commit b30890aa068415f5c47ee76d90b19753f0ee1da5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:42:27 2014 +0200

bash: Import upstream patches for CVE-2014-6271 and CVE-2014-7169
commit b7784e38bdca9a8377ffd3e7e990592510f13a35
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:25:48 2014 +0200

core84: Add dnsmasq update
commit 2a3506f3493a38609e787c9cf20718d233812584
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:24:16 2014 +0200

Create core update 84
commit d6796d144a772c40a4e6a82d6b9d1db8299fac6e
Merge: 7a35d10 61466ab
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Sep 26 12:21:18 2014 +0200

Merge branch 'master' into next
commit d8cc44393847801d8516ae026656ad29a4453437
Author: Alexander Marx <amarx@ipfire.org>
Date:   Fri Sep 5 08:12:44 2014 +0200

fw-groups: fix language strings
commit ca4259a75817c7568f801c6c9535a2a2a60a8850
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Sep 11 17:13:07 2014 +0200

BUG10620: reload firewall.local in rules.pl, no longer in initscript
commit 5751876534a53176db3b537bca34bdfc096d948a
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Sep 11 15:10:48 2014 +0200

BUG10615: fix wrong values in firewall.cgi
commit d2793ea80576ac5200f62c911b9492a5c102a81b
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Sep 11 14:01:28 2014 +0200

BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
commit d8deec0b4fac7b97b7b6f3f944b7f874c997db2f
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Sep 11 13:59:54 2014 +0200

BUG10615 part2: Add ratelimit to firewallgui
commit 79ad6f7e539e82ba3dc51ca025ffcb7267f7c51f
Author: Alexander Marx <amarx@ipfire.org>
Date:   Thu Sep 11 10:59:25 2014 +0200

BUG10615 part1: Add connectionlimit to firewallgui
commit 3928f52b397bc5c2d8c10d401bbd1258fc826df3
Author: Alexander Marx <amarx@ipfire.org>
Date:   Fri Sep 5 08:09:54 2014 +0200

fw-groups: cleanup checksubnets
Now the checksubnets function from general-functions.pl is used.
commit 48f07c195761d0c7129b6beb314c339ba7164eaf
Author: Alexander Marx <alexander.marx@ipfire.org>
Date:   Fri Jul 18 08:44:45 2014 +0200

Firewall: make DNAT only accessible from selected source network
We added RED to the standard networks and now portforwardings are only usable from the selected source. If selected "all" the portforwarding can be used from any internal network. Else the access is only granted from the selected source network.
-----------------------------------------------------------------------
Summary of changes:
 config/firewall/firewall-lib.pl                    |  53 ++++++---
 config/firewall/rules.pl                           |  55 ++++++++-
 config/rootfiles/core/{83 => 84}/exclude           |   0
 config/rootfiles/core/{83 => 84}/filelists/bash    |   0
 .../{oldcore/32 => core/84}/filelists/dnsmasq      |   0
 config/rootfiles/core/84/filelists/files           |   8 ++
 config/rootfiles/core/{83 => 84}/meta              |   0
 config/rootfiles/core/{83 => 84}/update.sh         |   4 +-
 .../{core => oldcore}/82/filelists/iputils         |   0
 .../{core => oldcore}/82/filelists/openssl-compat  |   0
 config/rootfiles/{core => oldcore}/83/exclude      |   0
 .../rootfiles/{core => oldcore}/83/filelists/bash  |   0
 .../rootfiles/{core => oldcore}/83/filelists/files |   0
 .../{core => oldcore}/83/filelists/findutils       |   0
 .../rootfiles/{core => oldcore}/83/filelists/squid |   0
 config/rootfiles/{core => oldcore}/83/meta         |   0
 config/rootfiles/{core => oldcore}/83/update.sh    |   3 +
 html/cgi-bin/firewall.cgi                          | 126 ++++++++++++++++++---
 html/cgi-bin/fwhosts.cgi                           |  49 +++-----
 langs/de/cgi-bin/de.pl                             |   8 +-
 langs/en/cgi-bin/en.pl                             |   8 +-
 lfs/bash                                           |   4 +-
 lfs/squid-accounting                               |   2 +-
 make.sh                                            |   4 +-
 src/initscripts/init.d/firewall                    |  14 ---
 src/paks/squid-accounting/install.sh               |   3 +
 src/patches/bash-3.2-CVE-2014-7169.patch           |  11 --
 .../bash32-052}                                    |  32 ++++++
 src/patches/bash/bash32-053                        |  54 +++++++++
 29 files changed, 332 insertions(+), 106 deletions(-)
 copy config/rootfiles/core/{83 => 84}/exclude (100%)
 copy config/rootfiles/core/{83 => 84}/filelists/bash (100%)
 copy config/rootfiles/{oldcore/32 => core/84}/filelists/dnsmasq (100%)
 create mode 100644 config/rootfiles/core/84/filelists/files
 copy config/rootfiles/core/{83 => 84}/meta (100%)
 copy config/rootfiles/core/{83 => 84}/update.sh (97%)
 rename config/rootfiles/{core => oldcore}/82/filelists/iputils (100%)
 rename config/rootfiles/{core => oldcore}/82/filelists/openssl-compat (100%)
 rename config/rootfiles/{core => oldcore}/83/exclude (100%)
 rename config/rootfiles/{core => oldcore}/83/filelists/bash (100%)
 rename config/rootfiles/{core => oldcore}/83/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/83/filelists/findutils (100%)
 rename config/rootfiles/{core => oldcore}/83/filelists/squid (100%)
 rename config/rootfiles/{core => oldcore}/83/meta (100%)
 rename config/rootfiles/{core => oldcore}/83/update.sh (97%)
 delete mode 100644 src/patches/bash-3.2-CVE-2014-7169.patch
 rename src/patches/{bash-3.2-CVE-2014-6271.patch => bash/bash32-052} (75%)
 create mode 100644 src/patches/bash/bash32-053
Difference in files: diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index c4a19e5..9b3f2bf 100755 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -217,7 +217,7 @@ sub get_std_net_ip }elsif($val eq 'BLUE'){ return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; }elsif($val eq 'RED'){ - return "0.0.0.0/0 -o $con"; + return "0.0.0.0/0"; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ @@ -226,6 +226,23 @@ sub get_std_net_ip return ; } } +sub get_interface +{ + my $net=shift; + if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){ + return "$netsettings{'GREEN_DEV'}"; + } + if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){ + return "$netsettings{'ORANGE_DEV'}"; + } + if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){ + return "$netsettings{'BLUE_DEV'}"; + } + if($net eq "0.0.0.0/0"){ + return "$netsettings{'RED_DEV'}"; + } + return ""; +} sub get_net_ip { my $val=shift; @@ -305,9 +322,9 @@ sub get_address # address. Otherwise, we assume that it is an IP address. if ($key ~~ ["src_addr", "tgt_addr"]) { if (&General::validmac($value)) { - push(@ret, "-m mac --mac-source $value"); + push(@ret, ["-m mac --mac-source $value", ""]); } else { - push(@ret, $value); + push(@ret, [$value, ""]); }
# If a default network interface (GREEN, BLUE, etc.) is selected, we @@ -316,88 +333,90 @@ sub get_address my $external_interface = &get_external_interface();
my $network_address = &get_std_net_ip($value, $external_interface); + if ($network_address) { - push(@ret, $network_address); + my $interface = &get_interface($network_address); + push(@ret, [$network_address, $interface]); }
# Custom networks. } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) { my $network_address = &get_net_ip($value); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); }
# Custom hosts. } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) { my $host_address = &get_host_ip($value, $type); if ($host_address) { - push(@ret, $host_address); + push(@ret, [$host_address, ""]); }
# OpenVPN networks. } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) { my $network_address = &get_ovpn_net_ip($value, 1); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); }
# OpenVPN hosts. } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) { my $host_address = &get_ovpn_host_ip($value, 33); if ($host_address) { - push(@ret, $host_address); + push(@ret, [$host_address, ""]); }
# OpenVPN N2N. } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) { my $network_address = &get_ovpn_n2n_ip($value, 11); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); }
# IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { my $network_address = &get_ipsec_net_ip($value, 11); if ($network_address) { - push(@ret, $network_address); + push(@ret, [$network_address, ""]); }
# The firewall's own IP addresses. } elsif ($key ~~ ["ipfire", "ipfire_src"]) { # ALL if ($value eq "ALL") { - push(@ret, "0/0"); + push(@ret, ["0/0", ""]);
# GREEN } elsif ($value eq "GREEN") { - push(@ret, $netsettings{"GREEN_ADDRESS"}); + push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
# BLUE } elsif ($value eq "BLUE") { - push(@ret, $netsettings{"BLUE_ADDRESS"}); + push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
# ORANGE } elsif ($value eq "ORANGE") { - push(@ret, $netsettings{"ORANGE_ADDRESS"}); + push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
# RED } elsif ($value ~~ ["RED", "RED1"]) { my $address = &get_external_address(); if ($address) { - push(@ret, $address); + push(@ret, [$address, ""]); }
# Aliases } else { my $alias = &get_alias($value); if ($alias) { - push(@ret, $alias); + push(@ret, [$alias, ""]); } }
# If nothing was selected, we assume "any". } else { - push(@ret, "0/0"); + push(@ret, ["0/0", ""]); }
return @ret; diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index aa8870c..40fb8dd 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -268,6 +268,33 @@ sub buildrules { } }
+ # Concurrent connection limit + my @ratelimit_options = (); + if ($$hash{$key}[32] eq 'ON') { + my $conn_limit = $$hash{$key}[33]; + + if ($conn_limit ge 1) { + push(@ratelimit_options, ("-m", "connlimit")); + + # Use the the entire source IP address + push(@ratelimit_options, "--connlimit-saddr"); + push(@ratelimit_options, ("--connlimit-mask", "32")); + + # Apply the limit + push(@ratelimit_options, ("--connlimit-upto", $conn_limit)); + } + } + + # Ratelimit + if ($$hash{$key}[34] eq 'ON') { + my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]"; + + if ($rate_limit) { + push(@ratelimit_options, ("-m", "limit")); + push(@ratelimit_options, ("--limit", $rate_limit)); + } + } + # Check which protocols are used in this rule and so that we can # later group rules by protocols. my @protocols = &get_protocols($hash, $key); @@ -295,22 +322,26 @@ sub buildrules { next unless ($src);
# Sanitize source. - my $source = $src; + my $source = @$src[0]; if ($source ~~ @ANY_ADDRESSES) { $source = ""; }
+ my $source_intf = @$src[1]; + foreach my $dst (@destinations) { # Skip invalid rules. next unless (defined $dst); next if (!$dst || ($dst eq "none"));
# Sanitize destination. - my $destination = $dst; + my $destination = @$dst[0]; if ($destination ~~ @ANY_ADDRESSES) { $destination = ""; }
+ my $destination_intf = @$dst[1]; + # Array with iptables arguments. my @options = ();
@@ -327,15 +358,26 @@ sub buildrules { push(@source_options, ("-s", $source)); }
+ if ($source_intf) { + push(@source_options, ("-i", $source_intf)); + } + # Prepare destination options. my @destination_options = (); if ($destination) { push(@destination_options, ("-d", $destination)); }
+ if ($destination_intf) { + push(@destination_options, ("-o", $destination_intf)); + } + # Add time constraint options. push(@options, @time_options);
+ # Add ratelimiting option + push(@options, @ratelimit_options); + my $firewall_is_in_source_subnet = 1; if ($source) { $firewall_is_in_source_subnet = &firewall_is_in_subnet($source); @@ -366,7 +408,7 @@ sub buildrules { # Make port-forwardings useable from the internal networks. my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1); unless ($nat_address ~~ @internal_addresses) { - &add_dnat_mangle_rules($nat_address, @nat_options); + &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options); }
push(@nat_options, @source_options); @@ -457,6 +499,10 @@ sub buildrules { } } } + #Reload firewall.local if present + if ( -f '/etc/sysconfig/firewall.local'){ + run("/etc/sysconfig/firewall.local reload"); + } }
# Formats the given timestamp into the iptables format which is "hh:mm" UTC. @@ -683,6 +729,7 @@ sub get_dnat_target_port {
sub add_dnat_mangle_rules { my $nat_address = shift; + my $interface = shift; my @options = @_;
my $mark = 0; @@ -693,6 +740,8 @@ sub add_dnat_mangle_rules { next unless (exists $defaultNetworks{$zone . "_NETADDRESS"}); next unless (exists $defaultNetworks{$zone . "_NETMASK"});
+ next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"}); + my @mangle_options = @options;
my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"}; diff --git a/config/rootfiles/core/82/filelists/iputils b/config/rootfiles/core/82/filelists/iputils deleted file mode 120000 index 361c28f..0000000 --- a/config/rootfiles/core/82/filelists/iputils +++ /dev/null @@ -1 +0,0 @@ -../../../common/iputils \ No newline at end of file diff --git a/config/rootfiles/core/82/filelists/openssl-compat b/config/rootfiles/core/82/filelists/openssl-compat deleted file mode 120000 index c9fa421..0000000 --- a/config/rootfiles/core/82/filelists/openssl-compat +++ /dev/null @@ -1 +0,0 @@ -../../../common/openssl-compat \ No newline at end of file diff --git a/config/rootfiles/core/83/exclude b/config/rootfiles/core/83/exclude deleted file mode 100644 index 18e9b4d..0000000 --- a/config/rootfiles/core/83/exclude +++ /dev/null @@ -1,20 +0,0 @@ -boot/config.txt -etc/collectd.custom -etc/ipsec.conf -etc/ipsec.secrets -etc/ipsec.user.conf -etc/ipsec.user.secrets -etc/localtime -etc/shadow -etc/ssh/ssh_config -etc/ssh/sshd_config -etc/ssl/openssl.cnf -etc/sudoers -etc/sysconfig/firewall.local -etc/sysconfig/rc.local -etc/udev/rules.d/30-persistent-network.rules -srv/web/ipfire/html/proxy.pac -var/ipfire/ovpn -var/log/cache -var/state/dhcp/dhcpd.leases -var/updatecache diff --git a/config/rootfiles/core/83/filelists/bash b/config/rootfiles/core/83/filelists/bash deleted file mode 120000 index de970cb..0000000 --- a/config/rootfiles/core/83/filelists/bash +++ /dev/null @@ -1 +0,0 @@ -../../../common/bash \ No newline at end of file diff --git a/config/rootfiles/core/83/filelists/files b/config/rootfiles/core/83/filelists/files deleted file mode 100644 index 5c0b6fe..0000000 --- a/config/rootfiles/core/83/filelists/files +++ /dev/null @@ -1,6 +0,0 @@ -etc/system-release -etc/issue -srv/web/ipfire/cgi-bin/logs.cgi/ids.dat -srv/web/ipfire/cgi-bin/proxy.cgi -srv/web/ipfire/cgi-bin/urlfilter.cgi -var/ipfire/general-functions.pl 
diff --git a/config/rootfiles/core/83/filelists/findutils b/config/rootfiles/core/83/filelists/findutils deleted file mode 120000 index 545280a..0000000 --- a/config/rootfiles/core/83/filelists/findutils +++ /dev/null @@ -1 +0,0 @@ -../../../common/findutils \ No newline at end of file diff --git a/config/rootfiles/core/83/filelists/squid b/config/rootfiles/core/83/filelists/squid deleted file mode 120000 index 2dc8372..0000000 --- a/config/rootfiles/core/83/filelists/squid +++ /dev/null @@ -1 +0,0 @@ -../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/83/meta b/config/rootfiles/core/83/meta deleted file mode 100644 index d547fa8..0000000 --- a/config/rootfiles/core/83/meta +++ /dev/null @@ -1 +0,0 @@ -DEPS="" diff --git a/config/rootfiles/core/83/update.sh b/config/rootfiles/core/83/update.sh deleted file mode 100644 index 195ba23..0000000 --- a/config/rootfiles/core/83/update.sh +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 3 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2014 IPFire-Team info@ipfire.org. # -# # -############################################################################ -# -. /opt/pakfire/lib/functions.sh -/usr/local/bin/backupctrl exclude >/dev/null 2>&1 - -# Remove old core updates from pakfire cache to save space... -core=83 -for (( i=1; i<=$core; i++ )) -do - rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire -done - -# Stop services - -# Remove old files - -# Extract files -extract_files - -# Start services - -# Update Language cache -perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" - -sync - -# This update need a reboot... -touch /var/run/need_reboot - -# Finish -/etc/init.d/fireinfo start -sendprofile - -# Don't report the exitcode last command -exit 0 diff --git a/config/rootfiles/core/84/exclude b/config/rootfiles/core/84/exclude new file mode 100644 index 0000000..18e9b4d --- /dev/null +++ b/config/rootfiles/core/84/exclude 
@@ -0,0 +1,20 @@ +boot/config.txt +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/84/filelists/bash b/config/rootfiles/core/84/filelists/bash new file mode 120000 index 0000000..de970cb --- /dev/null +++ b/config/rootfiles/core/84/filelists/bash @@ -0,0 +1 @@ +../../../common/bash \ No newline at end of file diff --git a/config/rootfiles/core/84/filelists/dnsmasq b/config/rootfiles/core/84/filelists/dnsmasq new file mode 120000 index 0000000..d469c74 --- /dev/null +++ b/config/rootfiles/core/84/filelists/dnsmasq @@ -0,0 +1 @@ +../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/core/84/filelists/files b/config/rootfiles/core/84/filelists/files new file mode 100644 index 0000000..85bca99 --- /dev/null +++ b/config/rootfiles/core/84/filelists/files @@ -0,0 +1,8 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/firewall +srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/fwhosts.cgi +usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/rules.pl +var/ipfire/langs diff --git a/config/rootfiles/core/84/meta b/config/rootfiles/core/84/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/84/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/84/update.sh b/config/rootfiles/core/84/update.sh new file mode 100644 index 0000000..1b83326 --- /dev/null +++ b/config/rootfiles/core/84/update.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2014 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=84 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/dnsmasq stop + +# Remove old files + +# Extract files +extract_files + +# Start services +/etc/init.d/dnsmasq start + +# Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/82/filelists/iputils b/config/rootfiles/oldcore/82/filelists/iputils new file mode 120000 index 0000000..361c28f --- /dev/null +++ b/config/rootfiles/oldcore/82/filelists/iputils @@ -0,0 +1 @@ +../../../common/iputils \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/82/filelists/openssl-compat b/config/rootfiles/oldcore/82/filelists/openssl-compat new file mode 120000 index 0000000..c9fa421 --- /dev/null +++ b/config/rootfiles/oldcore/82/filelists/openssl-compat @@ -0,0 +1 @@ +../../../common/openssl-compat \ No newline at end of file diff --git a/config/rootfiles/oldcore/83/exclude b/config/rootfiles/oldcore/83/exclude new file mode 100644 index 0000000..18e9b4d --- /dev/null +++ b/config/rootfiles/oldcore/83/exclude @@ -0,0 +1,20 @@ +boot/config.txt +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/oldcore/83/filelists/bash b/config/rootfiles/oldcore/83/filelists/bash new file mode 120000 index 0000000..de970cb --- /dev/null +++ b/config/rootfiles/oldcore/83/filelists/bash @@ -0,0 +1 @@ +../../../common/bash \ No newline at end of file diff --git a/config/rootfiles/oldcore/83/filelists/files b/config/rootfiles/oldcore/83/filelists/files new file mode 100644 index 0000000..5c0b6fe --- /dev/null +++ b/config/rootfiles/oldcore/83/filelists/files @@ -0,0 +1,6 @@ +etc/system-release +etc/issue +srv/web/ipfire/cgi-bin/logs.cgi/ids.dat +srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/urlfilter.cgi +var/ipfire/general-functions.pl diff --git a/config/rootfiles/oldcore/83/filelists/findutils b/config/rootfiles/oldcore/83/filelists/findutils new file mode 120000 index 0000000..545280a --- /dev/null +++ b/config/rootfiles/oldcore/83/filelists/findutils @@ -0,0 +1 @@ +../../../common/findutils \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/83/filelists/squid b/config/rootfiles/oldcore/83/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/oldcore/83/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/oldcore/83/meta b/config/rootfiles/oldcore/83/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/oldcore/83/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/oldcore/83/update.sh b/config/rootfiles/oldcore/83/update.sh new file mode 100644 index 0000000..c766b42 --- /dev/null +++ b/config/rootfiles/oldcore/83/update.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2014 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=83 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Remove old files + +# Extract files +extract_files + +# reload init because glibc/linker changed +telinit -u + +# Start services + +# Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Don't report the exitcode last command +exit 0 diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index e6ae527..badee6b 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -161,6 +161,22 @@ print<<END; $("#TIME_CONSTRAINTS").toggle(); });
+ // Limit concurrent connections per ip + if(!$("#USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP").attr("checked")) { + $("#LIMIT_CON").hide(); + } + $("#USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP").change(function() { + $("#LIMIT_CON").toggle(); + }); + + // Rate-limit new connections + if(!$("#USE_RATELIMIT").attr("checked")) { + $("#RATELIMIT").hide(); + } + $("#USE_RATELIMIT").change(function() { + $("#RATELIMIT").toggle(); + }); + // Automatically select radio buttons when corresponding // dropdown menu changes. $("select").change(function() { 
@@ -222,8 +238,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configinputfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31],$configinputfw{$key}[32],$configinputfw{$key}[33],$configinputfw{$key}[34],$configinputfw{$key}[35],$configinputfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} 
eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; 
@@ -241,14 +257,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configinputfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27],$configinputfw{$key}[28],$configinputfw{$key}[29],$configinputfw{$key}[30],$configinputfw{$key}[31],$configinputfw{$key}[32],$configinputfw{$key}[33],$configinputfw{$key}[34],$configinputfw{$key}[35],$configinputfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && 
$fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $errormessage=''; $fwdfwsettings{'nosave2'} = 'on'; 
@@ -266,8 +282,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') my $maxkey=&General::findhasharraykey(%configoutgoingfw); if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %configoutgoingfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err 
ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; 
@@ -285,14 +301,14 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configoutgoingfw{$key}[0],$configoutgoingfw{$key}[2],$configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],$configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],$configoutgoingfw{$key}[7],$configoutgoingfw{$key}[8],$configoutgoingfw{$key}[9],$configoutgoingfw{$key}[10],$configoutgoingfw{$key}[11],$configoutgoingfw{$key}[12],$configoutgoingfw{$key}[13],$configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],$configoutgoingfw{$key}[17],$configoutgoingfw{$key}[18],$configoutgoingfw{$key}[19],$configoutgoingfw{$key}[20],$configoutgoingfw{$key}[21],$configoutgoingfw{$key}[22],$configoutgoingfw{$key}[23],$configoutgoingfw{$key}[24],$configoutgoingfw{$key}[25],$configoutgoingfw{$key}[26],$configoutgoingfw{$key}[27],$configoutgoingfw{$key}[28],$configoutgoingfw{$key}[29],$configoutgoingfw{$key}[30],$configoutgoingfw{$key}[31],$configoutgoingfw{$key}[32],$configoutgoingfw{$key}[33],$configoutgoingfw{$key}[34],$configoutgoingfw{$key}[35],$configoutgoingfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err 
ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'} ) { if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; 
@@ -312,8 +328,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ #check if we have an identical rule already foreach my $key (sort keys %configfwdfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ 
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; 
@@ -331,19 +347,35 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configfwdfw){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'}" - eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" + eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27],$configfwdfw{$key}[28],$configfwdfw{$key}[29],$configfwdfw{$key}[30],$configfwdfw{$key}[31],$configfwdfw{$key}[32],$configfwdfw{$key}[33],$configfwdfw{$key}[34],$configfwdfw{$key}[35],$configfwdfw{$key}[36]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; } } } #check if we just close a rule - if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq 
$fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}) { + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'oldruletype'} eq $fwdfwsettings{'chain'}){ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'nosave2'} = 'on'; $errormessage=''; } } + #check max concurrent connections per ip address + if ($fwdfwsettings{'LIMIT_CON_CON'} eq 'ON'){ + if (!($fwdfwsettings{'concon'} =~ /^(\d+)$/)) { + $errormessage.=$Lang::tr{'fwdfw err concon'}; + } + }else{ + $fwdfwsettings{'concon'}=''; + } + #check ratelimit value + if ($fwdfwsettings{'RATE_LIMIT'} eq 'ON'){ + if (!($fwdfwsettings{'ratecon'} =~ /^(\d+)$/)) { + $errormessage.=$Lang::tr{'fwdfw err ratecon'}; + } + }else{ + $fwdfwsettings{'ratecon'}=''; + } #increase counters if (!$errormessage){ if ($fwdfwsettings{'nosave2'} ne 'on'){ 
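Review bot: the new validation at the end of the `-331,19 +347,35` hunk accepts `concon` and `ratecon` with `/^(\d+)$/`, so a value of `0` passes, and `RATETIME` is stored at index 36 without being checked against the three values the form can submit (second, minute, hour); suggest `/^[1-9]\d*$/` for the two counters and an explicit whitelist for `RATETIME`, since all three end up in the rule file. The appended `$Lang::tr{'fwdfw err concon'}` and `$Lang::tr{'fwdfw err ratecon'}` messages also lack the `"<br>"` separator the neighbouring remark error uses. Separately, the 35-field identical-rule comparison string is now duplicated six times across the input, outgoing and forward branches; a helper that builds the index list once would keep a future field from being added to five copies and missed in the sixth (the forward branch already omits `LOG` and index 17 while the other two include them).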
@@ -1064,7 +1096,6 @@ print<<END; END foreach my $network (sort keys %defaultNetworks) { - next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src'); next if($defaultNetworks{$network}{'NAME'} eq "IPFire"); print "<option value='$defaultNetworks{$network}{'NAME'}'"; print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'}); @@ -1517,6 +1548,11 @@ sub newrule $fwdfwsettings{'nat'} = $hash{$key}[31]; #changed order $fwdfwsettings{$fwdfwsettings{'nat'}} = $hash{$key}[29]; $fwdfwsettings{'dnatport'} = $hash{$key}[30]; + $fwdfwsettings{'LIMIT_CON_CON'} = $hash{$key}[32]; + $fwdfwsettings{'concon'} = $hash{$key}[33]; + $fwdfwsettings{'RATE_LIMIT'} = $hash{$key}[34]; + $fwdfwsettings{'ratecon'} = $hash{$key}[35]; + $fwdfwsettings{'RATETIME'} = $hash{$key}[36]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -1534,12 +1570,15 @@ sub newrule $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}} = 'CHECKED'; $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; $checked{'nat'}{$fwdfwsettings{'nat'}} = 'CHECKED'; + $checked{'LIMIT_CON_CON'}{$fwdfwsettings{'LIMIT_CON_CON'}} = 'CHECKED'; + $checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; $selected{'dnat'}{$fwdfwsettings{'dnat'}} ='selected'; $selected{'snat'}{$fwdfwsettings{'snat'}} ='selected'; + $selected{'RATETIME'}{$fwdfwsettings{'RATETIME'}} ='selected'; } } $fwdfwsettings{'oldgrp1a'}=$fwdfwsettings{'grp1'}; 
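Review bot: the `-1064,7 +1096,6` hunk drops the `next if ... eq "RED" && $srctgt eq 'src'` guard without a comment, so RED becomes selectable as a rule source; together with `getipforgroup` now returning `0.0.0.0/0` for RED (see the fwhosts.cgi hunk below), such a rule matches any source address unless the rule generator also binds it to the red interface, which should be stated in the commit message or enforced where the rule is built. In the `newrule` hunk, `$hash{$key}[32]` to `[36]` are undefined for rules saved before this change, so `$checked{'LIMIT_CON_CON'}{$fwdfwsettings{'LIMIT_CON_CON'}}` and `$selected{'RATETIME'}{$fwdfwsettings{'RATETIME'}}` index the hashes with undef and warn if warnings are enabled; defaulting them to `''` and `'second'` on read avoids that.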
@@ -1552,6 +1591,11 @@ sub newrule $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; $fwdfwsettings{'oldruletype'}=$fwdfwsettings{'chain'}; + $fwdfwsettings{'oldconcon'}=$fwdfwsettings{'LIMIT_CON_CON'}; + $fwdfwsettings{'olduseratelimit'}=$fwdfwsettings{'RATE_LIMIT'}; + $fwdfwsettings{'olduseratelimitamount'}=$fwdfwsettings{'ratecon'}; + $fwdfwsettings{'oldratelimittime'}=$fwdfwsettings{'RATETIME'}; + #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); @@ -1573,6 +1617,7 @@ sub newrule $fwdfwsettings{'oldusesrv'}=$fwdfwsettings{'USESRV'}; $fwdfwsettings{'oldruleremark'}=$fwdfwsettings{'ruleremark'}; $fwdfwsettings{'oldnat'}=$fwdfwsettings{'USE_NAT'}; + $fwdfwsettings{'oldconcon'}=$fwdfwsettings{'LIMIT_CON_CON'}; #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); 
@@ -2012,6 +2057,44 @@ END </table> </td> </tr> + <tr> + <td width='1%'> + <input type='checkbox' name='LIMIT_CON_CON' id="USE_LIMIT_CONCURRENT_CONNECTIONS_PER_IP" value='ON' $checked{'LIMIT_CON_CON'}{'ON'}> + </td> + <td>$Lang::tr{'fwdfw limitconcon'}</td> + </tr> + <tr id="LIMIT_CON"> + <td colspan='2'> + <table width='66%' border='0'> + <tr> + <td width="20em"> </td> + <td>$Lang::tr{'fwdfw maxconcon'}: <input type='text' name='concon' size='2' value="$fwdfwsettings{'concon'}"></td> + </tr> + </table> + </td> + </tr> + <tr> + <td width='1%'> + <input type='checkbox' name='RATE_LIMIT' id="USE_RATELIMIT" value='ON' $checked{'RATE_LIMIT'}{'ON'}> + </td> + <td>$Lang::tr{'fwdfw ratelimit'}</td> + </tr> + <tr id="RATELIMIT"> + <td colspan='2'> + <table width='66%' border='0'> + <tr> + <td width="20em"> </td> + <td>$Lang::tr{'fwdfw numcon'}: <input type='text' name='ratecon' size='2' value="$fwdfwsettings{'ratecon'}"> / + <select name='RATETIME' style='width:100px;'> + <option value='second' $selected{'RATETIME'}{'second'}>$Lang::tr{'age second'}</option> + <option value='minute' $selected{'RATETIME'}{'minute'}>$Lang::tr{'minute'}</option> + <option value='hour' $selected{'RATETIME'}{'hour'}>$Lang::tr{'hour'}</option> + </select> + </td> + </tr> + </table> + </td> + </tr> </table> <br> END @@ -2044,6 +2127,7 @@ END <input type='hidden' name='oldorange' value='$fwdfwsettings{'oldorange'}' /> <input type='hidden' name='oldnat' value='$fwdfwsettings{'oldnat'}' /> <input type='hidden' name='oldruletype' value='$fwdfwsettings{'oldruletype'}' /> + <input type='hidden' name='oldconcon' value='$fwdfwsettings{'oldconcon'}' /> <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td> </table></form> END 
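Review bot: `oldconcon` is emitted as a hidden field in the `-2044,6 +2127,7` hunk and set in both `newrule` hunks, but none of the visible `saverule` code compares it, and the other three new state variables (`olduseratelimit`, `olduseratelimitamount`, `oldratelimittime`) get no hidden field at all and are only set in the first `newrule` hunk, so the `#check if we just close a rule` comparison still ignores the connection-limit settings; either add them to that comparison or drop the dead assignments. In the form hunk, `<td width="20em">` is not a valid `width` attribute value (pixels or percent only; use a style), and the pre-existing `name='ACTION' value'reset'` in the context line is missing its `=`, which is worth fixing while this form is being touched.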
@@ -2180,6 +2264,11 @@ sub saverule $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; + $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'}; + $$hash{$key}[33] = $fwdfwsettings{'concon'}; + $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; + $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; + $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ @@ -2216,6 +2305,11 @@ sub saverule $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}}; $$hash{$key}[30] = $fwdfwsettings{'dnatport'}; $$hash{$key}[31] = $fwdfwsettings{'nat'}; + $$hash{$key}[32] = $fwdfwsettings{'LIMIT_CON_CON'}; + $$hash{$key}[33] = $fwdfwsettings{'concon'}; + $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; + $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; + $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; last; } } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1f96336..c3642f0 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
@@ -291,42 +291,13 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $errormessage=$errormessage.$Lang::tr{'fwhost err sub32'}; } if($fwhostsettings{'error'} ne 'on'){ - #check if we use one of ipfire's networks (green,orange,blue) - if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'GREEN_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'GREEN_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err green'}."<br>"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'ORANGE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'ORANGE_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err orange'}."<br>"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'BLUE_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'BLUE_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err blue'}."<br>"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } - if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && ($fwhostsettings{'IP'} eq $ownnet{'RED_NETADDRESS'} && $fwhostsettings{'SUBNET'} eq $ownnet{'RED_NETMASK'})) - { - $errormessage=$errormessage.$Lang::tr{'ccd err red'}."<br>"; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - if ($fwhostsettings{'update'} eq 'on'){$fwhostsettings{'ACTION'}='editnet';} - } + my $fullip="$fwhostsettings{'IP'}/".&General::iporsubtocidr($fwhostsettings{'SUBNET'}); + 
$errormessage=$errormessage.&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,""); } #only check plausi when no error till now if (!$errormessage){ &plausicheck("editnet"); } - #check if network ip is part of an already used one - if(&checksubnet(%customnetwork)) - { - $errormessage=$errormessage.$Lang::tr{'fwhost err partofnet'}; - $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; - } if($fwhostsettings{'actualize'} eq 'on' && $fwhostsettings{'newnet'} ne 'on' && $errormessage) { $fwhostsettings{'actualize'} = ''; @@ -338,9 +309,8 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) $customnetwork{$key}[3] = $fwhostsettings{'orgnetremark'}; &General::writehasharray("$confignet", %customnetwork); undef %customnetwork; - } + } if (!$errormessage){ - &General::readhasharray("$confignet", %customnetwork); if ($fwhostsettings{'ACTION'} eq 'updatenet'){ if ($fwhostsettings{'update'} == '0'){ @@ -392,7 +362,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) &General::writehasharray("$fwconfiginp", %fwinp); } } - } + } my $key = &General::findhasharraykey (%customnetwork); foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); @@ -416,7 +386,8 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) } &addnet; &viewtablenet; - }else { + }else{ + $fwhostsettings{'HOSTNAME'} = $fwhostsettings{'orgname'}; &addnet; &viewtablenet; } @@ -1644,7 +1615,10 @@ sub getcolor $tdcolor="<font style='color: $Header::colourblue;'>$c</font>"; return $tdcolor; } - + if ("$sip/$scidr" eq "0.0.0.0/0"){ + $tdcolor="<font style='color: $Header::colourred;'>$c</font>"; + return $tdcolor; + } #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ @@ -2501,6 +2475,9 @@ sub getipforgroup &General::readhash("${General::swroot}/vpn/settings",%hash); return $hash{'RW_NET'}; } + if ($name eq 'RED'){ + return "0.0.0.0/0"; + } } } sub decrease 
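Review bot: the `-291,42 +291,13` hunk replaces the four per-zone network checks and the `&checksubnet(%customnetwork)` overlap check with a single `&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,"")` call, and the `'fwhost err partofnet'` error disappears with it; please confirm `checksubnets` also reports overlap with existing custom networks, otherwise that check regresses silently. The removed per-zone branches also reset `HOSTNAME` to `orgname` and switched `ACTION` to `editnet` on error, while only the `}else{` branch in the `-416` hunk now restores `HOSTNAME`, so the edit-mode behaviour after a rejected save should be re-tested. The `&General::readhasharray("$confignet", %customnetwork)` removed inside `if (!$errormessage)` sat a few lines after `undef %customnetwork`, and `&General::findhasharraykey (%customnetwork)` in the `-392` hunk still depends on that hash being populated, which the hunk does not show.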
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6c46f70..b7692ee 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -982,12 +982,14 @@ 'fwdfw dnat porterr' => 'Für NAT-Regeln muss ein einzelner Port oder Portbereich angegeben werden.', 'fwdfw dnat porterr2' => 'Externer Port (NAT) darf nur angegeben werden, wenn ein Ziel-Port definiert ist.', 'fwdfw edit' => 'Bearbeiten', +'fwdfw err concon' => 'Ungültige Zahl für gleichzeitige Verbindungen', 'fwdfw err nosrc' => 'Keine Quelle ausgewählt', 'fwdfw err nosrcip' => 'Bitte Quell-IP-Adresse angeben', 'fwdfw err notgt' => 'Kein Ziel ausgewählt', 'fwdfw err notgtip' => 'Bitte Ziel-IP-Adresse angeben', 'fwdfw err prot_port' => 'Bei dem gewählten Protokoll sind Quell- und Zielport nicht erlaubt', 'fwdfw err prot_port1' => 'Bei Nutzung von Quell- oder Zielport muss als Protokoll TCP oder UDP gewählt werden.', +'fwdfw err ratecon' => 'Ungültiger Wert bei Anzahl der Verbindungen für Ratenlimitierung', 'fwdfw err remark' => 'Die Bemerkung enthält ungültige Zeichen', 'fwdfw err ruleexists' => 'Eine identische Regel existiert bereits', 'fwdfw err same' => 'Quelle und Ziel sind identisch', 
@@ -1006,15 +1008,18 @@ 'fwdfw hint mac' => 'Sie nutzen MAC-Adressen in der Zielgruppe. Diese werden bei der Regelerstellung übersprungen.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec-Netzwerke:', +'fwdfw limitconcon' => 'Beschränke gleichzeitige Verbindungen je IP-Adresse', 'fwdfw log' => 'Log', 'fwdfw log rule' => 'Logging aktivieren', 'fwdfw man port' => 'Port(s):', 'fwdfw many' => 'Diverse', +'fwdfw maxconcon' => 'Max. gleichzeitige Verbindungen', 'fwdfw menu' => 'Firewall', 'fwdfw movedown' => 'Herunter', 'fwdfw moveup' => 'Herauf', 'fwdfw natport used' => 'Der eingegebene Port wird bereits von einer anderen DNAT-Regel benutzt.', 'fwdfw newrule' => 'Neue Regel erstellen', +'fwdfw numcon' => 'Anzahl der Verbindungen', 'fwdfw p2p txt' => 'P2P-Netzwerke erlauben/verbieten.', 'fwdfw pol allow' => 'Zugelassen', 'fwdfw pol block' => 'Blockiert', @@ -1023,6 +1028,7 @@ 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw prot41' => 'IPv6 Encapsulation (Protokoll 41)', 'fwdfw prot41 short' => 'IPv6 Encap', +'fwdfw ratelimit' => 'Ratenlimitierung für neue Verbindungen', 'fwdfw red' => 'ROT', 'fwdfw reread' => 'Änderungen übernehmen', 'fwdfw rule action' => 'Regelaktion:', @@ -1111,7 +1117,7 @@ 'fwhost err remark' => 'Ungültige Bemerkung. Erlaubte Zeichen: Klein- und Großbuchstaben, Bindestrich, Unterstrich, Runde Klammern, Semikolon, Punkt.', 'fwhost err srv exists' => 'Ein Service mit diesem Namen existiert bereits', 'fwhost err srvexist' => 'Dieser Dienst ist bereits in der Gruppe', -'fwhost err sub32' => 'Bitte einen einzelnen Host hinzufügen, keine Netzwerke', +'fwhost err sub32' => 'Bitte Netzwerke hinzufügen, keinen einzelnen Host', 'fwhost green' => 'Grün', 'fwhost hint' => 'Hinweis', 'fwhost hosts' => 'Firewall-Hosts', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b537868..a15090a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
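Review bot: the de.pl hunk (@@ -1111,7 +1117,7 @@) inverts the meaning of an existing key, `'fwhost err sub32'`, from "add a single host, not a network" to "add a network, not a single host", and the en.pl change does the same. Any other caller of `$Lang::tr{'fwhost err sub32'}` that still uses it in the original sense (the hosts form, where a /32 is the expected input) will now show the wrong message. The fwhosts.cgi hunk above only shows the savenet use, so either confirm that is the only caller or introduce a new key for the network-form message and leave the old one intact.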
@@ -1009,12 +1009,14 @@ 'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT', 'fwdfw dnat porterr2' => 'Cannot use external port (NAT) when no destination port is defined.', 'fwdfw edit' => 'Edit', +'fwdfw err concon' => 'Invalid number for concurrent connections', 'fwdfw err nosrc' => 'No source selected.', 'fwdfw err nosrcip' => 'Please provide a source IP address.', 'fwdfw err notgt' => 'No destination selected.', 'fwdfw err notgtip' => 'Please provide a destination IP address.', 'fwdfw err prot_port' => 'Source- or targetport are not allowed with selected protocol', 'fwdfw err prot_port1' => 'When using Source- or targetport you have to select TCP or UDP for protocol', +'fwdfw err ratecon' => 'Invalid value for connections in Rate-limit', 'fwdfw err remark' => 'Invalid characters in remark.', 'fwdfw err ruleexists' => 'This rule already exists.', 'fwdfw err same' => 'Source and destination are identical.', @@ -1033,15 +1035,18 @@ 'fwdfw hint mac' => 'The destination group contains MAC addresses, which will be skipped during rule creation.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec networks:', +'fwdfw limitconcon' => 'Limit concurrent connections per IP address', 'fwdfw log' => 'Log', 'fwdfw log rule' => 'Log rule', 'fwdfw man port' => 'Port(s):', 'fwdfw many' => 'Many', +'fwdfw maxconcon' => 'Max. concurrent connections', 'fwdfw menu' => 'Firewall', 'fwdfw movedown' => 'Move down', 'fwdfw moveup' => 'Move up', 'fwdfw natport used' => 'The given port for NAPT is already in use by an other DNAT rule.', 'fwdfw newrule' => 'New rule', +'fwdfw numcon' => 'Number of connections', 'fwdfw p2p txt' => 'Grant/deny access to P2P networks.', 'fwdfw pol allow' => 'Allowed', 'fwdfw pol block' => 'Blocked', 
@@ -1050,6 +1055,7 @@ 'fwdfw pol title' => 'Default firewall behaviour', 'fwdfw prot41' => 'IPv6 Encapsulation (Protocol 41)', 'fwdfw prot41 short' => 'IPv6 Encap', +'fwdfw ratelimit' => 'Rate-limit new connections', 'fwdfw red' => 'RED', 'fwdfw reread' => 'Apply changes', 'fwdfw rule action' => 'Rule action:', @@ -1138,7 +1144,7 @@ 'fwhost err remark' => 'Invalid remark. Allowed characters: Upper- and lowercase letters, digits, space, dash, braces, semicolon, pipe and dot.', 'fwhost err srv exists' => 'A service with the same name already exists', 'fwhost err srvexist' => 'This service already exists in the group', -'fwhost err sub32' => 'Please add a single host, not a network.', +'fwhost err sub32' => 'Please add a network, not a single host', 'fwhost green' => 'Green', 'fwhost hint' => 'Note', 'fwhost hosts' => 'Firewall Hosts', diff --git a/lfs/bash b/lfs/bash index 58556fa..55afd24 100644 --- a/lfs/bash +++ b/lfs/bash @@ -89,15 +89,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- for i in $$(seq 1 51); do \ + for i in $$(seq 1 53); do \ cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash/bash32-$$(printf "%03d" "$${i}") || exit 1; \ done
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch - cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-6271.patch - cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-7169.patch
cd $(DIR_APP) && ./configure $(EXTRA_CONFIG) cd $(DIR_APP) && make $(EXTRA_MAKE) diff --git a/lfs/squid-accounting b/lfs/squid-accounting index 6f0fdc3..0dca63f 100644 --- a/lfs/squid-accounting +++ b/lfs/squid-accounting @@ -15,7 +15,7 @@ THISAPP = squid-accounting-$(VER) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = squid-accounting -PAK_VER = 2 +PAK_VER = 3
DEPS = "perl-DBI perl-DBD-SQLite perl-File-ReadBackwards perl-PDF-API2 sendEmail"
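Review bot: in the lfs/bash hunk (@@ -89,15 +89,13 @@) the loop bound bump from `seq 1 51` to `seq 1 53` together with the removal of the `bash-3.2-CVE-2014-6271.patch` and `bash-3.2-CVE-2014-7169.patch` lines implies that bash32-052 and bash32-053 now carry those two fixes, which matches upstream's numbering, but nothing in the hunk records it. Please name both CVEs in the commit message so the change is auditable, and make sure the two new files are added under src/patches/bash/ in the same commit, since the loop's `|| exit 1` will otherwise break the build at patch 052. After building, a quick check that the fix took is `env x='() { :;}; echo vulnerable' bash -c true`, which must not print "vulnerable".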
diff --git a/make.sh b/make.sh index 2b8f769..23ef2b6 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.15" # Version number -CORE="83" # Core Level (Filename) -PAKFIRE_CORE="82" # Core Level (PAKFIRE) +CORE="84" # Core Level (Filename) +PAKFIRE_CORE="83" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c7f8b67..66ca432 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -402,21 +402,11 @@ case "$1" in boot_mesg "Setting up firewall" iptables_init evaluate_retval - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local start - fi ;; reload|up) boot_mesg "Reloading firewall" iptables_red_up evaluate_retval - - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local reload - fi ;; down) boot_mesg "Disabling firewall access to RED" @@ -424,10 +414,6 @@ case "$1" in evaluate_retval ;; restart) - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop - fi $0 start ;; *) diff --git a/src/paks/squid-accounting/install.sh b/src/paks/squid-accounting/install.sh index f20b85f..835055a 100644 --- a/src/paks/squid-accounting/install.sh +++ b/src/paks/squid-accounting/install.sh 
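Review bot: the three src/initscripts/init.d/firewall hunks silently drop every invocation of `/etc/sysconfig/firewall.local` (start, reload and stop), and neither the hunks nor the visible commit log say where that hook now lives. Installations that carry custom rules in firewall.local will lose them on the next boot and on every `firewall reload` unless the call was moved into iptables_init or the rule generator. If it was moved, reference that commit here; if it was not, this hunk should not go in without a replacement, and the restart branch should keep calling the script's stop action before `$0 start` so stale custom rules are flushed.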
@@ -31,5 +31,8 @@ if [ ! -f /var/ipfire/accounting/acct.db ]; then chmod 644 /var/ipfire/accounting/acct.db chown nobody.nobody /var/ipfire/accounting/acct.db fi +#Set right permissions of directory /srv/web/ipfire/html/accounting +chown -R nobody.nobody /srv/web/ipfire/html/accounting +chmod 755 -R /srv/web/ipfire/html/accounting rm -f /var/ipfire/accounting/dbinstall.pl /usr/local/bin/update-lang-cache diff --git a/src/patches/bash-3.2-CVE-2014-6271.patch b/src/patches/bash-3.2-CVE-2014-6271.patch deleted file mode 100644 index 3964916..0000000 --- a/src/patches/bash-3.2-CVE-2014-6271.patch +++ /dev/null 
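Review bot: in the install.sh hunk (@@ -31,5 +31,8 @@), `chown -R nobody.nobody /srv/web/ipfire/html/accounting` followed by `chmod 755 -R` hands the whole served directory, including the logo and any static files, to the web server's user and marks every file executable. If only the graphs need to be written at runtime, give `nobody` write access to the graph subdirectory alone and keep the rest root-owned and read-only, with 755 on directories and 644 on files, for example `find /srv/web/ipfire/html/accounting -type d -exec chmod 755 {} +` and `find /srv/web/ipfire/html/accounting -type f -exec chmod 644 {} +`. Use the `nobody:nobody` form as well; the dot separator is a legacy spelling. The PAK_VER bump to 3 in lfs/squid-accounting is the right companion to this change so existing installs re-run the script.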
@@ -1,72 +0,0 @@ -*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 ---- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 -*************** -*** 34,37 **** ---- 34,39 ---- - - /* Flags for describe_command, shared between type.def and command.def */ -+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+ #define SEVAL_ONECMD 0x100 /* only allow a single command */ - #define CDESC_ALL 0x001 /* type -a */ - #define CDESC_SHORTDESC 0x002 /* command -V */ -*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 ---- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 -*************** -*** 235,238 **** ---- 235,246 ---- - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); -*************** -*** 292,295 **** ---- 300,306 ---- - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } -*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 ---- variables.c 2014-09-16 19:10:39.000000000 -0400 -*************** -*** 319,328 **** - strcpy (temp_string + char_index + 1, string); - -! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -! -! /* Ancient backwards compatibility. Old versions of bash exported -! functions like name()=() {...} */ -! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') -! name[char_index - 2] = '\0'; - - if (temp_var = find_function (name)) ---- 319,326 ---- - strcpy (temp_string + char_index + 1, string); - -! /* Don't import function names that are invalid identifiers from the -! environment. */ -! if (legal_identifier (name)) -! 
parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - if (temp_var = find_function (name)) -*************** -*** 333,340 **** - else - report_error (_("error importing function definition for `%s'"), name);
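Review bot: the deleted bash-3.2-CVE-2014-6271.patch carries the SEVAL_FUNCDEF/SEVAL_ONECMD flags and the `legal_identifier (name)` guard in variables.c, which is the same fix upstream ships as bash32-052, so removing it is functionally a no-op only if that numbered patch is present in src/patches/bash/. Since the loop in lfs/bash applies patches with `patch -Np0` from the unpacked source and the ad-hoc file used the same level, nothing else in the build needs to change, but the commit message should state the mapping from the two dropped files to bash32-052 and bash32-053 for anyone auditing the Shellshock fix later.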