This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via d22294fa7e70fa6eb907239ba00c2a0c7ae1863d (commit) via cc81c4305319798f6c47a90acf8a84cdb7a281c8 (commit) via 2dd3aa93f443ae2d29d92e3c6256329c8fb5ff46 (commit) via 766c2f601dc6015a04855420f338eebcd4e815e3 (commit) via 28e003e4861004579d1a271ac4255c62303c7b6a (commit) via aa5f4b65685421555cf09eccb068890926512abd (commit) from dd73ef846e9b75c52da993044c0bbba67dc8f7f6 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit d22294fa7e70fa6eb907239ba00c2a0c7ae1863d Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 16:17:20 2014 +0200
firewall: Fix outgoing OpenVPN N2N tunnel packets.
Don't throw away packets from the firewall that pass through an OpenVPN N2N tunnel.
commit cc81c4305319798f6c47a90acf8a84cdb7a281c8 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 16:01:11 2014 +0200
firewall: Fix spelling and separate spelling issues.
commit 2dd3aa93f443ae2d29d92e3c6256329c8fb5ff46 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 15:55:44 2014 +0200
firewall: Change headlines for rule sections.
commit 766c2f601dc6015a04855420f338eebcd4e815e3 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 15:39:08 2014 +0200
rules.pl: Rewrite P2P protocol filter.
commit 28e003e4861004579d1a271ac4255c62303c7b6a Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 15:23:45 2014 +0200
firewall.cgi: Sort protocols alphabetically.
commit aa5f4b65685421555cf09eccb068890926512abd Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Apr 12 15:16:08 2014 +0200
firewall: Fix creation of automatic rules for the firewall.
If the firewall is part of a local network (e.g. GREEN), we automatically add rules that grant/forbid access for the firewall, too.
This has been broken for various default policies other than ALLOWED.
-----------------------------------------------------------------------
Summary of changes: config/firewall/firewall-lib.pl | 3 + config/firewall/rules.pl | 122 +++++++++++++++++++++++++++++----------- config/menu/50-firewall.menu | 6 +- doc/language_issues.de | 3 + doc/language_issues.en | 3 + doc/language_issues.es | 5 +- doc/language_issues.fr | 5 +- doc/language_issues.nl | 5 +- doc/language_issues.pl | 5 +- doc/language_issues.ru | 5 +- doc/language_issues.tr | 5 ++ doc/language_missings | 8 +++ html/cgi-bin/firewall.cgi | 10 +++- langs/de/cgi-bin/de.pl | 6 +- langs/en/cgi-bin/en.pl | 2 + src/initscripts/init.d/firewall | 1 - 16 files changed, 146 insertions(+), 48 deletions(-)
Difference in files:
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 9f546a9..c4a19e5 100755
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -520,6 +520,9 @@ sub get_internal_firewall_ip_address
 		return 0;
 	}
+	# Convert net mask into correct format for &General::IpInSubnet().
+	$net_mask = &General::iporsubtodec($net_mask);
+
 	my @addresses = &get_internal_firewall_ip_addresses($use_orange);
 	foreach my $zone_address (@addresses) {
 		if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 92f1c0a..2c314d1 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -47,6 +47,7 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
 my %fwdfwsettings=();
+my %fwoptions = ();
 my %defaultNetworks=();
 my %configfwdfw=();;
 my %customgrp=();
@@ -63,6 +64,7 @@ my $configgrp = "${General::swroot}/fwhosts/customgroups";
 my $netsettings = "${General::swroot}/ethernet/settings";
 &General::readhash("${General::swroot}/firewall/settings", %fwdfwsettings);
+&General::readhash("${General::swroot}/optionsfw/settings", %fwoptions);
 &General::readhash("$netsettings", %defaultNetworks);
 &General::readhasharray($configfwdfw, %configfwdfw);
 &General::readhasharray($configinput, %configinputfw);
@@ -71,6 +73,14 @@ my $netsettings = "${General::swroot}/ethernet/settings";
my @log_limit_options = &make_log_limit_options();
+my $POLICY_INPUT_ALLOWED = 0;
+my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
+my $POLICY_OUTPUT_ALLOWED = ($fwdfwsettings{"POLICY1"} eq "MODE2");
+
+my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
+my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
+my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+
 # MAIN
 &main();
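Review bot: `$POLICY_INPUT_ACTION`, `$POLICY_FORWARD_ACTION` and `$POLICY_OUTPUT_ACTION` are taken straight from `%fwoptions` with no fallback, so if `optionsfw/settings` is absent or lacks `FWPOLICY2`/`FWPOLICY`/`FWPOLICY1` they are undef and the later `eq "DROP"` / `eq "REJECT"` comparisons in buildrules both fail quietly (with an uninitialized-value warning), meaning no DROP/REJECT forward rule is mirrored into INPUT/OUTPUT and the firewall's own behaviour silently diverges from what the operator configured. Suggest a fail-safe default for each, e.g. `my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"} || "DROP";`, with a comment that the restrictive action is chosen on purpose when the setting is missing. `$POLICY_FORWARD_ACTION` is assigned here but not referenced in any visible hunk; verify it is needed or drop it.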
@@ -131,20 +141,47 @@ sub flush {
 }
 sub preparerules {
-	if (! -z "${General::swroot}/firewall/config"){
-		&buildrules(%configfwdfw);
-	}
 	if (! -z "${General::swroot}/firewall/input"){
 		&buildrules(%configinputfw);
 	}
 	if (! -z "${General::swroot}/firewall/outgoing"){
 		&buildrules(%configoutgoingfw);
 	}
+	if (! -z "${General::swroot}/firewall/config"){
+		&buildrules(%configfwdfw);
+	}
 }
 sub buildrules {
 	my $hash = shift;
+	# Search for targets that need to be specially handled when adding
+	# forwarding rules. Additional rules will automatically get inserted
+	# into the INPUT/OUTPUT chains for these targets.
+	my @special_input_targets = ();
+	if (!$POLICY_FORWARD_ALLOWED) {
+		push(@special_input_targets, "ACCEPT");
+	}
+
+	if ($POLICY_INPUT_ACTION eq "DROP") {
+		push(@special_input_targets, "REJECT");
+	} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
+		push(@special_input_targets, "DROP");
+	}
+
+	my @special_output_targets = ();
+	if ($POLICY_OUTPUT_ALLOWED) {
+		push(@special_output_targets, ("DROP", "REJECT"));
+	} else {
+		push(@special_output_targets, "ACCEPT");
+
+		if ($POLICY_OUTPUT_ACTION eq "DROP") {
+			push(@special_output_targets, "REJECT");
+		} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
+			push(@special_output_targets, "DROP");
+		}
+	}
+
 	foreach my $key (sort {$a <=> $b} keys %$hash) {
 		# Skip disabled rules.
 		next unless ($$hash{$key}[2] eq 'ON');
@@ -297,11 +334,16 @@ sub buildrules {
 		# Add time constraint options.
 		push(@options, @time_options);
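Review bot: Moving the `firewall/config` block to the end of preparerules is load-bearing but undocumented: from this commit on buildrules appends extra INPUT/OUTPUT rules while processing forward rules, so building input and outgoing rules first is what guarantees the explicitly configured rules precede the auto-generated ones in those chains (all rules are added with `-A`, so order of invocation is order of evaluation). Suggest a comment above the moved block, e.g. `# Forward rules must be built last: buildrules() also appends automatic INPUT/OUTPUT rules for them, which have to follow the explicitly configured input/outgoing rules.` The `@special_*_targets` lists are also recomputed on every buildrules call although they only matter when `$chain eq $CHAIN_FORWARD`; hoisting them to file scope next to the `$POLICY_*` variables would make that dependency visible. The body of buildrules continues past this hunk.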
-		my $firewall_is_in_source_subnet = 0;
+		my $firewall_is_in_source_subnet = 1;
 		if ($source) {
 			$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
 		}
+		my $firewall_is_in_destination_subnet = 1;
+		if ($destination) {
+			$firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
+		}
+
 		# Process NAT rules.
 		if ($NAT) {
 			my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);
@@ -380,14 +422,6 @@ sub buildrules {
 		}
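Review bot: Flipping the default of `$firewall_is_in_source_subnet` from 0 to 1 and introducing `$firewall_is_in_destination_subnet = 1` means a forward rule with an empty ("any") source or destination is now treated as covering the firewall itself, so under a non-ALLOWED forward policy an `ACCEPT any -> any` rule will also emit an `-A INPUT ... -j ACCEPT` rule in the mirroring code later in this function, opening the firewall host rather than just the network behind it. That is a real widening of the firewall's own exposure relative to the removed `= 0` default and is not evident from the commit message; if intended, document it here, e.g. `# An unspecified (any) source/destination always includes the firewall itself, so such rules are mirrored into INPUT/OUTPUT below.`, and if not, keep the default at 0 for the "any" case. firewall_is_in_subnet is defined outside this hunk, so I cannot confirm how it treats non-network values.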
 		push(@options, @source_options);
-
-		if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
-			if ($LOG && !$NAT) {
-				run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
-			}
-			run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
-		}
-
 		push(@options, @destination_options);
 		# Insert firewall rule.
@@ -395,6 +429,27 @@ sub buildrules {
 				run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
 			}
 			run("$IPTABLES -A $chain @options -j $target");
+
+			# Handle forwarding rules and add corresponding rules for firewall access.
+			if ($chain eq $CHAIN_FORWARD) {
+				# If the firewall is part of the destination subnet and access to the destination network
+				# is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
+				# for the firewall, too.
+				if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+					if ($LOG && !$NAT) {
+						run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+					}
+					run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+				}
+
+				# Likewise.
+				if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
+					if ($LOG && !$NAT) {
+						run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+					}
+					run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+				}
+			}
 		}
 	}
 }
@@ -440,29 +495,29 @@ sub time_convert_to_minutes {
 }
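Review bot: `$target ~~ @special_input_targets` and `$target ~~ @special_output_targets` use the smartmatch operator, which is flagged experimental since Perl 5.18 and scheduled for removal; a plain membership test is both portable and clearer, e.g. `if ($firewall_is_in_destination_subnet && grep { $_ eq $target } @special_input_targets) {` and the same form for the OUTPUT check. Note also that the removed INPUT mirroring ran before `@destination_options` were pushed, whereas these rules reuse the complete `@options`; if the source/destination option builders (outside this hunk) can emit `-i`/`-o` interface matches, `-o` is rejected by iptables in INPUT and `-i` in OUTPUT, so that path needs verifying. The `$LOG && !$NAT` guard only suppresses the LOG rule for NAT rules while the mirrored ACCEPT/DROP/REJECT rule is still added; a one-line comment stating why NAT rules are not logged here would save the next reader the question.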
 sub p2pblock {
-	my $P2PSTRING = "";
-	my $DO;
-	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
-	@p2ps = <FILE>;
-	close FILE;
-	my $CMD = "-m ipp2p";
-	foreach my $p2pentry (sort @p2ps) {
-		my @p2pline = split( /;/, $p2pentry );
-		if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
-			$DO = "ACCEPT";
-			if ("$p2pline[2]" eq "on") {
-				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-			}
-		}else {
-			$DO = "RETURN";
-			if ("$p2pline[2]" eq "off") {
-				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-			}
-		}
+	my $search_action;
+	my $target;
+
+	if ($fwdfwsettings{"POLICY"} eq "MODE1") {
+		$search_action = "on";
+		$target = "ACCEPT";
+	} else {
+		$search_action = "off";
+		$target = "DROP";
 	}
-	if($P2PSTRING) {
-		run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
+	open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
+	my @protocols = ();
+	foreach my $p2pentry (<FILE>) {
+		my @p2pline = split(/;/, $p2pentry);
+		next unless ($p2pline[2] eq $search_action);
+
+		push(@protocols, "--$p2pline[1]");
+	}
+	close(FILE);
+
+	if (@protocols) {
+		run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
 	}
 }
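Review bot: For every policy other than MODE1 the rewritten p2pblock now jumps to `DROP` where the removed code jumped to `RETURN`, so disabled P2P protocols are dropped inside FORWARDFW instead of falling through to whatever rule or policy follows; that is a behaviour change the "Rewrite" commit message does not mention and should either be stated in a comment next to `$target = "DROP";` or reverted. The file handling keeps a bareword handle and a two-argument open; prefer `open(my $fh, "<", $p2pfile) or die "Unable to read $p2pfile: $!";` and iterate `<$fh>`, which also surfaces the errno in the die message. The on/off field is compared without `chomp`, so if that flag can ever be the last field on a line the comparison will fail silently and the protocol is simply left out of the rule; a `chomp($p2pentry);` before the split would make the match independent of the file's trailing separator.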
@@ -675,4 +730,3 @@ sub firewall_is_in_subnet {
 	return 0;
 }
-
diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index ce6fd9d..e872e64 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu
@@ -1,7 +1,7 @@
-    $subfirewall->{'10.forward'} = {
-                                'caption' => $Lang::tr{'fwdfw menu'},
+    $subfirewall->{'10.firewall'} = {
+                                'caption' => $Lang::tr{'firewall rules'},
                                 'uri' => '/cgi-bin/firewall.cgi',
-                                'title' => "$Lang::tr{'fwdfw menu'}",
+                                'title' => "$Lang::tr{'firewall rules'}",
                                 'enabled' => 1,
                               };
     $subfirewall->{'20.fwhost'} = {
diff --git a/doc/language_issues.de b/doc/language_issues.de
index d501b71..486ecba 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -181,6 +181,7 @@ WARNING: translation string unused: esp keylife
 WARNING: translation string unused: expected
 WARNING: translation string unused: expertoptions
 WARNING: translation string unused: exportkey
+WARNING: translation string unused: external access
 WARNING: translation string unused: external access configuration
 WARNING: translation string unused: external access rule added
 WARNING: translation string unused: external access rule changed
@@ -216,6 +217,7 @@ WARNING: translation string unused: fwdfw final_rule
 WARNING: translation string unused: fwdfw from
 WARNING: translation string unused: fwdfw ipsec network
 WARNING: translation string unused: fwdfw man port
+WARNING: translation string unused: fwdfw menu
 WARNING: translation string unused: fwdfw natport used
 WARNING: translation string unused: fwdfw p2p txt
 WARNING: translation string unused: fwdfw rule action
@@ -379,6 +381,7 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group diff --git a/doc/language_issues.en b/doc/language_issues.en index 494780f..e968b59 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -203,6 +203,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -238,6 +239,7 @@ WARNING: translation string unused: fwdfw final_rule WARNING: translation string unused: fwdfw from WARNING: translation string unused: fwdfw ipsec network WARNING: translation string unused: fwdfw man port +WARNING: translation string unused: fwdfw menu WARNING: translation string unused: fwdfw natport used WARNING: translation string unused: fwdfw p2p txt WARNING: translation string unused: fwdfw rule action @@ -405,6 +407,7 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group 
diff --git a/doc/language_issues.es b/doc/language_issues.es index 0e73b2e..dbccd8f 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -196,6 +196,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -361,6 +362,7 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall mode0 WARNING: translation string unused: outgoing firewall mode1 WARNING: translation string unused: outgoing firewall mode2 @@ -717,7 +719,6 @@ WARNING: untranslated string: fwdfw iface WARNING: untranslated string: fwdfw log WARNING: untranslated string: fwdfw log rule WARNING: untranslated string: fwdfw many -WARNING: untranslated string: fwdfw menu WARNING: untranslated string: fwdfw movedown WARNING: untranslated string: fwdfw moveup WARNING: untranslated string: fwdfw newrule @@ -820,6 +821,7 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: hardware support +WARNING: untranslated string: incoming firewall access WARNING: untranslated string: integrity WARNING: untranslated string: invalid input for dpd delay WARNING: untranslated string: invalid input for dpd timeout 
@@ -845,6 +847,7 @@ WARNING: untranslated string: openvpn prefix openvpn subnet WARNING: untranslated string: openvpn prefix remote subnet WARNING: untranslated string: openvpn subnet is used WARNING: untranslated string: other +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny WARNING: untranslated string: ovpn errmsg green already pushed diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 8206c57..4acdaf4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -196,6 +196,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -361,6 +362,7 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group @@ -728,7 +730,6 @@ WARNING: untranslated string: fwdfw iface WARNING: untranslated string: fwdfw log WARNING: untranslated string: fwdfw log rule WARNING: untranslated string: fwdfw many -WARNING: untranslated string: fwdfw menu WARNING: untranslated string: fwdfw movedown WARNING: untranslated string: fwdfw moveup WARNING: untranslated string: fwdfw newrule 
@@ -831,6 +832,7 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: hardware support +WARNING: untranslated string: incoming firewall access WARNING: untranslated string: integrity WARNING: untranslated string: invalid input for dpd delay WARNING: untranslated string: invalid input for dpd timeout @@ -858,6 +860,7 @@ WARNING: untranslated string: openvpn prefix openvpn subnet WARNING: untranslated string: openvpn prefix remote subnet WARNING: untranslated string: openvpn subnet is used WARNING: untranslated string: other +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: ovpn mgmt in root range WARNING: untranslated string: ovpn mtu-disc WARNING: untranslated string: ovpn mtu-disc and mtu not 1500 diff --git a/doc/language_issues.nl b/doc/language_issues.nl index f6311e9..949acdc 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -198,6 +198,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -366,6 +367,7 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group 
@@ -675,7 +677,6 @@ WARNING: untranslated string: fwdfw iface WARNING: untranslated string: fwdfw log WARNING: untranslated string: fwdfw log rule WARNING: untranslated string: fwdfw many -WARNING: untranslated string: fwdfw menu WARNING: untranslated string: fwdfw movedown WARNING: untranslated string: fwdfw moveup WARNING: untranslated string: fwdfw newrule @@ -778,6 +779,7 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: hardware support +WARNING: untranslated string: incoming firewall access WARNING: untranslated string: integrity WARNING: untranslated string: invalid input for dpd delay WARNING: untranslated string: invalid input for dpd timeout @@ -793,6 +795,7 @@ WARNING: untranslated string: most preferred WARNING: untranslated string: no hardware random number generator WARNING: untranslated string: notice WARNING: untranslated string: openvpn network +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: ovpn mgmt in root range WARNING: untranslated string: ovpn no connections WARNING: untranslated string: ovpn port in root range diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 0e73b2e..dbccd8f 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -196,6 +196,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed 
@@ -361,6 +362,7 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall mode0 WARNING: translation string unused: outgoing firewall mode1 WARNING: translation string unused: outgoing firewall mode2 @@ -717,7 +719,6 @@ WARNING: untranslated string: fwdfw iface WARNING: untranslated string: fwdfw log WARNING: untranslated string: fwdfw log rule WARNING: untranslated string: fwdfw many -WARNING: untranslated string: fwdfw menu WARNING: untranslated string: fwdfw movedown WARNING: untranslated string: fwdfw moveup WARNING: untranslated string: fwdfw newrule @@ -820,6 +821,7 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: hardware support +WARNING: untranslated string: incoming firewall access WARNING: untranslated string: integrity WARNING: untranslated string: invalid input for dpd delay WARNING: untranslated string: invalid input for dpd timeout @@ -845,6 +847,7 @@ WARNING: untranslated string: openvpn prefix openvpn subnet WARNING: untranslated string: openvpn prefix remote subnet WARNING: untranslated string: openvpn subnet is used WARNING: untranslated string: other +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny WARNING: untranslated string: ovpn errmsg green already pushed diff --git a/doc/language_issues.ru b/doc/language_issues.ru index e385fd8..e57e91e 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -195,6 +195,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -355,6 +356,7 @@ WARNING: translation string unused: or WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group @@ -712,7 +714,6 @@ WARNING: untranslated string: fwdfw iface WARNING: untranslated string: fwdfw log WARNING: untranslated string: fwdfw log rule WARNING: untranslated string: fwdfw many -WARNING: untranslated string: fwdfw menu WARNING: untranslated string: fwdfw movedown WARNING: untranslated string: fwdfw moveup WARNING: untranslated string: fwdfw newrule @@ -815,6 +816,7 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: hardware support +WARNING: untranslated string: incoming firewall access WARNING: untranslated string: incoming traffic in bytes per second WARNING: untranslated string: integrity WARNING: untranslated string: invalid input for dpd delay 
@@ -841,6 +843,7 @@ WARNING: untranslated string: openvpn prefix openvpn subnet WARNING: untranslated string: openvpn prefix remote subnet WARNING: untranslated string: openvpn subnet is used WARNING: untranslated string: other +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: outgoing traffic in bytes per second WARNING: untranslated string: ovpn mgmt in root range WARNING: untranslated string: ovpn mtu-disc diff --git a/doc/language_issues.tr b/doc/language_issues.tr index a880a58..0502043 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -203,6 +203,7 @@ WARNING: translation string unused: esp keylife WARNING: translation string unused: expected WARNING: translation string unused: expertoptions WARNING: translation string unused: exportkey +WARNING: translation string unused: external access WARNING: translation string unused: external access configuration WARNING: translation string unused: external access rule added WARNING: translation string unused: external access rule changed @@ -238,6 +239,7 @@ WARNING: translation string unused: fwdfw final_rule WARNING: translation string unused: fwdfw from WARNING: translation string unused: fwdfw ipsec network WARNING: translation string unused: fwdfw man port +WARNING: translation string unused: fwdfw menu WARNING: translation string unused: fwdfw natport used WARNING: translation string unused: fwdfw p2p txt WARNING: translation string unused: fwdfw rule action @@ -405,6 +407,7 @@ WARNING: translation string unused: original WARNING: translation string unused: other countries WARNING: translation string unused: our donors WARNING: translation string unused: out +WARNING: translation string unused: outgoing firewall WARNING: translation string unused: outgoing firewall add ip group WARNING: translation string unused: outgoing firewall add mac group WARNING: translation string unused: outgoing firewall edit ip group 
@@ -646,6 +649,8 @@ WARNING: untranslated string: bytes WARNING: untranslated string: count WARNING: untranslated string: fwdfw many WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: incoming firewall access +WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_missings b/doc/language_missings index fc30890..3f1f997 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -295,6 +295,7 @@ < fw settings ruletable < grouptype < hardware support +< incoming firewall access < integrity < invalid input for dpd delay < invalid input for dpd timeout @@ -328,6 +329,7 @@ < openvpn subnet is used < other < our donors +< outgoing firewall access < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -761,6 +763,7 @@ < fw settings ruletable < grouptype < hardware support +< incoming firewall access < integrity < invalid input for dpd delay < invalid input for dpd timeout @@ -792,6 +795,7 @@ < openvpn subnet is used < other < our donors +< outgoing firewall access < outgoing firewall add ip group < outgoing firewall add mac group < outgoing firewall edit ip group @@ -1211,6 +1215,7 @@ < fw settings ruletable < grouptype < hardware support +< incoming firewall access < integrity < invalid input for dpd delay < invalid input for dpd timeout @@ -1242,6 +1247,7 @@ < openvpn subnet is used < other < our donors +< outgoing firewall access < ovpn errmsg green already pushed < ovpn errmsg invalid ip or mask < ovpn mgmt in root range @@ -1651,6 +1657,7 @@ < grouptype < hardware support < hour-graph +< incoming firewall access < incoming traffic in bytes per second < integrity < invalid input for dpd delay 
@@ -1684,6 +1691,7 @@
 < openvpn subnet is used
 < other
 < our donors
+< outgoing firewall access
 < outgoing traffic in bytes per second
 < ovpn mgmt in root range
 < ovpn mtu-disc
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 9af97d1..53c7c1c 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -101,7 +101,7 @@ my @protocols;
 &General::readhasharray("$configipsec", %ipsecconf);
 &Header::showhttpheaders();
 &Header::getcgihash(%fwdfwsettings);
-&Header::openpage($Lang::tr{'fwdfw menu'}, 1, '');
+&Header::openpage($Lang::tr{'firewall rules'}, 1, '');
 &Header::openbigbox('100%', 'center',$errormessage);
 #### JAVA SCRIPT ####
 print<<END;
@@ -1284,6 +1284,10 @@ sub get_serviceports
 			}
 		}
 	}
+
+	# Sort protocols alphabetically.
+	@protocols = sort(@protocols);
+
 	return @protocols;
 }
 sub getcolor
@@ -2295,8 +2299,8 @@ sub viewtablerule
 	&General::readhash("/var/ipfire/ethernet/settings", %netsettings);
 	&viewtablenew(%configfwdfw, $configfwdfw, $Lang::tr{'firewall rules'});
-	&viewtablenew(%configinputfw, $configinput, $Lang::tr{'external access'});
-	&viewtablenew(%configoutgoingfw, $configoutgoing, $Lang::tr{'outgoing firewall'});
+	&viewtablenew(%configinputfw, $configinput, $Lang::tr{'incoming firewall access'});
+	&viewtablenew(%configoutgoingfw, $configoutgoing, $Lang::tr{'outgoing firewall access'});
 }
 sub viewtablenew {
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 5e8892d..74bd6e8 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -932,7 +932,7 @@
 'from email server' => 'Von Email Server',
 'from email user' => 'Von Email Benutzer',
 'from warn email bad' => 'Von Email Adresse ist nicht gültig',
-'fw blue' => 'Firewall-Optionen für das Blaue Interface',
+'fw blue' => 'Firewalloptionen für das Blaue Interface',
 'fw default drop' => 'Firewall Policy',
 'fw logging' => 'Firewall-Logging',
 'fw settings' => 'Firewall-Einstellungen',
@@ -1200,6 +1200,7 @@
 'inactive' => 'inaktiv',
 'include logfiles' => 'mit Logdateien',
 'incoming' => 'eingehend',
+'incoming firewall access' => 'Eingehender Firewallzugang',
 'incoming traffic in bytes per second' => 'Eingehender Verkehr',
 'incorrect password' => 'Fehlerhaftes Passwort',
 'info' => 'Info',
@@ -1580,7 +1581,7 @@
 'optional at cmd' => 'zusätzlicher Modembefehl',
 'optional data' => '3. Optionale Einstellungen',
 'options' => 'Optionen',
-'options fw' => 'Firewall-Optionen',
+'options fw' => 'Firewalloptionen',
 'optionsfw portlist hint' => 'Die Liste der Ports muss durch ein Komma getrennt werden (z.B. 137,138). Sie können maximal bis zu 15 Ports pro Protokoll angeben.',
 'optionsfw warning' => 'Verändern dieser Optionen bedingt einen Neustart der Firewall',
 'or' => 'oder',
@@ -1599,6 +1600,7 @@
 'out' => 'Aus',
 'outgoing' => 'ausgehend',
 'outgoing firewall' => 'Ausgehende Firewall',
+'outgoing firewall access' => 'Ausgehender Firewallzugang',
 'outgoing firewall add ip group' => 'IP Adressgruppen hinzufügen',
 'outgoing firewall add mac group' => 'MAC Adressgruppen hinzufügen',
 'outgoing firewall edit ip group' => 'IP Adressgruppen bearbeiten',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index db31a89..f8cdf76 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1228,6 +1228,7 @@
 'inactive' => 'inactive',
 'include logfiles' => 'Include logfiles',
 'incoming' => 'incoming',
+'incoming firewall access' => 'Incoming Firewall Access',
 'incoming traffic in bytes per second' => 'Incoming Traffic',
 'incorrect password' => 'Incorrect password',
 'info' => 'Info',
@@ -1629,6 +1630,7 @@
 'out' => 'Out',
 'outgoing' => 'outgoing',
 'outgoing firewall' => 'Outgoing Firewall',
+'outgoing firewall access' => 'Outgoing Firewall Access',
 'outgoing firewall add ip group' => 'Add IP Address Group',
 'outgoing firewall add mac group' => 'Add MAC Address Group',
 'outgoing firewall edit ip group' => 'Edit IP Address Group',
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 31aa2c9..f0d9c49 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -107,7 +107,6 @@ iptables_init() {
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT -i tun+ -j OVPNBLOCK
-	iptables -A OUTPUT -o tun+ -j OVPNBLOCK
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
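Review bot: Removing `iptables -A OUTPUT -o tun+ -j OVPNBLOCK` takes the OVPNBLOCK filter off all locally generated traffic into every `tun+` interface, not only the OpenVPN N2N tunnels the commit message talks about, so whatever OVPNBLOCK was meant to stop the firewall from sending into roadwarrior transfer networks is no longer enforced in the OUTPUT direction. If N2N tunnels can be distinguished from roadwarrior tunnels (by interface name or transfer network), the narrower fix is to keep this line and add an early exemption for N2N traffic inside OVPNBLOCK; if not, at least replace the removed line with a comment such as `# OUTPUT towards tun+ is deliberately not filtered: the firewall's own traffic into N2N tunnels must pass (see OVPNBLOCK).` so the asymmetry with INPUT/FORWARD is recorded. The rules populating OVPNBLOCK are outside this hunk, so I cannot tell exactly which traffic class this exposes; the function iptables_init continues past the hunk.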
hooks/post-receive -- IPFire 2.x development tree