The branch, fifteen has been updated via cbc6219852bbb1162469e5a002e1c923e7e4fad9 (commit) via f8cbcb7c8ac944c54c57023fe7951ac1770941c2 (commit) via 7b82bee7c4886652ef64f639fd877daa727d1348 (commit) via 84ac1131b1789de9c0ff76a24190b508c4101806 (commit) via ab4876ad4221acad2e62bbb7fe7f92ba45099806 (commit) from 89f8ad0e9966e0d78cbafcb6eedce4ed7bd4b133 (commit)
- Log ----------------------------------------------------------------- commit cbc6219852bbb1162469e5a002e1c923e7e4fad9 Author: Alexander Marx amarx@ipfire.org Date: Tue Nov 5 13:47:56 2013 +0100
Firewall: Fix typo in backup script which stops the conversion of old firewallrules
commit f8cbcb7c8ac944c54c57023fe7951ac1770941c2 Author: Alexander Marx amarx@ipfire.org Date: Mon Nov 4 08:04:44 2013 +0100
Firewall: Bugfix: When creating a service in firewall-groups and selecting a protocol other than icmp, the entry in the ruletable shows correct values PLUS the "all icmp-types" under ICMP. Now the ICMP field is empty when selecting another protocol than icmp
commit 7b82bee7c4886652ef64f639fd877daa727d1348 Author: Alexander Marx amarx@ipfire.org Date: Fri Nov 8 13:40:24 2013 +0100
Firewall: Bugfix: When creating a rule and using brackets in the comment, the rule is denied because of invalid characters in the string. But when creating a rule with just valid characters (without brackets) and then editing the rule, it is possible to use brackets without an error message. Now brackets are allowed.
commit 84ac1131b1789de9c0ff76a24190b508c4101806 Author: Alexander Marx amarx@ipfire.org Date: Mon Nov 4 07:31:31 2013 +0100
Firewall: remove /var/ipfire/portfw as it is not used anymore
commit ab4876ad4221acad2e62bbb7fe7f92ba45099806 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Nov 8 13:38:09 2013 +0100
firewall: Don't require the RW server to be enabled for N2N networks.
The firewall rules for OpenVPN have not been applied for N2N connections when the road warrior server was disabled.
-----------------------------------------------------------------------
Summary of changes: config/backup/backup.pl | 2 +- config/rootfiles/common/configroot | 2 +- html/cgi-bin/firewall.cgi | 2 +- html/cgi-bin/fwhosts.cgi | 1 + src/initscripts/init.d/firewall | 8 ++- src/misc-progs/openvpnctrl.c | 144 +++++-------------------------------- 6 files changed, 28 insertions(+), 131 deletions(-)
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 5424a1e..a56a698 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -120,7 +120,7 @@ elsif ($ARGV[0] eq 'restore') {
 #PORTFORWARD CONVERTER
 if( -d "${General::swroot}/portfw"){
 #START CONVERTER "PORTFW"
- System("/usr/sbin/convert-portfw");
+ system("/usr/sbin/convert-portfw");
 rmtree("${General::swroot}/portfw");
 }
 system("/usr/local/bin/firewallctrl");
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 7fdc983..795bdb1 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -134,7 +134,7 @@ var/ipfire/ovpn
 var/ipfire/pakfire
 #var/ipfire/pakfire/settings
 #var/ipfire/patches
-var/ipfire/portfw
+#var/ipfire/portfw
 #var/ipfire/portfw/config
 var/ipfire/ppp
 #var/ipfire/ppp/fake-resolv.conf
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 0b7c6fc..3e4e3b0 100755
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2355,7 +2355,7 @@ sub validremark
 if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;|_()/\s]*$/) {
 return 0;}
 # First character can only be a letter or a digit
- if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9]*$/) {
+ if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) {
 return 0;}
 # Last character can only be a letter or a digit
 if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) {
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index fd66a49..91de897 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -741,6 +741,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
 }
 }
 if($ICMP eq ''){$ICMP=$fwhostsettings{'ICMP_TYPES'};}
+ if ($fwhostsettings{'PROT'} ne 'ICMP'){$ICMP='';}
 if (!$errormessage){
 my $key = &General::findhasharraykey (%customservice);
 foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
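Review bot: The exit status of the convert-portfw run is still ignored, so when the converter fails the rmtree() on the next line deletes the only copy of the old port-forwarding rules before anything has been converted. system() returns the wait status, so the deletion should depend on it: `if (system("/usr/sbin/convert-portfw") == 0) { rmtree("${General::swroot}/portfw"); }`, otherwise log the failure and keep the directory for a retry. The enclosing restore branch starts and ends outside the hunk.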
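Review bot: The comment directly above the changed check in validremark still reads "First character can only be a letter or a digit", which the new character class contradicts now that `(` is accepted. Change it to `# First character can only be a letter, a digit or an opening bracket`; the "Last character" comment below it has the same problem since that class already admits `)`, `.`, `:`, `;` and `_`. validremark continues outside the hunk.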
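Review bot: The added line in fwhosts.cgi clears $ICMP for every protocol other than ICMP without saying why, so a reader has to recover the intent from the commit message. A one-line comment above it, `# ICMP types only apply to ICMP services; drop them for any other protocol`, documents the rule in place. The enclosing saveservice branch starts and ends outside the hunk.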
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 36d7e44..37ef351 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -159,6 +159,10 @@ iptables_init() {
 /sbin/iptables -N WIRELESSFORWARD
 /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
 
+ # OpenVPN
+ /sbin/iptables -N OVPNINPUT
+ /sbin/iptables -A INPUT -j OVPNINPUT
+
 # TOR
 /sbin/iptables -N TOR_INPUT
 /sbin/iptables -A INPUT -j TOR_INPUT
@@ -206,8 +210,8 @@ iptables_init() {
 /etc/sysconfig/firewall.local start
 fi
 
- # run openvpn
- /usr/local/bin/openvpnctrl --create-chains-and-rules
+ # Apply OpenVPN firewall rules
+ /usr/local/bin/openvpnctrl --firewall-rules
 
 # run wirelessctrl
 /usr/local/bin/wirelessctrl
diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 2577788..2af5372 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -25,12 +25,10 @@ char enableblue[STRING_SIZE] = "off";
 char enableorange[STRING_SIZE] = "off";
 
 // consts
-char OVPNRED[STRING_SIZE] = "OVPN";
-char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
-char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
+char OVPNINPUT[STRING_SIZE] = "OVPNINPUT";
 char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
 char OVPNNAT[STRING_SIZE] = "OVPNNAT";
-char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.3";
+char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.4";
 
 struct connection_struct {
 char name[STRING_SIZE];
@@ -40,7 +38,7 @@ struct connection_struct {
 char local_subnet[STRING_SIZE];
 char transfer_subnet[STRING_SIZE];
 char role[STRING_SIZE];
- int port;
+ char port[STRING_SIZE];
 struct connection_struct *next;
 };
 
@@ -81,10 +79,6 @@ void usage(void)
 printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
 printf(" -sdo --start-daemon-only\n");
 printf(" starts OpenVPN daemon only\n");
- printf(" -ccr --create-chains-and-rules\n");
- printf(" creates chains and rules for OpenVPN\n");
- printf(" -dcr --delete-chains-and-rules\n");
- printf(" removes all chains for OpenVPN\n");
 exit(1);
 }
 
@@ -149,7 +143,7 @@ connection *getConnections() {
 } else if (count == 29) {
 strcpy(conn_curr->proto, result);
 } else if (count == 30) {
- conn_curr->port = atoi(result);
+ strcpy(conn_curr->port, result);
 }
 
 count++;
@@ -242,111 +236,28 @@ void executeCommand(char *command) {
 safe_system(strncat(command, " >/dev/null 2>&1", 17));
 }
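Review bot: The help text kept at the top of this hunk, "removes current OpenVPN chains and rules and resets them according to the config", no longer describes what the wrapper does, since chain deletion and creation have been removed from every code path and only the rules inside the existing chains are rewritten. Its option line is outside the hunk (presumably `-fwr --firewall-rules`), but the description should follow the new behaviour, e.g. `printf("      flushes and re-applies the OpenVPN firewall rules according to the config\n");`. usage() starts outside the hunk.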
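Review bot: The new `strcpy(conn_curr->port, result)` stores the port field of the connection file verbatim, whereas the replaced atoi() guaranteed that only an integer could ever reach the command line; the value is later interpolated with `%s` into `/sbin/iptables ... --dport %s -j ACCEPT` and handed to the shell through safe_system() (hunk at -242), so the parser is now the only place that can constrain it. Validate before storing and bound the copy: `char *end; long p = strtol(result, &end, 10);` / `if (end == result || *end != '\0' || p < 1 || p > 65535) { /* reject this entry */ }` / `snprintf(conn_curr->port, sizeof conn_curr->port, "%s", result);`. The neighbouring `strcpy(conn_curr->proto, result)` has the same unbounded shape but predates this change. getConnections() starts and ends outside the hunk.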
 
-void setChainRules(char *chain, char *interface, char *protocol, char *port)
-{
- char str[STRING_SIZE];
+void addRule(const char *chain, const char *interface, const char *protocol, const char *port) {
+ char command[STRING_SIZE];
 
- sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port);
- executeCommand(str);
+ snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -i %s -p %s --dport %s -j ACCEPT",
+ chain, interface, protocol, port);
+ executeCommand(command);
 }
 
 void flushChain(char *chain) {
 char str[STRING_SIZE];
 
- sprintf(str, "/sbin/iptables -F %s", chain);
+ snprintf(str, STRING_SIZE - 1, "/sbin/iptables -F %s", chain);
 executeCommand(str);
 }
 
 void flushChainNAT(char *chain) {
 char str[STRING_SIZE];
 
- sprintf(str, "/sbin/iptables -t nat -F %s", chain);
- executeCommand(str);
-}
-
-void flushChainINPUT(char *chain) {
- char str[STRING_SIZE];
-
- snprintf(str, STRING_SIZE, "%sINPUT", chain);
- flushChain(str);
-}
-
-void deleteChainReference(char *chain) {
- char str[STRING_SIZE];
-
- sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
- executeCommand(str);
-}
-
-void deleteChain(char *chain) {
- char str[STRING_SIZE];
-
- sprintf(str, "/sbin/iptables -X %sINPUT", chain);
- executeCommand(str);
-}
-
-void deleteAllChains(void) {
- // not an elegant solution, but to avoid timing problems with undeleted chain references
- deleteChainReference(OVPNRED);
- deleteChainReference(OVPNBLUE);
- deleteChainReference(OVPNORANGE);
- flushChainINPUT(OVPNRED);
- flushChainINPUT(OVPNBLUE);
- flushChainINPUT(OVPNORANGE);
- deleteChain(OVPNRED);
- deleteChain(OVPNBLUE);
- deleteChain(OVPNORANGE);
-
- // Only flush chains that are created by the firewall
- flushChain(OVPNBLOCK);
- flushChainNAT(OVPNNAT);
-}
-
-void createChainReference(char *chain) {
- char str[STRING_SIZE];
- sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
- executeCommand(str);
-}
-
-void createChain(char *chain) {
- char str[STRING_SIZE];
- sprintf(str, "/sbin/iptables -N %sINPUT", chain);
+ snprintf(str, STRING_SIZE - 1, "/sbin/iptables -t nat -F %s", chain);
 executeCommand(str);
 }
 
-void createAllChains(void) {
- // create chain and chain references
- if (!strcmp(enableorange, "on")) {
- if (strlen(orangeif) > 0) {
- createChain(OVPNORANGE);
- createChainReference(OVPNORANGE);
- } else {
- fprintf(stderr, "OpenVPN enabled on orange but no orange interface found\n");
- //exit(1);
- }
- }
-
- if (!strcmp(enableblue, "on")) {
- if (strlen(blueif) > 0) {
- createChain(OVPNBLUE);
- createChainReference(OVPNBLUE);
- } else {
- fprintf(stderr, "OpenVPN enabled on blue but no blue interface found\n");
- //exit(1);
- }
- }
-
- if (!strcmp(enablered, "on")) {
- if (strlen(redif) > 0) {
- createChain(OVPNRED);
- createChainReference(OVPNRED);
- } else {
- fprintf(stderr, "OpenVPN enabled on red but no red interface found\n");
- //exit(1);
- }
- }
-}
-
 char* calcTransferNetAddress(const connection* conn) {
 char *subnetmask = strdup(conn->transfer_subnet);
 char *address = strsep(&subnetmask, "/");
@@ -459,19 +370,17 @@ void setFirewallRules(void) {
 freekeyvalues(kv);
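Review bot: `snprintf(command, STRING_SIZE - 1, ...)` in addRule (and the same form in flushChain and flushChainNAT) leaves one spare byte, but executeCommand, whose last two lines are visible at the top of the hunk, then strncat()s the 16-character ` >/dev/null 2>&1` into the same STRING_SIZE array, so a command that snprintf truncated, or one within 16 bytes of the limit, is written past the end of the caller's buffer; the snprintf return value is not checked either, and the `- 1` is not needed since snprintf always NUL-terminates within the size it is given. Check the length before handing the buffer on: `int n = snprintf(command, sizeof command, "...", chain, interface, protocol, port);` / `if (n < 0 || (size_t)n + 17 > sizeof command) { fprintf(stderr, "openvpnctrl: command too long\n"); return; }` (17 = redirect suffix plus NUL), or have executeCommand build the redirected line in its own larger buffer from a `const char *`. executeCommand's signature is outside the hunk.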
 
 // Flush all chains.
- flushChainINPUT(OVPNRED);
- flushChainINPUT(OVPNBLUE);
- flushChainINPUT(OVPNORANGE);
+ flushChain(OVPNINPUT);
 flushChain(OVPNBLOCK);
 flushChainNAT(OVPNNAT);
 
 // set firewall rules
 if (!strcmp(enablered, "on") && strlen(redif))
- setChainRules(OVPNRED, redif, protocol, dport);
+ addRule(OVPNINPUT, redif, protocol, dport);
 if (!strcmp(enableblue, "on") && strlen(blueif))
- setChainRules(OVPNBLUE, blueif, protocol, dport);
+ addRule(OVPNINPUT, blueif, protocol, dport);
 if (!strcmp(enableorange, "on") && strlen(orangeif))
- setChainRules(OVPNORANGE, orangeif, protocol, dport);
+ addRule(OVPNINPUT, orangeif, protocol, dport);
 
 // read connection configuration
 connection *conn = getConnections();
@@ -482,12 +391,10 @@ void setFirewallRules(void) {
 char *transfer_subnet_address = NULL;
 while (conn != NULL) {
 if (strcmp(conn->type, "net") == 0) {
- sprintf(command, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT",
- OVPNRED, redif, conn->proto, conn->port);
- executeCommand(command);
+ addRule(OVPNINPUT, redif, conn->proto, conn->port);
 
 /* Block all communication from the transfer nets. */
- snprintf(command, STRING_SIZE, "/sbin/iptables -A %s -s %s -j DROP",
+ snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -s %s -j DROP",
 OVPNBLOCK, conn->transfer_subnet);
 executeCommand(command);
 
@@ -495,7 +402,7 @@ void setFirewallRules(void) {
 transfer_subnet_address = calcTransferNetAddress(conn);
 
 if ((local_subnet_address) && (transfer_subnet_address)) {
- snprintf(command, STRING_SIZE, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
+ snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
 OVPNNAT, transfer_subnet_address, local_subnet_address);
 executeCommand(command);
 }
@@ -705,16 +612,10 @@ int main(int argc, char *argv[]) { displayopenvpn(); return 0; } - else if( (strcmp(argv[1], "-dcr") == 0) || (strcmp(argv[1], "--delete-chains-and-rules") == 0) ) { - deleteAllChains(); - return 0; - } else { ovpnInit(); if( (strcmp(argv[1], "-s") == 0) || (strcmp(argv[1], "--start") == 0) ) { - deleteAllChains(); - createAllChains(); setFirewallRules(); startDaemon(); return 0;
@@ -733,20 +634,11 @@ int main(int argc, char *argv[]) {
 }
 else if( (strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--restart") == 0) ) {
 stopDaemon();
- deleteAllChains();
- createAllChains();
 setFirewallRules();
 startDaemon();
 return 0;
 }
 else if( (strcmp(argv[1], "-fwr") == 0) || (strcmp(argv[1], "--firewall-rules") == 0) ) {
- deleteAllChains();
- createAllChains();
- setFirewallRules();
- return 0;
- }
- else if( (strcmp(argv[1], "-ccr") == 0) || (strcmp(argv[1], "--create-chains-and-rules") == 0) ) {
- createAllChains();
 setFirewallRules();
 return 0;
 }
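Review bot: setFirewallRules() now depends on the OVPNINPUT chain already existing, which this commit moves to src/initscripts/init.d/firewall, and because executeCommand() discards iptables' output and exit status (`>/dev/null 2>&1`), on a host whose firewall init script has not been re-run after the upgrade every `-F OVPNINPUT` and `-A OVPNINPUT ...` issued here fails without a trace and the OpenVPN ports simply stay closed. A comment at the "Flush all chains." line should state the new contract, e.g. `// OVPNINPUT, OVPNBLOCK and OVPNNAT are created by the firewall init script; this only flushes and repopulates them`, and executeCommand() should at least log a non-zero safe_system() result so a missing chain is visible. setFirewallRules() starts and ends outside the hunk.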
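Review bot: The N2N rule `addRule(OVPNINPUT, redif, conn->proto, conn->port)` is issued whether or not redif is set, while the road-warrior rules in the preceding hunk are guarded with `strlen(redif)`; with an empty redif the generated command reads `-i  -p ...`, which iptables rejects, and executeCommand swallows the error. Guard it the same way: `if (strlen(redif)) addRule(OVPNINPUT, redif, conn->proto, conn->port);`. The surrounding while loop over the connection list continues outside the hunk.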
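Review bot: With deleteAllChains() gone from every branch, nothing in the wrapper removes the OVPN_BLUE_INPUT and OVPN_ORANGE_INPUT chains or the `-I INPUT 14` jumps that wrapper 2.2.3 created (see the removed createChainReference and deleteChain above), and the old red chain was also named OVPNINPUT, the very name the init script now creates with `-N`. Unless iptables_init flushes and deletes every chain before its new OpenVPN block runs, which this diff does not show, a host upgraded without a full firewall restart keeps the stale chains and jumps, and the `-N OVPNINPUT` in the init script fails on the pre-existing chain. A one-time cleanup in the upgrade path, or at minimum a comment at the `-fwr` branch stating that chain creation is now owned by src/initscripts/init.d/firewall, would make the new division of responsibility explicit. main() starts and ends outside the hunk.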