@@ -31,6 +31,16 @@ for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
+# Add default lines for new firewall options
+optionsfw_file="/var/ipfire/optionsfw/settings"
+
+ echo "FORCE_DNS_ON_GREEN=off" >> ${optionsfw_file}
+ echo "FORCE_DNS_ON_BLUE=off" >> ${optionsfw_file}
+ echo "FORCE_NTP_ON_GREEN=off" >> ${optionsfw_file}
+ echo "FORCE_NTP_ON_BLUE=off" >> ${optionsfw_file}
+
+unset optionsfw_file
+
# Remove files
# Stop services
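Review bot: The default keys appended here (`FORCE_DNS_ON_GREEN`, `FORCE_DNS_ON_BLUE`, `FORCE_NTP_ON_GREEN`, `FORCE_NTP_ON_BLUE`) are not the names the rest of the change reads: the CGI looks up `$settings{'DNS_FORCE_ON_GREEN'}` and the firewall script tests `"$DNS_FORCE_ON_GREEN"` (presumably sourced from this same settings file), so the four lines written here never take effect and the new options have no stored default after the upgrade. The Makefile hunk that seeds `$(CONFIG_ROOT)/optionsfw/settings` has the same mismatch. Rename the keys to match the read side, e.g. `echo "DNS_FORCE_ON_GREEN=off" >> ${optionsfw_file}`, and likewise for the other three. Since `>>` appends unconditionally, a `grep -q '^DNS_FORCE_ON_GREEN=' "${optionsfw_file}" ||` guard in front of each echo would also keep a re-run of the update from duplicating the keys.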
@@ -69,6 +69,31 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
&General::readhash($filename, \%settings); # Load good settings
}
+if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) {
+ if ($settings{'defpol'} ne '1'){
+ &General::writehash($filename, \%settings); # Save good settings
+ system("/usr/local/bin/firewallctrl");
+ system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
+ }else{
+ if ($settings{'POLICY'} ne ''){
+ $fwdfwsettings{'POLICY'} = $settings{'POLICY'};
+ }
+ if ($settings{'POLICY1'} ne ''){
+ $fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
+ }
+ my $MODE = $fwdfwsettings{'POLICY'};
+ my $MODE1 = $fwdfwsettings{'POLICY1'};
+ %fwdfwsettings = ();
+ $fwdfwsettings{'POLICY'} = "$MODE";
+ $fwdfwsettings{'POLICY1'} = "$MODE1";
+ &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+ &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+ system("/usr/local/bin/firewallctrl");
+ system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
+ }
+ &General::readhash($filename, \%settings); # Load good settings
+}
+
&Header::openpage($Lang::tr{'options fw'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
&General::readhash($filename, \%settings);
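Review bot: The new `fw settings save and restart` branch appears to repeat the body of the `save` branch directly above it (the visible tail of that branch, the `readhash ... # Load good settings` line, is identical), differing only in the two `optionsfwctrl restart` calls, so the two copies will drift apart on the next edit; factoring the shared logic into one sub with a restart flag keeps a single copy, as sketched below. In the `defpol` path the submitted `POLICY`/`POLICY1` values are copied into `firewall/settings` after only a non-empty check, so if they are not validated against the allowed modes elsewhere in the file, that check belongs before `writehash`. The `"$MODE"` / `"$MODE1"` quoting is unnecessary; a plain assignment does the same.
```perl
# Save the submitted options and reload the firewall; with $restart set
# (used by "save and restart") the optionsfw helper is restarted as well.
sub _save_and_apply {
	my ($restart) = @_;
	if ($settings{'defpol'} ne '1') {
		&General::writehash($filename, \%settings); # Save good settings
	} else {
		# … unchanged: POLICY/POLICY1 copy, %fwdfwsettings rewrite, readhash …
	}
	system("/usr/local/bin/firewallctrl");
	system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1") if $restart;
	&General::readhash($filename, \%settings); # Load good settings
	return;
}

if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) {
	_save_and_apply(1);
}
```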
@@ -158,6 +183,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
$selected{'MASQUERADE_BLUE'}{'off'} = '';
$selected{'MASQUERADE_BLUE'}{'on'} = '';
$selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
&Header::openbox('100%', 'center',);
print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
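Review bot: `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"` uses the stored value as a hash key with no fallback, so when the key is absent from the settings file (which is the case if the defaults are seeded under a different name) the assignment lands on the empty-string key, neither radio button renders as checked, and the script warns about an uninitialized value if warnings are enabled; the same applies to the other three new blocks. Default the lookup to the safe state, e.g. `$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'} // 'off'} = "checked='checked'";` (defined-or needs 5.10+, which the rest of the file can confirm). The four blocks are identical except for the key and would read better as one loop over `qw(DNS_FORCE_ON_GREEN DNS_FORCE_ON_BLUE NTP_FORCE_ON_GREEN NTP_FORCE_ON_BLUE)`.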
@@ -207,7 +244,38 @@ END
END
}
- print <<END
+print <<END;
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'></tr>
+ <tr> </tr>
+ <td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
+ </tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
+ <input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
+ <input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+END
+
+ if (&Header::blue_used()) {
+ print <<END;
+ <table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+ <tr> </tr>
+ <tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
+ <input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
+ <input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+ <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+ </td>
+ </tr>
+END
+ }
+
+ print <<END;
</table>
<br>
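Review bot: The green section header in the first heredoc is malformed: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr> </tr>` another, and the `<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>` that follows sits outside any `<tr>` before a stray `</tr>`. The blue header a few lines down shows the intended shape; replace those four lines with the single line `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. In the `blue_used` branch a second `<table width='95%' cellspacing='0'>` is opened while the green table is still open, the bare `<tr>` before the first blue row is never closed, and the `</td>` / `</tr>` after the samba row close nothing; dropping those lines keeps the blue rows inside the one table that the following `</table>` closes.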
@@ -224,21 +292,25 @@ END
<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+END
+
+ if (&Header::blue_used()) {
+ print <<END;
+ <table width='95%' cellspacing='0'>
+ <tr>
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+ <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br/>
+ </tr>
+END
+ }
+
+ print <<END;
+ </table>
+
+ <br/>
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
- <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
- <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
<table width='95%' cellspacing='0'>
<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
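Review bot: When `blue_used` is true the wireless rows are printed into a fresh `<table width='95%' cellspacing='0'>` opened with a bare `<tr>`, but the table holding the preceding DROPOUTGOING/DROPPORTSCAN rows is never closed (the old `</table>` was removed), and the `</table>` printed after the branch closes only the inner one; the `</tr>` after the wirelessforward row also has no matching open row. Drop the `<table ...>`, the bare `<tr>` and that trailing `</tr>` from the blue branch so the rows continue the existing table, which the `</table>` after the branch then closes in both the blue and non-blue cases.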
@@ -323,7 +395,8 @@ END
<br />
<table width='100%' cellspacing='0'>
<tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
-<input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
+<input type='submit' name='ACTION' value='$Lang::tr{'fw settings save and restart'}' />
</form></td></tr>
</table>
</form>
@@ -836,6 +836,8 @@
'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
+'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU',
+'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN',
'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
@@ -1104,12 +1106,14 @@
'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
'fw blue' => 'Firewalloptionen für das Blaue Interface',
'fw default drop' => 'Firewallrichtlinie',
+'fw green' => 'Firewalloptionen für das Grüne Interface',
'fw logging' => 'Firewallprotokollierung',
'fw settings' => 'Firewalleinstellungen',
'fw settings color' => 'Farben in Regeltabelle anzeigen',
'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+'fw settings save and restart' => 'Speichern und Neustart',
'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
'fwdfw DROP' => 'Verwerfen (DROP)',
'fwdfw MODE1' => 'Alle Pakete verwerfen',
@@ -1814,6 +1818,8 @@
'november' => 'November',
'ntp common settings' => 'Allgemeine Einstellungen',
'ntp configuration' => 'Zeitserverkonfiguration',
+'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU',
+'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN',
'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
'ntp server' => 'NTP-Server',
'ntp sync' => 'Synchronisation',
@@ -859,6 +859,8 @@
'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
+'dns force on green' => 'Force DNS to use local DNS servers on GREEN',
+'dns force on blue' => 'Force DNS to use local DNS servers on BLUE',
'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
'dns header' => 'Assign DNS server addresses only for DHCP on red0',
@@ -1130,12 +1132,14 @@
'from warn email bad' => 'From e-mail address is not valid',
'fw blue' => 'Firewall options for BLUE interface',
'fw default drop' => 'Firewall policy',
+'fw green' => 'Firewall options for GREEN interface',
'fw logging' => 'Firewall logging',
'fw settings' => 'Firewall settings',
'fw settings color' => 'Show colors in ruletable',
'fw settings dropdown' => 'Show all networks on rulecreation site',
'fw settings remark' => 'Show remarks in ruletable',
'fw settings ruletable' => 'Show empty ruletables',
+'fw settings save and restart' => 'Save and Restart',
'fwdfw ACCEPT' => 'ACCEPT',
'fwdfw DROP' => 'DROP',
'fwdfw MODE1' => 'Drop all packets',
@@ -1844,6 +1848,8 @@
'november' => 'November',
'ntp common settings' => 'Common settings',
'ntp configuration' => 'NTP Configuration',
+'ntp force on green' => 'Force NTP to use local NTP servers on GREEN',
+'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE',
'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
'ntp server' => 'NTP Server',
'ntp sync' => 'Synchronization',
@@ -129,6 +129,10 @@ $(TARGET) :
echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FORCE_DNS_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FORCE_DNS_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FORCE_NTP_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "FORCE_NTP_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings
echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
@@ -246,6 +246,77 @@ iptables_init() {
iptables -A ${i} -j CAPTIVE_PORTAL
done
+# Force DNS REDIRECT on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
+ fi
+
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+fi
+
+# Force DNS REDIRECT on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+ fi
+
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
+# Force NTP REDIRECT on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
+# Force DNS REDIRECT on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
iptables -A ${i} -j CONNTRACK
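Review bot: The comment above the `NTP_FORCE_ON_BLUE` block reads `# Force DNS REDIRECT on BLUE (udp, 123)` but the rule it introduces is the NTP one; it should be `# Force NTP REDIRECT on BLUE (udp, 123)`. That slip is a symptom of the six check-then-add / check-then-delete sequences being the same rule text with only interface, protocol and port varied; a small helper taking those three plus the on/off value keeps one copy of the rule and, with a loop on the delete side, also removes duplicates if the chain was ever populated twice (sketched below, placed at file scope rather than inside `iptables_init`, which continues outside the hunk). `[ "$X" == "on" ]` is a bash extension; `=` is the portable form and behaves the same here. The interface names `green0`/`blue0` are literals, so if the script already carries the device names in variables those should be used, otherwise a renamed interface silently disables the redirect without any error.
```shell
# Ensure the REDIRECT rule for ${proto}/${port} arriving on ${iface} is
# present (state=on) or absent (state=off) in nat/CUSTOMPREROUTING,
# without ever adding a second copy.
sync_redirect_rule() {
	local iface="${1}" proto="${2}" port="${3}" state="${4}"
	local rule="CUSTOMPREROUTING -i ${iface} -p ${proto} -m ${proto} --dport ${port} -j REDIRECT"

	if [ "${state}" = "on" ]; then
		iptables -t nat -C ${rule} >/dev/null 2>&1 || iptables -t nat -A ${rule}
	else
		while iptables -t nat -C ${rule} >/dev/null 2>&1; do
			iptables -t nat -D ${rule} >/dev/null 2>&1
		done
	fi
}

# … unchanged: iptables_init() up to the CAPTIVE_PORTAL loop …

	# Force DNS (udp/tcp 53) and NTP (udp 123) from GREEN/BLUE to the local servers
	sync_redirect_rule green0 udp 53  "${DNS_FORCE_ON_GREEN}"
	sync_redirect_rule green0 tcp 53  "${DNS_FORCE_ON_GREEN}"
	sync_redirect_rule blue0  udp 53  "${DNS_FORCE_ON_BLUE}"
	sync_redirect_rule blue0  tcp 53  "${DNS_FORCE_ON_BLUE}"
	sync_redirect_rule green0 udp 123 "${NTP_FORCE_ON_GREEN}"
	sync_redirect_rule blue0  udp 123 "${NTP_FORCE_ON_BLUE}"
```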