move firewall6 save_rule and setup to firwall/save_rule6 and setup6

2026-03-20 16:50:24 +00:00 · 2017-06-28 13:21:33 +02:00
parent bd0719cdf6
commit 2ba020877c
4 changed files with 662 additions and 2 deletions
--- a/firewall/index.cgi
+++ b/firewall/index.cgi
@@ -106,7 +106,7 @@ if (!$config{'direct'} &&
 		# Offer to set up a firewall
 		print &text($in{'reset'} ? 'index_rsetup' : 'index_setup',
 			    "<tt>$ipvx_save</tt>"),"<p>\n";
-		print &ui_form_start("setup.cgi");
+		print &ui_form_start("setup${ipvx}.cgi");
                print &ui_hidden("version", ${ipvx_arg});
 		print &ui_hidden("reset", $in{'reset'});
 		print "<center><table><tr><td>\n";
--- a/firewall/save_rule.cgi
+++ b/firewall/save_rule.cgi
@@ -19,7 +19,7 @@ else {
 	}
 if ($in{'clone'}) {
 	# Go back to the editing page
-	&redirect("edit_rule.cgi?new=1&clone=$in{'idx'}&".
+	&redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
 		  "table=".&urlize($in{'table'})."&".
 		  "after=$in{'idx'}&".
 		  "chain=".&urlize($rule->{'chain'}));
--- a/firewall/save_rule6.cgi
+++ b/firewall/save_rule6.cgi
@@ -0,0 +1,410 @@
+#!/usr/local/bin/perl
+# save_rule.cgi
+# Save, create or delete a rule in a chain
+
+require './firewall-lib.pl';
+&ReadParse();
+if (&get_ipvx_version() == 6) { require './firewall6-lib.pl';
+	} else { require './firewall4-lib.pl'; }
+&error_setup($text{'save_err'});
+@tables = &get_iptables_save();
+$table = $tables[$in{'table'}];
+&can_edit_table($table->{'name'}) || &error($text{'etable'});
+if ($in{'new'}) {
+	$rule = { 'chain' => $in{'chain'} };
+	}
+else {
+	$rule = $table->{'rules'}->[$in{'idx'}];
+	&can_jump($rule) || &error($text{'ejump'});
+	}
+if ($in{'clone'}) {
+	# Go back to the editing page
+	&redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
+		  "table=".&urlize($in{'table'})."&".
+		  "chain=".&urlize($rule->{'chain'}));
+	}
+
+&lock_file($ipvx_save);
+if ($in{'delete'}) {
+	# Just delete this rule
+	splice(@{$table->{'rules'}}, $in{'idx'}, 1);
+	}
+else {
+	# Validate and store inputs
+	if ($config{'comment_mod'}) {
+		$in{'cmt'} =~ s/^\s+//;
+		$in{'cmt'} =~ s/\s+$//;
+		if ($in{'cmt'}) {
+			$rule->{'comment'} = [ "", $in{'cmt'} ];
+			push(@mods, "comment");
+			}
+		else {
+			delete($rule->{'comment'});
+			}
+		}
+	else {
+		$rule->{'cmt'} = $in{'cmt'};
+		delete($rule->{'comment'});
+		@mods = grep { $_ ne "comment" } @mods;
+		}
+	if ($in{'jump'} eq '*') {
+		$in{'other'} =~ /^\S+$/ || &error($text{'save_echain'});
+		$rule->{'j'} = [ "", $in{'other'} ];
+		}
+	elsif ($in{'jump'}) {
+		$rule->{'j'} = [ "", $in{'jump'} ];
+		}
+	else {
+		delete($rule->{'j'});
+		}
+	&can_jump($rule) || &error($text{'save_ecanjump'});
+	if (defined($in{'rwithtype'})) {
+		if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) {
+			$rule->{'reject-with'} = [ "", $in{'rwithtype'} ];
+			}
+		else {
+			delete($rule->{'reject-with'});
+			}
+		}
+
+	# Parse redirect or masquerade input
+	if ($table->{'name'} eq 'nat') {
+		if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) {
+			$in{'rtofrom'} =~ /^\d+$/ ||
+				&error($text{'save_ertoports'});
+			$in{'rtoto'} =~ /^\d*$/ ||
+				&error($text{'save_ertoports'});
+			$rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ?
+			    $in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ];
+			}
+		elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) {
+			$in{'mtofrom'} =~ /^\d+$/ ||
+				&error($text{'save_emtoports'});
+			$in{'mtoto'} =~ /^\d*$/ ||
+				&error($text{'save_emtoports'});
+			$rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ?
+			    $in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ];
+			}
+		else {
+			delete($rule->{'to-ports'});
+			}
+		}
+	if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') {
+		if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) {
+			!$in{'dipfrom'} || &check_ipaddress($in{'dipfrom'}) ||
+				&error($text{'save_edipfrom'});
+			!$in{'dipto'} || &check_ipaddress($in{'dipto'}) ||
+				&error($text{'save_edipto'});
+			local $v = "[".$in{'dipfrom'}."]";
+			$v .= "-[".$in{'dipto'}."]" if ($in{'dipto'});
+			if ($in{'dpfrom'} ne '') {
+				$in{'dpfrom'} =~ /^\d+$/ ||
+					&error($text{'save_edpfrom'});
+				$in{'dpto'} =~ /^\d*$/ ||
+					&error($text{'save_edpto'});
+				if ($in{'dpto'} eq '') {
+					$v .= ":".$in{'dpfrom'};
+					}
+				else {
+					$v .= ":".$in{'dpfrom'}."-".$in{'dpto'};
+					}
+				}
+			$rule->{'to-destination'} = [ "", $v ];
+			}
+		else {
+			delete($rule->{'to-destination'});
+			}
+		}
+	if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
+	    $rule->{'chain'} ne 'OUTPUT') {
+		if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) {
+			(!$in{'sipfrom'} && !$in{'sipto'}) ||
+			    &check_ipaddress($in{'sipfrom'}) ||
+				&error($text{'save_esipfrom'});
+			!$in{'sipto'} || &check_ipaddress($in{'sipto'}) ||
+				&error($text{'save_esipto'});
+			local $v = $in{'sipfrom'};
+			$v .= "-".$in{'sipto'} if ($in{'sipto'});
+			if ($in{'spfrom'} ne '') {
+				$in{'spfrom'} =~ /^\d+$/ ||
+					&error($text{'save_espfrom'});
+				$in{'spto'} =~ /^\d*$/ ||
+					&error($text{'save_espto'});
+				if ($in{'spto'} eq '') {
+					$v .= ":".$in{'spfrom'};
+					}
+				else {
+					$v .= ":".$in{'spfrom'}."-".$in{'spto'};
+					}
+				}
+			$rule->{'to-source'} = [ "", $v ];
+			}
+		else {
+			delete($rule->{'to-source'});
+			}
+		}
+	if (&parse_mode("source", $rule, "s")) {
+		&check_ipmask($in{'source'}) || &error($text{'save_esource'});
+		$rule->{'s'}->[1] = $in{'source'};
+		}
+	if (&parse_mode("dest", $rule, "d")) {
+		&check_ipmask($in{'dest'}) || &error($text{'save_edest'});
+		$rule->{'d'}->[1] = $in{'dest'};
+		}
+	if (&parse_mode("in", $rule, "i")) {
+		$in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ ||
+			&error($text{'save_ein'});
+		$rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ?
+					$in{'in_other'} : $in{'in'};
+		}
+	if (&parse_mode("out", $rule, "o")) {
+		$in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ ||
+			&error($text{'save_eout'});
+		$rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ?
+					$in{'out_other'} : $in{'out'};
+		}
+	if ($in{'frag'} == 0) { delete($rule->{'f'}); }
+	elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; }
+	else { $rule->{'f'} = [ "!" ]; }
+	if (&parse_mode("proto", $rule, "p")) {
+		$in{'proto'} || $in{'proto_other'} =~ /^\d+$/ ||
+			&error($text{'save_eproto'});
+		$rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'};
+		if (!$rule->{'p'}->[0]) {
+			$proto = $in{'proto'};
+			push(@mods, $in{'proto'})
+				if ($proto eq 'tcp' || $proto eq 'udp' ||
+				    $proto eq "icmp${ipvx_icmp}" && $in{'icmptype_mode'});
+			}
+		}
+
+	if (&parse_mode("sport", $rule, "sport")) {
+		$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+			&error($text{'save_etcpudp'});
+		if ($in{"sport_type"} == 0) {
+			$in{"sport"} =~ /^\S+$/ ||
+				&error($text{'save_esport'});
+			if ($in{"sport"} =~ /,/) {
+				$rule->{'sports'}->[1] = $in{"sport"};
+				$rule->{'sports'}->[0] = $rule->{'sport'}->[0];
+				push(@mods, "multiport");
+				delete($rule->{'sport'});
+				}
+			else {
+				$rule->{'sport'}->[1] = $in{"sport"};
+				delete($rule->{'sports'});
+				}
+			}
+		else {
+			$in{"sport_from"} =~ /^\d*$/ ||
+				&error($text{'save_esportfrom'});
+			$in{"sport_to"} =~ /^\d*$/ ||
+				&error($text{'save_esportto'});
+			$rule->{'sport'}->[1] = $in{"sport_from"}.":".
+						$in{"sport_to"};
+			$rule->{'sport'}->[1] eq ":" &&
+				&error($text{'save_esportrange'});
+			delete($rule->{'sports'});
+			}
+		}
+	else {
+		delete($rule->{'sports'});
+		}
+	if (&parse_mode("dport", $rule, "dport")) {
+		$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+			&error($text{'save_etcpudp'});
+		if ($in{"dport_type"} == 0) {
+			$in{"dport"} =~ /^\S+$/ ||
+				&error($text{'save_edport'});
+			if ($in{"dport"} =~ /,/) {
+				$rule->{'dports'}->[1] = $in{"dport"};
+				$rule->{'dports'}->[0] = $rule->{'dport'}->[0];
+				push(@mods, "multiport");
+				delete($rule->{'dport'});
+				}
+			else {
+				$rule->{'dport'}->[1] = $in{"dport"};
+				delete($rule->{'dports'});
+				}
+			}
+		else {
+			$in{"dport_from"} =~ /^\d*$/ ||
+				&error($text{'save_edportfrom'});
+			$in{"dport_to"} =~ /^\d*$/ ||
+				&error($text{'save_edportto'});
+			$rule->{'dport'}->[1] = $in{"dport_from"}.":".
+						$in{"dport_to"};
+			$rule->{'dport'}->[1] eq ":" &&
+				&error($text{'save_edportrange'});
+			delete($rule->{'dports'});
+			}
+		}
+	else {
+		delete($rule->{'dports'});
+		}
+	if (&parse_mode("ports", $rule, "ports")) {
+		$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+			&error($text{'save_etcpudp'});
+		$in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
+		$rule->{'ports'}->[1] = $in{'ports'};
+		push(@mods, "multiport");
+		}
+	if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
+		$proto eq "tcp" || &error($text{'save_etcp1'});
+		local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
+		local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
+		#$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
+		$tcp0 || &error($text{'save_etcpflags2'});
+		$rule->{'tcp-flags'}->[1] = $tcp0;
+		$rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
+		}
+	if (&parse_mode("tcpoption", $rule, "tcp-option")) {
+		$proto eq "tcp" || &error($text{'save_etcp2'});
+		$in{"tcpoption"} =~ /^\d+$/ ||
+			&error($text{'save_etcpoption'});
+		$rule->{'tcp-option'}->[1] = $in{"tcpoption"};
+		}
+	if (&parse_mode("icmptype", $rule, "icmp${ipvx_icmp}-type")) {
+		$proto eq "icmp${ipvx_icmp}" || &error($text{'save_eicmp'});
+		$rule->{"icmp${ipvx_icmp}-type"}->[1] = $in{'icmptype'};
+		}
+	if (&parse_mode("macsource", $rule, "mac-source")) {
+		$in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
+			&error($text{'save_emac'});
+		$rule->{'mac-source'}->[1] = $in{'macsource'};
+		push(@mods, "mac");
+		}
+	if (&parse_mode("limit", $rule, "limit")) {
+		$in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
+		$rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
+		push(@mods, "limit");
+		}
+	if (&parse_mode("limitburst", $rule, "limit-burst")) {
+		$in{'limitburst'} =~ /^\d+$/ ||
+			&error($text{'save_elimitburst'});
+		$rule->{'limit-burst'}->[1] = $in{'limitburst'};
+		push(@mods, "limit");
+		}
+
+	if ($rule->{'chain'} eq 'OUTPUT') {
+		if (&parse_mode("uidowner", $rule, "uid-owner")) {
+			defined(getpwnam($in{"uidowner"})) ||
+				&error($text{'save_euidowner'});
+			$rule->{'uid-owner'}->[1] = $in{"uidowner"};
+			push(@mods, "owner");
+			}
+		if (&parse_mode("gidowner", $rule, "gid-owner")) {
+			defined(getgrnam($in{"gidowner"})) ||
+				&error($text{'save_egidowner'});
+			$rule->{'gid-owner'}->[1] = $in{"gidowner"};
+			push(@mods, "owner");
+			}
+		if (&parse_mode("pidowner", $rule, "pid-owner")) {
+			$in{"pidowner"} =~ /^\d+$/ ||
+				&error($text{'save_epidowner'});
+			$rule->{'pid-owner'}->[1] = $in{"pidowner"};
+			push(@mods, "owner");
+			}
+		if (&parse_mode("sidowner", $rule, "sid-owner")) {
+			$in{"sidowner"} =~ /^\d+$/ ||
+				&error($text{'save_esidowner'});
+			$rule->{'sid-owner'}->[1] = $in{"sidowner"};
+			push(@mods, "owner");
+			}
+		}
+
+	# Save connection states and TOS
+	if (&parse_mode("state", $rule, "state")) {
+		@states = split(/\0/, $in{'state'});
+		@states || &error($text{'save_estates'});
+		$rule->{'state'}->[1] = join(",", @states);
+		push(@mods, "state");
+		}
+	if (&parse_mode("tos", $rule, "tos")) {
+		$rule->{'tos'}->[1] = $in{'tos'};
+		push(@mods, "tos");
+		}
+
+	# Parse physical input and output interfaces
+	if (&parse_mode("physdevin", $rule, "physdev-in")) {
+		$in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
+			&error($text{'save_ephysdevin'});
+		$rule->{'physdev-in'}->[1] =
+		  $in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
+			$in{'physdevin_other'} : $in{'physdevin'};
+		push(@mods, "physdev");
+		}
+	if (&parse_mode("physdevout", $rule, "physdev-out")) {
+		$in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
+			&error($text{'save_ephysdevout'});
+		$rule->{'physdev-out'}->[1] =
+		  $in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
+			$in{'physdevout_other'} : $in{'physdevout'};
+		push(@mods, "physdev");
+		}
+
+	# Parse physdev match modes
+	if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
+		push(@mods, "physdev");
+		}
+	if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
+		push(@mods, "physdev");
+		}
+	if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
+		push(@mods, "physdev");
+		}
+
+	# Add custom paramters and modules
+	$rule->{'args'} = $in{'args'};
+	push(@mods, split(/\s+/, $in{'mods'}));
+
+	# Save the rule
+	if (@mods) {
+		$rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
+		}
+	else {
+		delete($rule->{'m'});
+		}
+	delete($rule->{'j'}) if (!$in{'jump'});
+	if ($in{'new'}) {
+		if ($in{'before'} ne '') {
+			splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
+			}
+		elsif ($in{'after'} ne '') {
+			splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
+			}
+		else {
+			push(@{$table->{'rules'}}, $rule);
+			}
+		}
+	}
+
+# Write out the new save file
+&run_before_command();
+&save_table($table);
+&run_after_command();
+&copy_to_cluster();
+&unlock_file($ipvx_save);
+&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
+	    "rule", undef, { 'chain' => $rule->{'chain'},
+			     'table' => $table->{'name'} });
+&redirect("index.cgi?table=$in{'table'}");
+
+# parse_mode(name, &rule, option)
+sub parse_mode
+{
+if ($in{"$_[0]_mode"} == 0) {
+	delete($_[1]->{$_[2]});
+	return 0;
+	}
+elsif ($in{"$_[0]_mode"} == 1) {
+	$_[1]->{$_[2]} = [ "" ];
+	return 1;
+	}
+else {
+	$_[1]->{$_[2]} = [ "!" ];
+	return 1;
+	}
+}
+
+
--- a/firewall/setup6.cgi
+++ b/firewall/setup6.cgi
@@ -0,0 +1,250 @@
+#!/usr/local/bin/perl
+# setup.cgi
+# Setup an initial save file
+
+require './firewall6-lib.pl';
+&ReadParse();
+$access{'setup'} || &error($text{'setup_ecannot'});
+
+&lock_file($ip6tables_save_file);
+if ($in{'reset'}) {
+	# Clear out all rules
+	foreach $t ("filter", "nat", "mangle") {
+		&system_logged("ip6tables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -F >/dev/null 2>&1");
+		&system_logged("ip6tables -t $t -X >/dev/null 2>&1");
+		}
+	}
+
+# Save all existing active rules
+if (defined(&unapply_ip6tables)) {
+	&unapply_ip6tables();
+	}
+else {
+	&backquote_logged("ip6tables-save >$ip6tables_save_file 2>&1");
+	}
+
+# Get important variable ports
+&get_miniserv_config(\%miniserv);
+$webmin_port = $miniserv{'port'} || 10000;
+$webmin_port2 = $webmin_port + 10;
+$usermin_port = undef;
+if (&foreign_installed("usermin")) {
+	&foreign_require("usermin", "usermin-lib.pl");
+	&usermin::get_usermin_miniserv_config(\%uminiserv);
+	$usermin_port = $uminiserv{'port'};
+	}
+$usermin_port ||= 20000;
+$ssh_port = undef;
+if (&foreign_installed("sshd")) {
+	&foreign_require("sshd", "sshd-lib.pl");
+	$conf = &sshd::get_sshd_config();
+	$ssh_port = &sshd::find_value("Port", $conf);
+	}
+$ssh_port ||= 22;
+
+if ($in{'auto'}) {
+	@tables = &get_ip6tables_save();
+	if ($in{'auto'} == 1) {
+		# Add a single rule to the nat table for masquerading
+		$iface = $in{'iface1'} eq 'other' ? $in{'iface1_other'}
+						  : $in{'iface1'};
+		$iface || &error($text{'setup_eiface'});
+		($table) = grep { $_->{'name'} eq 'nat' } @tables;
+		$table ||= { 'name' => 'nat',
+			     'rules' => [ ],
+			     'defaults' => { } };
+		push(@{$table->{'rules'}},
+		     	{ 'chain' => 'POSTROUTING',
+			  'o' => [ "", $iface ],
+			  'j' => [ "", 'MASQUERADE' ] } );
+		}
+	elsif ($in{'auto'} >= 2) {
+		# Block all incoming traffic, except for established
+		# connections, DNS replies and safe ICMP types
+		# In mode 3 allow ssh and ident too
+		# In mode 4 allow ftp, echo-request and high ports too
+		$iface = $in{'iface'.$in{'auto'}} eq 'other' ?
+				 $in{'iface'.$in{'auto'}.'_other'} :
+				 $in{'iface'.$in{'auto'}};
+		$iface || &error($text{'setup_eiface'});
+		($table) = grep { $_->{'name'} eq 'filter' } @tables;
+		$table ||= { 'name' => 'nat',
+			     'rules' => [ ],
+			     'defaults' => { } };
+		$table->{'defaults'}->{'INPUT'} = 'DROP';
+		push(@{$table->{'rules'}},
+		     { 'chain' => 'INPUT',
+		       'i' => [ "!", $iface ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Accept traffic from internal interfaces' },
+		     { 'chain' => 'INPUT',
+		       'm' => [ [ "", "tcp" ] ],
+		       'p' => [ "", "tcp" ],
+		       'tcp-flags' => [ "", "ACK", "ACK" ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Accept traffic with the ACK flag set' },
+		     { 'chain' => 'INPUT',
+		       'm' => [ [ "", "state" ] ],
+		       'state' => [ "", "ESTABLISHED" ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Allow incoming data that is part of a connection we established' },
+		     { 'chain' => 'INPUT',
+		       'm' => [ [ "", "state" ] ],
+		       'state' => [ "", "RELATED" ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Allow data that is related to existing connections' },
+		     { 'chain' => 'INPUT',
+		       'm' => [ [ "", "udp" ] ],
+		       'p' => [ "", "udp" ],
+		       'sport' => [ "", 53 ],
+		       'dport' => [ "", "1024:65535" ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Accept responses to DNS queries' },
+		     { 'chain' => 'INPUT',
+		       'm' => [ [ "", "icmpv6" ] ],
+		       'p' => [ [ "", "icmpv6" ] ],
+		       'j' => [ "", 'ACCEPT' ],
+		       'cmt' => 'Accept all ICMPv6 traffic' },
+			);
+		if ($in{'auto'} >= 3) {
+			# Allow ssh and ident
+			push(@{$table->{'rules'}},
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", $ssh_port ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to our SSH server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "auth" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to our IDENT server'}
+				);
+			}
+		if ($in{'auto'} >= 4) {
+			# Allow pings
+			push(@{$table->{'rules'}},
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "icmpv6" ] ],
+			       'p' => [ [ "", "icmpv6" ] ],
+			       'icmpv6-type' => [ "", "echo-request" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Respond to pings' }, );
+			}
+		if ($in{'auto'} == 4) {
+			# Allow pings and most high ports
+			push(@{$table->{'rules'}},
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "2049:2050" ],
+			       'j' => [ "", 'DROP' ],
+			       'cmt' => 'Protect our NFS server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "6000:6063" ],
+			       'j' => [ "", 'DROP' ],
+			       'cmt' => 'Protect our X11 display server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "7000:7010" ],
+			       'j' => [ "", 'DROP' ],
+			       'cmt' => 'Protect our X font server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "1024:65535" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to unprivileged ports' },
+				);
+			}
+		if ($in{'auto'} == 5) {
+			# Allow typical hosting server ports
+			push(@{$table->{'rules'}},
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "53" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow DNS zone transfers' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "udp" ] ],
+			       'p' => [ "", "udp" ],
+			       'dport' => [ "", "53" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow DNS queries' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "80" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to webserver' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "443" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow SSL connections to webserver' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dports' => [ "", "25,587" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to mail server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", "20:21" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to FTP server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dports' => [ "", "110,995" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to POP3 server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dports' => [ "", "143,220,993" ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to IMAP server' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "",$webmin_port.":".$webmin_port2 ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to Webmin' },
+			     { 'chain' => 'INPUT',
+			       'm' => [ [ "", "tcp" ] ],
+			       'p' => [ "", "tcp" ],
+			       'dport' => [ "", $usermin_port ],
+			       'j' => [ "", 'ACCEPT' ],
+			       'cmt' => 'Allow connections to Usermin' },
+				);
+			}
+		}
+	&run_before_command();
+	&save_table($table);
+	&run_after_command();
+	&copy_to_cluster();
+	}
+
+if ($in{'atboot'}) {
+	&create_firewall_init();
+	}
+&unlock_file($ip6tables_save_file);
+
+&webmin_log("setup");
+&redirect("");
+
+