From 7127ac2072618c3ea269b1122f70ee5eca7ce991 Mon Sep 17 00:00:00 2001 From: Kay Marquardt Date: Wed, 10 May 2017 11:51:10 +0200 Subject: [PATCH 1/7] add warning aubout using filter_chain without direct --- firewall/index.cgi | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/firewall/index.cgi b/firewall/index.cgi index 4b5c0d136..234ee4108 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -436,9 +436,15 @@ sub fail2ban_message { local ($filter) = grep { $_->{'name'} eq 'filter' } @{$_[0]}; if ($filter->{'defaults'} ~~ /^f2b-|^fail2ban-/) { - print "
", - &text('index_fail2ban', "$gconfig{'webprefix'}/fail2ban/"), - "

\n"; + local $fwconf="$gconfig{'webprefix'}/config.cgi?firewall"; + if(!$config{'direct'}) { + print "

", + &text('index_filter_nodirect', $fwconf), + "

\n"; + } + print "

", + &text('index_fail2ban', "$gconfig{'webprefix'}/fail2ban/", $fwconf), + "

\n"; } } From 09c125ad9a07457c6c67c3a181b8d207a3b868ee Mon Sep 17 00:00:00 2001 From: Kay Marquardt Date: Wed, 10 May 2017 11:54:46 +0200 Subject: [PATCH 2/7] prevent modifiying of filtered chains --- firewall/index.cgi | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/firewall/index.cgi b/firewall/index.cgi index 234ee4108..e55a3f995 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -172,16 +172,30 @@ else { $form++; } - # Display a table of rules for each chain - foreach $c (sort by_string_for_iptables keys %{$table->{'defaults'}}) { - print &ui_hr(); - @rules = grep { lc($_->{'chain'}) eq lc($c) } - @{$table->{'rules'}}; - print "",$text{"index_chain_".lc($c)} || - &text('index_chain', "$c"),"
\n"; - print "

\n"; - print &ui_hidden("table", $in{'table'}); - print &ui_hidden("chain", $c); + # Display a table of rules for each chain + CHAIN: + foreach $c (sort by_string_for_iptables keys %{$table->{'defaults'}}) { + print &ui_hr(); + @rules = grep { lc($_->{'chain'}) eq lc($c) } + @{$table->{'rules'}}; + print "",$text{"index_chain_".lc($c)} || + &text('index_chain', "$c"),"
\n"; + + # check if chain is filtered out + if ($config{'filter_chain'}) { + foreach $filter (split(',', $config{'filter_chain'})) { + if($c =~ /^$filter$/) { + # not managed by firewall, do not dispaly or modify + print $text{'index_filter_chain'},"
\n"; + next CHAIN; + } + } + } + + print "\n"; + print &ui_hidden("table", $in{'table'}); + print &ui_hidden("chain", $c); + if (@rules) { @links = ( &select_all_link("d", $form), &select_invert_link("d", $form) ); From 18e165e9257e00522c5f324ecd8beae89f49f758 Mon Sep 17 00:00:00 2001 From: Kay Marquardt Date: Wed, 10 May 2017 12:02:37 +0200 Subject: [PATCH 3/7] filter_chain works now also without direct filter_chain works now also without direct but its recommended. a waning is displayed if you use it with fail2ban detected and without direct mode --- firewall/config.info.de | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall/config.info.de b/firewall/config.info.de index cb71f039d..648bb0c94 100644 --- a/firewall/config.info.de +++ b/firewall/config.info.de @@ -11,4 +11,4 @@ after_apply_cmd=Befehle zum Anwendung der Konfiguration,3,Keiner line1=System Konfiguration,11 save_file=IPtables Speicherdatei zum Bearbeiten,3,Verwendung des Betriebssystems oder Webmin Standard direct=Direktes Bearbeiten der Firewall-Regeln anstatt von gespeicherter Datei?,1,1-Ja,0-Nein -filter_chain=Liste von RegEx zum Ausfiltern von Ketten die nicht von Firewall verwaltet werden. Die Option "Direktes Bearbeiten der Firewall-Regeln" muss aktiv sein,0 +filter_chain=Komma getrennte Liste von Regex zum Ausfiltern von Ketten die nicht von Firewall verwaltet werden,0 From 771e303e37e9e3584cf079bf912d239ee3da5fb4 Mon Sep 17 00:00:00 2001 From: Kay Marquardt Date: Wed, 10 May 2017 12:05:44 +0200 Subject: [PATCH 4/7] filter_chain does now work without direct BUT only if no external firewall configuration is detected, i.e. fail2ban. In this case a Warning is diplayed to activate direct. --- firewall/config.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall/config.info b/firewall/config.info index 763aa32c5..a7291eaee 100644 --- a/firewall/config.info +++ b/firewall/config.info 
@@ -11,4 +11,4 @@ after_apply_cmd=Command to run after applying configuration,3,None
 line1=System configuration,11
 save_file=IPtables save file to edit,3,Use operating system or Webmin default
 direct=Directly edit firewall rules instead of save file?,1,1-Yes,0-No
-filter_chain=List of regexes to filter out chains not managed by firewall. You must activate "direct edit firewall rules" to use this feature,0
+filter_chain=Comma sepeated list of regexes to filter out chains not managed by firewall,0

From f9d1278a00f5d222ecd8a62dc6f7df9e5e0d0090 Mon Sep 17 00:00:00 2001
From: Kay Marquardt
Date: Wed, 10 May 2017 12:10:33 +0200
Subject: [PATCH 5/7] Warning about external Firewall programm and no direct mode

---
 firewall/lang/de | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/firewall/lang/de b/firewall/lang/de
index e749bc4ad..fca2f47e8 100644
--- a/firewall/lang/de
+++ b/firewall/lang/de
@@ -191,8 +191,10 @@ index_ecommand=Der Befehl $1 wurde nicht auf Ihrem System gefunden. Webmin ben&#
 index_editing=Regel Datei $1
 index_ekernel=Ein Fehler ist beim Überprüfen Ihrer aktuellen IPtables-Konfiguration aufgetreten : $1 Dies könnte darauf hindeuten, dass Ihr Kernel IPtables nicht unterstützt.
 index_existing=Webmin hat erkannt, dass $1 IPtables Firewall-Regel(n) derzeit in Benutzung sind, die nicht in der Datei $2 gespeichert wurden. Diese Regeln wurden vermutlich von einem Skript einrichtet, jedoch dieses Modul nicht in der Lage ist, dieses zu lesen und zu bearbeiten.

Wenn Sie dieses Modul benutzen wollen, um Ihre IPtables-Firewall verwalten zu lassen, klicken Sie auf die Schaltfläche unten, um die bestehenden Regeln zu einer Sicherungsdatei zu konvertieren und anschließend Ihr bestehendes Firewall-Skript zu deaktivieren.
-index_fail2ban=Warnung! Es scheint, dass Fail2ban verwendet wird, um das Firewall-System zu generieren. Vielleicht sollten Sie die Fail2Ban-Modul verwenden.
-index_firewalld=Warnung! Es scheint, dass FirewallD verwendet wird, um das Firewall-System zu generieren. Vielleicht sollten Sie die FirewallD Firewall-Modul verwenden.
+index_firewalld=Hinweis! Es scheint, dass FirewallD verwendet wird, um das Firewall-System zu generieren. Vielleicht sollten Sie die FirewallD Firewall-Modul verwenden.
+index_fail2ban=Hinweis! Verwendung von Fail2Ban wurde erkannt. Verwalten sie Fail2Ban mit dem Fail2Ban Modul und filtern nach f2b-.* bzw. fail2ban-.*
+index_filter_chain=wird nicht von Linux-Firewall verwaltet.
+index_filter_nodirect=Warnung! Extern verwaltete Regeln erkannt. Bitte aktiveren sie die Option "Direkte Bearbeitung von Firewall-Regeln".
 index_header=Firewall Konfiguration von $1
 index_headerex=Bestehende Firewall Konfiguration
 index_jump=Führe Regel $1 aus
@@ -218,7 +220,7 @@ index_return=Regelliste
 index_rsetup=Die IPtables-Firewall-Konfiguration auf Ihrem System ist dabei neu eingerichtet zu werden. Webmin richtet neue Standard-Regeln ein, die in der Datei $1 gespeichert werden, mit den initialen Einstellungen basierend Ihrer Firewall-Typ-Auswahl unten ..
 index_saveex=Speichere Firewall Regeln
 index_setup=Keine IPtables-Firewall wurde bisher auf Ihrem System eingerichtet. Webmin kann das für Sie erledigen und dies in der Datei $1, mit den initialen Einstellungen basierend Ihre Firewall-Typ Auswahl unten, speichern..
-index_shorewall=Warnung! Es scheint, dass Shorewall verwendet wird, um das Firewall-System zu generieren. Vielleicht sollten Sie die Shoreline Firewall-Modul verwenden.
+index_shorewall=Hinweis! Es scheint, dass Shorewall verwendet wird, um das Firewall-System zu generieren. Vielleicht sollten Sie die Shoreline Firewall-Modul verwenden.
 index_table_filter=Packet filtering (filter)
 index_table_mangle=Packet alteration (mangle)
 index_table_nat=Network address translation (nat)

From 7dcce2a64f71b8a6390cc1f3836195216ee2b60f Mon Sep 17 00:00:00 2001
From: Kay Marquardt
Date: Wed, 10 May 2017 12:18:06 +0200
Subject: [PATCH 6/7] Warning about external Firewall programm and no direct mode

---
 firewall/lang/en | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/firewall/lang/en b/firewall/lang/en
index 18069edc9..fc7fa7ab4 100644
--- a/firewall/lang/en
+++ b/firewall/lang/en
@@ -67,9 +67,11 @@ index_auto4=Block all except SSH, IDENT, ping and high ports on interface:
 index_auto5=Block all except ports used for virtual hosting, on interface:
 index_auto=Setup Firewall
 index_add=Add
-index_shorewall=Warning! It appears that Shorewall is being used to generate your system's firewall. Maybe you should use the Shoreline Firewall module instead.
-index_firewalld=Warning! It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the FirewallD module instead.
-index_fail2ban=Warning! It appears that Fail2Ban is being used to generate your system's firewall. Maybe you should use the Fail2Ban module instead.
+index_shorewall=Note! It appears that Shorewall is being used to generate your system's firewall. Maybe you should use the Shoreline Firewall module instead.
+index_firewalld=Note! It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the FirewallD module instead.
+index_fail2ban=Note! It appears that Fail2Ban is being used to manage some firewall rules. You should modify them with Fail2Ban module and filter f2b-.* or fail2ban-.*.
+index_filter_chain=ist not managed by firewall.
+index_filter_nodirect=Warning! External managed rules detected. Activate "Directly edit firewall rules" or your firewall rules may break.
 index_reset=Reset Firewall
 index_resetdesc=Click this button to clear all existing firewall rules and set up new rules for a basic initial configuration.
 index_cluster=Cluster Servers

From ba263882a65bb83fc8a4d5b67153533ade9aee3f Mon Sep 17 00:00:00 2001
From: Kay Marquardt Date: Wed, 10 May 2017 17:39:42 +0200 Subject: [PATCH 7/7] disable edit/delete for filtered rules, unified firewall_message because we must hold jump to chain rules even if filtered to statisfy iptables-restore, edit and delet these rules is disabled. replaced shorewall_message, firewalld_message and fail2ban_message by one sub external_firewall_message --- firewall/index.cgi | 106 ++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 49 deletions(-) diff --git a/firewall/index.cgi b/firewall/index.cgi index e55a3f995..904334cd5 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -48,9 +48,9 @@ if (!$config{'direct'} && &foreign_check("init")) { # Check if the save file exists. If not, check for any existing firewall # rules, and offer to create a save file from them @livetables = &get_iptables_save("iptables-save 2>/dev/null |"); -&shorewall_message(\@livetables); -&firewalld_message(\@livetables); -&fail2ban_message(\@livetables); + +#display warnings about active external firewalls! +&external_firewall_message(\@livetables); if (!$config{'direct'} && (!-s $iptables_save_file || $in{'reset'}) && $access{'setup'}) { @tables = @livetables; @@ -186,7 +186,7 @@ else { foreach $filter (split(',', $config{'filter_chain'})) { if($c =~ /^$filter$/) { # not managed by firewall, do not dispaly or modify - print $text{'index_filter_chain'},"
\n"; + print "".$text{'index_filter_chain'}."
\n"; next CHAIN; } } @@ -224,7 +224,19 @@ else { local $act = $text{"index_jump_".lc($r->{'j'}->[1])} || &text('index_jump', $r->{'j'}->[1]); - if ($edit) { + + # check if chain jump TO is filtered out + local $chain_filtered; + if ($config{'filter_chain'}) { + foreach $filter (split(',', $config{'filter_chain'})) { + if($r->{'j'}->[1] =~ /^$filter$/) { + $chain_filtered=&text('index_filter_chain'); + $act=$act."
$chain_filtered"; + } + } + } + # chain to jump to is filtered, switch of edit + if ($edit && !$chain_filtered)) { push(@cols, &ui_link("edit_rule.cgi?table=".&urlize($in{'table'})."&idx=$r->{'index'}",$act)); } else { @@ -276,16 +288,19 @@ else { "&chain=".&urlize($c)."&new=1&". "before=$r->{'index'}'>"; - push(@cols, $adder); - - if ($edit) { - print &ui_checked_columns_row( - \@cols, \@tds, "d", $r->{'index'}); - } - else { - print &ui_columns_row(\@cols, \@tds); - } - } + push(@cols, $adder); + # chain to jump to is filtered, switch of edit + if ($edit && !$chain_filtered) { + print &ui_checked_columns_row( + \@cols, \@tds, "d", $r->{'index'}); + } + else { + local $r=&ui_columns_row(\@cols, \@tds); + # fix missing first colum, need be a better solution ... + $r=~ s/<\/td>{'name'} eq 'filter' } @{$_[0]}; -if ($filter->{'defaults'}->{'shorewall'}) { - print "

", - &text('index_shorewall', "$gconfig{'webprefix'}/shorewall/"), - "

\n"; - } -} +sub external_firewall_message + { + local $fwname=""; + local $fwconfig="$gconfig{'webprefix'}/config.cgi?firewall"; -sub firewalld_message -{ -local ($filter) = grep { $_->{'name'} eq 'filter' } @{$_[0]}; -if ($filter->{'defaults'}->{'INPUT_ZONES'}) { - print "

", - &text('index_firewalld', "$gconfig{'webprefix'}/firewalld/"), - "

\n"; - } -} - -sub fail2ban_message -{ -local ($filter) = grep { $_->{'name'} eq 'filter' } @{$_[0]}; -if ($filter->{'defaults'} ~~ /^f2b-|^fail2ban-/) { - local $fwconf="$gconfig{'webprefix'}/config.cgi?firewall"; - if(!$config{'direct'}) { - print "

", - &text('index_filter_nodirect', $fwconf), + # detect external firewalls + local ($filter) = grep { $_->{'name'} eq 'filter' } @{$_[0]}; + if ($filter->{'defaults'}->{'shorewall'}) { + $fwname+='shorewall '; + } + if ($filter->{'defaults'}->{'INPUT_ZONES'}) { + $fwname+='firewalld '; + } + if ($filter->{'defaults'} ~~ /^f2b-|^fail2ban-/) { + $fwname+='fail2ban '; + } + # warning about not using direct + if($fwname && !$config{'direct'}) { + print "
", + &text('index_filter_nodirect', $fwconfig), "

\n"; - } - print "

", - &text('index_fail2ban', "$gconfig{'webprefix'}/fail2ban/", $fwconf), - "

\n"; - } -} - + } + # naming the detected firewall modules + foreach my $word (split ' ', $fwname) { + print "

", + &text("index_$word", "$gconfig{'webprefix'}/$word/", $fwconfig), + "

\n"; + } + }