remove edit_rule6
@@ -25,8 +25,9 @@ else {
|
||||
&can_jump($rule) || &error($text{'ejump'});
|
||||
}
|
||||
|
||||
print &ui_form_start("save_rule.cgi", "post");
|
||||
foreach $f ('version', 'table', 'idx', 'new', 'chain', 'before', 'after') {
|
||||
print &ui_form_start("save_rule${ipvx}.cgi", "post");
|
||||
print &ui_hidden("version", ${ipvx_arg});
|
||||
foreach $f ('table', 'idx', 'new', 'chain', 'before', 'after') {
|
||||
print &ui_hidden($f, $in{$f});
|
||||
}
|
||||
|
||||
@@ -83,15 +84,11 @@ if (&indexof('REJECT', @jumps) >= 0 && &can_jump("REJECT")) {
|
||||
if ($rule->{'j'}->[1] eq 'REJECT') {
|
||||
$rwith = $rule->{'reject-with'}->[1];
|
||||
}
|
||||
local @rtypes = ( "icmp-net-unreachable", "icmp-host-unreachable",
|
||||
"icmp-port-unreachable", "icmp-proto-unreachable",
|
||||
"icmp-net-prohibited", "icmp-host-prohibited",
|
||||
"echo-reply", "tcp-reset" );
|
||||
print &ui_table_row($text{'edit_rwith'},
|
||||
&ui_radio("rwithdef", $rwith eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'default'} ],
|
||||
[ 0, &text('edit_rwithtype',
|
||||
&icmptype_input("rwithtype", $rwith, \@rtypes)) ],
|
||||
&icmptype_input("rwithtype", $rwith, \@ipvx_rtypes)) ],
|
||||
]));
|
||||
}
|
||||
|
||||
@@ -128,7 +125,7 @@ if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') &&
|
||||
&can_jump("DNAT")) {
|
||||
if ($rule->{'j'}->[1] eq 'DNAT') {
|
||||
if ($rule->{'to-destination'}->[1] =~
|
||||
/^([0-9\.]+)(\-([0-9\.]+))?(:(\d+)(\-(\d+))?)?$/) {
|
||||
/$ipvx_todestpattern/) {
|
||||
$dipfrom = $1;
|
||||
$dipto = $3;
|
||||
$dpfrom = $5;
|
||||
|
||||
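Review bot: The `/$ipvx_todestpattern/` match still reads `$1`, `$3`, `$5` (and presumably `$7` just below the hunk), so the capture-group numbering of a pattern defined outside this file is now a silent contract of this block; a regrouping in the library would shift `$dipfrom`, `$dipto` and `$dpfrom` onto the wrong fields with no error. A comment at the match site would pin this down, e.g. `# $ipvx_todestpattern must keep groups 1/3/5/7 = ip-from, ip-to, port-from, port-to (same layout as the old inline regex)`; named captures in the pattern would remove the dependency altogether. The same coupling applies to `\@ipvx_rtypes` in the second hunk, which replaces the removed `local @rtypes` with a library-owned list and deserves the same comment. In the first hunk `${ipvx_arg}` can simply be `$ipvx_arg`. The enclosing `if` blocks of all three hunks start and end outside the hunks.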
@@ -1,488 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# edit_rule.cgi
|
||||
# Display the details of one firewall rule, or allow the adding of a new one
|
||||
require './firewall-lib.pl';
|
||||
&ReadParse();
|
||||
if (&get_ipvx_version() == 6) { require './firewall6-lib.pl';
|
||||
} else { require './firewall4-lib.pl'; }
|
||||
@tables = &get_iptables_save();
|
||||
$table = $tables[$in{'table'}];
|
||||
&can_edit_table($table->{'name'}) || &error($text{'etable'});
|
||||
if ($in{'clone'} ne '') {
|
||||
&ui_print_header(undef, $text{'edit_title3'}, "");
|
||||
%clone = %{$table->{'rules'}->[$in{'clone'}]};
|
||||
$rule = \%clone;
|
||||
}
|
||||
elsif ($in{'new'}) {
|
||||
&ui_print_header(undef, $text{'edit_title1'}, "");
|
||||
$rule = { 'chain' => $in{'chain'},
|
||||
'j' => &can_jump('DROP') ? 'DROP' : "" };
|
||||
}
|
||||
else {
|
||||
&ui_print_header(undef, $text{'edit_title2'}, "");
|
||||
$rule = $table->{'rules'}->[$in{'idx'}];
|
||||
&can_jump($rule) || &error($text{'ejump'});
|
||||
}
|
||||
|
||||
print &ui_form_start("save_rule.cgi", "post");
|
||||
foreach $f ('version', 'table', 'idx', 'new', 'chain', 'before', 'after') {
|
||||
print &ui_hidden($f, $in{$f});
|
||||
}
|
||||
|
||||
# Display action section
|
||||
print &ui_table_start($text{'edit_header1'}, "width=100%", 2);
|
||||
|
||||
print &ui_table_row($text{'edit_chain'},
|
||||
$text{"index_chain_".lc($rule->{'chain'})} ||
|
||||
&text('index_chain', "<tt>$rule->{'chain'}</tt>"));
|
||||
|
||||
# Rule comment
|
||||
if ($config{'comment_mod'} || $rule->{'comment'}) {
|
||||
# Get comment from --comment option
|
||||
$cmt = $rule->{'comment'}->[1];
|
||||
}
|
||||
else {
|
||||
# Get comment from # at end of line
|
||||
$cmt = $rule->{'cmt'};
|
||||
}
|
||||
print &ui_table_row($text{'edit_cmt'},
|
||||
&ui_textbox("cmt", $cmt, 50));
|
||||
|
||||
# Action to take or chain to jump to
|
||||
if ($table->{'name'} eq 'nat') {
|
||||
@jumps = ( undef, 'ACCEPT', 'DROP' );
|
||||
if ($rule->{'chain'} eq 'POSTROUTING') {
|
||||
push(@jumps, 'MASQUERADE', 'SNAT');
|
||||
}
|
||||
elsif ($rule->{'chain'} eq 'PREROUTING' ||
|
||||
$rule->{'chain'} eq 'OUTPUT') {
|
||||
push(@jumps, 'REDIRECT', 'DNAT');
|
||||
}
|
||||
else {
|
||||
push(@jumps, 'MASQUERADE', 'SNAT', 'REDIRECT', 'DNAT');
|
||||
}
|
||||
}
|
||||
else {
|
||||
@jumps = ( undef, 'ACCEPT', 'DROP', 'REJECT', 'QUEUE', 'RETURN', 'LOG' );
|
||||
}
|
||||
@grid = ( );
|
||||
$found = 0;
|
||||
foreach $j (grep { &can_jump($_) } @jumps) {
|
||||
push(@grid, &ui_oneradio("jump", $j, $text{"index_jump_".lc($j)},
|
||||
$rule->{'j'}->[1] eq $j));
|
||||
$found++ if ($rule->{'j'}->[1] eq $j);
|
||||
}
|
||||
push(@grid, &ui_oneradio("jump", "*", $text{'edit_jump_other'}, !$found));
|
||||
push(@grid, &ui_textbox("other", $found ? "" : $rule->{'j'}->[1], 12));
|
||||
print &ui_table_row($text{'edit_jump'},
|
||||
&ui_grid_table(\@grid, 6, undef));
|
||||
|
||||
if (&indexof('REJECT', @jumps) >= 0 && &can_jump("REJECT")) {
|
||||
# Show input for REJECT icmp type
|
||||
if ($rule->{'j'}->[1] eq 'REJECT') {
|
||||
$rwith = $rule->{'reject-with'}->[1];
|
||||
}
|
||||
local @rtypes = ( "icmp6-no-route", "icmp6-adm-prohibited",
|
||||
"icmp6-addr-unreachable", "icmp6-port-unreachable",
|
||||
"echo-reply", "tcp-reset" );
|
||||
print &ui_table_row($text{'edit_rwith'},
|
||||
&ui_radio("rwithdef", $rwith eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'default'} ],
|
||||
[ 0, &text('edit_rwithtype',
|
||||
&icmptype_input("rwithtype", $rwith, \@rtypes)) ],
|
||||
]));
|
||||
}
|
||||
|
||||
if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') &&
|
||||
&can_jump("REDIRECT")) {
|
||||
# Show inputs for redirect host and port
|
||||
if ($rule->{'j'}->[1] eq 'REDIRECT') {
|
||||
($rtofrom, $rtoto) = split(/\-/, $rule->{'to-ports'}->[1]);
|
||||
}
|
||||
print &ui_table_row($text{'edit_rtoports'},
|
||||
&ui_radio("rtodef", $rtofrom eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'default'} ],
|
||||
[ 0, &text('edit_prange',
|
||||
&ui_textbox("rtofrom", $rtofrom, 6),
|
||||
&ui_textbox("rtoto", $rtoto, 6)) ] ]));
|
||||
}
|
||||
|
||||
if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
|
||||
$rule->{'chain'} ne 'OUTPUT') &&
|
||||
&can_jump("MASQUERADE")) {
|
||||
# Show inputs for masquerading ports
|
||||
if ($rule->{'j'}->[1] eq 'MASQUERADE') {
|
||||
($mtofrom, $mtoto) = split(/\-/, $rule->{'to-ports'}->[1]);
|
||||
}
|
||||
print &ui_table_row($text{'edit_mtoports'},
|
||||
&ui_radio("mtodef", $mtofrom eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'edit_any'} ],
|
||||
[ 0, &text('edit_prange',
|
||||
&ui_textbox("mtofrom", $mtofrom, 6),
|
||||
&ui_textbox("mtoto", $mtoto, 6)) ] ]));
|
||||
}
|
||||
|
||||
if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') &&
|
||||
&can_jump("DNAT")) {
|
||||
if ($rule->{'j'}->[1] eq 'DNAT') {
|
||||
if ($rule->{'to-destination'}->[1] =~
|
||||
/^\[([0-9A-Fa-f:]+)](\-([0-9A-Fa-f:]+))?(:(\d+)(\-(\d+))?)?$/) {
|
||||
$dipfrom = $1;
|
||||
$dipto = $3;
|
||||
$dpfrom = $5;
|
||||
$dpto = $7;
|
||||
}
|
||||
elsif ($rule->{'to-destination'}->[1] =~ /^(:(\d+)(\-(\d+))?)?$/) {
|
||||
$dipfrom = "";
|
||||
$dipto = "";
|
||||
$dpfrom = $2;
|
||||
$dpto = $4;
|
||||
}
|
||||
}
|
||||
print &ui_table_row($text{'edit_dnat'},
|
||||
&ui_radio("dnatdef", $dipfrom eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'default'} ],
|
||||
[ 0, &text('edit_dnatip',
|
||||
&ui_textbox("dipfrom", $dipfrom, 15),
|
||||
&ui_textbox("dipto", $dipto, 15))." ".
|
||||
&text('edit_prange',
|
||||
&ui_textbox("dpfrom", $dpfrom, 6),
|
||||
&ui_textbox("dpto", $dpto, 6)) ] ]));
|
||||
}
|
||||
|
||||
if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
|
||||
$rule->{'chain'} ne 'OUTPUT') &&
|
||||
&can_jump("SNAT")) {
|
||||
if ($rule->{'j'}->[1] eq 'SNAT') {
|
||||
if ($rule->{'to-source'}->[1] =~
|
||||
/^([0-9\.]+)?(\-([0-9\.]+))?(:(\d+)(\-(\d+))?)?$/) {
|
||||
$sipfrom = $1;
|
||||
$sipto = $3;
|
||||
$spfrom = $5;
|
||||
$spto = $7;
|
||||
}
|
||||
}
|
||||
print &ui_table_row($text{'edit_snat'},
|
||||
&ui_radio("snatdef", $sipfrom eq "" ? 1 : 0,
|
||||
[ [ 1, $text{'default'} ],
|
||||
[ 0, &text('edit_dnatip',
|
||||
&ui_textbox("sipfrom", $sipfrom, 15),
|
||||
&ui_textbox("sipto", $sipto, 15))." ".
|
||||
&text('edit_prange',
|
||||
&ui_textbox("spfrom", $spfrom, 6),
|
||||
&ui_textbox("spto", $spto, 6)) ] ]));
|
||||
}
|
||||
|
||||
print &ui_table_end();
|
||||
|
||||
# Display conditions section
|
||||
print "$text{'edit_desc'}<br>\n";
|
||||
print &ui_table_start($text{'edit_header2'}, "width=100%", 2);
|
||||
|
||||
# Packet source
|
||||
print &ui_table_row($text{'edit_source'},
|
||||
&print_mode("source", $rule->{'s'})." ".
|
||||
&ui_textbox("source", $rule->{'s'}->[1], 40));
|
||||
|
||||
# Packet destination
|
||||
print &ui_table_row($text{'edit_dest'},
|
||||
&print_mode("dest", $rule->{'d'})." ".
|
||||
&ui_textbox("dest", $rule->{'d'}->[1], 40));
|
||||
|
||||
# Incoming interface
|
||||
print &ui_table_row($text{'edit_in'},
|
||||
&print_mode("in", $rule->{'i'})." ".
|
||||
&interface_choice("in", $rule->{'i'}->[1]));
|
||||
|
||||
# Outgoing interface
|
||||
print &ui_table_row($text{'edit_out'},
|
||||
&print_mode("out", $rule->{'o'})." ".
|
||||
&interface_choice("out", $rule->{'o'}->[1]));
|
||||
|
||||
# Packet fragmentation
|
||||
$f = !$rule->{'f'} ? 0 : $rule->{'f'}->[0] eq "!" ? 2 : 1;
|
||||
print &ui_table_row($text{'edit_frag'},
|
||||
&ui_radio("frag", $f, [ [ 0, $text{'edit_ignore'} ],
|
||||
[ 1, $text{'edit_fragis'} ],
|
||||
[ 2, $text{'edit_fragnot'} ] ]));
|
||||
|
||||
# IP protocol
|
||||
print &ui_table_row($text{'edit_proto'},
|
||||
&print_mode("proto", $rule->{'p'})." ".
|
||||
&protocol_input("proto", $rule->{'p'}->[1]));
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# Source port
|
||||
print &ui_table_row($text{'edit_sport'},
|
||||
&print_mode("sport", $rule->{'sports'} || $rule->{'sport'})." ".
|
||||
&port_input("sport", $rule->{'sports'}->[1] || $rule->{'sport'}->[1]));
|
||||
|
||||
# Destination port
|
||||
print &ui_table_row($text{'edit_dport'},
|
||||
&print_mode("dport", $rule->{'dports'} || $rule->{'dport'})." ".
|
||||
&port_input("dport", $rule->{'dports'}->[1] || $rule->{'dport'}->[1]));
|
||||
|
||||
# Source and destination ports
|
||||
print &ui_table_row($text{'edit_ports'},
|
||||
&print_mode("ports", $rule->{'ports'})." ".
|
||||
&ui_textbox("ports", $rule->{'ports'}->[1], 30));
|
||||
|
||||
# TCP flags
|
||||
print &ui_table_row($text{'edit_tcpflags'},
|
||||
"<table><tr><td>".&print_mode("tcpflags", $rule->{'tcp-flags'}).
|
||||
"</td> <td>".&text('edit_flags',
|
||||
&tcpflag_input("tcpflags0", $rule->{'tcp-flags'}->[1]),
|
||||
&tcpflag_input("tcpflags1", $rule->{'tcp-flags'}->[2])).
|
||||
"</td></tr></table>");
|
||||
|
||||
# TCP options
|
||||
print &ui_table_row($text{'edit_tcpoption'},
|
||||
&print_mode("tcpoption", $rule->{'tcp-option'})." ".
|
||||
&ui_textbox("tcpoption", $rule->{'tcp-option'}->[1], 6));
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# ICMP packet type
|
||||
print &ui_table_row($text{'edit_icmptype'},
|
||||
&print_mode("icmptype", $rule->{"icmp${ipvx_icmp}-type"})." ".
|
||||
&icmptype_input("icmptype", $rule->{"icmp${ipvx_icmp}-type"}->[1]));
|
||||
|
||||
# MAC address
|
||||
print &ui_table_row($text{'edit_mac'},
|
||||
&print_mode("macsource", $rule->{'mac-source'})." ".
|
||||
&ui_textbox("macsource", $rule->{'mac-source'}->[1], 18));
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# Packet flow limit
|
||||
($n, $u) = $rule->{'limit'} &&
|
||||
$rule->{'limit'}->[1] =~ /^(\d+)\/(\S+)$/ ? ($1, $2) : ();
|
||||
print &ui_table_row($text{'edit_limit'},
|
||||
&print_mode("limit", $rule->{'limit'},
|
||||
$text{'edit_below'}, $text{'edit_above'}, 1)." ".
|
||||
&ui_textbox("limit0", $n, 6)." / ".
|
||||
&ui_select("limit1", $u, ['second', 'minute', 'hour', 'day']));
|
||||
|
||||
# Packet burst rate
|
||||
print &ui_table_row($text{'edit_limitburst'},
|
||||
&print_mode("limitburst", $rule->{'limit-burst'},
|
||||
$text{'edit_below'}, $text{'edit_above'}, 1)." ".
|
||||
&ui_textbox("limitburst", $rule->{'limit-burst'}->[1], 6));
|
||||
|
||||
if ($rule->{'chain'} eq 'OUTPUT') {
|
||||
print &ui_table_hr();
|
||||
|
||||
# Sending UID
|
||||
print &ui_table_row($text{'edit_uidowner'},
|
||||
&print_mode("uidowner", $rule->{'uid-owner'})." ".
|
||||
&ui_user_textbox("uidowner", $rule->{'uid-owner'}->[1]));
|
||||
|
||||
# Sending GID
|
||||
print &ui_table_row($text{'edit_gidowner'},
|
||||
&print_mode("gidowner", $rule->{'gid-owner'})." ".
|
||||
&ui_group_textbox("gidowner", $rule->{'gid-owner'}->[1]));
|
||||
|
||||
# Sending process ID
|
||||
print &ui_table_row($text{'edit_pidowner'},
|
||||
&print_mode("pidowner", $rule->{'pid-owner'})." ".
|
||||
&ui_textbox("pidowner", $rule->{'pid-owner'}->[1], 6));
|
||||
|
||||
# Sending process group
|
||||
print &ui_table_row($text{'edit_sidowner'},
|
||||
&print_mode("sidowner", $rule->{'sid-owner'})." ".
|
||||
&ui_textbox("sidowner", $rule->{'sid-owner'}->[1], 6));
|
||||
}
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# Connection states
|
||||
print &ui_table_row($text{'edit_state'},
|
||||
"<table cellpadding=0 cellspacing=0><tr><td valign=top>".
|
||||
&print_mode("state", $rule->{'state'})."</td>\n".
|
||||
"<td> ".
|
||||
&ui_select("state", [ split(/,/, $rule->{'state'}->[1]) ],
|
||||
[ map { [ $_, $text{"edit_state_".lc($_)} ] }
|
||||
('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED') ], 5, 1).
|
||||
"</td></tr></table>");
|
||||
|
||||
# Type of service
|
||||
print &ui_table_row($text{'edit_tos'},
|
||||
&print_mode("tos", $rule->{'tos'})." ".
|
||||
&tos_input("tos", $rule->{'tos'}->[1]));
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# Input physical device
|
||||
print &ui_table_row($text{'edit_physdevin'},
|
||||
&print_mode("physdevin", $rule->{'physdev-in'})." ".
|
||||
&interface_choice("physdevin", $rule->{'physdev-in'}->[1]));
|
||||
|
||||
# Output physical device
|
||||
print &ui_table_row($text{'edit_physdevout'},
|
||||
&print_mode("physdevout", $rule->{'physdev-out'})." ".
|
||||
&interface_choice("physdevout", $rule->{'physdev-out'}->[1]));
|
||||
|
||||
# Physdev match modes
|
||||
print &ui_table_row($text{'edit_physdevisin'},
|
||||
&print_mode("physdevisin", $rule->{'physdev-is-in'},
|
||||
$text{'yes'}, $text{'no'}));
|
||||
print &ui_table_row($text{'edit_physdevisout'},
|
||||
&print_mode("physdevisout", $rule->{'physdev-is-out'},
|
||||
$text{'yes'}, $text{'no'}));
|
||||
print &ui_table_row($text{'edit_physdevisbridged'},
|
||||
&print_mode("physdevisbridged", $rule->{'physdev-is-bridged'},
|
||||
$text{'yes'}, $text{'no'}));
|
||||
|
||||
print &ui_table_hr();
|
||||
|
||||
# Show unknown modules
|
||||
@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}};
|
||||
print &ui_table_row($text{'edit_mods'},
|
||||
&ui_textbox("mods", join(" ", @mods), 60));
|
||||
|
||||
# Show unknown parameters
|
||||
$rule->{'args'} =~ s/^\s+//;
|
||||
$rule->{'args'} =~ s/\s+$//;
|
||||
print &ui_table_row($text{'edit_args'},
|
||||
&ui_textbox("args", $rule->{'args'}, 60));
|
||||
|
||||
print &ui_table_end();
|
||||
if ($in{'new'}) {
|
||||
print &ui_form_end([ [ undef, $text{'create'} ] ]);
|
||||
}
|
||||
else {
|
||||
print &ui_form_end([ [ undef, $text{'save'} ],
|
||||
[ 'clone', $text{'edit_clone'} ],
|
||||
[ 'delete', $text{'delete'} ] ]);
|
||||
}
|
||||
|
||||
&ui_print_footer("index.cgi?version=${ipvx_arg}", $text{'index_return'});
|
||||
|
||||
# print_mode(name, &value, [yes-option, no-option], [no-no-option])
|
||||
sub print_mode
|
||||
{
|
||||
local ($name, $value, $yes_opt, $no_opt, $no_no_opt) = @_;
|
||||
local $m = !$value ? 0 :
|
||||
$value->[0] eq "!" ? 2 : 1;
|
||||
return &ui_select($name."_mode", $m,
|
||||
[ [ 0, "<$text{'edit_ignore'}>" ],
|
||||
[ 1, $yes_opt || $text{'edit_is'} ],
|
||||
!$no_no_opt || $m == 2 ? ( [ 2, $no_opt || $text{'edit_not'} ] )
|
||||
: ( ) ]);
|
||||
}
|
||||
|
||||
# port_input(name, value)
|
||||
sub port_input
|
||||
{
|
||||
local ($name, $value) = @_;
|
||||
local ($s, $e, $p);
|
||||
if ($value =~ /^(\d*):(\d*)$/) {
|
||||
$s = $1; $e = $2;
|
||||
}
|
||||
else {
|
||||
$p = $value || "";
|
||||
}
|
||||
return &ui_radio($name."_type", defined($p) ? 0 : 1,
|
||||
[ [ 0, $text{'edit_port0'}." ".
|
||||
&ui_textbox($name, $p, 15) ],
|
||||
[ 1, &text('edit_port1',
|
||||
&ui_textbox($name."_from", $s, 6),
|
||||
&ui_textbox($name."_to", $e, 6)) ] ]);
|
||||
}
|
||||
|
||||
# tcpflag_input(name, value)
|
||||
sub tcpflag_input
|
||||
{
|
||||
local ($name, $value) = @_;
|
||||
local %flags = map { $_, 1 } split(/,/, $value);
|
||||
local $f;
|
||||
local $rv = "<font size=-1>\n";
|
||||
foreach $f ('SYN', 'ACK', 'FIN', 'RST', 'URG', 'PSH') {
|
||||
$rv .= &ui_checkbox($name, $f, "<tt>$f</tt>",
|
||||
$flags{$f} || $flags{'ALL'})."\n";
|
||||
}
|
||||
$rv .= "</font>\n";
|
||||
return $rv;
|
||||
}
|
||||
|
||||
# icmptype_input(name, value, [&types])
|
||||
sub icmptype_input
|
||||
{
|
||||
local ($name, $value, $types) = @_;
|
||||
local ($started, @types, $major, $minor);
|
||||
$major = -1;
|
||||
if ($types) {
|
||||
@types = @$types;
|
||||
}
|
||||
else {
|
||||
open(IPTABLES, "ip${ipvx}tables -p icmp${ipvx_icmp} -h 2>/dev/null |");
|
||||
while(<IPTABLES>) {
|
||||
if (/valid\s+icmp\s+types:/i) {
|
||||
$started = 1;
|
||||
}
|
||||
elsif (!/\S/) {
|
||||
$started = 0;
|
||||
}
|
||||
elsif ($started && /^\s*(\S+)/) {
|
||||
push(@types, $1);
|
||||
}
|
||||
}
|
||||
close(IPTABLES);
|
||||
}
|
||||
if (@types && $value !~ /^\d+$/ && $value !~ /^\d+\/\d+$/) {
|
||||
return &ui_select($name, $value, \@types);
|
||||
}
|
||||
else {
|
||||
return &ui_textbox($name, $value, 6);
|
||||
}
|
||||
}
|
||||
|
||||
# protocol_input(name, value)
|
||||
sub protocol_input
|
||||
{
|
||||
local ($name, $value) = @_;
|
||||
local @stdprotos = ( 'tcp', 'udp', "icmp${ipvx_icmp}", undef );
|
||||
$value ||= "tcp";
|
||||
local @otherprotos;
|
||||
open(PROTOS, "/etc/protocols");
|
||||
while(<PROTOS>) {
|
||||
s/\r|\n//g;
|
||||
s/#.*$//;
|
||||
push(@otherprotos, $1) if (/^(\S+)\s+(\d+)/);
|
||||
}
|
||||
close(PROTOS);
|
||||
@otherprotos = sort { lc($a) cmp lc($b) } @otherprotos;
|
||||
local $p;
|
||||
local @allprotos = &unique(@stdprotos, @otherprotos);
|
||||
local $found = &indexof($value, @allprotos) >= 0;
|
||||
return &ui_select($name, $found ? $value : "",
|
||||
[ (map { [ $_, uc($_) || "-------" ] } @allprotos),
|
||||
[ '', $text{'edit_oifc'} ] ])." ".
|
||||
&ui_textbox($name."_other", $found ? undef : $value, 5);
|
||||
}
|
||||
|
||||
# tos_input(name, value)
|
||||
sub tos_input
|
||||
{
|
||||
local ($name, $value) = @_;
|
||||
local ($started, @opts);
|
||||
open(IPTABLES, "ip${ipvx}tables -m tos -h 2>/dev/null |");
|
||||
while(<IPTABLES>) {
|
||||
if (/TOS.*options:/i) {
|
||||
$started = 1;
|
||||
}
|
||||
elsif ($started && /^\s+(\S+)\s+(\d+)\s+\((0x[0-9a-f]+)\)/i) {
|
||||
push(@opts, [ $1, $3 ]);
|
||||
}
|
||||
}
|
||||
close(IPTABLES);
|
||||
if (@opts) {
|
||||
return &ui_select($name, $value,
|
||||
[ map { [ $o->[0], "$o->[0] ($o->[1])" ] } @opts ]);
|
||||
}
|
||||
else {
|
||||
return &ui_textbox($name, $value, 20);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -298,7 +298,7 @@ else {
|
||||
}
|
||||
# chain to jump to is filtered, switch of edit
|
||||
if ($edit && !$chain_filtered) {
|
||||
push(@cols, &ui_link("edit_rule${ipvx}.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'})."&idx=$r->{'index'}",$act));
|
||||
push(@cols, &ui_link("edit_rule.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'})."&idx=$r->{'index'}",$act));
|
||||
}
|
||||
else {
|
||||
# add col for not visible checkmark
|
||||
@@ -340,12 +340,12 @@ else {
|
||||
|
||||
# Before / after adder
|
||||
local $adder;
|
||||
$adder .= "<a href='edit_rule${ipvx}.cgi?version=${ipvx_arg}&table=".
|
||||
$adder .= "<a href='edit_rule.cgi?version=${ipvx_arg}&table=".
|
||||
&urlize($in{'table'}).
|
||||
"&chain=".&urlize($c)."&new=1&".
|
||||
"after=$r->{'index'}'><img src=".
|
||||
"images/after.gif border=0></a>";
|
||||
$adder .= "<a href='edit_rule${ipvx}.cgi?version=${ipvx_arg}&table=".
|
||||
$adder .= "<a href='edit_rule.cgi?version=${ipvx_arg}&table=".
|
||||
&urlize($in{'table'}).
|
||||
"&chain=".&urlize($c)."&new=1&".
|
||||
"before=$r->{'index'}'><img src=".
|
||||
|
||||
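Review bot: With the script name no longer carrying the address family, the target of these links is selected by the `version=${ipvx_arg}` query parameter alone, so whatever `get_ipvx_version()` does with a missing or non-numeric `version` now decides which library `edit_rule.cgi` loads; it is worth confirming on the edit_rule.cgi side that the value is checked against the supported families before use rather than trusted as received. In the second hunk `$r->{'index'}` and `${ipvx_arg}` are interpolated into the `href` unescaped while `$in{'table'}` and `$c` go through `&urlize`; if both are guaranteed numeric that is fine, otherwise they should be urlized as well, and `${ipvx_arg}` can be written `$ipvx_arg` either way. The same `edit_rule.cgi?version=` change recurs in the three `&redirect(...)` hunks that follow and this note applies to them too. The `if ($edit && !$chain_filtered)` block and the loop around `$adder` continue outside the hunks.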
@@ -14,7 +14,7 @@ $table = $tables[$in{'table'}];
|
||||
|
||||
if ($in{'add'}) {
|
||||
# Redirect to the rule page for adding a rule
|
||||
&redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'}).
|
||||
&redirect("edit_rule.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'}).
|
||||
"&chain=".&urlize($in{'chain'})."&new=1");
|
||||
}
|
||||
elsif ($in{'delete'} && $in{'confirm'}) {
|
||||
|
||||
@@ -19,7 +19,7 @@ else {
|
||||
}
|
||||
if ($in{'clone'}) {
|
||||
# Go back to the editing page
|
||||
&redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
|
||||
&redirect("edit_rule.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
|
||||
"table=".&urlize($in{'table'})."&".
|
||||
"after=$in{'idx'}&".
|
||||
"chain=".&urlize($rule->{'chain'}));
|
||||
|
||||
@@ -19,7 +19,7 @@ else {
|
||||
}
|
||||
if ($in{'clone'}) {
|
||||
# Go back to the editing page
|
||||
&redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
|
||||
&redirect("edit_rule.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
|
||||
"table=".&urlize($in{'table'})."&".
|
||||
"chain=".&urlize($rule->{'chain'}));
|
||||
}
|
||||
|
||||
@@ -1,36 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# move.cgi
|
||||
# Swap two rules in some chain
|
||||
|
||||
require './firewall6-lib.pl';
|
||||
&ReadParse();
|
||||
&lock_file($ip6tables_save_file);
|
||||
@tables = &get_ip6tables_save();
|
||||
$table = $tables[$in{'table'}];
|
||||
&can_edit_table($table->{'name'}) || &error($text{'etable'});
|
||||
$r = $table->{'rules'};
|
||||
$c = $r->[$in{'idx'}]->{'chain'};
|
||||
@rules = grep { lc($_->{'chain'}) eq lc($c) } @$r;
|
||||
$pos = &indexof($r->[$in{'idx'}], @rules);
|
||||
&can_jump($r->[$in{'idx'}]) || &error($text{'ejump'});
|
||||
if ($in{'down'}) {
|
||||
# Swap with next rule in this chain
|
||||
$nxt = $rules[$pos+1]->{'index'};
|
||||
&can_jump($r->[$nxt]) || &error($text{'ejump'});
|
||||
($r->[$in{'idx'}], $r->[$nxt]) = ($r->[$nxt], $r->[$in{'idx'}]);
|
||||
}
|
||||
else {
|
||||
# Swap with previous rule in this chain
|
||||
$prv = $rules[$pos-1]->{'index'};
|
||||
&can_jump($r->[$prv]) || &error($text{'ejump'});
|
||||
($r->[$in{'idx'}], $r->[$prv]) = ($r->[$prv], $r->[$in{'idx'}]);
|
||||
}
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("move", "rule", undef, { 'table' => $table->{'name'},
|
||||
'chain' => $r->[$in{'idx'}]->{'chain'} });
|
||||
&redirect("index.cgi?table=$in{'table'}");
|
||||
|
||||
1
firewall6/move.cgi
Symbolic link
1
firewall6/move.cgi
Symbolic link
@@ -0,0 +1 @@
|
||||
../firewall/move.cgi
|
||||
@@ -1,25 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# newchain.cgi
|
||||
# Create a new user-defined chain
|
||||
|
||||
require './firewall6-lib.pl';
|
||||
$access{'newchain'} || &error($text{'new_ecannot'});
|
||||
&ReadParse();
|
||||
@tables = &get_ip6tables_save();
|
||||
$table = $tables[$in{'table'}];
|
||||
&can_edit_table($table->{'name'}) || &error($text{'etable'});
|
||||
&error_setup($text{'new_err'});
|
||||
&lock_file($ip6tables_save_file);
|
||||
$in{'chain'} =~ /^\S+$/ || &error($text{'new_ename'});
|
||||
$table->{'defaults'}->{$in{'chain'}} && &error($text{'new_etaken'});
|
||||
$table->{'defaults'}->{$in{'chain'}} = '-';
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("create", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
|
||||
&redirect("index.cgi?table=$in{'table'}");
|
||||
|
||||
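--- /dev/null
+++ b/firewall6/newchain.cgi
@@ -0,0 +1 @@
+../firewall/newchain.cgi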
@@ -1,217 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# save_policy.cgi
|
||||
# Change the default policy for some chain
|
||||
|
||||
require './firewall6-lib.pl';
|
||||
&ReadParse();
|
||||
@tables = &get_ip6tables_save();
|
||||
$table = $tables[$in{'table'}];
|
||||
&can_edit_table($table->{'name'}) || &error($text{'etable'});
|
||||
@d = split(/\0/, $in{'d'});
|
||||
|
||||
if ($in{'add'}) {
|
||||
# Redirect to the rule page for adding a rule
|
||||
&redirect("edit_rule.cgi?table=".&urlize($in{'table'}).
|
||||
"&chain=".&urlize($in{'chain'})."&new=1");
|
||||
}
|
||||
elsif ($in{'delete'} && $in{'confirm'}) {
|
||||
# Delete this entire chain and all rules in it
|
||||
&lock_file($ip6tables_save_file);
|
||||
$access{'delchain'} || &error($text{'delete_ecannot'});
|
||||
$table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} }
|
||||
@{$table->{'rules'}} ];
|
||||
delete($table->{'defaults'}->{$in{'chain'}});
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("delete", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
elsif ($in{'clear'} && $in{'confirm'}) {
|
||||
# Delete all rules from this chain
|
||||
$access{'delchain'} || &error($text{'clear_ecannot'});
|
||||
&lock_file($ip6tables_save_file);
|
||||
$table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} }
|
||||
@{$table->{'rules'}} ];
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("clear", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
elsif ($in{'delete'} || $in{'clear'}) {
|
||||
# Ask for confirmation on deleting the chain
|
||||
$mode = $in{'delete'} ? "delete" : "clear";
|
||||
$access{'delchain'} || &error($text{$mode.'_ecannot'});
|
||||
&ui_print_header(undef, $text{$mode.'_title'}, "");
|
||||
|
||||
@rules = grep { $_->{'chain'} eq $in{'chain'} } @{$table->{'rules'}};
|
||||
print &ui_form_start("save_policy.cgi");
|
||||
print &ui_hidden("table", $in{'table'});
|
||||
print &ui_hidden("chain", $in{'chain'});
|
||||
print &ui_hidden($mode, 1);
|
||||
print "<center><b>",&text($mode.'_rusure', "<tt>$in{'chain'}</tt>",
|
||||
scalar(@rules)),"</b><p>\n";
|
||||
print &ui_submit($text{'delete_ok'}, 'confirm');
|
||||
print "</center>\n";
|
||||
print &ui_form_end();
|
||||
|
||||
&ui_print_footer("index.cgi?table=".&urlize($in{'table'}),
|
||||
$text{'index_return'});
|
||||
}
|
||||
elsif ($in{'rename'} && $in{'newname'}) {
|
||||
# Rename a chain
|
||||
&lock_file($ip6tables_save_file);
|
||||
$access{'delchain'} || &error($text{'rename_ecannot'});
|
||||
$in{'newname'} =~ /^\S+$/ || &error($text{'new_ename'});
|
||||
|
||||
# Change the chain on each rule
|
||||
foreach $r (@{$table->{'rules'}}) {
|
||||
if ($r->{'chain'} eq $in{'chain'}) {
|
||||
$r->{'chain'} = $in{'newname'};
|
||||
}
|
||||
}
|
||||
|
||||
# Rename the default
|
||||
$table->{'defaults'}->{$in{'newname'}} =
|
||||
$table->{'defaults'}->{$in{'chain'}};
|
||||
delete($table->{'defaults'}->{$in{'chain'}});
|
||||
|
||||
# Adjust any other rules
|
||||
if ($in{'adjust'}) {
|
||||
foreach $r (@{$table->{'rules'}}) {
|
||||
if ($r->{'j'} && $r->{'j'}->[1] eq $in{'chain'}) {
|
||||
$r->{'j'}->[1] = $in{'newname'};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("rename", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
elsif ($in{'rename'}) {
|
||||
# Show chain rename form
|
||||
&ui_print_header(undef, $text{'rename_title'}, "");
|
||||
|
||||
print &ui_form_start("save_policy.cgi");
|
||||
print &ui_hidden("table", $in{'table'});
|
||||
print &ui_hidden("chain", $in{'chain'});
|
||||
print &ui_hidden("rename", 1);
|
||||
print &ui_table_start($text{'rename_header'}, undef, 2);
|
||||
|
||||
# Number of rules and old name
|
||||
@rules = grep { $_->{'chain'} eq $in{'chain'} } @{$table->{'rules'}};
|
||||
print &ui_table_row($text{'rename_chain'}, $in{'chain'});
|
||||
print &ui_table_row($text{'rename_count'},
|
||||
scalar(@rules) || $text{'rename_none'});
|
||||
|
||||
# Destination chain
|
||||
print &ui_table_row($text{'rename_name'},
|
||||
&ui_textbox("newname", undef, 20));
|
||||
|
||||
# Adjust other rules?
|
||||
print &ui_table_row(" ",
|
||||
&ui_checkbox("adjust", 1, $text{'rename_adjust'}, 1));
|
||||
|
||||
print &ui_table_end();
|
||||
print &ui_form_end([ [ undef, $text{'rename_ok'} ] ]);
|
||||
|
||||
&ui_print_footer("index.cgi?table=".&urlize($in{'table'}),
|
||||
$text{'index_return'});
|
||||
}
|
||||
elsif ($in{'delsel'}) {
|
||||
# Just delete selected rules
|
||||
%idxs = map { $_, 1 } @d;
|
||||
&lock_file($ip6tables_save_file);
|
||||
$table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} ||
|
||||
!$idxs{$_->{'index'}} }
|
||||
@{$table->{'rules'}} ];
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("delsel", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'},
|
||||
'count' => scalar(@d)});
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
elsif ($in{'movesel'} && $in{'dest'}) {
|
||||
# Move selected rules to new chain
|
||||
%idxs = map { $_, 1 } @d;
|
||||
&lock_file($ip6tables_save_file);
|
||||
|
||||
# Change the chain on each rule
|
||||
foreach $r (@{$table->{'rules'}}) {
|
||||
if ($r->{'chain'} eq $in{'chain'} && $idxs{$r->{'index'}}) {
|
||||
$r->{'chain'} = $in{'dest'};
|
||||
}
|
||||
}
|
||||
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("movesel", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'},
|
||||
'count' => scalar(@d)});
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
elsif ($in{'movesel'}) {
|
||||
# Show rule move form
|
||||
&ui_print_header(undef, $text{'move_title'}, "");
|
||||
|
||||
print &ui_form_start("save_policy.cgi");
|
||||
print &ui_hidden("table", $in{'table'});
|
||||
print &ui_hidden("chain", $in{'chain'});
|
||||
print &ui_hidden("movesel", 1);
|
||||
foreach $d (@d) {
|
||||
print &ui_hidden("d", $d);
|
||||
}
|
||||
print &ui_table_start($text{'move_header'}, undef, 2);
|
||||
|
||||
# Number of rules and source
|
||||
print &ui_table_row($text{'move_count'}, scalar(@d));
|
||||
print &ui_table_row($text{'move_chain'}, $in{'chain'});
|
||||
|
||||
# Destination chain
|
||||
print &ui_table_row($text{'move_dest'},
|
||||
&ui_select("dest", $in{'chain'},
|
||||
[ grep { $_ ne $in{'chain'} }
|
||||
sort by_string_for_ip6tables
|
||||
(keys %{$table->{'defaults'}}) ]));
|
||||
|
||||
print &ui_table_end();
|
||||
print &ui_form_end([ [ undef, $text{'move_ok'} ] ]);
|
||||
|
||||
&ui_print_footer("index.cgi?table=".&urlize($in{'table'}),
|
||||
$text{'index_return'});
|
||||
}
|
||||
else {
|
||||
# Change the default for this chain
|
||||
$access{'policy'} || &error($text{'policy_ecannot'});
|
||||
&lock_file($ip6tables_save_file);
|
||||
$table->{'defaults'}->{$in{'chain'}} = $in{'policy'};
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ip6tables_save_file);
|
||||
&webmin_log("modify", "chain", undef, { 'chain' => $in{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
&redirect("index.cgi?table=".&urlize($in{'table'}));
|
||||
}
|
||||
|
||||
1
firewall6/save_policy.cgi
Symbolic link
1
firewall6/save_policy.cgi
Symbolic link
@@ -0,0 +1 @@
|
||||
../firewall/save_policy.cgi
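Review bot: Replacing firewall6/save_policy.cgi with a symlink into the sibling firewall module means the shared script must decide at runtime whether it is operating on the iptables or the ip6tables save file, and this page does not show what that decision is based on; the deleted per-module copy of save_rule.cgi lower on this page calls `&get_ipvx_version()` only after `&ReadParse()`, which suggests the version may be taken from request input. If it is, a user granted ACL access only to the firewall6 module could submit the IPv4 value and have the shared script lock, rewrite and apply the IPv4 rule set, bypassing the per-module ACL boundary that the separate copies enforced implicitly (the removed copy hard-wired `$ip6tables_save_file`). Worth confirming that `get_ipvx_version()` derives the version from the module the script was invoked from (e.g. `$module_name` or the script path) rather than from `$in{'version'}`, and that the shared scripts still use `$ipvx_save` for both the `&lock_file`/`&unlock_file` pair and `&save_table` so the lock protects the file actually written. The symlink also hard-codes a dependency on the firewall module being installed at the relative path `../firewall/`; a deployment with only firewall6 present would get a dangling link and a broken page, so the module's install metadata should declare that dependency if it does not already.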
|
||||
@@ -1,410 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# save_rule.cgi
|
||||
# Save, create or delete a rule in a chain
|
||||
|
||||
require './firewall-lib.pl';
|
||||
&ReadParse();
|
||||
if (&get_ipvx_version() == 6) { require './firewall6-lib.pl';
|
||||
} else { require './firewall4-lib.pl'; }
|
||||
&error_setup($text{'save_err'});
|
||||
@tables = &get_iptables_save();
|
||||
$table = $tables[$in{'table'}];
|
||||
&can_edit_table($table->{'name'}) || &error($text{'etable'});
|
||||
if ($in{'new'}) {
|
||||
$rule = { 'chain' => $in{'chain'} };
|
||||
}
|
||||
else {
|
||||
$rule = $table->{'rules'}->[$in{'idx'}];
|
||||
&can_jump($rule) || &error($text{'ejump'});
|
||||
}
|
||||
if ($in{'clone'}) {
|
||||
# Go back to the editing page
|
||||
&redirect("edit_rule.cgi?new=1&clone=$in{'idx'}&".
|
||||
"table=".&urlize($in{'table'})."&".
|
||||
"chain=".&urlize($rule->{'chain'}));
|
||||
}
|
||||
|
||||
&lock_file($ipvx_save);
|
||||
if ($in{'delete'}) {
|
||||
# Just delete this rule
|
||||
splice(@{$table->{'rules'}}, $in{'idx'}, 1);
|
||||
}
|
||||
else {
|
||||
# Validate and store inputs
|
||||
if ($config{'comment_mod'}) {
|
||||
$in{'cmt'} =~ s/^\s+//;
|
||||
$in{'cmt'} =~ s/\s+$//;
|
||||
if ($in{'cmt'}) {
|
||||
$rule->{'comment'} = [ "", $in{'cmt'} ];
|
||||
push(@mods, "comment");
|
||||
}
|
||||
else {
|
||||
delete($rule->{'comment'});
|
||||
}
|
||||
}
|
||||
else {
|
||||
$rule->{'cmt'} = $in{'cmt'};
|
||||
delete($rule->{'comment'});
|
||||
@mods = grep { $_ ne "comment" } @mods;
|
||||
}
|
||||
if ($in{'jump'} eq '*') {
|
||||
$in{'other'} =~ /^\S+$/ || &error($text{'save_echain'});
|
||||
$rule->{'j'} = [ "", $in{'other'} ];
|
||||
}
|
||||
elsif ($in{'jump'}) {
|
||||
$rule->{'j'} = [ "", $in{'jump'} ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'j'});
|
||||
}
|
||||
&can_jump($rule) || &error($text{'save_ecanjump'});
|
||||
if (defined($in{'rwithtype'})) {
|
||||
if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) {
|
||||
$rule->{'reject-with'} = [ "", $in{'rwithtype'} ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'reject-with'});
|
||||
}
|
||||
}
|
||||
|
||||
# Parse redirect or masquerade input
|
||||
if ($table->{'name'} eq 'nat') {
|
||||
if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) {
|
||||
$in{'rtofrom'} =~ /^\d+$/ ||
|
||||
&error($text{'save_ertoports'});
|
||||
$in{'rtoto'} =~ /^\d*$/ ||
|
||||
&error($text{'save_ertoports'});
|
||||
$rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ?
|
||||
$in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ];
|
||||
}
|
||||
elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) {
|
||||
$in{'mtofrom'} =~ /^\d+$/ ||
|
||||
&error($text{'save_emtoports'});
|
||||
$in{'mtoto'} =~ /^\d*$/ ||
|
||||
&error($text{'save_emtoports'});
|
||||
$rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ?
|
||||
$in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'to-ports'});
|
||||
}
|
||||
}
|
||||
if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') {
|
||||
if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) {
|
||||
!$in{'dipfrom'} || &check_ipaddress($in{'dipfrom'}) ||
|
||||
&error($text{'save_edipfrom'});
|
||||
!$in{'dipto'} || &check_ipaddress($in{'dipto'}) ||
|
||||
&error($text{'save_edipto'});
|
||||
local $v = "[".$in{'dipfrom'}."]";
|
||||
$v .= "-[".$in{'dipto'}."]" if ($in{'dipto'});
|
||||
if ($in{'dpfrom'} ne '') {
|
||||
$in{'dpfrom'} =~ /^\d+$/ ||
|
||||
&error($text{'save_edpfrom'});
|
||||
$in{'dpto'} =~ /^\d*$/ ||
|
||||
&error($text{'save_edpto'});
|
||||
if ($in{'dpto'} eq '') {
|
||||
$v .= ":".$in{'dpfrom'};
|
||||
}
|
||||
else {
|
||||
$v .= ":".$in{'dpfrom'}."-".$in{'dpto'};
|
||||
}
|
||||
}
|
||||
$rule->{'to-destination'} = [ "", $v ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'to-destination'});
|
||||
}
|
||||
}
|
||||
if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
|
||||
$rule->{'chain'} ne 'OUTPUT') {
|
||||
if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) {
|
||||
(!$in{'sipfrom'} && !$in{'sipto'}) ||
|
||||
&check_ipaddress($in{'sipfrom'}) ||
|
||||
&error($text{'save_esipfrom'});
|
||||
!$in{'sipto'} || &check_ipaddress($in{'sipto'}) ||
|
||||
&error($text{'save_esipto'});
|
||||
local $v = $in{'sipfrom'};
|
||||
$v .= "-".$in{'sipto'} if ($in{'sipto'});
|
||||
if ($in{'spfrom'} ne '') {
|
||||
$in{'spfrom'} =~ /^\d+$/ ||
|
||||
&error($text{'save_espfrom'});
|
||||
$in{'spto'} =~ /^\d*$/ ||
|
||||
&error($text{'save_espto'});
|
||||
if ($in{'spto'} eq '') {
|
||||
$v .= ":".$in{'spfrom'};
|
||||
}
|
||||
else {
|
||||
$v .= ":".$in{'spfrom'}."-".$in{'spto'};
|
||||
}
|
||||
}
|
||||
$rule->{'to-source'} = [ "", $v ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'to-source'});
|
||||
}
|
||||
}
|
||||
if (&parse_mode("source", $rule, "s")) {
|
||||
&check_ipmask($in{'source'}) || &error($text{'save_esource'});
|
||||
$rule->{'s'}->[1] = $in{'source'};
|
||||
}
|
||||
if (&parse_mode("dest", $rule, "d")) {
|
||||
&check_ipmask($in{'dest'}) || &error($text{'save_edest'});
|
||||
$rule->{'d'}->[1] = $in{'dest'};
|
||||
}
|
||||
if (&parse_mode("in", $rule, "i")) {
|
||||
$in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ ||
|
||||
&error($text{'save_ein'});
|
||||
$rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ?
|
||||
$in{'in_other'} : $in{'in'};
|
||||
}
|
||||
if (&parse_mode("out", $rule, "o")) {
|
||||
$in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ ||
|
||||
&error($text{'save_eout'});
|
||||
$rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ?
|
||||
$in{'out_other'} : $in{'out'};
|
||||
}
|
||||
if ($in{'frag'} == 0) { delete($rule->{'f'}); }
|
||||
elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; }
|
||||
else { $rule->{'f'} = [ "!" ]; }
|
||||
if (&parse_mode("proto", $rule, "p")) {
|
||||
$in{'proto'} || $in{'proto_other'} =~ /^\d+$/ ||
|
||||
&error($text{'save_eproto'});
|
||||
$rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'};
|
||||
if (!$rule->{'p'}->[0]) {
|
||||
$proto = $in{'proto'};
|
||||
push(@mods, $in{'proto'})
|
||||
if ($proto eq 'tcp' || $proto eq 'udp' ||
|
||||
$proto eq "icmp${ipvx_icmp}" && $in{'icmptype_mode'});
|
||||
}
|
||||
}
|
||||
|
||||
if (&parse_mode("sport", $rule, "sport")) {
|
||||
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
|
||||
&error($text{'save_etcpudp'});
|
||||
if ($in{"sport_type"} == 0) {
|
||||
$in{"sport"} =~ /^\S+$/ ||
|
||||
&error($text{'save_esport'});
|
||||
if ($in{"sport"} =~ /,/) {
|
||||
$rule->{'sports'}->[1] = $in{"sport"};
|
||||
$rule->{'sports'}->[0] = $rule->{'sport'}->[0];
|
||||
push(@mods, "multiport");
|
||||
delete($rule->{'sport'});
|
||||
}
|
||||
else {
|
||||
$rule->{'sport'}->[1] = $in{"sport"};
|
||||
delete($rule->{'sports'});
|
||||
}
|
||||
}
|
||||
else {
|
||||
$in{"sport_from"} =~ /^\d*$/ ||
|
||||
&error($text{'save_esportfrom'});
|
||||
$in{"sport_to"} =~ /^\d*$/ ||
|
||||
&error($text{'save_esportto'});
|
||||
$rule->{'sport'}->[1] = $in{"sport_from"}.":".
|
||||
$in{"sport_to"};
|
||||
$rule->{'sport'}->[1] eq ":" &&
|
||||
&error($text{'save_esportrange'});
|
||||
delete($rule->{'sports'});
|
||||
}
|
||||
}
|
||||
else {
|
||||
delete($rule->{'sports'});
|
||||
}
|
||||
if (&parse_mode("dport", $rule, "dport")) {
|
||||
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
|
||||
&error($text{'save_etcpudp'});
|
||||
if ($in{"dport_type"} == 0) {
|
||||
$in{"dport"} =~ /^\S+$/ ||
|
||||
&error($text{'save_edport'});
|
||||
if ($in{"dport"} =~ /,/) {
|
||||
$rule->{'dports'}->[1] = $in{"dport"};
|
||||
$rule->{'dports'}->[0] = $rule->{'dport'}->[0];
|
||||
push(@mods, "multiport");
|
||||
delete($rule->{'dport'});
|
||||
}
|
||||
else {
|
||||
$rule->{'dport'}->[1] = $in{"dport"};
|
||||
delete($rule->{'dports'});
|
||||
}
|
||||
}
|
||||
else {
|
||||
$in{"dport_from"} =~ /^\d*$/ ||
|
||||
&error($text{'save_edportfrom'});
|
||||
$in{"dport_to"} =~ /^\d*$/ ||
|
||||
&error($text{'save_edportto'});
|
||||
$rule->{'dport'}->[1] = $in{"dport_from"}.":".
|
||||
$in{"dport_to"};
|
||||
$rule->{'dport'}->[1] eq ":" &&
|
||||
&error($text{'save_edportrange'});
|
||||
delete($rule->{'dports'});
|
||||
}
|
||||
}
|
||||
else {
|
||||
delete($rule->{'dports'});
|
||||
}
|
||||
if (&parse_mode("ports", $rule, "ports")) {
|
||||
$proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
|
||||
&error($text{'save_etcpudp'});
|
||||
$in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
|
||||
$rule->{'ports'}->[1] = $in{'ports'};
|
||||
push(@mods, "multiport");
|
||||
}
|
||||
if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
|
||||
$proto eq "tcp" || &error($text{'save_etcp1'});
|
||||
local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
|
||||
local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
|
||||
#$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
|
||||
$tcp0 || &error($text{'save_etcpflags2'});
|
||||
$rule->{'tcp-flags'}->[1] = $tcp0;
|
||||
$rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
|
||||
}
|
||||
if (&parse_mode("tcpoption", $rule, "tcp-option")) {
|
||||
$proto eq "tcp" || &error($text{'save_etcp2'});
|
||||
$in{"tcpoption"} =~ /^\d+$/ ||
|
||||
&error($text{'save_etcpoption'});
|
||||
$rule->{'tcp-option'}->[1] = $in{"tcpoption"};
|
||||
}
|
||||
if (&parse_mode("icmptype", $rule, "icmp${ipvx_icmp}-type")) {
|
||||
$proto eq "icmp${ipvx_icmp}" || &error($text{'save_eicmp'});
|
||||
$rule->{"icmp${ipvx_icmp}-type"}->[1] = $in{'icmptype'};
|
||||
}
|
||||
if (&parse_mode("macsource", $rule, "mac-source")) {
|
||||
$in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
|
||||
&error($text{'save_emac'});
|
||||
$rule->{'mac-source'}->[1] = $in{'macsource'};
|
||||
push(@mods, "mac");
|
||||
}
|
||||
if (&parse_mode("limit", $rule, "limit")) {
|
||||
$in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
|
||||
$rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
|
||||
push(@mods, "limit");
|
||||
}
|
||||
if (&parse_mode("limitburst", $rule, "limit-burst")) {
|
||||
$in{'limitburst'} =~ /^\d+$/ ||
|
||||
&error($text{'save_elimitburst'});
|
||||
$rule->{'limit-burst'}->[1] = $in{'limitburst'};
|
||||
push(@mods, "limit");
|
||||
}
|
||||
|
||||
if ($rule->{'chain'} eq 'OUTPUT') {
|
||||
if (&parse_mode("uidowner", $rule, "uid-owner")) {
|
||||
defined(getpwnam($in{"uidowner"})) ||
|
||||
&error($text{'save_euidowner'});
|
||||
$rule->{'uid-owner'}->[1] = $in{"uidowner"};
|
||||
push(@mods, "owner");
|
||||
}
|
||||
if (&parse_mode("gidowner", $rule, "gid-owner")) {
|
||||
defined(getgrnam($in{"gidowner"})) ||
|
||||
&error($text{'save_egidowner'});
|
||||
$rule->{'gid-owner'}->[1] = $in{"gidowner"};
|
||||
push(@mods, "owner");
|
||||
}
|
||||
if (&parse_mode("pidowner", $rule, "pid-owner")) {
|
||||
$in{"pidowner"} =~ /^\d+$/ ||
|
||||
&error($text{'save_epidowner'});
|
||||
$rule->{'pid-owner'}->[1] = $in{"pidowner"};
|
||||
push(@mods, "owner");
|
||||
}
|
||||
if (&parse_mode("sidowner", $rule, "sid-owner")) {
|
||||
$in{"sidowner"} =~ /^\d+$/ ||
|
||||
&error($text{'save_esidowner'});
|
||||
$rule->{'sid-owner'}->[1] = $in{"sidowner"};
|
||||
push(@mods, "owner");
|
||||
}
|
||||
}
|
||||
|
||||
# Save connection states and TOS
|
||||
if (&parse_mode("state", $rule, "state")) {
|
||||
@states = split(/\0/, $in{'state'});
|
||||
@states || &error($text{'save_estates'});
|
||||
$rule->{'state'}->[1] = join(",", @states);
|
||||
push(@mods, "state");
|
||||
}
|
||||
if (&parse_mode("tos", $rule, "tos")) {
|
||||
$rule->{'tos'}->[1] = $in{'tos'};
|
||||
push(@mods, "tos");
|
||||
}
|
||||
|
||||
# Parse physical input and output interfaces
|
||||
if (&parse_mode("physdevin", $rule, "physdev-in")) {
|
||||
$in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
|
||||
&error($text{'save_ephysdevin'});
|
||||
$rule->{'physdev-in'}->[1] =
|
||||
$in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
|
||||
$in{'physdevin_other'} : $in{'physdevin'};
|
||||
push(@mods, "physdev");
|
||||
}
|
||||
if (&parse_mode("physdevout", $rule, "physdev-out")) {
|
||||
$in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
|
||||
&error($text{'save_ephysdevout'});
|
||||
$rule->{'physdev-out'}->[1] =
|
||||
$in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
|
||||
$in{'physdevout_other'} : $in{'physdevout'};
|
||||
push(@mods, "physdev");
|
||||
}
|
||||
|
||||
# Parse physdev match modes
|
||||
if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
|
||||
push(@mods, "physdev");
|
||||
}
|
||||
if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
|
||||
push(@mods, "physdev");
|
||||
}
|
||||
if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
|
||||
push(@mods, "physdev");
|
||||
}
|
||||
|
||||
# Add custom paramters and modules
|
||||
$rule->{'args'} = $in{'args'};
|
||||
push(@mods, split(/\s+/, $in{'mods'}));
|
||||
|
||||
# Save the rule
|
||||
if (@mods) {
|
||||
$rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
|
||||
}
|
||||
else {
|
||||
delete($rule->{'m'});
|
||||
}
|
||||
delete($rule->{'j'}) if (!$in{'jump'});
|
||||
if ($in{'new'}) {
|
||||
if ($in{'before'} ne '') {
|
||||
splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
|
||||
}
|
||||
elsif ($in{'after'} ne '') {
|
||||
splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
|
||||
}
|
||||
else {
|
||||
push(@{$table->{'rules'}}, $rule);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Write out the new save file
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
&unlock_file($ipvx_save);
|
||||
&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
|
||||
"rule", undef, { 'chain' => $rule->{'chain'},
|
||||
'table' => $table->{'name'} });
|
||||
&redirect("index.cgi?table=$in{'table'}");
|
||||
|
||||
# parse_mode(name, &rule, option)
|
||||
sub parse_mode
|
||||
{
|
||||
if ($in{"$_[0]_mode"} == 0) {
|
||||
delete($_[1]->{$_[2]});
|
||||
return 0;
|
||||
}
|
||||
elsif ($in{"$_[0]_mode"} == 1) {
|
||||
$_[1]->{$_[2]} = [ "" ];
|
||||
return 1;
|
||||
}
|
||||
else {
|
||||
$_[1]->{$_[2]} = [ "!" ];
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,250 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# setup.cgi
|
||||
# Setup an initial save file
|
||||
|
||||
require './firewall6-lib.pl';
|
||||
&ReadParse();
|
||||
$access{'setup'} || &error($text{'setup_ecannot'});
|
||||
|
||||
&lock_file($ip6tables_save_file);
|
||||
if ($in{'reset'}) {
|
||||
# Clear out all rules
|
||||
foreach $t ("filter", "nat", "mangle") {
|
||||
&system_logged("ip6tables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -F >/dev/null 2>&1");
|
||||
&system_logged("ip6tables -t $t -X >/dev/null 2>&1");
|
||||
}
|
||||
}
|
||||
|
||||
# Save all existing active rules
|
||||
if (defined(&unapply_ip6tables)) {
|
||||
&unapply_ip6tables();
|
||||
}
|
||||
else {
|
||||
&backquote_logged("ip6tables-save >$ip6tables_save_file 2>&1");
|
||||
}
|
||||
|
||||
# Get important variable ports
|
||||
&get_miniserv_config(\%miniserv);
|
||||
$webmin_port = $miniserv{'port'} || 10000;
|
||||
$webmin_port2 = $webmin_port + 10;
|
||||
$usermin_port = undef;
|
||||
if (&foreign_installed("usermin")) {
|
||||
&foreign_require("usermin", "usermin-lib.pl");
|
||||
&usermin::get_usermin_miniserv_config(\%uminiserv);
|
||||
$usermin_port = $uminiserv{'port'};
|
||||
}
|
||||
$usermin_port ||= 20000;
|
||||
$ssh_port = undef;
|
||||
if (&foreign_installed("sshd")) {
|
||||
&foreign_require("sshd", "sshd-lib.pl");
|
||||
$conf = &sshd::get_sshd_config();
|
||||
$ssh_port = &sshd::find_value("Port", $conf);
|
||||
}
|
||||
$ssh_port ||= 22;
|
||||
|
||||
if ($in{'auto'}) {
|
||||
@tables = &get_ip6tables_save();
|
||||
if ($in{'auto'} == 1) {
|
||||
# Add a single rule to the nat table for masquerading
|
||||
$iface = $in{'iface1'} eq 'other' ? $in{'iface1_other'}
|
||||
: $in{'iface1'};
|
||||
$iface || &error($text{'setup_eiface'});
|
||||
($table) = grep { $_->{'name'} eq 'nat' } @tables;
|
||||
$table ||= { 'name' => 'nat',
|
||||
'rules' => [ ],
|
||||
'defaults' => { } };
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'POSTROUTING',
|
||||
'o' => [ "", $iface ],
|
||||
'j' => [ "", 'MASQUERADE' ] } );
|
||||
}
|
||||
elsif ($in{'auto'} >= 2) {
|
||||
# Block all incoming traffic, except for established
|
||||
# connections, DNS replies and safe ICMP types
|
||||
# In mode 3 allow ssh and ident too
|
||||
# In mode 4 allow ftp, echo-request and high ports too
|
||||
$iface = $in{'iface'.$in{'auto'}} eq 'other' ?
|
||||
$in{'iface'.$in{'auto'}.'_other'} :
|
||||
$in{'iface'.$in{'auto'}};
|
||||
$iface || &error($text{'setup_eiface'});
|
||||
($table) = grep { $_->{'name'} eq 'filter' } @tables;
|
||||
$table ||= { 'name' => 'nat',
|
||||
'rules' => [ ],
|
||||
'defaults' => { } };
|
||||
$table->{'defaults'}->{'INPUT'} = 'DROP';
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'INPUT',
|
||||
'i' => [ "!", $iface ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Accept traffic from internal interfaces' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'tcp-flags' => [ "", "ACK", "ACK" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Accept traffic with the ACK flag set' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "state" ] ],
|
||||
'state' => [ "", "ESTABLISHED" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow incoming data that is part of a connection we established' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "state" ] ],
|
||||
'state' => [ "", "RELATED" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow data that is related to existing connections' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "udp" ] ],
|
||||
'p' => [ "", "udp" ],
|
||||
'sport' => [ "", 53 ],
|
||||
'dport' => [ "", "1024:65535" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Accept responses to DNS queries' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "icmpv6" ] ],
|
||||
'p' => [ [ "", "icmpv6" ] ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Accept all ICMPv6 traffic' },
|
||||
);
|
||||
if ($in{'auto'} >= 3) {
|
||||
# Allow ssh and ident
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", $ssh_port ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to our SSH server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "auth" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to our IDENT server'}
|
||||
);
|
||||
}
|
||||
if ($in{'auto'} >= 4) {
|
||||
# Allow pings
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "icmpv6" ] ],
|
||||
'p' => [ [ "", "icmpv6" ] ],
|
||||
'icmpv6-type' => [ "", "echo-request" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Respond to pings' }, );
|
||||
}
|
||||
if ($in{'auto'} == 4) {
|
||||
# Allow pings and most high ports
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "2049:2050" ],
|
||||
'j' => [ "", 'DROP' ],
|
||||
'cmt' => 'Protect our NFS server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "6000:6063" ],
|
||||
'j' => [ "", 'DROP' ],
|
||||
'cmt' => 'Protect our X11 display server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "7000:7010" ],
|
||||
'j' => [ "", 'DROP' ],
|
||||
'cmt' => 'Protect our X font server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "1024:65535" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to unprivileged ports' },
|
||||
);
|
||||
}
|
||||
if ($in{'auto'} == 5) {
|
||||
# Allow typical hosting server ports
|
||||
push(@{$table->{'rules'}},
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "53" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow DNS zone transfers' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "udp" ] ],
|
||||
'p' => [ "", "udp" ],
|
||||
'dport' => [ "", "53" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow DNS queries' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "80" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to webserver' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "443" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow SSL connections to webserver' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dports' => [ "", "25,587" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to mail server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", "20:21" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to FTP server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dports' => [ "", "110,995" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to POP3 server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dports' => [ "", "143,220,993" ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to IMAP server' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "",$webmin_port.":".$webmin_port2 ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to Webmin' },
|
||||
{ 'chain' => 'INPUT',
|
||||
'm' => [ [ "", "tcp" ] ],
|
||||
'p' => [ "", "tcp" ],
|
||||
'dport' => [ "", $usermin_port ],
|
||||
'j' => [ "", 'ACCEPT' ],
|
||||
'cmt' => 'Allow connections to Usermin' },
|
||||
);
|
||||
}
|
||||
}
|
||||
&run_before_command();
|
||||
&save_table($table);
|
||||
&run_after_command();
|
||||
©_to_cluster();
|
||||
}
|
||||
|
||||
if ($in{'atboot'}) {
|
||||
&create_firewall_init();
|
||||
}
|
||||
&unlock_file($ip6tables_save_file);
|
||||
|
||||
&webmin_log("setup");
|
||||
&redirect("");
|
||||
|
||||
|
||||
1
firewall6/setup6.cgi
Symbolic link
1
firewall6/setup6.cgi
Symbolic link
@@ -0,0 +1 @@
|
||||
../firewall/setup6.cgi
|
||||
@@ -1,20 +0,0 @@
|
||||
#!/usr/local/bin/perl
|
||||
# unapply.cgi
|
||||
# Revert the firewall configuration from the kernel settings
|
||||
|
||||
require './firewall6-lib.pl';
|
||||
&ReadParse();
|
||||
$access{'unapply'} || &error($text{'unapply_ecannot'});
|
||||
&error_setup($text{'apply_err'});
|
||||
if (defined(&unapply_ip6tables)) {
|
||||
# Call distro's unapply command
|
||||
$err = &unapply_ip6tables();
|
||||
}
|
||||
else {
|
||||
# Manually run ip6tables-save
|
||||
$err = &ip6tables_save();
|
||||
}
|
||||
&error($err) if ($err);
|
||||
&webmin_log("unapply");
|
||||
&redirect("index.cgi?table=$in{'table'}");
|
||||
|
||||
1
firewall6/unapply.cgi
Symbolic link
1
firewall6/unapply.cgi
Symbolic link
@@ -0,0 +1 @@
|
||||
../firewall/unapply.cgi
|
||||