ipfw/lang/en
index_title=BSD Firewall
index_eipfw=The BSD firewall command $1 was not found on your system. Maybe it is not installed, or the module configuration is incorrect.
index_elist=An error occurred fetching the active firewall rules using the command $1 : $2. Maybe the kernel has not been configured to support firewalling, or the module configuration is incorrect.
index_version=IPFW version $1
index_apply=Apply Configuration
index_applydesc=Click this button to make the firewall configuration listed above active. Any firewall rules currently in effect will be flushed and replaced.
index_unapply=Revert Configuration
index_unapplydesc=Click this button to reset the configuration listed above to the one that is currently active.
index_boot=Activate at boot
index_bootdesc=Change this option to control whether your firewall is activated at boot time or not.
index_setup=No IPFW firewall has been set up yet on your system. Webmin can set one up for you, to be stored in the file $1, with the initial settings based on your selection of firewall type below.
index_rsetup=The IPFW firewall configuration on your system is about to be reset. Webmin will set up new default rules, to be stored in the file $1, with the initial settings based on your selection of firewall type below.
index_auto0=Allow all traffic
index_auto1=Do network address translation on external interface:
index_auto2=Block all incoming connections on external interface:
index_auto3=Block all except SSH and IDENT on external interface:
index_auto4=Block all except SSH, IDENT, ping and high ports on interface:
index_auto=Setup Firewall
index_atboot=Enable firewall at boot time?
index_count1=Packets
index_count2=Data
index_reset=Reset Firewall
index_resetdesc=Click this button to clear all existing firewall rules and set up new rules for a basic initial configuration.
index_num=Num
index_action=Action
index_desc=Condition
index_cmt=Comment
index_move=Move
index_radd=Add
index_add=Add a new firewall rule.
index_add2=Add Firewall Rule
index_delete=Delete Selected
index_existing=Webmin has detected $1 IPFW firewall rules currently in use, which are not recorded in the file $2. These rules were probably set up from a script, which this module does not know how to read and edit.<p>If you want to use this module to manage your IPFW firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script.
index_saveex=Save Firewall Rules
index_headerex=Existing firewall configuration
action_allow=Allow
action_deny=Drop
action_reject=Reject
action_reset=Reset
action_skipto=Skip to
action_check-state=Check dynamic ruleset
action_count=Update counters
action_divert=Divert to port
action_fwd=Forward to IP and port
action_pipe=Pass to pipe
action_queue=Pass to queue
action_tee=Send copy to port
action_unreach=Return ICMP
laction_allow=Allow packet
laction_deny=Drop packet
laction_reject=Return ICMP rejection
laction_reset=Reset TCP connection
laction_skipto=Skip to rule
edit_title1=Create Rule
edit_title2=Edit Rule $1
edit_header1=Rule action
edit_cmt=Rule comment
edit_action=Action to take
edit_num=Ordering number
edit_log=Log matching packets?
edit_logyes=Yes, at most $1 times (leave empty for no limit)
edit_proto=Protocol
edit_proto_not=Any protocol except selected
edit_any=
edit_desc=The action selected above will only be carried out if all the conditions below are met.
edit_headerfrom=Packet source conditions
edit_headerto=Packet destination conditions
edit_from=Source address
edit_sany=Any address
edit_sme=Firewall system's addresses
edit_saddr=Address, host or network
edit_snot=All addresses except those selected
edit_to=Destination address
edit_portfrom=Source ports
edit_pany=Any ports
edit_ports=Port numbers, names or ranges
edit_portto=Destination ports
edit_pnot=All ports except those entered
edit_header2=Other rule options
edit_inout=Packet direction
edit_ignored=Ignored
edit_inout1=Incoming
edit_inout2=Outgoing
edit_via=Passed via interface
edit_recv=Received on interface
edit_xmit=Sent on interface
edit_oifc=Other..
edit_orblock=IPFW expression
edit_established=Match established TCP connections?
edit_keep-state=Allow rest of connection?
edit_bridged=Match bridged packets?
edit_frag=Match fragmented packets?
edit_setup=Match TCP connection setup?
edit_mac1=Source MAC address
edit_mac2=Destination MAC address
edit_macaddr=Ethernet address
edit_uid=Sent or received by user
edit_gid=Sent or received by group
edit_dstport=Optional destination ports are
edit_srcport=Optional source ports are
edit_user=Unix user or #UID
edit_group=Unix group or #GID
edit_header3=Rule conditions
edit_icmptypes=Match ICMP types
edit_tcpflags=Match if TCP flags are set
edit_not=Not $1
edit_limit=Maximum matching connections
edit_unlimited=Unlimited
edit_src-addr=From source address..
edit_src-port=From source port..
edit_dst-addr=To destination address..
edit_dst-port=To destination port..
save_err=Failed to save rule
save_eskipto=Missing or invalid rule number to skip to
save_efwdip=Missing or invalid IP address to forward to
save_efwdport=Invalid port number to forward to
save_eteeport=Missing or invalid port number in action
save_efrom=Missing or invalid source address, host or network
save_eto=Missing or invalid destination address, host or network
save_eportsprotofrom=Source ports can only be specified for the TCP or UDP protocols
save_eportsprototo=Destination ports can only be specified for the TCP or UDP protocols
save_eportsfrom=Missing or invalid source port number, name, range or comma-separated list
save_eportsto=Missing or invalid destination port number, name, range or comma-separated list
save_elogamount=Invalid maximum number of times to log
save_evia=Invalid passed via interface
save_erecv=Invalid received interface
save_exmit=Invalid transmitted interface
save_eorblockproto=Missing or invalid IPFW expression for protocol
save_eorblockfrom=Missing or invalid IPFW expression for source address
save_eorblockto=Missing or invalid IPFW expression for destination address
save_eorblockfrom_ports=Missing or invalid IPFW expression for source ports
save_eorblockto_ports=Missing or invalid IPFW expression for destination ports
save_emac1=Invalid source MAC address
save_emac2=Invalid destination MAC address
save_euid=Missing or invalid Unix username
save_egid=Missing or invalid Unix group name
save_eicmptypes=ICMP types can only be specified if the protocol is ICMP
save_etcpflags=TCP flags can only be specified if the protocol is TCP
save_elimit=Missing or invalid maximum limit
save_edstport=Missing or invalid destination port
save_esrcport=Missing or invalid source port
apply_err=Failed to apply configuration
desc_if=If $1
desc_and=and
desc_always=Always
desc_proto=protocol is $1
desc_proto_not=protocol is not $1
desc_from=source is $1
desc_from_not=source is not $1
desc_to=destination is $1
desc_to_not=destination is not $1
desc_me=this host
desc_from_ports=source port is $1
desc_from_ports_not=source port is not $1
desc_to_ports=destination port is $1
desc_to_ports_not=destination port is not $1
desc_established=connection is established
desc_established_not=connection is not established
desc_bridged=is bridged
desc_bridged_not=is not bridged
desc_frag=is fragmented
desc_frag_not=is not fragmented
desc_setup=is TCP setup
desc_setup_not=is not TCP setup
desc_xmit=transmitted on $1
desc_xmit_not=not transmitted on $1
desc_recv=received on $1
desc_recv_not=not received on $1
desc_via=passed via $1
desc_via_not=not passed via $1
desc_mac=destination MAC is $1 and source MAC is $2
desc_mac1=source MAC is $1
desc_mac2=destination MAC is $1
desc_uid=sent by UID $1
desc_gid=sent by GID $1
desc_dstport=optional destination ports are $1
desc_srcport=optional source ports are $1
desc_icmptypes=ICMP type is $1
desc_tcpflags=TCP flags $1 are set
desc_src-port=source port
desc_src-addr=source address
desc_dst-port=destination port
desc_dst-addr=destination address
desc_limit=, with $1 limit of $2
desc_where=where $1
desc_all=for all packets
desc_in=packet is incoming
desc_out=packet is outgoing
log_create_rule=Created $1 rule
log_delete_rule=Deleted $1 rule
log_modify_rule=Modified $1 rule
log_move_rule=Moved $1 rule
log_create_rule_l=Created $1 rule $2
log_delete_rule_l=Deleted $1 rule $2
log_modify_rule_l=Modified $1 rule $2
log_move_rule_l=Moved $1 rule $2
log_apply=Applied firewall configuration
log_bootup=Enabled firewall at boot
log_bootdown=Disabled firewall at boot
log_convert=Converted active firewall rules
log_setup=Performed initial firewall setup
log_unapply=Reverted firewall configuration
log_delsel=Deleted $1 rules
ipfw/lang/ca
index_title=Tallafocs BSD
index_eipfw=No s'ha trobat al sistema l'ordre $1 del tallafocs BSD. Pot ser que no estigui instal·lada, o bé que la configuració del mòdul sigui incorrecta.
index_elist=S'ha produït un error en obtenir les regles actives del tallafocs emprant l'ordre $1: $2. Pot ser que el kernel no estigui configurat per suportar tallafocs, o bé que la configuració del mòdul sigui incorrecta.
index_version=IPFW versió $1
index_apply=Aplica la Configuració
index_applydesc=Fes clic sobre aquest botó per fer activa la configuració del tallafocs llistada a sobre. Totes les regles que estan actives actualment seran descartades i substituïdes.
index_unapply=Reverteix la Configuració
index_unapplydesc=Fes clic sobre aquest botó per reiniciar la configuració llistada a sobre a la que està activa actualment.
index_boot=Activa'l en engegar el sistema
index_bootdesc=Canvia aquesta opció per controlar si el tallafocs s'activa en engegar el sistema o no.
index_setup=No hi ha cap tallafocs IPFW configurat al sistema. Webmin en pot configurar un per tu, i emmagatzemar-lo en el fitxer $1, amb els valors inicials basats en la teva selecció del tipus de tallafocs més avall.
index_rsetup=La configuració IPFW del sistema s'està reiniciant. Webmin establirà noves regles per defecte per a emmagatzemar-les al fitxer $1, amb la configuració inicial basada en la selecció del tipus de tallafocs a sota.
index_auto0=Permet tot el trànsit
index_auto1=Fes traducció d'adreces de xarxa sobre la interfície externa:
index_auto2=Bloqueja totes les connexions d'entrada a la interfície externa:
index_auto3=Bloqueja totes les connexions excepte SSH i IDENT a la interfície externa:
index_auto4=Bloqueja totes les connexions excepte SSH, IDENT, ping i ports alts a la interfície:
index_auto=Configura el Tallafocs
index_atboot=Activa el tallafocs en engegar el sistema
index_count1=Paquets
index_count2=Dades
index_reset=Reinicia el Tallafocs
index_resetdesc=Fes clic sobre aquest botó per eliminar totes les regles existents del tallafocs i establir-ne de noves per a una configuració inicial bàsica.
index_num=Núm
index_action=Acció
index_desc=Condició
index_cmt=Comentari
index_move=Desplaça
index_radd=Afegeix
index_add=Afegeix una nova regla del tallafocs.
index_existing=Webmin ha detectat $1 regles del tallafocs IPFW actualment en ús que no estan enregistrades al fitxer $2. Probablement, aquestes regles s'han configurat des d'un script que aquest mòdul no sap llegir ni editar.<p>Si vols fer servir aquest mòdul per gestionar el tallafocs IPFW, fes clic sobre el botó de sota per convertir les regles existents a un fitxer desat, i llavors desactivar el script del tallafocs.
index_saveex=Desa les Regles del Tallafocs
index_headerex=Configuració del tallafocs existent
action_allow=Permet
action_deny=Elimina
action_reject=Rebutja
action_reset=Reinicia
action_skipto=Salta a
action_check-state=Comprova el conjunt de regles dinàmic
action_count=Actualitza els comptadors
action_divert=Desvia-ho al port
action_fwd=Reenvia a la IP i port
action_pipe=Passa-ho al pipe
action_queue=Passa-ho a la cua
action_tee=Envia'n còpia al port
action_unreach=Retorna ICMP
laction_allow=Permet el paquet
laction_deny=Elimina el paquet
laction_reject=Retorna un rebuig ICMP
laction_reset=Reinicia la connexió TCP
laction_skipto=Salta a la regla
edit_title1=Creació de Regla
edit_title2=Edició de la Regla $1
edit_header1=Acció de la regla
edit_cmt=Comentari de la regla
edit_action=Acció a prendre
edit_num=Número d'ordre
edit_log=Registra els paquets coincidents
edit_logyes=Sí, com a molt $1 cops (deixa-ho buit si no vols cap límit)
edit_proto=Protocol
edit_proto_not=Qualsevol protocol excepte els seleccionats
edit_any=
edit_desc=L'acció seleccionada més amunt només es durà a terme si es compleixen totes les condicions de sota.
edit_headerfrom=Condicions sobre l'origen dels paquets
edit_headerto=Condicions sobre la destinació dels paquets
edit_from=Adreça origen
edit_sany=Qualsevol adreça
edit_sme=Adreça del sistema del tallafocs
edit_saddr=Adreça, host o xarxa
edit_snot=Totes les adreces excepte les seleccionades
edit_to=Adreça de destinació
edit_portfrom=Ports d'origen
edit_pany=Qualsevol port
edit_ports=Números, noms o rangs de ports
edit_portto=Ports de destinació
edit_pnot=Tots els ports excepte els introduïts
edit_header2=Altres opcions de la regla
edit_inout=Direcció dels paquets
edit_ignored=Ignorada
edit_inout1=Entrada
edit_inout2=Sortida
edit_via=Passats via interfície
edit_recv=Rebuts sobre la interfície
edit_xmit=Enviats sobre la interfície
edit_oifc=Altres...
edit_orblock=Expressió IPFW
edit_established=Coincideix amb les connexions TCP establertes
edit_keep-state=Permet la resta de connexions
edit_bridged=Coincideix amb els paquets pontejats
edit_frag=Coincideix amb els paquets fragmentats
edit_setup=Coincideix amb la configuració de la connexió TCP
edit_mac1=Adreça MAC origen
edit_mac2=Adreça MAC destí
edit_macaddr=Adreça Ethernet
edit_uid=Enviats o rebuts per l'usuari
edit_gid=Enviats o rebuts pel grup
edit_user=Usuari o #UID Unix
edit_group=Grup o #GID Unix
edit_header3=Condicions de la regla
edit_icmptypes=Coincideix amb els tipus ICMP
edit_tcpflags=Coincideix si les banderes TCP estan activades
edit_not=No $1
edit_limit=Nombre màxim de connexions coincidents
edit_unlimited=Il·limitat
edit_src-addr=Des de l'adreça d'origen...
edit_src-port=Des del port d'origen...
edit_dst-addr=A l'adreça de destinació...
edit_dst-port=Al port de destinació...
save_err=No he pogut desar la regla
save_eskipto=Hi falta el número de regla per saltar-hi o bé és invàlid
save_efwdip=Hi falta l'adreça IP de reenviament o bé és invàlida
save_efwdport=Número de port de reenviament invàlid
save_eteeport=Hi falta el número de port de l'acció o bé és invàlid
save_efrom=Hi falta l'adreça, host o xarxa d'origen, o bé és invàlida
save_eto=Hi falta l'adreça, host o xarxa de destinació, o bé és invàlida
save_eportsprotofrom=Els ports d'origen només es poden especificar amb els protocols TCP o UDP
save_eportsprototo=Els ports de destinació només es poden especificar amb els protocols TCP o UDP
save_eportsfrom=Hi falta el número, nom, rang o llista de ports origen, o bé és invàlid
save_eportsto=Hi falta el número, nom, rang o llista de ports destí, o bé és invàlid
save_elogamount=Nombre màxim de cops a registrar invàlid
save_evia=Interfície de pas invàlida
save_erecv=Interfície de recepció invàlida
save_exmit=Interfície d'emissió invàlida
save_eorblockproto=Hi falta l'expressió IPFW del protocol o bé és invàlida
save_eorblockfrom=Hi falta l'expressió IPFW de l'adreça origen o bé és invàlida
save_eorblockto=Hi falta l'expressió IPFW de l'adreça destí o bé és invàlida
save_eorblockfrom_ports=Hi falta l'expressió IPFW dels ports origen o bé és invàlida
save_eorblockto_ports=Hi falta l'expressió IPFW dels ports destí o bé és invàlida
save_emac1=Adreça MAC origen invàlida
save_emac2=Adreça MAC destí invàlida
save_euid=Hi falta l'usuari Unix o bé és invàlid
save_egid=Hi falta el grup Unix o bé és invàlid
save_eicmptypes=Els tipus ICMP només es poden especificar si el protocol és ICMP
save_etcpflags=Les banderes TCP només es poden especificar si el protocol és TCP
save_elimit=Hi falta el límit màxim o bé és invàlid
apply_err=No he pogut aplicar la configuració
desc_if=Si $1
desc_and=i
desc_always=Sempre
desc_proto=el protocol és $1
desc_proto_not=el protocol no és $1
desc_from=l'origen és $1
desc_from_not=l'origen no és $1
desc_to=la destinació és $1
desc_to_not=la destinació no és $1
desc_me=aquest host
desc_from_ports=el port origen és $1
desc_from_ports_not=el port origen no és $1
desc_to_ports=el port destí és $1
desc_to_ports_not=el port destí no és $1
desc_established=la connexió està establerta
desc_established_not=la connexió no està establerta
desc_bridged=està pontejat
desc_bridged_not=no està pontejat
desc_frag=està fragmentat
desc_frag_not=no està fragmentat
desc_setup=està configurat amb TCP
desc_setup_not=no està configurat amb TCP
desc_xmit=s'ha tramès sobre $1
desc_xmit_not=no s'ha tramès sobre $1
desc_recv=s'ha rebut sobre $1
desc_recv_not=no s'ha rebut sobre $1
desc_via=s'ha passat via $1
desc_via_not=no s'ha passat via $1
desc_mac=la MAC destí és $1 i la MAC origen és $2
desc_mac1=la MAC origen és $1
desc_mac2=la MAC destí és $1
desc_uid=s'ha enviat amb UID $1
desc_gid=s'ha enviat amb GID $1
desc_icmptypes=el tipus ICMP és $1
desc_tcpflags=s'han activat les banderes TCP $1
desc_src-port=el port d'origen
desc_src-addr=l'adreça d'origen
desc_dst-port=el port de destinació
desc_dst-addr=l'adreça de destinació
desc_limit=, amb un límit $1 de $2
desc_where=on $1
desc_all=per a tots els paquets
desc_in=el paquet és d'entrada
desc_out=el paquet és de sortida
log_create_rule=He creat la regla $1
log_delete_rule=He suprimit la regla $1
log_modify_rule=He modificat la regla $1
log_move_rule=He desplaçat la regla $1
log_create_rule_l=He creat la regla $1 $2
log_delete_rule_l=He suprimit la regla $1 $2
log_modify_rule_l=He modificat la regla $1 $2
log_move_rule_l=He desplaçat la regla $1 $2
log_apply=He aplicat la configuració del tallafocs
log_bootup=He activat el tallafocs en engegar el sistema
log_bootdown=He desactivat el tallafocs en engegar el sistema
log_convert=He convertit les regles actives del tallafocs
log_setup=He dut a terme la configuració inicial del tallafocs
log_unapply=He revertit la configuració del tallafocs
ipfw/save_rule.cgi
#!/usr/local/bin/perl
# Create, update or delete a firewall rule

require './ip fw-lib.pl' if 0;  # placeholder never executed; real require below
require './ipfw-lib.pl';
&ReadParse();
&error_setup($text{'save_err'});
$rules = &get_config();

if ($in{'new'}) {
    # Find the last editable rule (the fixed 65535 default rule is skipped)
    if ($rules->[@$rules-1]->{'num'} == 65535 && @$rules > 1) {
        $lastidx = $rules->[@$rules-2]->{'index'};
    }
    else {
        $lastidx = $rules->[@$rules-1]->{'index'};
    }

    # Work out where to insert, and what number to use
    if ($in{'before'} ne '') {
        # Adding before some rule: halfway between it and its predecessor
        local $pn = $in{'before'} == 0 ? 0
                                       : $rules->[$in{'before'}-1]->{'num'};
        $rule = { 'num' => ($rules->[$in{'before'}]->{'num'}+$pn)/2 };
        splice(@$rules, $in{'before'}, 0, $rule);
    }
    elsif ($in{'after'} ne '') {
        # Adding after some rule: halfway to its successor, or +200 at the end
        local $nn = $in{'after'} == $lastidx
                        ? $rules->[$in{'after'}]->{'num'}+200
                        : $rules->[$in{'after'}+1]->{'num'};
        $rule = { 'num' => ($rules->[$in{'after'}]->{'num'}+$nn)/2 };
        splice(@$rules, $in{'after'}+1, 0, $rule);
    }
    elsif (!@$rules) {
        # First rule
        $rule = { 'num' => '00100' };
        push(@$rules, $rule);
    }
    else {
        # At end or before last deny-all rule
        $rule = { 'num' => $rules->[$lastidx]->{'num'}+100 };
        splice(@$rules, $lastidx+1, 0, $rule);
    }
    # XXX %d truncates a .5 midpoint, so two adjacent numbers (100, 101) yield
    # a duplicate 00100 that a later "ipfw delete 100" removes together
    $rule->{'num'} = sprintf "%5.5d", $rule->{'num'};
}
else {
    $rule = $rules->[$in{'idx'}];
    delete($rule->{'text'});
}

if ($in{'delete'}) {
    # Just remove this rule
    splice(@$rules, $in{'idx'}, 1);
}
else {
    # Validate inputs and construct the rule object
    $in{'cmt'} =~ s/\r//g;
    $rule->{'cmt'} = $in{'cmt'};

    # Parse rule action and arg
    $rule->{'action'} = $in{'action'};
    if ($in{'action'} eq "skipto") {
        $in{'action_skipto'} =~ /^\d+$/ || &error($text{'save_eskipto'});
        $rule->{'aarg'} = $in{'action_skipto'};
    }
    elsif ($in{'action'} eq "fwd") {
        &check_ipaddress($in{'action_fwdip'}) || &error($text{'save_efwdip'});
        if ($in{'action_fwdport'} eq "") {
            $rule->{'aarg'} = $in{'action_fwdip'};
        }
        else {
            $in{'action_fwdport'} =~ /^\d+$/ || &error($text{'save_efwdport'});
            $rule->{'aarg'} = $in{'action_fwdip'}.",".$in{'action_fwdport'};
        }
    }
    elsif ($in{'action'} eq "divert" || $in{'action'} eq "pipe" ||
           $in{'action'} eq "queue" || $in{'action'} eq "tee") {
        $in{'action_port'} =~ /^\d+$/ || &error($text{'save_eteeport'});
        $rule->{'aarg'} = $in{'action_port'};
    }
    elsif ($in{'action'} eq "unreach") {
        # XXX the code is not checked against @unreaches here; ipfw rejects
        # an unknown code when the saved rules are applied
        $rule->{'aarg'} = $in{'action_unreach'};
    }
    else {
        delete($rule->{'aarg'});
    }

    # Parse protocol
    if ($in{'proto_orblock'}) {
        $rule->{'proto'} = &parse_orblock("proto");
    }
    else {
        $rule->{'proto'} = $in{'proto'};
    }

    # Parse in/out option
    delete($rule->{'in'});
    delete($rule->{'out'});
    delete($rule->{'in_not'});
    delete($rule->{'out_not'});
    if ($in{'inout'} == 1) {
        $rule->{'in'} = 1;
    }
    elsif ($in{'inout'} == 2) {
        $rule->{'out'} = 1;
    }

    # Parse via interface
    $rule->{'via'} = &parse_interface("via");

    # Parse logging level
    if ($in{'log'}) {
        $rule->{'log'} = 1;
        if ($in{'logamount'} ne "") {
            $in{'logamount'} =~ /^\d+$/ || &error($text{'save_elogamount'});
            $rule->{'logamount'} = $in{'logamount'};
        }
        else {
            delete($rule->{'logamount'});
        }
    }
    else {
        $rule->{'log'} = 0;
    }

    # Parse source and destination
    foreach $s ("from", "to") {
        # IP address
        if ($in{$s."_orblock"}) {
            $rule->{$s} = &parse_orblock($s);
        }
        elsif ($in{$s."_mode"} == 0) {
            $rule->{$s} = "any";
        }
        elsif ($in{$s."_mode"} == 1) {
            $rule->{$s} = "me";
        }
        else {
            gethostbyname($in{$s}) ||
                &check_ipaddress($in{$s}) ||
                ($in{$s} =~ /^([0-9\.]+)\/(\d+)$/ && &check_ipaddress($1)) ||
                ($in{$s} =~ /^([0-9\.]+)\/(\d+)\{([0-9,]+)\}$/ &&
                 &check_ipaddress($1) && $ipfw_version >= 2) ||
                &error($text{'save_e'.$s});
            $rule->{$s} = $in{$s};
        }

        # Port numbers
        if ($in{$s."_ports_orblock"}) {
            # XXX could be optional?
            $rule->{$s."_ports"} = &parse_orblock($s."_ports");
        }
        elsif ($in{$s."_ports_mode"} == 0) {
            delete($rule->{$s."_ports"});
        }
        else {
            local $p = $rule->{'proto'};
            $p eq "tcp" || $p eq "udp" || $ipfw_version >= 2 ||
                &error($text{'save_eportsproto'.$s});
            $in{$s."_ports"} =~ /^\d+$/ ||
                getservbyname($in{$s."_ports"}, $p) ||
                $in{$s."_ports"} =~ /^\d+\-\d+$/ ||
                ($in{$s."_ports"} =~ /^([a-z0-9]+)\-([a-z0-9]+)$/i &&
                 getservbyname($1, $p) && getservbyname($2, $p)) ||
                $in{$s."_ports"} =~ /^([a-z0-9]+)(,[a-z0-9]+)*$/ ||
                ($in{$s."_ports"} =~ /^([a-z0-9]+|([a-z0-9]+)\-([a-z0-9]+))(,[a-z0-9]+|,([a-z0-9]+)\-([a-z0-9]+))*$/ &&
                 $ipfw_version >= 2) ||
                &error($text{'save_eports'.$s});
            $rule->{$s."_ports"} = $in{$s."_ports"};
            $rule->{$s."_ports_not"} = $in{$s."_ports_not"} if ($ipfw_version >= 2);
        }
    }
    $rule->{'xmit'} = &parse_interface("xmit");
    $rule->{'recv'} = &parse_interface("recv");
    # XXX multiple options

    # Parse various options
    &parse_yes_no_ignored("established");
    &parse_yes_no_ignored("keep-state");
    &parse_yes_no_ignored("bridged");
    &parse_yes_no_ignored("frag");
    &parse_yes_no_ignored("setup");

    # Parse MAC address (ipfw2 only; stored as [ destination, source ])
    if ($ipfw_version >= 2) {
        if ($in{'mac1_def'} && $in{'mac2_def'}) {
            delete($rule->{'mac'});
        }
        else {
            local @mac;
            if ($in{'mac2_def'}) {
                push(@mac, "any");
            }
            else {
                $in{'mac2'} =~ /^[0-9a-f]{2}(:[0-9a-f]{2}){5}(\/\d+)?$/ ||
                    &error($text{'save_emac2'});
                push(@mac, $in{'mac2'});
            }
            if ($in{'mac1_def'}) {
                push(@mac, "any");
            }
            else {
                $in{'mac1'} =~ /^[0-9a-f]{2}(:[0-9a-f]{2}){5}(\/\d+)?$/ ||
                    &error($text{'save_emac1'});
                push(@mac, $in{'mac1'});
            }
            $rule->{'mac'} = \@mac;
        }
    }

    # Parse UID and GID
    if ($in{'uid_def'}) {
        delete($rule->{'uid'});
    }
    elsif ($in{'uid'} =~ /^#(\d+)$/) {
        $rule->{'uid'} = $1;
    }
    else {
        defined($rule->{'uid'} = getpwnam($in{'uid'})) ||
            &error($text{'save_euid'});
    }
    if ($in{'gid_def'}) {
        delete($rule->{'gid'});
    }
    elsif ($in{'gid'} =~ /^#(\d+)$/) {
        $rule->{'gid'} = $1;
    }
    else {
        defined($rule->{'gid'} = getgrnam($in{'gid'})) ||
            &error($text{'save_egid'});
    }

    # Parse ICMP types
    if ($in{'icmptypes'}) {
        $rule->{'proto'} eq 'icmp' || &error($text{'save_eicmptypes'});
        $rule->{'icmptypes'} = join(",", split(/\0/, $in{'icmptypes'}));
    }
    else {
        delete($rule->{'icmptypes'});
    }

    # Parse tcp flags
    if ($in{'tcpflags'}) {
        $rule->{'proto'} eq 'tcp' || &error($text{'save_etcpflags'});
        $rule->{'tcpflags'} = join(",", split(/\0/, $in{'tcpflags'}));
    }
    else {
        delete($rule->{'tcpflags'});
    }

    # Parse limit directive
    if ($in{'limit'}) {
        $in{'limit2'} =~ /^\d+$/ || &error($text{'save_elimit'});
        $rule->{'limit'} = [ $in{'limit'}, $in{'limit2'} ];
    }
    else {
        delete($rule->{'limit'});
    }

    # Parse dst-port and src-port directive
    foreach $ds ('dst', 'src') {
        if (!$in{$ds.'port_def'}) {
            local @dstports = split(/[ ,]+/, $in{$ds.'port'});
            foreach $p (@dstports) {
                &valid_port($p, $rule->{'proto'}) ||
                    &error($text{'save_e'.$ds.'port'});
            }
            $rule->{$ds.'-port'} = \@dstports;
        }
        else {
            delete($rule->{$ds.'-port'});
        }
    }
}

# Save all rules
&lock_file($ipfw_file);
&save_config($rules);
&unlock_file($ipfw_file);
&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
            "rule", $rule->{'action'}, $rule);
&redirect("");

# parse_interface(name)
# Returns the selected interface name, or undef if none was chosen
sub parse_interface
{
    local $iface = $in{$_[0]} eq "other" ? $in{$_[0]."_other"} : $in{$_[0]};
    return undef if (!$iface);
    $iface =~ /^\S+$/ || &error($text{'save_e'.$_[0]});
    return $iface;
}

# parse_orblock(name)
# Splits a free-form IPFW expression into words; the words are not validated
# beyond being non-empty, so they are passed to ipfw as typed
sub parse_orblock
{
    $in{$_[0]} =~ /\S/ || &error(&text('save_eorblock'.$_[0]));
    return [ split(/\s+/, $in{$_[0]}) ];
}

# parse_yes_no_ignored(name)
# 0 = ignored, 1 = must match, 2 = must not match
sub parse_yes_no_ignored
{
    if ($in{$_[0]} == 0) {
        delete($rule->{$_[0]});
    }
    elsif ($in{$_[0]} == 1) {
        $rule->{$_[0]} = 1;
        $rule->{$_[0]."_not"} = 0;
    }
    elsif ($in{$_[0]} == 2) {
        $rule->{$_[0]} = 1;
        $rule->{$_[0]."_not"} = 1;
    }
}
ipfw/module.info
desc=BSD Firewall
os_support=freebsd macos
depends=net init
category=net
longdesc=Configure a BSD firewall using IPFW, by creating and editing rules.
desc_ca=Tallafocs BSD
version=1.193
ipfw/ipfw-lib.pl
# Functions for managing an ipfw firewall.
# Works on a file as generated by ipfw list and read by ipfw /path/name,
# rather than a script.
# XXX some things are not supported by ipfw1

do '../web-lib.pl';
&init_config();
do '../ui-lib.pl';
$ipfw_file = $config{'save_file'} || "$module_config_directory/ipfw.rules";

@actions = ( "allow", "deny", "reject", "reset", "skipto", "fwd",
             "check-state", "count", "divert", "pipe", "queue", "tee",
             "unreach" );
@unreaches = ( "net", "host", "protocol", "port", "needfrag", "srcfail",
               "net-unknown", "host-unknown", "isolated", "net-prohib",
               "host-prohib", "tosnet", "toshost", "filter-prohib",
               "host-precedence", "precedence-cutoff" );
@options = ( "bridged", "established", "frag", "in", "out", "keep-state",
             "setup" );
@one_options = ( "gid", "uid", "icmptypes", "recv", "xmit", "via",
                 "tcpflags" );
@two_options = ( "limit", "mac" );
@multi_options = ( "dst-port", "src-port" );
# Indexed by ICMP type number; undef marks unassigned types
@icmptypes = ( "echo-reply", undef, undef, "destination-unreachable",
               "source-quench", "redirect", undef, undef, "echo-request",
               "router-advertisement", "router-solicitation", "ttl-exceeded",
               "ip-header-bad", "timestamp-request", "timestamp-reply",
               "information-request", "information-reply",
               "address-mask-request", "address-mask-reply" );
@tcpflags = ( "fin", "syn", "rst", "psh", "ack", "urg" );

# Get the detected ipfw version
if (open(VERSION, "$module_config_directory/version")) {
    chop($ipfw_version = <VERSION>);
    close(VERSION);
}

# get_config([file], [&output])
# Returns a list of rules from the firewall file
sub get_config
{
    local $file = $_[0] || $ipfw_file;
    local @rv;
    local $cmt;
    local $lnum = 0;
    open(LIST, $file);
    while(<LIST>) {
        ${$_[1]} .= $_ if ($_[1]);
        if (/^(\d+)\s+(.*)/) {
            # an ipfw rule
            local @cmts = split(/\n/, $cmt);
            local $rule = { 'index' => scalar(@rv),
                            'line' => $lnum-scalar(@cmts),
                            'eline' => $lnum,
                            'num' => $1,
                            'text' => $2,
                            'cmt' => $cmt };
            $cmt = undef;
            local @w = split(/\s+/, $2);

            # Parse counts, if given (ipfw -a list output)
            if ($w[0] =~ /^\d+$/) {
                $rule->{'count1'} = shift(@w);
                $rule->{'count2'} = shift(@w);
            }

            # parse the set number
            if ($w[0] eq "set") {
                shift(@w);
                $rule->{'set'} = shift(@w);
            }

            # parse the probability of match
            if ($w[0] eq "prob") {
                shift(@w);
                $rule->{'prob'} = shift(@w);
            }

            # Parse the action
            $rule->{'action'} = shift(@w);
            if ($rule->{'action'} =~ /divert|fwd|forward|pipe|queue|skipto|tee|unreach/) {
                # Action has an arg
                $rule->{'aarg'} = shift(@w);
            }

            # Parse the log section
            if ($w[0] eq "log") {
                $rule->{'log'} = 1;
                shift(@w);
                if ($w[0] eq "logamount") {
                    shift(@w);
                    $rule->{'logamount'} = shift(@w);
                }
            }

            # Parse the protocol
            local $hasproto;
            if ($w[0] eq "{" || $w[0] eq "(") {
                $rule->{'proto'} = &words_to_orblock(\@w);
            }
            else {
                $rule->{'proto'} = shift(@w);
                $hasproto++ if ($rule->{'proto'} ne "ip" &&
                                $rule->{'proto'} ne "any");
            }

            # Parse the source and destination sections
            local $s;
            foreach $s ("from", "to") {
                local $sn = shift(@w);
                next if ($sn ne $s);

                # Parse IP address
                if ($w[0] eq "not") {
                    $rule->{$s."_not"} = 1;
                    shift(@w);
                }
                if ($w[0] eq "{" || $w[0] eq "(") {
                    $rule->{$s} = &words_to_orblock(\@w);
                }
                else {
                    $rule->{$s} = shift(@w);
                }

                # Parse ports, which may be preceded by "not"
                local $pr = $rule->{'proto'};
                if ($w[0] eq "not" && @w > 1 &&
                    ($w[1] =~ /^\d+$/ || $w[1] =~ /,/ || $w[1] =~ /\-/ ||
                     defined(getservbyname($w[1], $rule->{'proto'})))) {
                    shift(@w);
                    $rule->{$s."_ports_not"} = 1;
                }
                if ($w[0] =~ /^\d+$/ || $w[0] =~ /,/ ||
                    ($w[0] =~ /^(\S+)\-(\S+)$/ &&
                     &valid_port($1, $pr) && &valid_port($2, $pr)) ||
                    &valid_port($w[0], $pr)) {
                    $rule->{$s."_ports"} = shift(@w);
                }
            }

            # Parse any options
            if ($w[0] eq "{" || $w[0] eq "(") {
                # XXX can be an or-block!
                $rule->{'options'} = &words_to_orblock(\@w);
            }
            else {
                local $nextnot = 0;
                while(@w) {
                    local $o = lc(shift(@w));
                    $o = "icmptypes" if ($o eq "icmptype");
                    if ($o eq "not") {
                        $nextnot = 1;
                    }
                    else {
                        if (&indexof($o, @options) >= 0) {
                            # Stand-alone option
                            $rule->{$o}++;
                            $rule->{$o."_not"} = $nextnot;
                        }
                        elsif (&indexof($o, @one_options) >= 0) {
                            # Option with one value
                            $rule->{$o} = shift(@w);
                            $rule->{$o."_not"} = $nextnot;
                        }
                        elsif (&indexof($o, @two_options) >= 0) {
                            # Option with two values
                            $rule->{$o} = [ shift(@w), shift(@w) ];
                            $rule->{$o."_not"} = $nextnot;
                        }
                        elsif (&indexof($o, @multi_options) >= 0) {
                            # Option followed by a list of port numbers
                            $rule->{$o} = [ ];
                            while(@w && $w[0] =~ /^\d+$/) {
                                push(@{$rule->{$o}}, shift(@w));
                            }
                            $rule->{$o."_not"} = $nextnot;
                        }
                        else {
                            # Unknown option, preserved verbatim when re-written
                            push(@{$rule->{'unknown'}}, "not") if ($nextnot);
                            push(@{$rule->{'unknown'}}, $o);
                        }
                        $nextnot = 0;
                    }
                }
            }
            push(@rv, $rule);
        }
        elsif (/^#\s*(.*)/) {
            # A comment, which applies to the next rule
            $cmt .= "\n" if ($cmt);
            $cmt .= $1;
        }
        $lnum++;
    }
    close(LIST);
    return \@rv;
}

# valid_port(text, protocol)
# Returns 1 if the text is a port number or a service name known for the protocol
sub valid_port
{
    return 1 if ($_[0] =~ /^\d+$/);
    return 1 if (defined(getservbyname($_[0], $_[1])));
    return 0;
}

# save_config(&rules)
# Updates the firewall file with a list of rules
sub save_config
{
    open(LIST, ">$ipfw_file") || &error("Failed to write $ipfw_file : $!");
    foreach $r (@{$_[0]}) {
        local @lines = &rule_lines($r);
        local $l;
        foreach $l (@lines) {
            print LIST $l,"\n";
        }
    }
    close(LIST);
}

# rule_lines(&rule, [nocomment])
# Returns the lines of text to make up a rule
sub rule_lines
{
    local ($rule) = @_;
    local @cmts = $_[1] ? ( ) : map { "# $_" } split(/\n/, $rule->{'cmt'});
    if (defined($rule->{'text'})) {
        # Assume un-changed, so the original text is written back verbatim
        return (@cmts, $rule->{'num'}." ".$rule->{'text'});
    }
    else {
        # Need to construct
        local @w;

        # Add the basic rule parameters
        push(@w, $rule->{'num'});
        push(@w, "set", $rule->{'set'}) if (defined($rule->{'set'}));
        push(@w, "prob", $rule->{'prob'}) if (defined($rule->{'prob'}));
        push(@w, $rule->{'action'});
        push(@w, $rule->{'aarg'}) if (defined($rule->{'aarg'}));
        if ($rule->{'log'}) {
            push(@w, "log");
            push(@w, "logamount", $rule->{'logamount'})
                if (defined($rule->{'logamount'}));
        }
        push(@w, &orblock_to_words($rule->{'proto'}));

        # Add the from and to sections
        local $s;
        foreach $s ("from", "to") {
            push(@w, $s);
            push(@w, "not") if ($rule->{$s."_not"});
            push(@w, &orblock_to_words($rule->{$s}));
            if (defined($rule->{$s."_ports"})) {
                push(@w, "not") if ($rule->{$s."_ports_not"});
                push(@w, $rule->{$s."_ports"});
            }
        }

        # Add the options
        if (ref($rule->{'options'})) {
            push(@w, &orblock_to_words($rule->{'options'}));
        }
        else {
            local $o;
            foreach $o (@options) {
                if ($rule->{$o}) {
                    push(@w, "not") if ($rule->{$o."_not"});
                    push(@w, $o);
                }
            }
            foreach $o (@one_options) {
                if (defined($rule->{$o})) {
                    push(@w, "not") if ($rule->{$o."_not"});
                    push(@w, $o);
                    push(@w, $rule->{$o});
                }
            }
            foreach $o (@two_options, @multi_options) {
                if (defined($rule->{$o})) {
                    push(@w, "not") if ($rule->{$o."_not"});
                    push(@w, $o);
                    push(@w, @{$rule->{$o}});
                }
            }
            push(@w, @{$rule->{'unknown'}});
        }
        return (@cmts, join(" ", @w));
    }
}

# describe_rule(&rule)
# Returns a human-readable description of a rule's conditions
sub describe_rule
{
    local $r = $_[0];
    local @rv;
    if ($r->{'proto'} ne 'all' && $r->{'proto'} ne 'ip') {
        push(@rv, &text($r->{'proto_not'} ? 'desc_proto_not' : 'desc_proto',
                        "<b>".uc($r->{'proto'})."</b>"));
    }
    if ($r->{'from'} ne 'any') {
        push(@rv, &text($r->{'from_not'} ? 'desc_from_not' : 'desc_from',
                        $r->{'from'} eq 'me' ? $text{'desc_me'}
                                             : "<b>$r->{'from'}</b>"));
    }
    if ($r->{'from_ports'} ne '') {
        push(@rv, &text($r->{'from_ports_not'} ? 'desc_from_ports_not'
                                               : 'desc_from_ports',
                        "<b>$r->{'from_ports'}</b>"));
    }
    if ($r->{'to'} ne 'any') {
        push(@rv, &text($r->{'to_not'} ? 'desc_to_not' : 'desc_to',
                        $r->{'to'} eq 'me' ?
$text{'desc_me'} : "$r->{'to'}")); } if ($r->{'to_ports'} ne '') { push(@rv, &text($r->{'to_ports_not'} ? 'desc_to_ports_not' : 'desc_to_ports', "$r->{'to_ports'}")); } push(@rv, $text{'desc_in'}) if ($r->{'in'}); push(@rv, $text{'desc_out'}) if ($r->{'out'}); local $o; foreach $o (@options) { if ($r->{$o} && $r->{$o."_not"}) { push(@rv, $text{'desc_'.$o.'_not'}); } elsif ($r->{$o}) { push(@rv, $text{'desc_'.$o}); } } foreach $o (@one_options) { local $v = $r->{$o}; if ($o eq "icmptypes") { $v = join(",", map { $icmptypes[$_] || $_ } split(/,/, $v)); } if ($r->{$o} && $r->{$o."_not"}) { push(@rv, &text('desc_'.$o.'_not', "$v")); } elsif ($r->{$o}) { push(@rv, &text('desc_'.$o, "$v")); } } if ($r->{'mac'}) { if ($r->{'mac'}->[0] eq "any") { push(@rv, &text('desc_mac1', "$r->{'mac'}->[1]")); } elsif ($r->{'mac'}->[1] eq "any") { push(@rv, &text('desc_mac2', "$r->{'mac'}->[0]")); } else { push(@rv, &text('desc_mac', "$r->{'mac'}->[0]", "$r->{'mac'}->[1]")); } } if ($r->{'limit'}) { $limit = &text('desc_limit', $text{'desc_'.$r->{'limit'}->[0]}, $r->{'limit'}->[1]); } if ($r->{'dst-port'}) { push(@rv, &text('desc_dstport', join(", ", @{$r->{'dst-port'}}))); } if ($r->{'src-port'}) { push(@rv, &text('desc_srcport', join(", ", @{$r->{'src-port'}}))); } return @rv ? &text($_[1] ? 'desc_where' : 'desc_if', join(" $text{'desc_and'} ", @rv)).$limit : $text{$_[1] ? 'desc_all' : 'desc_always'}.$limit; } # words_to_orblock(&words) sub words_to_orblock { local $st = shift(@{$_[0]}); while($_[0]->[0] ne $st) { push(@or, shift(@{$_[0]})); } shift(@{$_[0]}); return \@or; } # orblock_to_words(&block) sub orblock_to_words { if (ref($_[0])) { return ( "{", @{$_[0]}, "}" ); } else { return ( $_[0] ); } } # real_action(name) # Returns the proper name for some action sub real_action { return $_[0] =~ /accept|pass|permit/ ? "allow" : $_[0] =~ /drop/ ? "deny" : $_[0] =~ /forward/ ? 
"fwd" : $_[0]; } sub list_protocols { local @stdprotos = ( 'tcp', 'udp', 'icmp' ); local @otherprotos; open(PROTOS, "/etc/protocols"); while() { s/\r|\n//g; s/#.*$//; push(@otherprotos, $1) if (/^(\S+)\s+(\d+)/); } close(PROTOS); @otherprotos = sort { lc($a) cmp lc($b) } @otherprotos; return &unique(@stdprotos, @otherprotos); } # apply_rules(&rules) # Apply the supplied firewall rules sub apply_rules { local $dir = `pwd`; chop($dir); chdir("/"); &system_logged("$config{'ipfw'} -f flush >/dev/null 2>&1"); local $r; foreach $r (@{$_[0]}) { if ($r->{'num'} != 65535) { # skip auto-added final rule local ($line) = &rule_lines($r, 1); local $cmd = "$config{'ipfw'} add $line"; $out = &backquote_logged("$cmd 2>&1 $cmd failed : $out" if ($?); } } chdir($dir); return undef; } # disable_rules() # Returns the system to an 'accept all' state sub disable_rules { local $dir = `pwd`; chop($dir); chdir("/"); &system_logged("$config{'ipfw'} -f flush >/dev/null 2>&1"); &system_logged("$config{'ipfw'} add allow ip from any to any >/dev/null 2>&1"); chdir($dir); return undef; } # interface_choice(name, value, noignored) sub interface_choice { local @ifaces; if (&foreign_check("net")) { &foreign_require("net", "net-lib.pl"); return &net::interface_choice($_[0], $_[1], $_[2] ? 
		undef : "<$text{'edit_ignored'}>");
	}
else {
	return "";
	}
}

# create_firewall_init()
# Sets up start and stop scripts for the firewall, and enables them at boot
sub create_firewall_init
{
&foreign_require("init", "init-lib.pl");
&foreign_require("cron", "cron-lib.pl");
&cron::create_wrapper("$module_config_directory/start.pl",
		      $module_name, "start.pl");
&cron::create_wrapper("$module_config_directory/stop.pl",
		      $module_name, "stop.pl");
&init::enable_at_boot($module_name, "Start firewall",
		      "$module_config_directory/start.pl",
		      "$module_config_directory/stop.pl");
}

1;

---- ipfw/index.cgi ----
#!/usr/local/bin/perl
# Show all firewall rules
# (The HTML markup inside the print statements of this file was lost in
# extraction; only the text and the ui_* calls survive.)

require './ipfw-lib.pl';
&ReadParse();

# Make sure the ipfw command is installed
if (!&has_command($config{'ipfw'})) {
	&ui_print_header(undef, $text{'index_title'}, "", undef, 1, 1);
	&ui_print_endpage(
		&ui_config_link('index_eipfw', [ "$config{'ipfw'}", undef ]));
	}

# Make sure ipfw works
$rules = &get_config();
$active = &get_config("$config{'ipfw'} show |", \$out);
if ($?) {
	&ui_print_header(undef, $text{'index_title'}, "", undef, 1, 1);
	&ui_print_endpage(
		&ui_config_link('index_elist',
			[ "$config{'ipfw'} list", "\n$out\n", undef ]));
	}

# Get the version number
$vout = `$config{'ipfw'} 2>&1`;
if ($vout =~ /preproc/) {
	$ipfw_version = 2;
	}
else {
	$ipfw_version = 1;
	}
open(VERSION, ">$module_config_directory/version");
print VERSION $ipfw_version,"\n";
close(VERSION);

&ui_print_header(undef, $text{'index_title'}, "", undef, 1, 1, 0,
	&help_search_link("ipfw", "man", "doc", "google"),
	undef, undef, &text('index_version', $ipfw_version));

# Check for an active firewall that is not managed by this module
if (!@$rules && @$active > 1) {
	# Yes .. offer to convert
	print &text('index_existing', scalar(@$active), "$ipfw_file"),"\n";
	print &ui_form_start("convert.cgi");
	print &ui_submit($text{'index_saveex'}),"\n";
	print &ui_form_end();
	print "$text{'index_headerex'}\n";
	print $out;
	print "\n";
	}
elsif (@$rules && !$in{'reset'}) {
	# Find last editable rule
	if ($rules->[@$rules-1]->{'num'} == 65535 && @$rules > 1) {
		$lastidx = $rules->[@$rules-2]->{'index'};
		}
	else {
		$lastidx = $rules->[@$rules-1]->{'index'};
		}

	# Build map of active rules
	local %amap = map { int($_->{'num'}), $_ } @$active;

	# Show the rules
	print &ui_form_start("edit_rule.cgi");
	local @widths = ( "width=10", "width=5%", undef );
	push(@widths, undef) if ($config{'view_condition'});
	push(@widths, undef) if ($config{'view_comment'});
	push(@widths, "width=5%", "width=5% nowrap") if ($config{'view_counters'});
	push(@widths, "width=5%", "width=5%");
	print &select_all_link("d", 0),"\n";
	print &select_invert_link("d", 0),"\n";
	print &ui_columns_start([ "", $text{'index_num'}, $text{'index_action'},
		$config{'view_condition'} ? ( $text{'index_desc'} ) : ( ),
		$config{'view_comment'} ? ( $text{'index_cmt'} ) : ( ),
		$config{'view_counters'} ? ( $text{'index_count1'},
					     $text{'index_count2'} ) : ( ),
		$text{'index_move'}, $text{'index_radd'} ], 100, 0, \@widths);
	foreach $r (@$rules) {
		# The move / add link markup (images and hrefs) was lost in
		# extraction, which is why only empty strings remain here
		local ($mover, $adder);
		if ($r->{'index'} >= $lastidx) {
			$mover .= "";
			}
		else {
			$mover .= "";
			}
		if ($r->{'index'} == 0 || $r->{'index'} > $lastidx) {
			$mover .= "";
			}
		else {
			$mover .= "";
			}
		if ($r->{'index'} <= $lastidx) {
			$adder .= "";
			$adder .= "";
			}
		local ($ls, $le);
		if ($r->{'index'} <= $lastidx) {
			$ls = "";
			$le = "";
			}
		local $act = $amap{int($r->{'num'})};
		print &ui_columns_row( [
			&ui_checkbox("d", $r->{'num'}, "", 0),
			$ls.$r->{'num'}.$le,
			$ls.($text{'action_'.&real_action($r->{'action'})} ||
			     uc($r->{'action'})).
			    (defined($r->{'aarg'}) ? " $r->{'aarg'}" : "").$le,
			$config{'view_condition'} ? ( &describe_rule($r) ) : ( ),
			$config{'view_comment'} ? ( $r->{'cmt'} || "\n" ) : ( ),
			$config{'view_counters'} ? ( $act->{'count1'},
						     &nice_size($act->{'count2'}) )
						 : ( ),
			$mover,
			$adder ], \@widths);
		}
	print &ui_columns_end();
	print &select_all_link("d", 0),"\n";
	print &select_invert_link("d", 0),"\n";
	print &ui_submit($text{'index_delete'}, "delsel"),
	      &ui_submit($text{'index_add2'}, "new"),"\n";
	print &ui_form_end();

	# Show buttons to apply configuration and start at boot
	&foreign_require("init", "init-lib.pl");
	$atboot = &init::action_status($module_name);
	print &ui_buttons_start();
	print &ui_buttons_row("apply.cgi", $text{'index_apply'},
			      $text{'index_applydesc'});
	print &ui_buttons_row("unapply.cgi", $text{'index_unapply'},
			      $text{'index_unapplydesc'});
	print &ui_buttons_row("bootup.cgi", $text{'index_boot'},
			      $text{'index_bootdesc'}, undef,
			      &ui_radio("boot", $atboot == 2 ? 1 : 0,
					[ [ 1, $text{'yes'} ], [ 0, $text{'no'} ] ]));
	print &ui_buttons_row("index.cgi", $text{'index_reset'},
			      $text{'index_resetdesc'}, undef,
			      &ui_hidden("reset", 1));
	print &ui_buttons_end();
	}
else {
	# Offer to setup simple firewall
	# The form tag, radio buttons, at-boot checkbox and submit button of
	# this form were lost in extraction; only the label text survives
	print &text($in{'reset'} ? 'index_rsetup' : 'index_setup',
		    "$ipfw_file"),"\n";
	print &ui_hidden("reset", $in{'reset'});
	print "$text{'index_auto0'}\n";
	foreach $a (2 .. 4) {
		print "$text{'index_auto'.$a} ",
		      &interface_choice("iface".$a, undef, 1),"\n";
		}
	print "$text{'index_atboot'}\n";
	}
&ui_print_footer("/", $text{'index'});

---- ipfw/convert.cgi ----
#!/usr/local/bin/perl
# Save active firewall rules to a file

require './ipfw-lib.pl';
&ReadParse();
&error_setup($text{'convert_err'});
&lock_file($ipfw_file);
&system_logged("$config{'ipfw'} list > $ipfw_file");
&unlock_file($ipfw_file);
&webmin_log("convert");
&redirect("");

---- ipfw/config.info ----
save_file=IPFW save file to edit,3,Webmin's default
view_condition=Display conditions?,1,1-Yes,0-No
view_comment=Display comments?,1,1-Yes,0-No
view_counters=Display counters?,1,1-Yes,0-No
ipfw=Full path to ipfw command,0

---- ipfw/config ----
view_comment=0
view_condition=1
view_counters=0
ipfw=/sbin/ipfw

---- ipfw/bootup.cgi ----
#!/usr/local/bin/perl
# bootup.cgi
# Enable or disable ipfw at boot time

require './ipfw-lib.pl';
&ReadParse();
if ($in{'boot'}) {
	&create_firewall_init();
	}
else {
	&foreign_require("init", "init-lib.pl");
	&init::disable_at_boot($module_name);
	}
&webmin_log($in{'boot'} ?
	"bootup" : "bootdown");
&redirect("");

---- ipfw/edit_rule.cgi ----
#!/usr/local/bin/perl
# Display a form for editing or creating a firewall rule
# (The HTML markup inside the print statements of this file was lost in
# extraction; only the text and the ui_* calls survive.)

require './ipfw-lib.pl';
&ReadParse();
$rules = &get_config();

if ($in{'delsel'}) {
	# Special case - deleting selected rules
	%nums = map { $_, 1 } split(/\0/, $in{'d'});
	@$rules = grep { !$nums{$_->{'num'}} } @$rules;
	&lock_file($ipfw_file);
	&save_config($rules);
	&unlock_file($ipfw_file);
	&webmin_log("delsel", undef, undef, { 'count' => scalar(keys %nums) });
	&redirect("");
	exit;
	}

if ($in{'new'}) {
	&ui_print_header(undef, $text{'edit_title1'}, "");
	$rule = { 'action' => 'allow',
		  'from' => 'any',
		  'to' => 'any' };
	}
else {
	$rule = $rules->[$in{'idx'}];
	&ui_print_header(undef, &text('edit_title2', $rule->{'num'}), "");
	}

print &ui_form_start("save_rule.cgi", "post");
print &ui_hidden("new", $in{'new'}),"\n";
print &ui_hidden("idx", $in{'idx'}),"\n";
print &ui_hidden("before", $in{'before'}),"\n";
print &ui_hidden("after", $in{'after'}),"\n";
@tds = ( "width=20%", undef );
print &ui_table_start($text{'edit_header1'}, "width=100%", 2);

# Comment
print &ui_table_row($text{'edit_cmt'},
	$rule->{'cmt'} =~ /\n/ ? &ui_textarea("cmt", $rule->{'cmt'}, 3, 50)
			       : &ui_textbox("cmt", $rule->{'cmt'}, 50),
	undef, \@tds);

# Rule action and argument
$ra = &real_action($rule->{'action'});
push(@actions, $ra) if ($ra && &indexof($ra, @actions) < 0);
$acts = "\n";
$i = 0;
foreach $a (@actions) {
	$acts .= "\n" if ($i%2 == 0);
	local $ma = $rule->{'action'} eq $a;
	$acts .= &ui_oneradio("action", $a,
		$text{"laction_".$a} || $text{"action_".$a} || uc($a), $ma);
	if ($a eq "skipto") {
		$acts .= &ui_textbox("action_skipto", $ma ? $rule->{'aarg'} : "", 8);
		}
	elsif ($a eq "fwd") {
		local ($ip, $port) = split(/,/, $rule->{'aarg'});
		$acts .= &ui_textbox("action_fwdip", $ma ? $ip : "", 15).":".
			 &ui_textbox("action_fwdport", $ma ? $port : "", 5);
		}
	elsif ($a eq "divert" || $a eq "pipe" || $a eq "queue" || $a eq "tee") {
		$acts .= &ui_textbox("action_port", $ma ? $rule->{'aarg'} : "", 5);
		}
	elsif ($a eq "unreach") {
		$acts .= &ui_select("action_unreach", $ma ? $rule->{'aarg'} : "",
				    [ map { [ $_, $_ ] } @unreaches ]);
		}
	$acts .= "\n";
	$acts .= "\n" if ($i++%2 == 1);
	}
$acts .= "\n";
print &ui_table_row($text{'edit_action'}, $acts, undef, \@tds);

# Logging field
print &ui_table_row($text{'edit_log'},
	&ui_oneradio("log", 0, $text{'no'}, !$rule->{'log'})." ".
	&ui_oneradio("log", 1, &text('edit_logyes',
		&ui_textbox("logamount", $rule->{'logamount'}, 5)),
		$rule->{'log'}));

# State-keeping rule
print &ui_table_row($text{'edit_keep-state'},
	&yes_no_ignored_input("keep-state"), 1, \@tds);

print &ui_table_end();
print "\n";

# Condition section
print "$text{'edit_desc'}\n";
print &ui_table_start($text{'edit_header3'}, "width=100%", 4);

# Protocol field
if (ref($rule->{'proto'})) {
	# Multiple or-block values!
	print &ui_table_row($text{'edit_proto'},
		&orblock_input("proto", $rule->{'proto'}));
	}
else {
	local @protos = &list_protocols();
	$rule->{'proto'} = "all" if ($rule->{'proto'} eq "ip");
	print &ui_table_row($text{'edit_proto'},
		&ui_select("proto", $rule->{'proto'},
			   [ [ "all", $text{'edit_any'} ],
			     map { [ $_, uc($_) ] } @protos ]), undef, \@tds);
	}

# Incoming / outgoing
$iomode = ($rule->{'in'} || ($rule->{'out'} && $rule->{'out_not'})) ? 1 :
	  ($rule->{'out'} || ($rule->{'in'} && $rule->{'in_not'})) ? 2 : 0;
print &ui_table_row($text{'edit_inout'},
	&ui_select("inout", $iomode, [ [ 0, "<$text{'edit_ignored'}>" ],
				       [ 1, $text{'edit_inout1'} ],
				       [ 2, $text{'edit_inout2'} ] ]), 1, \@tds);

# Via interface
print &ui_table_row($text{'edit_via'},
	&interface_choice("via", $rule->{'via'}), 1, \@tds);

print &ui_table_end();
print "\n";

# Source and destination sections
foreach $s ("from", "to") {
	print &ui_table_start($text{'edit_header'.$s}, "width=100%", 2);

	# IP address
	if (ref($rule->{$s})) {
		print &ui_table_row($text{'edit_'.$s},
			&orblock_input($s, $rule->{$s}));
		}
	else {
		local $mode = $rule->{$s} eq "any" ? 0 :
			      $rule->{$s} eq "me" ? 1 : 2;
		print &ui_table_row($text{'edit_'.$s},
			&ui_oneradio($s."_mode", 0, $text{'edit_sany'}, $mode == 0)."\n".
			&ui_oneradio($s."_mode", 1, $text{'edit_sme'}, $mode == 1)."\n".
			&ui_oneradio($s."_mode", 2, $text{'edit_saddr'}, $mode == 2)." ".
			&ui_textbox($s, $mode == 2 ? $rule->{$s} : "", 40),
			undef, \@tds);
		print &ui_table_row("",
			&ui_checkbox($s."_not", 1, $text{'edit_snot'},
				     $rule->{$s."_not"}), undef, \@tds);
		}
	#print &ui_table_hr();

	# Ports within IPs
	if (ref($rule->{$s."_ports"})) {
		print &ui_table_row($text{'edit_port'.$s},
			&orblock_input($s."_ports", $rule->{$s."_ports"}));
		}
	else {
		local $mode = defined($rule->{$s."_ports"}) ? 1 : 0;
		print &ui_table_row($text{'edit_port'.$s},
			&ui_oneradio($s."_ports_mode", 0, $text{'edit_pany'}, $mode == 0)."\n".
			&ui_oneradio($s."_ports_mode", 1, $text{'edit_ports'}, $mode == 1)." ".
			&ui_textbox($s."_ports", $mode == 1 ? $rule->{$s."_ports"} : "", 40),
			undef, \@tds);
		if ($ipfw_version >= 2) {
			print &ui_table_row("",
				&ui_checkbox($s."_ports_not", 1, $text{'edit_pnot'},
					     $rule->{$s."_ports_not"}), undef, \@tds);
			}
		}

	# Received interface
	local $rs = $s eq "from" ? "recv" : "xmit";
	print &ui_table_row($text{'edit_'.$rs},
		&interface_choice($rs, $rule->{$rs}), 1, \@tds);

	print &ui_table_end();
	print "\n";
	}

# Options section
@tds = ( "", "nowrap" );
# XXX or-block support
print &ui_table_start($text{'edit_header2'}, "width=100%", 4);

# Established traffic
print &ui_table_row($text{'edit_established'},
	&yes_no_ignored_input("established"), 1, \@tds);

# TCP setup packets
print &ui_table_row($text{'edit_setup'},
	&yes_no_ignored_input("setup"), 1, \@tds);

# Bridged packets
print &ui_table_row($text{'edit_bridged'},
	&yes_no_ignored_input("bridged"), 1, \@tds);

# Fragmented packets
print &ui_table_row($text{'edit_frag'},
	&yes_no_ignored_input("frag"), 1, \@tds);

# MAC addresses (if supported)
if ($ipfw_version >= 2) {
	local ($md, $ms) = $rule->{'mac'} ? @{$rule->{'mac'}} : ( "any", "any" );
	print &ui_table_row($text{'edit_mac1'},
		&ui_radio("mac1_def", $ms eq "any" ? 1 : 0,
			  [ [ 1, $text{'edit_ignored'} ],
			    [ 0, $text{'edit_macaddr'} ] ] )." ".
		&ui_textbox("mac1", $ms eq "any" ? "" : $ms, 20), 3, \@tds);
	print &ui_table_row($text{'edit_mac2'},
		&ui_radio("mac2_def", $md eq "any" ? 1 : 0,
			  [ [ 1, $text{'edit_ignored'} ],
			    [ 0, $text{'edit_macaddr'} ] ] )." ".
		&ui_textbox("mac2", $md eq "any" ? "" : $md, 20), 3, \@tds);
	}

# UID and GID
if (defined($rule->{'uid'})) {
	$user = getpwuid($rule->{'uid'});
	$user = "#".$rule->{'uid'} if (!defined($user));
	}
print &ui_table_row($text{'edit_uid'},
	&ui_radio("uid_def", $user ? 0 : 1,
		  [ [ 1, $text{'edit_ignored'} ],
		    [ 0, $text{'edit_user'} ] ] )." ".
	&ui_user_textbox("uid", $user), 3, \@tds);
if (defined($rule->{'gid'})) {
	$group = getgrgid($rule->{'gid'});
	$group = "#".$rule->{'gid'} if (!defined($group));
	}
print &ui_table_row($text{'edit_gid'},
	&ui_radio("gid_def", $group ? 0 : 1,
		  [ [ 1, $text{'edit_ignored'} ],
		    [ 0, $text{'edit_group'} ] ] )." ".
	&ui_group_textbox("gid", $group), 3, \@tds);

# ICMP types
# (The loop that built one checkbox per entry of @icmptypes, using %gottypes
# to pre-select those in the rule, was lost in extraction along with its
# table markup.)
%gottypes = map { $_, 1 }
	    map { $_ =~ /^(\d+)\-(\d+)$/ ? ( $1 .. $2 ) : ( $_ ) }
		split(/,/, $rule->{'icmptypes'});
$icmptypes = "\n";
print &ui_table_row($text{'edit_icmptypes'}, $icmptypes, 1, \@tds);

# TCP flags
# (The loop that built one checkbox per entry of @tcpflags, using %gotflags,
# was lost in extraction in the same way.)
%gotflags = map { $_, 1 } split(/,/, $rule->{'tcpflags'});
$tcpflags = "\n";
print &ui_table_row($text{'edit_tcpflags'}, $tcpflags, 1, \@tds);

# Limit directive
print &ui_table_row($text{'edit_limit'},
	&ui_select("limit", $rule->{'limit'} ? $rule->{'limit'}->[0] : "",
		   [ [ "", "<$text{'edit_unlimited'}>" ],
		     [ "src-addr", $text{'edit_src-addr'} ],
		     [ "src-port", $text{'edit_src-port'} ],
		     [ "dst-addr", $text{'edit_dst-addr'} ],
		     [ "dst-port", $text{'edit_dst-port'} ] ])." ".
	&ui_textbox("limit2", $rule->{'limit'} ? $rule->{'limit'}->[1] : "", 6),
	3, \@tds);

# Destination ports directive
print &ui_table_row($text{'edit_dstport'},
	&ui_opt_textbox("dstport", $rule->{'dst-port'} ?
				join(" ", @{$rule->{'dst-port'}}) : undef,
			30, $text{'edit_pany'}), 3, \@tds);

# Source ports directive
print &ui_table_row($text{'edit_srcport'},
	&ui_opt_textbox("srcport", $rule->{'src-port'} ?
				join(" ", @{$rule->{'src-port'}}) : undef,
			30, $text{'edit_pany'}), 3, \@tds);

print &ui_table_end();
if ($in{'new'}) {
	print &ui_form_end([ [ 'create', $text{'create'} ] ], "100%");
	}
else {
	print &ui_form_end([ [ 'save', $text{'save'} ],
			     [ 'delete', $text{'delete'} ] ], "100%");
	}

# orblock_input(name, &orblock)
# Returns a text box for editing an or-block as a single line of words
sub orblock_input
{
return $text{'edit_orblock'}." ".
       &ui_textbox($_[0], join(" ", @{$_[1]}), 50).
       &ui_hidden($_[0]."_orblock", 1);
}

# yes_no_ignored_input(name)
# Returns radio buttons for a stand-alone option. Mode 2 (option negated
# with 'not') has no matching radio button in the list below.
sub yes_no_ignored_input
{
local $mode = $rule->{$_[0]} && $rule->{$_[0]."_not"} ? 2 :
	      $rule->{$_[0]} ? 1 : 0;
return &ui_radio($_[0], $mode, [ [ 1, $text{'yes'} ], [ 0, $text{'no'} ] ]);
}

---- ipfw/apply.cgi ----
#!/usr/local/bin/perl
# apply.cgi
# Apply the current firewall configuration

require './ipfw-lib.pl';
&ReadParse();
&error_setup($text{'apply_err'});
$rules = &get_config();
$err = &apply_rules($rules);
&error($err) if ($err);
&webmin_log("apply");
&redirect("");

---- ipfw/stop.pl ----
#!/usr/local/bin/perl
# stop.pl
# Turn off the firewall

$no_acl_check++;
require './ipfw-lib.pl';
&ReadParse();
$err = &disable_rules();
if ($err) {
	$err =~ s/<[^>]*>//g;
	print STDERR "Failed to disable firewall : $err\n";
	exit(1);
	}
else {
	exit(0);
	}

---- ipfw/install_check.pl ----
# install_check.pl
do 'ipfw-lib.pl';

# is_installed(mode)
# For mode 1, returns 2 if the server is installed and configured for use by
# Webmin, 1 if installed but not configured, or 0 otherwise.
# For mode 0, returns 1 if installed, 0 if not
sub is_installed
{
return 0 if (!&has_command($config{'ipfw'}));
local $ex = system("$config{'ipfw'} list >/dev/null 2>&1 </dev/null");
# Everything from here up to the error handling at the end of start.pl was
# lost in extraction. This return value is an assumption that follows the
# comment above: mode 1 distinguishes a working ipfw from a present one.
return $_[0] ? ($ex ? 1 : 2) : 1;
}

---- ipfw/start.pl ----
#!/usr/local/bin/perl
# start.pl
# Turn on the firewall
# (The first lines of this file were lost in extraction; the shebang, header
# and the calls before the error handling are reconstructed by analogy with
# stop.pl, and are an assumption.)

$no_acl_check++;
require './ipfw-lib.pl';
&ReadParse();
$rules = &get_config();
$err = &apply_rules($rules);
if ($err) {
	$err =~ s/<[^>]*>//g;
	print STDERR "Failed to enable firewall : $err\n";
	exit(1);
	}
else {
	exit(0);
	}

---- ipfw/move.cgi ----
#!/usr/local/bin/perl
# move.cgi
# Swap two rules

require './ipfw-lib.pl';
&ReadParse();
$rules = &get_config();
$rule1 = $rules->[$in{'idx'}];
$rule2 = $rules->[$in{'up'} ?
		  $in{'idx'}-1 : $in{'idx'}+1];
($rules->[$rule1->{'index'}], $rules->[$rule2->{'index'}]) =
	($rules->[$rule2->{'index'}], $rules->[$rule1->{'index'}]);
($rule1->{'num'}, $rule2->{'num'}) = ($rule2->{'num'}, $rule1->{'num'});
&lock_file($ipfw_file);
&save_config($rules);
&unlock_file($ipfw_file);
&webmin_log("move", "rule", $rule1->{'action'}, $rule1);
&redirect("");

---- ipfw/log_parser.pl ----
# log_parser.pl
# Functions for parsing this module's logs

do 'ipfw-lib.pl';

# parse_webmin_log(user, script, action, type, object, &params)
# Converts logged information from this module into human-readable form
sub parse_webmin_log
{
local ($user, $script, $action, $type, $object, $p, $long) = @_;
if ($type eq "rule") {
	return &text("log_${action}_rule".($long ? "_l" : ""),
		     $text{'action_'.$object}, &describe_rule($p, 1));
	}
elsif ($action eq "delsel") {
	return &text('log_delsel', $p->{'count'});
	}
else {
	return $text{"log_$action"};
	}
}

---- ipfw/CHANGELOG ----
---- Changes since 1.140 ----
First version of this module, which can manage a BSD IPFW firewall. Allows the creation and editing of rules, and supports all actions and the most common conditions and options. Thanks to Olav Berge for sponsoring this module.
---- Changes since 1.180 ----
Added button for deleting multiple rules from list.

---- ipfw/setup.cgi ----
#!/usr/local/bin/perl
# setup.cgi
# Create an initial IPFW rules file

require './ipfw-lib.pl';
&ReadParse();

# Start with base configuration, which will include 65535 rule
$rules = &get_config("$config{'ipfw'} list |", \$out);
if ($in{'reset'}) {
	@$rules = grep { $_->{'num'} == 65535 } @$rules;
	}

# Add selected rules
if ($in{'auto'} == 0) {
	# Allow all traffic
	splice(@$rules, 0, 0,
		{ "action" => "allow",
		  "num" => "00100",
		  "proto" => "all",
		  "from" => "any",
		  "to" => "any",
		  "cmt" => "Allow all traffic" });
	}
elsif ($in{'auto'} >= 2) {
	# Block all traffic, apart from established connections, DNS replies
	# and safe ICMP types
	$iface = $in{'iface'.$in{'auto'}} || $in{'iface'.$in{'auto'}.'_other'};
	$iface || &error($text{'setup_eiface'});
	splice(@$rules, 0, 0,
		{ "action" => "skipto",
		  "aarg" => "00300",
		  "num" => "00100",
		  "proto" => "all",
		  "from" => "any",
		  "to" => "any",
		  "recv" => $iface,
		  "cmt" => "Skip next rule for external interface" },
		{ "action" => "allow",
		  "num" => "00200",
		  "proto" => "all",
		  "from" => "any",
		  "to" => "any",
		  "cmt" => "Allow all traffic on internal interfaces" },
		{ "action" => "allow",
		  "num" => "00300",
		  "proto" => "tcp",
		  "from" => "any",
		  "to" => "any",
		  "established" => 1,
		  "cmt" => "Allow established TCP connections" },
		{ "action" => "allow",
		  "num" => "00400",
		  "proto" => "tcp",
		  "from" => "any",
		  "to" => "any",
		  "tcpflags" => "ack",
		  "cmt" => "Allow traffic with ACK flag set" },
		{ "action" => "allow",
		  "num" => "00500",
		  "proto" => "udp",
		  "from" => "any",
		  "from_ports" => "53",
		  "to" => "any",
		  "to_ports" => "1024-65535",
		  "cmt" => "Accept responses to DNS queries" },
		{ "action" => "allow",
		  "num" => "00600",
		  "proto" => "icmp",
		  "from" => "any",
		  "to" => "any",
		  "icmptypes" => "0,3,4,11,12",
		  "cmt" => "Accept safe ICMP types" });
	if ($in{'auto'} >= 3) {
		# Add SSH and ident
		splice(@$rules, @$rules-1, 0,
			{ "action" => "allow",
			  "num" => "00700",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "ssh",
			  "cmt" => "Allow connections to our SSH server" },
			{ "action" => "allow",
			  "num" => "00800",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "auth",
			  "cmt" => "Allow connections to our IDENT server" });
		}
	if ($in{'auto'} >= 4) {
		# Allow pings and most high ports
		splice(@$rules, @$rules-1, 0,
			{ "action" => "allow",
			  "num" => "00900",
			  "proto" => "icmp",
			  "from" => "any",
			  "to" => "any",
			  "icmptypes" => "8",
			  "cmt" => "Respond to pings" },
			{ "action" => "deny",
			  "num" => "01000",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "2049-2050",
			  "cmt" => "Protect our NFS server" },
			{ "action" => "deny",
			  "num" => "01100",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "6000-6063",
			  "cmt" => "Protect our X11 display server" },
			{ "action" => "deny",
			  "num" => "01200",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "7000-7010",
			  "cmt" => "Protect our X font server" },
			{ "action" => "allow",
			  "num" => "01300",
			  "proto" => "tcp",
			  "from" => "any",
			  "to" => "any",
			  "to_ports" => "1024-65535",
			  "cmt" => "Allow connections to unprivileged ports" });
		}

	# Add final deny all rule (if needed)
	local $lr = $rules->[@$rules-1];
	if ($lr->{'num'} != 65535 || $lr->{'action'} ne 'deny') {
		splice(@$rules, @$rules-1, 0,
			{ "action" => "deny",
			  "num" => "10000",
			  "proto" => "all",
			  "from" => "any",
			  "to" => "any" });
		}
	}

# Save firewall
&lock_file($ipfw_file);
&save_config($rules);
&unlock_file($ipfw_file);
if ($in{'atboot'}) {
	&create_firewall_init();
	}
&webmin_log("setup");
&redirect("");

---- ipfw/config.info.ca ----
save_file=Fitxer de desat IPFW a editar,3,Per defecte de Webmin
view_condition=Mostra la condició,1,1-Sí,0-No
view_comment=Mostra el comentari,1,1-Sí,0-No
view_counters=Mostra els comptadors,1,1-Sí,0-No
ipfw=Camí complet de l'ordre ipfw,0

---- ipfw/unapply.cgi ----
#!/usr/local/bin/perl
# unapply.cgi
# Copy the active firewall configuration to the save file

require './ipfw-lib.pl';
&lock_file($ipfw_file);
&system_logged("$config{'ipfw'} list > $ipfw_file");
&unlock_file($ipfw_file);
&webmin_log("unapply");
&redirect("");