author | Steven Barth <steven@midlink.org> | 2008-10-03 16:04:09 +0000 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2008-10-03 16:04:09 +0000 |
commit | 1e10c4ae4a6a43ca0a2ea07c2b4cf95fce66cc7d (patch) | |
tree | b62814b4527adc5912e72403215f56085b07fad6 /applications | |
parent | c2a2fccca3ad2cd805ff366a99d9f656918484d7 (diff) |
Redesigned firewall configuration
Diffstat (limited to 'applications')
11 files changed, 155 insertions, 68 deletions
diff --git a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
index 18b6f87f65..4d8c13840e 100644
--- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
+++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
@@ -7,11 +7,14 @@ function index()
 local nodes = {}
 table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
-table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
-table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))
-table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
-table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))
-table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))
+table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/zones"), i18n("fw_zones"), 10))
+table.insert(nodes, entry({"admin", "network", "firewall", "redirection"}, cbi("luci_fw/redirect"), i18n("fw_redirect"), 30))
+table.insert(nodes, entry({"admin", "network", "firewall", "traffic"}, cbi("luci_fw/traffic"), i18n("fw_traffic"), 20))
+
+table.insert(nodes, entry({"admin", "network", "firewall", "rule"}, cbi("luci_fw/trule")))
+nodes[#nodes].leaf = true
+table.insert(nodes, entry({"admin", "network", "firewall", "redirect"}, cbi("luci_fw/rrule")))
+nodes[#nodes].leaf = true
 table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
index df071a05e6..0261d73f0d 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua +++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua @@ -1,12 +1,17 @@ fw_portfw = 'Portweiterleitung' -fw_forwarding = 'Zone-zu-Zone Weiterleitung' +fw_redirect = 'Umleitungen' +fw_redirect_desc = 'Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.' +fw_forwarding = 'Zone-zu-Zone Verkehr' fw_fw = 'Firewall' fw_zone = 'Zone' fw_zones = 'Zonen' fw_custfwd = 'Erweiterte Weiterleitung' -fw_rules = 'Regeln für eingehenden Verkehr' -fw_rules1 = 'An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.' +firewall_rule = 'Erweiterte Regeln' +firewall_rule_desc = 'Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.' fw_fw1 = 'Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.' +fw_src = 'Quelle' +fw_dest = 'Ziel' +fw_traffic = 'Verkehrskontrolle' firewall_rule_src = 'Eingangszone' firewall_rule_dest = 'Ausgangszone' firewall_rule_srcip = 'Quelladresse' @@ -26,6 +31,8 @@ firewall_redirect_destip = 'Interne Adresse' firewall_redirect_destip_desc = 'IP-Adresse' firewall_redirect_destport = 'Interner Port (optional)' firewall_redirect_destport_desc = 'Port od. Erster-Letzter Port' +firewall_redirect_srcip = 'Quelladresse' +firewall_redirect_srcmac = 'Quell-MAC-Adresse' fw_forwarding1 = 'An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.' firewall_forwarding_src = 'Eingang' firewall_forwarding_dest = 'Ausgang' diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml index 6bf355015e..3825bb4ae9 100644 
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml +++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml @@ -3,14 +3,19 @@ <i18n:msgs xmlns:i18n="http://luci.freifunk-halle.net/2008/i18n#" xmlns="http://www.w3.org/1999/xhtml"> <i18n:msg xml:id="fw_portfw">Portweiterleitung</i18n:msg> -<i18n:msg xml:id="fw_forwarding">Zone-zu-Zone Weiterleitung</i18n:msg> +<i18n:msg xml:id="fw_redirect">Umleitungen</i18n:msg> +<i18n:msg xml:id="fw_redirect_desc">Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.</i18n:msg> +<i18n:msg xml:id="fw_forwarding">Zone-zu-Zone Verkehr</i18n:msg> <i18n:msg xml:id="fw_fw">Firewall</i18n:msg> <i18n:msg xml:id="fw_zone">Zone</i18n:msg> <i18n:msg xml:id="fw_zones">Zonen</i18n:msg> <i18n:msg xml:id="fw_custfwd">Erweiterte Weiterleitung</i18n:msg> -<i18n:msg xml:id="fw_rules">Regeln für eingehenden Verkehr</i18n:msg> -<i18n:msg xml:id="fw_rules1">An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.</i18n:msg> +<i18n:msg xml:id="firewall_rule">Erweiterte Regeln</i18n:msg> +<i18n:msg xml:id="firewall_rule_desc">Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.</i18n:msg> <i18n:msg xml:id="fw_fw1">Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.</i18n:msg> +<i18n:msg xml:id="fw_src">Quelle</i18n:msg> +<i18n:msg xml:id="fw_dest">Ziel</i18n:msg> +<i18n:msg xml:id="fw_traffic">Verkehrskontrolle</i18n:msg> <i18n:msg xml:id="firewall_rule_src">Eingangszone</i18n:msg> <i18n:msg xml:id="firewall_rule_dest">Ausgangszone</i18n:msg> <i18n:msg xml:id="firewall_rule_srcip">Quelladresse</i18n:msg> 
@@ -31,6 +36,9 @@ <i18n:msg xml:id="firewall_redirect_destip_desc">IP-Adresse</i18n:msg> <i18n:msg xml:id="firewall_redirect_destport">Interner Port (optional)</i18n:msg> <i18n:msg xml:id="firewall_redirect_destport_desc">Port od. Erster-Letzter Port</i18n:msg> +<i18n:msg xml:id="firewall_redirect_srcip">Quelladresse</i18n:msg> +<i18n:msg xml:id="firewall_redirect_srcmac">Quell-MAC-Adresse</i18n:msg> + <i18n:msg xml:id="fw_forwarding1">An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.</i18n:msg> <i18n:msg xml:id="firewall_forwarding_src">Eingang</i18n:msg> diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua index 74da02f63e..800eee4d60 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua +++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua @@ -1,12 +1,14 @@ fw_portfw = 'Port forwarding' -fw_forwarding = 'Zone-to-Zone forwarding' +fw_redirect = 'Traffic Redirection' +fw_redirect_desc = 'Traffic redirection allows you to change the destination address of forwarded packets.' +fw_forwarding = 'Zone-to-Zone traffic' fw_fw = 'Firewall' fw_zone = 'Zone' fw_zones = 'Zones' fw_custfwd = 'Custom forwarding' -fw_rules = 'Incoming traffic rules' -fw_rules1 = 'Here you can create custom firewall rules to control your network traffic.' fw_fw1 = 'The firewall creates zones over your network interfaces to control network traffic flow.' +firewall_rule = 'Advanced Rules' +firewall_rule_desc = 'Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.' firewall_rule_src = 'Input Zone' firewall_rule_dest = 'Output Zone' firewall_rule_srcip = 'Source address' 
@@ -18,10 +20,15 @@ firewall_rule_target = 'Action' fw_accept = 'accept' fw_reject = 'reject' fw_drop = 'drop' +fw_src = 'Source' +fw_dest = 'Destination' +fw_traffic = 'Traffic Control' fw_portfw1 = 'Port forwarding allows to provide network services in the internal network to an external network.' firewall_redirect_src_desc = 'External Zone' firewall_redirect_srcdport = 'External port' firewall_redirect_srcdport_desc = 'port or range as first-last' +firewall_redirect_srcip = 'Source address' +firewall_redirect_srcmac = 'Source MAC' firewall_redirect_destip = 'Internal address' firewall_redirect_destip_desc = 'IP-Address' firewall_redirect_destport = 'Internal port (optional)' diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml index 1ad9acb8c8..1da35bc239 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml +++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml 
@@ -3,14 +3,16 @@ <i18n:msgs xmlns:i18n="http://luci.freifunk-halle.net/2008/i18n#" xmlns="http://www.w3.org/1999/xhtml"> <i18n:msg xml:id="fw_portfw">Port forwarding</i18n:msg> -<i18n:msg xml:id="fw_forwarding">Zone-to-Zone forwarding</i18n:msg> +<i18n:msg xml:id="fw_redirect">Traffic Redirection</i18n:msg> +<i18n:msg xml:id="fw_redirect_desc">Traffic redirection allows you to change the destination address of forwarded packets.</i18n:msg> +<i18n:msg xml:id="fw_forwarding">Zone-to-Zone traffic</i18n:msg> <i18n:msg xml:id="fw_fw">Firewall</i18n:msg> <i18n:msg xml:id="fw_zone">Zone</i18n:msg> <i18n:msg xml:id="fw_zones">Zones</i18n:msg> <i18n:msg xml:id="fw_custfwd">Custom forwarding</i18n:msg> -<i18n:msg xml:id="fw_rules">Incoming traffic rules</i18n:msg> -<i18n:msg xml:id="fw_rules1">Here you can create custom firewall rules to control your network traffic.</i18n:msg> <i18n:msg xml:id="fw_fw1">The firewall creates zones over your network interfaces to control network traffic flow.</i18n:msg> +<i18n:msg xml:id="firewall_rule">Advanced Rules</i18n:msg> +<i18n:msg xml:id="firewall_rule_desc">Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.</i18n:msg> <i18n:msg xml:id="firewall_rule_src">Input Zone</i18n:msg> <i18n:msg xml:id="firewall_rule_dest">Output Zone</i18n:msg> <i18n:msg xml:id="firewall_rule_srcip">Source address</i18n:msg> 
@@ -22,11 +24,16 @@ <i18n:msg xml:id="fw_accept">accept</i18n:msg>
 <i18n:msg xml:id="fw_reject">reject</i18n:msg>
 <i18n:msg xml:id="fw_drop">drop</i18n:msg>
+<i18n:msg xml:id="fw_src">Source</i18n:msg>
+<i18n:msg xml:id="fw_dest">Destination</i18n:msg>
+<i18n:msg xml:id="fw_traffic">Traffic Control</i18n:msg>
 <i18n:msg xml:id="fw_portfw1">Port forwarding allows to provide network services in the internal network to an external network.</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_src_desc">External Zone</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_srcdport">External port</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_srcdport_desc">port or range as first-last</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcip">Source address</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcmac">Source MAC</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destip">Internal address</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destip_desc">IP-Address</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destport">Internal port (optional)</i18n:msg>
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua
index 9afd4f3e5a..3aa1066f52 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua
@@ -12,13 +12,14 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
 s = m:section(TypedSection, "redirect", "")
 s.template = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "redirect", "%s")
 name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
 name.size = 10
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
deleted file mode 100644
index f8689a05c5..0000000000
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
+++ /dev/null
@@ -1,30 +0,0 @@
---[[
-LuCI - Lua Configuration Interface
-
-Copyright 2008 Steven Barth <steven@midlink.org>
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-$Id$
-]]--
-m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-
-s = m:section(TypedSection, "forwarding", "")
-s.template = "cbi/tblsection"
-s.addremove = true
-s.anonymous = true
-
-iface = s:option(ListValue, "src")
-oface = s:option(ListValue, "dest")
-
-luci.model.uci.cursor():foreach("firewall", "zone",
- function (section)
- iface:value(section.name)
- oface:value(section.name)
- end)
-
-return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua
index b883c47501..7958676163 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua
@@ -12,11 +12,12 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
-s = m:section(TypedSection, "redirect", "")
-s.addremove = true
+
+s = m:section(NamedSection, arg[1], "redirect", "")
 s.anonymous = true
 name = s:option(Value, "_name", translate("name"))
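Review bot: `arg[1]` is the trailing URL path segment and goes straight into `NamedSection` with no check that a `redirect` section of that name exists, so the editor renders, and on submit writes redirect options into, whatever section name the request supplies (a `zone` or `rule` section included) unless NamedSection itself compares the section type, which I cannot see from here. The `arg[1] = arg[1] or ""` fallback only avoids a nil argument; an empty name is still not a valid target. A guard right after the Map is built keeps the form on its intended section: `if m.uci:get("firewall", arg[1]) ~= "redirect" then luci.http.status(404, "Not Found") return end` — assuming `m.uci` is the uci cursor that traffic.lua's `m.uci:save` uses, and adapting the error path to whatever the dispatcher expects from a model.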
@@ -30,10 +31,10 @@ luci.model.uci.cursor():foreach("firewall", "zone",
 iface:value(section.name)
 end)
-s:option(Value, "src_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_redirect_srcip")).optional = true
+s:option(Value, "src_mac", translate("firewall_redirect_srcmac")).optional = true
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_redirect_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
@@ -46,19 +47,19 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcpudp", "TCP+UDP")
-dport = s:option(Value, "src_dport")
+dport = s:option(Value, "src_dport", translate("firewall_redirect_srcdport"))
 dport.size = 5
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
-to = s:option(Value, "dest_ip")
+to = s:option(Value, "dest_ip", translate("firewall_redirect_destip"))
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 to:value(dataset["IP address"])
 end
-toport = s:option(Value, "dest_port")
+toport = s:option(Value, "dest_port", translate("firewall_redirect_destport"))
 toport.optional = true
 toport.size = 5
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua
new file mode 100644
index 0000000000..660f9706ac
--- /dev/null
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua
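Review bot: `src_ip`, `src_mac` and `src_port` stay free-text `Value` fields with no validator, so whatever string is typed lands in the UCI `redirect` section and is later handed to the firewall scripts as match arguments; those scripts are not in this diff, but a pattern check here is cheap insurance against both typos and shell metacharacters reaching them. For the port field that is one line, `function sport.validate(self, value) return (value:match("^%d+$") or value:match("^%d+%-%d+$")) and value end`, with dotted-quad/CIDR and `xx:xx:xx:xx:xx:xx` patterns for the address and MAC fields, provided this CBI version honours a per-option `validate` hook. Separately, `translate("firewall_redirect_srcport")` is the one new label key in this file that none of the i18n hunks in this commit define; unless it already exists in the part of luci-fw.en.lua not shown, the label will render as the raw key.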
@@ -0,0 +1,80 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+m = Map("firewall", translate("fw_traffic"))
+s = m:section(TypedSection, "forwarding", translate("fw_forwarding"), translate("fw_forwarding1"))
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+iface = s:option(ListValue, "src", translate("fw_src"))
+oface = s:option(ListValue, "dest", translate("fw_dest"))
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ oface:value(section.name)
+ end)
+
+
+
+s = m:section(TypedSection, "rule")
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "rule", "%s")
+
+local created = nil
+
+function s.create(self, section)
+ created = TypedSection.create(self, section)
+end
+
+function s.parse(self, ...)
+ TypedSection.parse(self, ...)
+ if created then
+ m.uci:save("firewall")
+ luci.http.redirect(luci.dispatcher.build_url(
+ "admin", "network", "firewall", "rule", created
+ ))
+ end
+end
+
+s:option(DummyValue, "_name", translate("name"))
+s:option(DummyValue, "proto", translate("protocol"))
+
+src = s:option(DummyValue, "src", translate("fw_src"))
+function src.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "src") or "*",
+ self.map:get(s, "src_ip") or "0.0.0.0/0",
+ self.map:get(s, "src_port") or "*"
+ }
+end
+
+dest = s:option(DummyValue, "dest", translate("fw_dest"))
+function dest.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "dest") or "*",
+ self.map:get(s, "dest_ip") or "0.0.0.0/0",
+ self.map:get(s, "dest_port") or "*"
+ }
+end
+
+
+s:option(DummyValue, "target")
+
+
+return m
\ No newline at end of file
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
index 0d9af93fc6..3712196ff8 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
@@ -11,16 +11,19 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("firewall_rule"), translate("firewall_rule_desc"))
-s = m:section(TypedSection, "rule", "")
-s.addremove = true
+s = m:section(NamedSection, arg[1], "rule", "")
 s.anonymous = true
-iface = s:option(ListValue, "src")
+name = s:option(Value, "_name", translate("name")..translate("cbi_optional"))
+name.rmempty = true
+
+iface = s:option(ListValue, "src", translate("firewall_rule_src"))
 iface.rmempty = true
-oface = s:option(ListValue, "dest")
+oface = s:option(ListValue, "dest", translate("firewall_rule_dest"))
 oface:value("")
 oface.optional = true
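Review bot: The `s.create` override in traffic.lua stores the new section name in `created` but returns nothing, so if `TypedSection.parse` inspects create's return value (to tell a successful add from a rejected one, for instance) it now always sees nil; `created = TypedSection.create(self, section) return created` keeps the upstream contract while still capturing the name. The `s.parse` override then issues `luci.http.redirect` from inside the Map's own parse after only `m.uci:save("firewall")`; whether a later stage of Map.parse commits or applies the config cannot be seen from this file, so confirm the early redirect does not skip it. A smaller point of style: the `s` parameter of `src.cfgvalue` and `dest.cfgvalue` shadows the module-level section `s`, which this file already rebinds once; naming it `section` avoids the confusion.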
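Review bot: `arg[1]` is taken from the URL and passed to `NamedSection` without verifying that a `rule` section of that name exists, so the editor can be pointed at any section of the firewall config and will write rule options into it on submit, unless NamedSection checks the section type itself, which I cannot confirm from here. Right after the Map is built, `if m.uci:get("firewall", arg[1]) ~= "rule" then luci.http.status(404, "Not Found") return end` closes that, assuming `m.uci` is the cursor that traffic.lua's `m.uci:save` relies on. The title `translate("name")..translate("cbi_optional")` joins two messages with no separator, so unless `cbi_optional` begins with a space it renders as one word; redirect.lua passes `translate("cbi_optional")` as the separate description argument, which is the consistent form.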
@@ -38,23 +41,23 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("icmp", "ICMP")
-s:option(Value, "src_ip").optional = true
-s:option(Value, "dest_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_rule_srcip")).optional = true
+s:option(Value, "dest_ip", translate("firewall_rule_destip")).optional = true
+s:option(Value, "src_mac", translate("firewall_rule_srcmac")).optional = true
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_rule_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 sport:depends("proto", "tcpudp")
-dport = s:option(Value, "dest_port")
+dport = s:option(Value, "dest_port", translate("firewall_rule_destport"))
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
-jump = s:option(ListValue, "target")
+jump = s:option(ListValue, "target", translate("firewall_rule_target"))
 jump.rmempty = true
 jump.default = "ACCEPT"
 jump:value("DROP", translate("fw_drop"))
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua
index 38f95136d0..38f95136d0 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua
|
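Review bot: `jump.default = "ACCEPT"` pre-selects the permissive action for every rule opened in this editor, and the list in traffic.lua creates the `rule` section empty before redirecting here, so a rule saved as-is accepts whatever the other fields leave unconstrained, and one never saved sits in UCI with no `target` at all; how the firewall script treats a missing target is not visible in this diff and should be checked. For a firewall rule editor the restrictive choice is the safer default, `jump.default = "DROP"`, with `jump.rmempty = false` if the target should always be written out explicitly. The `src_ip`, `dest_ip`, `src_mac` and port fields are free-text `Value`s with no validator; a pattern check (digits or `first-last` for ports, dotted-quad or CIDR for addresses) before the strings reach UCI would be worthwhile if this CBI version offers a per-option `validate` hook.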