From 1e10c4ae4a6a43ca0a2ea07c2b4cf95fce66cc7d Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Fri, 3 Oct 2008 16:04:09 +0000 Subject: [PATCH] Redesigned firewall configuration --- .../luci-fw/luasrc/controller/luci_fw/luci_fw.lua | 13 ++-- applications/luci-fw/luasrc/i18n/luci-fw.de.lua | 13 +++- applications/luci-fw/luasrc/i18n/luci-fw.de.xml | 14 +++- applications/luci-fw/luasrc/i18n/luci-fw.en.lua | 13 +++- applications/luci-fw/luasrc/i18n/luci-fw.en.xml | 13 +++- .../model/cbi/luci_fw/{portfw.lua => redirect.lua} | 3 +- .../luci-fw/luasrc/model/cbi/luci_fw/routing.lua | 30 -------- .../model/cbi/luci_fw/{customfwd.lua => rrule.lua} | 19 ++--- .../luci-fw/luasrc/model/cbi/luci_fw/traffic.lua | 80 ++++++++++++++++++++++ .../model/cbi/luci_fw/{firewall.lua => trule.lua} | 25 ++++--- .../model/cbi/luci_fw/{general.lua => zones.lua} | 0 11 files changed, 155 insertions(+), 68 deletions(-) rename applications/luci-fw/luasrc/model/cbi/luci_fw/{portfw.lua => redirect.lua} (87%) delete mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua rename applications/luci-fw/luasrc/model/cbi/luci_fw/{customfwd.lua => rrule.lua} (66%) create mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua rename applications/luci-fw/luasrc/model/cbi/luci_fw/{firewall.lua => trule.lua} (58%) rename applications/luci-fw/luasrc/model/cbi/luci_fw/{general.lua => zones.lua} (100%) diff --git a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua index 18b6f87f6..4d8c13840 100644 --- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua +++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua 
@@ -7,11 +7,14 @@ function index() local nodes = {} table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60)) - table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10)) - table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20)) - table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30)) - table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40)) - table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50)) + table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/zones"), i18n("fw_zones"), 10)) + table.insert(nodes, entry({"admin", "network", "firewall", "redirection"}, cbi("luci_fw/redirect"), i18n("fw_redirect"), 30)) + table.insert(nodes, entry({"admin", "network", "firewall", "traffic"}, cbi("luci_fw/traffic"), i18n("fw_traffic"), 20)) + + table.insert(nodes, entry({"admin", "network", "firewall", "rule"}, cbi("luci_fw/trule"))) + nodes[#nodes].leaf = true + table.insert(nodes, entry({"admin", "network", "firewall", "redirect"}, cbi("luci_fw/rrule"))) + nodes[#nodes].leaf = true table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70)) diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua index df071a05e..0261d73f0 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua +++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua 
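Review bot: The two new `leaf` entries for `rule` and `redirect` are registered without a title or order, and nothing records that they exist only as the targets of the `extedit` links in traffic.lua and redirect.lua, with the trailing path segment handed to the model as `arg[1]`; a comment above them such as `-- hidden leaf nodes: the rest of the path is the UCI section id edited by trule.lua / rrule.lua` would make that intent explicit. Note also that `redirection` is given order 30 but inserted before `traffic` with order 20, which is harmless if the dispatcher sorts by order but reads like a transposed pair. The body of `index()` continues outside the hunk.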
@@ -1,12 +1,17 @@ fw_portfw = 'Portweiterleitung' -fw_forwarding = 'Zone-zu-Zone Weiterleitung' +fw_redirect = 'Umleitungen' +fw_redirect_desc = 'Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.' +fw_forwarding = 'Zone-zu-Zone Verkehr' fw_fw = 'Firewall' fw_zone = 'Zone' fw_zones = 'Zonen' fw_custfwd = 'Erweiterte Weiterleitung' -fw_rules = 'Regeln für eingehenden Verkehr' -fw_rules1 = 'An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.' +firewall_rule = 'Erweiterte Regeln' +firewall_rule_desc = 'Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.' fw_fw1 = 'Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.' +fw_src = 'Quelle' +fw_dest = 'Ziel' +fw_traffic = 'Verkehrskontrolle' firewall_rule_src = 'Eingangszone' firewall_rule_dest = 'Ausgangszone' firewall_rule_srcip = 'Quelladresse' @@ -26,6 +31,8 @@ firewall_redirect_destip = 'Interne Adresse' firewall_redirect_destip_desc = 'IP-Adresse' firewall_redirect_destport = 'Interner Port (optional)' firewall_redirect_destport_desc = 'Port od. Erster-Letzter Port' +firewall_redirect_srcip = 'Quelladresse' +firewall_redirect_srcmac = 'Quell-MAC-Adresse' fw_forwarding1 = 'An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.' firewall_forwarding_src = 'Eingang' firewall_forwarding_dest = 'Ausgang' diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml index 6bf355015..3825bb4ae 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml +++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml 
@@ -3,14 +3,19 @@ Portweiterleitung -Zone-zu-Zone Weiterleitung +Umleitungen +Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern. +Zone-zu-Zone Verkehr Firewall Zone Zonen Erweiterte Weiterleitung -Regeln für eingehenden Verkehr -An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren. +Erweiterte Regeln +Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert. Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen. +Quelle +Ziel +Verkehrskontrolle Eingangszone Ausgangszone Quelladresse @@ -31,6 +36,9 @@ IP-Adresse Interner Port (optional) Port od. Erster-Letzter Port +Quelladresse +Quell-MAC-Adresse + An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert. Eingang diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua index 74da02f63..800eee4d6 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua +++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua 
@@ -1,12 +1,14 @@ fw_portfw = 'Port forwarding' -fw_forwarding = 'Zone-to-Zone forwarding' +fw_redirect = 'Traffic Redirection' +fw_redirect_desc = 'Traffic redirection allows you to change the destination address of forwarded packets.' +fw_forwarding = 'Zone-to-Zone traffic' fw_fw = 'Firewall' fw_zone = 'Zone' fw_zones = 'Zones' fw_custfwd = 'Custom forwarding' -fw_rules = 'Incoming traffic rules' -fw_rules1 = 'Here you can create custom firewall rules to control your network traffic.' fw_fw1 = 'The firewall creates zones over your network interfaces to control network traffic flow.' +firewall_rule = 'Advanced Rules' +firewall_rule_desc = 'Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.' firewall_rule_src = 'Input Zone' firewall_rule_dest = 'Output Zone' firewall_rule_srcip = 'Source address' @@ -18,10 +20,15 @@ firewall_rule_target = 'Action' fw_accept = 'accept' fw_reject = 'reject' fw_drop = 'drop' +fw_src = 'Source' +fw_dest = 'Destination' +fw_traffic = 'Traffic Control' fw_portfw1 = 'Port forwarding allows to provide network services in the internal network to an external network.' firewall_redirect_src_desc = 'External Zone' firewall_redirect_srcdport = 'External port' firewall_redirect_srcdport_desc = 'port or range as first-last' +firewall_redirect_srcip = 'Source address' +firewall_redirect_srcmac = 'Source MAC' firewall_redirect_destip = 'Internal address' firewall_redirect_destip_desc = 'IP-Address' firewall_redirect_destport = 'Internal port (optional)' diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml index 1ad9acb8c..1da35bc23 100644 --- a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml +++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml 
@@ -3,14 +3,16 @@ Port forwarding -Zone-to-Zone forwarding +Traffic Redirection +Traffic redirection allows you to change the destination address of forwarded packets. +Zone-to-Zone traffic Firewall Zone Zones Custom forwarding -Incoming traffic rules -Here you can create custom firewall rules to control your network traffic. The firewall creates zones over your network interfaces to control network traffic flow. +Advanced Rules +Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall. Input Zone Output Zone Source address @@ -22,11 +24,16 @@ accept reject drop +Source +Destination +Traffic Control Port forwarding allows to provide network services in the internal network to an external network. External Zone External port port or range as first-last +Source address +Source MAC Internal address IP-Address Internal port (optional) diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua similarity index 87% rename from applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua rename to applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua index 9afd4f3e5..3aa1066f5 100644 --- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua +++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua @@ -12,13 +12,14 @@ You may obtain a copy of the License at $Id$ ]]-- require("luci.sys") -m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1")) +m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc")) s = m:section(TypedSection, "redirect", "") s.template = "cbi/tblsection" s.addremove = true s.anonymous = true +s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "redirect", "%s") name = s:option(Value, "_name", translate("name"), translate("cbi_optional")) name.size = 10 
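Review bot: `s.extedit = luci.dispatcher.build_url(...)` in the redirect.lua hunk uses `luci.dispatcher` although the file only does `require("luci.sys")`; presumably the dispatcher is already loaded by the time a CBI model runs, but an explicit `require("luci.dispatcher")` next to the existing require would state the dependency instead of relying on load order. The same applies to the new traffic.lua further down, which calls `luci.model.uci`, `luci.dispatcher` and `luci.http` without any require at all. The model continues past the end of the hunk.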
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua deleted file mode 100644 index f8689a05c..000000000 --- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua +++ /dev/null @@ -1,30 +0,0 @@ ---[[ -LuCI - Lua Configuration Interface - -Copyright 2008 Steven Barth - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -$Id$ -]]-- -m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1")) - -s = m:section(TypedSection, "forwarding", "") -s.template = "cbi/tblsection" -s.addremove = true -s.anonymous = true - -iface = s:option(ListValue, "src") -oface = s:option(ListValue, "dest") - -luci.model.uci.cursor():foreach("firewall", "zone", - function (section) - iface:value(section.name) - oface:value(section.name) - end) - -return m diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua similarity index 66% rename from applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua rename to applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua index b883c4750..795867616 100644 --- a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua +++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua @@ -12,11 +12,12 @@ You may obtain a copy of the License at $Id$ ]]-- require("luci.sys") -m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1")) +arg[1] = arg[1] or "" +m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc")) -s = m:section(TypedSection, "redirect", "") -s.addremove = true + +s = m:section(NamedSection, arg[1], "redirect", "") s.anonymous = true name = s:option(Value, "_name", translate("name")) 
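Review bot: `arg[1] = arg[1] or ""` followed by `m:section(NamedSection, arg[1], "redirect", "")` binds the form to whatever the trailing URL segment was, with an empty string when there is none; nothing in the hunk checks that it names an existing `redirect` section or even that it is a legal UCI section name, so a malformed id silently yields a form bound to a section that cannot exist. Restricting the id to UCI's identifier charset before it reaches the cursor would fail closed, e.g. `arg[1] = assert((arg[1] or ""):match("^[%w_]*$"), "invalid section id")`. The same construct appears in the trule.lua hunk further down. Whether NamedSection itself rejects an empty id cannot be seen from here.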
@@ -30,10 +31,10 @@ luci.model.uci.cursor():foreach("firewall", "zone", iface:value(section.name) end) -s:option(Value, "src_ip").optional = true -s:option(Value, "src_mac").optional = true +s:option(Value, "src_ip", translate("firewall_redirect_srcip")).optional = true +s:option(Value, "src_mac", translate("firewall_redirect_srcmac")).optional = true -sport = s:option(Value, "src_port") +sport = s:option(Value, "src_port", translate("firewall_redirect_srcport")) sport.optional = true sport:depends("proto", "tcp") sport:depends("proto", "udp") @@ -46,19 +47,19 @@ proto:value("tcp", "TCP") proto:value("udp", "UDP") proto:value("tcpudp", "TCP+UDP") -dport = s:option(Value, "src_dport") +dport = s:option(Value, "src_dport", translate("firewall_redirect_srcdport")) dport.size = 5 dport.optional = true dport:depends("proto", "tcp") dport:depends("proto", "udp") dport:depends("proto", "tcpudp") -to = s:option(Value, "dest_ip") +to = s:option(Value, "dest_ip", translate("firewall_redirect_destip")) for i, dataset in ipairs(luci.sys.net.arptable()) do to:value(dataset["IP address"]) end -toport = s:option(Value, "dest_port") +toport = s:option(Value, "dest_port", translate("firewall_redirect_destport")) toport.optional = true toport.size = 5 diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua new file mode 100644 index 000000000..660f9706a --- /dev/null +++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua 
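Review bot: `translate("firewall_redirect_srcport")` on the `src_port` option refers to a key this commit does not add: the i18n hunks add `firewall_redirect_srcip` and `firewall_redirect_srcmac` but no `firewall_redirect_srcport`, so unless it already exists above the visible i18n context the label will fall back to the raw key in both languages. Either add the key to luci-fw.en.lua/.de.lua (and the matching .xml files) or reuse an existing label. The other labels introduced in this hunk (`firewall_redirect_srcdport`, `firewall_redirect_destip`, `firewall_redirect_destport`) are visible in the en.lua context, so they resolve.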
@@ -0,0 +1,80 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth
+Copyright 2008 Jo-Philipp Wich
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+m = Map("firewall", translate("fw_traffic"))
+s = m:section(TypedSection, "forwarding", translate("fw_forwarding"), translate("fw_forwarding1"))
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+iface = s:option(ListValue, "src", translate("fw_src"))
+oface = s:option(ListValue, "dest", translate("fw_dest"))
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ oface:value(section.name)
+ end)
+
+
+
+s = m:section(TypedSection, "rule")
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "rule", "%s")
+
+local created = nil
+
+function s.create(self, section)
+ created = TypedSection.create(self, section)
+end
+
+function s.parse(self, ...)
+ TypedSection.parse(self, ...)
+ if created then
+ m.uci:save("firewall")
+ luci.http.redirect(luci.dispatcher.build_url(
+ "admin", "network", "firewall", "rule", created
+ ))
+ end
+end
+
+s:option(DummyValue, "_name", translate("name"))
+s:option(DummyValue, "proto", translate("protocol"))
+
+src = s:option(DummyValue, "src", translate("fw_src"))
+function src.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "src") or "*",
+ self.map:get(s, "src_ip") or "0.0.0.0/0",
+ self.map:get(s, "src_port") or "*"
+ }
+end
+
+dest = s:option(DummyValue, "dest", translate("fw_dest"))
+function dest.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "dest") or "*",
+ self.map:get(s, "dest_ip") or "0.0.0.0/0",
+ self.map:get(s, "dest_port") or "*"
+ }
+end
+
+
+s:option(DummyValue, "target")
+
+
+return m
\ No newline at end of file
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
similarity index 58%
rename from applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
rename to applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
index 0d9af93fc..3712196ff 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
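Review bot: The `s.create` override stores the result of `TypedSection.create` in `created` but returns nothing, so the section id the base implementation hands back is lost to any caller that uses it; whether `TypedSection.parse` relies on that return value cannot be seen here, but forwarding it is cheap: `created = TypedSection.create(self, section)` / `return created`. In `src.cfgvalue` and `dest.cfgvalue` the second parameter is named `s`, shadowing the module-level section `s` these options are attached to; `function src.cfgvalue(self, section)` (and the same for `dest`) avoids the trap. The file is also added without a trailing newline.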
@@ -11,16 +11,19 @@ You may obtain a copy of the License at $Id$ ]]-- -m = Map("firewall", translate("fw_rules"), translate("fw_rules1")) +arg[1] = arg[1] or "" +m = Map("firewall", translate("firewall_rule"), translate("firewall_rule_desc")) -s = m:section(TypedSection, "rule", "") -s.addremove = true +s = m:section(NamedSection, arg[1], "rule", "") s.anonymous = true -iface = s:option(ListValue, "src") +name = s:option(Value, "_name", translate("name")..translate("cbi_optional")) +name.rmempty = true + +iface = s:option(ListValue, "src", translate("firewall_rule_src")) iface.rmempty = true -oface = s:option(ListValue, "dest") +oface = s:option(ListValue, "dest", translate("firewall_rule_dest")) oface:value("") oface.optional = true @@ -38,23 +41,23 @@ proto:value("tcp", "TCP") proto:value("udp", "UDP") proto:value("icmp", "ICMP") -s:option(Value, "src_ip").optional = true -s:option(Value, "dest_ip").optional = true -s:option(Value, "src_mac").optional = true +s:option(Value, "src_ip", translate("firewall_rule_srcip")).optional = true +s:option(Value, "dest_ip", translate("firewall_rule_destip")).optional = true +s:option(Value, "src_mac", translate("firewall_rule_srcmac")).optional = true -sport = s:option(Value, "src_port") +sport = s:option(Value, "src_port", translate("firewall_rule_srcport")) sport.optional = true sport:depends("proto", "tcp") sport:depends("proto", "udp") sport:depends("proto", "tcpudp") -dport = s:option(Value, "dest_port") +dport = s:option(Value, "dest_port", translate("firewall_rule_destport")) dport.optional = true dport:depends("proto", "tcp") dport:depends("proto", "udp") dport:depends("proto", "tcpudp") -jump = s:option(ListValue, "target") +jump = s:option(ListValue, "target", translate("firewall_rule_target")) jump.rmempty = true jump.default = "ACCEPT" jump:value("DROP", translate("fw_drop")) 
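Review bot: `translate("name")..translate("cbi_optional")` joins the label and the optional marker with no separator, whereas redirect.lua in this same commit passes `translate("cbi_optional")` as the option description; `name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))` keeps the two models consistent. `arg[1] = arg[1] or ""` feeding `NamedSection` here has the same unvalidated-section-id concern as in rrule.lua. In the second hunk the port options carry `depends("proto", "tcpudp")`, but the visible `proto:value` list only shows `tcp`, `udp` and `icmp`; if no `tcpudp` value is defined above the hunk, those dependencies can never be satisfied.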
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua similarity index 100% rename from applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua rename to applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua -- 2.11.0