From e7291874449a30d74e1a1b656747f30ae3195b6a Mon Sep 17 00:00:00 2001
From: Steven Barth
Date: Fri, 3 Oct 2008 16:23:43 +0000
Subject: [PATCH] Redesigned firewall configuration
---
.../luasrc/controller/luci_fw/luci_fw.lua | 13 +--
.../luci-fw/luasrc/i18n/luci-fw.de.lua | 13 ++-
.../luci-fw/luasrc/i18n/luci-fw.de.xml | 14 +++-
.../luci-fw/luasrc/i18n/luci-fw.en.lua | 13 ++-
.../luci-fw/luasrc/i18n/luci-fw.en.xml | 13 ++-
.../cbi/luci_fw/{portfw.lua => redirect.lua} | 3 +-
.../luasrc/model/cbi/luci_fw/routing.lua | 30 -------
.../cbi/luci_fw/{customfwd.lua => rrule.lua} | 19 ++---
.../luasrc/model/cbi/luci_fw/traffic.lua | 80 +++++++++++++++++++
.../cbi/luci_fw/{firewall.lua => trule.lua} | 25 +++---
.../cbi/luci_fw/{general.lua => zones.lua} | 0
11 files changed, 155 insertions(+), 68 deletions(-)
rename applications/luci-fw/luasrc/model/cbi/luci_fw/{portfw.lua => redirect.lua} (87%)
delete mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
rename applications/luci-fw/luasrc/model/cbi/luci_fw/{customfwd.lua => rrule.lua} (66%)
create mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua
rename applications/luci-fw/luasrc/model/cbi/luci_fw/{firewall.lua => trule.lua} (58%)
rename applications/luci-fw/luasrc/model/cbi/luci_fw/{general.lua => zones.lua} (100%)
diff --git a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
index 18b6f87f65..4d8c13840e 100644
--- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
+++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
@@ -7,11 +7,14 @@ function index()
 local nodes = {}
 table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
- table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
- table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))
- table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
- table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))
- table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))
+ table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/zones"), i18n("fw_zones"), 10))
+ table.insert(nodes, entry({"admin", "network", "firewall", "redirection"}, cbi("luci_fw/redirect"), i18n("fw_redirect"), 30))
+ table.insert(nodes, entry({"admin", "network", "firewall", "traffic"}, cbi("luci_fw/traffic"), i18n("fw_traffic"), 20))
+
+ table.insert(nodes, entry({"admin", "network", "firewall", "rule"}, cbi("luci_fw/trule")))
+ nodes[#nodes].leaf = true
+ table.insert(nodes, entry({"admin", "network", "firewall", "redirect"}, cbi("luci_fw/rrule")))
+ nodes[#nodes].leaf = true
 table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
index df071a05e6..0261d73f0d 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
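Review bot: The two new leaf entries for `rule` and `redirect` are registered with neither a title nor an order, which keeps them out of the menu but leaves them reachable as ordinary admin pages, and nothing in the hunk says why; a reader will take them for half-finished menu items. A short comment above them, e.g. `-- hidden per-section editors reached via extedit from the traffic/redirection tables; the trailing path segment is handed to the model as arg[1]`, would make the intent and the coupling to trule.lua/rrule.lua explicit (the arg[1] hand-off is presumably what the `leaf` flag is for, but that is inferred from the other models in this commit, not from this file). The function `index` continues past the hunk.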
@@ -1,12 +1,17 @@
 fw_portfw = 'Portweiterleitung'
-fw_forwarding = 'Zone-zu-Zone Weiterleitung'
+fw_redirect = 'Umleitungen'
+fw_redirect_desc = 'Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.'
+fw_forwarding = 'Zone-zu-Zone Verkehr'
 fw_fw = 'Firewall'
 fw_zone = 'Zone'
 fw_zones = 'Zonen'
 fw_custfwd = 'Erweiterte Weiterleitung'
-fw_rules = 'Regeln für eingehenden Verkehr'
-fw_rules1 = 'An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.'
+firewall_rule = 'Erweiterte Regeln'
+firewall_rule_desc = 'Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.'
 fw_fw1 = 'Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.'
+fw_src = 'Quelle'
+fw_dest = 'Ziel'
+fw_traffic = 'Verkehrskontrolle'
 firewall_rule_src = 'Eingangszone'
 firewall_rule_dest = 'Ausgangszone'
 firewall_rule_srcip = 'Quelladresse'
@@ -26,6 +31,8 @@ firewall_redirect_destip = 'Interne Adresse'
 firewall_redirect_destip_desc = 'IP-Adresse'
 firewall_redirect_destport = 'Interner Port (optional)'
 firewall_redirect_destport_desc = 'Port od. Erster-Letzter Port'
+firewall_redirect_srcip = 'Quelladresse'
+firewall_redirect_srcmac = 'Quell-MAC-Adresse'
 fw_forwarding1 = 'An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.'
 firewall_forwarding_src = 'Eingang'
 firewall_forwarding_dest = 'Ausgang'
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml
index 6bf355015e..3825bb4ae9 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.xml
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.xml
@@ -3,14 +3,19 @@ Portweiterleitung
-Zone-zu-Zone Weiterleitung
+Umleitungen
+Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.
+Zone-zu-Zone Verkehr
 Firewall Zone Zonen Erweiterte Weiterleitung
-Regeln für eingehenden Verkehr
-An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.
+Erweiterte Regeln
+Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.
 Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.
+Quelle
+Ziel
+Verkehrskontrolle
 Eingangszone Ausgangszone Quelladresse
@@ -31,6 +36,9 @@ IP-Adresse Interner Port (optional) Port od. Erster-Letzter Port
+Quelladresse
+Quell-MAC-Adresse
+
 An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert. Eingang
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
index 74da02f63e..800eee4d60 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
@@ -1,12 +1,14 @@
 fw_portfw = 'Port forwarding'
-fw_forwarding = 'Zone-to-Zone forwarding'
+fw_redirect = 'Traffic Redirection'
+fw_redirect_desc = 'Traffic redirection allows you to change the destination address of forwarded packets.'
+fw_forwarding = 'Zone-to-Zone traffic'
 fw_fw = 'Firewall'
 fw_zone = 'Zone'
 fw_zones = 'Zones'
 fw_custfwd = 'Custom forwarding'
-fw_rules = 'Incoming traffic rules'
-fw_rules1 = 'Here you can create custom firewall rules to control your network traffic.'
 fw_fw1 = 'The firewall creates zones over your network interfaces to control network traffic flow.'
+firewall_rule = 'Advanced Rules'
+firewall_rule_desc = 'Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.'
 firewall_rule_src = 'Input Zone'
 firewall_rule_dest = 'Output Zone'
 firewall_rule_srcip = 'Source address'
@@ -18,10 +20,15 @@ firewall_rule_target = 'Action'
 fw_accept = 'accept'
 fw_reject = 'reject'
 fw_drop = 'drop'
+fw_src = 'Source'
+fw_dest = 'Destination'
+fw_traffic = 'Traffic Control'
 fw_portfw1 = 'Port forwarding allows to provide network services in the internal network to an external network.'
 firewall_redirect_src_desc = 'External Zone'
 firewall_redirect_srcdport = 'External port'
 firewall_redirect_srcdport_desc = 'port or range as first-last'
+firewall_redirect_srcip = 'Source address'
+firewall_redirect_srcmac = 'Source MAC'
 firewall_redirect_destip = 'Internal address'
 firewall_redirect_destip_desc = 'IP-Address'
 firewall_redirect_destport = 'Internal port (optional)'
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml
index 1ad9acb8c8..1da35bc239 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.en.xml
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.xml
@@ -3,14 +3,16 @@ Port forwarding
-Zone-to-Zone forwarding
+Traffic Redirection
+Traffic redirection allows you to change the destination address of forwarded packets.
+Zone-to-Zone traffic
 Firewall Zone Zones Custom forwarding
-Incoming traffic rules
-Here you can create custom firewall rules to control your network traffic.
 The firewall creates zones over your network interfaces to control network traffic flow.
+Advanced Rules
+Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.
 Input Zone Output Zone Source address
@@ -22,11 +24,16 @@ accept reject drop
+Source
+Destination
+Traffic Control
 Port forwarding allows to provide network services in the internal network to an external network. External Zone External port port or range as first-last
+Source address
+Source MAC
 Internal address IP-Address Internal port (optional)
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua
similarity index 87%
rename from applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
rename to applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua
index 9afd4f3e5a..3aa1066f52 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua
@@ -12,13 +12,14 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
 s = m:section(TypedSection, "redirect", "")
 s.template = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "redirect", "%s")
 name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
 name.size = 10
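Review bot: The new `s.extedit` line calls `luci.dispatcher.build_url`, but the only dependency this model declares is `require("luci.sys")` two lines above; this presumably works because the dispatcher has already loaded `luci.dispatcher` by the time a CBI model is executed, but the dependency is invisible to anyone loading or testing the model outside that path. Adding `require("luci.dispatcher")` next to the existing require states what the file actually uses. The same gap is larger in the new traffic.lua, which calls `luci.model.uci`, `luci.dispatcher` and `luci.http` with no require at all.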
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
deleted file mode 100644
index f8689a05c5..0000000000
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
+++ /dev/null
@@ -1,30 +0,0 @@
---[[
-LuCI - Lua Configuration Interface
-
-Copyright 2008 Steven Barth
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-$Id$
-]]--
-m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-
-s = m:section(TypedSection, "forwarding", "")
-s.template = "cbi/tblsection"
-s.addremove = true
-s.anonymous = true
-
-iface = s:option(ListValue, "src")
-oface = s:option(ListValue, "dest")
-
-luci.model.uci.cursor():foreach("firewall", "zone",
- function (section)
- iface:value(section.name)
- oface:value(section.name)
- end)
-
-return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua
similarity index 66%
rename from applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
rename to applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua
index b883c47501..7958676163 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua
@@ -12,11 +12,12 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
-s = m:section(TypedSection, "redirect", "")
-s.addremove = true
+
+s = m:section(NamedSection, arg[1], "redirect", "")
 s.anonymous = true
 name = s:option(Value, "_name", translate("name"))
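Review bot: `arg[1]` is taken straight from the URL path (`arg[1] = arg[1] or ""`) and used as the `NamedSection` name without any check that a section of that name, and of type `redirect`, exists in the firewall config, so an empty or arbitrary path segment reaches the form unvalidated; whether `NamedSection` itself refuses a missing or mistyped section is not visible in this hunk. Verifying `m.uci:get("firewall", arg[1]) == "redirect"` before the section is built, and answering with a 404 via `luci.http.status` otherwise, closes that gap and turns a stale `extedit` link into a clear error instead of an empty editor. `s.anonymous = true` is carried over from the TypedSection version; whether it has any effect on a NamedSection is worth confirming. The same `arg[1]`/`NamedSection` pattern appears in trule.lua later in this commit.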
@@ -30,10 +31,10 @@ luci.model.uci.cursor():foreach("firewall", "zone",
 iface:value(section.name)
 end)
-s:option(Value, "src_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_redirect_srcip")).optional = true
+s:option(Value, "src_mac", translate("firewall_redirect_srcmac")).optional = true
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_redirect_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
@@ -46,19 +47,19 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcpudp", "TCP+UDP")
-dport = s:option(Value, "src_dport")
+dport = s:option(Value, "src_dport", translate("firewall_redirect_srcdport"))
 dport.size = 5
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
-to = s:option(Value, "dest_ip")
+to = s:option(Value, "dest_ip", translate("firewall_redirect_destip"))
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 to:value(dataset["IP address"])
 end
-toport = s:option(Value, "dest_port")
+toport = s:option(Value, "dest_port", translate("firewall_redirect_destport"))
 toport.optional = true
 toport.size = 5
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua
new file mode 100644
index 0000000000..660f9706ac
--- /dev/null
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua
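Review bot: `sport` is now labelled with `translate("firewall_redirect_srcport")`, but none of the i18n hunks in this commit add a `firewall_redirect_srcport` key — only `firewall_redirect_srcip` and `firewall_redirect_srcmac` are added to the .lua and .xml catalogues — so unless the key already exists outside the shown context the field will be labelled with the raw key. Either add the key to luci-fw.en.* and luci-fw.de.* or reuse an existing label. The other labels in these two hunks (`firewall_redirect_srcdport`, `_destip`, `_destport`) are visible as existing keys in the en.lua context, so they are fine.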
@@ -0,0 +1,80 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth
+Copyright 2008 Jo-Philipp Wich
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+m = Map("firewall", translate("fw_traffic"))
+s = m:section(TypedSection, "forwarding", translate("fw_forwarding"), translate("fw_forwarding1"))
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+iface = s:option(ListValue, "src", translate("fw_src"))
+oface = s:option(ListValue, "dest", translate("fw_dest"))
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ oface:value(section.name)
+ end)
+
+
+
+s = m:section(TypedSection, "rule")
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "rule", "%s")
+
+local created = nil
+
+function s.create(self, section)
+ created = TypedSection.create(self, section)
+end
+
+function s.parse(self, ...)
+ TypedSection.parse(self, ...)
+ if created then
+ m.uci:save("firewall")
+ luci.http.redirect(luci.dispatcher.build_url(
+ "admin", "network", "firewall", "rule", created
+ ))
+ end
+end
+
+s:option(DummyValue, "_name", translate("name"))
+s:option(DummyValue, "proto", translate("protocol"))
+
+src = s:option(DummyValue, "src", translate("fw_src"))
+function src.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "src") or "*",
+ self.map:get(s, "src_ip") or "0.0.0.0/0",
+ self.map:get(s, "src_port") or "*"
+ }
+end
+
+dest = s:option(DummyValue, "dest", translate("fw_dest"))
+function dest.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "dest") or "*",
+ self.map:get(s, "dest_ip") or "0.0.0.0/0",
+ self.map:get(s, "dest_port") or "*"
+ }
+end
+
+
+s:option(DummyValue, "target")
+
+
+return m
\ No newline at end of file
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
similarity index 58%
rename from applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
rename to applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
index 0d9af93fc6..3712196ff8 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua
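Review bot: The `s.create` override discards the return value of `TypedSection.create` — it stores the new section name in the upvalue `created` and returns nothing — so any caller that relies on `s:create(...)` returning the section name now gets nil; `function s.create(self, section) created = TypedSection.create(self, section) return created end` keeps the base contract while still capturing the name for the redirect. In `s.parse` the redirect to the rule editor happens right after `m.uci:save("firewall")`, i.e. before the Map finishes its own save/commit handling; presumably that is intended so the rule can be edited before it is applied, but a one-line comment saying so would stop the next reader from "fixing" it. As a style point, `src.cfgvalue(self, s)` and `dest.cfgvalue(self, s)` name their section-id parameter `s`, shadowing the section object `s` defined above — `section` would read less ambiguously. The file also lacks a trailing newline.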
@@ -11,16 +11,19 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("firewall_rule"), translate("firewall_rule_desc"))
-s = m:section(TypedSection, "rule", "")
-s.addremove = true
+s = m:section(NamedSection, arg[1], "rule", "")
 s.anonymous = true
-iface = s:option(ListValue, "src")
+name = s:option(Value, "_name", translate("name")..translate("cbi_optional"))
+name.rmempty = true
+
+iface = s:option(ListValue, "src", translate("firewall_rule_src"))
 iface.rmempty = true
-oface = s:option(ListValue, "dest")
+oface = s:option(ListValue, "dest", translate("firewall_rule_dest"))
 oface:value("")
 oface.optional = true
@@ -38,23 +41,23 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("icmp", "ICMP")
-s:option(Value, "src_ip").optional = true
-s:option(Value, "dest_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_rule_srcip")).optional = true
+s:option(Value, "dest_ip", translate("firewall_rule_destip")).optional = true
+s:option(Value, "src_mac", translate("firewall_rule_srcmac")).optional = true
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_rule_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 sport:depends("proto", "tcpudp")
-dport = s:option(Value, "dest_port")
+dport = s:option(Value, "dest_port", translate("firewall_rule_destport"))
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
-jump = s:option(ListValue, "target")
+jump = s:option(ListValue, "target", translate("firewall_rule_target"))
 jump.rmempty = true
 jump.default = "ACCEPT"
 jump:value("DROP", translate("fw_drop"))
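Review bot: The `_name` option label is built as `translate("name")..translate("cbi_optional")`, fusing two catalogue strings with no separator into one label whose exact text depends on the catalogue, whereas redirect.lua in this same commit passes `translate("cbi_optional")` as the option description; `name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))` keeps the two editors consistent and leaves the wording to the catalogue. The `arg[1]`/`NamedSection` concern raised on rrule.lua applies unchanged to `s = m:section(NamedSection, arg[1], "rule", "")` here: nothing in the hunk confirms that the URL-supplied section name exists and is of type `rule` before the form is built.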
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua
similarity index 100%
rename from applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
rename to applications/luci-fw/luasrc/model/cbi/luci_fw/zones.lua
--
2.30.2