 
 From:  Jim McBeath <jimmc at macrovision dot com>
 To:  Bart Smit <bit at signature dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] mods to firewall rule code
 Date:  Fri, 31 Oct 2003 18:00:26 -0800
On Sat, Nov 01, 2003 at 01:34:47AM +0100, Bart Smit wrote:
> On Fri, 31 Oct 2003, Jim McBeath wrote:
> 
> > * sequence (to order the rules within an interface group)
> > * type (block or pass)
> > * disabled (to disable a rule without removing it)
> 
> Yay! Hear, hear! Nice!
> 
> > 1. Are you interested in these changes?
> 
> I want to have a look anyway, even if they're not going into the official
> m0n0wall. This sounds pretty much like a remedy for bits I was missing
> too.

OK, one customer is enough for me to distribute the changes.

> > 2. If so, how should I submit them?
> 
> Well, could you post to the list?
> 
> > 3. I have just started using m0n0 and these changes; how much/how long
> >    should I test them before submitting them?
> 
> I'll gladly report any findings.

Thanks.

> regards,
> 
> --Bart

Below are the changes in diff -u format.  The mfsroot.orig directory
in the patch is the original mfsroot directory as extracted from the
net45xx-pb18r522 download.

--
Jim McBeath
http://www.alumni.caltech.edu/~jimmc


diff -aur mfsroot.orig/etc/inc/filter.inc mfsroot/etc/inc/filter.inc
--- mfsroot.orig/etc/inc/filter.inc	Sat Oct 11 13:46:37 2003
+++ mfsroot/etc/inc/filter.inc	Thu Oct 30 15:26:05 2003
@@ -472,6 +472,10 @@
 	
 	if (isset($config['filter']['rule']))
 		foreach ($config['filter']['rule'] as $rule) {
+
+		/* don't include disabled rules */
+		if (isset($rule['disabled']))
+			continue;
 		
 		/* does the rule deal with a PPTP interface? */
 		if ($rule['interface'] == "pptp") {
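Review bot: The new skip test `isset($rule['disabled'])` is true for a stored value of `false` as well as `true`, and the save path in firewall_rules_edit.php (hunk @@ -268) always assigns `$filterent['disabled'] = $_POST['disabled'] ? true : false;`, so correctness depends on `false` values never surviving the config round-trip. The existing `frags` flag follows the same pattern, so this presumably works today, but it is worth making the intent explicit rather than relying on the serializer: `if (!empty($rule['disabled'])) continue;` behaves the same whether the key is absent, `false` or `true`. The enclosing foreach body continues past the end of this hunk.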
@@ -519,7 +523,19 @@
 				}
 			}
 			
-			$line = "pass in quick ";
+			$type = strtolower($rule['type']);
+			if ($type!="pass" && $type!="block") {
+				/* default (for older rules) is pass */
+				$type = "pass";
+			}
+
+			$line = $type;
+			$line .= " in ";
+
+			if (isset($rule['log']))
+				$line .= "log ";
+
+			$line .= "quick ";
 			
 			if ($ispptp) {
 				$line .= "on ng" . ($iif+1) . " ";
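Review bot: `$type = strtolower($rule['type']);` reads the key unguarded, and the comment two lines later says older rules will not have it, so every pre-upgrade rule triggers an undefined-index notice before the default kicks in. A guarded read keeps the same result without the notice: `$type = isset($rule['type']) ? strtolower($rule['type']) : "pass";` with the pass/block check kept for unrecognised values. Note that any unrecognised value is silently turned into a pass rule here, which is the permissive direction; a short comment such as `/* unrecognised or missing type is treated as pass; firewall_rules_edit.php must only store pass|block */` would make that contract visible to whoever edits the form. The enclosing loop body starts and ends outside this hunk.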
@@ -625,7 +641,8 @@
 				}
 			}
 			
-			$line .= "keep state ";
+			if ($type!="block")
+				$line .= "keep state ";
 			
 			if (isset($rule['frags']))
 				$line .= "keep frags ";
diff -aur mfsroot.orig/usr/local/www/firewall_rules.php mfsroot/usr/local/www/firewall_rules.php
--- mfsroot.orig/usr/local/www/firewall_rules.php	Sat Oct 11 13:46:37 2003
+++ mfsroot/usr/local/www/firewall_rules.php	Fri Oct 31 09:05:15 2003
@@ -88,11 +88,11 @@
                 <?php if ($filterent['interface'] != $lastif): ?>
                 <?php if ($i): ?>
                 <tr>
-                  <td colspan="8" class="list" height="12"></td>
+                  <td colspan="10" class="list" height="12"></td>
 				</tr>
 				<?php endif; ?>
                 <tr>
-                  <td colspan="7" class="listtopic"><?php
+                  <td colspan="9" class="listtopic"><?php
 				  $iflabels = array('lan' => 'LAN interface', 'wan' => 'WAN interface', 'pptp' => 'PPTP
clients');
 				  for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++)
 				  	$iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr'] . " interface";
@@ -100,18 +100,26 @@
 				  <td class="list"></td>
 				</tr>
                 <tr>
-                  <td width="10%" class="listhdrr">Proto</td>
-                  <td width="15%" class="listhdrr">Source</td>
+                  <td width="3%" class="listhdrr">Seq</td>
+                  <td width="3%" class="listhdrr">Type</td>
+                  <td width="9%" class="listhdrr">Proto</td>
+                  <td width="14%" class="listhdrr">Source</td>
                   <td width="10%" class="listhdrr">Port</td>
-                  <td width="15%" class="listhdrr">Destination</td>
+                  <td width="14%" class="listhdrr">Destination</td>
                   <td width="10%" class="listhdrr">Port</td>
-                  <td width="5%" class="listhdrrns">Frag</td>
+                  <td width="3%" class="listhdrrns">Flags</td>
                   <td width="25%" class="listhdr">Description</td>
-                  <td width="10%" class="list"></td>
+                  <td width="9%" class="list"></td>
 				</tr>
 				<?php $lastif = $filterent['interface']; endif; ?>
                 <tr valign="top">
                   <td class="listlr"> 
+                    <?php if (isset($filterent['sequence']) && $filterent['sequence']!="") echo
$filterent['sequence']; else echo "0";?>
+                  </td>
+                  <td class="listr"> 
+                    <?php if (isset($filterent['type'])) echo strtoupper($filterent['type']); else
echo "PASS";?>
+                  </td>
+                  <td class="listr"> 
                     <?php if (isset($filterent['protocol'])) echo
strtoupper($filterent['protocol']); else echo "*"; ?>
                   </td>
                   <td class="listr">
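Review bot: The two new cells echo `$filterent['sequence']` and `strtoupper($filterent['type'])` straight into the page, while the neighbouring cells in this file wrap config values in `htmlspecialchars()` (for example the port cell later in the same row). Both values originate from `$_POST` in firewall_rules_edit.php and are stored as-is, so the list page should escape them the same way: `echo htmlspecialchars($filterent['sequence']);` and `echo htmlspecialchars(strtoupper($filterent['type']));`. The enclosing foreach over `$a_filter` starts and ends outside this hunk.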
@@ -127,7 +135,12 @@
                     <?php echo htmlspecialchars(pprint_port($filterent['destination']['port'])); ?>
                   </td>
                   <td class="listr"> 
-                    <?php if (isset($filterent['frags'])) echo "Y"; else echo "&nbsp;";?>
+                    <?php
+		      $t = false;
+		      if (isset($filterent['disabled'])) {echo "D";$t=true;}
+                      if (isset($filterent['frags'])) {echo "F"; $t=true;}
+                      if (isset($filterent['log'])) {echo "L"; $t=true;}
+		      if (!$t) echo "&nbsp;"; ?>
                   </td>
                   <td class="listbg"> 
                     <?=htmlspecialchars($filterent['descr']);?>&nbsp;
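Review bot: The flags cell mixes tab and space indentation across its five added lines and repeats the same `{echo "X"; $t=true;}` statement three times. Building the string once reads more clearly and needs no sentinel: `$flags = (isset($filterent['disabled']) ? "D" : "") . (isset($filterent['frags']) ? "F" : "") . (isset($filterent['log']) ? "L" : "");` followed by `echo ($flags == "") ? "&nbsp;" : $flags;`. Behaviour is unchanged, including the D/F/L order used by the legend row added in the hunk at @@ -137.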
@@ -137,7 +150,9 @@
 				</tr>
 			  <?php $i++; endforeach; ?>
                 <tr> 
-                  <td class="list" colspan="7"></td>
+                  <td class="list" colspan="9">
+		    Flags: D=Disabled, F=Fragments, L=Log
+		  </td>
                   <td class="list"> <a href="firewall_rules_edit.php"><img src="plus.gif"
width="17" height="17" border="0"></a></td>
 				</tr>
               </table>
diff -aur mfsroot.orig/usr/local/www/firewall_rules_edit.php
mfsroot/usr/local/www/firewall_rules_edit.php
--- mfsroot.orig/usr/local/www/firewall_rules_edit.php	Sat Oct 11 13:46:37 2003
+++ mfsroot/usr/local/www/firewall_rules_edit.php	Fri Oct 31 07:45:47 2003
@@ -104,6 +104,17 @@
 }
 
 if (isset($id) && $a_filter[$id]) {
+	/* When upgrading from a previous config, set seq=0 for all rules */
+	if (!isset($a_filter[$id]['sequence']) || $a_filter[$id]['sequence']=="")
+		$pconfig['sequence'] = "0";
+	else
+		$pconfig['sequence'] = $a_filter[$id]['sequence'];
+
+	if (!isset($a_filter[$id]['sequence']) || $a_filter[$id]['sequence']=="")
+		$pconfig['type'] = "pass";
+	else
+		$pconfig['type'] = $a_filter[$id]['type'];
+
 	$pconfig['interface'] = $a_filter[$id]['interface'];
 	
 	if (isset($a_filter[$id]['protocol']))
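Review bot: The second condition at `if (!isset($a_filter[$id]['sequence']) || $a_filter[$id]['sequence']=="")` tests `sequence` where it should test `type`, so a rule stored with an empty sequence (the save path accepts an empty field) is shown as PASS in the edit form even when its stored type is block, and re-saving it quietly converts a block rule into a pass rule. The line should read `if (!isset($a_filter[$id]['type']) || $a_filter[$id]['type']=="")`. While here, the fallback here is `"pass"` but the defaults branch in the next hunk sets `$pconfig['type'] = "PASS";`; the select compares case-insensitively so both work, but one spelling (the lower-case form that is stored in the config) would avoid confusion. The enclosing `if (isset($id) && $a_filter[$id])` block continues past the end of this hunk.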
@@ -119,13 +130,18 @@
 		$pconfig['dstmask'], $pconfig['dstnot'],
 		$pconfig['dstbeginport'], $pconfig['dstendport']);
 
+	$pconfig['disabled'] = isset($a_filter[$id]['disabled']);
 	$pconfig['frags'] = isset($a_filter[$id]['frags']);
+	$pconfig['log'] = isset($a_filter[$id]['log']);
 	$pconfig['descr'] = $a_filter[$id]['descr'];
 	
 } else {
 	/* defaults */
+	$pconfig['sequence'] = "0";
+	$pconfig['type'] = "PASS";
 	$pconfig['src'] = "any";
 	$pconfig['dst'] = "any";
+	$pconfig['disabled'] = false;
 }
 
 if ($_POST) {
@@ -185,8 +201,8 @@
 	$pconfig = $_POST;
 
 	/* input validation */
-	$reqdfields = explode(" ", "interface proto src dst");
-	$reqdfieldsn = explode(",", "Interface,Protocol,Source,Destination");
+	$reqdfields = explode(" ", "type interface proto src dst");
+	$reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination");
 	
 	if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) {
 		$reqdfields[] = "srcmask";
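Review bot: Adding `type` to `$reqdfields` only checks that the field is present; nothing constrains its value to pass or block, and nothing checks that `sequence` is numeric, yet the hunk at @@ -253 stores both `$_POST` values unchanged and filter.inc maps any unrecognised type to pass. Since this file already collects validation failures in `$input_errors` (referenced later in the file), the checks fit naturally alongside the required-field test: `if (!in_array($_POST['type'], array("pass", "block"))) $input_errors[] = "Rule type must be PASS or BLOCK.";` and `if ($_POST['sequence'] != "" && !is_numeric($_POST['sequence'])) $input_errors[] = "Sequence must be a number.";` (message wording is a suggestion). With that in place the pass fallback in filter.inc becomes a true upgrade path rather than a way for a malformed submission to produce a permit rule. The enclosing `if ($_POST)` block starts and ends outside this hunk.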
@@ -253,6 +269,8 @@
 
 	if (!$input_errors) {
 		$filterent = array();
+		$filterent['sequence'] = $_POST['sequence'];
+		$filterent['type'] = $_POST['type'];
 		$filterent['interface'] = $_POST['interface'];
 		
 		if ($_POST['proto'] != "any")
@@ -268,7 +286,9 @@
 			$_POST['dstmask'], $_POST['dstnot'],
 			$_POST['dstbeginport'], $_POST['dstendport']);
 		
+		$filterent['disabled'] = $_POST['disabled'] ? true : false;
 		$filterent['frags'] = $_POST['frags'] ? true : false;
+		$filterent['log'] = $_POST['log'] ? true : false;
 		$filterent['descr'] = $_POST['descr'];
 		
 		if (isset($id) && $a_filter[$id])
@@ -397,6 +417,27 @@
 <?php if ($savemsg) echo htmlspecialchars($savemsg); ?>
             <form action="firewall_rules_edit.php" method="post" name="iform" id="iform">
               <table width="100%" border="0" cellpadding="6" cellspacing="0">
+		<tr>
+                  <td valign="top" class="vncellreq">Sequence</td>
+                  <td class="vtable"> <input name="sequence" type="text" class="formfld"
id="sequence" size="5" value="<?=htmlspecialchars($pconfig['sequence']);?>"> 
+                    <br> <span class="vexpl">Change this value to change the
+		    position of this rule relative to the other rules on
+		    the same interface.</span></td>
+                </tr>
+                <tr> 
+                  <td valign="top" class="vncellreq">Rule Type</td>
+                  <td class="vtable"><select name="type" class="formfld">
+                      <?php $types = explode(" ", "PASS BLOCK"); foreach ($types as $type): ?>
+                      <option value="<?=strtolower($type);?>" <?php if (strtolower($type) ==
strtolower($pconfig['type'])) echo "selected"; if ($type=="PASS") echo " default"; ?>>
+                      <?=htmlspecialchars($type);?>
+                      </option>
+                      <?php endforeach; ?>
+                    </select> <br>
+                    <span class="vexpl">Select PASS to pass data for the
+		    criteria specified below; select BLOCK to block data
+		    for the criteria specified below.<br>
+                    </span></td>
+                </tr>
                 <tr> 
                   <td valign="top" class="vncellreq">Interface</td>
                   <td class="vtable"><select name="interface" class="formfld">
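Review bot: In the Rule Type select, `if ($type=="PASS") echo " default";` writes a `default` attribute on the PASS option, which is not an HTML attribute of `<option>` and has no effect; preselection is already handled by the `selected` branch just before it, and the PASS default for new rules comes from `$pconfig['type']` being initialised in the defaults block. Dropping that fragment leaves the markup valid with no change in behaviour. The first added `<tr>` is also indented with a tab where the surrounding rows use spaces.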
@@ -582,6 +623,15 @@
                     the destination of the packet for this rule.<br>
                     Hint: you can leave the <em>'to'</em> field empty if you only 
                     want to filter a single port</span></td>
+		</tr>
+		<tr>
+                  <td valign="top" class="vncellreq">Disabled</td>
+                  <td class="vtable"><input name="disabled" type="checkbox" id="disabled"
value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
+                    <strong>Disabled</strong><br>
+		    Set this option to disable this rule without removing it
+		    from the list.<br>
+		  </td>
+                </tr>
                 <tr> 
                   <td width="100" valign="top" class="vncellreq">Fragments</td>
                   <td class="vtable"> <input name="frags" type="checkbox" id="frags" value="yes"
<?php if ($pconfig['frags']) echo "checked"; ?>>
@@ -591,6 +641,17 @@
                     DoS attacks. In most cases, it is not needed. Try enabling 
                     it if you have troubles<br>
                     connecting to certain sites.</span></td>
+                </tr>
+                <tr> 
+                  <td width="100" valign="top" class="vncellreq">Log</td>
+                  <td class="vtable"> <input name="log" type="checkbox" id="log" value="yes" <?php
if ($pconfig['log']) echo "checked"; ?>>
+                    <strong>Log packets that are handled by this rule.</strong><br>
+                    <span class="vexpl">Hint: the firewall has limited local
+		    log space.  Don't turn on logging for everything.<br>
+		    If you want to do a lot of logging, consider using
+		    syslog to log to a remote machine (see the
+		    Diagnostics:System logs:Settings page).
+                    </span></td>
                 </tr>
                 <tr> 
                   <td valign="top" class="vncellreq">Description</td>
diff -aur mfsroot.orig/usr/local/www/guiconfig.inc mfsroot/usr/local/www/guiconfig.inc
--- mfsroot.orig/usr/local/www/guiconfig.inc	Sat Oct 11 13:46:37 2003
+++ mfsroot/usr/local/www/guiconfig.inc	Thu Oct 30 11:28:42 2003
@@ -212,6 +212,7 @@
 	
 	function filtercmp($a, $b) {
 		if ($a['interface'] == $b['interface']) {
+		    if ((int)$a['sequence'] == (int)$b['sequence']) {
 			if ($a['protocol'] == $b['protocol']) {
 				if ($a['destination']['port'] == $b['destination']['port']) {
 					return 0;
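Review bot: The new `if ((int)$a['sequence'] == (int)$b['sequence']) {` line (and its matching `else` in the hunk at @@ -221) is indented with spaces inside a tab-indented function, which makes the nesting hard to read in the original file. Rules from a pre-upgrade config have no `sequence` key, so they sort as 0 by way of the cast; that matches the "set seq=0" comment in firewall_rules_edit.php but a one-line comment here would record it: `/* missing sequence (pre-upgrade rule) casts to 0 */`. filtercmp continues past the end of this hunk.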
@@ -221,6 +222,9 @@
 			} else {
 				return strcmp($a['protocol'], $b['protocol']);
 			}
+		    } else {
+			return (int)$a['sequence'] - (int)$b['sequence'];
+		    }
 		} else {
 			return -strcmp($a['interface'], $b['interface']);
 		}