zentyal-firewall-2.3.9+quantal1/COPYING

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

Copyright (C)

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
zentyal-firewall-2.3.9+quantal1/debian/zentyal-firewall.postrm

#!/bin/bash

set -e

#DEBHELPER#

case "$1" in
    purge)
        # purge configuration
        /usr/share/zentyal/purge-module firewall
        ;;
    remove)
        dpkg-trigger --no-await zentyal-core
        ;;
esac

exit 0

zentyal-firewall-2.3.9+quantal1/debian/compat

5

zentyal-firewall-2.3.9+quantal1/debian/copyright

This package was debianized by Zentyal Packaging Maintainers
Fri, 20 Feb 2005 15:13:22 +0100.

It was downloaded from http://www.zentyal.org/

Files: *
Upstream Author: eBox Technologies S.L.
Copyright (C) 2004-2012 eBox Technologies S.L.
License:
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

On Debian systems, the complete text of the GNU General Public License
can be found in /usr/share/common-licenses/GPL-2 file.

The Debian packaging is:

    (C) 2004-2011, Zentyal Packaging Maintainers

and is licensed under the GPL, see `/usr/share/common-licenses/GPL-2'.
zentyal-firewall-2.3.9+quantal1/debian/control

Source: zentyal-firewall
Section: web
Priority: optional
Maintainer: Zentyal Packaging Maintainers
Uploaders: Jorge Salamero Sanz
Build-Depends: zbuildtools
Standards-Version: 3.9.2
Homepage: http://www.zentyal.org/
Vcs-Browser: http://git.zentyal.org/zentyal.git/tree/quantal:/main/firewall
Vcs-Git: git://git.zentyal.org/zentyal.git

Package: zentyal-firewall
Architecture: all
Replaces: ebox-firewall (<< 2.0.100)
Breaks: ebox-firewall (<< 2.0.100)
Depends: zentyal-core (>= 2.3), zentyal-core (<< 2.3.100), zentyal-network, zentyal-objects, zentyal-services, iptables, ${misc:Depends}
Description: Zentyal - Firewall
 Zentyal is a Linux small business server that can act as a Gateway,
 Unified Threat Manager, Office Server, Infrastructure Manager, Unified
 Communications Server or a combination of them. One single, easy-to-use
 platform to manage all your network services.
 .
 This module adds firewalling capabilities.
zentyal-firewall-2.3.9+quantal1/debian/source/format

3.0 (native)

zentyal-firewall-2.3.9+quantal1/debian/rules

#!/usr/bin/make -f

include /usr/share/zbuildtools/1/rules/zentyal.mk

zentyal-firewall-2.3.9+quantal1/debian/zentyal-firewall.postinst

#!/bin/bash

set -e

#DEBHELPER#

case "$1" in
    configure)
        # initial setup
        /usr/share/zentyal/initial-setup firewall $2

        # restart module
        invoke-rc.d zentyal firewall restart || true

        dpkg-trigger --no-await zentyal-core
        ;;
esac

exit 0

zentyal-firewall-2.3.9+quantal1/debian/changelog

zentyal-firewall (2.3.9+quantal1) quantal; urgency=low

  * New upstream release for Quantal

 -- Jorge Salamero Sanz  Tue, 28 Aug 2012 10:18:14 +0200

zentyal-firewall (2.3.9) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 23 Aug 2012 02:27:10 +0200

zentyal-firewall (2.3.8) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Wed, 18 Jul 2012 22:01:23 +0200

zentyal-firewall (2.3.7) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 14 Jun 2012 04:50:47 +0200

zentyal-firewall (2.3.6) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 04 Jun 2012 11:12:22 +0200

zentyal-firewall (2.3.5) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 02 Apr 2012 17:52:25 +0200

zentyal-firewall (2.3.4) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 26 Mar 2012 14:07:40 +0200

zentyal-firewall (2.3.1) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Tue, 06 Mar 2012 21:55:56 +0100

zentyal-firewall (2.3-1) precise; urgency=low

  * Updated Standards-Version to 3.9.2

 -- José A. Calvo  Wed, 08 Feb 2012 16:12:47 +0100

zentyal-firewall (2.3) precise; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 30 Jan 2012 01:43:04 +0100

zentyal-firewall (2.2) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Tue, 13 Sep 2011 04:41:12 +0200

zentyal-firewall (2.1.7) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 08 Sep 2011 16:21:22 +0200

zentyal-firewall (2.1.6) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 25 Aug 2011 19:55:24 +0200

zentyal-firewall (2.1.5) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Wed, 24 Aug 2011 03:19:42 +0200

zentyal-firewall (2.1.4) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Tue, 16 Aug 2011 20:25:04 +0200

zentyal-firewall (2.1.3) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 14 Jul 2011 15:38:12 +0200

zentyal-firewall (2.1.2) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Wed, 29 Jun 2011 19:36:55 +0200

zentyal-firewall (2.1.1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Tue, 10 May 2011 22:43:15 +0200

zentyal-firewall (2.1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Tue, 22 Feb 2011 03:12:35 +0100

ebox-firewall (2.0.1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 20 Dec 2010 19:15:54 +0100

ebox-firewall (2.0) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 30 Aug 2010 21:53:49 +0200

ebox-firewall (1.5.6-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Mon, 23 Aug 2010 02:15:18 +0200

ebox-firewall (1.5.5-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Wed, 18 Aug 2010 22:42:20 +0200

ebox-firewall (1.5.4-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Wed, 04 Aug 2010 15:49:20 +0200

ebox-firewall (1.5.3-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Sun, 20 Jun 2010 20:41:41 +0200

ebox-firewall (1.5.2-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 10 Jun 2010 16:32:16 +0200

ebox-firewall (1.5.1-0ubuntu1~ppa1~lucid1) lucid; urgency=low

  * New upstream release

 -- José A. Calvo  Thu, 13 May 2010 01:34:41 +0200

ebox-firewall (1.5-0ubuntu1) lucid; urgency=low

  [Javier Uruen Val]
  * New upstream release (LP: #521803)
  * debian/control
    - Bump eBox dependency
    - Update description
  * debian/ebox-firewall.postinst
    - Add new firewall_report.sql

 -- Javier Uruen Val  Sun, 07 Feb 2010 18:51:11 +0100

ebox-firewall (1.3.5-0ubuntu1) karmic; urgency=low

  [Javier Uruen Val]
  * New upstream release [LP: #411545]
  * cdbs/ebox.mk
    - GConf schemas are not used anymore
    - Remove SCHEMASPATH variable
    - Remove schemadir variable
    - Use new upstart directory and file naming convention
  * debian/control
    - Bump standards version
    - Bump eBox dependency
  * debian/ebox-firewall.postinst
    - Fix indentation
    - Do not pkill gconfd as it's not necessary anymore
    - Run ebox trigger
    - Add set -e
    - Add || true
  * debian/ebox-firewall.postrm
    - Run ebox trigger
    - Add set -e
  * debian/ebox-firewall.prerm
    - Add set -e
  * debian/rules
    - Do not include debian/cdbs/gnome.mk

 -- Javier Uruen Val  Wed, 05 Aug 2009 12:29:43 +0200

ebox-firewall (0.12.4-0ubuntu1) jaunty; urgency=low

  [ Javier Uruen Val ]
  * New upstream release. Closes (LP: #318813)
  * debian/control:
    - drop dpatch build dependency.
    - bump standard revision.
  * debian/watch:
    - add watch file.

 -- Mathias Gug  Mon, 26 Jan 2009 19:06:56 -0500

ebox-firewall (0.11.99-0ubuntu2) hardy; urgency=low

  * debian/control
    - Added dpatch.
  * debian/rules
    - Added dpatch support.
  * debian/patches/01_enable_log_observer.dpatch
    - Enable log observer.
  * debian/patches/02_fix_log_parsing.dpatch
    - Parses new iptables log format.

 -- Chuck Short  Mon, 24 Mar 2008 08:46:41 -0400

ebox-firewall (0.11.99-0ubuntu1) hardy; urgency=low

  * New upstream release.

 -- Chuck Short  Wed, 27 Feb 2008 13:14:34 -0500

ebox-firewall (0.11.99-0ubuntu1~ppa1) hardy; urgency=low

  * New upstream release

 -- Javier Uruen Val  Mon, 25 Feb 2008 13:24:27 +0100

ebox-firewall (0.11.99) unstable; urgency=low

  * New upstream release

 -- Enrique José Hernández Blasco  Tue, 8 Jan 2008 16:14:38 +0100

ebox-firewall (0.11-0ubuntu1~ppa1) hardy; urgency=low

  * First Ubuntu release based on Soren's package

 -- Javier Uruen Val  Wed, 28 Nov 2007 15:23:32 +0100

ebox-firewall (0.10.99) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Thu, 01 Nov 2007 21:38:13 +0100

ebox-firewall (0.10) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Wed, 10 Oct 2007 21:53:48 +0200

ebox-firewall (0.9.100) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Tue, 04 Sep 2007 14:03:20 +0200

ebox-firewall (0.9.99) unstable; urgency=low

  * New upstream release

 -- Javier Amor Garcia  Tue, 24 Jul 2007 12:35:49 +0200

ebox-firewall (0.9.3) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Sun, 24 Jun 2007 16:38:47 +0200

ebox-firewall (0.9.2) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Tue, 12 Jun 2007 18:59:26 +0200

ebox-firewall (0.9.1) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Tue, 15 May 2007 13:02:24 +0200

ebox-firewall (0.9) unstable; urgency=low

  * New upstream release

 -- Javier Amor Garcia  Thu, 22 Mar 2007 12:14:26 +0100

ebox-firewall (0.7.99) unstable; urgency=low

  * New upstream release

 -- Enrique José Hernández Blasco  Mon, 27 Nov 2006 14:47:53 +0100

ebox-firewall (0.7.1) unstable; urgency=low

  * New upstream release

 -- Daniel Baeyens Sicilia  Wed, 22 Mar 2006 16:04:20 +0100

ebox-firewall (0.7.0.99-rc1+0.7.1-rc1) unstable; urgency=low

  * New upstream release

 -- Javier Uruen Val  Tue, 17 Jan 2006 11:43:30 +0100

ebox-firewall (0.5) unstable; urgency=low

  * New upstream release

 -- Javier Uruen  Mon, 16 Apr 2005 14:33:06 +0100
zentyal-firewall-2.3.9+quantal1/conf/firewall.conf

# firewall.conf - configuration file for zentyal-firewall
#
# This file contains the most basic settings, most other stuff is configured
# using the web interface.
#
# Everything after a '#' character is ignored
#
# All whitespace is ignored
#
# Config keys are set this way:
#
# key = value
#
# They may contain comments at the end:
#
# key = value # this is ignored

# Limit of logged packets per minute.
iptables_log_limit = 50

# Burst
iptables_log_burst = 10

# Logs all the drops
iptables_log_drops = yes

# Extra iptables modules to load
# Each module should be separated by a comma, you can include module parameters
iptables_modules = nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_h323, nf_nat_h323, nf_conntrack_pptp, nf_nat_pptp, nf_conntrack_sip, nf_nat_sip

# Enable source NAT, if your router does NAT you can disable it
nat_enabled = yes

zentyal-firewall-2.3.9+quantal1/src/templates/ajax/viewer/fwDecisionViewer.mas

<%args>
$data
</%args>
% if ( (defined ( $data->value())) and
%      ($data->value() eq 'accept')) {
<% $data->printableValue() %>
% } elsif ($data->value() eq 'deny') {
<% $data->printableValue() %>
% } elsif ($data->value() eq 'log') {
<% $data->printableValue() %>
% }

zentyal-firewall-2.3.9+quantal1/src/templates/filter.mas

<%args>
$showImages => 1
</%args>
<%init>
use EBox::Gettext;
</%init>

% if ($showImages) { % }

<% __('Filtering rules from internal networks to Zentyal') %>

<% __('These rules allow you to control access from internal networks to services running on your Zentyal machine.') %>

<% __('Configure rules') %>

% if ($showImages) { % }

<% __('Filtering rules for internal networks') %>

<% __('These rules allow you to control access from internal networks to the Internet and traffic between internal networks. If you wish to provide access to your Zentyal services, you must use the above section.') %>

<% __('Configure rules') %>

% if ($showImages) { % }

<% __('Filtering rules from external networks to Zentyal') %>

<% __('These rules allow you to control access from external networks to services running on your Zentyal machine.') %>
<% __('Be advised that adding rules in this section may compromise your network security as you may grant access from untrusted networks. Please do not use this unless you know what you are doing.') %>

<% __('Configure rules') %>

% if ($showImages) { % }

<% __('Filtering rules from external networks to internal networks') %>

<% __('These rules allow you to control access from external networks to internal networks.') %>
<% __('Be advised that adding rules in this section may compromise your network security as you may grant access from untrusted networks. Please do not use this unless you know what you are doing.') %>

<% __('Configure rules') %>

% if ($showImages) { % }

<% __('Filtering rules for traffic coming out from Zentyal') %>

<% __('These rules allow you to control access from your Zentyal to external services.') %>

<% __('Configure rules') %>

% if ($showImages) { % }

<% __('Rules added by Zentyal services (Advanced)') %>

<% __('These rules are automatically added by the Zentyal services.') %>
<% __('You can disable these rules, but make sure you know what you are doing or otherwise some services could stop working.') %>

<% __('Configure rules') %>

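The conf/firewall.conf header above documents a small key = value format (comments after '#', whitespace ignored) whose values end up on iptables and modprobe command lines. The following is an added example, not code from zentyal-firewall: a parser for that format, with the validation a module should apply before the values leave the configuration layer. The sample text, the `parse_conf`, `enabled`, `log_rule_args` and `module_list` names, and the exact shape of the LOG rule (`-m limit --limit N/minute --limit-burst M -j LOG`, which are real iptables options but not necessarily how the module's own templates use them) are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not part of zentyal-firewall: parse the key = value format
# documented in conf/firewall.conf and validate the values before they are
# handed to iptables or modprobe.  Sample text and function names are
# constructed for this example.
use strict;
use warnings;

# Constructed sample covering the cases the file's own comments describe:
# blank lines, full-line comments and a comment trailing a value.
my $sample = <<'CONF';
# firewall.conf - constructed sample, not the shipped file
iptables_log_limit = 50
iptables_log_burst = 10      # this is ignored
iptables_log_drops = yes

iptables_modules = nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_h323
nat_enabled = no
CONF

# parse_conf: text -> hash ref of key => value.  Everything after '#' is
# dropped, surrounding whitespace is trimmed, lines without '=' are skipped
# and keys are restricted to identifier characters.
sub parse_conf {
    my ($text) = @_;
    my %conf;
    foreach my $line (split /\n/, $text) {
        $line =~ s/#.*$//;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '';
        my ($key, $value) = split /\s*=\s*/, $line, 2;
        next unless defined $key && defined $value && $key =~ /^\w+$/;
        $conf{$key} = $value;
    }
    return \%conf;
}

# yes/no flags: anything other than "yes" (case-insensitive) is off.
sub enabled {
    my ($value) = @_;
    return defined $value && lc($value) eq 'yes';
}

# log_rule_args: rate-limit arguments for a LOG rule on dropped packets.
# Non-numeric or zero values are rejected instead of being passed through,
# since iptables would either fail or log without any limit at all.
# The rule shape here is an assumption of this example.
sub log_rule_args {
    my ($conf) = @_;
    return () unless enabled($conf->{iptables_log_drops});
    my $limit = $conf->{iptables_log_limit};
    my $burst = $conf->{iptables_log_burst};
    for my $v ([iptables_log_limit => $limit], [iptables_log_burst => $burst]) {
        my ($name, $val) = @$v;
        die "$name must be a positive integer\n"
            unless defined $val && $val =~ /^\d+$/ && $val > 0;
    }
    return ('-m', 'limit', '--limit', "$limit/minute",
            '--limit-burst', $burst, '-j', 'LOG');
}

# module_list: split iptables_modules on commas and accept only entries that
# look like a module name with optional "param=value" arguments, so a value
# containing shell metacharacters never reaches a modprobe command line.
sub module_list {
    my ($conf) = @_;
    my @mods;
    foreach my $entry (split /,/, $conf->{iptables_modules} // '') {
        $entry =~ s/^\s+|\s+$//g;
        next if $entry eq '';
        die "bad iptables module entry: '$entry'\n"
            unless $entry =~ /^[\w.-]+(\s+\w+=[\w.:-]+)*$/;
        push @mods, $entry;
    }
    return @mods;
}

my $conf = parse_conf($sample);
print join(' ', log_rule_args($conf)), "\n";
print join("\n", module_list($conf)), "\n";
print "source NAT: ", (enabled($conf->{nat_enabled}) ? "on" : "off"), "\n";
```

One caveat that follows from the format itself: because entries in iptables_modules are separated by commas, a module parameter whose value is itself a comma-separated list cannot be expressed on that line without being split in two, so the validator above rejects it rather than loading half an entry.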
zentyal-firewall-2.3.9+quantal1/src/scripts/0000775000000000000000000000000012017102347015703 5ustar zentyal-firewall-2.3.9+quantal1/src/scripts/dhcp-firewall.pl0000775000000000000000000000232712017102347020770 0ustar #!/usr/bin/perl # Copyright (C) 2008-2012 eBox Technologies S.L. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License, version 2, as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA use strict; use warnings; use EBox; use EBox::Global; use EBox::Exceptions::Lock; use Error qw(:try); EBox::init(); my $timeout = 60; my $global = EBox::Global->getInstance(1); $global->modExists("firewall") or exit(0); my $fw = $global->modInstance("firewall"); exit (0) unless ($fw->isEnabled()); while ($timeout) { try { $fw->restartService(); exit(0); } catch EBox::Exceptions::Lock with { sleep 5; $timeout -= 5; }; } EBox::error("DHCP hook: Firewall module has been locked for 60 seconds, ". "I give up."); zentyal-firewall-2.3.9+quantal1/src/EBox/0000775000000000000000000000000012017102347015051 5ustar zentyal-firewall-2.3.9+quantal1/src/EBox/FirewallObserver.pm0000664000000000000000000000327212017102347020670 0ustar # Copyright (C) 2008-2012 eBox Technologies S.L. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License, version 2, as # published by the Free Software Foundation. 
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::FirewallObserver;

use strict;
use warnings;

use EBox::Gettext;

sub new
{
    my $class = shift;
    my $self = {};
    bless($self, $class);
    return $self;
}

# Method: firewallHelper
#
#   All modules using any of the functions in FirewallHelper.pm
#   should override this method to return the implementation
#   of that interface.
#
# Returns:
#
#   An object implementing EBox::FirewallHelper, or undef if the
#   module adds no firewall rules (the default)
sub firewallHelper
{
    return undef;
}

# Method: usesPort
#
#   This method is used by the firewall to find out if a given port
#   is available or not. So if your module implements
#   EBox::FirewallHelper to allow some ports for the service it manages,
#   you must implement this method to inform about this when requested.
#   This means you should check if the requested port is used by your
#   service.
#
# Parameters:
#
#   protocol - protocol (tcp|udp)
#   port - port number
#   iface - interface
#
# Returns:
#
#   boolean - if the given port is used (the default answers "not used")
sub usesPort # (protocol, port, iface)
{
    return undef;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Composite/PacketTrafficReport.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::Firewall::Composite::PacketTrafficReport;

use base 'EBox::Model::Composite';

use strict;
use warnings;

use EBox::Gettext;

# Group: Public methods

# Constructor: new
#
#   Constructor for the packet traffic report composite
#
# Returns:
#
#   EBox::Firewall::Composite::PacketTrafficReport - the composite
#
sub new
{
    my ($class, @params) = @_;

    my $self = $class->SUPER::new(@params);

    return $self;
}

# Group: Protected methods

# Method: _description
#
# Overrides:
#
#   EBox::Model::Composite::_description
#
sub _description
{
    my $description = {
        layout          => 'top-bottom',
        name            => 'PacketTrafficReport',
        printableName   => __('Packet traffic report'),
        pageTitle       => __('Firewall packet traffic report'),
        compositeDomain => 'Firewall',
    };

    return $description;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/IptablesRedirectRule.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::IptablesRedirectRule
#
#   This class extends EBox::Firewall::IptablesRule to add
#   some stuff which is needed by redirects:
#
#   - Setting the interface name
#
#   - Setting a custom service (port and protocol)
#
#   - Setting destination (address and port)
#
package EBox::Firewall::IptablesRedirectRule;

use warnings;
use strict;

use EBox;
use EBox::Global;
use EBox::Config;
use EBox::Gettext;
use EBox::Model::Manager;
use EBox::Validate;
use EBox::Exceptions::External;
use EBox::Exceptions::MissingArgument;
use EBox::NetWrappers;
use Perl6::Junction qw( any );

use base 'EBox::Firewall::IptablesRule';

sub new
{
    my $class = shift;
    my %opts = @_;

    my $self = $class->SUPER::new(@_);
    $self->{'log'} = 0;
    $self->{'log_level'} = 7;
    $self->{'snat'} = 0;
    $self->{service} = [];

    bless($self, $class);
    return $self;
}

# Method: strings
#
#   Return the iptables rules built as a string
#
# Returns:
#
#   Array ref of strings containing a iptables rule
sub strings
{
    my ($self) = @_;

    my @rules;
    my $state = $self->state();
    my $modulesConf = $self->modulesConf();
    my $iface = $self->interface();
    my $netModule = EBox::Global->modInstance('network');
    $iface = $netModule->realIface($iface);

    # Iptables needs to use the real interface, without the alias suffix
    $iface =~ s/:.*$//;

    my $limit = EBox::Config::configkey('iptables_log_limit');
    my $burst = EBox::Config::configkey('iptables_log_burst');

    unless (defined($limit) and $limit =~ /^\d+$/) {
        throw EBox::Exceptions::External(__('You must set the ' .
            'iptables_log_limit variable in the ebox configuration file'));
    }

    unless (defined($burst) and $burst =~ /^\d+$/) {
        throw EBox::Exceptions::External(__('You must set the ' .
            'iptables_log_burst variable in the ebox configuration file'));
    }

    foreach my $src (@{$self->{'source'}}) {
        foreach my $origDst (@{$self->{'destination'}}) {
            my ($dst, $toDst) = @{$self->{'destinationNAT'}};
            foreach my $service (@{$self->{'service'}}) {
                my $natSvc = $service->{nat};
                my $postroutingSvc = $service->{postrouting};
                my $filterSvc = $service->{filter};

                # DNAT in the nat table, plus an explicit ACCEPT in the
                # fredirects filter chain for the translated destination
                my $natRule = "-t nat -A PREROUTING $modulesConf " .
                    "-i $iface $src $natSvc $origDst -j DNAT $toDst";
                my $filterRule = "-A fredirects $state $modulesConf " .
                    "-i $iface $src $filterSvc $dst -j ACCEPT";
                push (@rules, $natRule);
                push (@rules, $filterRule);

                # Add SNAT rule if necessary
                if ($self->{'snat'}) {
                    my $snatAddress = $self->snatAddress($netModule, $dst);
                    if ($snatAddress) {
                        my $snatRule = "-t nat -A POSTROUTING $modulesConf " .
                            " $src $dst $postroutingSvc " .
                            " -j SNAT --to-source $snatAddress";
                        push (@rules, $snatRule);
                    } else {
                        EBox::warn("Unable to find a SNAT address for redirection to $toDst. " .
                                   "No SNAT rule will be added for this redirection.");
                    }
                }

                # Add log rule if it's activated. It is put at the head of
                # the list so that it precedes the ACCEPT rule in the chain.
                if ( $self->{'log'} ) {
                    my $logRule = "-A fredirects $state $modulesConf " .
                        "-i $iface $src $filterSvc $dst -j LOG -m limit " .
                        "--limit $limit/min " .
                        "--limit-burst $burst " .
                        '--log-level ' . $self->{'log_level'} . ' ' .
                        '--log-prefix "ebox-firewall redirect "';
                    unshift (@rules, $logRule);
                }
            }
        }
    }

    return \@rules;
}

# Method: snatAddress
#
#   Find a local address to use as SNAT source for a redirect: the
#   address of the first internal interface whose network contains the
#   destination IP
#
# Parameters:
#
#   netModule - the network module instance
#   destination - the "-d <ip>" match string built by setDestination
#
# Returns:
#
#   string - the address, or undef if no internal network contains the IP
sub snatAddress
{
    my ($self, $netModule, $destination) = @_;

    # Keep only the IP from the "-d <ip>" match string
    my @parts = split '\s+', $destination;
    my $dstIP = $parts[-1];

    my @internalIfaces = @{ $netModule->InternalIfaces() };
    foreach my $iface (@internalIfaces) {
        my @addresses = @{ $netModule->ifaceAddresses($iface) };
        foreach my $address (@addresses) {
            my $ip = $address->{address};
            my $netmask = $address->{netmask};
            my $localNetwork = EBox::NetWrappers::ip_network($ip, $netmask);
            if (EBox::Validate::isIPInNetwork($localNetwork, $netmask, $dstIP)) {
                return $ip;
            }
        }
    }

    return undef;
}

# Method: setInterface
#
#   Set interface for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   interface - interface name
#
sub setInterface
{
    my ($self, $interface) = @_;
    $self->{'interface'} = $interface;
}

# Method: interface
#
#   Return interface for rules
#
# Returns:
#
#   interface - the interface name set with setInterface, or undef
#
sub interface
{
    my ($self) = @_;

    if (exists $self->{'interface'}) {
        return $self->{'interface'};
    } else {
        return undef;
    }
}

# Method: setDestination
#
#   Set destination for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   addr - destination address
#   port - destination port (optional: can be undef)
#
sub setDestination
{
    my ($self, $addr, $port) = @_;

    my $destination = "-d $addr";
    my $toDestination = "--to-destination $addr";
    if (defined ($port)) {
        $toDestination .= ":$port";
    }

    $self->{'destinationNAT'} = [$destination, $toDestination];
}

# Method: setCustomService
#
#   Set a custom service for the rule
#
# Parameters:
#
#   (POSITIONAL)
#
#   extPort - external port
#   dstPort - destination port
#   protocol - protocol (tcp, udp, ...)
#   dstPortFilter - destination port to be used in filter table
sub setCustomService
{
    my ($self, $extPort, $dstPort, $protocol, $dstPortFilter) = @_;

    unless (defined($extPort)) {
        throw EBox::Exceptions::MissingArgument("extPort");
    }
    unless (defined($dstPort)) {
        throw EBox::Exceptions::MissingArgument("dstPort");
    }
    unless (defined($protocol)) {
        throw EBox::Exceptions::MissingArgument("protocol");
    }
    unless (defined($dstPortFilter)) {
        throw EBox::Exceptions::MissingArgument("dstPortFilter");
    }

    my $nat = "";
    my $filter = "";
    my $postrouting = '';

    if ($protocol eq any ('tcp', 'udp', 'tcp/udp')) {
        if ($extPort ne 'any') {
            $nat .= " --dport $extPort";
        }
        if ($dstPort ne 'any') {
            $filter .= " --dport $dstPortFilter";
        }
    }

    # The POSTROUTING (SNAT) match only applies to connections that were
    # already DNATed by the PREROUTING rule
    $postrouting = "$filter -m conntrack --ctstate DNAT";

    my @protocols;
    if ($protocol eq 'tcp/udp') {
        push @protocols, 'tcp', 'udp';
    } else {
        push @protocols, $protocol;
    }

    foreach my $pr (@protocols) {
        push @{$self->{'service'}}, {
            nat         => "-p $pr $nat",
            postrouting => "-p $pr $postrouting",
            filter      => "-p $pr $filter",
        };
    }
}

# Method: setLog
#
#   Set log flag for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   log - 1 to activate logging
#
sub setLog
{
    my ($self, $log) = @_;
    $self->{'log'} = $log;
}

# Method: setLogLevel
#
#   Sets syslog level for log rule
#
# Parameters:
#
#   (POSITIONAL)
#
#   level - log level
#
sub setLogLevel
{
    my ($self, $level) = @_;
    $self->{'log_level'} = $level;
}

sub setSNAT
{
    my ($self, $snat) = @_;
    $self->{snat} = $snat;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/IptablesRule.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::IptablesRule
#
#   This is a convenience class to manage iptables rules.
#   It is meant to be used to easily build iptables rules
#   based on data stored in data models.
#
#   Use the setters to configure the rule and eventually call
#   strings() to get the iptables rules stringified.
#
package EBox::Firewall::IptablesRule;

use warnings;
use strict;

use Clone::Fast;
use EBox;
use EBox::Global;
use EBox::Validate qw( checkCIDR );
use EBox::Model::Manager;
use EBox::Exceptions::External;
use EBox::Exceptions::DataNotFound;
use EBox::Exceptions::InvalidData;
use EBox::Exceptions::MissingArgument;
use Perl6::Junction qw( any );

sub new
{
    my $class = shift;
    my %opts = @_;
    my $self = {};

    $self->{'table'} = delete $opts{'table'};
    $self->{'chain'} = delete $opts{'chain'};
    # An empty match string means "any" source/destination; the service
    # list stays empty (and strings() yields no rules) until setService()
    $self->{'source'} = [''];
    $self->{'destination'} = [''];
    $self->{'service'} = [];
    $self->{'objects'} = EBox::Global->modInstance('objects');
    $self->{'services'} = EBox::Global->modInstance('services');

    bless($self, $class);
    return $self;
}

# Method: strings
#
#   Return the iptables rules built as a string
#
# Returns:
#
#   Array ref of strings containing a iptables rule
sub strings
{
    my ($self) = @_;

    my @rules;
    my $table = ' -t ' . $self->table();
    my $decision = '';
    if ($self->decision()) {
        $decision = ' -j ' . $self->decision();
    }
    my $chain = ' -A ' . $self->chain();
    my $state = $self->state();
    my $modulesConf = $self->modulesConf();

    # One rule per (source, destination, service) combination
    foreach my $src (@{$self->{'source'}}) {
        foreach my $dst (@{$self->{'destination'}}) {
            foreach my $service (@{$self->{'service'}}) {
                my $rule = "$table $chain $modulesConf " .
                           "$src $dst $service $state $decision";
                push (@rules, $rule);
            }
        }
    }

    return \@rules;
}

# Method: setService
#
#   Set service for the rule
#
# Parameters:
#
#   (POSITIONAL)
#
#   service - a service id from the services module
#   inverseMatch - inverse match
sub setService
{
    my ($self, $service, $inverseMatch) = @_;

    unless (defined($service)) {
        throw EBox::Exceptions::MissingArgument("service");
    }

    my $serviceConf = $self->{'services'}->serviceConfiguration($service);
    unless (defined($serviceConf)) {
        throw EBox::Exceptions::DataNotFound('data' => 'service',
                                             'value' => $service);
    }

    my $inverse = '';
    if ($inverseMatch) {
        $inverse = ' ! ';
    }

    my $iptables;
    foreach my $ser (@{$serviceConf}) {
        $iptables = "";
        my $srcPort = $ser->{'source'};
        my $dstPort = $ser->{'destination'};
        my $protocol = $ser->{'protocol'};
        my $invProto = '';
        # With no port restriction, the inverse match can only be applied
        # to the protocol itself
        if ($inverseMatch and $srcPort eq 'any' and $dstPort eq 'any') {
            $invProto = ' ! ';
        }

        if ($protocol eq any ('tcp', 'udp', 'tcp/udp')) {
            # Note the legacy placement of "!" after the option name
            if ($srcPort ne 'any') {
                $iptables .= " --source-port $inverse $srcPort ";
            }
            if ($dstPort ne 'any') {
                $iptables .= " --destination-port $inverse $dstPort ";
            }

            if ($protocol eq 'tcp/udp') {
                push (@{$self->{'service'}}, " $invProto -p udp " . $iptables);
                push (@{$self->{'service'}}, " $invProto -p tcp " . $iptables);
            } else {
                push (@{$self->{'service'}}, " $invProto -p $protocol " . $iptables);
            }
        } elsif ($protocol eq 'icmp') {
            # One rule per ICMP type; "! -f" excludes non-first fragments
            my @icmp_types = qw(echo-request echo-reply destination-unreachable
                                source-quench parameter-problem);
            foreach my $type (@icmp_types) {
                $iptables = " $invProto -p $protocol --icmp-type $type ! -f";
                push (@{$self->{'service'}}, $iptables);
            }
        } elsif ($protocol eq any ('gre', 'esp')) {
            $iptables = " -p $invProto $protocol";
            push (@{$self->{'service'}}, $iptables);
        } elsif ($protocol eq 'any') {
            push (@{$self->{'service'}}, '');
        }
    }
}

# Method: setChain
#
#   Set chain for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   chain - any valid chain name (built-in or user defined)
#
sub setChain
{
    my ($self, $chain) = @_;
    $self->{'chain'} = $chain;
}

# Method: chain
#
#   Return chain for rules
#
# Returns:
#
#   chain - the chain name, or undef if not set
#
sub chain
{
    my ($self) = @_;

    if (exists $self->{'chain'}) {
        return $self->{'chain'};
    } else {
        return undef;
    }
}

# Method: setState
#
#   Set state for rules
#
# Parameters:
#
#   (NAMED)
#
#   Set those states which you wish to use. Do not set them to remove them
#
#   new
#   established
#   related
sub setState
{
    my ($self, %params) = @_;

    for my $stateKey (qw(new established related)) {
        if (exists $params{$stateKey} and $params{$stateKey}) {
            $self->{"state_$stateKey"} = 1;
        } else {
            $self->{"state_$stateKey"} = 0;
        }
    }
}

# Method: state
#
#   Return the connection state match for rules
#
# Returns:
#
#   string - a "-m state --state ..." match, or the empty string when
#   no state has been set
#
sub state
{
    my ($self) = @_;

    my $states = undef;
    for my $stateKey (qw(new established related)) {
        next unless ($self->{"state_$stateKey"});
        # iptables takes a comma separated list without spaces; a space
        # here would split the argument when the rule is run through a shell
        $states .= ',' if ($states);
        $states .= uc($stateKey);
    }

    return '' unless ($states);
    return '-m state --state ' .
           $states;
}

# Method: setDecision
#
#   Set decision for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   decision - it can be any valid chain or decision like accept, drop, reject
#
sub setDecision
{
    my ($self, $decision) = @_;
    $self->{'decision'} = $decision;
}

# Method: decision
#
#   Return decision for rules
#
# Returns:
#
#   decision - it can be any valid chain or decision like accept, drop, reject
#
sub decision
{
    my ($self) = @_;

    if (exists $self->{'decision'}) {
        return $self->{'decision'};
    } else {
        return undef;
    }
}

# Method: setTable
#
#   Set table to insert rules into
#
# Parameters:
#
#   (POSITIONAL)
#
#   table - it can be one of these: filter, nat, mangle
#
# Exceptions:
#
#   EBox::Exceptions::InvalidData - thrown if the table is not one of those
#
sub setTable
{
    my ($self, $table) = @_;

    unless (defined($table) and ($table eq any(qw(filter nat mangle)))) {
        throw EBox::Exceptions::InvalidData('data' => 'table');
    }
    $self->{'table'} = $table;
}

# Method: table
#
#   Return the table the rules are inserted into
#
# Returns:
#
#   table - one of filter, nat, mangle; undef if not set
#
sub table
{
    my ($self) = @_;

    if (exists $self->{'table'}) {
        return $self->{'table'};
    } else {
        return undef;
    }
}

# Method: setSourceAddress
#
#   Set the source address/es to build the rule
#
# Parameters:
#
#   (NAMED)
#
#   inverseMatch - whether or not to do inverse match
#   The source can be either:
#   sourceAddress - EBox::Types::IPAddr, EBox::Types::HostIP or
#                   EBox::Types::MACAddr instance
#   sourceRange - a range object with begin() and end() methods
#   sourceObject - object's id
#
sub setSourceAddress
{
    my ($self, %params) = @_;

    $params{'addressType'} = 'source';
    $self->_setAddress(%params);
}

# Method: sourceAddress
#
#   Return source address
#
# Returns:
#
#   Array ref containing source addresses
#
sub sourceAddress
{
    my ($self) = @_;

    if (exists $self->{'source'}) {
        return $self->{'source'};
    } else {
        return undef;
    }
}

# Method: setDestinationAddress
#
#   Set the destination address/es to build the rule
#
# Parameters:
#
#   (NAMED)
#
#   inverseMatch - whether or not to do inverse match
#   The destination can be either:
#   destinationAddress - EBox::Types::IPAddr or EBox::Types::HostIP instance
#   destinationRange - a range object with begin() and end() methods
#   destinationObject - object's id
#
sub setDestinationAddress
{
    my ($self, %params) = @_;

    $params{'addressType'} = 'destination';
    $self->_setAddress(%params);
}

# Method: destinationAddress
#
#   Return destination address
#
# Returns:
#
#   Array ref containing destination addresses
#
sub destinationAddress
{
    my ($self) = @_;

    if (exists $self->{'destination'}) {
        return $self->{'destination'};
    } else {
        return undef;
    }
}

# Method: setMark
#
#   Mark the packet with the mark number given. It also sets the
#   decision to MARK and the table to mangle one since it is the only
#   one possible
#
# Parameters:
#
#   markNumber - Int the mark number
#
#   markMask - Int the mark mask in a hexadecimal string
#
sub setMark
{
    my ($self, $markNumber, $markMask) = @_;

    $self->setTable('mangle');
    $self->setDecision("MARK --set-mark $markNumber");
    # Only match packets not yet marked within the mask
    $self->addModule('mark', 'mark', "0/$markMask");
}

# Method: addModule
#
#   Add a configuration parameter to an iptables module. If the
#   configuration parameter exists, it is overridden.
#
# Parameters:
#
#   moduleName - String the iptables module's name
#   confParamName - String the configuration parameter's name
#
#   confParamValue - the configuration parameter's value
#   *(Optional)*
#
sub addModule
{
    my ($self, $moduleName, $confParamName, $confParamValue) = @_;

    $confParamValue = '' unless defined ( $confParamValue );

    $self->{modules}->{$moduleName}->{$confParamName} = $confParamValue;
}

# Method: removeModule
#
#   Remove a configuration parameter from an iptables module
#
# Parameters:
#
#   moduleName - String the iptables module's name
#   confParamName - String the configuration parameter's name
#
sub removeModule
{
    my ($self, $moduleName, $confParamName) = @_;

    delete $self->{modules}->{$moduleName}->{$confParamName};
}

# Method: module
#
#   Get the string to configure an iptables' module
#
# Parameters:
#
#   moduleName - String the iptables module's name
#
# Exceptions:
#
#   EBox::Exceptions::DataNotFound - thrown if the module has not
#   been added
#
sub module
{
    my ($self, $moduleName) = @_;

    unless ( defined (
             $self->{modules}->{$moduleName} )) {
        throw EBox::Exceptions::DataNotFound( data => q{Iptables' module},
                                              value => $moduleName);
    }

    my $str = "-m $moduleName ";
    foreach my $confParam ( keys ( %{$self->{modules}->{$moduleName}})) {
        $str .= "--$confParam ";
        $str .= $self->{modules}->{$moduleName}->{$confParam} . ' ';
    }

    return $str;
}

# Method: modulesConf
#
#   Get the string to configure every module required by the
#   iptables' rule
#
sub modulesConf
{
    my ($self) = @_;

    my $str = '';
    foreach my $module ( keys(%{$self->{modules}})) {
        $str .= $self->module($module);
    }

    return $str;
}

# Private helper functions
#
sub _setAddress
{
    my ($self, %params) = @_;

    my $addressType = delete $params{'addressType'};
    my $addr = delete $params{$addressType . 'Address'};
    my $obj = delete $params{$addressType . 'Object'};
    my $range = delete $params{$addressType . 'Range'};
    my $objMembers;

    my $inverse = '';
    if ($params{'inverseMatch'}) {
        $inverse = ' ! ';
    };

    if (defined($addr) and defined($obj)) {
        throw EBox::Exceptions::External(
            "address and object are mutually exclusive");
    }

    if (defined($addr)) {
        # Checking correct address
        unless ( $addr->isa('EBox::Types::IPAddr') or
                 $addr->isa('EBox::Types::HostIP') or
                 $addr->isa('EBox::Types::MACAddr')) {
            throw EBox::Exceptions::InvalidData('data' => 'src',
                                                'value' => $addr);
        }
        if ( $addr->isa('EBox::Types::MACAddr') and $addressType ne 'source') {
            # Only warns; iptables has no MAC match for destinations
            EBox::warn('MACAddr filtering can be only ' .
                       'done in source not in destination');
        }
    }

    if (defined($obj)) {
        if (not $self->{'objects'}->objectExists($obj)) {
            throw EBox::Exceptions::DataNotFound('data' => 'object',
                                                 'value' => $obj);
        }
        $objMembers = $self->{'objects'}->objectMembers($obj);
        unless (@{$objMembers}) {
            EBox::warn("No members on obj $obj: " .
                       $self->{'objects'}->objectDescription($obj) .
                       ' make no iptables rules being created');
        }
    }

    $self->{$addressType} = [] ;
    my $flag = ' --source ';
    my $rangeFlag = ' --src-range ';
    if ($addressType eq 'destination') {
        $flag = ' --destination ';
        $rangeFlag = ' --dst-range ';
    }

    if (defined($obj)) {
        # One match per object member; an empty object yields no rules
        foreach my $member (@{ $objMembers }) {
            if ($member->{type} eq 'ipaddr') {
                push (@{$self->{$addressType}},
                      $inverse . $flag . $member->{ipaddr});
            } elsif ($member->{type} eq 'iprange') {
                my $rangeStr = $member->{begin} . '-' . $member->{end};
                push (@{$self->{$addressType}},
                      ' -m iprange ' . $inverse . $rangeFlag . $rangeStr);
            }
        }
    } elsif (defined $range) {
        my $rangeStr = $range->begin() . '-' . $range->end();
        $self->{$addressType} = [' -m iprange ' . $inverse . $rangeFlag . $rangeStr];
    } else {
        if (defined ($addr) and $addr->isa('EBox::Types::IPAddr')
            and defined($addr->ip())) {
            $self->{$addressType} = ["$inverse $flag " . $addr->printableValue()];
        } elsif (defined ($addr) and $addr->isa('EBox::Types::MACAddr')) {
            $self->{$addressType} = ["-m mac --mac-source $inverse " .
                                     $addr->printableValue()] ;
        } elsif (defined ($addr) and $addr->isa('EBox::Types::HostIP')) {
            $self->{$addressType} = [$addr->printableValue()];
        } else {
            $self->{$addressType} = [''];
        }
    }
}

# Method: clone
#
#   Clone this rule
#
# Returns:
#
#   EBox::Firewall::IptablesRule - the cloned object
#
sub clone
{
    my ($self) = @_;

    my $clonedRule = {};
    bless($clonedRule, ref($self));

    # Module instances are shared, everything else is deep copied
    my @skipKeys = qw/services objects/;
    foreach my $key (keys %{$self}) {
        unless ($key eq any @skipKeys) {
            $clonedRule->{$key} = Clone::Fast::clone($self->{$key});
        }
    }
    for my $key (@skipKeys) {
        $clonedRule->{$key} = $self->{$key};
    }

    return $clonedRule;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/IptablesRule/SNAT.pm

# Copyright (C) 2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

use warnings;
use strict;

package EBox::Firewall::IptablesRule::SNAT;

use base 'EBox::Firewall::IptablesRule';

use EBox::Global;
use EBox::Config;
use EBox::Gettext;
use EBox::Model::Manager;
use EBox::Exceptions::External;
use EBox::Exceptions::MissingArgument;
use EBox::NetWrappers;
use Perl6::Junction qw( any );

sub new
{
    my $class = shift;
    my %opts = @_;

    my $self = $class->SUPER::new(@_);
    $self->{readOnly} = $opts{readOnly};
    $self->{'log'} = 0;
    $self->{'log_level'} = 7;
    $self->{'snat'} = 0;
    $self->{service} = [];

    bless($self, $class);
    return $self;
}

# Method: strings
#
#   Return the iptables rules built as a string
#
# Returns:
#
#   Array ref of strings containing a iptables rule
sub strings
{
    my ($self) = @_;

    my @rules;
    my $state = $self->state();
    my $modulesConf = $self->modulesConf();
    my $iface = $self->interface();
    my $netModule = EBox::Global->getInstance($self->{readOnly})->modInstance('network');
    $iface = $netModule->realIface($iface);

    # Iptables needs to use the real interface, without the alias suffix
    $iface =~ s/:.*$//;

    my $limit = EBox::Config::configkey('iptables_log_limit');
    my $burst = EBox::Config::configkey('iptables_log_burst');

    unless (defined($limit) and $limit =~ /^\d+$/) {
        throw EBox::Exceptions::External(__('You must set the ' .
            'iptables_log_limit variable in the ebox configuration file'));
    }

    unless (defined($burst) and $burst =~ /^\d+$/) {
        throw EBox::Exceptions::External(__('You must set the ' .
            'iptables_log_burst variable in the ebox configuration file'));
    }

    my $snat = $self->{snat};

    foreach my $src (@{$self->{'source'}}) {
        foreach my $dst (@{$self->{'destination'}}) {
            foreach my $service (@{$self->{'service'}}) {
                # The inherited setService() stores a match string while
                # setCustomService() below stores a [nat, filter] pair; only
                # the nat part is needed for the POSTROUTING rule
                my $svc = ref($service) ? $service->[0] : $service;

                my $snatRule = "-t nat -A POSTROUTING $modulesConf " .
                    "-o $iface " .
                    " $src $dst $svc " .
                    " -j SNAT --to-source $snat";
                push (@rules, $snatRule);

                # Add log rule if it's activated
                if ( $self->{'log'} ) {
                    my $logRule = "-A fredirects $state $modulesConf " .
                        "-o $iface --src $snat $svc $dst -j LOG -m limit " .
                        "--limit $limit/min " .
                        "--limit-burst $burst " .
                        '--log-level ' . $self->{'log_level'} . ' ' .
                        '--log-prefix "ebox-firewall snat "';
                    unshift (@rules, $logRule);
                }
            }
        }
    }

    return \@rules;
}

# Method: setInterface
#
#   Set interface for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   interface - interface name
#
sub setInterface
{
    my ($self, $interface) = @_;
    $self->{'interface'} = $interface;
}

# Method: interface
#
#   Return interface for rules
#
# Returns:
#
#   interface - the interface name set with setInterface, or undef
#
sub interface
{
    my ($self) = @_;

    if (exists $self->{'interface'}) {
        return $self->{'interface'};
    } else {
        return undef;
    }
}

# Method: setCustomService
#
#   Set a custom service for the rule
#
# Parameters:
#
#   (POSITIONAL)
#
#   extPort - external port
#   dstPort - destination port
#   protocol - protocol (tcp, udp, ...)
#   dstPortFilter - destination port to be used in filter table
sub setCustomService
{
    my ($self, $extPort, $dstPort, $protocol, $dstPortFilter) = @_;

    unless (defined($extPort)) {
        throw EBox::Exceptions::MissingArgument("extPort");
    }
    unless (defined($dstPort)) {
        throw EBox::Exceptions::MissingArgument("dstPort");
    }
    unless (defined($protocol)) {
        throw EBox::Exceptions::MissingArgument("protocol");
    }
    unless (defined($dstPortFilter)) {
        throw EBox::Exceptions::MissingArgument("dstPortFilter");
    }

    my $nat = "";
    my $filter = "";

    if ($protocol eq any ('tcp', 'udp', 'tcp/udp')) {
        if ($extPort ne 'any') {
            $nat .= " --dport $extPort";
        }
        if ($dstPort ne 'any') {
            $filter .= " --dport $dstPortFilter";
        }

        # Each entry is a [nat match, filter match] pair
        if ($protocol eq 'tcp/udp') {
            push (@{$self->{'service'}}, ["-p udp $nat", "-p udp $filter"]);
            push (@{$self->{'service'}}, ["-p tcp $nat", "-p tcp $filter"]);
        } else {
            push (@{$self->{'service'}}, [" -p $protocol $nat", " -p $protocol $filter"]);
        }
    } elsif ($protocol eq any ('gre', 'icmp', 'esp', 'ah', 'all')) {
        my $iptables = " -p $protocol";
        push (@{$self->{'service'}}, [$iptables, $iptables]);
    }
}

# Method: setLog
#
#   Set log flag for rules
#
# Parameters:
#
#   (POSITIONAL)
#
#   log - 1 to activate logging
#
sub setLog
{
    my ($self, $log) = @_;
    $self->{'log'} = $log;
}

# Method: setLogLevel
#
#   Sets syslog level for log rule
#
# Parameters:
#
#   (POSITIONAL)
#
#   level - log level
#
sub setLogLevel
{
    my ($self, $level) = @_;
    $self->{'log_level'} = $level;
}

sub setSNAT
{
    my ($self, $snat) = @_;
    $self->{snat} = $snat;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/RedirectsTable.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::RedirectsTable
#
package EBox::Firewall::Model::RedirectsTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Union::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::Port;
use EBox::Types::PortRange;
use EBox::Types::Union;
use EBox::Types::HostIP;
use EBox::Types::IPAddr;
use EBox::Sudo;

use strict;
use warnings;

use base 'EBox::Model::DataTable';

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

# Options for the interface selector: every interface known to the
# network module, labelled with its alias
sub interface
{
    my $net = EBox::Global->modInstance('network');
    my $ifaces = $net->allIfaces();
    my @options;
    foreach my $iface (@{$ifaces}) {
        push(@options, { 'value' => $iface,
                         'printableValue' => $net->ifaceAlias($iface) });
    }
    return \@options;
}

# Options for the protocol selector
sub protocol
{
    my @options = (
        { 'value' => 'tcp/udp', 'printableValue' => 'TCP/UDP' },
        { 'value' => 'tcp',     'printableValue' => 'TCP' },
        { 'value' => 'udp',     'printableValue' => 'UDP' },
        { 'value' => 'ah',      'printableValue' => 'AH' },
        { 'value' => 'esp',     'printableValue' => 'ESP' },
        { 'value' => 'gre',     'printableValue' => 'GRE' },
        { 'value' => 'icmp',    'printableValue' => 'ICMP' },
        { 'value' => 'all',     'printableValue' => 'All' },
    );
    return \@options;
}

sub objectModel
{
    return
        EBox::Global->modInstance('objects')->model('ObjectTable');
}

# Method: validateTypedRow
#
# Overrides:
#
#   EBox::Model::DataTable::validateTypedRow
#
# XXX Disabled until we make sure that we don't reject valid rules
sub validateTypedRowDisable
{
    my ($self, $action, $changedFields, $allFields) = @_;

    my $new_iface = $allFields->{interface};
    my $new_eport = $allFields->{external_port};
    my $new_protocol = $allFields->{protocol};
    my $new_source = $allFields->{source};

    # A new rule contradicts an existing one when interface, protocol,
    # port and source all overlap: the earlier DNAT rule would match first
    foreach my $id (@{$self->ids()}) {
        my $row = $self->row($id);

        if ($action eq 'update' and $id eq $changedFields->{id}) {
            next; # We must not check against the row that is being modified
        }

        my $iface = $row->elementByName('interface');
        my $eport = $row->elementByName('external_port');
        my $protocol = $row->elementByName('protocol');
        my $source = $row->elementByName('source');

        ($iface->value() eq $new_iface->value()) or next;
        $self->_sameProtocol($protocol->value(), $new_protocol->value()) or next;
        $self->_samePort($eport, $new_eport) or next;
        $self->_sameSource($source, $new_source) or next;

        throw EBox::Exceptions::External(__x('Contradictory rule found. Remove it first'));
    }
}

sub _sameProtocol
{
    my ($self, $protocol, $new_protocol) = @_;

    if ($protocol eq $new_protocol) {
        return 1;
    }
    # tcp/udp covers both single protocols
    if (($protocol eq 'tcp/udp') and
        (($new_protocol eq 'tcp') or ($new_protocol eq 'udp'))) {
        return 1;
    }
    if (($new_protocol eq 'tcp/udp') and
        (($protocol eq 'tcp') or ($protocol eq 'udp'))) {
        return 1;
    }
    return 0;
}

sub _samePort
{
    my ($self, $port, $new_port) = @_;

    if (($port->rangeType() eq 'any') or ($new_port->rangeType() eq 'any')) {
        return 1;
    }

    if ($port->rangeType() eq 'single') {
        if ($new_port->rangeType() eq 'single') {
            if ($port->single() == $new_port->single()) {
                return 1;
            }
        } elsif ($new_port->rangeType() eq 'range') {
            if (($port->single() >= $new_port->from()) and
                ($port->single() <= $new_port->to())) {
                return 1;
            }
        }
    } elsif ($port->rangeType() eq 'range') {
        if ($new_port->rangeType() eq 'single') {
            if (($new_port->single() >= $port->from()) and
                ($new_port->single() <= $port->to())) {
                return 1;
            }
        } elsif ($new_port->rangeType() eq 'range') {
            # Two ranges overlap iff each one starts before the other ends.
            # Checking only the new range's endpoints against the old range
            # would miss a new range that fully contains the old one.
            if (($new_port->from() <= $port->to()) and
                ($port->from() <= $new_port->to())) {
                return 1;
            }
        }
    }
    return 0;
}

sub _sameSource
{
    my ($self, $source, $new_source) = @_;

    if (($source->selectedType() eq 'source_any') or
        ($new_source->selectedType() eq 'source_any')) {
        return 1;
    }

    if (($source->selectedType() eq 'source_ipaddr') and
        ($new_source->selectedType() eq 'source_ipaddr')) {
        if ($source->value() eq $new_source->value()) {
            return 1;
        }
    }

    # Ignore source_object's because currently we don't have
    # a way to notice changes in object members.
    return 0;
}

# Method: _fieldDescription
#
#   Return the field description for a firewall redirect table. You have to
#   decide if you need destination, source, or both of them.
#
# Returns:
#
#     Array ref of objects derived from
#
sub _fieldDescription
{
    my ($self) = @_;

    my @tableHead;

    my $iface = new EBox::Types::Select(
        'fieldName'     => 'interface',
        'printableName' => __('Interface'),
        'populate'      => \&interface,
        'editable'      => 1);
    push (@tableHead, $iface);

    my $origDest = new EBox::Types::Union(
        'fieldName'     => 'origDest',
        'printableName' => __('Original destination'),
        'subtypes'      => [
            new EBox::Types::Union::Text(
                'fieldName'     => 'origDest_ebox',
                'printableName' => __('Zentyal')),
            new EBox::Types::IPAddr(
                'fieldName'     => 'origDest_ipaddr',
                'printableName' => __('IP Address'),
                'editable'      => 1,),
            new EBox::Types::Select(
                'fieldName'            => 'origDest_object',
                'printableName'        => __('Object'),
                'foreignModel'         => \&objectModel,
                'foreignField'         => 'name',
                'foreignNextPageField' => 'members',
                'editable'             => 1),
        ]);
    push (@tableHead, $origDest);

    my $protocol = new EBox::Types::Select(
        'fieldName'     => 'protocol',
        'printableName' => __('Protocol'),
        'populate'      => \&protocol,
        'editable'      => 1);
    push (@tableHead, $protocol);

    my $external_port = new EBox::Types::PortRange(
        'fieldName'     => 'external_port',
        'printableName' => __('Original destination port'),
        # FIXME: this usability improvement cannot be
        # implemented because PortRange type cannot be
        # optional, maybe we should fix viewCustomizer to
        # automatically ignore hidden values even
        # if not marked as optional
        #'defaultSelectedType' => 'single',
    );
    push (@tableHead, $external_port);

    my $source = new EBox::Types::Union(
        'fieldName'     => 'source',
        'printableName' => __('Source'),
        'subtypes'      => [
            new EBox::Types::Union::Text(
                'fieldName'     => 'source_any',
                'printableName' => __('Any')),
            new EBox::Types::IPAddr(
                'fieldName'     => 'source_ipaddr',
                'printableName' => __('Source IP'),
                'editable'      => 1,),
            new EBox::Types::Select(
                'fieldName'            => 'source_object',
                'printableName'        => __('Source object'),
                'foreignModel'         => \&objectModel,
                'foreignField'         => 'name',
                'foreignNextPageField' => 'members',
                'editable'             => 1),
        ],
        'unique'   => 1,
        'editable' => 1);
    push (@tableHead, $source);

    my $dest = new EBox::Types::HostIP(
        'fieldName'     => 'destination',
        'printableName' => __('Destination IP'),
        'editable'      => 1);
    push (@tableHead, $dest);

    my $dport = new EBox::Types::Union(
        'fieldName'     => 'destination_port',
        'printableName' => __('Port'),
        'subtypes'      => [
            new EBox::Types::Union::Text(
                'fieldName'     => 'destination_port_same',
                'printableName' => __('Same')),
            new EBox::Types::Port(
                'fieldName'     => 'destination_port_other',
                'printableName' => __('Other'),
                'editable'      => 1,)
        ],
        'editable' => 1);
    push (@tableHead, $dport);

    my $snat = new EBox::Types::Boolean(
        'fieldName'     => 'snat',
        'printableName' => __('Replace source address'),
        'editable'      => 1,
        'defaultValue'  => 1,
        'help'          => __(q{Replaces the original source address of the connection with the Zentyal's own address. This could be necessary when the destination does not have a return route or has restrictive firewall rules})
    );
    push (@tableHead, $snat);

    my $plog = new EBox::Types::Boolean(
        'fieldName'     => 'log',
        'printableName' => __('Log'),
        'editable'      => 1,
        'help'          => __('Log new forwarded connections'));
    push (@tableHead, $plog);

    my $desc = new EBox::Types::Text(
        'fieldName'     => 'description',
        'printableName' => __('Description'),
        'size'          => '32',
        'editable'      => 1,
        'optional'      => 1);
    push (@tableHead, $desc);

    return \@tableHead;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'RedirectsTable',
        'printableTableName' => __('List of forwarded ports'),
        'pageTitle'          => __('Port Forwarding'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/RedirectsTable',
        'defaultActions'     => [ 'add', 'del', 'editField', 'changeView', 'clone', 'move' ],
        'order'              => 1,
        'tableDescription'   => $self->_fieldDescription('source' => 1),
        'menuNamespace'      => 'Firewall/View/RedirectsTable',
        'printableRowName'   => __('forwarding'),
    };

    return $dataTable;
}

# Method: viewCustomizer
#
# Overrides:
#
#
sub viewCustomizer
{
    my ($self) = @_;

    my $customizer = $self->SUPER::viewCustomizer();

    # disable port selection in portless protocols
    my $portFields = [qw(external_port destination_port)];
    $customizer->setOnChangeActions({
        protocol => {
            'tcp/udp' => { show => $portFields },
            'tcp'     => { show => $portFields },
            'udp'     => { show => $portFields },
            'ah'      => { hide => $portFields },
            'esp'     => { hide => $portFields },
            'gre'     => { hide => $portFields },
            'icmp'    => { hide => $portFields },
            'all'     => { hide => $portFields },
        }
    });

    return $customizer;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/ToInternetRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::ToInternetRuleTable
#
# This class describes the model used to store rules to access Internet
# from internal networks
#
# Inherits from <EBox::Firewall::Model::BaseRuleTable> to fetch
# the field description
#
package EBox::Firewall::Model::ToInternetRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

use strict;
use warnings;

use base qw(EBox::Firewall::Model::BaseRuleTable);

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'ToInternetRuleTable',
        'printableTableName' => __('Internal networks'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/ToInternetRuleTable',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone' ],
        'tableDescription'   => $self->_fieldDescription('source' => 1, 'destination' => 1),
        'menuNamespace'      => 'Firewall/View/ToInternetRuleTable',
        'class'              => 'dataTable',
        'order'              => 1,
        'rowUnique'          => 0,
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/InternalToEBoxRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::InternalToEBoxRuleTable
#
# This class describes the model used to store rules to access
# services running on Zentyal from internal networks
#
# Inherits from <EBox::Firewall::Model::BaseRuleTable> to fetch
# the field description
#
package EBox::Firewall::Model::InternalToEBoxRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

use strict;
use warnings;

use base qw(EBox::Firewall::Model::BaseRuleTable);

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'InternalToEBoxRuleTable',
        'printableTableName' => __('Internal networks to Zentyal'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/InternalToEBoxRuleTable',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone' ],
        'tableDescription'   => $self->_fieldDescription('source' => 1),
        'menuNamespace'      => 'Firewall/View/InternalToEBoxRuleTable',
        'order'              => 1,
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/EBoxServicesRuleTable.pm
# Copyright (C) 2010-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::EBoxServicesRuleTable
#
# This class is used to enable or disable the rules automatically
# added by the eBox services implementing FirewallHelper.
#
package EBox::Firewall::Model::EBoxServicesRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Boolean;
use EBox::Types::Text;
use EBox::Iptables;

use strict;
use warnings;

use base 'EBox::Model::DataTable';

# Printable names for the chains the service modules add their rules to
my %RULE_TYPES = ('imodules'         => __('Input'),
                  'iexternalmodules' => __('External Input'),
                  'omodules'         => __('Output'),
                  'fmodules'         => __('Forward'),
                  'premodules'       => __('NAT prerouting'),
                  'postmodules'      => __('NAT postrouting'));

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

# Method: syncRows
#
# Overrides
#
sub syncRows
{
    my ($self, $currentRows) = @_;

    my $iptables = new EBox::Iptables();
    # Rules the modules want right now, keyed by the rule string
    my %newRules = map { $_->{'rule'} => $_ } @{$iptables->moduleRules()};
    # Rules already stored in the table, keyed by the rule string
    my %currentRules = map { $self->row($_)->valueByName('rule') => $_ } @{$currentRows};

    my $modified = 0;

    my @rulesToAdd = grep { not exists $currentRules{$_} } keys %newRules;
    my @rulesToDel = grep { not exists $newRules{$_} } keys %currentRules;

    foreach my $rule (@rulesToAdd) {
        my $module = $newRules{$rule}->{'module'}->{'printableName'};
        my ($table, $chain, $condition, $decision, $type);
        if ($rule =~ m/-A/) {
            # common firewall rule
            ($table, $chain, $condition, $decision) =
                $rule =~ /-t ([a-z]+) -A ([a-z]+) (.*) -j (.*)/;
            if (defined($RULE_TYPES{$chain})) {
                $type = $RULE_TYPES{$chain};
            } else {
                $type = $chain;
            }
        } else {
            # chain creation (-N) has no match condition or target
            ($table, $chain) = $rule =~ /-t ([a-z]+) -N ([a-z]+)/;
            $condition = '';
            $decision = $chain;
            $type = __('Chain creation');
        }
        $self->add(rule      => $rule,
                   type      => $type,
                   module    => $module,
                   condition => $condition,
                   decision  => $decision,
                  );
        $modified = 1;
    }

    foreach my $rule (@rulesToDel) {
        my $id = $currentRules{$rule};
        my $row = $self->row($id);
        $self->removeRow($id, 1);
        $modified = 1;
    }

    return $modified;
}

sub _table
{
    my ($self) = @_;

    my @tableHeader = (
        new EBox::Types::Text(
            'fieldName'     => 'rule',
            'printableName' => __('Rule'),
            'hidden'        => 1
        ),
        new EBox::Types::Boolean (
            'fieldName'     => 'enabled',
            'printableName' => __('Enabled'),
            'defaultValue'  => 1,
            'editable'      => 1
        ),
        new EBox::Types::Text(
            'fieldName'     => 'type',
            'printableName' => __('Type'),
            'editable'      => 0
        ),
        new EBox::Types::Text(
            'fieldName'     => 'module',
            'printableName' => __('Module'),
            'editable'      => 0
        ),
        new EBox::Types::Text(
            'fieldName'     => 'condition',
            'printableName' => __('Condition'),
            'editable'      => 0
        ),
        new EBox::Types::Text(
            'fieldName'     => 'decision',
            'printableName' => __('Decision'),
            'editable'      => 0
        ),
    );

    my $dataTable = {
        'tableName'          => 'EBoxServicesRuleTable',
        'printableTableName' => __('Rules added by Zentyal services (Advanced)'),
        'automaticRemove'    => 1,
        'sortedBy'           => 'type',
        'defaultController'  => '/Firewall/Controller/EBoxServicesRuleTable',
        'defaultActions'     => [ 'editField', 'changeView' ],
        'tableDescription'   => \@tableHeader,
        'menuNamespace'      => 'Firewall/View/EBoxServicesRuleTable',
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

# Method: viewCustomizer
#
# Overrides
# to show breadcrumbs
#
sub viewCustomizer
{
    my ($self) = @_;

    my $custom = $self->SUPER::viewCustomizer();
    $custom->setHTMLTitle([
        {
            title => __('Packet Filter'),
            link  => '/Firewall/Filter',
        },
        {
            title => $self->printableName(),
            link  => ''
        }
    ]);

    return $custom;
}

sub headTitle
{
    return __d('Configure Rules', 'ebox-firewall');
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/SNAT.pm
# Copyright (C) 2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

use strict;
use warnings;

package EBox::Firewall::Model::SNAT;

use base 'EBox::Model::DataTable';

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Union::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::Port;
use EBox::Types::PortRange;
use EBox::Types::Union;
use EBox::Types::HostIP;
# Both types are instantiated in _fieldDescription below and must be loaded
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchSelect;
use EBox::Sudo;

sub interfacePopulateSub
{
    my ($self) = @_;

    my $net = $self->global()->modInstance('network');
    return sub {
        my $ifaces = $net->allIfaces();
        my @options;
        foreach my $iface (@{$ifaces}) {
            push(@options, { 'value' => $iface, 'printableValue' => $net->ifaceAlias($iface) });
        }
        return \@options;
    }
}

# Method: _fieldDescription
#
# Return the field description for the SNAT table. You have to
# decide if you need destination, source, or both of them.
#
# Returns:
#
#     Array ref of objects derived from
#
sub _fieldDescription
{
    my ($self) = @_;

    my @tableHead;

    my $snat = new EBox::Types::HostIP(
        'fieldName'     => 'snat',
        'printableName' => __('SNAT address'),
        'editable'      => 1,
        'help'          => __()
    );
    push (@tableHead, $snat);

    my $iface = new EBox::Types::Select(
        'fieldName'     => 'interface',
        'printableName' => __('Outgoing interface'),
        'populate'      => $self->interfacePopulateSub,
        'editable'      => 1);
    push (@tableHead, $iface);

    my $source = new EBox::Types::Union(
        'fieldName'     => 'source',
        'printableName' => __('Source'),
        'subtypes'      => [
            new EBox::Types::Union::Text(
                'fieldName'     => 'source_any',
                'printableName' => __('Any')),
            new EBox::Types::IPAddr(
                'fieldName'     => 'source_ipaddr',
                'printableName' => __('Source IP'),
                'editable'      => 1,),
            new EBox::Types::Select(
                'fieldName'            => 'source_object',
                'printableName'        => __('Source object'),
                'foreignModel'         => $self->modelGetter('objects', 'ObjectTable'),
                'foreignField'         => 'name',
                'foreignNextPageField' => 'members',
                'editable'             => 1),
        ],
        'unique'   => 1,
        'editable' => 1);
    push (@tableHead, $source);

    my $destination = new EBox::Types::Union(
        'fieldName'     => 'destination',
        'printableName' => __('Destination'),
        'subtypes'      => [
            new EBox::Types::Union::Text(
                'fieldName'     => 'destination_any',
                'printableName' => __('Any')),
            new EBox::Types::IPAddr(
                'fieldName'     => 'destination_ipaddr',
                'printableName' => __('IP Address'),
                'editable'      => 1,),
            new EBox::Types::Select(
                'fieldName'            => 'destination_object',
                'printableName'        => __('Object'),
                'foreignModel'         => $self->modelGetter('objects', 'ObjectTable'),
                'foreignField'         => 'name',
                'foreignNextPageField' => 'members',
                'editable'             => 1),
        ]);
    push (@tableHead, $destination);

    my $service = new EBox::Types::InverseMatchSelect(
        'fieldName'            => 'service',
        'printableName'        => __('Service'),
        'foreignModel'         => $self->modelGetter('services', 'ServiceTable'),
        'foreignField'         => 'printableName',
        'foreignNextPageField' => 'configuration',
        'editable'             => 1,
        'help'                 => __('If inverse match is ticked, any ' .
                                     'service but the selected one will match this rule')
    );
    push (@tableHead, $service);

    my $plog = new EBox::Types::Boolean(
        'fieldName'     => 'log',
        'printableName' => __('Log'),
        'editable'      => 1,
        'help'          => __('Log new forwarded connections'));
    push (@tableHead, $plog);

    my $desc = new EBox::Types::Text(
        'fieldName'     => 'description',
        'printableName' => __('Description'),
        'size'          => '32',
        'editable'      => 1,
        'optional'      => 1);
    push (@tableHead, $desc);

    return \@tableHead;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'SNAT',
        'printableTableName' => __('Source Network Address Translation rules'),
        'pageTitle'          => __('SNAT'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/SNAT',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone', ],
        'order'              => 1,
        'tableDescription'   => $self->_fieldDescription(),
        'menuNamespace'      => 'Firewall/View/SNAT',
        'printableRowName'   => __('SNAT rule'),
    };

    return $dataTable;
}

sub usesIface
{
    my ($self, $iface) = @_;

    my $row = $self->find(interface => $iface);
    return $row ? 1 : 0;
}

sub freeIface
{
    my ($self, $iface) = @_;

    $self->_removeIfaceRules($iface);
}

sub freeViface
{
    my ($self, $iface, $viface) = @_;

    $self->_removeIfaceRules("$iface:$viface");
}

sub _removeIfaceRules
{
    my ($self, $iface) = @_;

    my @idsToRemove = $self->findAll(interface => $iface);
    foreach my $id (@idsToRemove) {
        $self->removeRow($id);
    }
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/PacketTrafficDetails.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::Firewall::Model::PacketTrafficDetails;
use base 'EBox::Logs::Model::Details';

use strict;
use warnings;

use EBox::Gettext;
use EBox::Types::Int;
# _table instantiates this type, so it has to be loaded here
use EBox::Types::Text;

sub new
{
    my $class = shift @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub dbFields
{
    my ($package) = @_;

    return {
        drop => {
            printableName => __('packets dropped'),
        },
    };
}

sub _table
{
    my $tableHead = [
        new EBox::Types::Text(
            'fieldName'     => 'date',
            'printableName' => __('Date'),
            'size'          => '12',
            editable        => 0,
        ),
        new EBox::Types::Int(
            fieldName     => 'drop',
            printableName => __('Packets dropped'),
            editable      => 0,
        ),
    ];

    my $dataTable = {
        'tableName'          => __PACKAGE__->tableName(),
        'printableTableName' => __('Packet traffic details'),
        'defaultActions'     => [ 'changeView', 'editField' ],
        'defaultController'  => '/Firewall/Controller/PacketTrafficReport',
        'tableDescription'   => $tableHead,
        'class'              => 'dataTable',
        'order'              => 0,
        'rowUnique'          => 0,
        'printableRowName'   => __('traffic'),
        'sortedBy'           => 'date',
        'withoutActions'     => 1,
    };

    return $dataTable;
}

sub dbTableName
{
    return 'firewall_packet_traffic';
}

sub tableName
{
    return 'PacketTrafficDetails';
}

sub timePeriod
{
    my ($self) = @_;

    my $model = $self->{confmodule}->{PacketTrafficReportOptions};
    my $row = $model->row();

    return $row->valueByName('timePeriod');
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/ExternalToInternalRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::ExternalToInternalRuleTable
#
# This class describes the model used to store rules to access
# internal networks from external networks.
#
# Inherits from <EBox::Firewall::Model::BaseRuleTable> to fetch
# the field description
#
package EBox::Firewall::Model::ExternalToInternalRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Union::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

use strict;
use warnings;

use base qw(EBox::Firewall::Model::BaseRuleTable);

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'ExternalToInternalRuleTable',
        'printableTableName' => __('External networks to internal networks'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/ExternalToInternalRuleTable',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone' ],
        'tableDescription'   => $self->_fieldDescription('source' => 1, 'destination' => 1),
        'menuNamespace'      => 'Firewall/View/ExternalToInternalRuleTable',
        'class'              => 'dataTable',
        'order'              => 1,
        'rowUnique'          => 0,
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/BaseRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::BaseRuleTable
#
# This class is used as a base for firewall models, as they are pretty
# similar. All of them use objects, services, and decisions.
#
# The only difference is which kind of table they define. Tables used
# to filter traffic from and to eBox do not need a destination field.
#
# You must use _fieldDescription to decide if you want to have
# a destination field.
#
use strict;
use warnings;

package EBox::Firewall::Model::BaseRuleTable;

use base 'EBox::Model::DataTable';

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Union::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::MACAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub decision
{
    my @options = ({ 'value' => 'accept', 'printableValue' => __('ACCEPT') },
                   { 'value' => 'deny',   'printableValue' => __('DENY') },
                   { 'value' => 'log',    'printableValue' => __('LOG') });
    return \@options;
}

# Method: _fieldDescription
#
# Return the field description for a firewall rule table. You have to
# decide if you need destination, source, or both of them.
#
# Parameters:
#
#     (NAMED)
#
#     destination - boolean to indicate you need a destination field
#     source - boolean to indicate you need a source field
#
# Returns:
#
#     Array ref of objects derived from
#
sub _fieldDescription
{
    my ($self, %params) = @_;

    my @tableHead = (
        new EBox::Types::Select(
            'fieldName'     => 'decision',
            'printableName' => __('Decision'),
            'populate'      => \&decision,
            'HTMLViewer'    => '/firewall/ajax/viewer/fwDecisionViewer.mas',
            'editable'      => 1
        ));

    if ($params{'source'}) {
        my $source = new EBox::Types::InverseMatchUnion(
            'fieldName'     => 'source',
            'printableName' => __('Source'),
            'subtypes'      => [
                new EBox::Types::Union::Text(
                    'fieldName'     => 'source_any',
                    'printableName' => __('Any')),
                new EBox::Types::IPAddr(
                    'fieldName'     => 'source_ipaddr',
                    'printableName' => __('Source IP'),
                    'editable'      => 1,),
                new EBox::Types::MACAddr(
                    'fieldName'     => 'source_macaddr',
                    'printableName' => __('Source MAC'),
                    'editable'      => 1,),
                new EBox::Types::Select(
                    'fieldName'            => 'source_object',
                    'printableName'        => __('Source object'),
                    'foreignModel'         => $self->modelGetter('objects', 'ObjectTable'),
                    'foreignField'         => 'name',
                    'foreignNextPageField' => 'members',
                    'editable'             => 1),
            ],
            'unique'   => 1,
            'editable' => 1
        );
        push (@tableHead, $source);
    }

    if ($params{'destination'}) {
        my $dest = new EBox::Types::InverseMatchUnion(
            'fieldName'     => 'destination',
            'printableName' => __('Destination'),
            'subtypes'      => [
                new EBox::Types::Union::Text(
                    'fieldName'     => 'destination_any',
                    'printableName' => __('Any')),
                new EBox::Types::IPAddr(
                    'fieldName'     => 'destination_ipaddr',
                    'printableName' => __('Destination IP'),
                    'editable'      => 1),
                new EBox::Types::Select(
                    'fieldName'            => 'destination_object',
                    'printableName'        => __('Destination object'),
                    'foreignModel'         => $self->modelGetter('objects', 'ObjectTable'),
                    'foreignField'         => 'name',
                    'foreignNextPageField' => 'members',
                    'editable'             => 1),
            ],
            'unique'   => 1,
            'editable' => 1
        );
        push (@tableHead,
              $dest);
    }

    push (@tableHead,
          new EBox::Types::InverseMatchSelect(
              'fieldName'            => 'service',
              'printableName'        => __('Service'),
              'foreignModel'         => $self->modelGetter('services', 'ServiceTable'),
              'foreignField'         => 'printableName',
              'foreignNextPageField' => 'configuration',
              'editable'             => 1,
              'help'                 => __('If inverse match is ticked, any ' .
                                           'service but the selected one will match this rule')
          ),
          new EBox::Types::Text(
              'fieldName'     => 'description',
              'printableName' => __('Description'),
              'size'          => '32',
              'editable'      => 1,
              'optional'      => 1,
          ),
    );

    return \@tableHead;
}

# Method: viewCustomizer
#
# Overrides
# to show breadcrumbs
#
sub viewCustomizer
{
    my ($self) = @_;

    my $custom = $self->SUPER::viewCustomizer();
    $custom->setHTMLTitle([
        {
            title => __('Packet Filter'),
            link  => '/Firewall/Filter',
        },
        {
            title => $self->printableName(),
            link  => ''
        }
    ]);

    return $custom;
}

sub headTitle
{
    return __d('Configure Rules', 'ebox-firewall');
}

sub validateTypedRow
{
    my ($self, $action, $params_r, $actual_r) = @_;

    # An inverted 'Any' address would match nothing, so reject it
    my @addrsParams = qw(source destination);
    foreach my $addrParam (@addrsParams) {
        if ($params_r->{$addrParam}) {
            my $addrElement = $params_r->{$addrParam};
            if ($addrElement->inverseMatch()) {
                my $anyType = $addrParam . '_any';
                if ($addrElement->selectedType() eq $anyType) {
                    throw EBox::Exceptions::External(
                        __x(q{'Any' {addr} cannot have an inverse match},
                            addr => $addrElement->printableName()
                           )
                    );
                }
            }
        }
    }

    if ($params_r->{service}) {
        my $service = $params_r->{service};
        # don't allow inverse match of any service
        if ($service->inverseMatch()) {
            my $serviceTable = $self->global()->modInstance('services')->model('ServiceTable');
            my $serviceId = $service->value();
            if ($serviceId eq $serviceTable->serviceForAnyConnectionId('tcp/udp')) {
                throw EBox::Exceptions::External(
                    __(q{'Any' service cannot have an inverse match})
                );
            }
        }
    }
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/ExternalToEBoxRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::ExternalToEBoxRuleTable
#
# This class describes the model used to store rules to access
# services running on Zentyal from external networks.
#
# Inherits from <EBox::Firewall::Model::BaseRuleTable> to fetch
# the field description
#
package EBox::Firewall::Model::ExternalToEBoxRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Union::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

use strict;
use warnings;

use base qw(EBox::Firewall::Model::BaseRuleTable);

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'ExternalToEBoxRuleTable',
        'printableTableName' => __('External networks to Zentyal'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/ExternalToEBoxRuleTable',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone' ],
        'tableDescription'   => $self->_fieldDescription('source' => 1),
        'menuNamespace'      => 'Firewall/View/ExternalToEBoxRuleTable',
        'class'              => 'dataTable',
        'order'              => 1,
        'rowUnique'          => 0,
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/PacketTrafficReportOptions.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::Firewall::Model::PacketTrafficReportOptions;
use base 'EBox::Logs::Model::OptionsBase';

use strict;
use warnings;

sub new
{
    my $class = shift;

    my $self = $class->SUPER::new(@_);
    bless $self, $class;

    return $self;
}

sub tableName
{
    return 'PacketTrafficReportOptions';
}

sub modelDomain
{
    return 'Firewall';
}

sub reportUrl
{
    return '/Firewall/Composite/PacketTrafficReport';
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/EBoxOutputRuleTable.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::Model::EBoxOutputRuleTable
#
# This class describes the model used to store rules to allow Zentyal to
# access external services
#
# Inherits from <EBox::Firewall::Model::BaseRuleTable> to fetch
# the field description
#
package EBox::Firewall::Model::EBoxOutputRuleTable;

use EBox::Global;
use EBox::Gettext;
use EBox::Validate qw(:all);
use EBox::Exceptions::External;
use EBox::Types::Text;
use EBox::Types::Boolean;
use EBox::Types::Select;
use EBox::Types::InverseMatchSelect;
use EBox::Types::IPAddr;
use EBox::Types::InverseMatchUnion;
use EBox::Sudo;

use strict;
use warnings;

use base qw(EBox::Firewall::Model::BaseRuleTable);

sub new
{
    my $class = shift;
    my %parms = @_;

    my $self = $class->SUPER::new(@_);
    bless($self, $class);

    return $self;
}

sub _table
{
    my ($self) = @_;

    my $dataTable = {
        'tableName'          => 'EBoxOutputRuleTable',
        'printableTableName' => __('Traffic coming out from Zentyal'),
        'automaticRemove'    => 1,
        'defaultController'  => '/Firewall/Controller/EBoxOutputRuleTable',
        'defaultActions'     => [ 'add', 'del', 'move', 'editField', 'changeView', 'clone' ],
        'tableDescription'   => $self->_fieldDescription('destination' => 1),
        'menuNamespace'      => 'Firewall/View/EBoxOutputRuleTable',
        'order'              => 1,
        'printableRowName'   => __('rule'),
    };

    return $dataTable;
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/Model/PacketTrafficGraph.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::Firewall::Model::PacketTrafficGraph;
use base 'EBox::Logs::Model::Graph';

use strict;
use warnings;

use EBox::Gettext;
use Error qw(:try);

sub new
{
    my $class = shift;

    my $self = $class->SUPER::new(@_);
    bless $self, $class;

    return $self;
}

sub dbTableName
{
    return 'firewall_packet_traffic';
}

sub dbFields
{
    my ($package) = @_;

    return {
        drop => {
            printableName => __('packets dropped'),
        },
    };
}

sub altText
{
    return __('Firewall packet traffic chart');
}

# Method: _table
#
# The table description which consists of three fields:
#
# You can only edit enabled and configuration fields. The event
# name and description are read-only fields.
#
sub _table
{
    my $dataTable = {
        tableDescription   => [],
        tableName          => 'PacketTrafficGraph',
        printableTableName => __('Packet traffic'),
        modelDomain        => 'Firewall',
        # help => __(''),
        defaultActions     => [ 'editField', 'changeView', ],
        messages           => {
            'add'      => undef,
            'del'      => undef,
            'update'   => undef,
            'moveUp'   => undef,
            'moveDown' => undef,
        }
    };

    return $dataTable;
}

sub tableName
{
    return 'PacketTrafficGraph';
}

sub timePeriod
{
    my ($self) = @_;

    my $model = $self->{confmodule}->{PacketTrafficReportOptions};
    my $row = $model->row();

    return $row->valueByName('timePeriod');
}

1;

# File: zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall/IptablesHelper.pm
# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

# Class: EBox::Firewall::IptablesHelper
#
#   This class is used to build iptables rules based on the data
#   stored in the firewall models, namely:
#
#
#   It uses to assist with rules creation
#
package EBox::Firewall::IptablesHelper;

use warnings;
use strict;

use EBox::Global;
use EBox::Model::Manager;
use EBox::Firewall::IptablesRule;
use EBox::Firewall::IptablesRedirectRule;
use EBox::Firewall::IptablesRule::SNAT;
use EBox::Types::IPAddr;
use EBox::Exceptions::Internal;

sub new
{
    my $class = shift;
    my %opts = @_;

    my $self = {};
    $self->{'manager'} = EBox::Model::Manager->instance();
    $self->{firewall} = EBox::Global->modInstance('firewall');
    bless($self, $class);

    return $self;
}

# Method: ToInternetRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub ToInternetRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('ToInternetRuleTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get ToInternetRuleTableModel");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule(
                'table' => 'filter', 'chain' => 'fglobal');
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addAddressToRule($rule, $row, 'destination');
        $self->_addServiceToRule($rule, $row);
        $self->_addDecisionToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: ExternalToInternalRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub ExternalToInternalRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('ExternalToInternalRuleTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get ExternalToInternalRuleTableModel");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule(
                'table' => 'filter', 'chain' => 'ffwdrules');
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addAddressToRule($rule, $row, 'destination');
        $self->_addServiceToRule($rule, $row);
        $self->_addDecisionToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: InternalToEBoxRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub InternalToEBoxRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('InternalToEBoxRuleTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get InternalToEBoxRuleTableModel");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule(
                'table' => 'filter', 'chain' => 'iglobal');
        $rule->setState('new' => 1);
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addServiceToRule($rule, $row);
        $self->_addDecisionToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: ExternalToEBoxRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub ExternalToEBoxRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('ExternalToEBoxRuleTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get ExternalToEBoxRuleTableModel");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule(
                'table' => 'filter', 'chain' => 'iexternal');
        $rule->setState('new' => 1);
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addServiceToRule($rule, $row);
        $self->_addDecisionToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: EBoxOutputRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub EBoxOutputRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('EBoxOutputRuleTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get EBoxOutputRuleTableModel");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule(
                'table' => 'filter', 'chain' => 'oglobal');
        $rule->setState('new' => 1);
        $self->_addAddressToRule($rule, $row, 'destination');
        $self->_addServiceToRule($rule, $row);
        $self->_addDecisionToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: RedirectsRuleTable
#
#   Return iptables rules from
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub RedirectsRuleTable
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('RedirectsTable');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get RedirectsTable Model");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRedirectRule();
        $rule->setState('new' => 1);
        $self->_addIfaceToRule($rule, $row);
        $self->_addOrigAddressToRule($rule, $row);
        $self->_addCustomServiceToRule($rule, $row);
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addDestinationToRule($rule, $row);
        $self->_addSNATToRule($rule, $row);
        $self->_addLoggingToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Method: SNATRules
#
#   Return iptables rules from the SNAT model
#
# Returns:
#
#   Array ref of strings containing iptables rules
sub SNATRules
{
    my ($self) = @_;

    my $model = $self->{'manager'}->model('SNAT');
    defined($model) or throw EBox::Exceptions::Internal(
            "Can't get SNAT Model");

    my @rules;
    for my $id (@{$model->ids()}) {
        my $row = $model->row($id);
        my $rule = new EBox::Firewall::IptablesRule::SNAT();
        $rule->setState('new' => 1);
        $self->_addIfaceToRule($rule, $row);
        $self->_addServiceToRule($rule, $row);
        $self->_addAddressToRule($rule, $row, 'source');
        $self->_addAddressToRule($rule, $row, 'destination');
        $self->_addSNATToRule($rule, $row);
        $self->_addLoggingToRule($rule, $row);
        push (@rules, @{$rule->strings()});
    }

    return \@rules;
}

# Set the original destination of a redirect rule: either the address of
# the selected interface (origDest_ebox), a literal address or an object
sub _addOrigAddressToRule
{
    my ($self, $rule, $row) = @_;

    my %params;
    my $addr = $row->elementByName('origDest');
    my $type = $addr->selectedType();
    if ($type eq 'origDest_ebox') {
        my $iface = $row->valueByName('interface');
        my $netModule = EBox::Global->modInstance('network');
        my $extaddr;
        my $method = $netModule->ifaceMethod($iface);
        if (($method eq 'dhcp') or ($method eq 'ppp')) {
            $extaddr = $netModule->DHCPAddress($iface);
        } elsif ($method eq 'static') {
            $extaddr = $netModule->ifaceAddress($iface);
        }
        # Interface has no address yet (e.g. DHCP lease not obtained):
        # no destination match can be built, so leave the rule untouched
        unless (defined($extaddr) and length($extaddr) > 0) {
            return;
        }
        my $addr = new EBox::Types::IPAddr(fieldName => 'ip');
        $addr->setValue("$extaddr/32");
        $params{'destinationAddress'} = $addr;
    } else {
        if ($type eq 'origDest_ipaddr') {
            $params{'destinationAddress'} = $addr->subtype();
        } elsif ($type eq 'origDest_object') {
            $params{'destinationObject'} = $addr->value();
        }
        if ($addr->isa('EBox::Types::InverseMatchUnion')) {
            $params{'inverseMatch'} = $addr->inverseMatch();
        }
    }
    $rule->setDestinationAddress(%params);
}

sub _addAddressToRule
{
    my ($self, $rule, $row, $address) = @_;

    my %params;
    my $addr = $row->elementByName($address);
    # TODO: It would be nice to have another class to translate
    # eBox types to iptables params to avoid these checks
    if ($addr->isa('EBox::Types::Union')) {
        my $type = $addr->selectedType();
        if ($type eq $address . '_ipaddr') {
            $params{$address . 'Address'} = $addr->subtype();
        } elsif ($type eq $address . '_macaddr') {
            # $params{$address . 'MAC'} = $addr->subtype();
            $params{$address . 'Address'} = $addr->subtype();
        } elsif ($type eq $address . '_object') {
            $params{$address . 'Object'} = $addr->value();
        }
        if ($addr->isa('EBox::Types::InverseMatchUnion')) {
            $params{'inverseMatch'} = $addr->inverseMatch();
        }
    } else {
        $params{$address . 'Address'} = $addr;
    }

    if ($address eq 'source') {
        $rule->setSourceAddress(%params);
    } else {
        $rule->setDestinationAddress(%params);
    }
}

sub _addServiceToRule
{
    my ($self, $rule, $row) = @_;

    my $service = $row->elementByName('service');
    $rule->setService($service->value(), $service->inverseMatch());
}

sub _addIfaceToRule
{
    my ($self, $rule, $row) = @_;

    my $interface = $row->elementByName('interface');
    $rule->setInterface($interface->value());
}

# Build the custom service of a redirect rule from the external port
# (single, range or any) and the destination port (same as external,
# or an explicit port that is shifted over the same range length)
sub _addCustomServiceToRule
{
    my ($self, $rule, $row) = @_;

    my ($extPort, $extPortValue, $dstPort, $dstPortValue, $dstPortFilter);
    $extPort = $row->elementByName('external_port');
    $extPortValue = $extPort->value();
    $dstPort = $row->elementByName('destination_port');
    if ($dstPort->selectedType() eq 'destination_port_same') {
        if ($extPort->rangeType() eq 'range') {
            $dstPortValue = $extPort->from();
            $dstPortFilter = $extPort->from() . ':' . $extPort->to();
        } else {
            $dstPortValue = $extPort->value(); # 'any' or single()
            $dstPortFilter = $extPort->value();
        }
    } else {
        $dstPortValue = $dstPort->value();
        if ($extPort->rangeType() eq 'range') {
            my $endValue = $dstPortValue + ($extPort->to() - $extPort->from());
            $dstPortFilter = "$dstPortValue:$endValue";
        } else {
            $dstPortFilter = $dstPortValue;
        }
    }
    my $protocol = $row->elementByName('protocol')->value();
    $rule->setCustomService($extPortValue, $dstPortValue, $protocol, $dstPortFilter);
}

sub _addDestinationToRule
{
    my ($self, $rule, $row) = @_;

    my $dstAddr = $row->elementByName('destination')->value();
    my $dstPort = undef;
    my $dstPortElement = $row->elementByName('destination_port');
    if ($dstPortElement->selectedType() eq 'destination_port_other') {
        $dstPort = $dstPortElement->value();
    }
    $rule->setDestination($dstAddr, $dstPort);
}

sub _addDecisionToRule
{
    my ($self, $rule, $row) = @_;

    my $decision = $row->valueByName('decision');
    if ($decision eq 'accept') {
        $rule->setDecision('ACCEPT');
    } elsif ($decision eq 'deny') {
        $rule->setDecision('drop');
    } elsif ($decision eq 'log') {
        $rule->setDecision('log');
    }
}

sub _addSNATToRule
{
    my ($self, $rule, $row) = @_;

    my $snat = $row->elementByName('snat');
    $rule->setSNAT($snat->value());
}

# Logging for redirect rules
sub _addLoggingToRule
{
    my ($self, $rule, $row) = @_;

    my $log = $row->valueByName('log');
    # Per-rule logging only takes effect when logging is enabled globally
    $rule->setLog($self->{firewall}->logging() && $log);
    # SYSLOG_LEVEL is a constant of EBox::Iptables, which loads this helper
    $rule->setLogLevel(EBox::Iptables->SYSLOG_LEVEL);
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/CGI/Filter.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::CGI::Firewall::Filter;

use strict;
use warnings;

use base 'EBox::CGI::ClientBase';

use EBox::Gettext;
use EBox::Config;

sub new # (error=?, msg=?, cgi=?)
{
    my $class = shift;

    my $self = $class->SUPER::new('title' => ('Packet Filter'),
                                  'template' => '/firewall/filter.mas',
                                  @_);
    # The config key may be absent; only an explicit 'yes' hides the images
    my $hideImages = EBox::Config::configkey('hide_firewall_images');
    if (defined($hideImages) and $hideImages eq 'yes') {
        $self->{params} = [ showImages => 0 ];
    }
    bless($self, $class);

    return $self;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/FirewallHelper.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::FirewallHelper;

use strict;
use warnings;

use EBox::Global;
use EBox::Gettext;

sub new
{
    my $class = shift;

    my $self = {};
    $self->{net} = EBox::Global->modInstance('network');
    bless($self, $class);

    return $self;
}

# Method: prerouting
#
#   Rules returned by this method are added to the PREROUTING chain in
#   the NAT table. You can use them to do NAT on the destination
#   address of packets.
#
# Returns:
#
#   array ref - containing prerouting rules
sub prerouting
{
    return [];
}

# Method: postrouting
#
#   Rules returned by this method are added to the POSTROUTING chain in
#   the NAT table. You can use them to do NAT on the source
#   address of packets.
#
# Returns:
#
#   array ref - containing postrouting rules
sub postrouting
{
    return [];
}

# Method: forward
#
#   Rules returned by this method are added to the FORWARD chain in
#   the filter table. You can use them to filter packets passing through
#   the firewall.
#
# Returns:
#
#   array ref - containing forward rules
sub forward
{
    return [];
}

# Method: forwardNoSpoof
#
#   Rules returned by this method are added to the fnospoofmodules chain in
#   the filter table. You can use them to add exceptions on the default
#   source checking in the firewall. This is mainly used by IPsec special
#   routing rules.
#
# Returns:
#
#   array ref - containing forward no spoof rules
sub forwardNoSpoof
{
    return [];
}

# Method: input
#
#   Rules returned by this method are added to the INPUT chain for INTERNAL ifaces in
#   the filter table. You can use them to filter packets directed at
#   the firewall itself.
#
# Returns:
#
#   array ref - containing input rules
sub input
{
    return [];
}

# Method: inputNoSpoof
#
#   Rules returned by this method are added to the inospoofmodules chain in
#   the filter table. You can use them to add exceptions on the default
#   source checking in the firewall. This is mainly used by IPsec special
#   routing rules.
#
# Returns:
#
#   array ref - containing input no spoof rules
sub inputNoSpoof
{
    return [];
}

# Method: output
#
#   Rules returned by this method are added to the OUTPUT chain in
#   the filter table. You can use them to filter packets originated
#   within the firewall.
#
# Returns:
#
#   array ref - containing output rules
sub output
{
    return [];
}

# Method: externalInput
#
#   Rules returned by this method are added to the INPUT for EXTERNAL interfaces chain in
#   the filter table. You can use them to filter packets directed at
#   the firewall itself.
#
# Returns:
#
#   array ref - containing input rules
sub externalInput
{
    return [];
}

# Method: chains
#
#   Chains returned by this method are created and can be referenced on this helper
#   defined rules
#
# Returns:
#
#   hash ref - containing table-chain name pairs. Example:
#   { nat => ['chain1', 'chain2'], filter => ['chain3'] }
sub chains
{
    return {};
}

# Method: _outputIface
#
#   Returns iptables rule part for output interface selection
#   If the interface is a bridge port it matches the whole bridge (brX)
#
# Parameters:
#
#   Iface - Iface name
#
sub _outputIface # (iface)
{
    my ($self, $iface) = @_;

    if ($self->{net}->ifaceExists($iface) and
        $self->{net}->ifaceMethod($iface) eq 'bridged') {
        my $br = $self->{net}->ifaceBridge($iface);
        return "-o br$br";
    } else {
        return "-o $iface";
    }
}

# Method: _inputIface
#
#   Returns iptables rule part for input interface selection
#   Takes into account if the iface is part of a bridge
#
# Parameters:
#
#   Iface - Iface name
#
sub _inputIface # (iface)
{
    my ($self, $iface) = @_;

    if ($self->{net}->ifaceExists($iface) and
        $self->{net}->ifaceMethod($iface) eq 'bridged') {
        return "-m physdev --physdev-in $iface";
    } else {
        return "-i $iface";
    }
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Iptables.pm

#
Copyright (C) 2008-2012 eBox Technologies S.L. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License, version 2, as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA package EBox::Iptables; # Package to manage iptables command utility # private functions will return references to sets of commands to be run # instead of running the commands themselves use strict; use warnings; use EBox; use EBox::Firewall; use EBox::Config; use EBox::Global; use EBox::Gettext; use EBox::Objects; use EBox::Network; use EBox::Firewall::IptablesHelper; use EBox::Exceptions::External; use EBox::Exceptions::Internal; use Error qw( :try ); use Perl6::Junction qw( any ); use EBox::Sudo; my $statenew = " -m state --state NEW "; use constant IPT_MODULES => ('ip_conntrack_ftp', 'ip_nat_ftp', 'ip_conntrack_tftp'); use constant SYSLOG_LEVEL => 7; # Constructor: new # # Create a new EBox::Iptables object # # Returns: # # A recently created EBox::Iptables object sub new { my $class = shift; my $self = {}; $self->{firewall} = EBox::Global->modInstance('firewall'); $self->{objects} = EBox::Global->modInstance('objects'); $self->{net} = EBox::Global->modInstance('network'); bless($self, $class); return $self; } # Method: pf # # Execute iptables command with options # # Parameters: # # opts - options passed to iptables # # Returns: # # array ref - the output of iptables command in an array # sub pf # (options) { my ($opts) = @_; return "/sbin/iptables $opts"; } # Method: _startIPForward # # 
Change kernel to do IPv4 forwarding (default) # # Returns: # # array ref - the output of sysctl command in an array # sub _startIPForward { return [ '/sbin/sysctl -q -w net.ipv4.ip_forward="1"' ]; } # Method: _stopIPForward # # Change kernel to stop doing IPv4 forwarding # # Returns: # # array ref - the output of sysctl command in an array # sub _stopIPForward { return [ '/sbin/sysctl -q -w net.ipv4.ip_forward="0"' ]; } # Method: _setKernelParameters # # Set kernel parameters for increased security # # Returns: # # array ref - the output of sysctl command in an array # sub _setKernelParameters { my @commands; # enable TCP SYN cookie protection push(@commands, '/sbin/sysctl -q -w net.ipv4.tcp_syncookies="1"'); # don't log spoofed, source-routed, or redirect packets push(@commands, '/sbin/sysctl -q -w net.ipv4.conf.all.log_martians="0"'); # disable ICMP redirects push(@commands, '/sbin/sysctl -q -w net.ipv4.conf.all.accept_redirects="0"'); push(@commands, '/sbin/sysctl -q -w net.ipv4.conf.all.send_redirects="0"'); # drop source-routed packets push(@commands, '/sbin/sysctl -q -w net.ipv4.conf.all.accept_source_route="0"'); # enable bad error message protection push(@commands, '/sbin/sysctl -q -w net.ipv4.icmp_ignore_bogus_error_responses="1"'); # enable ICMP broadcast echo protection push(@commands, '/sbin/sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts="1"'); return \@commands; } # Method: _clearTables # # Clear all tables (user defined and nat), set a policy to # OUTPUT, INPUT and FORWARD chains and allow always traffic # from/to loopback interface. 
# # Parameters: # # policy - It can be a target # (ACCEPT|DROP|REJECT|QUEUE|RETURN|user-defined chain) # See iptables TARGETS section # sub _clearTables # (policy) { my $self = shift; my $policy = shift; my @commands; push(@commands, pf("-F"), pf("-X"), pf("-t nat -F"), pf("-t nat -X"), ); # Allow loopback if (($policy eq 'DROP') or ($policy eq 'REJECT')) { push(@commands, pf('-A INPUT -i lo -j ACCEPT'), pf('-A OUTPUT -o lo -j ACCEPT'), ); } push(@commands, pf("-P OUTPUT $policy"), pf("-P INPUT $policy"), pf("-P FORWARD $policy"), ); return \@commands; } # Method: _setStructure # # Set structure to Firewall module to work # sub _setStructure { my ($self) = @_; my @commands = (); push(@commands, @{$self->_clearTables("DROP")} ); # state rules push(@commands, pf('-N odrop'), pf('-A OUTPUT -m state --state INVALID -j odrop'), pf('-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'), pf('-N idrop'), pf('-A INPUT -m state --state INVALID -j idrop'), pf('-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'), pf('-N fdrop'), pf('-A FORWARD -m state --state INVALID -j fdrop'), pf('-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'), pf('-t nat -N premodules'), pf('-t nat -N postmodules'), pf('-N fnospoofmodules'), pf('-N fnospoof'), pf('-A fnospoof -j fnospoofmodules'), pf('-N fredirects'), pf('-N fmodules'), pf('-N ffwdrules'), pf('-N fnoexternal'), pf('-N fdns'), pf('-N fobjects'), pf('-N fglobal'), pf('-N ftoexternalonly'), pf('-N inospoofmodules'), pf('-N inospoof'), pf('-A inospoof -j inospoofmodules'), pf('-N inointernal'), pf('-N iexternalmodules'), pf('-N iexternal'), pf('-N inoexternal'), pf('-N imodules'), pf('-N iintservs'), pf('-N iglobal'), pf('-N drop'), pf('-N log'), pf('-N ointernal'), pf('-N omodules'), pf('-N oglobal'), pf('-t nat -A PREROUTING -j premodules'), pf('-t nat -A POSTROUTING -j postmodules'), pf('-A FORWARD -j fnospoof'), pf('-A FORWARD -j fredirects'), pf('-A FORWARD -j fmodules'), pf('-A FORWARD -j ffwdrules'), pf('-A 
FORWARD -j fnoexternal'), pf('-A FORWARD -j fdns'), pf('-A FORWARD -j fobjects'), pf('-A FORWARD -j fglobal'), pf("-A FORWARD -p icmp --icmp-type echo-request ! -f $statenew -j ACCEPT"), # accept ping requests pf("-A FORWARD -p icmp --icmp-type echo-reply ! -f $statenew -j ACCEPT"), # accept ping responses pf("-A FORWARD -p icmp --icmp-type destination-unreachable ! -f $statenew -j ACCEPT"), # accept notifications of unreachable hosts pf("-A FORWARD -p icmp --icmp-type source-quench ! -f $statenew -j ACCEPT"), # accept notifications to reduce sending speed pf("-A FORWARD -p icmp --icmp-type time-exceeded ! -f $statenew -j ACCEPT"), # accept notifications of lost packets pf("-A FORWARD -p icmp --icmp-type parameter-problem ! -f $statenew -j ACCEPT"), # accept notifications of protocol problems pf('-A FORWARD -j fdrop'), pf('-A INPUT -j inospoof'), pf('-A INPUT -j iexternalmodules'), pf('-A INPUT -j iexternal'), pf('-A INPUT -j inoexternal'), pf('-A INPUT -j imodules'), pf('-A INPUT -j iintservs'), pf('-A INPUT -j iglobal'), pf("-A INPUT -p icmp --icmp-type echo-request ! -f $statenew -j ACCEPT"), # accept ping requests pf("-A INPUT -p icmp --icmp-type echo-reply ! -f $statenew -j ACCEPT"), # accept ping responses pf("-A INPUT -p icmp --icmp-type destination-unreachable ! -f $statenew -j ACCEPT"), # accept notifications of unreachable hosts pf("-A INPUT -p icmp --icmp-type source-quench ! -f $statenew -j ACCEPT"), # accept notifications to reduce sending speed pf("-A INPUT -p icmp --icmp-type time-exceeded ! -f $statenew -j ACCEPT"), # accept notifications of lost packets pf("-A INPUT -p icmp --icmp-type parameter-problem ! -f $statenew -j ACCEPT"), # accept notifications of protocol problems pf('-A INPUT -j idrop'), pf('-A OUTPUT -j ointernal'), pf('-A OUTPUT -j omodules'), pf('-A OUTPUT -j oglobal'), pf("-A OUTPUT -p icmp --icmp-type echo-request ! -f $statenew -j ACCEPT"), # accept ping requests pf("-A OUTPUT -p icmp --icmp-type echo-reply ! 
-f $statenew -j ACCEPT"), # accept ping responses pf("-A OUTPUT -p icmp --icmp-type destination-unreachable ! -f $statenew -j ACCEPT"), # accept notifications of unreachable hosts pf("-A OUTPUT -p icmp --icmp-type source-quench ! -f $statenew -j ACCEPT"), # accept notifications to reduce sending speed pf("-A OUTPUT -p icmp --icmp-type time-exceeded ! -f $statenew -j ACCEPT"), # accept notifications of lost packets pf("-A OUTPUT -p icmp --icmp-type parameter-problem ! -f $statenew -j ACCEPT"), # accept notifications of protocol problems pf('-A OUTPUT -j odrop'), pf("-A idrop -j drop"), pf("-A odrop -j drop"), pf("-A fdrop -j drop"), ); return \@commands; } # Method: _setDNS # # Set DNS traffic for forwarding and output with destination dns # # Parameters: # # dns - address/[mask] destination to accept DNS traffic # sub _setDNS # (dns) { my ($self, $dns) = @_; my @commands = ( pf("-A ointernal $statenew -p udp --dport 53 -d $dns -j ACCEPT || true"), pf("-A ointernal $statenew -p tcp --dport 53 -d $dns -j ACCEPT || true"), pf("-A fdns $statenew -p udp --dport 53 -d $dns -j ACCEPT || true"), pf("-A fdns $statenew -p tcp --dport 53 -d $dns -j ACCEPT || true"), ); return \@commands; } # Method: _setDHCP # # Set output DHCP traffic # # Parameters: # # interface - # sub _setDHCP { my ($self, $interface) = @_; $interface = $self->{net}->realIface($interface); return [ pf("-A ointernal $statenew -o $interface -p udp --dport 67 -j ACCEPT") ]; } # Method: _setRemoteServices # # Set output rules required to remote services to work # # sub _setRemoteServices { my ($self) = @_; my @commands; my $gl = EBox::Global->getInstance(); if ( $gl->modExists('remoteservices') ) { my $rsMod = $gl->modInstance('remoteservices'); if ( $rsMod->eBoxSubscribed() ) { if ( $rsMod->hasBundle() ) { my $vpnIface = $rsMod->ifaceVPN(); push(@commands, pf("-A ointernal $statenew -o $vpnIface -j ACCEPT") ); } try { if ( $rsMod->hasBundle() ) { my %vpnSettings = %{$rsMod->vpnSettings()}; push(@commands, 
pf("-A ointernal $statenew -p $vpnSettings{protocol} " . "-d $vpnSettings{ipAddr} --dport $vpnSettings{port} -j ACCEPT") ); } # Allow communications between ns and www and API? eval "use EBox::RemoteServices::Configuration"; my ($dnsServer, $publicWebServer, $mirrorCount) = ( EBox::RemoteServices::Configuration->DNSServer(), EBox::RemoteServices::Configuration->PublicWebServer(), EBox::RemoteServices::Configuration->eBoxServicesMirrorCount(), ); # We are assuming just one name server push(@commands, pf("-A ointernal $statenew -p udp -d $dnsServer --dport 53 -j ACCEPT || true"), ); # Public WWW servers to connect to for my $no ( 1 .. $mirrorCount ) { my $site = $publicWebServer; $site =~ s:\.:$no.:; push(@commands, pf("-A ointernal $statenew -p tcp -d $site --dport 443 -j ACCEPT || true") ); } } catch EBox::Exceptions::External with { # Cannot contact eBox CC, no DNS? my ($exc) = @_; my $msg = "Cannot contact Zentyal Cloud: $exc"; EBox::error($msg); $gl->addSaveMessage($msg); }; } } return \@commands; } # Method: _nospoof # # Set no IP spoofing (forged) for the given addresses to the # interface given # # Parameters: # # interface - the allowed interface for the addresses # addresses - An array ref with the address to allow traffic from # the given interface. Each slot has the following # fields: # - address - the IP address # - netmask - the IP network mask sub _nospoof # (interface, \@addresses) { my ($self, $iface, $addresses) = @_; $iface = $self->{net}->realIface($iface); my @commands; foreach (@{$addresses}) { my $addr = $_->{address}; my $mask = $_->{netmask}; push(@commands, pf("-A fnospoof -s $addr/$mask ! -i $iface -j fdrop"), pf("-A inospoof -s $addr/$mask ! -i $iface -j idrop"), # pf("-A inospoof ! 
#                -i $iface -d $addr -j idrop"),
        );
    }
    return \@commands;
}

# Method: stop
#
#   Stop iptables service, stop forwarding from kernel
#   and free all tables
#
sub stop
{
    my ($self) = @_;

    my @commands;
    push(@commands, @{_stopIPForward()});
    push(@commands, @{$self->_clearTables("ACCEPT")});

    EBox::Sudo::root(@commands);
}

# Method: vifaceRealname
#
#   Return the real name from a virtual interface
#
# Parameters:
#
#   viface - Virtual interface
#
# Returns:
#
#   string - The real name from the given virtual interface
#
sub vifaceRealname # (viface)
{
    my $virtual = shift;
    $virtual =~ s/:.*$//;
    return $virtual;
}

# Method: start
#
#   Start firewall service setting up the structure and the rules
#   to work with iptables.
#
sub start
{
    my $self = shift;

    my @commands;

    push(@commands, @{$self->_loadIptModules()});
    push(@commands, @{$self->_setStructure()});

    my @dns = @{$self->{net}->nameservers()};
    foreach (@dns) {
        push(@commands, @{$self->_setDNS($_)});
    }

    # Object members that declare a MAC address get an IP/MAC binding:
    # a packet with the member's IP but another source MAC is dropped
    foreach my $object (@{$self->{objects}->objects}) {
        my $members = $self->{objects}->objectMembers($object->{id});
        foreach my $member (@{$members}) {
            my $mac = $member->{macaddr};
            defined($mac) or next;
            ($mac ne "") or next;
            my $address = $member->{ipaddr};
            push(@commands,
                 pf("-A inospoof -m mac -s $address " .
                    "! --mac-source $mac -j idrop"),
                 pf("-A fnospoof -m mac -s $address " .
                    "! --mac-source $mac -j fdrop"),
            );
        }
    }

    my @ifaces = @{$self->{net}->ifaces()};
    foreach my $ifc (@ifaces) {
        next if ($self->{net}->ifaceMethod($ifc) eq 'bridged');
        if ($self->{net}->ifaceMethod($ifc) eq any('dhcp', 'ppp')) {
            push(@commands, @{$self->_setDHCP($ifc)});
            my $dnsSrvs = $self->{net}->DHCPNameservers($ifc);
            foreach my $srv (@{$dnsSrvs}) {
                push(@commands, @{$self->_setDNS($srv)});
            }
        } else {
            # Anti-spoof rules only for static interfaces
            my $addrs = $self->{net}->ifaceAddresses($ifc);
            push(@commands, @{$self->_nospoof($ifc, $addrs)});
        }
    }

    push(@commands, @{$self->_setRemoteServices()});
    push(@commands, @{$self->_redirects()});
    push(@commands, @{$self->_snat()});

    @ifaces = @{$self->{net}->ExternalIfaces()};
    foreach my $if (@ifaces) {
        my $method = $self->{net}->ifaceMethod($if);
        $if = $self->{net}->realIface($if);
        my $input = $self->_inputIface($if);
        my $output = $self->_outputIface($if);

        unless ( $self->{net}->ifaceIsBridge($if) ) {
            push(@commands,
                 pf("-A fnoexternal $statenew $input -j fdrop"),
                 pf("-A inoexternal $statenew $input -j idrop"),
                 pf("-A ftoexternalonly $output -j ACCEPT"),
            );
        }

        next unless (_natEnabled());

        if ($method eq 'static') {
            my $addr = $self->{net}->ifaceAddress($if);
            my $src = $addr;
            # If it's a bridge SNAT traffic out of the network
            if ( $self->{net}->ifaceIsBridge($if) ) {
                my $mask = $self->{net}->ifaceNetmask($if);
                $src = "$addr/$mask";
            }
            push(@commands,
                 pf("-t nat -A POSTROUTING ! -s $src $output " .
                    "-j SNAT --to $addr")
            );
        } elsif (($method eq 'dhcp') or ($method eq 'ppp')) {
            if ( $self->{net}->ifaceIsBridge($if) ) {
                push(@commands,
                     pf("-t nat -A POSTROUTING $output -m physdev" .
                        " ! --physdev-is-bridged -j MASQUERADE")
                );
            } else {
                push(@commands,
                     pf("-t nat -A POSTROUTING $output -j MASQUERADE")
                );
            }
        }
    }

    push(@commands, @{$self->_drop()});
    push(@commands, @{$self->_log()});
    push(@commands, @{$self->_iexternal()});
    push(@commands, @{$self->_iglobal()});
    push(@commands, pf("-A ftoexternalonly -j fdrop"));
    push(@commands, @{$self->_fglobal()});
    push(@commands, @{$self->_ffwdrules()});
    push(@commands, @{$self->_oglobal()});
    push(@commands, @{_startIPForward()});
    push(@commands, @{_setKernelParameters()});

    EBox::Sudo::root(@commands);

    # Create rules by modules firewall helpers
    $self->_executeModuleRules();
}

# Method: moduleRules
#
#   Get the rules added by the Zentyal modules through FirewallObserver
#
# Returns:
#
#   Reference to array of hashrefs { module, priority, rule }
#
sub moduleRules
{
    my ($self) = @_;

    my $global = EBox::Global->getInstance();
    my @modNames = @{$global->modNames};
    my @mods = @{$global->modInstancesOfType('EBox::FirewallObserver')};
    my @modRules;
    foreach my $mod (@mods) {
        my $helper = $mod->firewallHelper();
        ($helper) or next;

        # add rules
        push(@modRules, @{$self->_modRules($mod, $helper)});
    }

    return \@modRules;
}

sub _loadIptModules
{
    my @commands;
    my @toLoad = IPT_MODULES;
    # Extra kernel modules can be listed, comma separated, in the
    # iptables_modules configuration key
    my $extraModules = EBox::Config::configkey("iptables_modules");
    if ($extraModules) {
        push @toLoad, split (',+', $extraModules);
    }
    foreach my $module (@toLoad) {
        push(@commands, "modprobe $module || true");
    }
    return \@commands;
}

# Execute firewall helper rules for each module
sub _executeModuleRules
{
    my ($self) = @_;
    my $global = EBox::Global->getInstance();
    my $model = $self->{firewall}->{'EBoxServicesRuleTable'};
    # Only helper rules the administrator has left enabled in the
    # EBoxServicesRuleTable are applied
    my %enabledRules =
        map { $model->row($_)->valueByName('rule') => 1 } @{$model->enabledRows()};

    my @mods = @{$global->modInstancesOfType('EBox::FirewallObserver')};
    my @failedMods;
    foreach my $mod (@mods) {
        my $helper = $mod->firewallHelper();
        ($helper) or next;
        my $modRules = $self->_modRules($mod, $helper);
        my @sortedRules = sort {
            $a->{'priority'} <=> $b->{'priority'}
        } @{$modRules};
        # Return an empty list for disabled rules: a trailing "... if COND"
        # would yield the false condition value as a bogus command
        my @commands = map {
            my $r = $_->{'rule'};
            $enabledRules{$r} ? pf($r) : ()
        } @sortedRules;
        try {
            EBox::Sudo::root(@commands);
        } otherwise {
            EBox::error('Error executing firewall rules for module ' . $mod->name());
            push(@failedMods, $mod->name());
        };
    }

    if (@failedMods) {
        my $message = __('Firewall failed to add rules for the following modules: ');
        $message .= join(', ', @failedMods) . '. ';
        $message .= __('Probably this is caused by a lack of connectivity, ' .
                       'check your configuration or disable those modules');
        $global->addSaveMessage($message);
    }
}

# Helper rules for one module
sub _modRules
{
    my ($self, $mod, $helper) = @_;

    my @modRules;
    push(@modRules, @{$self->_createChains($mod, $helper)});
    push(@modRules, @{$self->_doRuleset($mod, 'nat', 'premodules', $helper->prerouting())});
    push(@modRules, @{$self->_doRuleset($mod, 'nat', 'postmodules', $helper->postrouting())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'fnospoofmodules', $helper->forwardNoSpoof())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'inospoofmodules', $helper->inputNoSpoof())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'fmodules', $helper->forward())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'iexternalmodules', $helper->externalInput())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'imodules', $helper->input())});
    push(@modRules, @{$self->_doRuleset($mod, 'filter', 'omodules', $helper->output())});

    return \@modRules;
}

sub _createChains
{
    my ($self, $module, $helper) = @_;

    my @commands;
    my %chains = %{$helper->chains()};
    foreach my $table ( keys %chains ) {
        my @tchains = @{$chains{$table}};
        foreach my $chain (@tchains) {
            my $pfrule = "-t $table -N $chain";
            # Chain creation gets priority 1 so it runs before any rule
            # that appends to the chain (default rule priority is 50)
            my $r = { 'module' => $module, 'priority' => 1, 'rule' => $pfrule };
            push(@commands, $r);
        }
    }
    return \@commands;
}

sub _doRuleset # (module, table, chain, \@rules)
{
    my ($self, $module, $table, $chain, $rules) = @_;

    my @commands;
    foreach my $r (@{$rules}) {
        my $priority = 50;
        my $pfrule;
        my $pfchain = $chain;
        if (ref($r) eq 'HASH') {
            if (defined($r->{'priority'})) {
                $priority = $r->{'priority'};
            }
            if (defined($r->{'chain'})) {
                $pfchain = $r->{'chain'};
            }
            $pfrule = $r->{'rule'};
        } else {
            $pfrule = $r;
        }
        $pfrule = "-t $table -A $pfchain $pfrule";
        # Use a different name here: a second "my $r" would mask the loop variable
        my $entry = { 'module' => $module, 'priority' => $priority, 'rule' => $pfrule };
        push(@commands, $entry);
    }
    return \@commands;
}

# Method: _iexternalCheckInit
#
#   Add checks to iexternalmodules and iexternal to only affect
#   packets coming from external interfaces
sub _iexternalCheckInit
{
    my ($self) = @_;

    my @commands;
    my @internalIfaces = @{$self->{net}->InternalIfaces()};
    foreach my $if (@internalIfaces) {
        $if = $self->{net}->realIface($if);
        my $input = $self->_inputIface($if);
        push(@commands,
             pf("-A iexternalmodules $input -j RETURN"),
             pf("-A iexternal $input -j RETURN"),
        );
    }
    foreach my $if (@{_vpnIfaces()}) {
        my $input = $self->_inputIface($if);
        push(@commands,
             pf("-A iexternalmodules $input -j RETURN"),
             pf("-A iexternal $input -j RETURN"),
        );
    }
    return \@commands;
}

# Method: _iexternal
#
#   Add rules to iexternal, that is the chain to control access
#   from the external networks to Zentyal. The RETURN checks from
#   _iexternalCheckInit go first, so that packets arriving on internal
#   or VPN interfaces are not affected by these rules.
sub _iexternal
{
    my ($self) = @_;

    my @commands;
    push (@commands, @{$self->_iexternalCheckInit()});
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->ExternalToEBoxRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _iglobal
#
#   Add rules to iglobal, that is the chain to control access
#   from the internal networks to Zentyal
sub _iglobal
{
    my ($self) = @_;

    my @commands;
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->InternalToEBoxRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _oglobal
#
#   Add rules to oglobal, that is the chain to control access
#   from Zentyal to external services
sub _oglobal
{
    my ($self) = @_;

    my @commands;
    my $iptHelper = new
        EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->EBoxOutputRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _fglobal
#
#   Add rules to fglobal, that is the chain to control access
#   from the internal networks to Internet
sub _fglobal
{
    my ($self) = @_;

    my @commands;
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->ToInternetRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _ffwdrules
#
#   Add rules to ffwdrules, that is the chain to control access
#   from the external networks to the internal networks. Packets
#   arriving on internal interfaces RETURN before any of the
#   ExternalToInternal rules are evaluated.
sub _ffwdrules
{
    my ($self) = @_;

    my @commands;
    my @internalIfaces = @{$self->{net}->InternalIfaces()};
    foreach my $if (@internalIfaces) {
        $if = $self->{net}->realIface($if);
        my $input = $self->_inputIface($if);
        push(@commands, pf("-A ffwdrules $input -j RETURN"));
    }
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->ExternalToInternalRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _redirects
#
#   Add redirects rules
sub _redirects
{
    my ($self) = @_;

    my @commands;
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->RedirectsRuleTable()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

sub _snat
{
    my ($self) = @_;

    my @commands;
    my $iptHelper = new EBox::Firewall::IptablesHelper;
    for my $rule (@{$iptHelper->SNATRules()}) {
        push(@commands, pf("$rule"));
    }
    return \@commands;
}

# Method: _drop
#
#   Set up drop chain.
#   Log rule and drop rule
#
sub _drop
{
    my ($self) = @_;

    my @commands;
    push(@commands, pf('-I drop -j DROP'));

    my $logDrops = EBox::Config::configkey('iptables_log_drops');
    defined($logDrops) or $logDrops = 'yes';

    # If logging is disabled or we don't want to log drops, then we are done
    if ($self->{firewall}->logging() and ($logDrops eq 'yes')) {
        my $limit = EBox::Config::configkey('iptables_log_limit');
        my $burst = EBox::Config::configkey('iptables_log_burst');

        unless (defined($limit) and $limit =~ /^\d+$/) {
            throw EBox::Exceptions::External(__('You must set the ' .
                'iptables_log_limit variable in the ebox configuration file'));
        }
        unless (defined($burst) and $burst =~ /^\d+$/) {
            throw EBox::Exceptions::External(__('You must set the ' .
                'iptables_log_burst variable in the ebox configuration file'));
        }
        # Inserted at position 1, so LOG runs before the DROP above; the
        # limit match keeps a flood of dropped packets from saturating syslog
        push(@commands,
             pf("-I drop -j LOG -m limit --limit $limit/min " .
                "--limit-burst $burst" .
                ' --log-level ' . SYSLOG_LEVEL .
                ' --log-prefix "ebox-firewall drop "')
        );
    }
    return \@commands;
}

# Method: _log
#
#   Set up log chain. Log rule and return rule
#
sub _log
{
    my ($self) = @_;

    my @commands;
    push(@commands, pf('-I log -j RETURN'));

    # If logging is disabled we are done
    if ($self->{firewall}->logging()) {
        my $limit = EBox::Config::configkey('iptables_log_limit');
        my $burst = EBox::Config::configkey('iptables_log_burst');

        unless (defined($limit) and $limit =~ /^\d+$/) {
            throw EBox::Exceptions::External(__('You must set the ' .
                'iptables_log_limit variable in the ebox configuration file'));
        }
        unless (defined($burst) and $burst =~ /^\d+$/) {
            throw EBox::Exceptions::External(__('You must set the ' .
                'iptables_log_burst variable in the ebox configuration file'));
        }
        push(@commands,
             pf("-I log -j LOG -m limit --limit $limit/min " .
                "--limit-burst $burst" .
                ' --log-level ' . SYSLOG_LEVEL .
                ' --log-prefix "ebox-firewall log "')
        );
    }
    return \@commands;
}

# Method: _outputIface
#
#   Returns iptables rule part for output interface selection
#   Takes into account if the iface is part of a bridge
#
# Parameters:
#
#   Iface - Iface name
#
sub _outputIface # (iface)
{
    my ($self, $iface) = @_;

    if ( $self->{net}->ifaceExists($iface) and
         $self->{net}->ifaceMethod($iface) eq 'bridged' ) {
        return "-m physdev --physdev-out $iface";
    } else {
        return "-o $iface";
    }
}

# Method: _inputIface
#
#   Returns iptables rule part for input interface selection
#   Takes into account if the iface is part of a bridge
#
# Parameters:
#
#   Iface - Iface name
#
sub _inputIface # (iface)
{
    my ($self, $iface) = @_;

    if ( $self->{net}->ifaceExists($iface) and
         $self->{net}->ifaceMethod($iface) eq 'bridged' ) {
        return "-m physdev --physdev-in $iface";
    } else {
        return "-i $iface";
    }
}

# Method: _natEnabled
#
#   Fetch value to enable NAT
#
sub _natEnabled
{
    my $nat = EBox::Config::configkey('nat_enabled');
    return 1 unless (defined($nat));
    if ($nat =~ /no/) {
        return undef;
    } else {
        return 1;
    }
}

# Method: _vpnIfaces
#
#   Fetch vpn interfaces
sub _vpnIfaces
{
    my $gl = EBox::Global->getInstance();
    if ($gl->modExists('openvpn')) {
        my $vpn = $gl->modInstance('openvpn');
        $vpn->initializeInterfaces();
        return [map { $_->iface() } $vpn->activeDaemons()];
    } else {
        return [];
    }
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/Firewall.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::Firewall;

use strict;
use warnings;

use base qw(EBox::Module::Service
            EBox::ObjectsObserver
            EBox::NetworkObserver
            EBox::LogObserver);

use EBox::Objects;
use EBox::Global;
use EBox::Validate qw( :all );
use EBox::Exceptions::InvalidData;
use EBox::Exceptions::MissingArgument;
use EBox::Exceptions::DataNotFound;
use EBox::Firewall::Model::ToInternetRuleTable;
use EBox::Firewall::Model::InternalToEBoxRuleTable;
use EBox::Firewall::Model::ExternalToEBoxRuleTable;
use EBox::Firewall::Model::EBoxOutputRuleTable;
use EBox::Firewall::Model::ExternalToInternalRuleTable;
use EBox::Firewall::Model::EBoxServicesRuleTable;
use EBox::Firewall::Model::RedirectsTable;
use EBox::Firewall::Model::PacketTrafficDetails;
use EBox::Firewall::Model::PacketTrafficGraph;
use EBox::Firewall::Model::PacketTrafficReportOptions;
use EBox::FirewallLogHelper;
use EBox::Gettext;

sub _create
{
    my $class = shift;
    my $self = $class->SUPER::_create(name => 'firewall',
                                      printableName => __n('Firewall'),
                                      @_);

    $self->{'ToInternetRuleModel'} = $self->model('ToInternetRuleTable');
    $self->{'InternalToEBoxRuleModel'} = $self->model('InternalToEBoxRuleTable');
    $self->{'ExternalToEBoxRuleModel'} = $self->model('ExternalToEBoxRuleTable');
    $self->{'EBoxOutputRuleModel'} = $self->model('EBoxOutputRuleTable');
    $self->{'ExternalToInternalRuleTable'} = $self->model('ExternalToInternalRuleTable');
    $self->{'EBoxServicesRuleTable'} = $self->model('EBoxServicesRuleTable');
    $self->{'RedirectsTable'} = $self->model('RedirectsTable');
    $self->{'PacketTrafficDetails'} = $self->model('PacketTrafficDetails');
    $self->{'PacketTrafficGraph'} = $self->model('PacketTrafficGraph');
    $self->{'PacketTrafficReportOptions'} = $self->model('PacketTrafficReportOptions');

    bless($self, $class);
    return $self;
}

# Method: actions
#
#   Override EBox::Module::Service::actions
#
sub actions
{
    return [
        {
            'action' => __('Flush previous firewall rules'),
            'reason' => __('The Zentyal firewall will flush any previous firewall ' .
                           'rules which have been added manually or by another tool'),
            'module' => 'firewall'
        },
        {
            'action' => __('Secure by default'),
            'reason' => __('Just a few connections are allowed by default. ' .
                           'Make sure you add the proper incoming and outcoming ' .
                           'rules to make your system work as expected. Usually, ' .
                           'all outcoming connections are denied by default, and ' .
                           'only SSH and HTTPS incoming connections are allowed.'),
            'module' => 'firewall'
        }
    ];
}

# Method: initialSetup
#
# Overrides:
#   EBox::Module::Base::initialSetup
#
sub initialSetup
{
    my ($self, $version) = @_;

    # Create default rules only if installing the first time
    unless ($version) {
        $self->setInternalService('administration', 'accept');
        $self->setInternalService('ssh', 'accept');

        my $services = EBox::Global->modInstance('services');
        my $any = $services->serviceId('any');

        unless (defined $any) {
            EBox::error('Cannot add default rules: Service "any" not found.');
            return;
        }

        # Allow any Zentyal output by default
        $self->model('EBoxOutputRuleTable')->add(
            decision => 'accept',
            destination => { destination_any => undef },
            service => $any,
        );

        # Allow any Internet access from internal networks
        $self->model('ToInternetRuleTable')->add(
            decision => 'accept',
            source => { source_any => undef },
            destination => { destination_any => undef },
            service => $any,
        );
    }
}

sub restoreDependencies
{
    my ($self) = @_;
    return ['services'];
}

# utility used by CGI
sub externalIfaceExists
{
    my $network = EBox::Global->modInstance('network');
    my $externalIfaceExists = @{$network->ExternalIfaces() } > 0;
    return $externalIfaceExists;
}

## internal utility functions

sub _checkAction # (action, name?)
{
    my ($i, $name) = @_;
    if ($i eq "allow" || $i eq "deny") {
        return 1;
    }
    if (defined($name)) {
        throw EBox::Exceptions::InvalidData('data' => $name, 'value' => $i);
    } else {
        return 0;
    }
}

## api functions

sub isRunning
{
    my ($self) = @_;
    return $self->isEnabled();
}

sub _supportActions
{
    return undef;
}

sub _enforceServiceState
{
    my ($self) = @_;
    use EBox::Iptables;
    my $ipt = new EBox::Iptables;

    if ($self->isEnabled()) {
        $ipt->start();
    } else {
        $ipt->stop();
    }
}

sub _stopService
{
    my ($self) = @_;
    use EBox::Iptables;
    my $ipt = new EBox::Iptables;
    $ipt->stop();
}

# Method: removePortRedirectionsOnIface
#
#   Removes all the port redirections on a given interface
#
# Parameters:
#
#   iface - network interface
#
sub removePortRedirectionsOnIface # (interface)
{
    my ($self, $iface) = @_;

    my $model = $self->{'RedirectsTable'};
    foreach my $rowId (@{$model->ids()}) {
        my $row = $model->row($rowId);
        if ($row->valueByName('interface') eq $iface) {
            $model->removeRow($rowId);
        }
    }
}

# Method: availablePort
#
#   Checks if a port is available, i.e: it's not used by any module.
#
# Parameters:
#
#   proto - protocol
#   port - port number
#   interface - interface
#
# Returns:
#
#   boolean - true if it's available, otherwise undef
#
sub availablePort # (proto, port, interface)
{
    my ($self, $proto, $port, $iface) = @_;

    defined($proto) or return undef;
    ($proto ne "") or return undef;
    defined($port) or return undef;
    ($port ne "") or return undef;

    my $global = EBox::Global->getInstance($self->isReadOnly());
    my $network = $global->modInstance('network');
    my $services = $global->modInstance('services');

    # if it's an internal interface, check all services
    unless ($iface &&
            ($network->ifaceIsExternal($iface) || $network->vifaceExists($iface))) {
        unless ($services->availablePort($proto, $port)) {
            return undef;
        }
    }

    # check for port redirections on the given interface, or on all
    # internal ifaces if no interface was given
    my @ifaces = ();
    if ($iface) {
        push(@ifaces, $iface);
    } else {
        my $tmp = $network->InternalIfaces();
        @ifaces = @{$tmp};
    }
    my $redirs = $self->{'RedirectsTable'}->ids();
    foreach my $ifc (@ifaces) {
        foreach my $id (@{$redirs}) {
            my $red = $self->{'RedirectsTable'}->row($id);
            ($red->valueByName('protocol') eq $proto) or next;
            ($red->valueByName('interface') eq $ifc) or next;
            ($red->valueByName('external_port') eq $port) and return undef;
        }
    }

    # finally, ask every module that can report the ports it listens on
    my @mods = @{$global->modInstances()};
    foreach my $mod (@mods) {
        $mod->can('usesPort') or next;
        if ($mod->usesPort($proto, $port, $iface)) {
            return undef;
        }
    }

    return 1;
}

# Method: requestAvailablePort
#
#   Returns the same requested port if available or the next
#   available one if not.
#
# Parameters:
#
#   protocol - requested port protocol
#   port - requested port number
#   alternative - *optional* alternative port if preferred is not available
#
sub requestAvailablePort
{
    my ($self, $protocol, $port, $alternative) = @_;

    # Check port availability: try the requested port, then the
    # alternative (once), then keep incrementing until one is free
    my $available = 0;
    do {
        $available = $self->availablePort($protocol, $port);
        unless ($available) {
            if (defined ($alternative)) {
                $port = $alternative;
                $alternative = undef;
            } else {
                $port++;
            }
        }
    } until ($available);

    return $port;
}

# Method: usesIface
#
#   Implements EBox::NetworkObserver interface.
#
sub usesIface # (iface)
{
    my ($self, $iface) = @_;

    my $model = $self->{'RedirectsTable'};
    foreach my $rowId (@{$model->ids()}) {
        my $row = $model->row($rowId);
        if ($row->valueByName('interface') eq $iface) {
            return 1;
        }
    }

    my $snatModel = $self->model('SNAT');
    if ($snatModel->usesIface($iface)) {
        return 1;
    }

    return undef;
}

# Method: ifaceMethodChanged
#
#   Implements EBox::NetworkObserver interface.
#
sub ifaceMethodChanged # (iface, oldmethod, newmethod)
{
    my ($self, $iface, $oldm, $newm) = @_;

    ($newm eq 'static') and return undef;
    ($newm eq 'dhcp') and return undef;
    return $self->usesIface($iface);
}

# Method: vifaceDelete
#
#   Implements EBox::NetworkObserver interface.
#
sub vifaceDelete # (iface, viface)
{
    my ($self, $iface, $viface) = @_;
    return $self->usesIface("$iface:$viface");
}

# Method: freeIface
#
#   Implements EBox::NetworkObserver interface.
#
sub freeIface # (iface)
{
    my ($self, $iface) = @_;
    $self->removePortRedirectionsOnIface($iface);
    $self->model('snat')->freeIface($iface);
}

# Method: freeViface
#
#   Implements EBox::NetworkObserver interface.
#
sub freeViface # (iface, viface)
{
    my ($self, $iface, $viface) = @_;
    $self->removePortRedirectionsOnIface("$iface:$viface");
    $self->model('snat')->freeViface($iface, $viface);
}

# Method: setInternalService
#
#   This method adds a rule to the "internal networks to Zentyal services"
#   table.
#
#   In case the service has already been configured with a custom
#   rule by the user the adding operation is aborted.
#
#   Modules configuring internal services running on Zentyal should use
#   this method if they wish to allow access from internal networks
#   to the service by default.
#
# Parameters:
#
#   service - service's name
#   decision - accept or deny
#
# Returns:
#
#   boolean - true if the rule has been added, otherwise false and
#   that implies there is already a custom rule
#
# Exceptions:
#
#   EBox::Exceptions::MissingArgument - if service or decision is missing
#   EBox::Exceptions::InvalidData - if decision is not accept or deny
#   EBox::Exceptions::DataNotFound - if the service does not exist
#
sub setInternalService
{
    my ($self, $service, $decision) = @_;
    return $self->_setService($service, $decision, 1);
}

# Method: setExternalService
#
#   This method adds a rule to the "external networks to Zentyal services"
#   table.
#
#   In case the service has already been configured with a custom
#   rule by the user the adding operation is aborted.
#
#   Modules configuring internal services running on Zentyal should use
#   this method if they wish to allow access from external networks
#   to the service by default.
#
# Parameters:
#
#   service - service's name
#   decision - accept or deny
#
# Returns:
#
#   boolean - true if the rule has been added, otherwise false and
#   that implies there is already a custom rule
#
# Exceptions:
#
#   EBox::Exceptions::MissingArgument - if service or decision is missing
#   EBox::Exceptions::InvalidData - if decision is not accept or deny
#   EBox::Exceptions::DataNotFound - if the service does not exist
#
sub setExternalService
{
    my ($self, $service, $decision) = @_;
    return $self->_setService($service, $decision, 0);
}

sub _setService
{
    my ($self, $service, $decision, $internal) = @_;

    my $serviceMod = EBox::Global->modInstance('services');

    unless (defined($service)) {
        throw EBox::Exceptions::MissingArgument('service');
    }

    unless (defined($decision)) {
        throw EBox::Exceptions::MissingArgument('decision');
    }

    unless ($decision eq 'accept' or $decision eq 'deny') {
        throw EBox::Exceptions::InvalidData('data' => 'decision',
                                            value => $decision,
                                            'advice' => 'accept or deny');
    }

    my $serviceId = $serviceMod->serviceId($service);

    unless (defined($serviceId)) {
        throw EBox::Exceptions::DataNotFound('data' => 'service',
                                             'value' => $service);
    }

    my $model;
    if ($internal) {
        $model = 'InternalToEBoxRuleModel';
    } else {
        $model = 'ExternalToEBoxRuleModel';
    }
    my $rulesModel = $self->{$model};

    # Do not add rule if there is already a rule
    if ($rulesModel->findValue('service' => $serviceId)) {
        EBox::info("Existing rule for $service overrides default rule");
        return undef;
    }

    my %params;
    $params{'decision'} = $decision;
    $params{'source_selected'} = 'source_any';
    $params{'service'} = $serviceId;

    $rulesModel->addRow(%params);

    return 1;
}

# Method: enableLog
#
#   Override
#
sub enableLog
{
    my ($self, $enable) = @_;
    $self->setLogging($enable);
}

# Method: setLogging
#
#   This method is used to enable/disable the iptables logging facilities.
#
#   When enabled, it will log drop packets to syslog, and they will be
#   introduced into the Zentyal log DB.
#
# Parameters:
#
#   enable - boolean true to enable, false to disable
#
sub setLogging
{
    my ($self, $enable) = @_;

    if ($enable xor $self->logging()) {
        $self->set_bool('logging', $enable);
    }
}

# Method: logging
#
#   This method is used to fetch the logging status which is set by the user
#
# Returns:
#
#   boolean true to enable, false to disable
#
sub logging
{
    my ($self) = @_;
    return $self->get_bool('logging');
}

# Method: menu
#
#   Overrides EBox::Module method.
#
sub menu
{
    my ($self, $root) = @_;

    my $folder = new EBox::Menu::Folder('name' => 'Firewall',
                                        'text' => $self->printableName(),
                                        'separator' => 'Gateway',
                                        'order' => 310);

    $folder->add(new EBox::Menu::Item('url' => 'Firewall/Filter',
                                      'text' => __('Packet Filter')));

    $folder->add(new EBox::Menu::Item('url' => 'Firewall/View/RedirectsTable',
                                      'text' => __('Port Forwarding')));

    $folder->add(new EBox::Menu::Item('url' => 'Firewall/View/SNAT',
                                      'text' => __('SNAT')));

    $root->add($folder);
}

# Method: addInternalService
#
#   Helper method to add new internal services to the service module and related
#   firewall rules
#
# Named Parameters:
#
#   name - name of the service
#   protocol - protocol used by the service
#   sourcePort - source port used by the service (default : any)
#   destinationPort - destination port used by the service (default : any)
#   target - target for the firewall rule, accept or deny (default: accept)
#
sub addInternalService
{
    my ($self, %params) = @_;
    exists $params{name} or
        throw EBox::Exceptions::MissingArgument('name');

    $self->_addService(%params);

    my @fwRuleParams = ($params{name});
    push @fwRuleParams, $params{target} if exists $params{target};
    $self->_fwRuleForInternalService(@fwRuleParams);

    $self->saveConfigRecursive();
}

# Method: addServiceRules
#
#   Helper method to add a set of new internal services and
#   the firewall rules associated to them
#
#   Takes as argument an array ref of hashes with the following keys:
#
#   name - name of the service
#   protocol - protocol used by the service
#   sourcePort - source port
#                used by the service (default : any)
#   destinationPorts - array ref of destination port numbers
#   services - array ref of hashes with protocol, sourcePort
#              and destinationPort
#   rules - hash ref of tables and decision
#           example: { 'internal' => 'accept', 'external' => 'deny' }
#
#   Important: destinationPorts and services are mutually exclusive
#
sub addServiceRules
{
    my ($self, $services) = @_;

    my $servicesMod = EBox::Global->modInstance('services');

    foreach my $service (@{$services}) {
        my $name = $service->{'name'};
        unless ($servicesMod->serviceExists(name => $name)) {
            unless (defined ($service->{'readOnly'})) {
                $service->{'readOnly'} = 1;
            }
            if (exists $service->{'destinationPorts'}) {
                my $protocol = $service->{'protocol'};
                my $sourcePort = $service->{'sourcePort'};
                my @ports;
                foreach my $port (@{$service->{'destinationPorts'}}) {
                    push (@ports, { 'protocol' => $protocol,
                                    'sourcePort' => $sourcePort,
                                    'destinationPort' => $port });
                }
                $service->{'services'} = \@ports;
            }
            $servicesMod->addMultipleService(%{$service});
        }
        my %rules = %{$service->{'rules'}};
        while (my ($table, $decision) = each (%rules)) {
            if ($table eq 'internal') {
                $self->setInternalService($name, $decision);
            } elsif ($table eq 'external') {
                $self->setExternalService($name, $decision);
            } elsif ($table eq 'output') {
                $self->model('EBoxOutputRuleTable')->add(
                    decision => $decision,
                    destination => { destination_any => undef },
                    service => $servicesMod->serviceId($name),
                );
            } elsif ($table eq 'internet') {
                $self->model('ToInternetRuleTable')->add(
                    decision => $decision,
                    source => { source_any => undef },
                    destination => { destination_any => undef },
                    service => $servicesMod->serviceId($name),
                );
            }
        }
    }
}

sub _fwRuleForInternalService
{
    my ($self, $service, $target) = @_;

    $service or
        throw EBox::Exceptions::MissingArgument('service');
    $target or
        $target = 'accept';

    $self->setInternalService($service, $target);
}

sub _addService
{
    my ($self, %params) = @_;

    exists $params{name} or throw
        EBox::Exceptions::MissingArgument('name');
    exists $params{protocol} or throw
        EBox::Exceptions::MissingArgument('protocol');
    exists $params{sourcePort} or
        $params{sourcePort} = 'any';
    exists $params{destinationPort} or
        $params{destinationPort} = 'any';

    my $serviceMod = EBox::Global->modInstance('services');

    if (not $serviceMod->serviceExists('name' => $params{name})) {
        $serviceMod->addService('name' => $params{name},
                                'printableName' => $params{printableName},
                                'protocol' => $params{protocol},
                                'sourcePort' => $params{sourcePort},
                                'destinationPort' => $params{destinationPort},
                                'description' => $params{description},
                                'internal' => 1,
                                'readOnly' => 1
        );
    } else {
        $serviceMod->setService('name' => $params{name},
                                'printableName' => $params{printableName},
                                'protocol' => $params{protocol},
                                'sourcePort' => $params{sourcePort},
                                'destinationPort' => $params{destinationPort},
                                'description' => $params{description},
                                'internal' => 1,
                                'readOnly' => 1);

        EBox::info("Service $params{name} already exists, updating it instead of adding it");
    }

    $serviceMod->saveConfig();
}

# Implement LogHelper interface
sub tableInfo
{
    my ($self) = @_ ;

    my $titles = {
        'timestamp' => __('Date'),
        'fw_in' => __('Input interface'),
        'fw_out' => __('Output interface'),
        'fw_src' => __('Source'),
        'fw_dst' => __('Destination'),
        'fw_proto' => __('Protocol'),
        'fw_spt' => __('Source port'),
        'fw_dpt' => __('Destination port'),
        'event' => __('Decision')
    };
    my @order = qw(timestamp fw_in fw_out fw_src fw_dst fw_proto fw_spt fw_dpt event);

    my $events = {
        'drop' => __('DROP'),
        'log' => __('LOG'),
        'redirect' => __('REDIRECT'),
    };

    return [{
        'name' => __('Firewall'),
        'tablename' => 'firewall',
        'titles' => $titles,
        'order' => \@order,
        'timecol' => 'timestamp',
        'filter' => ['fw_in', 'fw_out', 'fw_src', 'fw_dst', 'fw_proto', 'fw_spt', 'fw_dpt'],
        'types' => { 'fw_src' => 'IPAddr', 'fw_dst' => 'IPAddr' },
        'events' => $events,
        'eventcol' => 'event',
        'disabledByDefault' => 1,
        'consolidate' => $self->_consolidate(),
    }];
}

sub _consolidate
{
    my ($self) = @_;

    my $table = 'firewall_packet_traffic';
    my $spec = {
        filter => sub {
            my ($row_r) = @_;
            return $row_r->{event} eq 'drop'
        },
        accummulateColumns => { drop => 0 },
        consolidateColumns => {
            event => {
                conversor => sub { return 1 },
                accummulate => sub {
                    my ($v) = @_;
                    if ($v eq 'drop') {
                        return 'drop';
                    }
                },
            },
        }
    };

    return { $table => $spec };
}

sub logHelper
{
    my ($self) = @_;
    return (new EBox::FirewallLogHelper);
}

sub consolidateReportQueries
{
    return [
        {
            'target_table' => 'firewall_report',
            'query' => {
                'select' => 'event, fw_src AS source, fw_proto AS proto, fw_dpt AS dport, COUNT(event) AS packets',
                'from' => 'firewall',
                'group' => 'event, source, proto, dport'
            }
        }
    ];
}

sub report
{
    my ($self, $beg, $end, $options) = @_;

    my $report = {};

    my $db = EBox::DBEngineFactory::DBEngine();

    $report->{'dropped_packets'} = $self->runMonthlyQuery($beg, $end, {
        'select' => 'event, SUM(packets) AS packets',
        'from' => 'firewall_report',
        'where' => "event = 'drop'",
        'group' => 'event',
    }, { 'key' => 'event' });

    $report->{'top_dropped_sources'} = $self->runQuery($beg, $end, {
        'select' => 'source, SUM(packets) AS packets',
        'from' => 'firewall_report',
        'where' => "event = 'drop'",
        'group' => 'source',
        'limit' => $options->{'max_dropped_sources'},
        'order' => 'packets DESC'
    });

    return $report;
}

1;

zentyal-firewall-2.3.9+quantal1/src/EBox/FirewallLogHelper.pm

# Copyright (C) 2008-2012 eBox Technologies S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

package EBox::FirewallLogHelper;

use base 'EBox::LogHelper';

use strict;
use warnings;

use EBox;
use EBox::Config;
use EBox::Gettext;

use constant FIREWALL_LOGFILE => '/var/log/syslog';

sub new
{
    my $class = shift;
    my $self = {};
    bless($self, $class);
    return $self;
}

# Method: logFiles
#
#   This function must return the file or files to be read from.
#
# Returns:
#
#   array ref - containing the whole paths
#
sub logFiles
{
    return [FIREWALL_LOGFILE];
}

# Method: processLine
#
#   This function will be run every time a new line is received in
#   the associated file. You must parse the line, and generate
#   the messages which will be logged to ebox through an object
#   implementing EBox::AbstractLogger interface.
#
# Parameters:
#
#   file - file name
#   line - string containing the log line
#   dbengine - An instance of a class implementing the AbstractDBEngine interface
#
sub processLine # (file, line, logger)
{
    my ($self, $file, $line, $dbengine) = @_;

    # Only lines written by the firewall's own LOG rules are of interest;
    # their prefix is "ebox-firewall drop " or "ebox-firewall log "
    unless ($line =~ /^(\w+\s+\d+ \d\d:\d\d:\d\d) .*: \[.*\] ebox-firewall (\w+) (.+)/) {
        return;
    }
    # syslog timestamps carry no year, so the current one is assumed
    my $date = $1 . ' ' . (${[localtime(time)]}[5] + 1900);
    my $type = $2;
    my $rule = $3;

    # The rest of the line is a list of KEY=VALUE pairs (IN=, SRC=, DPT=, ...)
    my @pairs = grep (/=./, split(' ', $rule));
    my %fields = map { split('='); } @pairs;

    my %dataToInsert;

    my $timestamp = $self->_convertTimestamp('%b %e %H:%M:%S %Y', $date);
    $dataToInsert{timestamp} = $timestamp;
    $dataToInsert{event} = $type;

    my @fieldNames = qw(in out src dst proto spt dpt);
    for my $name (@fieldNames) {
        my $uName = uc ($name);
        if (exists $fields{$uName}) {
            $dataToInsert{'fw_' . $name} = $fields{$uName};
        } else {
            $dataToInsert{'fw_' .
$name} = undef; } } $dbengine->insert('firewall', \%dataToInsert); } 1; zentyal-firewall-2.3.9+quantal1/ChangeLog0000664000000000000000000001620212017102347015200 0ustar 2.3.9 + Firewall is now under Gateway instead of UTM + Added priority to redirects + Fixed bug with SNAT and redirects to the same target + Improved style of packet filtering page + Added modeldepends to yaml schema + Fixed i10n bug in prohibition of inverse match for "any" service + Adjusted table to existence of inverse match for addresses + Fixed error which broke rules for inverse address match for single IP address + Fixed error which broke rules for inverse service match for any TCP or any UDP for all ports 2.3.8 + Use Clone::Fast instead of Clone + Added load of custom iptables modules + Added table for SNAT rules + Added filtering by source MAC + EBox::Firewall::IPRule can accept now IPRange objects as source or destination 2.3.7 + Remove obsolete denyAction code + Adapted to new Model management framework + Remove obsolete OutputRules code + Remove obsolete localredirects methods + Remove obsolete import of EBox::Order 2.3.6 + Set RemoteServices rules taking into account no bundle state + Added clone action to tables + EBox::Firewall::availablePort now works for non-FirewallObserver modules and it uses the same readonly status as the firewall module 2.3.5 + Create tables with MyISAM engine by default 2.3.4 + Use new unified tableBody.mas in PacketTrafficDetails.pm 2.3.3 + Packaging fixes for precise 2.3.2 + Updated Standards-Version to 3.9.2 2.3.1 + Use printableName instead of name to select services + Remove firewall hook template as examples are already included in core 2.3 + Adapted to new MySQL logs backend + Disabled source/destination port for portless protocols in redirections + Using iprange module for iptable rules referencing range object members + Replaced autotools with zbuildtools 2.1.7 + Avoid some crashes caused by connectivity issues during save changes 2.1.6 + Fixed check 
of hide_firewall_images config key 2.1.5 + Do not crash when a firewall helper rule fails and inform the user + Hide explanatory images in the GUI if hide_firewall_images key defined + Removed /zentyal prefix from URLs + Set single by default in the PortRange of the RedirectRules table 2.1.4 + Fixed deprecated use of iptables command 2.1.3 + Added help images to each firewall filtering table + Improve kernel settings for increased firewall security + Use the new "Add new..." option in the object selectors + Removed obsolete gettext calls 2.1.2 + Changed RedirectRules table order (Protocol before Port) + Added chains method to firewall helpers (lets them create custom chains) 2.1.1 + Added SNAT option in Port Forwarding rules + Remove unnecessary code from EBoxServicesRuleTable::syncRows + Add forwardNoSpoof and inputNoSpoof FirewallHelper methods to allow exceptions on default spoof checking in the firewall + Log INVALID packets as we do with DROPped ones + Fixed bug when getting the value of destination port in redirect table 2.1 + Removed unnecesary call to isReadOnly in syncRows + New addServiceRules helper method for initial setup of modules + Added addToInternetService to exposed methods + Added new addInternalService and requestAvailablePort methods + Use new initialSetup method to add default rules + Remove obsolete migrations + Replace /etc/ebox/80firewall.conf with /etc/zentyal/firewall.conf 2.0.1 + PPPOE MTU is now changed in network module when reconfiguring gateways 1.5.6 + Zentyal rebrand 1.5.5 + Use modelClasses API for firewall rule tables + Increased size of description fields for rules 1.5.4 + Set iptables rule properly to fix PPPoE problems with some websites 1.5.3 + Bridged mode support 1.5.2 + New logging feature for port forwarding rules + Only allow safe ICMP types everywhere 1.5.1 + New firewall table containing rules added by eBox services + Bug fix: port forwarding now works with PPPoE + Bug fix: openVPN interfaces are added as internal 
interfaces to iexternal and iexternalmodules (Closes #1758) + Bug fix: allow only safe ICMP types and insert the rules after user rules so these override the default ones. Drop INVALID packets first too + Added TCP/53 to DNS rules in fdns and ointernal chains + Inverse match is not longer allowed for service 'any' 1.4.2 + Add a config option to disable the logging of dropped packets in firewall 1.4 + Bug fix: i18n 1.3.14 + Added multi-gateway support for DHCP and PPPoE + Add an allow rule by default from internal networks to internet 1.3.11 + Added report support + Add description field for redirects + Breadcrumbs + Change Redirections for Port Forwarding 1.3.6 + Add clone() to EBox::Firewall::IptablesRule 1.3.4 + bugfix: inospoof chain was buggy and didn't allow traffic to internal eBox addresses from other internal networks + bugfix: insert missing port data using NULL in logs data base 1.1.30 + Add all and ah protocols to redirections 1.1.20 + New release 1.1.10 + New release 1.1 + Added required output rules to connect remote services when the eBox is subscribed + Use the new ids() and row() API + Added support to redirects to introduce the origin destination address. So far, only local address could be used. + Bugfix: fix regression that didn't allow to use virtual interfaces on redirections + Allow outgoing connections from eBox by default 0.12.101 + Bugfix: Add redirect migration script to Makefile.am 0.12.100 + New release 0.12.99 + Add support for reporting + Add rules to allow DHCP requests from interfaces configured via DHCP 0.12.1 + Add log decision to firewall rules + Add conf parameter to disable NAT 0.12 + Use the new EBox::Model::Row api + Add help field to firewall models + Bugfix. Use exit and not return in dchp-firewall external script + Bugfix. Use #DEBHELPER# properly to be able to flush the firewall rules when the package is uninstalled + Add support for ESP protocol 0.11.102 + Set editable attribute to 1 in Decision field. 
To comply with what the type expects and avoid warnings 0.11.101 + Unroll inoexternal chain + Bugfix. Do not restart firewall module if called from dhcp context and the module is not enabled + Add setExternalService 0.11.100 + Fix English string + onInstall() functionality moved to migration script 0.11.99 + Added log domain for firewall's drops. Firewall logging limits are stored in a configuration file + Enhanced strings 0.11 + New release 0.10.99 + Fix some typos 0.10 + Load ip_nat_ftp module 0.9.100 + Use new model/view framework which implies several changes + Now the user can add rules to INPUT/OUTPUT chain + Use the new services module 0.9.99 + New release 0.9.3 + New release 0.9.2 + New release 0.9.1 + Small UI changes + Fix bug with rules and more than one external interface 0.9 + Added Polish translation + Added Aragonese translation + Added German translation + dhcp-hooks script will be installed by network module 0.8.99 + Add externalInput to FirewallObserver to provide rules for external interfaces 0.8.1 + New release 0.8 + New release 0.7.99 + Add Portuguese translation 0.7.1 + GUI fixes + Use of ebox-sudoers-friendly 0.7 + First public release 0.6 + Separate module from ebox base + move to client + API documented using naturaldocs + Update install + Update debian scripts zentyal-firewall-2.3.9+quantal1/AUTHORS0000664000000000000000000000024112017102347014472 0ustar Copyright (C) 2004-2012 eBox Technologies S.L.. 
For an updated list of the current and past developers please visit: http://trac.zentyal.org/wiki/Contributors zentyal-firewall-2.3.9+quantal1/schemas/0000775000000000000000000000000012017102347015050 5ustar zentyal-firewall-2.3.9+quantal1/schemas/firewall.yaml0000664000000000000000000000250112017102347017537 0ustar class: 'EBox::Firewall' depends: - objects - network - services enabledepends: - network models: - ToInternetRuleTable - InternalToEBoxRuleTable - ExternalToEBoxRuleTable - EBoxOutputRuleTable - ExternalToInternalRuleTable - EBoxServicesRuleTable - RedirectsTable - SNAT - PacketTrafficDetails - PacketTrafficGraph - PacketTrafficReportOptions modeldepends: ToInternetRuleTable: services/ServiceTable: [service] objects/ObjectTable: [source_object, destination_object] InternalToEBoxRuleTable: services/ServiceTable: [service] objects/ObjectTable: [source_object] ExternalToEBoxRuleTable: services/ServiceTable: [service] objects/ObjectTable: [source_object] EBoxOutputRuleTable: services/ServiceTable: [service] objects/ObjectTable: [destination_object] ExternalToInternalRuleTable: services/ServiceTable: [service] objects/ObjectTable: [source_object, destination_object] RedirectsTable: objects/ObjectTable: [origDest_object, source_object] SNAT: services/ServiceTable: [service] objects/ObjectTable: [source_object, destination_object] composites: PacketTrafficReport: [PacketTrafficReportOptions, PacketTrafficGraph, PacketTrafficDetails] zentyal-firewall-2.3.9+quantal1/schemas/sql/0000775000000000000000000000000012017102347015647 5ustar zentyal-firewall-2.3.9+quantal1/schemas/sql/period/0000775000000000000000000000000012017102347017131 5ustar zentyal-firewall-2.3.9+quantal1/schemas/sql/period/firewall_packet_traffic.sql0000664000000000000000000000024112017102347024501 0ustar CREATE TABLE IF NOT EXISTS firewall_packet_traffic( `date` TIMESTAMP NOT NULL, `drop` BIGINT DEFAULT 0, INDEX(`date`) ) ENGINE = MyISAM; 
zentyal-firewall-2.3.9+quantal1/schemas/sql/firewall_report.sql

CREATE TABLE IF NOT EXISTS firewall_report (
    `date` DATE,
    event VARCHAR(16),
    source INT UNSIGNED,
    proto VARCHAR(16),
    dport INT,
    packets BIGINT
) ENGINE = MyISAM;

zentyal-firewall-2.3.9+quantal1/schemas/sql/firewall.sql

CREATE TABLE IF NOT EXISTS firewall(
    fw_in VARCHAR(16),
    fw_out VARCHAR(16),
    fw_src INT UNSIGNED,
    fw_dst INT UNSIGNED,
    fw_proto VARCHAR(16),
    fw_spt INT,
    fw_dpt INT,
    event VARCHAR(16),
    timestamp TIMESTAMP,
    INDEX(timestamp)
) ENGINE = MyISAM;

zentyal-firewall-2.3.9+quantal1/www/firewall/external_to_internal.png (binary PNG image data omitted)
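The log line format that EBox::FirewallLogHelper::processLine extracts, together with the grouping done by consolidateReportQueries and the dropped_packets / top_dropped_sources queries in report(), as an added Python example that is not part of the zentyal-firewall package. The syslog lines and the "log" event name are constructed samples; addresses are converted to integers because firewall.sql declares fw_src and fw_dst as INT UNSIGNED, and the explicit year parameter stands in for the localtime year lookup the Perl helper performs.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import IPv4Address

# Same pattern as EBox::FirewallLogHelper::processLine:
#   "<Mon dd HH:MM:SS> <host> <prog>: [<uptime>] ebox-firewall <event> <KEY=VAL ...>"
LINE_RE = re.compile(r'^(\w+\s+\d+ \d\d:\d\d:\d\d) .*: \[.*\] ebox-firewall (\w+) (.+)')

# Columns the helper fills in the `firewall` table (fw_ prefix in firewall.sql).
FIELD_NAMES = ('in', 'out', 'src', 'dst', 'proto', 'spt', 'dpt')

# Constructed sample syslog excerpt (documentation address ranges, fake host "gw").
# The last line is not a firewall line and must be ignored by the parser.
SAMPLE_LOG = """\
Aug 20 10:15:01 gw kernel: [12345.678] ebox-firewall drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=54 DF PROTO=TCP SPT=44321 DPT=22 SYN
Aug 20 10:15:02 gw kernel: [12346.001] ebox-firewall drop IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44322 DPT=23 SYN
Aug 20 10:15:03 gw kernel: [12347.120] ebox-firewall drop IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=5353
Aug 20 10:15:04 gw kernel: [12348.500] ebox-firewall log IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.0.2.80 PROTO=TCP SPT=50000 DPT=80
Aug 20 10:15:05 gw kernel: [12349.900] ebox-firewall drop IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Aug 20 10:15:06 gw sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50022
"""


def _column_value(name, raw):
    """Coerce a KEY=VAL string to the type firewall.sql declares for the column."""
    if raw is None:
        return None
    if name in ('src', 'dst'):      # fw_src / fw_dst are INT UNSIGNED
        return int(IPv4Address(raw))
    if name in ('spt', 'dpt'):      # fw_spt / fw_dpt are INT
        return int(raw)
    return raw                      # fw_in, fw_out, fw_proto are VARCHAR


def parse_line(line, year=None):
    """Return the row processLine would insert for `line`, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, event, rule = m.groups()
    # syslog stamps carry no year. The Perl helper appends the year current at
    # parse time, so lines replayed after a year boundary get the wrong year;
    # a caller replaying archived logs should pass the year explicitly.
    year = datetime.now().year if year is None else year
    timestamp = datetime.strptime(f'{stamp} {year}', '%b %d %H:%M:%S %Y')
    # Keep only KEY=VALUE tokens with a non-empty value, as grep(/=./) does;
    # flags such as DF or SYN and the empty "OUT=" are discarded.
    fields = dict(tok.split('=', 1) for tok in rule.split() if re.search(r'=.', tok))
    row = {'timestamp': timestamp, 'event': event}
    for name in FIELD_NAMES:
        row['fw_' + name] = _column_value(name, fields.get(name.upper()))
    return row


def parse_log(text, year=None):
    """Parse every line of a syslog excerpt, skipping lines that are not firewall events."""
    rows = (parse_line(line, year) for line in text.splitlines())
    return [r for r in rows if r is not None]


def consolidate(rows):
    """Equivalent of the firewall_report consolidation query:
    COUNT(event) grouped by event, source, proto, dport."""
    counts = Counter()
    for r in rows:
        counts[(r['event'], r['fw_src'], r['fw_proto'], r['fw_dpt'])] += 1
    return counts


def dropped_packets(rows):
    """SUM(packets) WHERE event = 'drop', as in the dropped_packets query of report()."""
    return sum(n for (event, *_), n in consolidate(rows).items() if event == 'drop')


def top_dropped_sources(rows, limit):
    """SUM(packets) per source for dropped packets, ORDER BY packets DESC LIMIT `limit`."""
    per_source = Counter()
    for (event, source, _proto, _dport), packets in consolidate(rows).items():
        if event == 'drop':
            per_source[source] += packets
    return per_source.most_common(limit)


if __name__ == '__main__':
    rows = parse_log(SAMPLE_LOG, year=2012)
    print(f'{len(rows)} firewall rows, {dropped_packets(rows)} dropped packets')
    for source, packets in top_dropped_sources(rows, 3):
        print(f'{IPv4Address(source)}  {packets}')
```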
zentyal-firewall-2.3.9+quantal1/www/firewall/advanced.png (binary PNG image data omitted)
zentyal-firewall-2.3.9+quantal1/www/firewall/internal_networks.png (binary PNG image data omitted)
zentyal-firewall-2.3.9+quantal1/www/firewall/outgoing_traffic.png (binary PNG image data omitted)
zentyal-firewall-2.3.9+quantal1/www/firewall/external_to_zentyal.png (binary PNG image data omitted)
zentyal-firewall-2.3.9+quantal1/www/firewall/internal_to_zentyal.png (binary PNG image data omitted)