diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/CHANGES FCT-1.1/CHANGES *** FCT-1.0.9.p3/CHANGES Sat Oct 31 12:12:07 1998 --- FCT-1.1/CHANGES Sun Nov 1 14:54:34 1998 *************** *** 5,9 **** Author: Jens Hellmerichs-Friedrich ! E-mail: ft114@fen.baynet.de This program is free software; you can redistribute it and/or modify --- 5,9 ---- Author: Jens Hellmerichs-Friedrich ! E-mail: jhf@altavista.net This program is free software; you can redistribute it and/or modify *************** *** 18,21 **** --- 18,24 ---- (c) 1997 J. Hellmerichs-Friedrich + + 1.1.0 - Support IP-Masquerading (ipfwadm, ipchanis) for + every service from internal and perimeter networks 1.0.9 - changed Installation possibilities: diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/FAQ FCT-1.1/FAQ *** FCT-1.0.9.p3/FAQ Thu Jan 1 01:00:00 1970 --- FCT-1.1/FAQ Sun Nov 1 23:39:41 1998 *************** *** 0 **** --- 1,98 ---- + FAQ - Frequently asked questions for FCT + ---------------------------------------- + So far, (nearly) _all_ problems reported with FCT depend on the + configuration of the HTTP-Server. So i give you these informations + for CGI configuration of an apache HTTP-Server. + + Q0: FCT just doesnīt work. I have done all you mentioned for installation. + A: Read the rest of FAQ ;-) + Maybe you want to disable any caching in your Browser to get the actual + HTML-Pages generated by FCT every time! + Q1:I have problems with CGI. I get an error-message like: + "Forbidden + You don't have permission to access /Firewall/cgi-bin/fill_net_cfg.cgi + on this server." + A: This occurs, when the access rights are not coorect, e.g. missing + the x-bit for FCT/cgi-bin/*.cgi, or your HTTP-Daemon is misconfigured + for CGI. + Execute Install.sh to set correct access rights. + Configure your HTTP-Daemon correct for CGI - see below. + + Q2:I have problems with CGI. 
I get an error-message like: + "Internal Server Error + The server encountered an internal error or misconfiguration and was + unable to complete your request." + A: This occurs, when the access rights are not correct, e.g. missing + the r-bit for FCT/cgi-bin/*.cgi or an error occured while executing + a cgi-script. + Execute Install.sh to set correct access rights. + Check the cgi-script, e.g. execute it by hand in a shell! + + Q3:I have problems with CGI. The source-code is displayed by the HTTP-Server + instead of executed. + A: Your HTTP-Daemon is wrong configured. CGI insīt executed. + Configure your HTTP-Daemon for CGI. + Also, check that the access rights are set correct, see file INSTALL. + Here are my configuration files for apache: + access.conf: + # all standard - no changes + + Options Indexes FollowSymLinks + AllowOverride None + order allow,deny + allow from all + + + AllowOverride None + Options None + + # new for FCT + + Options ExecCGI + + srm.conf: + # all standard - no changes + DocumentRoot /usr/local/httpd/htdocs + UserDir public_html + DirectoryIndex index.html index.htm welcome.html welcome.htm + FancyIndexing on + ... + # To use CGI scripts: (ScriptAlias should do the same) + AddHandler cgi-script .cgi + ... + # new for FCT + ScriptAlias /FCT/cgi-bin/ /var/adm/FCT/cgi-bin/ + Alias /FCT /var/adm/FCT + + Q4:How does CGI work, who do i configure apache for CGI? + A: See Q1-3 above. + Some basic comments about CGI: + - (some) CGI directories must be defined for the HTTP-Server + -> file access.conf: + + Options ExecCGI + + -> The path '/FCT' is an alias (for the HTTP-Server) and points + to the FCT installation directory, e.g. '/var/adm/FCT' + -> file srm.conf: + Alias /FCT /var/adm/FCT + ScriptAlias /FCT/cgi-bin/ /var/adm/FCT/cgi-bin/ + + - CGI scripts are in general executable scripts with HTML output + or plain ascii output - for the later, the lines + Content-type: text/plain + "" + must (!) be printed first. 
+ - all CGI scripts may be executed by hand in a shell + + - the scripts and the directory need rx-bits (read/execute) for the + user-id of the HTTP-Server + -> execute file Install.sh, maybe with user-id of httpd as parameter + root# ./Install.sh -cgi wwwrun + + - The HTTP-Daemon needs a SIGHUP signal, when config files have been changed. + + - The HTTP-Daemon spawns aditional processes with the user-id defined in httpd.conf. + So, in general, there is one httpd process owned by root and additional + httpd proceses, e.g. owned by nobody or wwwrun or ... + diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/Install.sh FCT-1.1/Install.sh *** FCT-1.0.9.p3/Install.sh Sat Oct 31 12:12:07 1998 --- FCT-1.1/Install.sh Sun Nov 1 14:01:58 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: Install.sh,v 1.0.9.2 1998/06/14 10:51:36 jens Exp jens $ ! # $Date: 1998/06/14 10:51:36 $ # # File: Install.sh --- 1,5 ---- #!/bin/sh ! # $Id: Install.sh,v 1.1 1998/10/12 18:05:00 jens Exp $ ! # $Date: 1998/10/12 18:05:00 $ # # File: Install.sh *************** *** 21,24 **** --- 21,27 ---- # # $Log: Install.sh,v $ + # Revision 1.1 1998/10/12 18:05:00 jens + # entered into RCS + # # Revision 1.0.9.2 1998/06/14 10:51:36 jens # inserted cgi-bin/.htaccess *************** *** 43,47 **** # dirs/files read by HTTP-Server http_dirs='cgi-bin etc etc/config etc/cfg_header etc/sheets html log rules rules/Firewall setup' ! http_files='firewall cgi-bin/*.* cgi-bin/.htaccess etc/*.sh etc/config/*.* etc/cfg_header/*.* etc/sheets/*.* html/*.*' http_exe='accounting firewall fw_rules reset save_config cgi-bin/*.*' --- 46,50 ---- # dirs/files read by HTTP-Server http_dirs='cgi-bin etc etc/config etc/cfg_header etc/sheets html log rules rules/Firewall setup' ! http_files='firewall index.html cgi-bin/*.* cgi-bin/.htaccess etc/*.sh etc/config/*.* etc/cfg_header/*.* etc/sheets/*.* html/*.*' http_exe='accounting firewall fw_rules reset save_config cgi-bin/*.*' *************** *** 81,89 **** case "$unix" in Linux) ! 
ps_opt=aux who=`whoami` ;; *) ! ps_opt=ef who=`id | cut -d"(" -f2 | cut -d")" -f1` ;; --- 84,93 ---- case "$unix" in Linux) ! ps_opt=-aux ! #ps_opt=aux who=`whoami` ;; *) ! ps_opt=-ef who=`id | cut -d"(" -f2 | cut -d")" -f1` ;; *************** *** 129,133 **** # try to get httpd-id with `ps` if [ -z "$uid" ]; then ! uid=`ps -$ps_opt | grep -v grep | grep http | sort -r | head -1 | cut -f1 -d" "` fi --- 133,139 ---- # try to get httpd-id with `ps` if [ -z "$uid" ]; then ! uid=`ps $ps_opt | grep -v grep | grep http | sort -r | head -1 | cut -f1 -d" "` ! # uid=root ! ans=y fi diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/cgi-bin/create_service_rules.cgi FCT-1.1/cgi-bin/create_service_rules.cgi *** FCT-1.0.9.p3/cgi-bin/create_service_rules.cgi Sat Oct 31 12:12:05 1998 --- FCT-1.1/cgi-bin/create_service_rules.cgi Sun Nov 1 12:16:24 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: create_service_rules.cgi,v 1.0.9.2 1998/06/02 18:00:30 jens Exp $ ! # $Date: 1998/06/02 18:00:30 $ # # File: create_service_rules.cgi --- 1,5 ---- #!/bin/sh ! # $Id: create_service_rules.cgi,v 1.1 1998/10/30 14:27:37 jens Exp jens $ ! # $Date: 1998/10/30 14:27:37 $ # # File: create_service_rules.cgi *************** *** 21,24 **** --- 21,27 ---- # # $Log: create_service_rules.cgi,v $ + # Revision 1.1 1998/10/30 14:27:37 jens + # entered into RCS + # # Revision 1.0.9.2 1998/06/02 18:00:30 jens # *** empty log message *** *************** *** 93,96 **** --- 96,104 ---- . 
\$FWDIR/etc/services.cfg + # check masquerading + imq="\$imq_${1}" + pmq="\$pmq_${1}" + ipmq="\$ipmq_${1}" + EOF *************** *** 102,105 **** --- 110,114 ---- eval source_data=\$src_$flt_nr eval dir_data=\$dir_$flt_nr + close_for=true close_if=true *************** *** 235,240 **** --- 244,251 ---- eval port_s_i="\$${proto}_src_i"; eval port_d_i="\$${proto}_dst_i" eval log_i="\$${proto}_log_i" + eval port_s_o="\$${proto}_src_o"; eval port_d_o="\$${proto}_dst_o" eval log_o="\$${proto}_log_o" + eval port_src_i="\"$port_s_i\""; eval port_dst_i="\"$port_d_i\"" eval port_src_o="\"$port_s_o\""; eval port_dst_o="\"$port_d_o\"" diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/cgi-bin/fill_net_cfg.cgi FCT-1.1/cgi-bin/fill_net_cfg.cgi *** FCT-1.0.9.p3/cgi-bin/fill_net_cfg.cgi Sat Oct 31 12:12:05 1998 --- FCT-1.1/cgi-bin/fill_net_cfg.cgi Sun Nov 1 12:16:24 1998 *************** *** 1,5 **** #!/usr/bin/perl ! # $Id: fill_net_cfg.cgi,v 1.0.9.1 1998/06/01 19:34:34 jens Exp $ ! # $Date: 1998/06/01 19:34:34 $ # # File: fill_net_cfg.cgi - Firewall Configuration Tool --- 1,5 ---- #!/usr/bin/perl ! # $Id: fill_net_cfg.cgi,v 1.1 1998/10/27 21:10:37 jens Exp jens $ ! # $Date: 1998/10/27 21:10:37 $ # # File: fill_net_cfg.cgi - Firewall Configuration Tool *************** *** 21,24 **** --- 21,27 ---- # # $Log: fill_net_cfg.cgi,v $ + # Revision 1.1 1998/10/27 21:10:37 jens + # entered into RCS + # # Revision 1.0.9.1 1998/06/01 19:34:34 jens # initial ci -r 1.0.9 *************** *** 73,79 **** } ! $Def{"selipfwadm"} = ""; ! $Def{"selipF"} = ""; ! $Def{"selipchains"} = ""; if ( $Def{"ip_cmd"} =~ /ipfwadm/ ) { --- 76,85 ---- } ! $Def{"selipfwadm"} = ""; ! $Def{"selipF"} = ""; ! $Def{"selipchains"} = ""; ! $Def{"MASQINTERNAL"} = ""; ! $Def{"MASQPERIMETER"}= ""; ! 
$Def{"MASQINTPERI"} = ""; if ( $Def{"ip_cmd"} =~ /ipfwadm/ ) { *************** *** 83,86 **** --- 89,101 ---- } elsif ( $Def{"ip_cmd"} =~ /ipF/ ) { $Def{"selipF"} = "selected"; + } + if ( $Def{"masquerade_internal"} =~ /true/ ) { + $Def{"MASQINTERNAL"} = "checked"; + } + if ( $Def{"masquerade_perimeter"} =~ /true/ ) { + $Def{"MASQPERIMETER"} = "checked"; + } + if ( $Def{"masqu_int_peri"} =~ /true/ ) { + $Def{"MASQINTPERI"} = "checked"; } close (CFG); diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/cgi-bin/fill_services_cfg.cgi FCT-1.1/cgi-bin/fill_services_cfg.cgi *** FCT-1.0.9.p3/cgi-bin/fill_services_cfg.cgi Sat Oct 31 12:12:05 1998 --- FCT-1.1/cgi-bin/fill_services_cfg.cgi Sun Nov 1 12:16:24 1998 *************** *** 1,5 **** #!/usr/bin/perl ! # $Id: fill_services_cfg.cgi,v 1.0.9.2 1998/06/02 18:00:41 jens Exp $ ! # $Date: 1998/06/02 18:00:41 $ # # File: fill_services_cfg.cgi --- 1,5 ---- #!/usr/bin/perl ! # $Id: fill_services_cfg.cgi,v 1.1 1998/10/28 21:57:12 jens Exp jens $ ! # $Date: 1998/10/28 21:57:12 $ # # File: fill_services_cfg.cgi *************** *** 21,24 **** --- 21,27 ---- # # $Log: fill_services_cfg.cgi,v $ + # Revision 1.1 1998/10/28 21:57:12 jens + # entered into RCS + # # Revision 1.0.9.2 1998/06/02 18:00:41 jens # *** empty log message *** *************** *** 49,56 **** sub list_services { $cnt=0; ! foreach $serv ( @_ ) { ! chomp(($service, $def) = split (/=/, $serv)); ! next unless ( -r "$cfg_dir/$service.def" ); ! if ( ++$cnt == 2 ) { $trb=''; $tre=''; $cnt=0; --- 52,63 ---- sub list_services { $cnt=0; ! foreach ( @_ ) { ! #chomp ($_); ! ($service, $def) = /(.*?)=(.*?)[;\s].*$/; ! ($imq) = /.*imq_.*?="*(.*?)"*[;\s].*$/; ! ($pmq) = /.*[^i]pmq_.*?="*(.*)\b.*$/; ! ($ipmq)= /.*ipmq_.*?="*(.*)\b.*$/; ! #next unless ( -r "$cfg_dir/$service.def" ); ! if ( ++$cnt == 2 ) { $trb=''; $tre=''; $cnt=0; *************** *** 60,72 **** $sel_b='';$sel_f='';$sel_i='';$sel_o=''; ! if ( $def =~ /'OUT'/ ) { $sel_o="selected"; ! 
} elsif ( $def =~ /'FILTERED'/ ) { $sel_f="selected"; ! } elsif ( $def =~ /'IN'/ ) { $sel_i="selected"; } else { $sel_b="selected"; } print "$trb\n"; --- 67,88 ---- $sel_b='';$sel_f='';$sel_i='';$sel_o=''; ! if ( $def =~ /OUT/ ) { $sel_o="selected"; ! } elsif ( $def =~ /FILTERED/ ) { $sel_f="selected"; ! } elsif ( $def =~ /IN/ ) { $sel_i="selected"; } else { $sel_b="selected"; } + if ( $imq =~ /true/ ) { + $imq=checked; + } + if ( $pmq =~ /true/ ) { + $pmq=checked; + } + if ( $ipmq =~ /true/ ) { + $ipmq=checked; + } print "$trb\n"; *************** *** 78,81 **** --- 94,103 ---- print " \n"; print " \n"; + print " "; + print " "; + print " "; print "$tre\n"; *************** *** 94,98 **** if ( grep /^\w+=.*$/, $_ ) { push @services, $_; - push @selected, $_; } } --- 116,119 ---- *************** *** 113,117 **** ($serv, $suffix) = split /\./, $file; unless ( grep /^$serv=/, @services ) { ! @file_svc = (@file_svc, $serv); } } --- 134,138 ---- ($serv, $suffix) = split /\./, $file; unless ( grep /^$serv=/, @services ) { ! push @file_svc, "$serv=BLOCKED\n"; } } *************** *** 121,122 **** --- 142,144 ---- close SERVICE_CFG; + diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/cgi-bin/fill_trusted_cfg.cgi FCT-1.1/cgi-bin/fill_trusted_cfg.cgi *** FCT-1.0.9.p3/cgi-bin/fill_trusted_cfg.cgi Sat Oct 31 12:12:05 1998 --- FCT-1.1/cgi-bin/fill_trusted_cfg.cgi Sun Nov 1 12:49:36 1998 *************** *** 52,56 **** print " \n"; print " \n"; ! print " allow\n"; print " Log\n"; print "\n"; --- 52,56 ---- print " \n"; print " \n"; ! print " allowed \n"; print " Log\n"; print "\n"; *************** *** 59,63 **** print " \n"; print " \n"; ! print " allow\n"; print " Log\n"; print "\n"; --- 59,63 ---- print " \n"; print " \n"; ! print " allowed \n"; print " Log\n"; print "\n"; *************** *** 86,90 **** print_file ($fwdir . "/etc/sheets/trusted_cfg_head.htm"); - print_file ($fwdir . "/etc/sheets/trusted_cfg_body.htm"); list_trusted (@trusted); print_file ($fwdir . 
"/etc/sheets/trusted_cfg_end.htm"); --- 86,89 ---- diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/cgi-bin/form_cfg_services.cgi FCT-1.1/cgi-bin/form_cfg_services.cgi *** FCT-1.0.9.p3/cgi-bin/form_cfg_services.cgi Sat Oct 31 12:12:06 1998 --- FCT-1.1/cgi-bin/form_cfg_services.cgi Sun Nov 1 12:16:24 1998 *************** *** 1,5 **** ! #!/bin/sh ! # $Id: form_cfg_services.cgi,v 1.0.9.1 1998/06/01 19:34:38 jens Exp $ ! # $Date: 1998/06/01 19:34:38 $ # # File: form_cfg_services.cgi --- 1,5 ---- ! #!/usr/bin/perl ! # $Id: form_cfg_services.cgi,v 1.1 1998/10/27 19:43:34 jens Exp jens $ ! # $Date: 1998/10/27 19:43:34 $ # # File: form_cfg_services.cgi *************** *** 21,24 **** --- 21,27 ---- # # $Log: form_cfg_services.cgi,v $ + # Revision 1.1 1998/10/27 19:43:34 jens + # entered into RCS + # # Revision 1.0.9.1 1998/06/01 19:34:38 jens # initial ci -r 1.0.9 *************** *** 29,49 **** # ! # where is the firewall-package located ? ! [ -z "$FWDIR" ] && FWDIR=`echo $0 | sed -e 's/[\/]cgi-bin[\/][A-Za-z0-9_\.-]*$//'` - FILE=services - HEADER=$FWDIR/etc/cfg_header/$FILE.header - CONFIG=$FWDIR/etc/$FILE.cfg - - cat $HEADER > $CONFIG - - read post - echo $post | tr "&" "\n" | sed -e "s/=/='/g" | tr '+' ' ' | sed -e "s/$/'/g" | fgrep -v SUBMIT_ >> $CONFIG - echo "" >> $CONFIG - echo fi >> $CONFIG - - echo Content-type: text/html - echo - echo "
"
- cat $CONFIG
- echo "

Back to Configure." --- 32,93 ---- # ! use File::Copy; ! ! $fwdir=`pwd`; ! $fwdir =~ s/\/cgi-bin//; ! chomp ($fwdir); ! ! $fl = "services"; ! $fhead="$fwdir/etc/cfg_header/$fl.header"; ! $fconfig="$fwdir/etc/$fl.cfg"; ! ! sub read_form { ! ! read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); ! @pairs = split(/&/, $buffer); ! ! open (CFG, ">>$_[0]"); ! ! foreach $pair (@pairs) ! { ! local($name, $value) = split(/=/, $pair); ! ! $name =~ tr/+/ /; ! $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; ! $name =~ s/('|,)//g; ! ! next if $name =~ /^SUBMIT/; ! ! $value =~ tr/+/ /; ! $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; ! $value =~ s/('|,)//g; ! $value =~ s///g; ! ! next if $value =~ /^\s*$/; ! ! if ($name =~ /^([ip]|ip)mq_/) { ! print CFG "; $name=\"$value\""; ! } ! else { ! print CFG "\n$name=\"$value\""; ! }; ! } ! print CFG "\n\nfi\n"; ! close (CFG); ! } ! ! sub print_file ! { ! open (FH, "$_[0]"); ! print "Content-type: text/html\n\n
";
!     while () {
!         print ;
!     }
!     close (FH);
!     print "

(c) Copyright 1998 J. Hellmerichs-Friedrich\n"; ! } ! ! copy ("$fhead", "$fconfig"); ! &read_form ($fconfig); ! print_file ($fconfig); diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/aliases.cfg FCT-1.1/etc/aliases.cfg *** FCT-1.0.9.p3/etc/aliases.cfg Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/aliases.cfg Sun Nov 1 15:05:48 1998 *************** *** 41,44 **** --- 41,47 ---- ssl_p='443 563' + # temporary masquerading ports ('!:' isnīt allowed here) + msqPorts="1024:5999 6004:65535" + # You may want to change/add values below # --------------------------------------- diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/gateway.sh FCT-1.1/etc/gateway.sh *** FCT-1.0.9.p3/etc/gateway.sh Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/gateway.sh Mon Nov 2 01:05:04 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: gateway.sh,v 1.0.9.1 1998/06/01 19:34:40 jens Exp $ ! # $Date: 1998/06/01 19:34:40 $ # # File: gateway.sh --- 1,5 ---- #!/bin/sh ! # $Id: gateway.sh,v 1.1 1998/10/30 14:22:51 jens Exp jens $ ! # $Date: 1998/10/30 14:22:51 $ # # File: gateway.sh *************** *** 24,27 **** --- 24,32 ---- # # $Log: gateway.sh,v $ + # Revision 1.1 1998/10/30 14:22:51 jens + # entered into RCS + # + # 98/10/14 inserted IP Masquerading in ipgw() + # # Revision 1.0.9.1 1998/06/01 19:34:40 jens # initial ci -r 1.0.9 *************** *** 64,67 **** --- 69,75 ---- setup_file="not_defined" + # temporary masquerading Ports should be defined in aliases.cfg + [ -z "$msqPorts" ] && msqPorts="$client" + # ---------------- # GATEWAY Function *************** *** 69,72 **** --- 77,81 ---- # implementation of filtering rules for a gateway # the gateway has an incoming and an outgoing device + # IP Masquerading is possible for outgoing connections # ipgw ( *************** *** 81,84 **** --- 90,94 ---- # ack "" | ack # log log + # msq imq | pmq # ) *************** *** 97,100 **** --- 107,113 ---- [ "$8" = "log" ] && iplog="log" + srcm="$3" + destm="$4" + srcprt="$5" [ "$5" = "any" ] && srcprt="" *************** *** 
106,109 **** --- 119,134 ---- [ "$7" = "any" ] && proto="" + masq="" + MFW=`echo "$FW" | awk '{print $1}'` + + # masquerading is not available for ipfilter + if [ "$IPFW" = "f_ipfilter" ]; then + masquerade_internal="" + masquerade_perimeter="" + imq="" + pmq="" + ipmq="" + fi + # there are 3 incoming and 3 outgoing routings: $OUT_DEV -> $IN_DEV # I: $ANY -> $INTERNAL $OUT_DEV0 -> $IN_DEV0 *************** *** 116,143 **** if [ $# -gt 3 ]; then case $2 in ! -I) if [ `echo $PERIMETER | grep "$3" | wc -l` -gt 0 ]; then OUT_DEV=$IN_DEV1 else OUT_DEV=$OUT_DEV0 fi ! if [ `echo $PERIMETER | grep "$4" | wc -l` -gt 0 ]; then IN_DEV=$IN_DEV1 else IN_DEV=$IN_DEV0 fi ! if [ "x$OUT_DEV" != x -a "x$IN_DEV" != x ]; then for dev in $OUT_DEV; do ! $IPFW -I "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" "$iplog" done if [ "$proto" != tcp -o -z "$iplog" ]; then for dev in $IN_DEV; do ! $IPFW -O "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" done - $IPFW -F "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" -b fi else ! if [ "x$4" = "x$FW" -a "x$OUT_DEV" != x ]; then for dev in $OUT_DEV; do ! $IPFW -I "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" "$iplog" done fi --- 141,211 ---- if [ $# -gt 3 ]; then case $2 in ! -I) if [ `echo $PERIMETER | grep "$srcm" | wc -l` -gt 0 ]; then OUT_DEV=$IN_DEV1 else OUT_DEV=$OUT_DEV0 fi ! if [ `echo $PERIMETER | grep "$destm" | wc -l` -gt 0 ]; then IN_DEV=$IN_DEV1 else IN_DEV=$IN_DEV0 fi ! ! # activate masquerading ? ! if [ "$OUT_DEV" = "$OUT_DEV0" ]; then ! [ "$masquerade_internal" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! [ "$masquerade_perimeter" = true -a "$IN_DEV" = "$IN_DEV1" ] && masq="true" ! [ "$imq" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! [ "$pmq" = true -a "$IN_DEV" = "$IN_DEV1" ] && masq="true" ! elif [ "$OUT_DEV" = "$IN_DEV1" ]; then ! [ "$masquerade_int_peri" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! 
[ "$ipmq" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! fi ! ! # masqerading doesnīt support icmp, only accept is valid ! [ "$proto" = icmp -o "$1" != "accept" ] && masq="" ! ! # masqerading uses temporary ports ($msqPorts)! ! if [ "$masq" = true ]; then ! destprtm="$msqPorts" ! else ! destprtm="$destprt" ! fi ! ! if [ -n "$OUT_DEV" -a -n "$IN_DEV" ]; then ! ! # masquerade incoming: remember dest a. opt, masq dest ! if [ "$masq" = true ]; then ! mdest="$destm" ! destm="$MFW" ! if [ "$opt" = -a ]; then ! mopt="$opt" ! opt="-i" ! fi ! fi ! for dev in $OUT_DEV; do ! for dpm in $destprtm; do ! $IPFW -I "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$dpm" "$proto" "$dev" "$iplog" ! done done + + # masquerade incoming: restore dest, opt + if [ -n "$masq" ]; then + destm="$mdest" + opt="$mopt" + else + $IPFW -F "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" -b + fi + if [ "$proto" != tcp -o -z "$iplog" ]; then for dev in $IN_DEV; do ! $IPFW -O "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" "$dev" done fi else ! if [ "$destm" = "$MFW" -a -n "$OUT_DEV" ]; then for dev in $OUT_DEV; do ! $IPFW -I "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" "$dev" "$iplog" done fi *************** *** 145,154 **** ;; ! -O) if [ `echo $PERIMETER | grep "$4" | wc -l` -gt 0 ]; then OUT_DEV=$IN_DEV1 else OUT_DEV=$OUT_DEV0 fi ! if [ `echo $PERIMETER | grep "$3" | wc -l` -gt 0 ]; then IN_DEV=$IN_DEV1 else --- 213,222 ---- ;; ! -O) if [ `echo $PERIMETER | grep "$destm" | wc -l` -gt 0 ]; then OUT_DEV=$IN_DEV1 else OUT_DEV=$OUT_DEV0 fi ! if [ `echo $PERIMETER | grep "$srcm" | wc -l` -gt 0 ]; then IN_DEV=$IN_DEV1 else *************** *** 156,173 **** fi ! if [ "x$OUT_DEV" != x -a "x$IN_DEV" != x ]; then for dev in $IN_DEV; do ! $IPFW -I "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" "$iplog" done if [ "$proto" != tcp -o -z "$iplog" ]; then for dev in $OUT_DEV; do ! 
$IPFW -O "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" done - $IPFW -F "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" -b fi else ! if [ "x$3" = "x$FW" -a "x$IN_DEV" != x ]; then for dev in $OUT_DEV; do ! $IPFW -O "$opt" "$1" "$ack" "$3" "$srcprt" "$4" "$destprt" "$proto" "$dev" "$iplog" done fi --- 224,273 ---- fi ! # activate masquerading ? ! if [ "$OUT_DEV" = "$OUT_DEV0" ]; then ! [ "$masquerade_internal" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! [ "$masquerade_perimeter" = true -a "$IN_DEV" = "$IN_DEV1" ] && masq="true" ! [ "$imq" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! [ "$pmq" = true -a "$IN_DEV" = "$IN_DEV1" ] && masq="true" ! elif [ "$OUT_DEV" = "$IN_DEV1" ]; then ! [ "$masquerade_int_peri" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! [ "$ipmq" = true -a "$IN_DEV" = "$IN_DEV0" ] && masq="true" ! fi ! ! # masqerading doesnīt support icmp, only accept is valid ! [ "$proto" = icmp -o "$1" != "accept" ] && masq="" ! ! # masqerading uses temporary ports ($msqPorts)! ! if [ "$masq" = true ]; then ! optm="-m $opt" ! srcprtm="$msqPorts" ! else ! optm="$opt" ! srcprtm="$srcprt" ! fi ! ! if [ -n "$OUT_DEV" -a -n "$IN_DEV" ]; then for dev in $IN_DEV; do ! $IPFW -I "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" "$dev" "$iplog" done if [ "$proto" != tcp -o -z "$iplog" ]; then + $IPFW -F "$optm" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" -b + + # masquerade outgoing: rewrite src + if [ "$masq" = true ]; then + srcm="$MFW" + [ "$opt" = -a ] && opt="-i" + fi + for dev in $OUT_DEV; do ! for spm in $srcprtm; do ! $IPFW -O "$opt" "$1" "$ack" "$srcm" "$spm" "$destm" "$destprt" "$proto" "$dev" ! done done fi else ! if [ "$srcm" = "$MFW" -a -n "$IN_DEV" ]; then for dev in $OUT_DEV; do ! 
$IPFW -O "$opt" "$1" "$ack" "$srcm" "$srcprt" "$destm" "$destprt" "$proto" "$dev" "$iplog" done fi diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/ipFilter.sh FCT-1.1/etc/ipFilter.sh *** FCT-1.0.9.p3/etc/ipFilter.sh Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/ipFilter.sh Sun Nov 1 12:15:50 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: ipFilter.sh,v 1.0.9.1 1998/06/01 19:35:03 jens Exp $ ! # $Date: 1998/06/01 19:35:03 $ # # File: ipFilter.sh --- 1,5 ---- #!/bin/sh ! # $Id: ipFilter.sh,v 1.1 1998/10/20 22:02:14 jens Exp jens $ ! # $Date: 1998/10/20 22:02:14 $ # # File: ipFilter.sh *************** *** 21,24 **** --- 21,27 ---- # # $Log: ipFilter.sh,v $ + # Revision 1.1 1998/10/20 22:02:14 jens + # entered into RCS + # # Revision 1.0.9.1 1998/06/01 19:35:03 jens # initial ci -r 1.0.9 *************** *** 73,77 **** [ "$skip" = "false" ] && case "$2" in ! -a) ipopt="@1";; -i) ipopt="";; -d) ipopt=""; ipf_opt="-r";; --- 76,80 ---- [ "$skip" = "false" ] && case "$2" in ! -a*) ipopt="@1";; -i) ipopt="";; -d) ipopt=""; ipf_opt="-r";; *************** *** 110,114 **** srcl=`echo "$5" | sed -e 's/\/.*//'` if [ `grep -c "$srcl" /etc/networks` -gt 0 ]; then ! srcnm=`grep "$srcl" /etc/networks | head -1 | cut -f2` else srcnm="$srcl" --- 113,117 ---- srcl=`echo "$5" | sed -e 's/\/.*//'` if [ `grep -c "$srcl" /etc/networks` -gt 0 ]; then ! srcnm=`grep "$srcl" /etc/networks | head -1 | awk '{print $2}'` else srcnm="$srcl" *************** *** 171,175 **** dstl=`echo "$7" | sed -e 's/\/.*//'` if [ `grep -c "$dstl" /etc/networks` -gt 0 ]; then ! dstnm=`grep "$dstl" /etc/networks | head -1 | cut -f2` else dstnm="$dstl" --- 174,178 ---- dstl=`echo "$7" | sed -e 's/\/.*//'` if [ `grep -c "$dstl" /etc/networks` -gt 0 ]; then ! 
dstnm=`grep "$dstl" /etc/networks | head -1 | awk '{print $2}'` else dstnm="$dstl" diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/ipchains.sh FCT-1.1/etc/ipchains.sh *** FCT-1.0.9.p3/etc/ipchains.sh Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/ipchains.sh Mon Nov 2 00:20:20 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: ipchains.sh,v 1.0.9.1 1998/06/01 19:35:04 jens Exp $ ! # $Date: 1998/06/01 19:35:04 $ # # File: ipchains.sh --- 1,5 ---- #!/bin/sh ! # $Id: ipchains.sh,v 1.1 1998/10/20 22:01:04 jens Exp jens $ ! # $Date: 1998/10/20 22:01:04 $ # # File: ipchains.sh *************** *** 21,24 **** --- 21,27 ---- # # $Log: ipchains.sh,v $ + # Revision 1.1 1998/10/20 22:01:04 jens + # entered into RCS + # # Revision 1.0.9.1 1998/06/01 19:35:04 jens # initial ci -r 1.0.9 *************** *** 92,107 **** # -p: -P $dir $pol # -f: -F $dir $pol [ -n "$pol" ] && j="-j" [ "$pol" = "DENY " ] && l="-l" case "$2" in ! -a) rule="-A $dir $j $pol $l";; ! -i) rule="-I $dir 1 $j $pol $l";; ! -d) rule="-D $dir $j $pol $l";; ! -p) rule="-P $dir $pol ";; ! -f) rule="-F $dir ";; ! *) echo "ERROR / FixMe: modus '$1' isn't implemented yet." ! skip=true;; esac --- 95,115 ---- # -p: -P $dir $pol # -f: -F $dir $pol + # -m: -j MASQ [ -n "$pol" ] && j="-j" [ "$pol" = "DENY " ] && l="-l" + [ `echo "$2" | grep -c -- '-m'` -gt 0 ] && pol="MASQ " + case "$2" in ! -m\ -a) rule="-A -M $dir $j $pol $l";; ! -a) rule="-A -M $dir $j $pol $l";; ! -i) rule="-I $dir 1 $j $pol $l";; ! -m\ -d) rule="-D $dir $j $pol $l";; ! -d) rule="-D $dir $j $pol $l";; ! -p) rule="-P $dir $pol ";; ! -f) rule="-F $dir ";; ! *) echo "ERROR / FixMe: modus '$2' isn't implemented yet." ! skip=true;; esac diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/ipfwadm.sh FCT-1.1/etc/ipfwadm.sh *** FCT-1.0.9.p3/etc/ipfwadm.sh Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/ipfwadm.sh Mon Nov 2 00:20:44 1998 *************** *** 1,5 **** #!/bin/sh ! # $Id: ipfwadm.sh,v 1.0.9.1 1998/06/01 19:35:04 jens Exp $ ! 
# $Date: 1998/06/01 19:35:04 $ # # File: ipfwadm.sh --- 1,5 ---- #!/bin/sh ! # $Id: ipfwadm.sh,v 1.1 1998/10/20 21:59:54 jens Exp jens $ ! # $Date: 1998/10/20 21:59:54 $ # # File: ipfwadm.sh *************** *** 21,24 **** --- 21,27 ---- # # $Log: ipfwadm.sh,v $ + # Revision 1.1 1998/10/20 21:59:54 jens + # entered into RCS + # # Revision 1.0.9.1 1998/06/01 19:35:04 jens # initial ci -r 1.0.9 *************** *** 67,75 **** esac case "$2" in -p) l=' ';; ! -a) l='-o';; ! -i) l='-o';; ! -d) l='-o';; esac --- 70,78 ---- esac + # policy has no log-option case "$2" in -p) l=' ';; ! -*) l='-o';; ! *) l=' ';; esac *************** *** 114,118 **** [ -n "$6" ] && ports="$6" [ -n "$8" ] && ports="$ports -> $8" ! printf "%s %s %-7s %-4s %-4s %-9s %-30s %-30s %s\n" \ "$1" "$2" "$pol" "$pro" "$IPflags" "$ipdev" "$psrc" "$pdst" "$ports" fi --- 117,121 ---- [ -n "$6" ] && ports="$6" [ -n "$8" ] && ports="$ports -> $8" ! printf "%s %5s %-9s %-7s %-4s %-9s %-30s %-30s %s\n" \ "$1" "$2" "$pol" "$pro" "$IPflags" "$ipdev" "$psrc" "$pdst" "$ports" fi diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/sheets/net_cfg.htm FCT-1.1/etc/sheets/net_cfg.htm *** FCT-1.0.9.p3/etc/sheets/net_cfg.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/sheets/net_cfg.htm Sun Nov 1 12:31:56 1998 *************** *** 38,44 **** value="#NETMASK#">($NETMASK) ! Use the variable '$internal' to describe your internal network in other masks - $internal=$DOMAIN/$NETMASK (is defined in Aliases).
  --- 38,66 ---- value="#NETMASK#">($NETMASK) ! ! ! IP Masquerading:  ! !  Internal Network ! ($masquerade_internal) !   masq. $internal -> $perimeter also ! ($masq_int_peri) ! ! ! (for all services!) !  Perimeter Network ! ($masquerade_perimeter) ! !

Use the variable '$internal' to describe your internal network in other masks - $internal=$DOMAIN/$NETMASK (is defined in Aliases). +
+ Normally, IP-Masquerading is only needed for connections to the Internet ($any). + Thus IP-Masquerading takes not place for connections from internal to perimeter + network. You can enable this by checking the '$masquerade_int_peri' variable + above. IP-Masquerading is actually not available for "IP-Filter".
  diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/sheets/services_cfg_body.htm FCT-1.1/etc/sheets/services_cfg_body.htm *** FCT-1.0.9.p3/etc/sheets/services_cfg_body.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/sheets/services_cfg_body.htm Sun Nov 1 12:15:32 1998 *************** *** 1,2 **** --- 1,14 ---- + + + + + + + + + + + + diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/sheets/services_cfg_head.htm FCT-1.1/etc/sheets/services_cfg_head.htm *** FCT-1.0.9.p3/etc/sheets/services_cfg_head.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/sheets/services_cfg_head.htm Sun Nov 1 12:38:32 1998 *************** *** 22,35 ****
Filtered 
Outgoing  !
Incoming
  Int.- / Perim.- / I->P Masqu.  Int.- / Perim.- / I->P Masqu.
- the service is blocked 
- the normal IP-filtering rules are used (as defined in Screening
- only incoming connections are possible (Filtered AND Outgoing)  !
- only incoming connections are possible (Filtered AND Incomming)
!

Services on internal and perimeter network

--- 22,45 ----
Filtered 
Outgoing  !
Incoming !
  !
Int.- Masquerading !
Perim.- Masquerading !
I->P - Masquerading ! - the service is blocked 
- the normal IP-filtering rules are used (as defined in Screening
- only incoming connections are possible (Filtered AND Outgoing)  !
- only incoming connections are possible (Filtered AND Incomming) !
  !
- IP-Masquerading for service from internal network (to $ANY) !
- IP-Masquerading for service from perimeter network (to $ANY) !
- IP-Masquerading for service from internal to perimeter network ! !

Services and IP-Masquerading on internal and perimeter network

diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/sheets/trusted_cfg_body.htm FCT-1.1/etc/sheets/trusted_cfg_body.htm *** FCT-1.0.9.p3/etc/sheets/trusted_cfg_body.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/sheets/trusted_cfg_body.htm Thu Jan 1 01:00:00 1970 *************** *** 1,6 **** - - - - - - --- 0 ---- diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/etc/sheets/trusted_cfg_head.htm FCT-1.1/etc/sheets/trusted_cfg_head.htm *** FCT-1.0.9.p3/etc/sheets/trusted_cfg_head.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/etc/sheets/trusted_cfg_head.htm Sun Nov 1 12:47:51 1998 *************** *** 20,23 ****

! ! --- 20,31 ----

! !

HostInterfaceFirewall
! ! ! ! ! ! ! ! diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/firewallct.lsm FCT-1.1/firewallct.lsm *** FCT-1.0.9.p3/firewallct.lsm Sat Oct 31 12:12:07 1998 --- FCT-1.1/firewallct.lsm Sun Nov 1 13:51:35 1998 *************** *** 1,21 **** Begin3 Title: FCT - Firewall Configuration Tool ! Version: 1.0.9 ! Entered-date: 01JUN98 Description: A HTML based tool for the configuration of a firewall. It uses a WEB-Interface, but can also be configured in a shell with vi ;-) Automatically script-generation for IP-filtering commands ! (ipfwadm, ipchains, IP-Filter/ipf) on a firewall for multiple interfaces and _any_ internet services. Keywords: firewall ipfwadm ipchains IP-Filter ! Author: jens.hellmerichs-friedrich@fen.baynet.de (Jens Hellmerichs-Friedrich) ! Maintained-by: jens.hellmerichs-friedrich@fen.baynet.de (Jens Hellmerichs-Friedrich) Primary-site: http://www.fen.baynet.de ~ft114/ftp ! 1k firewallct-1.0.9.lsm ! 110k firewallct-1.0.9.tar.gz Alternate-site: sunsite.unc.edu /pub/Linux/system/network/admin ! 1k firewallct-1.0.9.lsm ! 110k firewallct-1.0.9.tar.gz Original-site: http://www.fen.baynet.de ~ft114/ftp Platforms: UNIX (Linux, Solaris, HP-UX, ...), ipfwadm | ipchains | IP-Filter, CGI, perl --- 1,21 ---- Begin3 Title: FCT - Firewall Configuration Tool ! Version: 1.1.0 ! Entered-date: 01NOV98 Description: A HTML based tool for the configuration of a firewall. It uses a WEB-Interface, but can also be configured in a shell with vi ;-) Automatically script-generation for IP-filtering commands ! (ipfwadm, ipchains, IP-Filter) on a firewall for multiple interfaces and _any_ internet services. Keywords: firewall ipfwadm ipchains IP-Filter ! Author: jhf@altavista.net (Jens Hellmerichs-Friedrich) ! Maintained-by: jhf@altavista.net (Jens Hellmerichs-Friedrich) Primary-site: http://www.fen.baynet.de ~ft114/ftp ! 1k firewallct-1.1.0.lsm ! 106k firewallct-1.1.0.tar.gz Alternate-site: sunsite.unc.edu /pub/Linux/system/network/admin ! 1k firewallct-1.1.0.lsm ! 
106k firewallct-1.1.0.tar.gz Original-site: http://www.fen.baynet.de ~ft114/ftp Platforms: UNIX (Linux, Solaris, HP-UX, ...), ipfwadm | ipchains | IP-Filter, CGI, perl diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/html/firewall.htm FCT-1.1/html/firewall.htm *** FCT-1.0.9.p3/html/firewall.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/html/firewall.htm Sun Nov 1 13:45:00 1998 *************** *** 1,10 **** ! ! ! ! ! Firewall Configuration Tool --- 1,9 ---- ! FCT - Firewall Configuration Tool ! ! ! *************** *** 70,77 ****

!


(c) 1998 Jens Hellmerichs-Friedrich  This software is free software under the terms of the GNU GPL - SEE THE COPYRIGHT. !

! Download FCT from my ftp directory on my homepage. --- 69,76 ----

!


This software is free software under the terms of the GNU GPL - SEE THE COPYRIGHT. !
! (c) 1998 Jens Hellmerichs-Friedrich  diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/html/index.htm FCT-1.1/html/index.htm *** FCT-1.0.9.p3/html/index.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/html/index.htm Sun Nov 1 13:44:24 1998 *************** *** 1,8 **** ! Firewall Configuration Tool ! ! ! --- 1,8 ---- ! FCT - Firewall Configuration Tool (V 1.1) ! ! ! diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/html/man.htm FCT-1.1/html/man.htm *** FCT-1.0.9.p3/html/man.htm Sat Oct 31 12:12:06 1998 --- FCT-1.1/html/man.htm Sun Nov 1 23:39:22 1998 *************** *** 7,11 ****

! FCT - Firewall Configuration Tool (V.1.0.9)

The Firewall Configuration Tool (FCT) is a configuration tool for setting up a firewall on a UNIX-Host with a HTML-Browser like --- 7,11 ----

! FCT - Firewall Configuration Tool (V.1.1)

The Firewall Configuration Tool (FCT) is a configuration tool for setting up a firewall on a UNIX-Host with a HTML-Browser like *************** *** 575,579 ****
  • ! Support for IP-Masquerading / NAT / REDIR ?
  • --- 575,579 ----
  • ! Support for NAT / REDIR ?
  • diff -r -C2 -N -xRCS -x*.v FCT-1.0.9.p3/index.html FCT-1.1/index.html *** FCT-1.0.9.p3/index.html Thu Jan 1 01:00:00 1970 --- FCT-1.1/index.html Sun Nov 1 12:16:32 1998 *************** *** 0 **** --- 1,13 ---- + + + + + + + +

    + FCT - Firewall Configuration Tool

    + Please use  /FCT/html/index.htm  + to configure FCT. + +
  • Host Interface Firewall Log
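Review bot: typo in the new 1.1.0 entry of CHANGES (hunk 18,21/18,24): `ipchanis` should read `ipchains`. Since net_cfg.htm and gateway.sh in this same patch both state that masquerading is not available for IP-Filter, the changelog line should say so too, otherwise "every service" reads as if all three back ends were covered.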
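Review bot: the apache snippets in the new FAQ (Q3 and Q4) keep `order allow,deny` / `allow from all` on the document root and add only `Options ExecCGI` for the FCT directory, with no access restriction or authentication on the `/FCT` alias, although the scripts under `/FCT/cgi-bin/` rewrite the firewall configuration. The FAQ should show a Directory stanza for `/var/adm/FCT` that limits access to the administrator's host (`order deny,allow`, `deny from all`, `allow from <admin host>`) and/or requires HTTP authentication, and should say that the HTTP daemon must not listen on the outside interface. Minor spelling in the same hunk: `coorect`, `insīt` (mis-encoded `isn't`), `who do i configure` (`how do I`), `the later` (`the latter`), `aditional`, `proceses`.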
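Review bot: in the Install.sh hunk 129,133/133,139 the httpd user guess `ps $ps_opt | grep -v grep | grep http | sort -r | head -1 | cut -f1 -d" "` is fragile: `grep http` matches any process line containing `http` (a browser, or this tool's own path under a directory named after it), and `sort -r | head -1` takes the lexically greatest user column, which for the common `root` parent plus `nobody` children pair is `root`, i.e. the privileged parent rather than the child that actually has to read the files (the FAQ in this patch describes exactly that process layout). Something like `ps $ps_opt | awk '/[h]ttpd/ && $1 != "root" {print $1; exit}'` would pick the unprivileged child. Also `ans=y` is set unconditionally right after the guess; if `ans` feeds a later confirmation prompt, a wrong guess is now applied without the administrator seeing it, so either drop that line or comment that it is meant for non-interactive installs.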
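Review bot: the heredoc lines `imq="\$imq_${1}"`, `pmq="\$pmq_${1}"`, `ipmq="\$ipmq_${1}"` in the create_service_rules.cgi hunk 93,96/96,104 build a shell variable name from the service name, so they only work when that name is a valid identifier; a service named `x-win` or `pop.3` yields `$imq_x-win`, which the shell reads as `$imq_x` followed by `-win`. Since form_cfg_services.cgi writes whatever name the form sent, either validate service names against `^[A-Za-z_][A-Za-z0-9_]*$` where they are written, or map `-` and `.` to `_` consistently on both sides.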
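Review bot: variable-name mismatch for the internal-to-perimeter masquerade flag in the fill_net_cfg.cgi hunk 83,86/89,101: this script reads `$Def{"masqu_int_peri"}`, net_cfg.htm labels the checkbox `($masq_int_peri)` while its help text says `'$masquerade_int_peri'`, and gateway.sh tests `$masquerade_int_peri`. Only one of these spellings can be the key stored in net.cfg, so at least two of the consumers will never see the value and the I->P checkbox will either never show as checked or never take effect. Pick one name (the gateway.sh spelling `masquerade_int_peri` matches the existing `masquerade_internal` and `masquerade_perimeter`) and use it in all three files.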
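Review bot: in list_services (fill_services_cfg.cgi hunk 49,56/52,63) the capture for `$pmq`, `/.*[^i]pmq_.*?="*(.*)\b.*$/`, is greedy: on a line such as `telnet="OUT"; imq_telnet="false"; pmq_telnet="false"; ipmq_telnet="true"` it captures `false"; ipmq_telnet="true`, so the later `$pmq =~ /true/` test checks the perimeter box whenever only the I->P box was set. Use the non-greedy form already used for `imq`, `(.*?)"*[;\s]`, or better `/\bpmq_\w+="?(\w+)/` and `/\bipmq_\w+="?(\w+)/`, and compare with `eq "true"` instead of a substring match. Two smaller points: `$imq=checked;` and the two lines like it assign a bareword, quote it as `"checked"` so the script survives `use strict`; and the `next unless ( -r "$cfg_dir/$service.def" )` guard is now commented out, so an entry in services.cfg without a definition file is listed and later handed to create_service_rules.cgi, which should be stated in a comment if intended.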
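Review bot: read_form in the form_cfg_services.cgi hunk 29,49/32,93 writes `$name="$value"` into services.cfg, and create_service_rules.cgi in this same patch sources that file with `. \$FWDIR/etc/services.cfg`; the only characters removed are `'` and `,`, so a name or value containing `"`, `$`, a backtick, `\` or a newline (all reachable through the `%XX` decoding done just above) is interpreted by the shell that sources the file instead of being stored as data. The legitimate values here are service names, the words BLOCKED/FILTERED/IN/OUT and true/false, so validate with an allow-list (for example `next unless $name =~ /^\w+$/ and $value =~ /^[\w.:\/ -]+$/;`) rather than stripping two characters. Also: `$value =~ s///g;` has an empty pattern, which in Perl reuses the last successfully matched regex, so if a carriage return was meant write `s/\r//g`; `$fwdir=`pwd`` assumes the server changed into cgi-bin before exec (mod_cgi does, other servers may not), where the old `$0`-based derivation did not; and `open (CFG, ">>$_[0]")` has no `or die`, so a failed open silently leaves the header-only copy as the whole config.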
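Review bot: the new `msqPorts="1024:5999 6004:65535"` in the aliases.cfg hunk 41,44/41,47 leaves 6000-6003 out without saying why; a comment that these are the X11 display ports (6000 plus display number) would keep the next editor from "fixing" the gap. `isnīt` in the comment is a mis-encoded `isn't`.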
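Review bot: the parameter table in the gateway.sh hunk 81,84/90,94 adds `# msq imq | pmq`, but ipgw never reads a positional `msq` argument; the flags are taken from the environment variables `$imq`, `$pmq`, `$ipmq` (set per service by create_service_rules.cgi) and `$masquerade_internal`, `$masquerade_perimeter`, `$masquerade_int_peri`. The comment should say that these are environment inputs rather than arguments, and list `ipmq` too.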
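Review bot: in the -I branch (gateway.sh hunk 116,143/141,211) `mopt="$opt"` is only saved inside `if [ "$opt" = -a ]`, but after the loop `opt="$mopt"` is restored whenever `$masq` is set; for a masqueraded rule built with `-d` (delete) or `-i`, `mopt` is empty or stale from an earlier ipgw call, so the `$IPFW -O` rules that follow are emitted with an empty or wrong mode. Save `mopt="$opt"` unconditionally before the `if`, and clear `mopt` and `mdest` at the top of ipgw next to `masq=""`. In the comments `masqerading` should be `masquerading` and `doesnīt` is a mis-encoded `doesn't` (same in the -O branch).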
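Review bot: in the -O branch (gateway.sh hunk 156,173/224,273) `optm="-m $opt"` is passed to `$IPFW -F "$optm"` as one quoted word, so the back-end scripts receive `$2` equal to `-m -a`; only ipchains.sh in this patch matches that form (`-m\ -a`), ipFilter.sh matches it as `-a*` and ipfwadm.sh only as `-*` for the log flag. Either pass the masquerade flag as a separate argument or document in the back-end interface comment that `$2` may be the two-word mode. The forwarding rule is still only emitted inside `if [ "$proto" != tcp -o -z "$iplog" ]`, which now also gates the masquerade `-F` rule; worth a comment on why logged tcp rules get no forward entry.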
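Review bot: in the ipchains.sh hunk 92,107/95,115 the `-m\ -a` and plain `-a` branches now build the identical rule `-A -M $dir $j $pol $l`, as do `-m\ -d` and `-d`, so the difference between a masquerade rule and an ordinary append lives only in the `grep -c -- '-m'` line that sets `pol="MASQ "`. Two things to check: the plain `-a` case used to be `-A $dir ...` and now carries `-M` on every appended rule, which looks like a copy-paste slip; and in ipchains `-M` is the masquerading view/set command used with `-L` and `-S`, not a rule option, so combining it with `-A` is likely to be rejected as conflicting commands. The masquerade target is already fully expressed by `-j MASQ` on the forward chain, so I would drop `-M` from both branches. `grep -c -- '-m'` also matches `-m` anywhere in `$2`; `case "$2" in -m\ *)` would be tighter. Reporting `$2` instead of `$1` in the error message is a correct fix.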
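Review bot: CHANGES says masquerading works with ipfwadm, but the ipfwadm.sh hunks 67,75/70,78 and 114,118/117,121 only widen the log-option case to `-*` and adjust printf widths; nothing in the diff turns the `-m -a` mode that gateway.sh now passes in `$2` into an ipfwadm forwarding rule with the masquerade policy (`ipfwadm -F -a m ...`), and the new `-*)` arm would silently accept a `-m -a` it does not otherwise handle. If that translation lives in an unchanged part of ipfwadm.sh, please mention it in the log message; otherwise it is missing.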
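Review bot: the `cut -f2` to `awk '{print $2}'` change in the ipFilter.sh hunks 110,114/113,117 and 171,175/174,178 is right (`/etc/networks` is space-separated), but `grep -c "$srcl" /etc/networks` and the `grep "$srcl" ... | head -1` that follows remain unanchored substring matches, so a name like `net` resolves to the first line containing it (e.g. `internet`) and `10.1.1` matches `10.1.10`; use `grep "^$srcl[[:space:]]"` (or `awk -v n="$srcl" '$1==n {print $2; exit}'`) in both places, same for `dstl`. The `-a*)` case in hunk 73,77/76,80 now treats a `-m -a` mode as a plain append; that is only safe because gateway.sh clears the masquerade flags for `f_ipfilter`, so a comment saying so would stop someone from removing that guard.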
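Review bot: help text in the net_cfg.htm hunk 38,44/38,66: "takes not place" should be "does not take place", and "actually not available" means "currently not available" here. The checkbox is labelled `($masq_int_peri)` while the sentence below refers to `'$masquerade_int_peri'`; use one name, and make it the one fill_net_cfg.cgi actually reads.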
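Review bot: in the legend of services_cfg_head.htm (hunk 22,35/22,45) the Outgoing row still reads "only incoming connections are possible (Filtered AND Outgoing)"; it should say "only outgoing connections". "Incomming" should be "Incoming", and the three new masquerading rows read better as "IP-Masquerading for a service from the internal network".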