Revision: 7262
http://sourceforge.net/p/ipcop/svn/7262
Author: owes
Date: 2014-02-28 21:50:59 +0000 (Fri, 28 Feb 2014)
Log Message:
-----------
Use a separate port (tcp/82) for transparent proxy and adjust the needed
firewall rules. While there reserve tcp/83 for future use.
tcp/82 is fixed just like tcp/81, no setreservedports helper to modify it
Modified Paths:
--------------
ipcop/trunk/src/libs/DataAccess.pl
ipcop/trunk/src/misc-progs/restartsquid.c
ipcop/trunk/src/scripts/makesquidconf.pl
ipcop/trunk/src/scripts/puzzleFwRules.pl
ipcop/trunk/updates/2.1.2/ROOTFILES.i486-2.1.2
Modified: ipcop/trunk/src/libs/DataAccess.pl
===================================================================
--- ipcop/trunk/src/libs/DataAccess.pl 2014-02-28 21:37:52 UTC (rev 7261)
+++ ipcop/trunk/src/libs/DataAccess.pl 2014-02-28 21:50:59 UTC (rev 7262)
@@ -43,11 +43,13 @@
$DATA::policyFile = "/var/ipcop/firewall/policy";
@DATA::ruleKeys_unique = (
- 'SRC_NET_TYPE', 'SRC_NET', 'SRC_ADR_TYPE', 'SRC_ADR',
'INV_SRC_ADR',
- 'SRC_PORT', 'INV_SRC_PORT', 'PORTFW_EXT_ADR',
'PORTFW_SERVICE_TYPE','PORTFW_SERVICE',
- 'DST_NET_TYPE', 'DST_NET', 'DST_IP_TYPE',
- 'DST_IP', 'INV_DST_IP', 'SERVICE_TYPE', 'SERVICE',
'LOG_ENABLED', 'LIMIT_FOR',
- 'LIMIT_TYPE', 'MATCH_LIMIT', 'MATCH_STRING_ON', 'MATCH_STRING',
'INV_MATCH_STRING', 'RULEACTION'
+ 'SRC_NET_TYPE', 'SRC_NET', 'SRC_ADR_TYPE', 'SRC_ADR',
'INV_SRC_ADR', 'SRC_PORT', 'INV_SRC_PORT',
+ 'PORTFW_EXT_ADR', 'PORTFW_SERVICE_TYPE','PORTFW_SERVICE',
+ 'DST_NET_TYPE', 'DST_NET', 'DST_IP_TYPE', 'DST_IP',
'INV_DST_IP',
+ 'SERVICE_TYPE', 'SERVICE',
+ 'LOG_ENABLED', 'LIMIT_FOR', 'LIMIT_TYPE',
+ 'MATCH_LIMIT', 'MATCH_STRING_ON', 'MATCH_STRING', 'INV_MATCH_STRING',
+ 'RULEACTION'
);
@DATA::ruleKeys_all = ('ENABLED', 'RULEMODE', @DATA::ruleKeys_unique,
'TIMEFRAME_ENABLED', 'REMARK');
@@ -132,6 +134,14 @@
$dServices->{'IPCop http'}{'PORT_IPT'} = "--dport 81";
$dServices->{'IPCop http'}{'PORT_NR'} = '81';
$dServices->{'IPCop http'}{'PROTOCOL'} = 'tcp';
+ # use tcp/82 as intercept proxy port
+ $dServices->{'IPCop proxy-int-1'}{'PORT_IPT'} = "--dport 82";
+ $dServices->{'IPCop proxy-int-1'}{'PORT_NR'} = '82';
+ $dServices->{'IPCop proxy-int-1'}{'PROTOCOL'} = 'tcp';
+ # reserve tcp/83 for proxy future use
+ $dServices->{'IPCop proxy-int-2'}{'PORT_IPT'} = "--dport 83";
+ $dServices->{'IPCop proxy-int-2'}{'PORT_NR'} = '83';
+ $dServices->{'IPCop proxy-int-2'}{'PROTOCOL'} = 'tcp';
my $ssh = '8022';
if (defined($mainsettings{'SSHPORT'})) {
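Review bot: The intercept port number 82 is now hard-coded independently in three files — this service table, `PORT_PROXY_INTERCEPT` in restartsquid.c, and `$http_intercept_port` in makesquidconf.pl — with nothing tying them together, so a later change to one of them silently breaks either the REDIRECT target or the firewall opening. Since the log message states the value is deliberately fixed with no setreservedports helper, a comment at each site should name the others, e.g. `# tcp/82 is fixed: must match PORT_PROXY_INTERCEPT in restartsquid.c and $http_intercept_port in makesquidconf.pl`. The 'IPCop proxy-int-2' entry for tcp/83 is added to the service table only and is not referenced by puzzleFwRules.pl in this commit, which is consistent with it being reserved, but its comment should say explicitly that it is intentionally not opened anywhere yet. The same cross-reference comment belongs on the `#define` hunk in restartsquid.c and the `$http_intercept_port` hunk in makesquidconf.pl.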
Modified: ipcop/trunk/src/misc-progs/restartsquid.c
===================================================================
--- ipcop/trunk/src/misc-progs/restartsquid.c 2014-02-28 21:37:52 UTC (rev
7261)
+++ ipcop/trunk/src/misc-progs/restartsquid.c 2014-02-28 21:50:59 UTC (rev
7262)
@@ -42,6 +42,7 @@
#include "common.h"
#include "setuid.h"
+#define PORT_PROXY_INTERCEPT 82
void usage(char *prg, int exit_code)
{
@@ -471,8 +472,8 @@
/* install the redirect for other port http destinations from green */
if (snprintf(buffer, STRING_SIZE - 1,
- "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %s",
- ipcop_ethernet.device[GREEN][1], proxy_port) >=
STRING_SIZE) {
+ "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %d",
+ ipcop_ethernet.device[GREEN][1], PORT_PROXY_INTERCEPT) >=
STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
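Review bot: The truncation check on the snprintf call that now takes `PORT_PROXY_INTERCEPT` is off by one: the length passed is `STRING_SIZE - 1`, so a return value of `STRING_SIZE - 1` already means the command was cut short, yet only `>= STRING_SIZE` is rejected. This is pre-existing, but the commit rewrites all three call sites (green here, blue and OpenVPN in the next two hunks), so it is the moment to change the comparison to `>= STRING_SIZE - 1`, or to pass `STRING_SIZE` as the length if `buffer` really holds STRING_SIZE bytes (its declaration is outside the hunk). With the port now a compile-time constant the only varying argument is the interface name, so one shared format-string constant for the three calls would also remove the triple copy of the iptables command. The enclosing function starts and ends outside the hunk.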
@@ -493,8 +494,8 @@
/* install the redirect for other port http destinations from blue */
if (snprintf(buffer, STRING_SIZE - 1,
- "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %s",
- ipcop_ethernet.device[BLUE][1], proxy_port) >=
STRING_SIZE) {
+ "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %d",
+ ipcop_ethernet.device[BLUE][1], PORT_PROXY_INTERCEPT) >=
STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
@@ -515,8 +516,8 @@
/* install the redirect for other port http destinations from OpenVPN
*/
if (snprintf(buffer, STRING_SIZE - 1,
- "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %s",
- "tun0", proxy_port) >= STRING_SIZE) {
+ "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80
-j REDIRECT --to-port %d",
+ "tun0", PORT_PROXY_INTERCEPT) >= STRING_SIZE) {
fprintf(stderr, "Command too long\n");
exit(1);
}
Modified: ipcop/trunk/src/scripts/makesquidconf.pl
===================================================================
--- ipcop/trunk/src/scripts/makesquidconf.pl 2014-02-28 21:37:52 UTC (rev
7261)
+++ ipcop/trunk/src/scripts/makesquidconf.pl 2014-02-28 21:50:59 UTC (rev
7262)
@@ -28,6 +28,7 @@
require '/usr/lib/ipcop/general-functions.pl';
my $http_port='81';
+my $http_intercept_port='82';
my $https_port='8443'; # default value, pull actual value from
main/settings later
my %mainsettings=();
@@ -329,22 +330,25 @@
if ($proxysettings{'ENABLED_GREEN_1'} eq 'on') {
print FILE "http_port
$netsettings{'GREEN_1_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
- if ($proxysettings{'TRANSPARENT_GREEN_1'} eq 'on') { print FILE "
intercept" }
if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE "
no-connection-auth" }
print FILE "\n";
+ # intercept port, disables authentication so no need to add no-auth
+ if ($proxysettings{'TRANSPARENT_GREEN_1'} eq 'on') { print FILE
"http_port $netsettings{'GREEN_1_ADDRESS'}:$http_intercept_port intercept\n" }
}
if (($netsettings{'BLUE_COUNT'} >= 1) && ($proxysettings{'ENABLED_BLUE_1'}
eq 'on')) {
print FILE "http_port
$netsettings{'BLUE_1_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
- if ($proxysettings{'TRANSPARENT_BLUE_1'} eq 'on') { print FILE "
intercept" }
if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE "
no-connection-auth" }
print FILE "\n";
+ # intercept port, disables authentication so no need to add no-auth
+ if ($proxysettings{'TRANSPARENT_BLUE_1'} eq 'on') { print FILE
"http_port $netsettings{'BLUE_1_ADDRESS'}:$http_intercept_port intercept\n" }
}
if ($proxysettings{'ENABLED_OVPN'} eq 'on') {
my $serverip =
NetAddr::IP->new($ovpnsettings{'DOVPN_SUBNET'})->first()->addr();
print FILE "http_port $serverip:$proxysettings{'PROXY_PORT'}";
- if ($proxysettings{'TRANSPARENT_OVPN'} eq 'on') { print FILE "
intercept" }
if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE "
no-connection-auth" }
print FILE "\n";
+ # intercept port, disables authentication so no need to add no-auth
+ if ($proxysettings{'TRANSPARENT_OVPN'} eq 'on') { print FILE
"http_port $serverip:$http_intercept_port intercept\n" }
}
if (($proxysettings{'CACHE_SIZE'} > 0) || ($proxysettings{'CACHE_MEM'} >
0)) {
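Review bot: The listener block is now duplicated three times (green, blue, OpenVPN) with only the bind address and the TRANSPARENT_* key differing, and the added intercept line plus its comment make each copy two lines longer, so the next proxy option will have to be maintained in three places. A small helper taking the address and the transparent flag keeps the regular and intercept `http_port` lines together, and each of the three branches then reduces to a single call. The sketch below assumes `%proxysettings`, `$http_intercept_port` and the FILE handle are file-scoped, as the surrounding code suggests but the hunk does not show; the block enclosing this hunk starts and ends outside it.
```perl
# Emit the listener line(s) for one proxy-enabled address: the regular
# http_port, and the separate intercept port when transparent mode is on.
sub print_http_ports {
    my ($addr, $transparent) = @_;
    print FILE "http_port $addr:$proxysettings{'PROXY_PORT'}";
    if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE " no-connection-auth" }
    print FILE "\n";
    # intercept port, disables authentication so no need to add no-auth
    if ($transparent eq 'on') { print FILE "http_port $addr:$http_intercept_port intercept\n" }
    return;
}

if ($proxysettings{'ENABLED_GREEN_1'} eq 'on') {
    print_http_ports($netsettings{'GREEN_1_ADDRESS'}, $proxysettings{'TRANSPARENT_GREEN_1'});
}
# … unchanged: BLUE_1 and OVPN branches, each calling print_http_ports with its address and TRANSPARENT_* key …
```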
@@ -728,6 +732,8 @@
print FILE <<END
#Access to squid:
+#http_access allow localhost manager
+http_access deny manager
#local machine, no restriction
http_access allow localhost
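Review bot: The commented-out `#http_access allow localhost manager` line carries no explanation, so a maintainer cannot tell whether cache-manager access from localhost is meant to be enabled later or was deliberately left off; a comment such as `# cache manager is not used on IPCop; allow it from localhost only if squidclient/cachemgr is needed` would settle that. Placing `http_access deny manager` ahead of `http_access allow localhost` is the right order, because http_access is first-match and the later localhost allow would otherwise cover manager requests too — worth stating in a comment so nobody reorders the lines. If the bundled squid predates the built-in `manager` ACL, an explicit `acl manager` definition has to precede this deny or squid rejects the configuration; please confirm against the squid version shipped with this release. The heredoc continues past the end of the hunk.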
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2014-02-28 21:37:52 UTC (rev
7261)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2014-02-28 21:50:59 UTC (rev
7262)
@@ -1061,17 +1061,17 @@
my @ipcopServices = ();
# Some IPCop services for Green
if ($FW::interfaces{$inIface}{'COLOR'} =~ /^GREEN_COLOR$/) {
- @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'IPCop http', 'Ping');
+ @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'IPCop http', 'IPCop proxy-int-1', 'Ping');
# Add a firewall log filter for DHCP broadcast responses
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} -p udp --sport 67 --dport 68 -j DROP");
}
# Some IPCop services for Blue (DHCP, IPsec, OpenVPN are already
opened above)
if ($FW::interfaces{$inIface}{'COLOR'} =~ /^BLUE_COLOR$/) {
- @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'IPCop http', 'Ping');
+ @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'IPCop http', 'IPCop proxy-int-1', 'Ping');
}
# Some IPCop services for IPsec and OpenVPN (no DHCP needed for
VPN)
if ($FW::interfaces{$inIface}{'COLOR'} =~
/^IPSEC_COLOR|OVPN_COLOR$/) {
- @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'IPCop http', 'Ping');
+ @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'IPCop http', 'IPCop proxy-int-1', 'Ping');
}
foreach my $service (@ipcopServices) {
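Review bot: 'IPCop proxy-int-1' is added to the green, blue and IPsec/OpenVPN service lists unconditionally, whereas makesquidconf.pl starts the tcp/82 intercept listener only when the matching TRANSPARENT_* setting is on; unless the `foreach` below consults the proxy settings (its body is outside the hunk), the input chain accepts tcp/82 on each of these interfaces even when transparent mode is off for them. Nothing listens on the port in that case, so the exposure is a closed-port reply rather than an open service, but the rule set should mirror the configuration — add 'IPCop proxy-int-1' to a list only when the corresponding TRANSPARENT_* value is 'on', if this script has access to the proxy settings. The existing lists already treat 'IPCop proxy' on tcp/81 the same way, so this may be accepted practice here, in which case a comment saying the intercept port is opened regardless of the transparent setting would avoid the question. Separately, the context line `/^IPSEC_COLOR|OVPN_COLOR$/` anchors each alternative on one side only; `/^(?:IPSEC_COLOR|OVPN_COLOR)$/` is what is meant.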
Modified: ipcop/trunk/updates/2.1.2/ROOTFILES.i486-2.1.2
===================================================================
--- ipcop/trunk/updates/2.1.2/ROOTFILES.i486-2.1.2 2014-02-28 21:37:52 UTC
(rev 7261)
+++ ipcop/trunk/updates/2.1.2/ROOTFILES.i486-2.1.2 2014-02-28 21:50:59 UTC
(rev 7262)
@@ -11,10 +11,12 @@
/home/httpd/cgi-bin/trafficadm.cgi
/home/httpd/cgi-bin/urlfilter.cgi
/home/httpd/cgi-bin/wireless.cgi
+/usr/lib/ipcop/DataAccess.pl
/usr/lib/ipcop/ddns-lib.pl
/usr/local/bin/dhcpcd.sh
/usr/local/bin/makesquidconf.pl
/usr/local/bin/puzzleFwRules.pl
+/usr/local/bin/restartsquid
/usr/local/bin/setddns.pl
/usr/share/locale/af_ZA/LC_MESSAGES/ipcop.mo
/usr/share/locale/bg_BG/LC_MESSAGES/ipcop.mo