lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-14 08:34:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

system: do a little thing called ftp-proxy(8) for clients #155

Browse Source 
While there, clean up a little and remove the dysfunct tftp-proxy.
Server part is a little harder, but can be done, too.
This commit is contained in:
Franco Fichtner 2015-04-29 11:23:00 +02:00
parent f5fc00dd19
commit 87f2fc9711
3 changed files with 39 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
src/etc/inc/filter.inc
View File

@ -1738,20 +1738,15 @@ function filter_nat_rules_generate() {
unset($tonathosts, $tonathosts_array, $numberofnathosts);
}
/* load balancer anchor */
$natrules .= "\n# Load balancing anchor\n";
$natrules .= "\n# Load balancing\n";
$natrules .= "rdr-anchor \"relayd/*\"\n";
update_filter_reload_status(gettext("Setting up TFTP helper"));
$natrules .= "# TFTP proxy\n";
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
if (!empty($config['system']['tftpinterface'])) {
$tftpifs = explode(",", $config['system']['tftpinterface']);
foreach($tftpifs as $tftpif) {
if ($FilterIflist[$tftpif])
$natrules .= "rdr pass on {$FilterIflist[$tftpif]['if']} proto udp from any to any port tftp -> 127.0.0.1 port 6969\n";
}
if (isset($config['system']['ftp-proxy']['client'])) {
$natrules .= "\n# FTP proxy\n";
$natrules .= "nat-anchor \"ftp-proxy/*\"\n";
$natrules .= "rdr-anchor \"ftp-proxy/*\"\n";
$natrules .= "rdr pass proto tcp to port ftp -> 127.0.0.1 port 8021\n";
mwexec('service ftp-proxy onerestart');
}
/* DIAG: add ipv6 NAT, if requested */
@ -1762,13 +1757,7 @@ function filter_nat_rules_generate() {
$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto ipv6 from any to any -> {$config['diag']['ipv6nat']['ipaddr']}\n";
}
if(file_exists("/var/etc/inetd.conf"))
@unlink("/var/etc/inetd.conf");
// Open inetd.conf write handle
$inetd_fd = fopen("/var/etc/inetd.conf","w");
/* add tftp protocol helper */
// TODO triggers "inetd[28893]: tftp-proxy/udp: unknown service"
//fwrite($inetd_fd, "tftp-proxy\tdgram\tudp\twait\t\troot\t/usr/libexec/tftp-proxy\ttftp-proxy -v\n");
$inetd_fd = fopen('/var/etc/inetd.conf', 'w');
if(isset($config['nat']['rule'])) {
/* start reflection redirects on port 19000 of localhost */
@ -1928,8 +1917,9 @@ function filter_nat_rules_generate() {
if($reflection_type == "proxy" && !isset($rule['nordr'])) {
$natrules .= filter_generate_reflection_proxy($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $starting_localhost_port, $reflection_rules);
$nat_if_list = array($natif);
foreach ($reflection_rules as $txtline)
foreach ($reflection_rules as $txtline) {
fwrite($inetd_fd, $txtline);
}
} else if($reflection_type == "purenat" || isset($rule['nordr'])) {
$rdr_if_list = implode(" ", $nat_if_list);
if(count($nat_if_list) > 1)
@ -1949,7 +1939,8 @@ function filter_nat_rules_generate() {
}
}
}
fclose($inetd_fd); // Close file handle
fclose($inetd_fd);
if (isset($config['pptpd']['mode']) && ($config['pptpd']['mode'] != "off")) {
if ($config['pptpd']['mode'] == "redir") {
@ -1961,20 +1952,17 @@ function filter_nat_rules_generate() {
}
$natrules .= "# UPnPd rdr anchor\n";
$natrules .= "\n# UPnP\n";
$natrules .= "rdr-anchor \"miniupnpd\"\n";
if(!empty($reflection_txt))
if (!empty($reflection_txt)) {
$natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt;
}
// Check if inetd is running, if not start it. If so, restart it gracefully.
$helpers = is_process_running('inetd');
if (file_exists('/var/etc/inetd.conf')) {
if (!$helpers) {
mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
} else {
killbypid('/var/run/inetd.pid', 'HUP');
}
if (!isvalidpid('/var/run/inetd.pid')) {
mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
} else {
killbypid('/var/run/inetd.pid', 'HUP');
}
return $natrules;
@ -2585,6 +2573,12 @@ function filter_rules_generate()
$ipfrules .= "anchor \"openvpn/*\"\n";
/* IPsec user rules from radius */
$ipfrules .= "anchor \"ipsec/*\"\n";
if (isset($config['system']['ftp-proxy']['client'])) {
$ipfrules .= "\nanchor \"ftp-proxy/*\"\n";
$ipfrules .= "pass out quick proto tcp from 127.0.0.1 to port ftp\n";
}
# BEGIN OF firewall rules
/* default block logging? */
$log = array();
@ -2595,13 +2589,13 @@ function filter_rules_generate()
if(!isset($config['system']['ipv6allow'])) {
$ipfrules .= "# Block all IPv6\n";
$ipfrules .= "\n# Block all IPv6\n";
$ipfrules .= "block in {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
$ipfrules .= "block out {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
}
$ipfrules .= <<<EOD
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
@ -3139,8 +3133,6 @@ EOD;
update_filter_reload_status(gettext("Creating IPsec rules..."));
$ipfrules .= filter_generate_ipsec_rules($log);
$ipfrules .= "\nanchor \"tftp-proxy/*\"\n";
update_filter_reload_status("Creating uPNP rules...");
if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd']['config'][0])) {
if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable']))

2
src/etc/inc/interfaces.inc
View File

@ -1581,7 +1581,7 @@ function interface_ppps_configure($interface)
$descr = isset($ifcfg['descr']) ? $ifcfg['descr'] : strtoupper($interface);
echo "starting {$pppif} link...";
// Do not re-configure the interface if we are booting and it's already been started
if (isvalidproc("/var/run/{$ppp['type']}_{$interface}.pid")) {
if (isvalidpid("/var/run/{$ppp['type']}_{$interface}.pid")) {
return 0;
}
}

32
src/www/system_advanced_firewall.php
View File

@ -55,11 +55,10 @@ $pconfig['enablebinatreflection'] = $config['system']['enablebinatreflection'];
$pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
$pconfig['ftp-proxy-client'] = isset($config['system']['ftp-proxy']['client']);
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
@ -179,10 +178,11 @@ if ($_POST) {
else
unset($config['system']['disablescrub']);
if ($_POST['tftpinterface'])
$config['system']['tftpinterface'] = implode(",", $_POST['tftpinterface']);
else
unset($config['system']['tftpinterface']);
if ($_POST['ftp-proxy-client'] == 'yes') {
$config['system']['ftp-proxy']['client'] = true;
} else {
unset($config['system']['ftp-proxy']['client']);
}
if ($_POST['bogonsinterval'] != $config['system']['bogons']['interval']) {
switch ($_POST['bogonsinterval']) {
@ -502,22 +502,12 @@ include("head.inc");
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("TFTP Proxy");?></td>
<td width="22%" valign="top" class="vncell"><?=gettext("FTP Proxy");?></td>
<td width="78%" class="vtable">
<select name="tftpinterface[]" multiple="multiple" class="formselect selectpicker" data-style="btn-default" data-width="auto">
<?php
$ifdescs = get_configured_interface_with_descr();
$rowIndex = 0;
foreach ($ifdescs as $ifent => $ifdesc):
$rowIndex++;
?>
<option value="<?=$ifent;?>" <?php if (in_array($ifent, $pconfig['tftpinterface'])) echo "selected=\"selected\""; ?>><?=gettext($ifdesc);?></option>
<?php endforeach;
if ($rowIndex == 0)
echo "<option></option>";
?>
</select>
<strong><?=gettext("Choose the interfaces where you want TFTP proxy helper to be enabled.");?></strong>
<input name="ftp-proxy-client" type="checkbox" id="ftp-proxy-client" value="yes" <?php if (isset($config['system']['ftp-proxy']['client'])) echo "checked=\"checked\""; ?> />
<strong><?=gettext("Enable FTP proxy for clients");?></strong>
<br />
<?=gettext("Configures the FTP proxy to allow for client connections behind the firewall using active file transfer mode.");?>
</td>
</tr>