pax_global_header00006660000000000000000000000064123544707650014527gustar00rootroot0000000000000052 comment=2754565524cca7f5ca989fbab6765fe45dd337db uif-1.1.4/000077500000000000000000000000001235447076500123155ustar00rootroot00000000000000uif-1.1.4/COPYRIGHT000066400000000000000000000020511235447076500136060ustar00rootroot00000000000000Copyright (C) 2002-2014 Jörg Platte Copyright (C) 2002-2014 Cajus Pollmeier Copyright (C) 2013-2014 Mike Gabriel Copyright (C) 2013-2014 Alex Owen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Debian GNU/Linux systems, a copy of the GNU General Public License may be found in the file /usr/share/common-licenses/GPL-2. uif-1.1.4/ChangeLog000066400000000000000000000273171235447076500141010ustar00rootroot00000000000000uif (1.1.4-0) unstable; urgency=medium * New upstream version (1.1.4): - Make sure that masq|snat|dnat|nat rules get ignored in IPv6 mode. * debian/copyright, debian/rules: + Update from Debian package." -- Mike Gabriel Tue, 01 Jul 2014 10:28:24 +0200 uif (1.1.3-0) unstable; urgency=low * New upstream version (1.1.3): - Make ICMPv6 neighbor-solicitation (packet type 135) a MUST for the incoming filter in uif.conf. - Make ICMPv6 neighbor-advertisement (packet type 136) a MUST for the incoming filter in uif.conf. - Examples: Provide an IPv4+6 configuration file example. * debian/uif.postinst: + Provide a DebConf mediated workstation config that also protects from IPv6 attacks. -- Mike Gabriel Tue, 03 Jun 2014 23:49:06 +0200 uif (1.1.2-0) unstable; urgency=low * New upstream version (1.1.2): - Provide new protocol: ipv6-icmp. Rework ICMP types in services file. - Add services "rdp" and "vnc-support" to services file. - services file: Use more appropriate icmp packet type names. - uif.conf: Enable inclusion of services file by default. * debian/changelog: + Use revison -0 in package version. * uif.spec: + Update Version: and Release: field. -- Mike Gabriel Tue, 20 May 2014 16:26:18 +0200 uif (1.1.1-0) unstable; urgency=low * New upstream version (1.1.1): - Make sure that hostnames resolve to IPv6 addresses when setting up the IPv6 filtering rules. - Fix typos and mal-used minus signs in uif.conf.5 man page. - Default log level for iptables: crit (not debug). * debian/control: + Alioth-canonicalize Vcs-Git: field. * debian/rules: + Add get-orig-source rule. + Install lintian overrides. Override issue false-positive issue maintainer-script-should-not-use-service. * debian/uif.init: + Leave reporting startup failures to init-functions. + Beautify init script when failures occur. -- Mike Gabriel Wed, 22 Jan 2014 16:31:09 +0100 uif (1.1.0-0) unstable; urgency=low [ Alex Owen ] * New upstream version (1.1.0): - Add IPv6 support. [ Mike Gabriel ] * New upstream version (1.1.0): - Update README, mention issue trackers. - Create README.IPv6 as upstream file. - Provide IPv4/IPv6 capable set of default configuration files. Rename example files to denote that they show IPv4-only examples. - Init script: be more explicit on whether init script actions are IPv4 or IPv6 actions. - Update COPYRIGHT file. Add /me as copyright co-holder and update FSF address. - Update upstream download source in INSTALL file. Mark Net::LDAP as optional dependency. - Drop deb: rule vom Makefile. - Keep lines in README below 80 characters. - Add /me and Alex Owen as copyright holders. - Support filtering rules that apply to IPv4/IPv6 only. - Enable IPv6 support by default. * debian/control: + Drop separate package uif-ldap again. Sync in packaging folder from Debian. + Bump Standards: to 3.9.5. No changes needed. * debian/rules: + Leaving clean-up to dh_clean. * debian/*.docs: + Install README* files into bin:packages. * debian/rules: + Run dh_link during install. * debian/uif.postinst: + Adapt Debianic configuration of workstation profile to IPv6 capabilities. Enable IPv6 by default, as well, on Debian systems. + Calls of update-rc.d are now handled by debhelper. Add #DEBHELPER# macro after the new uif configuration has been created. * debian/uif.init: + Provide an LSB compliant init script for Debian. * debian/uif.install: + Don't install upstream's init script on Debian system. -- Mike Gabriel Wed, 22 Jan 2014 14:36:44 +0100 uif (1.0.8-0) unstable; urgency=low * New upstream version (1.0.8): - uif.pl: convert umlaut to UTF-8, fix FSF address. - Fix hyphens and spelling errors in man pages. -- Mike Gabriel Tue, 11 Jun 2013 00:28:49 +0200 uif (1.0.7-0) unstable; urgency=low [ Alex Owen ] * New upstream version (1.0.7): - Fix "uif uses deprecated position of ! to negate rules". - Make LDAP dependency optional. [ Mike Gabriel ] * New upstream version (1.0.7): - Provide a default (nothing-in/all-out) uif.conf. * debian/control: + Add fields: Vcs-Git, Vcs-Browser. * debian/rules: + Run dh_clean in clean stanza. * debian/source/format: 3.0 (quilt). * Lintian issues fixed: + W: uif source: debian-rules-missing-recommended-target build-arch. + W. uif source: debian-rules-missing-recommended-target build-indep. + W: uif source: stray-translated-debconf-templates templates.de. * Bumped Standards: field to: 3.9.4 (after above changes). [ Gregor Herrmann ] * Fix "New Japanese translation": add ja.po, thanks to victory. -- Mike Gabriel Mon, 10 Jun 2013 23:38:59 +0200 uif (1.0.6-1) unstable; urgency=low * New upstream version. * Fix incompatibility with new conntrack modules. * Fix pending l10n issues. Debconf translations: - Danish. Closes: #590000 * Fix rate limiting issue. Closes: #514993 * Made alias interfaces valid interfaces. Closes: #496751 -- Cajus Pollmeier Mon, 25 Jul 2011 17:28:09 +0200 uif (1.0.5-4.3) unstable; urgency=low * Non-maintainer upload. * Bump debhelper compatibility to 7 * As a consequence, replace obsoleted "dh_clean -k" calls by "dh_prep" * Explicitly use 1.0 as source format * Fix spelling error ("informations") in README.Debian * Drop useless debian/templates.de file * Fix pending l10n issues. Debconf translations: - Spanish (Francisco Javier Cuadrado). Closes: #513352 -- Christian Perrier Tue, 04 May 2010 07:35:54 +0200 uif (1.0.5-4.2) unstable; urgency=low * Non-maintainer upload. * Fix pending l10n issues. Debconf translations: - Swedish. Closes: #492183 - Italian. Closes: #503763 * Remove stray debconf translation debian/templates.de. Superseded by the regular translation debian/po/de.po for ages. -- Christian Perrier Thu, 30 Oct 2008 07:35:35 +0100 uif (1.0.5-4.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. * Add debconf-updatepo to the clean target. Closes: #469254 * Remove useless debian/templates.de file * Fix typos in debconf templates. Closes: #323959 * Remove extra spaces in debconf templates in various places * Remove overzealous exclamation mark in debconf templates * Turn one note into error * Debconf translations: - Portuguese. Closes: #414056 - French. Closes: #471541 - German - Finnish. Closes: #478669 * Basque. Closes: #479450 * Portuguese. Closes: #479627 * Czech. Closes: #479630 * Vietnamese. Closes: #479746 * Galician. Closes: #479834 * Russian. Closes: #480252 * [Lintian] Move po-debconf and debhelper to Build-Depends as they're used in the clean target * [Lintian] Set debhelper compatibility level in debian/compat, not debian/rules -- Christian Perrier Sat, 19 Apr 2008 20:08:36 +0200 uif (1.0.5-4) unstable; urgency=low * Added LSB formatted dependency info (Closes:#469112) -- Cajus Pollmeier Mon, 03 Mar 2008 08:57:11 +0100 uif (1.0.5-3.1) unstable; urgency=low * Non-maintainer upload to fix the pending l10n issues. * Debconf translations: - German corrected. Closes: #313873 - Vietnamese. Closes: #323958 -- Christian Perrier Thu, 8 Feb 2007 18:28:36 +0100 uif (1.0.5-3) unstable; urgency=low * Adjusted command line parameter for tail (Closes:#301414) -- Cajus Pollmeier Fri, 15 Apr 2005 16:01:09 +0200 uif (1.0.5-2) unstable; urgency=low * Added Czech debconf translation contributed by Miroslav Kure (Closes:#287541) -- Cajus Pollmeier Sun, 2 Jan 2005 10:27:28 +0100 uif (1.0.5-1) unstable; urgency=low * New upstream release (Closes:#262363) -- Cajus Pollmeier Sat, 31 Jul 2004 09:28:11 +0200 uif (1.0.4-10) unstable; urgency=low * Added catalan debconf translation (Closes:#248756) -- Cajus Pollmeier Fri, 14 May 2004 11:43:59 +0200 uif (1.0.4-9) unstable; urgency=low * Made init script return an error code if setting the rules failes * Do not try to simplify a group of networks when definitions contain mac addresses -- Cajus Pollmeier Fri, 23 Apr 2004 18:20:27 +0200 uif (1.0.4-8) unstable; urgency=low * Fixed regex in uif which had problems to parse new /etc/protocols -- Cajus Pollmeier Thu, 19 Feb 2004 07:12:48 +0100 uif (1.0.4-7) unstable; urgency=low * Added conflicts to other firewalls (Closes: #223359) * Updated contributed configuration -- Cajus Pollmeier Sat, 13 Dec 2003 20:42:09 +0100 uif (1.0.4-6) unstable; urgency=low * Included french translation done by Michel Grentzinger (Closes: #200673) -- Cajus Pollmeier Thu, 10 Jul 2003 07:30:12 +0200 uif (1.0.4-5) unstable; urgency=low * Converted debconf dialogs to support the new gettext aware translations. (Closes: #199834) * Fixed two little translation bugs for the german i18n -- Cajus Pollmeier Thu, 3 Jul 2003 20:18:27 +0200 uif (1.0.4-4) unstable; urgency=low * Fixed problem when specifying multiple portranges * Added extra checks just in case the kernel has no module support * Updated standards-version -- Cajus Pollmeier Mon, 30 Dec 2002 14:16:52 +0100 uif (1.0.4-3) unstable; urgency=low * Initial Debian release (Closes: #170565) -- Cajus Pollmeier Mon, 25 Nov 2002 16:59:16 +0100 uif (1.0.4-2) unstable; urgency=low * removed debugging output -- Joerg Platte Tue, 8 Oct 2002 08:34:00 +0200 uif (1.0.4-1) unstable; urgency=low * new upstream release fixes mark problems -- Joerg Platte Wed, 14 Aug 2002 11:15:00 +0200 uif (1.0.3-1) unstable; urgency=low * new upstream release -- Cajus Pollmeier Thu, 18 Jul 2002 22:37:38 +0200 uif (1.0.2-1) unstable; urgency=low * New upstream release * Added mark support * Added dhis service * cosmetical changes -- Joerg Platte Thu, 18 Jul 2002 20:39:58 +0200 uif (1.0.1-5) unstable; urgency=low * fixed init script -- Cajus Pollmeier Sun, 30 Jun 2002 20:25:15 +0200 uif (1.0.1-4) unstable; urgency=low * uif depends on bsdutils, added to control -- Cajus Pollmeier Mon, 10 Jun 2002 10:34:31 +0200 uif (1.0.1-3) unstable; urgency=low * Followed lintians suggestions... * Fixed typo in uif.prerm -- Cajus Pollmeier Fri, 31 May 2002 11:19:57 +0200 uif (1.0.1-2) unstable; urgency=low * Fixed uif.prerm to update cleanly -- Cajus Pollmeier Mon, 27 May 2002 10:44:56 +0200 uif (1.0.1-1) unstable; urgency=low * Updated documentation, added more examples * Fixed README to not contain "blahfasel" -- Cajus Pollmeier Sun, 26 May 2002 21:50:21 +0200 uif (1.0.0-3) unstable; urgency=low * fixed typo in uif.pl -- Joerg Platte Sun, 26 May 2002 12:11:21 +0200 uif (1.0.0-2) unstable; urgency=low * NMU :-) * manpage update * added documentation: examples.txt -- Joerg Platte Sun, 26 May 2002 11:15:49 +0200 uif (1.0.0-1) unstable; urgency=low * Initial release. -- Cajus Pollmeier Sun, 24 Feb 2002 17:35:29 +0200 uif-1.1.4/INSTALL000066400000000000000000000012541235447076500133500ustar00rootroot00000000000000UIF 1.0.1 Package ================= This file contains some quick installation hints for the uif package. Download: You can get the newest version at https://github.com/cajus/uif. Dependencies: In order to use the script, you need iptables, perl, NetAddr::IP (>=3.0) and optionally Net::LDAP. Build: Well - there's nothing to build. Just change the PREFIX on top of the Makefile and do a "make install". If you want to start uif during bootup you should add the needed links in /etc/rc*. See file "uif" for a working init script. Debian: You can type "make deb" to create a debian package in /tmp Documentation: Use "man uif" and "man uif.conf" to see what's possible. uif-1.1.4/Makefile000066400000000000000000000037011235447076500137560ustar00rootroot00000000000000# uif-1.1.x Installer Makefile # # Cajus Pollmeier # Jörg Platte # Mike Gabriel # Change here to install to different location PREFIX = ${DESTDIR} VERS = `sed -n "s/[^ ]* (\([0-9.]*\)-[0-9]*).*/\1/p" debian/changelog | head -1` install: @echo "Installing uif script..." @# create directories install -o root -g root -m 700 -d ${PREFIX}/etc/uif install -o root -g root -m 755 -d ${PREFIX}/etc/default install -o root -g root -m 755 -d ${PREFIX}/etc/init.d install -o root -g root -m 755 -d ${PREFIX}/etc/ldap/schema install -o root -g root -m 755 -d ${PREFIX}/usr/sbin install -o root -g root -m 755 -d ${PREFIX}/usr/share/doc/uif install -o root -g root -m 755 -d ${PREFIX}/usr/share/man/man8 install -o root -g root -m 755 -d ${PREFIX}/usr/share/man/man5 @# install files install -o root -g root -m 700 uif.pl ${PREFIX}/usr/sbin/uif install -o root -g root -m 600 default ${PREFIX}/etc/default/uif install -o root -g root -m 600 services ${PREFIX}/etc/uif if [ ! -e ${PREFIX}/etc/uif/uif.conf ]; then install -o root -g root -m 600 uif.conf ${PREFIX}/etc/uif; fi if [ ! -e ${PREFIX}/etc/uif/uif-ipv4-networks.inc ]; then install -o root -g root -m 600 uif-ipv4-networks.inc ${PREFIX}/etc/uif; fi if [ ! -e ${PREFIX}/etc/uif/uif-ipv6-networks.inc ]; then install -o root -g root -m 600 uif-ipv6-networks.inc ${PREFIX}/etc/uif; fi install -o root -g root -m 755 uif ${PREFIX}/etc/init.d install -o root -g root -m 644 uif.schema ${PREFIX}/etc/ldap/schema @# install documentation install -o root -g root -m 644 docs/uif.conf.IPv4.tmpl ${PREFIX}/usr/share/doc/uif install -o root -g root -m 644 docs/uif.conf.IPv4+6.tmpl ${PREFIX}/usr/share/doc/uif install -o root -g root -m 644 docs/examples.IPv4.txt ${PREFIX}/usr/share/doc/uif install -o root -g root -m 644 uif.8 ${PREFIX}/usr/share/man/man8 install -o root -g root -m 644 uif.conf.5 ${PREFIX}/usr/share/man/man5 uif-1.1.4/README000066400000000000000000000021031235447076500131710ustar00rootroot00000000000000README for uif ============== DOCUMENTATION The uif project has been developed for a diskless router system and provides a mechanism to create and simplify packet filter rules. It forces you to provide names for every value you use in order to make firewalls less confusing. Please have a look at the man pages for uif(8) and uif.conf(5). There are also example configurations in the docs/ directory. There is some LDAP support built-in, with that you can handle a big farm of diskles router configurations. Use uif(8) and information provided in the doc/ directory to configure the firewall fitting your needs. BUGS/WISHLIST uif is on Github. If you've found a bug, or have suggestions for future versions please report it via the project's issue tracker: https://github.com/cajus/uif/issues If you have installed uif on Debian, you can also use the Debian BTS for reporting bugs. As the Debian maintainer of uif is a member of the uif upstream development team, the Debian bugs will also reach upstream quickly. Have fun, -Jörg Platte, Cajus Pollmeier, Mike Gabriel, Alex Owen uif-1.1.4/README.IPv6000066400000000000000000000034631235447076500137660ustar00rootroot00000000000000IPv6 support for uif -------------------- Starting with version 1.1.0 uif is able to handle IPv6 iptables as well as IPv4 iptables. The IPv6 support was originally provided by Alex Owen via a patch sent to the Debian bug tracker. Awesome thanks to Alex for this initial piece of work!!! With IPv6 support added, uif can now also produce IPv6 firewall rules. The init script can, by setting IPV6MODE=1 in /etc/default/uif, be made to install the IPv4 rules from /etc/uif/uif.conf and the IPv6 rules from /etc/uif/uif6.conf. Judicious use of the include and include4 and include6 sections of the config files can mean that the ipv6 and ipv4 rules can be identical except for including a network section with IPv4 definitions and IPv6 definitions respectivly. The file uif6.conf can be a sym-link to uif.conf or contain: --uif6.conf-- include { "/etc/uif/uif.conf" } ------------- The file uif.conf can then be used for a single set of rules but can include different network definitions as needed: --uif.conf-- #include common services include { "/etc/uif/services" } # in IPv4 mode include IPv4 network definitions include4 { "/etc/uif/networks4" } #In IPv6 mode include IPv6 network defnintions include6 { "/etc/uif/networks6" } #common filter block for both ipv4 and ipv6 filter { #Put your firewall rules here } ------------ As an addition it is possible to append "(4)" or "(6)" to network names in filtering rules (e.g.: "in+ s=trusted(4)"). This limits the application of this rule to the specified IP protocol version only. This can be especially helpful, if some of your network names only exist for one IP protocol version but not for the other. --- Alex Owen , Sun, 15 Jul 2012 14:41:22 +0100 Mike Gabriel , Wed, 22 Jan 2014 13:50:01 +0100 --- uif-1.1.4/README.LDAP000066400000000000000000000004311235447076500137120ustar00rootroot00000000000000README.LDAP for uif =================== DOCUMENTATION / LDAP There is some LDAP support built into uif, with that you can handle a big farm of diskles router configurations. Use uif(8) and information provided in the doc/ directory to configure the firewall fitting your needs. uif-1.1.4/debian/000077500000000000000000000000001235447076500135375ustar00rootroot00000000000000uif-1.1.4/debian/README.debian000066400000000000000000000011451235447076500156410ustar00rootroot00000000000000uif for Debian -------------- This package has been developed for a diskless router system and provides a mechanism to create and simplify packetfilter rules. It forces you to provide names for every value you use in order to make firewalls less confusing. There is some ldap support build in, to handle a big farm of diskles router configurations. Use uif(8) and information provided in /usr/share/doc/uif to configure the firewall fitting your needs. --- Mike Gabriel , Tue, 11 Jun 2013 22:50:12 +0200 Cajus Pollmeier , Sun, 24 Feb 2002 17:35:29 +0100 uif-1.1.4/debian/changelog000077700000000000000000000000001235447076500173712../ChangeLogustar00rootroot00000000000000uif-1.1.4/debian/compat000066400000000000000000000000021235447076500147350ustar00rootroot000000000000007 uif-1.1.4/debian/control000066400000000000000000000015221235447076500151420ustar00rootroot00000000000000Source: uif Section: net Priority: optional Maintainer: Mike Gabriel Standards-Version: 3.9.5 Build-Depends: debhelper (>= 7), po-debconf, Vcs-Git: git://anonscm.debian.org/collab-maint/uif.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/uif.git;a=summary Homepage: https://github.com/cajus/uif Package: uif Architecture: all Depends: ${perl:Depends}, ${misc:Depends}, libnetaddr-ip-perl (>= 3.0), iptables, bsdutils (>=2.11u), Recommends: libnet-ldap-perl, Suggests: fwlogwatch, Conflicts: knetfilter, firewall-easy, shorewall, fiaif, Description: Advanced iptables-firewall script Complete package to create and simplify iptables packetfilter rules using perl. It was developed for a diskless router system that can store its configurations in regular files or LDAP databases. uif-1.1.4/debian/copyright000066400000000000000000000026571235447076500155040ustar00rootroot00000000000000Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: uif Upstream-Contact: Cajus Pollmeier Source: https://github.com/cajus/uif Files: * Copyright: 2002-2014, Jörg Platte 2002-2014, Cajus Pollmeier 2013-2014, Mike Gabriel 2013-2014, Alex Owen License: GPL-2+ Files: /debian/* Copyright: 2002, Jörg Platte 2002-2012, Cajus Pollmeier 2013-2014, Mike Gabriel License: GPL-2+ License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA . On Debian systems, the full text of the GNU General Public License version 2 can be found in the file `/usr/share/common-licenses/GPL-2'. uif-1.1.4/debian/po/000077500000000000000000000000001235447076500141555ustar00rootroot00000000000000uif-1.1.4/debian/po/POTFILES.in000066400000000000000000000000441235447076500157300ustar00rootroot00000000000000[type: gettext/rfc822deb] templates uif-1.1.4/debian/po/ca.po000066400000000000000000000114321235447076500151010ustar00rootroot00000000000000# uif (debconf) translation to Catalan. # Copyright (C) 2004 Free Software Foundation, Inc. # Aleix Badia i Bosch , 2004 msgid "" msgstr "" "Project-Id-Version: uif_1.0.4-8_templates\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2004-03-12 19:46GMT\n" "Last-Translator: Aleix Badia i Bosch \n" "Language-Team: Catalan \n" "Language: ca\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "no ho toqueu" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "estaci de treball" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Mtode de configuraci del tallafocs" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "El tallafocs es pot inicialitzar utilitzant el debconf o utilitzant la " "informaci introduda manualment al fitxer /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 #, fuzzy msgid "Enter trusted hosts and/or networks:" msgstr "Introduu els ordinadors i/o xarxes de confiana" #. Type: string #. Description #: ../templates:2001 #, fuzzy msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "En el mode d'estaci de treball podeu definir una relaci de confiana " "global amb diversos ordinadors o xarxes. Es permetr tot el trfic provinent " "de la relaci. Introduu les entrades mltiples separades per espais." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Exemple: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Voleu que el vostre servidor respongui via el ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalment els ordinador d'Internet haurien de respondre via ping. Si " "escolliu no, s'inhabilitar el ping i pot induir a confusions en l'anlisi " "de problemes de xarxa." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Voleu que l'ordinador reaccioni al traceroute?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalment un ordinador d'Internet hauria de reaccionar al traceroute. Si " "escolliu no, s'inhabilitar i pot induir a confusions en l'anlisi de " "problemes de xarxa." #. Type: note #. Description #: ../templates:5001 #, fuzzy msgid "Firewall for simple workstation setups" msgstr "Tallafocs per a configuracions d'estaci de treball simples." #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Avs: la configuraci proporciona una configuraci de tallafocs simple que " "permet establir relacions de confiana amb determinats ordinadors i " "configurar el comportament del ping/traceroute globals." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Si necessiteu una configuraci ms especfica utilitzeu el fitxer /etc/uif/" "uif.conf com a plantilla i escolliu \"no ho toquis\" la propera vegada." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "S'ha produt un error en la llista d'ordinadors de confiana" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Comproveu els ordinadors/xarxes que heu introdut. Una o ms entrades no sn " "correctes perqu contenen ordinadors que no es poden resoldre, adreces d'IP " "no vlides o definicions de la xarxa o mscares no vlides." #~ msgid "don't touch, workstation" #~ msgstr "no ho toqueu, estaci de treball" uif-1.1.4/debian/po/cs.po000066400000000000000000000121541235447076500151250ustar00rootroot00000000000000# # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: uif\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-05 22:21+0200\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" "Language: cs\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "ponechat" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "pracovní stanice" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Způsob nastavení firewallu" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Firewall může být nastaven buď přes debconf nebo ruční úpravou souboru /etc/" "uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Zadejte důvěryhodné počítače a/nebo sítě:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "V režimu pracovní stanice můžete zadat některé počítače nebo sítě, kterým " "důvěřujete. Veškerý příchozí provoz z těchto míst bude povolen. Jednotlivé " "položky oddělte mezerami." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Příklad: 10.1.0.0/16 verim.sve.domene.cz 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Chcete, aby byl počítač dosažitelný přes ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normálně by všechny počítače na Internetu měly být dostupné přes ping. Pokud " "zde odpovíte ne, pingy zakážete, což vás může zmást později při analýze " "síťových problémů." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Chcete, aby počítač odpovídal na „sledovače cesty“?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normálně by všechny počítače na Internetu měly odpovídat na požadavky o " "sledování cesty (traceroute). Pokud zde odpovíte ne, váš počítač nebude " "odpovídat na tyto požadavky, ovšem později vás to může zmást při analýze " "síťových problémů." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Jednoduchý firewall pro pracovní stanice" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Varování: toto nastavení poskytuje velmi jednoduchý firewall, který umí " "pouze důvěřovat určitým počítačům a dokáže globálně změnit chování ohledně " "ping / traceroute požadavků." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Potřebujete-li přesnější nastavení, použijte soubor /etc/uif/uif.conf jako " "vzor a příště vyberte možnost „ponechat“." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Chyba v seznamu důvěryhodných počítačů" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Prosíme, zkontrolujte seznam zadaných počítačů / sítí. Jeden nebo více " "záznamů nejsou správné, neobsahují přeložitelné jméno, platnou IP adresu, " "platnou definici sítě nebo masky." #~ msgid "don't touch, workstation" #~ msgstr "ponechat, pracovní stanice" uif-1.1.4/debian/po/da.po000066400000000000000000000111711235447076500151020ustar00rootroot00000000000000# Danish translation uif. # Copyright (C) 2010 uif & nedenstående oversætttere. # This file is distributed under the same license as the uif package. # Joe Hansen , 2010 # msgid "" msgstr "" "Project-Id-Version: uif\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2010-07-22 14:44+0200\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "rør ikke" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "arbejdsstation" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Konfigurationsmetode for brandmur (firewall)" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Brandmuren (firewall) kan initialiseres med brug af debconf, eller brug af " "information du manuelt indsætter i /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Tillad troværdige værter og/eller netværk:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "I tilstanden arbejdsstation, kan du angive nogle værter eller netværk som " "globalt anses som troværdige. Al indgående trafik derfra vil være tilladt. " "Flere punkter skal være adskilt af mellemrum." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Eksempel: 10.1.0.0/16 trust.mitdomæne.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Ønsker du, at din vært skal svare på pingforespørgsler?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalt skal en internetvært kunne tilgås med ping'er. Valg af nej her vil " "deaktivere ping'er, hvilket kan være noget forvirrende, når " "netværksproblemer skal analyseres." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Skal din vært reagere på tracerouter?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalt skal en internetvært reagere på tracerouter. Valg af nej her vil " "deaktivere dette, hvilket kan være noget forvirrende når netværksproblemer " "skal analyseres." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Brandmur (firewall) for simple arbejdsstationsopsætninger" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Advarsel: Denne konfiguration tilbyder en meget simpel brandmursopsætning " "som kun er i stand til at stole på bestemte værter og konfigurere global " "ping-/tracerouteopførsel." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Hvis du har brug for en mere specifik opsætning, så brug /etc/uif/uif.conf " "som en skabelon og vælg »rør ikke« næste gang." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Fejl i liste over troværdige værter" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Undersøg venligst værterne/netværkene du indtastede. En eller flere punkter " "er ikke korrekt, indeholder ingen opløselige værter, gyldige IP-adresser, " "gyldige netværksdefinitioner eller masker." uif-1.1.4/debian/po/de.po000066400000000000000000000114651235447076500151140ustar00rootroot00000000000000# Translation of uif debconf templates to German # Copyright (C) Cajus Pollmeier , 2003. # Copyright (C) Helge Kreutzmann , 2008. # Copyright (C) Mike Gabriel , 2013. # This file is distributed under the same license as the uif package. # msgid "" msgstr "" "Project-Id-Version: uif 1.0.8-1\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-04-28 23:12+0200\n" "Last-Translator: Mike Gabriel \n" "Language-Team: de \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "nicht ändern" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "Arbeitsstation" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Firewall Konfigurationsmethode" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Die Firewall kann entweder über Debconf, oder manuell über die " "Konfigurationsdatei /etc/uif/uif.conf eingestellt werden." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Eingabe der vertrauenswürdigen Rechner / Netze:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "Im »Arbeitsstation«-Modus kann eine Liste von Rechnern oder Netzen angegeben " "werden, die als vertrauenswürdig angesehen werden. Diese haben dann " "kompletten Zugriff auf die Arbeitsstation. Mehrere Einträge sind durch ein " "Leerzeichen zu trennen." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Beispiel: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Soll der Rechner via ping erreichbar sein?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalerweise sollte ein Rechner im Netz via ping erreichbar sein. Falls Sie " "dies ausschalten möchten, beachten Sie dies bei der Suche nach Netzproblemen." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Soll der Rechner traceroutes beantworten?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalerweise sollte ein Rechner im Netz auf traceroutes reagieren. Falls " "Sie dies ausschalten möchten, beachten Sie dies bei der Suche nach " "Netzproblemen." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Firewall für einfache Arbeitsstationen" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Achtung: Diese Konfiguration stellt eine recht einfache Firewall zur " "Verfügung. Beachten Sie, dass dieses Vorgehen keine gut geplante Firewall " "ersetzen kann und nur die Möglichkeit bietet, einzelnen Rechnern/Netzen " "einen kompletten Zugriff zu gewähren." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Falls ein spezielleres Setup gewünscht ist, sollten Sie die Datei /etc/uif/" "uif.conf als Vorlage und beim nächsten Mal »nicht ändern« wählen." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Fehler in der Liste der vertrauenswürdigen Rechnern" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Überprüfen Sie bitte Ihre Eingaben. Ein oder mehrer Einträge enthalten " "entweder einen nicht auflösbaren Rechnernamen, eine ungültige Netz-/IP-" "Adresse oder Netzmaske." uif-1.1.4/debian/po/es.po000066400000000000000000000132741235447076500151330ustar00rootroot00000000000000# uif po-debconf translation to Spanish # Copyright (C) 2007, 2009 Software in the Public Interest # This file is distributed under the same license as the uif package. # # Changes: # - Initial translation # Enrique Matias Sanchez , 2007 # # - Updates # Francisco Javier Cuadrado , 2009 # # Traductores, si no conocen el formato PO, merece la pena leer la # documentación de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Equipo de traducción al español, por favor lean antes de traducir # los siguientes documentos: # # - El proyecto de traducción de Debian al español # http://www.debian.org/intl/spanish/ # especialmente las notas de traducción en # http://www.debian.org/intl/spanish/notas # # - La guía de traducción de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # msgid "" msgstr "" "Project-Id-Version: uif 1.0.5-4.2\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2009-01-18 23:06+0100\n" "Last-Translator: Francisco Javier Cuadrado \n" "Language-Team: Debian l10n Spanish \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "no tocar" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "estación de trabajo" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Método de configuración del cortafuegos" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "El cortafuegos se puede iniciar usando debconf, o usando la información que " "ponga manualmente en «/etc/uif/uif.conf»." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Introduzca las máquinas y/o redes de confianza:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "En el modo de estación de trabajo, puede indicar que algunas máquinas o " "redes sean de absoluta confianza. Se permitirá todo el tráfico procedente de " "ellas. Si hay varias entradas, deben separarse con espacios." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Ejemplo: 10.1.0.0/16 deconfianza.midominio.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "¿Desea que su máquina responda a los «ping»?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente, una máquina de Internet debería responder a los «ping». Si " "elige «No» se deshabilitarán los «ping», lo que podría causar confusión al " "analizar los problemas de red." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "¿Desea que su máquina reaccione a los «traceroute»?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente, una máquina de Internet debería reaccionar a los «traceroute». " "Si elige «No» se deshabilitarán, lo que podría causar confusión al analizar " "problemas de red." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Cortafuegos para estaciones de trabajo sencillas" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Advertencia: Esta configuración proporciona un cortafuegos muy sencillo, que " "sólo es capaz de confiar en algunas máquinas y configurar el comportamiento " "global ante «ping»/«traceroute»." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Si necesita una configuración mas específica, use el archivo «/etc/uif/uif." "conf» como plantilla y seleccione «no tocar» la próxima vez." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Error en la lista de las máquinas de confianza" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Compruebe las máquinas y/o redes que ha introducido. Hay al menos una " "entrada que no es correcta, que contiene máquinas que no se pueden resolver, " "o que contiene direcciones IP, definiciones de red o máscaras de red no " "válidas." #~ msgid "don't touch, workstation" #~ msgstr "no tocar, estación de trabajo" uif-1.1.4/debian/po/eu.po000066400000000000000000000111641235447076500151310ustar00rootroot00000000000000# translation of uif-eu.po to Euskara # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Piarres Beobide , 2008. msgid "" msgstr "" "Project-Id-Version: uif-eu\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-04 23:11+0200\n" "Last-Translator: Piarres Beobide \n" "Language-Team: Euskara \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "ez ukitu" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "lanpostua" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Suebaki konfigurazio metodoa" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Suebakia debconf erabiliaz abiarazi daiteke, edo eskuz /etc/uif/uif.conf " "fitxategian ipini duzun informazioa erabiliaz." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Sartu konfidantzazko ostalari eta/edo sareak:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "Lanpostu moduan, orokorki konfidantzazko ostalari edo sareak ezarri " "ditzakezu. Toki horietatik datorren trafiko guztia onartuko da. Sarrera " "ezberdinak zuriunez bereizi behar dira." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Adibidea: 10.1.0.0/16 konfidantza.niredomeinua.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Zure ostalaria ping bidez eskuragarri izatea nahi duzu?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalean Internet ostalari bat ping bidez eskuratu ahal izan beharko zen. " "Hemen ez hautatuaz ping-a ezgaituko da sare arazoak analizatzean gauzak " "zaildu ditzakeena." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Zure ostalariak traceroute erabiltzeko aukera izatea nahi duzu?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalean Internet ostalari batek tracerouteri jaramon egin beharko zion. " "Hemen ez hautatuaz hau ezgaituko da sare arazoak analizatzean gauzak zaildu " "ditzakeena." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Lanpostu soiletarako suebaki konfigurazioak" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Abisua: Konfigurazio honek zenbait ostalariz fidatu eta ping / traceroute " "portamoldea ezartzen duen oso suebaki konfigurazio sinple bat sortzen du." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Konfigurazio zehatzago bat behar baduzu, erabili /etc/uif/uif.conf txantiloi " "gisa eta hautatu \"ez ukitu\" hurrengo aldian." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Errorea konfidantzazko ostalari zerrendan" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Mesedez egiaztatu idatzitako ostalari / sareak. Sarrera bat edo gehiago ez " "dira zuzenak, ebatzi ezin diren, IP-helbide, sare edo maskara okerra duten " "ostalariak ditu." #~ msgid "don't touch, workstation" #~ msgstr "ez ukitu, lanpostua" uif-1.1.4/debian/po/fi.po000066400000000000000000000110451235447076500151140ustar00rootroot00000000000000msgid "" msgstr "" "Project-Id-Version: uif\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-04-30 11:21+0200\n" "Last-Translator: Esko Arajärvi \n" "Language-Team: Finnish \n" "Language: fi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Finnish\n" "X-Poedit-Country: FINLAND\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "manuaalinen" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "työpöytä" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Palomuurin asetustyyppi:" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Palomuuri voidaan alustaa käyttäen debconfia tai muokkaamalla käsin " "tiedostoa /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Luotetut koneet ja verkot:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "Työpöytätilassa voidaan määrittää joitain luotettavia koneita tai verkkoja. " "Kaikki näiltä tälle koneelle tuleva liikenne sallitaan. Useampia koneita tai " "verkkoja voidaan listata välilyönnein eroteltuina." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Esimerkki: 10.1.0.0/16 luotettava.esimerkki.fi 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Tulisiko koneen vastata pingiin?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Yleensä Internetissä olevien koneiden tulisi vastata pingiin. Jos tätä ei " "valita, pingeihin ei vastata, mikä saattaa aiheuttaa sekaannusta " "selvitettäessä verkko-ongelmia." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Tulisiko koneen reagoida tracerouteen?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Yleensä Internetissä olevien koneiden tulisi reagoida tracerouteen. Jos tätä " "ei valita, tracerouteen ei reagoida, mikä saattaa aiheuttaa sekaannusta " "selvitettäessä verkko-ongelmia." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Palomuuri yksinkertaisille työpöytäasennuksille" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Varoitus: Tämä asetusprosessi tuottaa erittäin yksinkertaiset " "palomuuriasetukset, joissa voidaan vain asettaa jotkin koneet luotetuiksi ja " "asettaa yleinen pingin ja tracerouten toimintatapa." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Yksityiskohtaisempia asetuksia voidaan tarvittaessa tehdä käyttäen " "tiedostoa /etc/uif/uif.conf pohjana. Tällöin ensi kerralla tulisi valita " "”manuaalinen”." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Virhe luotettujen koneiden listassa" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Tarkista syötetyt koneet ja verkot. Yksi tai useampi kohta sisältää nimiä, " "joita ei voida selvittää, epäkelpoja IP-osoitteita tai virheellisiä " "verkkomääritteitä tai -peitteitä." #~ msgid "don't touch, workstation" #~ msgstr "manuaalinen, työpöytä" uif-1.1.4/debian/po/fr.po000066400000000000000000000120411235447076500151220ustar00rootroot00000000000000# Translation of uif debconf templates to French # Copyright (C) 2008 David Kremer # This file is distributed under the same license as the iodine package. # # Michel Grentzinger , 2006 # David Kremer , 2008. msgid "" msgstr "" "Project-Id-Version: uif_1.0.5-4_fr\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-03-13 16:57+0100\n" "Last-Translator: David Kremer \n" "Language-Team: français \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "ne pas modifier" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "station de travail" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Méthode de configuration du pare-feu :" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Le pare-feu (« firewall ») peut être configuré automatiquement ou en " "modifiant directement le fichier de configuration /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Hôtes ou réseaux de confiance :" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "En mode « station de travail », vous pouvez indiquer plusieurs hôtes ou " "réseaux auxquels vous faites entièrement confiance. Tout le trafic en " "provenance de ces hôtes sera autorisé. Les entrées multiples doivent être " "séparées par des espaces." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Exemple : 10.1.0.0/16 confiance.mondomaine.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Souhaitez-vous que cet hôte réponde aux pings ?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalement, la réponse aux « pings » devrait être activée. La désactivation " "de cette option peut conduire à des confusions lors de l'analyse de " "problèmes réseau." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Souhaitez-vous que cet hôte réponde à « traceroute » ?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalement, la réponse à « traceroute » devrait être activée. La " "désactivation de cette option peut conduire à des confusions lors de " "l'analyse de problèmes réseau." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Pare-feu pour les simples stations de travail" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Veuillez noter que cette configuration est une mise en œuvre simple d'un " "pare-feu avec comme seules possibilités le choix de certains hôtes de " "confiance et le réglage du comportement global pour ping/traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Si vous avez besoin d'une configuration plus avancée, utilisez /etc/uif/uif." "conf comme modèle et choisissez l'option « ne pas modifier » la prochaine " "fois." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Erreur dans la liste des hôtes de confiance" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Veuillez vérifier les hôtes et les réseaux indiqués. Une ou plusieurs " "entrées sont incorrectes, ne peuvent être résolues, contiennent des adresses " "réseau non valables ou des définitions ou des masques de réseau non valables." #~ msgid "don't touch, workstation" #~ msgstr "ne pas modifier, station de travail" uif-1.1.4/debian/po/gl.po000066400000000000000000000113261235447076500151220ustar00rootroot00000000000000# Galician translation of uif's debconf templates # This file is distributed under the same license as the uif package. # Jacobo Tarrio , 2008. # msgid "" msgstr "" "Project-Id-Version: uif\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-06 21:21+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" "Language: gl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "non tocar" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "estación de traballo" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Método para a configuración da devasa" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Pódese inicializar a devasa empregando debconf, ou empregando información " "escrita á man en /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Introduza as máquinas e/ou redes de confianza:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "No modo de estación de traballo, pode indicar algunhas máquinas ou redes nas " "que se ha confiar. Hase admitir todo o tráfico procedente de alí. Para " "introducir varios valores, sepáreos mediante espazos." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Por exemplo: 10.1.0.0/16 confio.dominio.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "¿Quere que se poida alcanzar a súa máquina mediante ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente deberíase poder alcanzar unha máquina conectada a Internet " "mediante ping. Se escolle \"non\" aquí hanse desactivar os pings, o que pode " "causar confusión ao analizar problemas na rede." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "¿Quere que a súa máquina reaccione aos traceroutes?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente, unha máquina en Internet debería reaccionar a traceroutes. Se " "escolle \"non\" aquí ha desactivalo, o que pode levar a confusións ao " "analizar problemas na rede." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Devasa para configuracións simples de estación de traballo" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Aviso: Esta configuración fornece unha devasa moi simple que só pode confiar " "nalgunhas máquinas e configurar o comportamento global de ping/traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Se precisa dunha configuración máis específica, empregue /etc/uif/uif.conf " "coma patrón e escolla \"non tocar\" a próxima vez." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Erro na lista de máquinas de confianza" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Comprobe as máquinas / redes que introduciu. Unha ou máis entradas non son " "correctas, conteñen nomes que non se poden resolver, enderezos IP non " "válidos, definicións de rede non válidas ou máscaras de rede non válidas." #~ msgid "don't touch, workstation" #~ msgstr "non tocar, estación de traballo" uif-1.1.4/debian/po/it.po000066400000000000000000000115511235447076500151340ustar00rootroot00000000000000# ITALIAN TRANSLATION OF UIF'S.PO-DEBCONF FILE # Copyright (C) 2008 THE UIF'S COPYRIGHT HOLDER # This file is distributed under the same license as the uif package. # # Vincenzo Campanella , 2008. msgid "" msgstr "" "Project-Id-Version: it\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-10-23 09:25+0200\n" "Last-Translator: Vincenzo Campanella \n" "Language-Team: Italian \n" "Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "«Don't touch»" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "«workstation»" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Metodo di configurazione del firewall" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Il firewall può essere inizializzato utilizzando debconf o utilizzando le " "informazioni che vengono inserite manualmente dall'utente in «/etc/uif/uif." "conf»." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Inserire gli host e/o le reti fidati:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "In modalità «workstation» è possibile specificare taluni host o reti " "globalmente fidati. Tutto il traffico in entrata da questi sarà sempre " "permesso. Molteplici valori devono essere separati da spaziature." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Per esempio: «10.1.0.0/16 trust.miodominio.com 192.168.1.55»" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Si desidera che il proprio host sia raggiungibile via ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente un host internet dovrebbe essere raggiungibile via ping. Se si " "sceglie di no, i ping saranno disabilitati; questo potrebbe creare " "confusioni quando si analizzano problemi della rete." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Si desidera che il proprio host reagisca a traceroute?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente un host internet dovrebbe reagire a traceroute. Se si sceglie di " "no, le reazioni a traceroute saranno disabilitate; questo potrebbe creare " "confusioni quando si analizzano problemi della rete." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Impostazioni del firewall per postazioni semplici" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Attenzione: questa configurazione fornisce un'impostazione del firewall " "molto semplice che può solo accordare fiducia a certi host e configurare " "comportamenti globali relativi a ping e traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Se occorre un'impostazione più specifica, utilizzare «/etc/uif/uif.conf» " "come modello e scegliere l'opzione «don't touch» la prossima volta." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Errore nell'elenco di host fidati" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Controllare gli host e le reti inseriti. Uno o più valori non sono corretti, " "contengono host non risolvibili, indirizzi IP non validi, definizioni di " "rete o di maschere non valide." #~ msgid "don't touch, workstation" #~ msgstr "«Don't touch», «workstation»" uif-1.1.4/debian/po/ja.po000066400000000000000000000120231235447076500151050ustar00rootroot00000000000000# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # victory , 2012. # msgid "" msgstr "" "Project-Id-Version: uif\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2012-06-17 00:37+0000\n" "PO-Revision-Date: 2012-06-17 09:37+0900\n" "Last-Translator: victory \n" "Language-Team: Japanese \n" "Language: ja\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "触らない" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "ワークステーション" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "ファイアウォール設定方法" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "ファイアウォールは debconf を使って、あるいは /etc/uif/uif.conf に手作業で書き" "込んだ情報を元に初期設定できます。" #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "信頼するホストやネットワークを入力してください:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "ワークステーションモードでは、全体的に信頼するホストやネットワークを指定できま" "す。そこからのトラフィックはすべて許可されます。エントリを複数入力する場合は、" "スペースで区切ってください。" #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "例: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "ホストを ping が到達可能にしますか?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "通常、インターネットホストは ping が到達可能であるべきです。ここで no を選択す" "ると ping を無効にするため、ネットワーク問題の分析の際にやや混乱が生まれるかも" "しれません。" #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "ホストを traceroute に反応するようにしますか?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "通常、インターネットホストは traceroute に反応するべきです。ここで no を選択す" "るとこれを無効にするため、ネットワーク問題の分析の際にやや混乱が生まれるかも" "しれません。" #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "単純なワークステーション用設定によるファイアウォール" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "警告: この設定が提供するのは非常に単純なファイアウォールで、できることは特定の" "ホストを信頼することと全体的な ping / traceroute の動作の設定だけです。" #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "もっと具体的な設定が必要な場合は、/etc/uif/uif.conf をテンプレートとして使い、" "次回は「触らない」を選択してください。" #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "信頼するホスト一覧に誤りがあります" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "入力したホストやネットワークを確認してください。解決可能なホスト、有効な IP " "アドレス、有効なネットワーク定義またはマスクのない不正なエントリがあります。" uif-1.1.4/debian/po/pt.po000066400000000000000000000114141235447076500151410ustar00rootroot00000000000000# Portuguese translation of uif's debconf messages. # Copyright (C) 2007 # This file is distributed under the same license as the uif package. # Ricardo Silva , 2007-2008. # msgid "" msgstr "" "Project-Id-Version: uif 1.0.5-4.1\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-05 21:14+0100\n" "Last-Translator: Ricardo Silva \n" "Language-Team: Portuguese \n" "Language: pt\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "não mexer" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "estação de trabalho" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Método de configuração da firewall" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "A Firewall pode ser inicializada usando o debconf, ou usando informação " "introduzida por si em /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Introduza as máquinas e/ou redes de confiança:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "No modo estação de trabalho, pode especificar algumas máquinas ou redes como " "sendo confiadas globalmente. Todo o tráfego vindo deles será permitido. " "Separe as várias entradas por espaços." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Exemplo: 10.1.0.0/16 dominio.confiado.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Deseja que o seu computador responda a ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente uma máquina na Internet deve responder a pings. Escolher não " "aqui irá desactivar pings o que pode ser um pouco confuso quando estiver a " "analisar problemas de rede." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Deseja que o seu computador reaja a traceroutes?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalmente uma máquina na Internet deve reagir a traceroutes. Escolher não " "aqui irá desactivar esta resposta, o que pode ser um pouco confuso quando " "estiver a analisar problemas de rede." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Firewall para configurações simples de estações de trabalho" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Aviso: Esta configuração disponibiliza uma configuração de firewall muito " "simples que apenas é capaz de confiar em determinadas máquinas e configurar " "o comportamento global aquando de um ping ou traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Se precisa de uma configuração mais específica, use /etc/uif/uif.conf como " "um modelo e escolha \"não mexer\" da próxima vez." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Erro na lista de máquinas confiadas" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Por favor verifique as máquinass / redes que introduziu. Uma ou mais " "entradas não estão corrrectas, contêm máquinas não resolúveis (por dns), " "endereços IP inválidos ou definições de rede ou máscaras inválidas." #~ msgid "don't touch, workstation" #~ msgstr "não mexer, estação de trabalho" uif-1.1.4/debian/po/ru.po000066400000000000000000000135361235447076500151530ustar00rootroot00000000000000# translation of ru.po to Russian # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Yuri Kozlov , 2008. msgid "" msgstr "" "Project-Id-Version: uif new\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-09 08:58+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "не менять" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "рабочая станция" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Тип настройки межсетевого экрана" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Настройка межсетевого экрана может быть выполнена с помощью debconf или " "ручного редактирования файла /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Введите доверительные хосты и/или сети:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "В режиме \"рабочая станция\", вы можете указать несколько хостов или сетей, " "которым вы полностью доверяете. С них будет разрешён весь входящий трафик. " "Несколько значений должны разделяться пробелами." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Пример: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Разрешить ответы хоста на ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Обычно, хосты в интернет должны быть доступны по ping. При отрицательном " "ответе реакция хоста на ping будет заблокирована, что может затруднить " "анализ в случае проблем с сетью." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Разрешить ответы хоста на traceroute?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Обычно, хосты в интернет должны реагировать на traceroute. При отрицательном " "ответе реакция хоста на traceroute будет заблокирована, что может затруднить " "анализ в случае проблем с сетью." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Межсетевой экран для рабочих станций с простыми требованиями" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Предупреждение: здесь выполняется очень простая настройка межсетевого " "экрана, при которой задаются доверительные хосты и общее поведение для " "ping / traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Если вам требуется более специализированная настройка, используйте /etc/uif/" "uif.conf в качестве шаблона, и в следующий раз выберите \"не менять\"." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Ошибка в списке доверительных хостов" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Проверьте введённые хосты/сети. Одна или более записей неверны, содержат " "неразрешимые имена хостов, неправильные IP-адреса, подсети или маски." #~ msgid "don't touch, workstation" #~ msgstr "не менять, рабочая станция" uif-1.1.4/debian/po/sv.po000066400000000000000000000121071235447076500151460ustar00rootroot00000000000000# # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: sv\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-10-18 20:45+0200\n" "Last-Translator: Martin Bagge \n" "Language-Team: Swedish \n" "Language: sv\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: swe\n" "X-Poedit-Country: swe\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "rör inte" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "arbetsstation" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Metod för konfigurering av brandväggen" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Brandväggen kan initieras via debconf eller om du manuellt matar in " "information i /etc/uif/uif.conf." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Ange pålitliga värdar och/eller nätverk:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "I läget för arbetsstation kan du ange några värdsystem eller nätverk som " "globalt ska vara pålitliga. All inkommande trafik som kommer därifrån kommer " "att tillåtas. Multipla poster måste separeras med mellanslag." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Exempel: 10.1.0.0/16 lita.mindomain.se 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Vill du att ditt värdsystem ska vara nåbar via ping?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalt är ett värdsystem på Internet nåbar med ping. Välja nej här kommer " "att stänga av ping som dock kan vara förvirrande vid analyser av " "nätverksproblem." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Vill du att ditt värdsystem ska reagera på \"traceroute\"?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Normalt reagerar ett värdsystem på Internet på traceroute. Välja nej här " "kommer att stänga av det som dock kan vara förvirrande vi analyser av " "nätverksproblem." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Brandvägg för enkla konfigurationer av arbetsstationer." #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Varning: Denna konfiguration ger en väldigt enkel konfiguration av " "brandväggen som bara kan lita på vissa värdar och konfigurera ett globalt " "beteende för ping och traceroute." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Om du behöver en mer specifik konfiguration, använd /etc/uif/uif.conf som en " "mall och välj \"rör inte\" nästa gång." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Fel i listan av pålitliga värdar" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Kontrollera värdnamnen/nätverken som du angav. En eller flera av dessa är " "felaktigt angiven, har inga värdar som kan slås upp, innehålle inga IP-" "adresser, korrekta nätverksdefinitioner eller nätmasker." #~ msgid "don't touch, workstation" #~ msgstr "rör inte, arbetsstation" uif-1.1.4/debian/po/templates.pot000066400000000000000000000065431235447076500167070ustar00rootroot00000000000000# # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "" #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" uif-1.1.4/debian/po/vi.po000066400000000000000000000121571235447076500151410ustar00rootroot00000000000000# Vietnamese translation for UIF. # Copyright © 2008 Free Software Foundation, Inc. # Clytie Siddall , 2005-2008. # msgid "" msgstr "" "Project-Id-Version: uif 1.0.5-4.1\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2010-05-04 11:43+0200\n" "PO-Revision-Date: 2008-05-06 20:16+0930\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" "Language: vi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: LocFactoryEditor 1.7b3\n" #. Type: select #. Choices #: ../templates:1001 msgid "don't touch" msgstr "đừng làm gì" #. Type: select #. Choices #: ../templates:1001 msgid "workstation" msgstr "máy trạm" #. Type: select #. Description #: ../templates:1002 msgid "Firewall configuration method" msgstr "Phương pháp cấu hình bức tường lửa" #. Type: select #. Description #: ../templates:1002 msgid "" "The firewall can be initialized using debconf, or using information you " "manually put into /etc/uif/uif.conf." msgstr "" "Có thể sơ khởi bức tường lửa dùng debconf, hoặc dùng thông tin bạn tự ghi " "vào tập tin « /etc/uif/uif.conf »." #. Type: string #. Description #: ../templates:2001 msgid "Enter trusted hosts and/or networks:" msgstr "Nhập các máy/mạng đáng tin:" #. Type: string #. Description #: ../templates:2001 msgid "" "In workstation mode, you can specify some hosts or networks to be globally " "trusted. All incoming traffic coming from there will be allowed. Multiple " "entries have to be separate with spaces." msgstr "" "Trong chế độ máy trạm, bạn có thể xác định một số máy hay mạng sẽ được tin " "cây toàn cục. Sau đó thì tất cả giao thông đến từ đó sẽ được phép. Nhiều mục " "phải định giới bằng dấu cách." #. Type: string #. Description #: ../templates:2001 msgid "Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55" msgstr "Ví dụ : 10.1.0.0/16 people.vnoss.org 192.168.1.55" #. Type: boolean #. Description #: ../templates:3001 msgid "Do you want your host to be reachable via ping?" msgstr "Bạn có muốn cho tín hiệu ping tới máy của mình không?" #. Type: boolean #. Description #: ../templates:3001 msgid "" "Normally an Internet host should be reachable with pings. Choosing no here " "will disable pings which might be somewhat confusing when analyzing network " "problems." msgstr "" "Bình thường, một máy Internet nên cho tín hiệu ping tới được. Không bật tùy " "chọn này thì tắt nhận tín hiệu ping mà có thể gây ra tình trạng lộn xộn khi " "phân tích vấn đề chạy mạng." #. Type: boolean #. Description #: ../templates:4001 msgid "Do you want your host to react to traceroutes?" msgstr "Bạn có muốn máy này đáp ứng việc tìm đường không?" #. Type: boolean #. Description #: ../templates:4001 msgid "" "Normally an Internet host should react to traceroutes. Choosing no here will " "disable this, which might be somewhat confusing when analyzing network " "problems." msgstr "" "Bình thường, một máy Internet nên đáp ứng tiến trình tìm đường (traceroute). " "Không bật tùy chọn này thì tắt khả năng này, mà có thể gây ra tình trạng lộn " "xộn khi phân tích vấn đề chạy mạng." #. Type: note #. Description #: ../templates:5001 msgid "Firewall for simple workstation setups" msgstr "Bức tường lửa cho thiết lập máy trạm đơn giản" #. Type: note #. Description #: ../templates:5001 msgid "" "Warning: This configuration provides a very simple firewall setup which is " "only able to trust certain hosts and configure global ping / traceroute " "behaviour." msgstr "" "Cảnh báo : cấu hình này cung cấp một thiết lập bức tường lửa rất đơn giản mà " "chỉ có khả năng tin cây một số máy nào đó, và cấu hình ứng xử ping/tìm đường " "toàn cục." #. Type: note #. Description #: ../templates:5001 msgid "" "If you need a more specific setup, use /etc/uif/uif.conf as a template and " "choose \"don't touch\" next time." msgstr "" "Nếu bạn cần thiết lập đặc biệt hơn, hãy dùng tập tin cấu hình « /etc/uif/uif." "conf » làm mẫu, và chọn « Đừng làm gì » lần kế tiếp." #. Type: error #. Description #: ../templates:6001 msgid "Error in list of trusted hosts" msgstr "Gặp lỗi trong danh sách các máy đáng tin." #. Type: error #. Description #: ../templates:6001 msgid "" "Please check the hosts / networks you entered. One or more entries are not " "correct, contain no resolvable hosts, valid IP-addresses, valid network " "definitions or masks." msgstr "" "Hãy kiểm tra xem bạn đã nhập các máy/mạng đúng. Một hay nhiều mục nhập không " "phải là đúng, không chứa máy có thể quyết định, địa chỉ IP hợp lệ, lời xác " "định mạng hợp lệ hay mặt nạ." #~ msgid "don't touch, workstation" #~ msgstr "đừng làm gì, máy trạm" uif-1.1.4/debian/rules000077500000000000000000000030551235447076500146220ustar00rootroot00000000000000#!/usr/bin/make -f # Sample debian/rules that uses debhelper. # GNU copyright 1997 to 1999 by Joey Hess. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 # This is the debhelper compatability version to use. package=uif version=$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/^Version: //p') tmp=`pwd`/debian/tmp build: build-arch build-indep build-arch: # Nothing to do here... build-indep: dh_testdir touch build clean: dh_testdir dh_testroot -rm -f build -rm -f `find . -name "*~"` -rm -rf debian/tmp debian/files* debian/*.debhelper core debian/uif -rm -rf debian/uif.substvars debconf-updatepo dh_clean install: build dh_testdir dh_testroot dh_prep dh_installdirs usr/sbin usr/share/doc $(MAKE) install DESTDIR=$(tmp) dh_install binary-arch: build install binary-indep: build install # dh_testversion dh_testdir dh_testroot dh_installdebconf dh_installdocs # dh_installexamples # dh_installmenu # dh_installemacsen # dh_installpam dh_installinit # dh_installcron dh_installman # dh_installinfo # dh_undocumented dh_lintian dh_installchangelogs dh_link # dh_strip dh_compress dh_fixperms # You may want to make some executables suid here. # dh_suidregister # dh_makeshlibs dh_installdeb dh_perl # dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install get-orig-source: uscan --noconf --force-download --rename --download-current-version --destdir=.. uif-1.1.4/debian/source/000077500000000000000000000000001235447076500150375ustar00rootroot00000000000000uif-1.1.4/debian/source/format000066400000000000000000000000151235447076500162460ustar00rootroot000000000000003.0 (native) uif-1.1.4/debian/templates000066400000000000000000000033311235447076500154600ustar00rootroot00000000000000Template: uif/conf_method Type: select __Choices: don't touch, workstation Default: don't touch _Description: Firewall configuration method The firewall can be initialized using debconf, or using information you manually put into /etc/uif/uif.conf. Template: uif/trusted Type: string _Description: Enter trusted hosts and/or networks: In workstation mode, you can specify some hosts or networks to be globally trusted. All incoming traffic coming from there will be allowed. Multiple entries have to be separate with spaces. . Example: 10.1.0.0/16 trust.mydomain.com 192.168.1.55 Template: uif/pings Type: boolean Default: true _Description: Do you want your host to be reachable via ping? Normally an Internet host should be reachable with pings. Choosing no here will disable pings which might be somewhat confusing when analyzing network problems. Template: uif/traceroute Type: boolean Default: true _Description: Do you want your host to react to traceroutes? Normally an Internet host should react to traceroutes. Choosing no here will disable this, which might be somewhat confusing when analyzing network problems. Template: uif/workstation Type: note _Description: Firewall for simple workstation setups Warning: This configuration provides a very simple firewall setup which is only able to trust certain hosts and configure global ping / traceroute behaviour. . If you need a more specific setup, use /etc/uif/uif.conf as a template and choose "don't touch" next time. Template: uif/error Type: error _Description: Error in list of trusted hosts Please check the hosts / networks you entered. One or more entries are not correct, contain no resolvable hosts, valid IP-addresses, valid network definitions or masks. uif-1.1.4/debian/uif.config000077500000000000000000000030251235447076500155140ustar00rootroot00000000000000#!/bin/sh set -e # Source debconf library. . /usr/share/debconf/confmodule is_ip() { echo "$1" | egrep -q '^([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])$' } is_net() { NET=`echo "$1" | cut -d/ -f1` MASK=`echo "$1" | cut -d/ -f2` is_ip "$MASK" && is_ip "$NET" && return 0 echo "$MASK"|egrep -q '^([0-2]?[0-9]?|3[0-2])$' && is_ip "$NET" && return 0 return 1 } is_host() { host "$1" 2> /dev/null| egrep '([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | cut -f3 } # Chooser for conf_method db_input high uif/conf_method || true db_go # Check their answer. db_get uif/conf_method case "$RET" in workstation) # show message db_input high uif/workstation || true db_go # configure ping / traceroutes db_input high uif/pings || true db_go db_input high uif/traceroute || true db_go # configure trusted hosts while true; do db_input high uif/trusted || true db_go db_get uif/trusted if [ -n "$RET" ]; then for i in $RET; do WORKS=0 is_ip "$i" && WORKS=1 [ $WORKS -eq "0" ] && is_net "$i" && WORKS=1 [ $WORKS -eq "0" ] && HOST=`is_host "$i"` [ -n "$HOST" ] && WORKS=1 if [ $WORKS -eq 0 ]; then db_input high uif/error || true db_go break fi done [ $WORKS -eq 0 ] && continue fi break done ;; *) ;; esac exit 0 uif-1.1.4/debian/uif.docs000066400000000000000000000000371235447076500151740ustar00rootroot00000000000000README README.LDAP README.IPv6 uif-1.1.4/debian/uif.init000077500000000000000000000125441235447076500152200ustar00rootroot00000000000000#! /bin/bash ### BEGIN INIT INFO # Provides: uif # Required-Start: $network $syslog $remote_fs # Required-Stop: $network $syslog $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Universal Internet Firewall # Description: Start the firewall defined in /etc/uif/uif.conf. ### END INIT INFO # # Version: @(#)/etc/init.d/uif 1.1.4 July-2014 Mike Gabriel # # RedHat specific settings - ignore for real systems --------------------------- # chkconfig: - 60 95 # description: provides iptables packet filtering . /lib/lsb/init-functions PATH=/usr/sbin:/sbin:$PATH UIF=/usr/sbin/uif IPV6MODE=0 # Include firewall defaults if available if [ -f /etc/default/uif ] ; then . /etc/default/uif fi #THIS IS DEFAULT ANYWAY#[ -z "$OPTIONS" ] && OPTIONS="-c /etc/uif/uif.conf" # Binaries installed? if [ ! -f /sbin/iptables ]; then log_failure_msg "uif: iptables not found - aborting" exit 1 fi if [ $IPV6MODE = 1 -a ! -f /sbin/ip6tables ] ; then log_failure_msg "uif: ip6tables not found - aborting" exit 1 fi # uif installed? Without this script makes no sense... [ -f $UIF ] || exit 1 # As the name says. If the kernel supports modules, it'll try to load # the ones listed in "MODULES". load_modules() { [ -f /proc/modules ] || return LIST=`/sbin/lsmod|awk '!/Module/ {print $1}'` for mod in $MODULES; do echo $LIST | grep -q $mod || modprobe $mod || /bin/true done } case "$1" in start) log_daemon_msg "Starting uif" logger "Starting uif" [ -f /proc/modules ] && { log_progress_msg "modules"; load_modules; } log_progress_msg "IPv4-rules" EMSG=`$UIF $OPTIONS 2>&1` RET4=$? if [ $RET4 -ne 0 ]; then logger "Starting uif failed: $EMSG" [ -n "$MAILTO" ] && \ echo -e "Hi. This is your firewall script - which has failed" \ "to execute in a proper way.\nHere is the error message:\n" \ "\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO log_end_msg $RET4 echo echo -e "Error message: $EMSG\n" exit 1 fi if [ $IPV6MODE = 1 ] ; then log_progress_msg "IPv6-rules" EMSG=`$UIF -6 $OPTIONS 2>&1` RET6=$? if [ $RET6 -ne 0 ]; then logger "Starting uif failed: $EMSG" [ -n "$MAILTO" ] && \ echo -e "Hi. This is your IPv6 firewall script - which has failed" \ "to execute in a proper way.\nHere is the error message:\n" \ "\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO log_end_msg $RET6 echo echo -e "Error message: $EMSG\n" exit 1 fi else RET6=0; fi log_end_msg $(($RET4+$RET6)) ;; stop) log_daemon_msg "Stopping uif" logger "Stopping uif" if [ $IPV6MODE = 1 ] ; then log_progress_msg "IPv4" fi $UIF -d if [ $IPV6MODE = 1 ] ; then log_progress_msg "IPv6" $UIF -6 -d fi log_end_msg 0 ;; print) echo "Printing rules based on your current configuration" $UIF $OPTIONS -pt if [ $IPV6MODE = 1 ] ; then $UIF -6 $OPTIONS -pt fi ;; test|test4) if [ $IPV6MODE = 1 ] ; then echo -n "IPv4 Test: " fi echo -n "Activating IPv4 ruleset for $TIMEOUT seconds: modules, " trap 'echo "aborted, IPv4 rules restored"; exit 0' SIGINT load_modules echo -n "IPv4 rules - active, waiting - " EMSG=`$UIF -T $TIMEOUT $OPTIONS` if [ $? -eq 0 ]; then echo ok exit 0 fi echo failed echo -e "Error message: $EMSG\n" ;; test6) if [ $IPV6MODE = 1 ] ; then echo -n "IPv6 Test: " echo -n "Activating IPv6 ruleset for $TIMEOUT seconds: modules, " trap 'echo "aborted, IPv6 rules restored"; exit 0' SIGINT load_modules echo -n "IPv6 rules - active, waiting - " EMSG=`$UIF -6 -T $TIMEOUT $OPTIONS` if [ $? -eq 0 ]; then echo ok exit 0 fi echo failed echo -e "Error message: $EMSG\n" fi ;; status) if [ "`id -u`" != "0" ]; then echo "Can't retrieve status information. You need to be root." exit 1 fi if [ $IPV6MODE = 1 ] ; then echo "IPv4 STATUS:" fi # Simple rule listing echo -e "\nRule listing:\n" iptables-save | sed "/^#/d" # Show accounting data if [ -n "$ACCOUNTPREFIX" ]; then echo -e "\n\nCurrent accounting information:\n" iptables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \ sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }' fi if [ $IPV6MODE = 1 ] ; then echo "IPv6 STATUS:" # Simple rule listing echo -e "\nRule listing:\n" ip6tables-save | sed "/^#/d" # Show accounting data if [ -n "$ACCOUNTPREFIX" ]; then echo -e "\n\nCurrent accounting information:\n" ip6tables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \ sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }' fi fi # Show last 10 policy violations if [ -n "$LOGPREFIX" ]; then if [ $IPV6MODE = 1 ] ; then echo -e "\n\nLast 10 policy violations (IPv4 & IPv6 combined):" else echo -e "\n\nLast 10 policy violations (IPv4 only):" fi dmesg | grep "`hostname`.* $LOGPREFIX .*:" 2> /dev/null | tail -n 10 fi echo -e "\n\n" ;; restart|reload|force-reload) $0 start ;; flush) echo -n "Flushing IPv4 packet counters: " iptables -Z &> /dev/null if [ $? -eq 0 ]; then echo ok else echo failed fi if [ $IPV6MODE = 1 ] ; then echo -n "Flushing IPv6 packet counters: " ip6tables -Z &> /dev/null if [ $? -eq 0 ]; then echo ok else echo failed fi fi ;; *) echo "Usage: $0 {start|stop|status|restart|reload|flush|print}" exit 1 esac exit 0 uif-1.1.4/debian/uif.install000066400000000000000000000000441235447076500157100ustar00rootroot00000000000000etc/default/ etc/ldap/ etc/uif/ usr/uif-1.1.4/debian/uif.links000066400000000000000000000000421235447076500153600ustar00rootroot00000000000000etc/uif/uif.conf etc/uif/uif6.confuif-1.1.4/debian/uif.lintian-overrides000066400000000000000000000002071235447076500177010ustar00rootroot00000000000000# false-positive... the "service" key word occurs inside a quoted text block uif: maintainer-script-should-not-use-service postinst:161uif-1.1.4/debian/uif.postinst000077500000000000000000000176331235447076500161440ustar00rootroot00000000000000#!/bin/sh set -e # Source debconf library. . /usr/share/debconf/confmodule # We exit unless the package is being configured case "$1" in abort*upgrade) exit 0;; abort*remove) exit 0;; abort*deconfigure) exit 0;; configure) ;; *) exit 0; esac # Check their answer. db_get uif/conf_method case "$RET" in workstation) PINGS=0 TRACERT=0 TRUSTED="" # show message db_get uif/workstation # configure ping / traceroutes db_get uif/pings [ "$RET" = "true" ] && PINGS=1 db_get uif/traceroute [ "$RET" = "true" ] && TRACERT=1 # configure trusted hosts db_get uif/trusted if [ -n "$RET" ]; then TRUSTED="$TRUSTED $RET" fi if [ "$PINGS" = "1" -o "$TRACERT" = "1" ]; then ICMP_RULE="in+ p=" else ICMP_RULE="#in+ p=ping,traceroute" fi [ "$PINGS" = "1" ] && ICMP_RULE="${ICMP_RULE}ping" [ "$PINGS" = "1" -a "$TRACERT" = "1" ] && ICMP_RULE="${ICMP_RULE}," [ "$TRACERT" = "1" ] && ICMP_RULE="${ICMP_RULE}traceroute" if [ -n "$TRUSTED" ]; then TRUSTED="trusted4 $TRUSTED" TRUSTED_RULE="in+ s=trusted4(4)" else TRUSTED="#trusted4 10.0.0.1" TRUSTED_RULE="#in+ s=trusted4(4)" fi if [ -f /etc/uif/uif.conf ]; then echo "Backing up your old uif.conf to uif.conf.old..." cp /etc/uif/uif.conf /etc/uif/uif.conf.old fi cat > /etc/uif/uif-ipv4-networks.inc < /etc/uif/uif-ipv6-networks.inc < /etc/uif/uif.conf << EOF ## uif Firewall Configuration ## automatically configured for Debian systems... ## This file has been automatically generated by debconf. It will be overwritten ## the next time you configure firewall without choosing "don't touch". ## Sysconfig definitions # These entries define the global behaviour of the firewall package. Normally # they are preset in /etc/default/uif and may be overwritten by this # section. # # syntax: LogLevel : set the kernel loglevel for iptables rules # LogPrefix: prepend this string to all iptables logs # LogLimit: set packet limit per time interval (times/interval) # LogBurst: set packet log burst # example: # sysconfig { # LogLevel debug # LogPrefix FW # LogLimit 20/minute # LogBurst 5 # AccountPrefix ACC_ # } ## Include predefined services # The include section takes a bunch of files and includes them into this # configuration file. # # syntax: "filename" include { "/etc/uif/services" } ## Services needed for workstation setup # The service section provides the protocol definitions you're # using in the rules. You're forced to declare everything you # need for your setup. # # syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])] # [protocol_name([source:range][/][dest:range])] [service_name] ... # examples: http tcp(/80) # dns tcp(/53) udp(/53) # group http dns tcp(/443) # ipsec esp(/) udp(/500) #service { # traceroute udp(32769:65535/33434:33523) icmp(11) # ping icmp(8) #} ## Network definitions needed for IPv4+6 workstation setup # The network definitions are included from two separate files. # 1. /etc/uif/uif-ipv4-networks.inc # 2. /etc/uif/uif-ipv6-networks.inc # # If you want to setup IPv4 and IPv6 firewalling easily, # make sure that all network names you use in your ruleset # in both include files. # # Additionally make /etc/uif/uif6.conf a symlink that points to # /etc/uif/uif.conf. # # IPv4 network definitions # # If you update from a version of UIF that supported IPv4 only, then # you probably want to leave the uif.conf file untouched for now and # move your network definitions block from uif.conf to uif-ipv4-networks.inc # manually later. include4 { "/etc/uif/uif-ipv4-networks.inc" } # IPv6 network definitions # # Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use # IPv6 support on your UIF based firewall. include6 { "/etc/uif/uif-ipv6-networks.inc" } ## Interface definitions # Since all definitions used in the filter section are symbolic, # you've to specify symbolic names for all your interfaces you're # going to use. # # syntax: interface_name [unix network interface] [interface_name] # examples: internal eth0 # external ippp0 ipsec0 # allppp ppp+ # group external allppp eth3 interface { loop lo } ## Filter definitions # The filter section defines the rules for in, out, forward, masquerading # and nat. All rules make use of the symbolic names defined above. This # section can be used multiple times in one config file. This makes more # senese when using one of these alias names: # filter, nat, input, output, forward, masquerade # # syntax: in[-/+] [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # fw[-/+] [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]] # flags: limit([count/time[,burst]]) # reject([reject type]) # log([name]) # account(name) # examples: # masq+ o=extern s=intranet # nat+ s=intranet p=http D=relayintern P=squid # in+ s=trusted p=ssh,ping,traceroute,http # out- s=intranet p=smb f=reject # fw- d=microsoft f=reject,log(ms-alert) # fw+ p=myhttp f=account(HTTP) # Take an attention about the protocol for your accounting rules. If you # want to count user http traffice, you may need a "myhttp tcp(80/)". filter { in+ i=loop s=localhost out+ o=loop d=localhost # IPv4 rules $ICMP_RULE $TRUSTED_RULE # ICMP is a must in IPv6, blocking breaks compliancy # to RFC 4443 (http://tools.ietf.org/html/rfc4443) in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation #in+ s=trusted6(6) out+ d=all in- f=log(input),reject out- f=log(output),reject fw- f=log(forward),reject } EOF ;; *) ;; esac # protect the uif configuration files against other users chmod 600 /etc/uif/uif.conf chmod 600 /etc/uif/uif-ipv*-networks.inc #DEBHELPER# exit 0 uif-1.1.4/debian/uif.postrm000077500000000000000000000000471235447076500155740ustar00rootroot00000000000000#!/bin/sh set -e #DEBHELPER# exit 0 uif-1.1.4/debian/uif.prerm000077500000000000000000000003631235447076500153760ustar00rootroot00000000000000#!/bin/sh set -e # only stop firewall when uif is going to be removed if [ "$1" = "remove" -o "$1" = "deconfigure" ]; then invoke-rc.d uif stop else echo "Please restart uif manually using: invoke-rc.d uif restart" fi #DEBHELPER# exit 0 uif-1.1.4/default000066400000000000000000000012701235447076500136640ustar00rootroot00000000000000## Debian firewall package standard values # See "man 8 uif" for details. # the iptables loglevel LOGLEVEL="crit" # prefix for all logged incidents LOGPREFIX="FW" # iptables log specific options LOGLIMIT="20/minute" LOGBURST="5" # iptables limit specific options LIMIT="20/minute" BURST="5" # firewall testing timeout TIMEOUT=30 # specify modules to load before startup MODULES="ip_conntrack_ftp" # who should get the mails when the script fails MAILTO="root" # prefix for accounting rules ACCOUNTPREFIX="ACC_" # IPV6MODE can be set to 0 or 1. By default it is 0 # If set to 1 then both an IPv4 and an IPv6 firewall will be started # Uncomment below to enable the IPV6MODE IPV6MODE=1 uif-1.1.4/docs/000077500000000000000000000000001235447076500132455ustar00rootroot00000000000000uif-1.1.4/docs/examples.IPv4.txt000066400000000000000000000075531235447076500164170ustar00rootroot00000000000000EXAMPLES for UIF ================ These sample configurations are fully virtual setups but may contain valid ip addresses. 1) Simple router/proxy setup Imagine the following scenario with one packet filter and masquerading: ppp0 eth0 internet-----------filter-------------proxy---------intranet 193.174.71.23 192.168.0.1 192.168.0.2 192.168.0.0/24 The filter masquerades the proxy address and rejects all other internal traffic to the internet. Don't forget to enable forwarding (sysctl -w net.ipv4.ip_forward=1), respectivly adding it to /etc/sysctl.conf. 8<--------------------------------------------------------------------- include { # include the basic service definitions "/etc/uif/services" } service { # define all valid services from the proxy into the internet proxytraffic http https ntp pop3s imaps smtp ssh ftp } network { # define all networks and hosts proxy 192.168.0.2 intern 192.168.0.0/24 gonicus 21.8.6.9 ds 129.27.18.16 # accept external ssh connections from gonicus and ds sshok ds gonicus } interface { # define all local interfaces loop lo extern ppp0 intern eth0 } input { # permit all loopback traffic in+ i=loop # accept local ssh logins in+ i=intern s=intern p=ssh # accept external ssh connections from gonicus and ds in+ i=extern s=sshok p=ssh # accept pings in+ i=extern p=ping # reject and log all other incoming connentions in- f=log(incoming),reject } output { # permit all loopback traffic out+ o=loop # permit all outgoing traffic to the internal network out+ o=intern # permit outgoing ntp and ssh connections out+ o=extern p=ntp,ssh # reject all and log all other outgoing connentions out- f=log(outgoing),reject } forward { # in case of an pppoe dsl line the following line may be useful # it sets the mss of every forwarded packet to a smaller value fw> o=extern # forward previously defined proxy traffic to external hosts fw+ o=extern s=proxy p=proxytraffic # reject all and log all other outgoing connentions fw- f=log(forwarding),reject } masquerade { # masquerade proxy traffic masq+ o=extern s=proxy } --------------------------------------------------------------------->8 2) Router doing nat and transparent proxys Imagine the following (not really usable) scenario: eth0 eth1 Internet---------filter------------switch 80.67.1.53 10.10.0.1 | +--gatekeeper 10.10.0.15 | +--[intranet] Imagine "filter" is running squid as a transparent proxy and "gatekeeper" is your ssh gateway to the intranet. No other connections to the intranet are allowed. "filter" is acting as nameserver, no additional connections from the inside to the outside are allowed. 8<--------------------------------------------------------------------- include { # include the basic service definitions "/etc/uif/services" } network { # define all networks and hosts proxy 10.10.0.1 intern 10.10.0.0/16 gate 10.10.0.5 } interface { # define all local interfaces loop lo extern eth0 intern eth1 } filter { # permit all loopback traffic in+ i=loop out+ o=loop # permit all outgoing traffic for "filter" out+ o=intern,extern # accept pings in+ i=extern p=ping # accept local ssh logins, dns, http in+ i=intern s=intern p=ssh,dns,http # redirect port 80 to 10.10.0.1:3128 nat+ i=intern s=intern p=http D=proxy P=squid # redirect incomming ssh connections to gatekeeper nat+ i=extern p=ssh D=gatekeeper # reject and log all other connentions in- f=log(incoming),reject out- f=log(outgoing),reject fw- f=log(forward),reject } --------------------------------------------------------------------->8 uif-1.1.4/docs/uif.conf.IPv4+6.tmpl000066400000000000000000000115001235447076500165710ustar00rootroot00000000000000## Debian GNU Linux Firewall Package ## This file has been automatically generated by debconf. It will be overwritten ## the next time you configure firewall without choosing "don't touch". ## Sysconfig definitions # These entries define the global behaviour of the firewall package. Normally # they are preset in /etc/default/uif and may be overwritten by this # section. # # syntax: LogLevel : set the kernel loglevel for iptables rules # LogPrefix: prepend this string to all iptables logs # LogLimit: set packet log limit per time interval (times/interval) # LogBurst: set packet log burst # Limit: set packet limit per time interval (times/interval) # Burst: set packet burst # example: # sysconfig { # LogLevel debug # LogPrefix FW # LogLimit 20/minute # LogBurst 5 # Limit 20/minute # Burst 5 # AccountPrefix ACC_ # } ## Include predefined services # The include section takes a bunch of files and includes them into this # configuration file. # # syntax: "filename" #include { # "/etc/uif/services" #} ## Services needed for workstation setup # The service section provides the protocol definitions you're # using in the rules. You're forced to declare everything you # need for your setup. # # syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])] # [protocol_name([source:range][/][dest:range])] [service_name] ... # examples: http tcp(/80) # dns tcp(/53) udp(/53) # group http dns tcp(/443) # ipsec esp(/) udp(/500) service { traceroute udp(32769:65535/33434:33523) icmp(11) ping icmp(8) } ## Network definitions needed for simple workstation setup # In the network section you're asked to provide informations on all # hosts and/or networks running in your setup. # # syntax: net_name [ip-address[:mac-address]] [network] [net_name] # examples: webserver 192.168.1.5 # intranet 10.1.0.0/16 # dmz 10.5.0.0/255.255.0.0 # some intranet dmz 10.2.1.1 # router 10.1.0.1=0A:32:F2:C7:1A:31 network { localhost 127.0.0.1 all 0.0.0.0/0 trusted4 192.168.1.0/24 trusted6 fd00:1:2:3::/64 } ## Interface definitions # Since all definitions used in the filter section are symbolic, # you've to specify symbolic names for all your interfaces you're # going to use. # # syntax: interface_name [unix network interface] [interface_name] # examples: internal eth0 # external ippp0 ipsec0 # allppp ppp+ # group external allppp eth3 interface { loop lo } ## Filter definitions # The filter section defines the rules for in, out, forward, masquerading # and nat. All rules make use of the symbolic names defined above. This # section can be used multiple times in one config file. This makes more # senese when using one of these alias names: # filter, nat, input, output, forward, masquerade # # syntax: in[-/+] [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # fw[>/-/+] [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]] # additional: # All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which # causes the creation of a stateless rule. # flags: limit([count/time[,burst]]) # reject([reject type]) # log([name]) # account(name) # examples: # masq+ o=extern s=intranet # nat+ s=intranet p=http D=relayintern P=squid # in+ s=trusted p=ssh,ping,traceroute,http # out- s=intranet p=smb f=reject # fw- d=microsoft f=reject,log(ms-alert) # slin+ s=testnet # slout- d=testnet # fw> o=extern # fw+ p=myhttp f=account(HTTP) # Take an attention about the protocol for your accounting rules. If you # want to count user http traffice, you may need a "myhttp tcp(80/)". filter { in+ i=loop s=localhost out+ o=loop d=localhost # allow incoming pings for IPv4 in+ s=all(4) p=ping # these IPv6-ICMP types are a MUST for IPv6 in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation in+ p=traceroute in+ s=trusted4(4) in+ s=trusted6(6) out+ d=all in- f=log(input),reject out- f=log(output),reject fw- f=log(forward),reject } uif-1.1.4/docs/uif.conf.IPv4.tmpl000066400000000000000000000110271235447076500164340ustar00rootroot00000000000000## Debian GNU Linux Firewall Package ## This file has been automatically generated by debconf. It will be overwritten ## the next time you configure firewall without choosing "don't touch". ## Sysconfig definitions # These entries define the global behaviour of the firewall package. Normally # they are preset in /etc/default/uif and may be overwritten by this # section. # # syntax: LogLevel : set the kernel loglevel for iptables rules # LogPrefix: prepend this string to all iptables logs # LogLimit: set packet log limit per time interval (times/interval) # LogBurst: set packet log burst # Limit: set packet limit per time interval (times/interval) # Burst: set packet burst # example: # sysconfig { # LogLevel debug # LogPrefix FW # LogLimit 20/minute # LogBurst 5 # Limit 20/minute # Burst 5 # AccountPrefix ACC_ # } ## Include predefined services # The include section takes a bunch of files and includes them into this # configuration file. # # syntax: "filename" #include { # "/etc/uif/services" #} ## Services needed for workstation setup # The service section provides the protocol definitions you're # using in the rules. You're forced to declare everything you # need for your setup. # # syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])] # [protocol_name([source:range][/][dest:range])] [service_name] ... # examples: http tcp(/80) # dns tcp(/53) udp(/53) # group http dns tcp(/443) # ipsec esp(/) udp(/500) service { traceroute udp(32769:65535/33434:33523) icmp(11) ping icmp(8) } ## Network definitions needed for simple workstation setup # In the network section you're asked to provide informations on all # hosts and/or networks running in your setup. # # syntax: net_name [ip-address[:mac-address]] [network] [net_name] # examples: webserver 192.168.1.5 # intranet 10.1.0.0/16 # dmz 10.5.0.0/255.255.0.0 # some intranet dmz 10.2.1.1 # router 10.1.0.1=0A:32:F2:C7:1A:31 network { localhost 127.0.0.1 all 0.0.0.0/0 trusted 192.168.1.0/24 } ## Interface definitions # Since all definitions used in the filter section are symbolic, # you've to specify symbolic names for all your interfaces you're # going to use. # # syntax: interface_name [unix network interface] [interface_name] # examples: internal eth0 # external ippp0 ipsec0 # allppp ppp+ # group external allppp eth3 interface { loop lo } ## Filter definitions # The filter section defines the rules for in, out, forward, masquerading # and nat. All rules make use of the symbolic names defined above. This # section can be used multiple times in one config file. This makes more # senese when using one of these alias names: # filter, nat, input, output, forward, masquerade # # syntax: in[-/+] [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # fw[>/-/+] [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]] # additional: # All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which # causes the creation of a stateless rule. # flags: limit([count/time[,burst]]) # reject([reject type]) # log([name]) # account(name) # examples: # masq+ o=extern s=intranet # nat+ s=intranet p=http D=relayintern P=squid # in+ s=trusted p=ssh,ping,traceroute,http # out- s=intranet p=smb f=reject # fw- d=microsoft f=reject,log(ms-alert) # slin+ s=testnet # slout- d=testnet # fw> o=extern # fw+ p=myhttp f=account(HTTP) # Take an attention about the protocol for your accounting rules. If you # want to count user http traffice, you may need a "myhttp tcp(80/)". filter { in+ i=loop s=localhost out+ o=loop d=localhost in+ p=ping,traceroute in+ s=trusted out+ d=all in- f=log(input),reject out- f=log(output),reject fw- f=log(forward),reject } uif-1.1.4/services000066400000000000000000000044371235447076500140730ustar00rootroot00000000000000## UIF 1.0 sample services file # (C) 2002-2014, Cajus Pollmeier # (C) 2002-2014, Jörg Platte # (C) 2013-2014, Mike Gabriel # (C) 2013-2014, Alex Owen service { # ICMP & Routing traceroute udp(32769:65535/33434:33523) # ICMP protocol: IPv4 and IPv6 ICMP types ping icmp(echo-request) ipv6-icmp(echo-request) pong icmp(echo-reply) ipv6-icmp(echo-reply) noroute icmp(destination-unreachable) ipv6-icmp(destination-unreachable) router-advertisement icmp(router-advertisement) ipv6-icmp(router-advertisement) router-solicitation icmp(router-solicitation) ipv6-icmp(router-solicitation) # ICMP protocol: IPv4-only ICMP types host-unreachable icmp(host-unreachable) ttl-exceeded icmp(ttl-exceeded) source-quench icmp(source-quench) # ICMP protocol: IPv6-only ICMP types packet-too-big ipv6-icmp(packet-too-big) time-exceeded ipv6-icmp(time-exceeded) parameter-problem ipv6-icmp(parameter-problem) neighbor-advertisement ipv6-icmp(neighbor-advertisement) neighbor-solicitation ipv6-icmp(neighbor-solicitation) # Most common services you may want to filter ftp tcp(/21) ssh tcp(/22) telnet tcp(/23) smtp tcp(/25) whois tcp(/43) dns tcp(/53) udp(/53) bootp tcp(68/67) udp(68/67) http tcp(/80) pop3 tcp(/110) sunrpc udp(/111) tcp(/111) ident tcp(/113) ntp udp(/123) nntp tcp(/119) smb tcp(/137:139) udp(/137:139) tcp(/445) udp(/445) imap tcp(/143) xdmcp udp(/177) ldap tcp(/389) https tcp(/443) ssmtp tcp(/465) syslog udp(/514) route udp(/520) icmp(9) uucp tcp(/540) real tcp(/554) ipp tcp(/631) udp(/631) mount udp(/635) imaps tcp(/993) pop3s tcp(/995) nfs udp(/2049) tcp(/2049) cvspserver tcp(/2401) squid tcp(/3128) rdp tcp(/3389) vnc-support tcp(/5500:5509) x11 tcp(/6000:6063) proxy tcp(/8080) dhis udp(/58800) # ipsec ipsec esp(/) udp(/500) # some proprietary protocols arkeia tcp(/617) pcanywhere udp(/5632) tcp(/5631) msterminal tcp(/3389) udp(/3389) # some protocols igmp igmp() pim pim() tcp tcp(0:65535/0:65535) udp udp(0:65535/0:65535) # some useful definitions lowports udp(/1:1023) tcp(/1:1023) highports udp(/1024:65535) tcp(/1024:65535) } uif-1.1.4/uif000077500000000000000000000124261235447076500130330ustar00rootroot00000000000000#! /bin/bash ### BEGIN INIT INFO # Provides: uif # Required-Start: $network $syslog $remote_fs # Required-Stop: $network $syslog $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Universal Internet Firewall # Description: Start the firewall defined in /etc/uif/uif.conf. ### END INIT INFO # # Version: @(#)/etc/init.d/uif 1.1.4 July-2014 Mike Gabriel # # RedHat specific settings - ignore for real systems --------------------------- # chkconfig: - 60 95 # description: provides iptables packet filtering PATH=/usr/sbin:/sbin:$PATH UIF=/usr/sbin/uif IPV6MODE=0 # Include firewall defaults if available if [ -f /etc/default/uif ] ; then . /etc/default/uif fi #THIS IS DEFAULT ANYWAY#[ -z "$OPTIONS" ] && OPTIONS="-c /etc/uif/uif.conf" # Binaries installed? if [ ! -f /sbin/iptables ]; then echo "uif: iptables not found - aborting" exit 1 fi if [ $IPV6MODE = 1 -a ! -f /sbin/ip6tables ] ; then echo "uif: ip6tables not found - aborting" exit 1 fi # uif installed? Without this script makes no sense... [ -f $UIF ] || exit 1 # As the name says. If the kernel supports modules, it'll try to load # the ones listed in "MODULES". load_modules() { [ -f /proc/modules ] || return LIST=`/sbin/lsmod|awk '!/Module/ {print $1}'` for mod in $MODULES; do echo $LIST | grep -q $mod || modprobe $mod || /bin/true done } case "$1" in start) echo -n "Starting uif: modules, " logger "Starting uif" [ -f /proc/modules ] && load_modules echo -n "IPv4 rules: " EMSG=`$UIF $OPTIONS 2>&1` if [ $? -ne 0 ]; then echo "failed. Old IPv4 rules have been restored." logger "Starting uif failed: $EMSG" [ -n "$MAILTO" ] && \ echo -e "Hi. This is your firewall script - which has failed" \ "to execute in a proper way.\nHere is the error message:\n" \ "\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO echo -e "Error message: $EMSG\n" exit 1 else echo ok. fi if [ $IPV6MODE = 1 ] ; then echo -n "IPv6 rules: " EMSG=`$UIF -6 $OPTIONS 2>&1` if [ $? -ne 0 ]; then echo "failed. Old IPv6 rules have been restored." logger "Starting uif failed: $EMSG" [ -n "$MAILTO" ] && \ echo -e "Hi. This is your IPv6 firewall script - which has failed" \ "to execute in a proper way.\nHere is the error message:\n" \ "\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO echo -e "Error message: $EMSG\n" exit 1 else echo ok. fi fi ;; stop) echo -n "Stopping uif: " logger "Stopping uif" if [ $IPV6MODE = 1 ] ; then echo -n "IPv4: " fi $UIF -d if [ $IPV6MODE = 1 ] ; then echo ok. echo -n "Stopping uif: IPv6: " $UIF -6 -d fi echo ok. ;; print) echo "Printing rules based on your current configuration" $UIF $OPTIONS -pt if [ $IPV6MODE = 1 ] ; then $UIF -6 $OPTIONS -pt fi ;; test|test4) if [ $IPV6MODE = 1 ] ; then echo -n "IPv4 Test: " fi echo -n "Activating IPv4 ruleset for $TIMEOUT seconds: modules, " trap 'echo "aborted, IPv4 rules restored"; exit 0' SIGINT load_modules echo -n "IPv4 rules - active, waiting - " EMSG=`$UIF -T $TIMEOUT $OPTIONS` if [ $? -eq 0 ]; then echo ok exit 0 fi echo failed echo -e "Error message: $EMSG\n" ;; test6) if [ $IPV6MODE = 1 ] ; then echo -n "IPv6 Test: " echo -n "Activating IPv6 ruleset for $TIMEOUT seconds: modules, " trap 'echo "aborted, IPv6 rules restored"; exit 0' SIGINT load_modules echo -n "IPv6 rules - active, waiting - " EMSG=`$UIF -6 -T $TIMEOUT $OPTIONS` if [ $? -eq 0 ]; then echo ok exit 0 fi echo failed echo -e "Error message: $EMSG\n" fi ;; status) if [ "`id -u`" != "0" ]; then echo "Can't retrieve status information. You need to be root." exit 1 fi if [ $IPV6MODE = 1 ] ; then echo "IPv4 STATUS:" fi # Simple rule listing echo -e "\nRule listing:\n" iptables-save | sed "/^#/d" # Show accounting data if [ -n "$ACCOUNTPREFIX" ]; then echo -e "\n\nCurrent accounting information:\n" iptables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \ sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }' fi if [ $IPV6MODE = 1 ] ; then echo "IPv6 STATUS:" # Simple rule listing echo -e "\nRule listing:\n" ip6tables-save | sed "/^#/d" # Show accounting data if [ -n "$ACCOUNTPREFIX" ]; then echo -e "\n\nCurrent accounting information:\n" ip6tables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \ sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }' fi fi # Show last 10 policy violations if [ -n "$LOGPREFIX" ]; then if [ $IPV6MODE = 1 ] ; then echo -e "\n\nLast 10 policy violations (IPv4 & IPv6 combined):" else echo -e "\n\nLast 10 policy violations (IPv4 only):" fi dmesg | grep "`hostname`.* $LOGPREFIX .*:" 2> /dev/null | tail -n 10 fi echo -e "\n\n" ;; restart|reload|force-reload) $0 start ;; flush) echo -n "Flushing IPv4 packet counters: " iptables -Z &> /dev/null if [ $? -eq 0 ]; then echo ok else echo failed fi if [ $IPV6MODE = 1 ] ; then echo -n "Flushing IPv6 packet counters: " ip6tables -Z &> /dev/null if [ $? -eq 0 ]; then echo ok else echo failed fi fi ;; *) echo "Usage: $0 {start|stop|status|restart|reload|flush|print}" exit 1 esac exit 0 uif-1.1.4/uif-ipv4-networks.inc000066400000000000000000000010331235447076500163220ustar00rootroot00000000000000## IPv4 network name definitions for UIF # In the network section you're asked to provide informations on all # IPv4 hosts and/or networks running in your setup. # # syntax: net_name [ip-address[=mac-address]] [network] [net_name] # examples: webserver 192.168.1.5 # intranet 10.1.0.0/16 # dmz 10.5.0.0/255.255.0.0 # some intranet dmz 10.2.1.1 # router 10.1.0.1=0A:32:F2:C7:1A:31 network { localhost 127.0.0.1 all 0.0.0.0/0 # trusted 192.168.1.0/24 } uif-1.1.4/uif-ipv6-networks.inc000066400000000000000000000010511235447076500163240ustar00rootroot00000000000000## IPv6 network name definitions for UIF # In the network section you're asked to provide informations on all # IPv6 hosts and/or networks running in your setup. # # syntax: net_name [ip-address[=mac-address]] [network] [net_name] # examples: webserver 2001:610:1908:b000::148:14 # intranet fd00:0:0:1::/64 # dmz fd00:0:0:5::/64 # some intranet dmz fd00:0:2:1::1 # router fd00:0:0:1::1=0A:32:F2:C7:1A:31 network { localhost ::1 all ::/0 # trusted fd00:1:2:3::/64 } uif-1.1.4/uif.8000066400000000000000000000107721235447076500132000ustar00rootroot00000000000000.\" -*- nroff -*- .TH UIF 8 "February 25th, 2002" .\" Please adjust this date whenever revising the manpage. .Dd May 24, 2002 .Dt UIF 8 .Os .ds operating-system UIF(8) .Sh NAME .Nm uif .Nd Tool for generating optimized packetfilter rules .Sh SYNOPSIS .Nm uif .Op Fl 6 .Op Fl dptW .Op Fl b Ar base .Op Fl c Ar config_file .Op Fl C Ar config_file .Op Fl D Ar bind_dn .Op Fl r Ar ruleset .Op Fl R Ar ruleset .Op Fl s Ar server .Op Fl T Ar time .Op Fl w Ar password .Sh DESCRIPTION .Pp This manual page documents the .Nm command. It is used to generate optimized .Xr iptables 8 packetfilter rules, using a simple description file specified by the user. Generated rules are provided in .Xr iptables\-save 8 style. .Nm can be used to read or write rulesets from or to LDAP servers in your network, which provides a global storing mechanism. (LDAP support is currently broken, note that you need to include the uif.schema to your slapd configuration in order to use it.) .Pp .Xr uif.conf 5 provides an easy way to specify rules, without exact knowledge of the iptables syntax. It provides groups and aliases to make your packetfilter human readable. .Pp Keep in mind that .Nm uif is intended to assist you when designing firewalls, but will not tell you what to filter. .Sh Options The options are as follows: .Bl -tag -width Ds .It Fl 6 Turn on IPv6 mode so as to manipulate ip6tables rules. Default configuration file is changed to .Ar /etc/uif/uif6.conf see .Ar \-c below. It should be noted that nat rules are silently ignored if .Ar \-6 is used. .It Fl b Ar base Specify the base to act on when using LDAP based firewall configuration. .Nm will look in the subtree .Ar ou=filter, ou=sysconfig, base for your rulesets. .It Fl c Ar config_file This option specifies the configuration file to be read by .Nm \. See .Xr uif.conf 5 for detailed information on the fileformat. It defaults to .Ar /etc/uif/uif.conf. .It Fl C Ar config_file When reading configuration data from other sources than specified with .Ar \-c you may want to convert this information into a textual configuration file. This options writes the parsed config back to the file specified by .Ar config_file. .It Fl d Clears all firewall rules immediatly. .It Fl D Ar bind_dn If a special account is needed to bind to the LDAP database, the account dn can be specified at this point. Note: you should use this when writing an existing configuration to the LDAP. Reading the configuration may be done with an anonymous bind. .It Fl p Prints rules specified in the configuration to stdout. This option is mainly used for debugging the rule simplifier. .It Fl r Ar ruleset Specifies the name of the ruleset to load from the LDAP database. Remember to use the .Ar \-b option to set the base. Rulesets are stored using the following dn: .Ar cn=name, ou=rulesets, ou=filter, ou=sysconfig, base, where name will be replaced by the ruleset specified. .It Fl R Ar ruleset Specifies the name of the ruleset to write to the LDAP database. This option can be used to convert i.e. a textual configuration to a LDAP based ruleset. Like using .Ar \-r you've to specify the LDAP base to use. Target is .Ar cn=name, ou=rulesets, ou=filter, ou=sysconfig, base, where name will be replaced by the ruleset specified. .It Fl s Ar server This option specified the LDAP server to be used. .It Fl t This option is used to validate the packetfilter configuration without applying any rules. Mainly used for debugging. .It Fl T Ar time When changing your packetfiltering rules remotely, it is useful to have a test option. Specify this one to apply your rules for a period of time (in seconds). After that the original rules will be restored. .It Fl w Ar password When connecting to the LDAP server, you may need to authenticate via passwords. If you really need to specify a password, use this option, otherwise use .Ar \-W and enter it interactivly. .It Fl W Activate interactive password query for LDAP authentication. .El .Pp .Nm is meant to leave the packetfilter rules in a defined state, so if something went wrong during the initialisation, or .Nm is aborted by the user, the rules that were active before starting will be restored. .Pp Normally you will not need to call this binary directly. Use the init script instead, since it does the most common steps for you. .Sh FILES Configuration files are located in /etc/uif. .Sh SEE ALSO uif.conf(5) iptables(8) .Pp .Sh AUTHOR This manual page was written by Cajus Pollmeier and Jörg Platte , for the Debian GNU/Linux system (but may be used by others). uif-1.1.4/uif.conf000066400000000000000000000117331235447076500137540ustar00rootroot00000000000000## uif Firewall Configuration ## Sysconfig definitions # These entries define the global behaviour of the firewall package. Normally # they are preset in /etc/default/uif and may be overwritten by this # section. # # syntax: LogLevel : set the kernel loglevel for iptables rules # LogPrefix: prepend this string to all iptables logs # LogLimit: set packet log limit per time interval (times/interval) # LogBurst: set packet log burst # Limit: set packet limit per time interval (times/interval) # Burst: set packet burst # example: # sysconfig { # LogLevel debug # LogPrefix FW # LogLimit 20/minute # LogBurst 5 # Limit 20/minute # Burst 5 # AccountPrefix ACC_ # } ## Include predefined services # The include section takes a bunch of files and includes them into this # configuration file. # # syntax: "filename" include { "/etc/uif/services" } ## Services needed for workstation setup # The service section provides the protocol definitions you're # using in the rules. You're forced to declare everything you # need for your setup. # # syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])] # [protocol_name([source:range][/][dest:range])] [service_name] ... # examples: http tcp(/80) # dns tcp(/53) udp(/53) # group http dns tcp(/443) # ipsec esp(/) udp(/500) service { traceroute udp(32769:65535/33434:33523) icmp(11) ping icmp(8) } ## Network definitions needed for simple workstation setup # The network definitions are included from two separate files. # 1. /etc/uif/uif-ipv4-networks.inc # 2. /etc/uif/uif-ipv6-networks.inc # # If you want to setup IPv4 and IPv6 firewalling easily, # make sure that all network names you use in your ruleset # in both include files. # # Additionally make /etc/uif/uif6.conf a symlink that points to # /etc/uif/uif.conf. # # IPv4 network definitions # # If you update from a version of UIF that supported IPv4 only, then # you probably want to leave the uif.conf file untouched for now and # move your network definitions block from uif.conf to uif-ipv4-networks.inc # manually later. include4 { "/etc/uif/uif-ipv4-networks.inc" } # IPv6 network definitions # # Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use # IPv6 support on your UIF based firewall. include6 { "/etc/uif/uif-ipv6-networks.inc" } ## Interface definitions # Since all definitions used in the filter section are symbolic, # you've to specify symbolic names for all your interfaces you're # going to use. # # syntax: interface_name [unix network interface] [interface_name] # examples: internal eth0 # external ippp0 ipsec0 # allppp ppp+ # group external allppp eth3 interface { loop lo } ## Filter definitions # The filter section defines the rules for in, out, forward, masquerading # and nat. All rules make use of the symbolic names defined above. This # section can be used multiple times in one config file. This makes more # senese when using one of these alias names: # filter, nat, input, output, forward, masquerade # # syntax: in[-/+] [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # fw[>/-/+] [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n] # nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]] # additional: # All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which # causes the creation of a stateless rule. # flags: limit([count/time[,burst]]) # reject([reject type]) # log([name]) # account(name) # examples: # masq+ o=extern s=intranet # nat+ s=intranet p=http D=relayintern P=squid # in+ s=trusted p=ssh,ping,traceroute,http # out- s=intranet p=smb f=reject # fw- d=microsoft f=reject,log(ms-alert) # slin+ s=testnet # slout- d=testnet # fw> o=extern # fw+ p=myhttp f=account(HTTP) # Take an attention about the protocol for your accounting rules. If you # want to count user http traffice, you may need a "myhttp tcp(80/)". filter { in+ i=loop s=localhost out+ o=loop d=localhost in+ s=all(4) p=ping # these IPv6-ICMP types are a MUST for IPv6 in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation in+ p=traceroute # in+ s=trusted(4) # in+ s=trusted(6) out+ d=all in- f=log(input),reject out- f=log(output),reject fw- f=log(forward),reject } uif-1.1.4/uif.conf.5000066400000000000000000000201611235447076500141120ustar00rootroot00000000000000.\" -*- nroff -*- .TH UIF.CONF 5 "June 11th, 2013" .\" Please adjust this date whenever revising the manpage. .Dd June, 2013 .Dt UIF.CONF 5 .Os .ds operating-system UIF.CONF(5) .Sh NAME .Nm uif.conf .Nd Tool for generating optimized packet filter rules .ds Default configuration file for uif .Sh DESCRIPTION First of all, the syntax of this configuration file is far from being perfect. If you've got some better ideas just drop me a line... .Ar /etc/uif/uif.conf is the default configuration file for .Xr uif 8 . This file may contain several sections and comments. Each section begins with the section name and the left curly brace and ends with the right curly brace in a single line. A comment starts with a hash mark .Cm (#) at the beginning of a line. .Pp Blank lines are silently ignored. The following sections are valid: .Cm include, include4, include6, sysconfig, service, network, interface, marker, filter, nat, input, output, forward, masquerade and .Cm stateless. .Pp The sections .Cm service, network, marker and .Cm interface have all a very similar syntax. Each line starts with an identifier followed by one or more blanks and one or more section specific entries or defined identifiers separated by blanks. A valid identifier is case sensitive and consists of letters, digits, underscores and hyphens. .Pp If two or more identifiers in one section are equal, the corresponding entries are merged to the first identifier. Hence, it's not possible to overwrite perviously defined identifiers. As a result the order of the section entries is irrelevant and it's possible to define a section more than once. .Ss include section Include other configuration files. Each line in this section, enclosed in quotation marks ("), must be a valid filename. The contents of this file are added to the actual configuration file and each file should contain at least one section (a comment only file is not really useful...). .Ss include4 section Include other configuration files but ONLY in IPv4 mode (WITHOUT \-6 switch to uif). Otherwise equivalent to the include section above. .Ss include6 section Include other configuration files but ONLY in IPv6 mode (WITH \-6 switch to uif). Otherwise equivalent to the include section above. .Ss sysconfig section Set some global settings. Each line in this section starts with one of the following identifiers followed by one or more blanks and the desired value: .Cm LogLevel, LogPrefix, LogLimit, LogBurst, Limit, Burst and .Cm AccountPrefix. If there are multiple definitions of one entry the last definition is stored. .Bl -tag -width Ds .It Cm LogLevel A valid default log priority (see .Xr syslog.conf 5) .It Cm LogPrefix The default log prefix. Each iptables logmessage starts with this prefix. .It Cm LogLimit The default limit value for logmessages (see .Xr iptables 8) .It Cm LogBurst The default burst value for logmessages (see .Xr iptables 8) .It Cm Limit The default limit value (see .Xr iptables 8) .It Cm Burst The default burst value (see .Xr iptables 8) .It Cm AccountPrefix The default prefix for accounting chains. .Pp .El .Ss service section This section defines all needed services. A service description starts with the protocol (see .Xr protocols 5) followed by parameters in parenthesis. Most protocols don't need any parameters. The only exceptions are tcp, udp and icmp. The tcp and udp parameter defines the source and destionation port(\-range). The source and destination ports are separated by a slash (/) and portranges are separated by a colon (eg. tcp(123:333/99): tcp protocol, source\-portrange 123\-333, destination port 99). Empty source or destination ports are expanded to 1:65535. The icmp protocol parameter must be a valid icmp type (see iptables \-p icmp \-\-help). .Ss network section This section defines all needed networks and hosts. A network description starts with a valid IPv4 address (dotted quad), an optional netmask in cidr notation (number of bits) or an optional MAC\-address (with a prefixed equal sign (=). Some valid entries are: 127.0.0.1 127.0.0.0/8 192.168.0.1=00:00:00:00:00:FF. .Ss interface section This section defines all needed (physical and bridged) interfaces (eg. eth0, lo, ppp0). .Ss marker section This section defines all needed numerical (decimal) values for packet marking purposes. .Ss filter, nat, input, output, forward, masquerade and stateless sections Due to better partitioning of the packetfilter, rules can be split into these sections. Internally they are equivalent and contain all rules. As an exception to all other sections the order of entries in these sections is important. .Pp The default policy for the chains INPUT, OUTPUT and FORWARD is DROP (see .Xr iptables 8) and it's not possible to change this. .Pp Each line in in this section begins with .Cm in, out, fw, nat, masq, slin, slout or .Cm slfw followed by '+', '\-' or a mark identifier enclosed in curly braces (or, in case of fw followed by '>'). The identifiers .Cm in, out and .Cm fw define rules for incoming, outgoing and forwarded IP\-packets. Each packet with an INVALID state (see .Xr iptables 8) is matched by .Cm slin, slout and .Cm slfw. The lines starting with .Cm nat and .Cm masq define rules to modify the source or destination address or the destination port. .Pp The plus and minus signs specify the type of the rule: '+' accepts matching packets and '\-' drops them. As a special case the identifier out and fw accept the greater than (>) sign to modify the MSS depending on the PMTU (see .Xr iptables 8) .Pp A very basic ruleset may look like this: .Cm out+ .Pp This allows every outgoing traffic and rejects all incoming connections (because of the default policy). .Pp To be more specific, each line may contain several parameters. Each parameter starts with a single character followed by an equal sign (=) and one or more previously defined identifiers (in the corresponding sections) separated by commas. The following parameters are valid: .Bl -tag -width Ds .It Cm s The source address or network. .It Cm d The destination address or network. .It Cm i The input interface. .It Cm o The output interface. .It Cm pi The physical input interface (only useful when used with bridged interfaces). .It Cm po The physical output interface (only useful when used with bridged interfaces). .It Cm p The service description (protocol). .It Cm m The mark field associated with a packet. .It Cm S The the new source address in nat rules. .It Cm D The the new destination address in nat rules. .It Cm P The the new service description in nat rules. This is only valid with tcp or udp packets. .It Cm f This parameter sets some 'flags'. A flag definition starts with the flag identifier and optional parameters in parenthesis. Valid flags are: .Pp .Cm log \- Logs matching packages to syslog. The given parameter is included in the log entry. The number of logged packets and the loglevel can be set in the sysconfig section. .Pp .Cm reject \- Only valid in DROP rules. This is used to send back an error packet in response to the matched packet. The default behaviour is a packet with set RST flag on tcp connections and a destination\-unreachable icmp packet in every other case. Valid parameters are listed in .Xr iptables 8 in the REJECT section. .Pp .Cm account \- Create an accounting chain for all matching packages and possible responses. The optional parameter is a part of the name of the chain. .Pp .Cm limit \- Limits the number of matching packets. The default values are set in the sysconfig section. Other values can be defined with the optional parameter. The first entry sets a new limit and the second parameter (separated by a comma (,)) sets the burst value (see Limit and Burst in sysconfig section). .El It's possible to invert the identifier of one of following parameters \- if it expands to ecactly one object \- by prepending a exclamation mark (!): .Cm s, d, i, o, p (eg.: s=!local p=!http). .Sh FILES Configuration files are located in /etc/uif. There is a sample configuration in .Ar /usr/share/doc/uif/uif.conf.tmpl.gz. .Sh SEE ALSO iptables(8) uif(8) .Sh AUTHOR This manual page was written by Jörg Platte and Cajus Pollmeier , for the Debian GNU/Linux system (but may be used by others). uif-1.1.4/uif.pl000077500000000000000000001576241235447076500134570ustar00rootroot00000000000000#!/usr/bin/perl -w # Copyright (C) 2002-2014 Jörg Platte # Copyright (C) 2002-2014 Cajus Pollmeier # Copyright (C) 2013-2014 Mike Gabriel # Copyright (C) 2013-2014 Alex Owen # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # # On Debian GNU/Linux systems, a copy of the GNU General Public License may be # found in the file /usr/share/common-licenses/GPL. use strict; my $LDAPENABLED = eval "use Net::LDAP; 1" ? '1' : '0'; use Getopt::Std; use NetAddr::IP; my $SignalCatched=0; my $configfile="/etc/uif/uif.conf"; my $configfile6="/etc/uif/uif6.conf"; my $ipv6=0; my @mapping = ( [ 'n', 'uifid', 'Name' ], [ 's', 'uifsource', 'Source'], [ 'i', 'uifindevice', 'InputInterface'], [ 'pi', 'uifpindevice', 'PhysicalInputInterface'], [ 'd', 'uifdest', 'Destination'], [ 'o', 'uifoutdevice', 'OutputInterface'], [ 'po', 'uifpoutdevice', 'PhysicalOutputInterface'], [ 'p', 'uifservice', 'Service'], [ 'm', 'uifmark', 'MarkMatch'], [ 'S', 'uiftranssource', 'TranslatedSource'], [ 'D', 'uiftransdest', 'TranslatedDestination'], [ 'P', 'uiftransservice', 'TranslatedService'], [ '', 'uiftype', 'Type'], [ 'f', 'uifflag', 'Flags']); my %charstringmap; my %ldapstringmap; my %ldapwritemap; my %stringcharmap; foreach (@mapping) { $charstringmap{${$_}[0]}=${$_}[2]; $stringcharmap{${$_}[2]}=${$_}[0]; if (${$_}[0]) { $ldapstringmap{${$_}[1]}=${$_}[2]; } $ldapwritemap{${$_}[2]}=${$_}[1]; } sub readConfig { my ($configfile, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig, $Marker) = @_; my @conflines; my @protlines; my $state='NONE'; my $line; unless (defined($$Protocols{'OK'})) { $$Protocols{'OK'}=1; open (PROT, '/etc/protocols') || die "Can't read '/etc/protocols'\n"; @protlines = ; close (PROT); foreach $line (@protlines) { if ($line =~ /^\s*(#|$)/) { next; } chomp($line); if ($line =~ /^([a-z0-9-.]+)\s+(\d+)\s+/) { $$Protocols{$1}=$2; $$Protocols{$2}=$1; } else { die "invalid line in '/etc/protocols': $line\n"; } } } open (CONF, $configfile) || die "Can't read configfile '$configfile'\n"; @conflines = ; close (CONF); foreach $line (@conflines) { $line =~ /^\s*(#|$)/ && next; chomp($line); if ($state eq 'NONE') { my $type; if ($line =~ /^\s*([^\s}]+)\s*{\s*$/) { $state="\U$1"; } else { die "invalid line: $line\n"; } } else { if ($line =~ /^\s*}\s*$/) { $state='NONE'; } elsif ($state eq 'SERVICE') { if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) { $$Services{$1}.="$2 "; } else { die "invalid line in section service: $line\n"; } } elsif ($state eq 'INCLUDE') { if ($line =~ /^\s*\"(.+)\"$/) { my $file = $1; readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig); } else { die "invalid line in section include: $line\n"; } } elsif ($state eq 'INCLUDE6') { if ($ipv6) { if ($line =~ /^\s*\"(.+)\"$/) { my $file = $1; readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig); } else { die "invalid line in section include6: $line\n"; } } } elsif ($state eq 'INCLUDE4') { if ($ipv6) {} else { if ($line =~ /^\s*\"(.+)\"$/) { my $file = $1; readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig); } else { die "invalid line in section include4: $line\n"; } } } elsif ($state eq 'NETWORK') { if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) { $$Networks{$1}.="$2 "; } else { die "invalid line in section network: $line\n"; } } elsif ($state eq 'INTERFACE') { if ($line =~ /^\s*([a-zA-Z0-9_-]+(:\d+)?)\s+(.*)$/) { $$Interfaces{$1}.="$3 "; } else { die "invalid line in section interface: $line\n"; } } elsif ($state eq 'MARKER') { if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) { $$Marker{$1}.="$2 "; } else { die "invalid line in section marker: $line\n"; } } elsif ($state eq 'SYSCONFIG') { if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) { $$Sysconfig{$1}=$2; } else { die "invalid line in section sysconfig: $line\n"; } } elsif ($state =~ /^(FILTER|NAT|INPUT|OUTPUT|FORWARD|MASQUERADE|STATELESS)$/) { if ($line =~ /^\s*(\w+([-+|>]|{\w+}))\s*(.*)$/) { my $type = $1; my $parameter = $3; my %temphash; $temphash{'Type'}=$type; $temphash{'Rule'}=$line; $temphash{'Id'}=$$Id++; my $entry; foreach $entry (split(/\s+/, $parameter)) { $entry eq '' && next; if ($entry =~ /^([a-zA-Z]{1,2})=([^=]+)$/) { if (exists($charstringmap{$1})) { my $value = $2; $value =~ tr /,/ /; $temphash{$charstringmap{$1}}.="$value "; } else { die "invalid prefix: $1\n"; } } else { die "invalid parameter: $entry\n"; } } push (@$Rules, \%temphash); } else { die "invalid line in section filter/nat: $line\n" } } else { die "invalid section: \L$state\n"; } } } } sub resolveHashentries { my ($value, $Hash, $depth) = @_; unless (defined($depth)) { $depth=1; } elsif ($depth++ > 50) { die "possible loop in configfile: $value\n"; } my $newvalue; my $entry; foreach $entry (split (/\s+/, $value)) { $entry eq '' && next; if (exists($$Hash{$entry})) { $newvalue.=" ".resolveHashentries($$Hash{$entry}, $Hash, $depth); } else { $newvalue.=" ".$entry; } } return $newvalue; } sub expandRange { my ($range, $multi) = @_; if (@$range != 0) { unless (@$multi == 0 && @$range==1) { my %rangehash; my @rangearray; my $entry; foreach $entry (@$range) { $entry =~ /(\d+):(\d+)/; my $range=$2-$1+1; if (exists($rangehash{$range})) { push (@{$rangehash{$range}}, $1); } else { $rangehash{$range}=[$1]; } push (@rangearray, $range); } @rangearray=sort {$a <=> $b} (@rangearray); my $again=1; my $last=15; while ($again) { $again=0; while (@rangearray) { my $range=$rangearray[0]; if (@$multi+$range<=$last) { my $first=shift(@{$rangehash{$range}}); my $port; for ($port=$first+$range-1; $port>=$first; $port--) { push (@$multi, $port); } shift (@rangearray); } else { last; } } if (@rangearray>1) { $last+=15; if (@$multi+$rangearray[0]+$rangearray[1]<=$last) { $again=1; } } } my @temprange; foreach $range (@rangearray) { foreach (@{$rangehash{$range}}) { my $last=$_+$range-1; push(@temprange, "$_:$last"); } } @$range=@temprange; } } } sub simplifyNetworks { my (@networks) = @_; my @netobjects; my $netref; my %macs; my $mac; my $network; if (@networks) { my $ip; my $onlymacs=1; foreach (@networks) { my $ip; if ($_ =~ /(^[^=]+)=([^=]+)$/ ) { if ($ipv6) { $ip=NetAddr::IP->new6($1) || die "not a valid network: $1\n"; } else { $ip=NetAddr::IP->new($1) || die "not a valid network: $1\n"; } if (!exists($macs{$ip})) { $macs{$ip}=[]; } push (@{$macs{$ip}}, $2); } else { if ($ipv6) { $ip=NetAddr::IP->new6($_) || die "not a valid network: $1\n"; } else { $ip=NetAddr::IP->new($_) || die "not a valid network: $1\n"; } $onlymacs=0; } push(@netobjects, $ip); }; if ($onlymacs==0) { $netref = NetAddr::IP::compactref(\@netobjects); @networks=(); foreach $network (@$netref) { if (exists($macs{$network})) { foreach $mac (@{$macs{$network}}) { push (@networks, $network."=".$mac); } } else { push (@networks, $network); } }; } } return (@networks); } sub checkLimit { my ($limit) = @_; if ($limit =~/^\d+(\/second|\/minute|\/hour|\/day|)$/) { return 1; } else { return 0; } } sub validateSysconfig { my ($Sysconfig) = @_; my $syskey; foreach $syskey (keys (%$Sysconfig)) { if ("\L$syskey" eq "loglevel") { my $level=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $level =~ s/\s+//g; if ($level =~/^(debug|info|notice|warning|err|crit|alert|emerg)$/) { $$Sysconfig{'LogLevel'}=$level; } else { die "unknown loglevel: $level\n"; } } elsif ("\L$syskey" eq "logprefix") { my $prefix=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $$Sysconfig{'LogPrefix'}=$prefix; } elsif ("\L$syskey" eq "loglimit") { my $limit=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $limit =~ s/\s+//g; if (checkLimit $limit) { $$Sysconfig{'LogLimit'}=$limit; } else { die "unknown loglimit: $limit:\n"; } } elsif ("\L$syskey" eq "logburst") { my $burst=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $burst =~ s/\s+//g; if ($burst =~/^\d+$/) { $$Sysconfig{'LogBurst'}=$burst; } else { die "unknown logburst: $burst\n"; } } elsif ("\L$syskey" eq "limit") { my $limit=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $limit =~ s/\s+//g; if (checkLimit $limit) { $$Sysconfig{'Limit'}=$limit; } else { die "unknown limit: $limit:\n"; } } elsif ("\L$syskey" eq "burst") { my $burst=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $burst =~ s/\s+//g; if ($burst =~/^\d+$/) { $$Sysconfig{'Burst'}=$burst; } else { die "unknown burst: $burst\n"; } } elsif ("\L$syskey" eq "accountprefix") { my $prefix=$$Sysconfig{$syskey}; delete $$Sysconfig{$syskey}; $prefix =~ s/\s+//g; if ($prefix =~/^\w+$/) { $$Sysconfig{'AccountPrefix'}=$prefix; } else { die "invalid account prefix: $prefix\n"; } } else { die "unknown sysconfig parameter: $syskey\n"; } } } sub toRange { my ($range, $proto, $rule) = @_; if ($range =~ /^(\d*)(|:(\d*))$/) { if ($1 && $3) { return "$1:$3"; } elsif ($1 && $2) { return "$1:65535"; } elsif ($2 && $3) { return "0:$3"; } elsif ($1) { return "$1:$1"; } else { return "0:65535"; } } else { die "invalid $proto service: $range:\n$rule\n"; } } sub validateData { my ($Networks, $Services, $Interfaces, $Protocols, $Rules, $Sysconfig, $Marker) = @_; validateSysconfig $Sysconfig; my $key; foreach $key (keys (%$Networks)) { $$Networks{$key} = resolveHashentries($$Networks{$key}, $Networks); } foreach $key (keys (%$Services)) { $$Services{$key} = resolveHashentries($$Services{$key}, $Services); } foreach $key (keys (%$Interfaces)) { $$Interfaces{$key} = resolveHashentries($$Interfaces{$key}, $Interfaces); } foreach $key (keys (%$Interfaces)) { if (!($$Interfaces{$key} =~ /^[a-zA-Z0-9+ ]+(:\d+)?$/)) { die "invalid character in interface definition: $$Interfaces{$key}\n"; } } foreach $key (keys (%$Marker)) { $$Marker{$key} = resolveHashentries($$Marker{$key}, $Marker); } ## marken auf plausibilität prüfen my $rule; foreach $rule (@$Rules) { if (exists($$rule{'TranslatedSource'}) && exists($$rule{'TranslatedDestination'})) { die "can't modify source and destination address in one rule:\n$$rule{'Rule'}\n"; } my $ruletype=$$rule{'Type'}; if ($ruletype =~ /^\s*(masq|snat|dnat|nat)(\+|-)$/) { my $type = $1; my $action = $2; $$rule{'Table'}='nat'; if ($type eq 'masq') { if ($ipv6) { $$rule{'Type'}='IGNORE-IPV6-POSTROUTING'; } else { $$rule{'Type'}='POSTROUTING'; } $$rule{'Action'}='MASQUERADE'; } elsif ($type =~ /^(s|d|)nat$/) { if (exists($$rule{'TranslatedSource'})) { if ($ipv6) { $$rule{'Type'}='IGNORE-IPV6-POSTROUTING'; } else { $$rule{'Type'}='POSTROUTING'; } $$rule{'Action'}='SNAT'; } elsif (exists($$rule{'TranslatedDestination'})) { if ($ipv6) { $$rule{'Type'}='IGNORE-IPV6-PREROUTING'; } else { $$rule{'Type'}='PREROUTING'; } $$rule{'Action'}='DNAT'; } else { die "nat rule without address translation makes no sense:\n$$rule{'Rule'}\n"; } } if ($action eq '-') { $$rule{'Action'}='DROP'; } } elsif ($ruletype =~ /^\s*(in|out|fw|slin|slout|slfw)(\+|-|\||>|{\w+})$/) { my $type = $1; my $action = $2; $$rule{'Table'}='filter'; if ($type eq 'fw') { $$rule{'Type'}='FORWARD'; } elsif ($type eq 'in') { $$rule{'Type'}='INPUT'; } elsif ($type eq 'out') { $$rule{'Type'}='OUTPUT'; } elsif ($type eq 'slfw') { $$rule{'Type'}='STATELESSFORWARD'; } elsif ($type eq 'slin') { $$rule{'Type'}='STATELESSINPUT'; } else { $$rule{'Type'}='STATELESSOUTPUT'; } if ($action eq '+') { $$rule{'Action'}='ACCEPT'; } elsif ($action eq '-') { $$rule{'Action'}='DROP'; } elsif ($action eq '|') { if ($$rule{'Type'} =~ /OUTPUT/) { die "can't use mirror in OUTPUT chain\n"; } else { $$rule{'Action'}='MIRROR'; } } elsif ($action =~ /^{(\w+)}$/) { my $marker=$1; $$rule{'Action'}='MARK'; $$rule{'Table'}='mangle'; if (exists($$Marker{$marker})) { my @dummy = split(/\s+/, $$Marker{$marker}); if ($#dummy == 1) { $$rule{'Mark'}=$$Marker{$marker}; } else { die "can't mark packet with multiple mark values: $marker\n$$rule{'Rule'}\n"; } } else { die "invalid mark identifier: $marker\n$$rule{'Rule'}\n"; } } else { if ($$rule{'Type'} =~ /INPUT/) { die "can't use TCPMSS in INPUT chain\n"; } else { $$rule{'Action'}='TCPMSS'; } } if (exists($$rule{'TranslatedSource'}) || exists($$rule{'TranslatedDestination'}) || exists($$rule{'TranslatedService'})) { die "you can modify source or destination address only in nat rules:\n$$rule{'Rule'}\n"; } } else { die "unknown ruletype:\n$$rule{'Rule'}\n"; } my $hashentry; foreach $hashentry (qw(Source Destination TranslatedSource TranslatedDestination)) { my @simplenetwork; if (exists($$rule{$hashentry})) { my $position; foreach $position (split (/\s+/, $$rule{$hashentry})) { $position eq '' && next; $position =~ /^(!{0,1})(.*)/; if ($1) { $$rule{"${hashentry}-not"} = 1; } $position=$2; # support IPv4-only/IPv6-only rules if ($position =~ /^.*\((.+)\)$/) { my $only_proto = $1; $position =~ s/\((.+)\)$//; if (($ipv6) && ($only_proto eq "4")) { print "IPv6 setup: Skipping IPv4-only rule for network \"$position\"\n"; next; } elsif ((! $ipv6) && ($only_proto eq "6")) { print "IPv4 setup: Skipping IPv6-only rule for network \"$position\"\n"; next; } } if ($$rule{'Type'} =~ /^IGNORE\-IPV6\-.*$/) { next; } if (exists($$Networks{$position})) { my $network; foreach $network (split (/\s+/, $$Networks{$position})) { $network eq '' && next; push (@simplenetwork, $network); } } else { die "invalid network name: $position\n$$rule{'Rule'}\n"; } } @simplenetwork = simplifyNetworks (@simplenetwork); $$rule{$hashentry} = \@simplenetwork; } } foreach (qw(TranslatedSource TranslatedDestination)) { if (exists($$rule{$_}) && @{$$rule{$_}}>1) { die "you can specify only one source or destination network as nat target:\n$$rule{'Rule'}\n"; } if (exists($$rule{"$_-not"})) { die "inverting nat destinations is not possible\n$$rule{'Rule'}\n"; } } foreach (qw(Source Destination)) { if (exists($$rule{"${_}-not"}) && @{$$rule{$_}}>1) { die "you can specify only one source or destination network with not statement:\n$$rule{'Rule'}\n"; } } if (exists($$rule{'MarkMatch'})) { my $mark; my @array; foreach $mark (split (/\s+/, $$rule{'MarkMatch'})) { $mark eq '' && next; foreach (split(/\s+/, $$Marker{$mark})) { $_ eq '' && next; push (@array, $_); } } $$rule{'MarkMatch'}=\@array; } foreach $hashentry (qw(InputInterface OutputInterface PhysicalInputInterface PhysicalOutputInterface)) { if (exists($$rule{$hashentry})) { if (($hashentry eq 'InputInterface' || $hashentry eq 'PhysicalInputInterface') && $$rule{'Type'} =~ /(OUTPUT|POSTROUTING)/) { die "can't use input interface in output rule:\n$$rule{'Rule'}\n"; } elsif (($hashentry eq 'OutputInterface' || $hashentry eq 'PhysicalOutputInterface') && $$rule{'Type'} =~ /(INPUT|PREROUTING)/) { die "can't use output interface in input rule:\n$$rule{'Rule'}\n"; } my $position; my %interfacehash; foreach $position (split (/\s+/, $$rule{$hashentry})) { $position eq '' && next; $position =~ /^(!{0,1})(.*)/; if ($1) { $$rule{"${hashentry}-not"} = 1; } $position=$2; if (exists($$Interfaces{$position})) { my $interface; foreach $interface (split (/\s+/, $$Interfaces{$position})) { $interface eq '' && next; $interfacehash{$interface}=1; } } else { die "invalid interface entry: $position\n"; } } my @array = keys (%interfacehash); $$rule{$hashentry} = \@array; } if (exists($$rule{"${hashentry}-not"}) && @{$$rule{$hashentry}}>1) { die "you can specify only one input or output interface with not statement:\n$$rule{'Rule'}\n"; } } my $serviceentry; my $servicecounter=0; foreach $serviceentry (qw(Service TranslatedService)) { $servicecounter=0; if (exists($$rule{$serviceentry})) { my $serviceprefix=''; if ($serviceentry eq 'TranslatedService') { $serviceprefix='Translated'; } my @newservice; my $position; my %protocols; foreach $position (split (/\s+/, $$rule{$serviceentry})) { $position eq '' && next; $position =~ /^(!{0,1})(.*)/; if ($1) { if ($serviceprefix) { die "can't use not in nat destination service description: $position\n$$rule{'Rule'}\n"; } $$rule{"Service-not"}=1; } $position=$2; if (exists($$Services{$position})) { my $service; foreach $service (split (/\s+/, $$Services{$position})) { $service eq '' && next; if ($service =~ /^([\w-]+)\((.*)\)$/) { my $proto=$1; my $param=$2; if ($param eq '') { $param='all'; } if (exists($$Protocols{$proto})) { if ($proto =~ /^\d+$/) { $proto = $$Protocols{$proto}; } } else { die "unknown protocol: $service:\n$$rule{'Rule'}\n"; } $protocols{"$serviceprefix$proto"}.=" $param"; } else { die "invalid service entry: $service:\n$$rule{'Rule'}\n"; } } } else { die "invalid service entry: $position\n"; } } delete $$rule{$serviceentry}; my $proto; foreach $proto (qw(udp tcp)) { if (exists($protocols{"$serviceprefix$proto"})) { my @multisource; my @multidestination; my @sourcerange; my @destinationrange; my @sourcedestination; my %other; my $service; foreach $service (split (/\s+/, $protocols{"$serviceprefix$proto"})) { $service eq '' && next; if ($service =~ /^([^\/]*)\/([^\/]*)$/) { my $range=toRange ($1, $proto, $$rule{'Rule'}); $range.="/".toRange ($2, $proto, $$rule{'Rule'}); $other{$range}=1; } else { die "invalid $proto service: $service:\n$$rule{'Rule'}\n"; } } my $again=0; my $first=1; while ($first || $again) { $first=0; $again=0; LOOP: foreach $service (keys (%other)) { next unless exists($other{$service}); if ($service =~ /^(\d+):(\d+)\/(\d+):(\d+)$/) { my $ss=$1; my $se=$2; my $ds=$3; my $de=$4; if ($ss>$se || $ds>$de) { die "invalid port range: $service:\n$$rule{'Rule'}\n"; } my $test; foreach $test (keys (%other)) { $test eq $service && next; $test =~ /(\d+):(\d+)\/(\d+):(\d+)/; if ( $1 == $ss && $2 == $se ) { if ( $3 >= $ds && $4 <= $de) { delete $other{$test}; $again=1; last LOOP; } if ( $4 == $ds-1 || ($4 >= $ds && $4 <= $de)) { $ds=$3; $de=$4 if $4>$de; delete $other{$service}; delete $other{$test}; $other{"$ss:$se/$ds:$de"}=1; $again=1; last LOOP; } } elsif ( $3 == $ds && $4 == $de ) { if ( $1 >= $ss && $2 <= $se) { delete $other{$test}; $again=1; last LOOP; } if ( $2 == $ss-1 || ($2 >= $ss && $2 <= $se)) { $ss=$1; $se=$2 if $2>$se; delete $other{$service}; delete $other{$test}; $other{"$ss:$se/$ds:$de"}=1; $again=1; last LOOP; } } } } else { die "invalid service entry: $service:\n$$rule{'Rule'}\n"; } } } my $entry; foreach $entry (keys (%other)) { if ($entry =~ /(\d+):(\d+)\/0:65535/) { if ($1 != $2) { push (@sourcerange, "$1:$2"); } else { push (@multisource, $1); } } elsif ($entry =~ /0:65535\/(\d+):(\d+)/) { if ($1 != $2) { push (@destinationrange, "$1:$2"); } else { push (@multidestination, $1); } } else { push (@sourcedestination, $entry); } } if ($serviceprefix eq '') { expandRange (\@sourcerange, \@multisource); expandRange (\@destinationrange, \@multidestination); } $$rule{"$serviceprefix\u$proto"}= [\@multisource, \@multidestination, \@sourcerange, \@destinationrange, \@sourcedestination]; $servicecounter+=@multisource+@multidestination+@sourcerange+@destinationrange+@sourcedestination; delete $protocols{"$serviceprefix$proto"}; } } if ($serviceprefix ne '' && $servicecounter>1) { die "you can specify only one service or service range as nat target:\n$$rule{'Rule'}\n"; } if (exists($$rule{"Service-not"}) && $serviceprefix eq '' && $servicecounter>1) { die "you can specify only one service in not statement:\n$$rule{'Rule'}\n"; } if (exists($protocols{"${serviceprefix}icmp"})) { if ($serviceprefix ne '') { die "can't use icmp nat target:\n$$rule{'Rule'}\n"; } my %icmphash; my $message; foreach $message (split (/\s+/, $protocols{"${serviceprefix}icmp"})) { # message validation missing $message eq '' && next; $icmphash{$message}=1; } my @array = keys (%icmphash); $$rule{"${serviceprefix}ICMP"}=\@array; delete $protocols{"${serviceprefix}icmp"}; } if (exists($protocols{"${serviceprefix}ipv6-icmp"})) { if ($serviceprefix ne '') { die "can't use ipv6-icmp nat target:\n$$rule{'Rule'}\n"; } my %icmp6hash; my $message; foreach $message (split (/\s+/, $protocols{"${serviceprefix}ipv6-icmp"})) { # message validation missing $message eq '' && next; $icmp6hash{$message}=1; } my @array = keys (%icmp6hash); $$rule{"${serviceprefix}ICMP6"}=\@array; delete $protocols{"${serviceprefix}ipv6-icmp"}; } if (keys (%protocols)) { if ($serviceprefix ne '') { die "you can use tcp and udp based nat targets only:\n$$rule{'Rule'}\n"; } my @array = keys (%protocols); $$rule{"${serviceprefix}OtherProtocols"} = \@array; } } } if ( (exists($$rule{'TranslatedTcp'}) && exists($$rule{'Udp'})) || (exists($$rule{'TranslatedUdp'}) && exists($$rule{'Tcp'}))) { die "source protocol and translated protocol must be equal in nat rule:\n$$rule{'Rule'}\n"; } if (exists($$rule{'Flags'})) { my $flag; foreach $flag (split (/\s+/, $$rule{'Flags'})) { $flag eq '' && next; if ($flag =~ /^log(\((.+)\)|)$/) { $$rule{'Log'}=$2; } elsif ($flag =~ /^reject(\((.+)\)|)$/) { if ($$rule{'Table'} eq 'nat') { die "can't use reject with nat:\n$$rule{'Rule'}\n"; } if ($$rule{'Action'} ne 'DROP') { die "rejecting packets in allow rule makes no sense:\n$$rule{'Rule'}\n"; } if ($2) { my $param=$2; if ($param =~ /^(icmp-(net|host|port|proto)-unreachable|icmp-(net|host)-prohibited|tcp-reset)$/) { $$rule{'Reject'}=$param; } else { die "invalid reject parameter: $param:\n$$rule{'Rule'}\n"; } if ($param eq 'tcp-reset') { if (exists($$rule{'OtherProtocols'}) || exists($$rule{'ICMP'}) || exists($$rule{'ICMP6'}) || exists($$rule{'Udp'})) { die "can't use tcp-reset with other protocols than tcp:\n$$rule{'Rule'}\n"; } unless (exists($$rule{'Tcp'})) { die "need tcp protocol for tcp-reset:\n$$rule{'Rule'}\n"; } } } else { $$rule{'Reject'}=1; } } elsif ($flag =~ /^account(\((.+)\)|)$/) { if ($$rule{'Table'} eq 'nat') { die "can't use accounting with nat:\n$$rule{'Rule'}\n"; } if ($$rule{'Action'} eq 'DROP') { die "accounting packets in reject/drop rule makes no sense:\n$$rule{'Rule'}\n"; } if ($2) { my $param=$2; if ($param =~ /^[a-zA-Z0-9]+$/) { $$rule{'Accounting'}=$param; } else { die "invalid character in accountingname '$param':\n$$rule{'Rule'}\n"; } } else { $$rule{'Reject'}='default'; } } elsif ($flag =~ /^limit(\((.*)\)|)$/) { if ($$rule{'Action'} eq 'DROP') { die "limiting packets in reject/drop rule makes no sense:\n$$rule{'Rule'}\n"; } if (exists($$rule{'Accounting'})) { die "limiting packets does not work with accounting in current implementation:\n$$rule{'Rule'}\n"; } if ($2) { my $param=$2; if ($param =~ /^([^:]+)(:\d+|)$/) { if (checkLimit $1) { $$rule{'Limit'}=$1; if ($2) { # no need to check burst since it # is guaranteed to be either empty # or digits only (plus leading colon). # Empty results in other part of if # clause. my $burst=$2; $burst=~s/^://; $$rule{'Limit-burst'}=$burst; } else { $$rule{'Limit-burst'}=$$Sysconfig{'Burst'}; } } else { die "invalid limit '$param':\n$$rule{'Rule'}\n"; } } else { die "invalid limit descriptionb '$param':\n$$rule{'Rule'}\n"; } } else { $$rule{'Limit'}=$$Sysconfig{'Limit'}; $$rule{'Limit-burst'}=$$Sysconfig{'Burst'}; } } else { die "invalid flag: $flag -- $$rule{'Flags'}:\n$$rule{'Rule'}\n"; } } } } } sub genRuleDump { my ($Rules, $Listing, $Sysconfig) = @_; my @partial; my $rule; my %nat; my %filter; my %mangle; my @nat; my @filter; my @mangle; my $table; my $chains; foreach $rule (@$Rules) { my @protocol; my @source; my @destination; my @inputinterface; my @outputinterface; my @physicalinputinterface; my @physicaloutputinterface; my @mark; my $action; my $logaction; my $type; my $name; my $proto; my $id; my $not; if ($$rule{'Table'} eq 'filter') { $table=\@filter; $chains=\%filter; } elsif ($$rule{'Table'} eq 'nat') { $table=\@nat; $chains=\%nat; } elsif ($$rule{'Table'} eq 'mangle') { $table=\@mangle; $chains=\%mangle; } else { die "$$rule{'Table'} is not implemented!\n"; } $type="-A $$rule{'Type'}"; if (exists($$rule{'Name'})) { $name=$$rule{'Name'}; $name=~s/\s+//g; } else { $name="-"; } $id=$$rule{'Id'}; if (exists($$rule{'Reject'})) { if ($$rule{'Reject'} ne '1') { if ($$rule{'Reject'} =~ /tcp/) { $action="-p tcp -m tcp -j REJECT --reject-with $$rule{'Reject'}"; } else { $action="-j REJECT --reject-with $$rule{'Reject'}"; } } else { $action="-j MYREJECT"; } $logaction="REJECT"; } elsif ($$rule{'Action'} eq "TCPMSS") { $action="-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"; $logaction="TCPMSS"; } elsif ($$rule{'Action'} eq "MARK") { $action="-j MARK --set-mark $$rule{'Mark'}"; $logaction="MARK"; } else { $action="-j $$rule{'Action'}"; $logaction=$$rule{'Action'}; } if (exists($$rule{"Service-not"})) { $not='!'; } else { $not=''; } foreach $proto (qw(tcp udp)) { if (exists($$rule{"\u$proto"})) { my $string; my $entry; foreach $entry (qw(0 1)) { my $multiport; my $count=0; foreach $multiport (@{$$rule{"\u$proto"}[$entry]}) { if ($count==0) { $string=''; } $string.="$multiport,"; $count++; if ($count==15) { $string =~ s/,$//; $string="-p $proto -m multiport --".($entry==1?"d":"s")."port ".$string; push (@protocol, $string); $string=''; $count=0; } } if (defined($string) && $count) { $string =~ s/,$//; if ($count > 1) { $string="-p $proto -m multiport --".($entry==1?"d":"s")."port ".$string; } else { $string="-p $proto -m $proto --".($entry==1?"d":"s")."port ".$string; } push (@protocol, $string); } } my $range; foreach $range (@{$$rule{"\u$proto"}[2]}) { push (@protocol, "-p $proto -m $proto $not --sport $range"); } foreach $range (@{$$rule{"\u$proto"}[3]}) { push (@protocol, "-p $proto -m $proto $not --dport $range"); } foreach $range (@{$$rule{"\u$proto"}[4]}) { $range =~ /^(.+)\/(.+)$/; push (@protocol, "-p $proto -m $proto $not --sport $1 $not --dport $2"); } } } if (exists($$rule{'ICMP'}) && (! $ipv6)) { my $type; foreach $type (@{$$rule{'ICMP'}}) { if ($type eq 'all') { push (@protocol, "$not -p icmp"); } else { push (@protocol, "-p icmp -m icmp $not --icmp-type $type"); } } } if (exists($$rule{'ICMP6'}) and ($ipv6)) { my $type; foreach $type (@{$$rule{'ICMP6'}}) { if ($type eq 'all') { push (@protocol, "$not -p icmpv6"); } else { push (@protocol, "-p icmpv6 -m icmpv6 $not --icmpv6-type $type"); } } } if (exists($$rule{'OtherProtocols'})) { my $proto; foreach $proto (@{$$rule{'OtherProtocols'}}) { push (@protocol, "$not -p $proto"); } } if (exists($$rule{'Source'})) { if (exists($$rule{'Source-not'})) { $not='!'; } else { $not=''; } my $source; foreach $source (@{$$rule{'Source'}}) { if ($source =~ /(.+)=(.+)/ && ($$rule{'Table'} eq 'filter')) { push (@source, "$not -s $1 -m mac $not --mac-source $2"); } else { $source =~ /([^=]+)/; push (@source, "$not -s $1"); } } } if (exists($$rule{'Destination'})) { if (exists($$rule{'Destination-not'})) { $not='!'; } else { $not=''; } my $destination; foreach $destination (@{$$rule{'Destination'}}) { $destination =~ /([^=]+)/; push (@destination, "$not -d $1"); } } if (exists($$rule{'TranslatedSource'})) { my $source; $source=${$$rule{'TranslatedSource'}}[0]; $source =~ /([^=]+)/; $source=$1; my $ip = new NetAddr::IP ($source) || die "not a valid network: $source\n"; my $net=$ip->network(); my $bcast = $ip->broadcast(); if ($net ne $bcast) { $source="$net-$bcast"; } $source =~ s/\/[^-]+//g; # $action="-t nat ".$action; $action.=" --to-source $source"; } if (exists($$rule{'TranslatedDestination'})) { my $destination; $destination=${$$rule{'TranslatedDestination'}}[0]; $destination =~ /([^=]+)/; $destination=$1; my $ip = new NetAddr::IP ($destination) || die "not a valid network: $destination\n"; my $net=$ip->network(); my $bcast = $ip->broadcast(); if ($net ne $bcast) { $destination="$net-$bcast"; } $destination =~ s/\/[^-]+//g; # $action="-t nat ".$action; $action.=" --to-destination $destination"; } foreach $proto (qw(tcp udp)) { if (exists($$rule{"Translated\u$proto"})) { my $ref = $$rule{"Translated\u$proto"}; if (defined($$ref[1][0])) { $action.=":$$ref[1][0]"; $action="-p $proto -m $proto ".$action; } if (defined($$ref[3][0])) { $action.=":$$ref[3][0]"; $action="-p $proto -m $proto ".$action; } last; } } if (exists($$rule{'InputInterface'})) { if (exists($$rule{'InputInterface-not'})) { $not='!'; } else { $not=''; } my $input; foreach $input (@{$$rule{'InputInterface'}}) { push (@inputinterface, "$not -i $input"); } } if (exists($$rule{'OutputInterface'})) { if (exists($$rule{'OutputInterface-not'})) { $not='!'; } else { $not=''; } my $output; foreach $output (@{$$rule{'OutputInterface'}}) { push (@outputinterface, "$not -o $output"); } } if (exists($$rule{'PhysicalInputInterface'})) { if (exists($$rule{'PhysicalInputInterface-not'})) { $not='!'; } else { $not=''; } my $input; foreach $input (@{$$rule{'PhysicalInputInterface'}}) { push (@physicalinputinterface, "-m physdev $not --physdev-in $input"); } } if (exists($$rule{'PhysicalOutputInterface'})) { if (exists($$rule{'PhysicalOutputInterface-not'})) { $not='!'; } else { $not=''; } my $output; foreach $output (@{$$rule{'PhysicalOutputInterface'}}) { push (@physicaloutputinterface, "-m physdev $not --physdev-out $output"); } } if (exists($$rule{'MarkMatch'})) { my $mark; foreach $mark (@{$$rule{'MarkMatch'}}) { push (@mark, "-m mark --mark $mark"); } } if (exists($$rule{'Log'})) { my $chain = "${id}$$rule{'Action'}log"; $$chains{$chain}=1; my $logid; if ($$rule{'Log'}) { $logid=$$rule{'Log'}; } else { $logid=$name; } push (@$table, "-A $chain -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} $logaction ($logid): \" --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options"); push (@$table, "-A $chain $action"); $action="-j $chain"; } if (exists($$rule{'Accounting'})) { my $accountchain="$$Sysconfig{'AccountPrefix'}$$rule{'Accounting'}"; unless (exists($$chains{"$accountchain"})) { $$chains{"$accountchain"}=1; push (@$table, "-A $accountchain $action"); } my $accountrules="${id}_ACCOUNTING_$$rule{'Accounting'}"; $$chains{$accountrules}=1; push (@$table, "$type -j $accountrules"); push (@$table, "-A ACCOUNTING$$rule{'Type'} -j $accountrules"); $type="-A $accountrules "; $action=" -j $accountchain"; } if (exists($$rule{'Limit'})) { $action=" -m limit --limit $$rule{'Limit'} --limit-burst $$rule{'Limit-burst'} $action"; } my @rulearray = (\@inputinterface, \@outputinterface, \@physicalinputinterface, \@physicaloutputinterface, \@protocol, \@source, \@destination, \@mark); my $level=1; my $again=1; while ($again) { @partial = (); $again=0; my $array; # adjust if you have many entries... my $depth=0xFFFF; foreach $array (@rulearray) { if (@$array && $depth>@$array) { $depth=@$array; } } foreach $array (@rulearray) { if (@$array==$depth) { my $i; for ($i=0; $i<@$array; $i++) { $partial[$i].=" $$array[$i]"; } @$array = (); if ($depth != 1) { last; } } } foreach $array (@rulearray) { if (@$array) { $again=1; last; } } my $jumpto; if ($again) { $jumpto="-j ${id}_$level"; } else { $jumpto=$action; } if (@partial) { my $newjumpto; my $part; foreach $part (@partial) { $newjumpto=$jumpto; if ($part =~ /-p (udp|tcp)/ && $jumpto =~ /-p (udp|tcp)/) { $newjumpto =~ s/-p (udp|tcp) -m (udp|tcp)//; } push (@$table, $type." $part $newjumpto"); } } else { push (@$table, "$type $jumpto"); } if ($again) { $type="-A ${id}_$level"; $$chains{"${id}_$level"}=1; $level++; } } } my $entry; foreach $entry (qw(mangle filter nat)) { if ($entry eq "nat" && $ipv6 == 1) {next}; my $chain; push (@$Listing, "*$entry"); if ($entry eq 'filter') { $table=\@filter; $chains=\%filter; push (@$Listing, ":MYREJECT - [0:0]"); push (@$Listing, ":STATENOTNEW - [0:0]"); foreach (qw(INPUT OUTPUT FORWARD)) { push (@$Listing, ":ACCOUNTING$_ - [0:0]"); push (@$Listing, ":ACCOUNTINGSTATELESS$_ - [0:0]"); push (@$Listing, ":STATE$_ - [0:0]"); push (@$Listing, ":STATELESS$_ - [0:0]"); push (@$Listing, ":$_ DROP [0:0]"); push (@$Listing, "-A $_ -j STATE$_"); push (@$Listing, "-A STATE$_ -m state --state INVALID -j STATELESS$_"); push (@$Listing, "-A STATE$_ -j ACCOUNTING$_"); push (@$Listing, "-A STATE$_ -m state --state ESTABLISHED,RELATED -j ACCEPT"); if ($ipv6) { push (@$Listing, "-A STATE$_ ! -p ipv6-icmp -m state ! --state NEW -j STATENOTNEW"); } else { push (@$Listing, "-A STATE$_ -m state ! --state NEW -j STATENOTNEW"); } push (@$Listing, "-A STATELESS$_ -j ACCOUNTINGSTATELESS$_"); } push (@$Listing, "-A STATENOTNEW -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} STATE NOT NEW: \" --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options"); push (@$Listing, "-A STATENOTNEW -j DROP"); push (@$Listing, "-A MYREJECT -m tcp -p tcp -j REJECT --reject-with tcp-reset"); if ($ipv6) { push (@$Listing, "-A MYREJECT -j REJECT --reject-with icmp6-port-unreachable"); } else { push (@$Listing, "-A MYREJECT -j REJECT --reject-with icmp-port-unreachable"); } } elsif ($entry eq 'nat') { $table=\@nat; $chains=\%nat; foreach (qw(POSTROUTING PREROUTING OUTPUT)) { push (@$Listing, ":$_ ACCEPT [0:0]"); } } else { $table=\@mangle; $chains=\%mangle; foreach (qw(PREROUTING OUTPUT)) { push (@$Listing, ":$_ ACCEPT [0:0]"); } } foreach (keys(%$chains)) { push (@$Listing, ":$_ - [0:0]"); } push (@$Listing, "#"); push (@$Listing, "# beginning of user generated $entry rules"); push (@$Listing, "#"); foreach (@$table) { push (@$Listing, $_); } push (@$Listing, "#"); push (@$Listing, "# end of user generated $entry rules"); push (@$Listing, "#"); if ($entry eq 'filter') { foreach (qw(INPUT OUTPUT FORWARD)) { push (@$Listing, "-A STATELESS$_ -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} INVALID STATE: \" --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options"); push (@$Listing, "-A STATELESS$_ -j DROP"); } } push (@$Listing, "COMMIT"); } } sub printRules { my ($Listing) = @_; @$Listing=map { $_."\n" } @$Listing; print @$Listing; } sub signalCatcher { $SignalCatched=1; } sub applyRules { my ($timeout, $Listing) = @_; my @oldrules; my $error; @$Listing=map { $_."\n" } @$Listing; if ($ipv6) { open (IPT, '/sbin/ip6tables-save|'); } else { open (IPT, '/sbin/iptables-save|'); } @oldrules = ; close (IPT); $SIG{'INT'} = 'signalCatcher'; $SIG{'KILL'} = 'signalCatcher'; $SIG{'QUIT'} = 'signalCatcher'; $SIG{'TERM'} = 'signalCatcher'; if ($ipv6) { open (IPT, '|/sbin/ip6tables-restore'); } else { open (IPT, '|/sbin/iptables-restore'); } print IPT @$Listing; close (IPT); $error=$?; if ($timeout && !$error) { sleep $timeout; } if ($timeout || $SignalCatched || $error) { if ($ipv6) { open (IPT, '|/sbin/ip6tables-restore'); } else { open (IPT, '|/sbin/iptables-restore'); } print IPT @oldrules; close (IPT); if ($SignalCatched) { die "aborted. old rules restored.\n"; } elsif ($error) { die "error in generated rules\n"; } } } sub readCommandLine { my %Networks; my %Services; my %Protocols; my %Interfaces; my %Sysconfig; my %Marker; my @Rules; my @Listing; my $test=0; my $print=0; my $disable=0; my $writeconfigfile; my $writeldapruleset; my $ldap; my $readldap=0; my $writeldap=0; my $mesg; my $ldapbase='o=unconfigured'; my $ldapserver='localhost:389'; my $ldapruleset='std'; my $ldapbinddn; my $ldappassword; my $timeout=0; if (exists($ENV{'LOGLIMIT'})) { $Sysconfig{'LogLimit'}=$ENV{'LOGLIMIT'}; } else { $Sysconfig{'LogLimit'}='20/minute'; } if (exists($ENV{'LOGBURST'})) { $Sysconfig{'LogBurst'}=$ENV{'LOGBURST'}; } else { $Sysconfig{'LogBurst'}='5'; } if (exists($ENV{'LOGLEVEL'})) { $Sysconfig{'LogLevel'}=$ENV{'LOGLEVEL'}; } else { $Sysconfig{'LogLevel'}='debug'; } if (exists($ENV{'LOGPREFIX'})) { $Sysconfig{'LogPrefix'}=$ENV{'LOGPREFIX'}; } else { $Sysconfig{'LogPrefix'}='FW'; } if (exists($ENV{'LIMIT'})) { $Sysconfig{'Limit'}=$ENV{'LIMIT'}; } else { $Sysconfig{'Limit'}='20/minute'; } if (exists($ENV{'BURST'})) { $Sysconfig{'Burst'}=$ENV{'BURST'}; } else { $Sysconfig{'Burst'}='5'; } if (exists($ENV{'ACCOUNTPREFIX'})) { $Sysconfig{'AccountPrefix'}=$ENV{'ACCOUNTPREFIX'}; } else { $Sysconfig{'AccountPrefix'}='ACC_'; } my %opt; getopts('6c:tpds:b:r:T:C:R:D:w:W', \%opt) || uifUsg (); $ipv6 = 1 if $opt{'6'}; $configfile=$configfile6 if $opt{'6'}; $configfile = $opt{'c'} if $opt{'c'}; $test = 1 if $opt{'t'}; $print = 1 if $opt{'p'}; $disable = 1 if $opt{'d'}; if ($opt{'T'}) { if ($opt{'T'} =~ /^(\d+)$/) { $timeout=$1; } else { die "timeout must be numeric: $opt{'T'}\n"; uifUsg (); } } if ($opt{'s'}) { $ldapserver=$opt{'s'}; } if ($opt{'b'}) { $ldapbase=$opt{'b'}; } if ($opt{'r'}) { $readldap=1; $ldapruleset=$opt{'r'}; } if ($opt{'C'}) { $ldap=1; $writeconfigfile=$opt{'C'}; } if ($opt{'R'}) { $writeldap=1; $writeldapruleset=$opt{'R'}; } if ($opt{'D'}) { $ldapbinddn=$opt{'D'}; } if ($opt{'w'}) { $ldappassword=$opt{'w'}; } if ($opt{'W'}) { print "password: "; $ldappassword=; chomp($ldappassword); } if ($ipv6) { if (exists($ENV{'LOGPREFIX6'})) { $Sysconfig{'LogPrefix'}=$ENV{'LOGPREFIX6'}; } else { $Sysconfig{'LogPrefix'}='FW6'; } } if ($readldap || $writeldap) { if ($LDAPENABLED == 0) { die "To use LDAP fatures be sure to install Net::LDAP from debain package libnet-ldap-perl" } ; $ldap = Net::LDAP->new($ldapserver) or die "$@"; if ($ldapbinddn && ($ldappassword eq "")) { $mesg=$ldap->bind( $ldapbinddn); } elsif ($ldapbinddn && $ldappassword) { $mesg=$ldap->bind( $ldapbinddn, password => $ldappassword); } else { $mesg=$ldap->bind; } if ($mesg->is_error) { die "can't bind to ldap server: ".$mesg->error."\n"; uifUsg (); } } unless ($disable) { if ($readldap) { readLdap ($ldap, $ldapbase, $ldapruleset, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker); } else { my $Id=0; readConfig ($configfile, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \$Id, \%Sysconfig, \%Marker); } if ($writeconfigfile) { writeConfig ($writeconfigfile, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker); exit 0; } elsif ($writeldap) { writeLdap ($ldap, $ldapbase, $writeldapruleset, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker); exit 0; } else { validateData (\%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker); genRuleDump (\@Rules, \@Listing, \%Sysconfig); } } else { clearAllRules (\@Listing); } if ($print) { printRules (\@Listing); } if ($test==0) { applyRules ($timeout, \@Listing); } } sub clearAllRules { my ($Listing) = @_; push (@$Listing,"*mangle"); push (@$Listing, ":PREROUTING ACCEPT [0:0]"); push (@$Listing, ":OUTPUT ACCEPT [0:0]"); push (@$Listing, "COMMIT"); if ($ipv6) {} else { push (@$Listing, "*nat"); push (@$Listing, ":PREROUTING ACCEPT [0:0]"); push (@$Listing, ":POSTROUTING ACCEPT [0:0]"); push (@$Listing, ":OUTPUT ACCEPT [0:0]"); push (@$Listing, "COMMIT"); } push (@$Listing, "*filter"); push (@$Listing, ":INPUT ACCEPT [0:0]"); push (@$Listing, ":OUTPUT ACCEPT [0:0]"); push (@$Listing, ":FORWARD ACCEPT [0:0]"); push (@$Listing, "COMMIT"); } sub uifUsg { print "usage: $0 [-6] [-c configfile] [-t] [-p] [-d] [-s server] [-b base] [-r ruleset] [-R ruleset] [-D ] [-W] [-w ] [-T time] [-C configfile]\n"; print "-6 ipv6 mode default config $configfile6\n"; print "-c read instead of $configfile (or in ipv6 mode $configfile6)\n"; print "-t test rules\n"; print "-p print rules to stdout\n"; print "-d disable firewall (clear all rules)\n"; print "-s LDAP-server (default: localhost)\n"; print "-b LDAP-base\n"; print "-r LDAP ruleset\n"; print "-T apply new rules and restore old rules after