From 1494acc6763914e0d4280f84718e5e5ded695efc Mon Sep 17 00:00:00 2001 
From: Florian Schaal Date: Fri, 19 Mar 2021 06:51:31 +0100 Subject: [PATCH 1/6] use placeholders for the firewall (#6112) --- .../sql/incremental/upd_dev_collection.sql | 2 + install/sql/ispconfig3.sql | 1 + ...plugin_server_firewall_placeholder.inc.php | 118 ++++++++++++ .../lib/classes/validate_firewall.inc.php | 65 +++++++ interface/web/admin/firewall_edit.php | 1 - interface/web/admin/form/firewall.tform.php | 28 +-- .../web/admin/form/server_config.tform.php | 14 ++ .../web/admin/lib/lang/ar_server_config.lng | 1 + .../web/admin/lib/lang/bg_server_config.lng | 1 + .../web/admin/lib/lang/br_server_config.lng | 1 + .../web/admin/lib/lang/ca_server_config.lng | 1 + .../web/admin/lib/lang/cz_server_config.lng | 1 + .../web/admin/lib/lang/de_server_config.lng | 1 + .../web/admin/lib/lang/dk_server_config.lng | 1 + .../web/admin/lib/lang/el_server_config.lng | 1 + .../web/admin/lib/lang/en_server_config.lng | 1 + .../web/admin/lib/lang/es_server_config.lng | 1 + .../web/admin/lib/lang/fi_server_config.lng | 1 + .../web/admin/lib/lang/fr_server_config.lng | 1 + .../web/admin/lib/lang/hr_server_config.lng | 1 + .../web/admin/lib/lang/hu_server_config.lng | 1 + .../web/admin/lib/lang/id_server_config.lng | 1 + .../web/admin/lib/lang/it_server_config.lng | 1 + .../web/admin/lib/lang/ja_server_config.lng | 1 + .../web/admin/lib/lang/nl_server_config.lng | 1 + .../web/admin/lib/lang/pl_server_config.lng | 1 + .../web/admin/lib/lang/pt_server_config.lng | 1 + .../web/admin/lib/lang/ro_server_config.lng | 1 + .../web/admin/lib/lang/ru_server_config.lng | 1 + .../web/admin/lib/lang/se_server_config.lng | 1 + .../web/admin/lib/lang/sk_server_config.lng | 1 + .../web/admin/lib/lang/tr_server_config.lng | 1 + .../web/admin/templates/firewall_edit.htm | 57 +++--- .../web/admin/templates/firewall_list.htm | 98 +++++----- .../server_config_firewall_placeholder.htm | 8 + ...erver_config_firewall_placeholder_edit.htm | 6 + .../plugins-available/firewall_plugin.inc.php | 168 
+++++++++++++----- 37 files changed, 457 insertions(+), 134 deletions(-) create mode 100755 interface/lib/classes/plugin_server_firewall_placeholder.inc.php create mode 100755 interface/lib/classes/validate_firewall.inc.php create mode 100644 interface/web/admin/templates/server_config_firewall_placeholder.htm create mode 100644 interface/web/admin/templates/server_config_firewall_placeholder_edit.htm diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index e69de29bb2..cff669653f 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -0,0 +1,2 @@ +ALTER TABLE `server` +ADD `firewall_placeholder` TINYTEXT NOT NULL DEFAULT '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080],CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}'; diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index 006beb6b53..039ba11401 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -1367,6 +1367,7 @@ CREATE TABLE `server` ( `mirror_server_id` int(11) unsigned NOT NULL default '0', `dbversion` int(11) unsigned NOT NULL default '1', `active` tinyint(1) NOT NULL default '1', + `firewall_placeholder` TINYTEXT NOT NULL DEFAULT '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080],CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}', PRIMARY KEY (`server_id`) ) DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ; diff --git a/interface/lib/classes/plugin_server_firewall_placeholder.inc.php b/interface/lib/classes/plugin_server_firewall_placeholder.inc.php new file mode 100755 index 0000000000..b2627f6488 --- /dev/null +++ b/interface/lib/classes/plugin_server_firewall_placeholder.inc.php 
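Review bot: The default JSON on the `ADD `firewall_placeholder`` line is malformed: the opening quote before `CUSTOM_TCP` is missing (`...[8080],CUSTOM_TCP":[""],...`), so `json_decode()` of the stored default returns null and every new reader in this patch (`onShow`, `onUpdate`, `check_firewall`) iterates the result without a null check. The same string is repeated in the `ispconfig3.sql` hunk and needs the same fix: `"ISPCONFIG":[8080],"CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}`. TINYTEXT also caps the column at 255 bytes while the default alone is roughly 170, so an admin adding a handful of custom ports or ranges will hit truncation (or a strict-mode error) and end up with invalid JSON again; `TEXT` would be the safer column type.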
@@ -0,0 +1,118 @@ +newTemplate('templates/server_config_firewall_placeholder_edit.htm'); + + //* Get the data + $temp = $app->db->queryOneRecord('SELECT `firewall_placeholder` FROM `server` WHERE `server_id` = ?', $this->form->id); + $data = json_decode($temp['firewall_placeholder'], true); + foreach($data as $idx=>$val) { + $records[$idx] = implode(',',$val); + } + if(is_array($records)) { + foreach($records as $service=>$ports) { + $rec['service'] = $app->functions->htmlentities($service); + $rec['ports'] = $ports; + $records_new[] = $rec; + } + } + $listTpl->setLoop('records',@$records_new); + $listTpl->setVar('parent_id',$this->form->id); + + + // Setting Returnto information in the session + $list_name = 'server_firewall_placeholder'; + $_SESSION['s']['list'][$list_name]['parent_id'] = $this->form->id; + $_SESSION['s']['list'][$list_name]['parent_name'] = $app->tform->formDef['name']; + $_SESSION['s']['list'][$list_name]['parent_tab'] = $_SESSION['s']['form']['tab']; + $_SESSION['s']['list'][$list_name]['parent_script'] = $app->tform->formDef['action']; + $_SESSION['s']['form']["return_to"] = $list_name; + return $listTpl->grab(); + } + + function onUpdate() { + global $app; + + $dataRecord = $this->form->dataRecord; + $server_id = intval($dataRecord['id']); + $temp = $app->db->queryOneRecord('SELECT `firewall_placeholder` FROM `server` WHERE `server_id` = ?', $server_id); + $data = json_decode($temp['firewall_placeholder'], true); + $update = false; + $error = ''; + foreach($data as $idx=>$val) { + //* validate updates + if($dataRecord[$idx] != implode(',',$val)) { + $check = explode(',',$dataRecord[$idx]); + foreach($check as $_idx=>$validate) { + $validate = trim($validate); + if($validate != '') { + if(!preg_match('/^\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*$/', $validate)) { + $error .= "Invalide value $validate for $idx
"; + } else { + $dataRecord[$_idx] = $validate; + } + } + } + $data[$idx] = explode(',',$dataRecord[$_idx]); + $update = true; + } + } + + if($error != '') { + $app->error($error); + } + + if($update) { + $app->db->query('UPDATE `server` SET `firewall_placeholder` = ? WHERE `server_id` = ?', json_encode($data), $server_id); + $firewall = $app->db->queryOneRecord('SELECT * FROM `firewall` WHERE `server_id` = ? AND `active` = ?', $server_id, 'y'); + if($firewall) { + $app->db->datalogUpdate('firewall', $firewall, 'firewall_id', $firewall['firewall_id'], true); + } + } + + } + +} + diff --git a/interface/lib/classes/validate_firewall.inc.php b/interface/lib/classes/validate_firewall.inc.php new file mode 100755 index 0000000000..f9aed6a077 --- /dev/null +++ b/interface/lib/classes/validate_firewall.inc.php @@ -0,0 +1,65 @@ +tform->wordbook[$errmsg])) { + return $app->tform->wordbook[$errmsg]."
\r\n"; + } else { + return $errmsg."
\r\n"; + } + } + + function check_firewall($field_name, $field_value, $validator) { + global $app; + + $temp = $app->db->queryOneRecord('SELECT firewall_placeholder FROM server WHERE server_id = ?', intval($_POST['server_id'])); + $records = json_decode($temp['firewall_placeholder'], true); + foreach($records as $idx=>$val) $placeholder[] = '{'.$idx.'}'; + $placeholder[] = '{AUTO}'; + + if($field_value != '') { +// print_R($placeholder); + $temp = str_replace($placeholder, '', $field_value); + $ports = explode(',', $temp); + $ports = array_filter($ports, function($value) { return !is_null($value) && $value !== ''; }); + if(!empty($ports)) { + $regex = '/^\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*$/'; + if(!preg_match($regex, implode(',', $ports))) return $this->get_error($validator['errmsg']); + } + } + } + +} + diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php index 01cad2b815..23008b4b12 100644 --- a/interface/web/admin/firewall_edit.php +++ b/interface/web/admin/firewall_edit.php @@ -64,7 +64,6 @@ class page_action extends tform_actions { parent::onShowEnd(); } - function onBeforeUpdate() { global $app, $conf; diff --git a/interface/web/admin/form/firewall.tform.php b/interface/web/admin/form/firewall.tform.php index eb7dcb3acf..9170af7290 100644 --- a/interface/web/admin/form/firewall.tform.php +++ b/interface/web/admin/form/firewall.tform.php 
@@ -75,11 +75,15 @@ $form["tabs"]['firewall'] = array ( 'tcp_port' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', - 'validators' => array ( 0 => array ( 'type' => 'REGEX', - 'regex' => '/^$|\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*$/', - 'errmsg'=> 'tcp_ports_error_regex'), - ), - 'default' => '20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000', + 'validators' => array ( + 0 => array ( + 'type' => 'CUSTOM', + 'class' => 'validate_firewall', + 'function' => 'check_firewall', + 'errmsg'=> 'tcp_ports_error_regex' + ) + ), + 'default' => '{AUTO}', 'value' => '', 'width' => '30', 'maxlength' => '255' @@ -87,11 +91,15 @@ $form["tabs"]['firewall'] = array ( 'udp_port' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', - 'validators' => array ( 0 => array ( 'type' => 'REGEX', - 'regex' => '/^$|\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*$/', - 'errmsg'=> 'udp_ports_error_regex'), - ), - 'default' => '53,3306', + 'validators' => array ( + 0 => array ( + 'type' => 'CUSTOM', + 'class' => 'validate_firewall', + 'function' => 'check_firewall', + 'errmsg'=> 'udp_ports_error_regex' + ) + ), + 'default' => '{AUTO}', 'value' => '', 'width' => '30', 'maxlength' => '255' diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php index 1818b2ef3b..17fd55b693 100644 --- a/interface/web/admin/form/server_config.tform.php +++ b/interface/web/admin/form/server_config.tform.php 
@@ -2072,6 +2072,20 @@ $form["tabs"]['rescue'] = array( //################################# ) ); +$form['tabs']['firewall_placeholder'] = array( + 'title' => 'firewall_placeholder', + 'width' => 80, + 'template' => 'templates/server_config_firewall_placeholder.htm', + 'readonly' => false, + 'plugins' => array ( + 'placeholder_records' => array ( + 'class' => 'plugin_server_firewall_placeholder', + 'options' => array( + ) + ) + ) +); + /*$mail_config = $app->getconf->get_server_config($conf['server_id'], 'mail'); if(!isset($mail_config['rspamd_available']) || $mail_config['rspamd_available'] != 'y') { diff --git a/interface/web/admin/lib/lang/ar_server_config.lng b/interface/web/admin/lib/lang/ar_server_config.lng index b95b3567e6..d286780a9e 100644 --- a/interface/web/admin/lib/lang/ar_server_config.lng +++ b/interface/web/admin/lib/lang/ar_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/bg_server_config.lng b/interface/web/admin/lib/lang/bg_server_config.lng index fcd34e7292..c285fa53bc 100644 --- a/interface/web/admin/lib/lang/bg_server_config.lng +++ b/interface/web/admin/lib/lang/bg_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/br_server_config.lng b/interface/web/admin/lib/lang/br_server_config.lng index 0e8d43ca8e..1b0698ab54 100644 --- a/interface/web/admin/lib/lang/br_server_config.lng +++ b/interface/web/admin/lib/lang/br_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Usar links físicos é inseguro, mas eco $wb['jailkit_hardlinks_allow_txt'] = 'Permitir links físicos enjaulados'; $wb['jailkit_hardlinks_no_txt'] = 'Não, remover arquivos de links físicos'; $wb['jailkit_hardlinks_yes_txt'] = 'Sim, usar links físicos quando possível'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/ca_server_config.lng b/interface/web/admin/lib/lang/ca_server_config.lng index 2e02e31c6b..2db6809592 100644 --- a/interface/web/admin/lib/lang/ca_server_config.lng +++ b/interface/web/admin/lib/lang/ca_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/cz_server_config.lng b/interface/web/admin/lib/lang/cz_server_config.lng index 633db75fbd..534cc1f15e 100644 --- a/interface/web/admin/lib/lang/cz_server_config.lng +++ b/interface/web/admin/lib/lang/cz_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'Ne, odstranit soubory s pevným odkazem'; $wb['jailkit_hardlinks_yes_txt'] = 'Ano, pokud je to možné, použijte pevné odkazy'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/de_server_config.lng b/interface/web/admin/lib/lang/de_server_config.lng index e287b9a622..e8fb52680f 100644 --- a/interface/web/admin/lib/lang/de_server_config.lng +++ b/interface/web/admin/lib/lang/de_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/dk_server_config.lng b/interface/web/admin/lib/lang/dk_server_config.lng index 77a29251d5..b7c93665b7 100644 --- a/interface/web/admin/lib/lang/dk_server_config.lng +++ b/interface/web/admin/lib/lang/dk_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/el_server_config.lng b/interface/web/admin/lib/lang/el_server_config.lng index 0913624503..b16a3dd662 100644 --- a/interface/web/admin/lib/lang/el_server_config.lng +++ b/interface/web/admin/lib/lang/el_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng index 3df6f02dfb..1a1d0e6b28 100644 --- a/interface/web/admin/lib/lang/en_server_config.lng +++ b/interface/web/admin/lib/lang/en_server_config.lng @@ -332,3 +332,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/es_server_config.lng b/interface/web/admin/lib/lang/es_server_config.lng index fadf3180c0..ab0ac1504c 100644 --- a/interface/web/admin/lib/lang/es_server_config.lng +++ b/interface/web/admin/lib/lang/es_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/fi_server_config.lng b/interface/web/admin/lib/lang/fi_server_config.lng index ec974d3249..f8d77d895d 100644 --- a/interface/web/admin/lib/lang/fi_server_config.lng +++ b/interface/web/admin/lib/lang/fi_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/fr_server_config.lng b/interface/web/admin/lib/lang/fr_server_config.lng index a413c4214d..4b945f050b 100644 --- a/interface/web/admin/lib/lang/fr_server_config.lng +++ b/interface/web/admin/lib/lang/fr_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/hr_server_config.lng b/interface/web/admin/lib/lang/hr_server_config.lng index 4eb3574d45..4569be2c6a 100644 --- a/interface/web/admin/lib/lang/hr_server_config.lng +++ b/interface/web/admin/lib/lang/hr_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/hu_server_config.lng b/interface/web/admin/lib/lang/hu_server_config.lng index 73f0181f3d..910a0b7b35 100644 --- a/interface/web/admin/lib/lang/hu_server_config.lng +++ b/interface/web/admin/lib/lang/hu_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/id_server_config.lng b/interface/web/admin/lib/lang/id_server_config.lng index 3555ba3288..f1c9a3dbe0 100644 --- a/interface/web/admin/lib/lang/id_server_config.lng +++ b/interface/web/admin/lib/lang/id_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/it_server_config.lng b/interface/web/admin/lib/lang/it_server_config.lng index 39b7161ddf..a5706531eb 100644 --- a/interface/web/admin/lib/lang/it_server_config.lng +++ b/interface/web/admin/lib/lang/it_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/ja_server_config.lng b/interface/web/admin/lib/lang/ja_server_config.lng index a50922639c..fbee8a11ad 100644 --- a/interface/web/admin/lib/lang/ja_server_config.lng +++ b/interface/web/admin/lib/lang/ja_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/nl_server_config.lng b/interface/web/admin/lib/lang/nl_server_config.lng index 9ef50bb6c1..1f74b8b0f6 100644 --- a/interface/web/admin/lib/lang/nl_server_config.lng +++ b/interface/web/admin/lib/lang/nl_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/pl_server_config.lng b/interface/web/admin/lib/lang/pl_server_config.lng index af839bb2e3..9eec1d3c78 100644 --- a/interface/web/admin/lib/lang/pl_server_config.lng +++ b/interface/web/admin/lib/lang/pl_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/pt_server_config.lng b/interface/web/admin/lib/lang/pt_server_config.lng index 6b581c8593..da9f5bc9b2 100644 --- a/interface/web/admin/lib/lang/pt_server_config.lng +++ b/interface/web/admin/lib/lang/pt_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/ro_server_config.lng b/interface/web/admin/lib/lang/ro_server_config.lng index e15c99fb67..1f17aef2e1 100644 --- a/interface/web/admin/lib/lang/ro_server_config.lng +++ b/interface/web/admin/lib/lang/ro_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/ru_server_config.lng b/interface/web/admin/lib/lang/ru_server_config.lng index 3465d2120d..0b3bb2c44f 100644 --- a/interface/web/admin/lib/lang/ru_server_config.lng +++ b/interface/web/admin/lib/lang/ru_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/se_server_config.lng b/interface/web/admin/lib/lang/se_server_config.lng index 9bbbcc80ac..f273f51214 100644 --- a/interface/web/admin/lib/lang/se_server_config.lng +++ b/interface/web/admin/lib/lang/se_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; 
diff --git a/interface/web/admin/lib/lang/sk_server_config.lng b/interface/web/admin/lib/lang/sk_server_config.lng index 1b96cf57ad..6160565a02 100644 --- a/interface/web/admin/lib/lang/sk_server_config.lng +++ b/interface/web/admin/lib/lang/sk_server_config.lng @@ -326,3 +326,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/lib/lang/tr_server_config.lng b/interface/web/admin/lib/lang/tr_server_config.lng index 84210ce9b8..c5f376f78f 100644 --- a/interface/web/admin/lib/lang/tr_server_config.lng +++ b/interface/web/admin/lib/lang/tr_server_config.lng @@ -320,3 +320,4 @@ $wb['tooltip_jailkit_hardlinks_txt'] = 'Using hardlinks is insecure, but saves d $wb['jailkit_hardlinks_allow_txt'] = 'Allow hardlinks within the jail'; $wb['jailkit_hardlinks_no_txt'] = 'No, remove hardlinked files'; $wb['jailkit_hardlinks_yes_txt'] = 'Yes, use hardlinks if possible'; +$wb['firewall_placeholder'] = 'Firewall Placeholder'; diff --git a/interface/web/admin/templates/firewall_edit.htm b/interface/web/admin/templates/firewall_edit.htm index 07fe3d0ff5..bb5b0d921e 100644 --- a/interface/web/admin/templates/firewall_edit.htm +++ b/interface/web/admin/templates/firewall_edit.htm @@ -1,26 +1,33 @@ -
- -
-
-
- -
-
- -
-
- -
- {tmpl_var name='active'} -
-
- - - + +

+ +
+ +
+
+ + +
-
- - -
+
+ +
+ Firewall UDP: {AUTO}, {DNS}, {CUSTOM_UDP},
+
+
+
+ +
{tmpl_var name='active'}
+
+ + + + +
+ + +
diff --git a/interface/web/admin/templates/firewall_list.htm b/interface/web/admin/templates/firewall_list.htm index b40414a5da..fb89fc0e80 100644 --- a/interface/web/admin/templates/firewall_list.htm +++ b/interface/web/admin/templates/firewall_list.htm @@ -2,61 +2,47 @@

- - -

{tmpl_var name="toolsarea_head_txt"}

- - - - - - -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{tmpl_var name='search_limit'}
- -
{tmpl_var name="active"}{tmpl_var name="server_id"}{tmpl_var name="tcp_port"}{tmpl_var name="udp_port"} - -
{tmpl_var name='globalsearch_noresults_text_txt'}
+

{tmpl_var name="toolsarea_head_txt"}

+ +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
{tmpl_var name='search_limit'}
+ +
{tmpl_var name="active"}{tmpl_var name="server_id"}{tmpl_var name="tcp_port"}{tmpl_var name="udp_port"} + +
{tmpl_var name='globalsearch_noresults_text_txt'}
- \ No newline at end of file + diff --git a/interface/web/admin/templates/server_config_firewall_placeholder.htm b/interface/web/admin/templates/server_config_firewall_placeholder.htm new file mode 100644 index 0000000000..df72723513 --- /dev/null +++ b/interface/web/admin/templates/server_config_firewall_placeholder.htm @@ -0,0 +1,8 @@ +

{tmpl_var name='server_name'}

+ {tmpl_var name='placeholder_records'} + +
+ + +
+ diff --git a/interface/web/admin/templates/server_config_firewall_placeholder_edit.htm b/interface/web/admin/templates/server_config_firewall_placeholder_edit.htm new file mode 100644 index 0000000000..9602975452 --- /dev/null +++ b/interface/web/admin/templates/server_config_firewall_placeholder_edit.htm @@ -0,0 +1,6 @@ + +
+ +
+
+
diff --git a/server/plugins-available/firewall_plugin.inc.php b/server/plugins-available/firewall_plugin.inc.php index b924f43a26..5f1a4c7a04 100644 --- a/server/plugins-available/firewall_plugin.inc.php +++ b/server/plugins-available/firewall_plugin.inc.php @@ -106,19 +106,13 @@ class firewall_plugin { private function ufw_update($event_name, $data) { global $app, $conf; - $app->uses('system'); - if(!$app->system->is_installed('ufw')) { $app->log('UFW Firewall is not installed', LOGLEVEL_WARN); return false; } - exec('ufw --version', $out); - $parts = explode(' ', $out[0]); - $ufwversion = $parts[1]; - unset($parts); - unset($out); - + $app->system->exec_safe('ufw --version'); + $ufwversion = explode(' ', $app->system->last_exec_out()[0])[1]; if(version_compare( $ufwversion , '0.30') < 0) { $app->log('The installed UFW Firewall version is too old. Minimum required version 0.30', LOGLEVEL_WARN); return false; 
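Review bot: `explode(' ', $app->system->last_exec_out()[0])[1]` has no guard for an empty or unexpected `ufw --version` output: if the command fails or prints nothing, the `[0]` and `[1]` accesses raise notices, `$ufwversion` is null, and `version_compare(null, '0.30') < 0` is true, so the plugin bails out with the misleading "version is too old" log instead of reporting the real failure. Capture the output first and check it, e.g. `$out = $app->system->last_exec_out(); if(empty($out[0]) || !preg_match('/^ufw\s+(\S+)/', $out[0], $m)) { $app->log('Could not determine UFW version', LOGLEVEL_WARN); return false; }` and then `$ufwversion = $m[1];`. The old code had the same unguarded `$out[0]` access, so this is pre-existing, but the rewrite is the natural place to fix it.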
@@ -126,21 +120,49 @@ class firewall_plugin { //* Basic firewall setup when the firewall is added the first time if($event_name == 'firewall_insert') { - exec('ufw --force disable'); - exec('ufw --force reset'); - exec('ufw default deny incoming'); - exec('ufw default allow outgoing'); + $app->system->exec_safe('ufw --force disable'); + $app->system->exec_safe('ufw --force reset'); + $app->system->exec_safe('ufw default deny incoming'); + $app->system->exec_safe('ufw default allow outgoing'); } + $data = $this->placeholder($data); + $tcp_ports_new = $this->clean_ports($data['new']['tcp_port'], ','); - $tcp_ports_old = $this->clean_ports($data['old']['tcp_port'], ','); $udp_ports_new = $this->clean_ports($data['new']['udp_port'], ','); - $udp_ports_old = $this->clean_ports($data['old']['udp_port'], ','); - $tcp_ports_new_array = explode(',', $tcp_ports_new); - $tcp_ports_old_array = explode(',', $tcp_ports_old); $udp_ports_new_array = explode(',', $udp_ports_new); - $udp_ports_old_array = explode(',', $udp_ports_old); + + //* get current firewall-rules + $tcp_ports_old_array = array(); + $udp_ports_old_array = array(); + $app->system->exec_safe('ufw status'); + if($app->system->last_exec_out()[0] == 'Status: inactive') { + //ufw is inactive - force start after updates + $force_ufw = true; + } else { + $force_ufw = false; + } + + foreach($app->system->last_exec_out() as $rule) { + if($rule !== '' && ctype_digit($rule[0])) { + $temp = explode('/', $rule); + if (strpos($temp[1], 'tcp') === 0) { + $tcp_ports_old_array[] = $temp[0]; + } else { + $udp_ports_old_array[] = $temp[0];; + } + unset($temp); + } + } + $tcp_ports_old_array = array_unique($tcp_ports_old_array); + $tcp_ports_old_array = array_unique($tcp_ports_old_array); + + $req_ports=array('22', '5666'); + foreach($req_ports as $req) { + if(!in_array($req, $tcp_ports_new_array)) $tcp_ports_new_array[]=$req; + if(!in_array($req, $udp_ports_new_array)) $udp_ports_new_array[]=$req; + } //* add tcp ports 
foreach($tcp_ports_new_array as $port) { @@ -180,19 +202,24 @@ class firewall_plugin { if($data['new']['active'] == 'y') { if($data['new']['active'] == $data['old']['active']) { - exec('ufw reload'); - $app->log('Reloading the firewall', LOGLEVEL_DEBUG); + if($force_ufw) { + $app->system->exec_safe('ufw --force enable'); + $app->log('Starting the firewall', LOGLEVEL_DEBUG); + } else { + $app->system->exec_safe('ufw reload'); + $app->log('Reloading the firewall', LOGLEVEL_DEBUG); + } } else { //* Ensure that bastille firewall is stopped - exec($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null'); - if(@is_file('/etc/debian_version')) exec('update-rc.d -f bastille-firewall remove'); + if(@is_file($conf['init_scripts'] . '/' . 'bastille-firewall')) $app->system->exec_safe($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null'); + if(@is_file('/etc/debian_version')) $app->system->exec_safe('update-rc.d -f bastille-firewall remove'); //* Start ufw firewall - exec('ufw --force enable'); + $app->system->exec_safe('ufw --force enable'); $app->log('Starting the firewall', LOGLEVEL_DEBUG); } } else { - exec('ufw disable'); + $app->system->exec_safe('ufw disable'); $app->log('Stopping the firewall', LOGLEVEL_DEBUG); } } @@ -216,7 +243,7 @@ class firewall_plugin { private function bastille_update($event_name, $data) { global $app, $conf; - $app->uses('system'); + $data = $this->placeholder($data); $tcp_ports = $this->clean_ports($data['new']['tcp_port'], ' '); $udp_ports = $this->clean_ports($data['new']['udp_port'], ' '); 
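Review bot: The de-duplication after the `ufw status` parse is applied to `$tcp_ports_old_array` twice; the second line should be `$udp_ports_old_array = array_unique($udp_ports_old_array);`, otherwise duplicate UDP entries (the IPv4 row plus its `(v6)` row) stay in the old list and the delete loop that follows (outside this hunk) processes them twice. The `$req_ports` block then force-opens TCP and UDP 22 and 5666 on every server regardless of what the admin configured: an operator who deliberately removes SSH or NRPE from the rule set gets it silently re-added, UDP 22/5666 has no service behind it, and NRPE reachable from anywhere is exactly the exposure a host firewall exists to prevent. If a lock-out guard for SSH is wanted, make it TCP-only and driven by the new placeholder JSON (for example a `REQUIRED` entry the admin can see and edit) and drop the UDP loop. The parse also assumes every numeric rule contains `/`: a rule such as `22 ALLOW Anywhere` (no protocol) leaves `$temp[1]` undefined, so the port is filed under UDP with a notice — test `isset($temp[1])` and handle the both-protocols case explicitly. `DENY`/`REJECT`/`LIMIT` rules are collected as "old" ports here too, which deserves a comment if the later delete loop assumes they are allows.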
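Review bot: The bastille stop command is still built by string concatenation, `$app->system->exec_safe($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null')`, so swapping `exec()` for `exec_safe()` adds no quoting for the configured path; if `exec_safe` takes `?` placeholders with per-argument escaping as its name suggests, pass the script path as an argument: `$app->system->exec_safe('? stop 2>/dev/null', $conf['init_scripts'] . '/bastille-firewall');`. The same concatenation appears in the `bastille_update`/`bastille_delete` hunks further down. The new `is_file()` guard is a good addition; note that the `$force_ufw` path now enables ufw for an `active == 'y'` record whenever the host reports `Status: inactive`, which changes behaviour on hosts where an admin disabled ufw by hand, so logging that at a level above DEBUG (or mentioning it in the commit message) would help operators understand why the firewall came back.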
@@ -235,38 +262,33 @@ class firewall_plugin { if($data['new']['active'] == 'y') { //* ensure that ufw firewall is disabled in case both firewalls are installed if($app->system->is_installed('ufw')) { - exec('ufw disable'); + $app->system->exec_safe('ufw disable'); } - exec($conf['init_scripts'] . '/' . 'bastille-firewall restart 2>/dev/null'); - if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall defaults'); - if(@is_file('/sbin/insserv')) exec('insserv -d bastille-firewall'); + $app->system->exec_safe($conf['init_scripts'] . '/' . 'bastille-firewall restart 2>/dev/null'); + if(@is_file('/etc/debian_version')) $app->system->exec_safe('update-rc.d bastille-firewall defaults'); + if(@is_file('/sbin/insserv')) $app->system->exec_safe('insserv -d bastille-firewall'); $app->log('Restarting the firewall', LOGLEVEL_DEBUG); } else { - exec($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null'); - if(@is_file('/etc/debian_version')) exec('update-rc.d -f bastille-firewall remove'); - if(@is_file('/sbin/insserv')) exec('insserv -r -f bastille-firewall'); + $app->system->exec_safe($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null'); + if(@is_file('/etc/debian_version')) $app->system->exec_safe('update-rc.d -f bastille-firewall remove'); + if(@is_file('/sbin/insserv')) $app->system->exec_safe('insserv -r -f bastille-firewall'); $app->log('Stopping the firewall', LOGLEVEL_DEBUG); } - - } private function bastille_delete($event_name, $data) { global $app, $conf; - exec($conf['init_scripts'] . '/' . 'bastille-firewall stop 2>/dev/null'); - if(@is_file('/etc/debian_version')) exec('update-rc.d -f bastille-firewall remove'); - if(@is_file('/sbin/insserv')) exec('insserv -r -f bastille-firewall'); + if(@is_file($conf['init_scripts'] . '/' . 'bastille-firewall')) $app->system->exec_safe($conf['init_scripts'] . '/' . 
'bastille-firewall stop 2>/dev/null'); + if(@is_file('/etc/debian_version')) $app->system->exec_safe('update-rc.d -f bastille-firewall remove'); + if(@is_file('/sbin/insserv')) $app->system->exec_safe('insserv -r -f bastille-firewall'); $app->log('Stopping the firewall', LOGLEVEL_DEBUG); - } - - private function clean_ports($portlist, $spacer) { + private function clean_ports($portlist, $seperator) { $ports = explode(',', $portlist); $ports_out = ''; - if(is_array($ports)) { foreach($ports as $p) { $p_clean = ''; 
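Review bot: The bastille stop/remove sequence is now written out three times (ufw_update's else branch in the previous hunk, bastille_update's else branch and bastille_delete here) and the copies already diverge: bastille_delete guards the stop call with `is_file()` while bastille_update's branch a few lines above calls `bastille-firewall stop` unguarded. Either add the same `if(@is_file($conf['init_scripts'] . '/' . 'bastille-firewall'))` guard there or fold the three copies into one private helper such as `bastille_stop()`. The renamed clean_ports parameter `$seperator` is misspelled; `$separator` is the conventional name (it recurs in the continuation in the next hunk). clean_ports continues past this hunk.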
@@ -283,14 +305,76 @@ class firewall_plugin { $p_clean = $tmp; } } - if($p_clean != '') $ports_out .= $p_clean . $spacer; + if($p_clean != '') $ports_out .= $p_clean . $seperator; } } - return substr($ports_out, 0, strlen($spacer)*-1); + return substr($ports_out, 0, strlen($seperator)*-1); } + private function auto_ports($records, $type, $server) { + global $app, $conf; + + $ports = array(); + if($type == 'tcp') { + if($conf['server_id'] == 1) { + $check = $app->db->queryOneRecord('SELECT count(server_id) as c FROM server')['c']; + if($check > 1) $records['ISPCONFIG'][] = 3306; + $ports[] = implode(',', $records['ISPCONFIG']); + } + if($server['mail_server'] == 1) { + $ports[] = implode(',', $records['MAIL']); + // check for rspamd + $app->uses('getconf,system,functions'); + $mail_config = $app->getconf->get_server_config($conf['server_id'], 'mail'); + if($mail_config['content_filter'] == 'rspamd') { + $ports[] = implode(',', $records['RSPAMD']); + } + } + if($server['dns_server'] == 1) $ports[] = implode(',', $records['DNS']); + if($server['web_server'] == 1) { + $ports[] = implode(',', $records['FTP']); + $ports[] = implode(',', $records['WEB']); + } + } elseif($type == 'udp') { + if($server['dns_server'] == 1) $ports[] = implode(',', $records['DNS']); + } + return(implode(',', $ports)); + } + + private function placeholder($data) { + global $app, $conf; + + $temp = $app->db->queryOneRecord('SELECT firewall_placeholder FROM server WHERE server_id = ?', $conf['server_id']); + $records = json_decode($temp['firewall_placeholder'], true); + foreach($records as $idx=>$val) $placeholders['{'.$idx.'}'] = $val; + $_replace = array(); + foreach($placeholders as $placeholder => $ports) { + $_search[] = $placeholder; + $_replace[] = implode(',', $ports); + } + + $server = $app->db->queryOneRecord('SELECT * FROM server WHERE server_id = ?', $conf['server_id']); + if($data['new']['tcp_port'] != '' || $data['old']['tcp_port'] != '') { + $search = $_search; + $replace = 
$_replace; + $search[] = '{AUTO}'; + $replace[] = $this->auto_ports($records, 'tcp', $server); + $data['new']['tcp_port'] = str_replace($search, $replace, $data['new']['tcp_port']); + $data['old']['tcp_port'] = str_replace($search, $replace, $data['old']['tcp_port']); + } + if($data['new']['udp_port'] != '' || $data['old']['udp_port'] != '') { + $search = $_search; + $replace = $_replace; + $search[] = '{AUTO}'; + $replace[] = $this->auto_ports($records, 'udp', $server); + $data['new']['udp_port'] = str_replace($search, $replace, $data['new']['udp_port']); + $data['old']['udp_port'] = str_replace($search, $replace, $data['old']['udp_port']); + } + + return $data; + } } // end class -- GitLab From 499144cfeef74d07210601b0665631bee904ba5e Mon Sep 17 00:00:00 2001 From: Florian Schaal Date: Fri, 19 Mar 2021 06:02:52 +0000 Subject: [PATCH 2/6] Update firewall_plugin.inc.php --- server/plugins-available/firewall_plugin.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/plugins-available/firewall_plugin.inc.php b/server/plugins-available/firewall_plugin.inc.php index 5f1a4c7a04..a502d4327b 100644 --- a/server/plugins-available/firewall_plugin.inc.php +++ b/server/plugins-available/firewall_plugin.inc.php @@ -157,12 +157,13 @@ class firewall_plugin { } $tcp_ports_old_array = array_unique($tcp_ports_old_array); $tcp_ports_old_array = array_unique($tcp_ports_old_array); - +/* $req_ports=array('22', '5666'); foreach($req_ports as $req) { if(!in_array($req, $tcp_ports_new_array)) $tcp_ports_new_array[]=$req; if(!in_array($req, $udp_ports_new_array)) $udp_ports_new_array[]=$req; } +*/ //* add tcp ports foreach($tcp_ports_new_array as $port) { -- GitLab From 9eefb0fcab7bf3b636d9a5fd6bd120d13ed1ea86 Mon Sep 17 00:00:00 2001 
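Review bot: `placeholder()` never initialises `$placeholders` or `$_search` and does not check that `json_decode()` produced an array, so on a server row whose `firewall_placeholder` is empty or not valid JSON (PATCH 3/6 adds the column as `NOT NULL` with no default) `$records` is null, both `foreach` loops warn and `str_replace()` is called with an undefined search array. Add `if(!is_array($records)) $records = array();` after the decode and `$placeholders = $_search = $_replace = array();` before the loops, and let auto_ports() skip keys that are absent (`$records['RSPAMD']`, `$records['ISPCONFIG']`) instead of indexing them unconditionally. auto_ports() also appends 3306 to the ISPCONFIG list on server 1 whenever more than one server row exists; the allow loop that consumes these ports lies outside this hunk, so if it does not restrict the source address the database port becomes reachable from anywhere, and limiting that rule to the other servers' addresses would be the safer default.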
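Review bot: The block that forced ports 22 and 5666 is commented out rather than deleted; dead code wrapped in `/* */` should be removed, and the two `array_unique` calls left as context above it still both operate on `$tcp_ports_old_array`, so the UDP list stays undeduplicated. With the forced SSH port gone, a firewall record whose TCP list omits 22 will lock the administrator out on the next reload; if that safeguard is intended to go, a warning in the interface validation or a comment stating why would help the next reader. The enclosing method starts before and continues after this hunk.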
From: Florian Schaal Date: Fri, 19 Mar 2021 09:39:20 +0100 Subject: [PATCH 3/6] fix an error on older mysql-servers (#6112) --- install/lib/installer_base.lib.php | 14 +++++++------- install/sql/incremental/upd_dev_collection.sql | 3 ++- install/sql/ispconfig3.sql | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 6de768f7e5..48156e64ba 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php 
@@ -449,18 +449,18 @@ class installer_base { } $current_db_version = intval($current_db_version); - + $firewall_placeholder = '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080,8081],"CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}'; if($conf['mysql']['master_slave_setup'] == 'y') { //* Insert the server record in master DB - $sql = "INSERT INTO `server` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`) VALUES (1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?);"; - $this->dbmaster->query($sql, $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled); + $sql = "INSERT INTO `server` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`, `firewall_placeholder`) VALUES (1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?, ?);"; + $this->dbmaster->query($sql, $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled, $firewall_placeholder); $conf['server_id'] = $this->dbmaster->insertID(); $conf['server_id'] = $conf['server_id']; //* Insert the same record in the local DB - $sql = "INSERT INTO `server` (`server_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, 
`server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`) VALUES (?,1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?);"; - $this->db->query($sql, $conf['server_id'], $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled); + $sql = "INSERT INTO `server` (`server_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`, `firewall_placeholder`) VALUES (?,1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?, ?);"; + $this->db->query($sql, $conf['server_id'], $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled, $firewall_placeholder); //* username for the ispconfig user $conf['mysql']['master_ispconfig_user'] = 'ispcsrv'.$conf['server_id']; 
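Review bot: `$firewall_placeholder` is a hand-typed JSON literal that feeds the three INSERT variants here and in the `@@ -469` hunk and is repeated again in upd_dev_collection.sql; the removed SQL default in the next file section shows how easily such a literal goes wrong (it lacked the opening quote before `CUSTOM_TCP`), and firewall_plugin::placeholder() turns an unparseable value into null without any error. Build it once from a PHP array, `$firewall_placeholder = json_encode(array('FTP' => array(20, 21, '40110:40210'), /* … */));`, so the structure is checked at install time, or keep it in one shared constant used by both the installer and the updater. The enclosing method starts before and continues after this hunk.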
@@ -469,8 +469,8 @@ class installer_base { } else { //* Insert the server, if its not a mster / slave setup - $sql = "INSERT INTO `server` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`) VALUES (1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?);"; - $this->db->query($sql, $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled); + $sql = "INSERT INTO `server` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_name`, `mail_server`, `web_server`, `dns_server`, `file_server`, `db_server`, `vserver_server`, `config`, `updated`, `active`, `dbversion`,`firewall_server`,`proxy_server`, `firewall_placeholder`) VALUES (1, 1, 'riud', 'riud', 'r', ?, ?, ?, ?, ?, ?, ?, ?, 0, 1, ?, ?, ?, ?);"; + $this->db->query($sql, $conf['hostname'], $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $server_ini_content, $current_db_version, $proxy_server_enabled, $firewall_server_enabled, $firewall_placeholder); $conf['server_id'] = $this->db->insertID(); $conf['server_id'] = $conf['server_id']; } diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index cff669653f..e720d518a3 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql 
@@ -1,2 +1,3 @@ ALTER TABLE `server` -ADD `firewall_placeholder` TINYTEXT NOT NULL DEFAULT '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080],CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}'; +ADD `firewall_placeholder` TINYTEXT NOT NULL; +UPDATE `server` SET `firewall_placeholder` = '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080,8081],"CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}'; diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index 039ba11401..3aba2e98d6 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -1367,7 +1367,7 @@ CREATE TABLE `server` ( `mirror_server_id` int(11) unsigned NOT NULL default '0', `dbversion` int(11) unsigned NOT NULL default '1', `active` tinyint(1) NOT NULL default '1', - `firewall_placeholder` TINYTEXT NOT NULL DEFAULT '{"FTP":[20,21,"40110:40210"],"MAIL":[25,110,143,465,587,993,995],"RSPAMD":[11334],"DNS":[53],"WEB":[80,443],"ISPCONFIG":[8080],CUSTOM_TCP":[""],"CUSTOM_UDP":[""]}', + `firewall_placeholder` TINYTEXT NOT NULL, PRIMARY KEY (`server_id`) ) DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ; -- GitLab From 6132f614788aa57d5a80da06032b42fdcf5be77b Mon Sep 17 00:00:00 2001 From: Florian Schaal Date: Tue, 23 Mar 2021 09:48:32 +0000 Subject: [PATCH 4/6] fix edit firewall placeholder --- .../lib/classes/plugin_server_firewall_placeholder.inc.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/interface/lib/classes/plugin_server_firewall_placeholder.inc.php b/interface/lib/classes/plugin_server_firewall_placeholder.inc.php index b2627f6488..8cb628665e 100755 --- a/interface/lib/classes/plugin_server_firewall_placeholder.inc.php +++ b/interface/lib/classes/plugin_server_firewall_placeholder.inc.php 
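Review bot: `firewall_placeholder` is declared `TINYTEXT`, which holds at most 255 bytes, while the default JSON written by the UPDATE is already around 170 bytes; a handful of extra entries in CUSTOM_TCP/CUSTOM_UDP pushes the value past the limit, and depending on sql_mode MySQL then either rejects the write or silently truncates it to unparseable JSON. Both the ALTER in upd_dev_collection.sql and the column in the ispconfig3.sql hunk should use `TEXT`, i.e. `ADD firewall_placeholder TEXT NOT NULL;`. The UPDATE also overwrites the value for every row in `server`; that is fine for a freshly added column, but a comment noting it is intentional would prevent someone from re-running it later on customised lists.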
@@ -84,6 +84,7 @@ class plugin_server_firewall_placeholder extends plugin_base { foreach($data as $idx=>$val) { //* validate updates if($dataRecord[$idx] != implode(',',$val)) { + $new = array(); $check = explode(',',$dataRecord[$idx]); foreach($check as $_idx=>$validate) { $validate = trim($validate); @@ -91,10 +92,11 @@ class plugin_server_firewall_placeholder extends plugin_base { if(!preg_match('/^\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*$/', $validate)) { $error .= "Invalide value $validate for $idx
"; } else { - $dataRecord[$_idx] = $validate; + $new[] = $validate; } } } + if(!empty($new)) $dataRecord[$_idx] = implode(',', $new); $data[$idx] = explode(',',$dataRecord[$_idx]); $update = true; } -- GitLab From ae66559f48de65d5f0e27e5b64641187bf5e699b Mon Sep 17 00:00:00 2001 From: Florian Schaal Date: Tue, 23 Mar 2021 14:28:49 +0000 Subject: [PATCH 5/6] open port 3306 with remote databases --- server/plugins-available/firewall_plugin.inc.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/server/plugins-available/firewall_plugin.inc.php b/server/plugins-available/firewall_plugin.inc.php index a502d4327b..c42d7e3930 100644 --- a/server/plugins-available/firewall_plugin.inc.php +++ b/server/plugins-available/firewall_plugin.inc.php @@ -337,6 +337,10 @@ class firewall_plugin { $ports[] = implode(',', $records['FTP']); $ports[] = implode(',', $records['WEB']); } + if($server['db_server'] == 1) { + $tmp = $app->db->queryOneRecord("SELECT count(server_id) as number from web_database where active = 'y' AND remote_access = 'y' AND server_id = ?", $conf['server_id']); + if($tmp['number'] > 0) $ports[] = 3306; + } } elseif($type == 'udp') { if($server['dns_server'] == 1) $ports[] = implode(',', $records['DNS']); } -- GitLab From 7d19c847cbe20276214ddd4ef22a3971cef09aca Mon Sep 17 00:00:00 2001 From: Florian Schaal Date: Tue, 23 Mar 2021 14:30:02 +0000 Subject: [PATCH 6/6] handle firewall based on db-remote access --- interface/lib/classes/sites_database_plugin.inc.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/interface/lib/classes/sites_database_plugin.inc.php b/interface/lib/classes/sites_database_plugin.inc.php index 68421d6083..c3693053c1 100644 --- a/interface/lib/classes/sites_database_plugin.inc.php +++ b/interface/lib/classes/sites_database_plugin.inc.php 
@@ -51,6 +51,14 @@ class sites_database_plugin { $sql = "UPDATE web_database SET sys_groupid = ?, backup_interval = ?, backup_copies = ? WHERE database_id = ?"; $app->db->query($sql, $sys_groupid, $backup_interval, $backup_copies, $form_page->id); + + if($form_page->dataRecord['remote_access'] == 'y' && $form_page->dataRecord['active'] == 'y') { + $firewall = $app->db->queryOneRecord("SELECT * FROM firewall WHERE active = 'y' AND server_id = ?", $form_page->dataRecord['server_id']); + if($firewall) { + $app->db->datalogUpdate('firewall', $firewall, 'firewall_id', $firewall['firewall_id'], true); + file_put_contents("debug", "update fw"); + } + } } } -- GitLab
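Review bot: `file_put_contents("debug", "update fw");` is leftover debugging that writes a file named `debug` relative to the web process's working directory on every save with remote access enabled; remove it before merging, or route the message through the interface's logging helper if `$app` exposes one. The trigger also only fires when remote access is being enabled: switching `remote_access` off or deactivating the database never re-queues the firewall, so 3306 stays open until some unrelated firewall change happens — re-queue whenever either field changed instead of only when both are `'y'`. `datalogUpdate()` is handed the unchanged `$firewall` record as the new data; if the trailing `true` is what forces a datalog entry despite no diff, a one-line comment saying so would save the next reader a lookup. The enclosing method starts before this hunk.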