outgoingfw: mode=1: Change policy ACCEPT -> RETURN.
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 7 Aug 2012 14:37:29 +0000 (16:37 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 7 Aug 2012 14:45:22 +0000 (16:45 +0200)
Because packets that pass the outgoing firewall were accepted early,
it was possible to circumvent the MAC address filter on blue.
The RETURN target forces the packets to go on. Other packets
that do not pass the outgoing firewall will be dropped immediately.

config/outgoingfw/outgoingfw.pl
config/rootfiles/core/62/filelists/files

index 1d7dd93aa00b04abe9a27f92c8da065abb6c55f6..c4813e9df17a724d9d42ba8d91671755ff0d2177 100644 (file)
@@ -91,10 +91,10 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
        $outfwsettings{'STATE'} = "ALLOW";
        $POLICY = "DROP";
-       $DO = "ACCEPT";
+       $DO = "RETURN";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
        $outfwsettings{'STATE'} = "DENY";
-       $POLICY = "ACCEPT";
+       $POLICY = "RETURN";
        $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
 }
 
@@ -112,13 +112,13 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-       $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+       $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-       $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
+       $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-               $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+               $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-               $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
+               $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
 
@@ -260,7 +260,7 @@ foreach $p2pentry (sort @p2ps)
                        $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                }
        } else {
-               $DO = "ACCEPT";
+               $DO = "RETURN";
                if ("$p2pline[2]" eq "on") {
                        $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                }
@@ -290,4 +290,4 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
        } else {
                system("$CMD");
        }
-}
\ No newline at end of file
+}
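Review bot: The switch from ACCEPT to RETURN in the first hunk changes the contract of the OUTGOINGFW chain — it no longer issues a final accept verdict, it only drops or hands the packet back to the calling chain — but nothing in the code records this, so a later edit could restore ACCEPT and reintroduce the bypass of the MAC filter on blue that the commit message describes. A comment above the MODE1 branch at `$DO = "RETURN";`, such as `# RETURN, not ACCEPT: matching packets must still traverse the rules that follow in the calling chain (e.g. the MAC filter on blue)`, would pin the intent. The same applies to the RETURN targets in the ESTABLISHED,RELATED and icmp rules of the second hunk and to `$DO = "RETURN";` in the p2p hunk, so one comment at the first site with a short pointer at the others would suffice. As a style point, the two icmp `$CMD` assignments in the second hunk are indented one level deeper than the `if ($DEBUG)` lines that follow them; since the commit rewrites those lines, it could align them with their neighbours. The `foreach` in the third hunk and the `if` in the last hunk begin outside the shown lines.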
index 89987a1b6e0e2b4fee96de2ba887013893938295..731daa03c902a2bf4234d167796b726a1c4f5709 100644 (file)
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/connections.cgi
 usr/lib/gconv
+var/ipfire/outgoing/bin/outgoingfw.pl