2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
26 local ${FIREWALL_ZONE_SETTINGS}
27 firewall_zone_read
${zone}
30 if enabled MASQUERADE4
; then
31 policy_zone_masquerade4
${zone}
34 # Allow/deny cross-zone communication.
36 for other_zone
in $
(zones_get_all
); do
37 if list_match
"${other_zone}" ${FRIEND_ZONES}; then
38 policy_zone_allow_all
${zone} ${other_zone}
40 policy_zone_deny_all
${zone} ${other_zone}
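policy_zone_masquerade4() {
	# Enable IPv4 source NAT (MASQUERADE) for traffic leaving the given zone.
	#
	# Arguments:
	#   $1 - zone name; used as the outgoing interface (-o) and, upper-cased,
	#        as part of the chain name ZONE_<ZONE>_SNAT.
	#
	# The chain ZONE_<ZONE>_SNAT in the nat table is only appended to here;
	# it is assumed to have been created elsewhere.
	# NOTE(review): the argument binding and the assert below are reconstructed
	# from the helper's use of ${zone}; the rendering this listing was taken
	# from drops those lines. Confirm against the repository.
	local zone="${1}"
	assert isset zone

	local chain="ZONE_${zone^^}_SNAT"

	# --random randomises the source-port mapping (iptables-extensions(8)),
	# so an outside observer cannot trivially infer the internal port
	# allocation pattern.
	# ${zone} is quoted like ${chain} so that a zone name containing
	# whitespace or glob characters cannot be split into extra arguments.
	iptables -4 -t nat -A "${chain}" -o "${zone}" \
		-j MASQUERADE --random
}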
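policy_zone_allow_all() {
	# Permit every new connection from zone ($1) towards other_zone ($2).
	#
	# Arguments:
	#   $1 - source zone
	#   $2 - destination zone
	#
	# The rule is appended to ZONE_<ZONE>_<OTHER_ZONE>_POLICY, which must
	# already exist. Only conntrack state NEW is matched here; reply and
	# related traffic (ESTABLISHED,RELATED) is not handled by this function
	# and is presumably accepted earlier in the ruleset -- not visible in
	# this file, confirm before relying on it.
	# NOTE(review): iptables limits chain names to 28 characters. With the
	# fixed "ZONE_" / "_" / "_POLICY" parts, the two upper-cased zone names
	# together may not exceed 15 characters or the iptables call fails.
	# NOTE(review): the argument bindings and "assert isset zone" are
	# reconstructed from the visible "assert isset other_zone"; confirm.
	local zone="${1}"
	local other_zone="${2}"

	assert isset zone
	assert isset other_zone

	local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"

	# Just accept all new connections.
	iptables -A "${chain}" -m conntrack --ctstate NEW -j ACCEPT
}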
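policy_zone_deny_all() {
	# Drop every packet from zone ($1) towards other_zone ($2).
	#
	# Arguments:
	#   $1 - source zone
	#   $2 - destination zone
	#
	# The rule is appended to ZONE_<ZONE>_<OTHER_ZONE>_POLICY, which must
	# already exist. Packets are dropped silently (DROP, not REJECT), so the
	# sender sees a timeout rather than an ICMP error.
	# NOTE(review): there is no conntrack match here, unlike
	# policy_zone_allow_all; any ESTABLISHED/RELATED traffic that reaches this
	# chain is dropped as well. That is presumably accepted earlier in the
	# ruleset -- not visible in this file, confirm.
	# NOTE(review): iptables limits chain names to 28 characters; two long
	# zone names overflow ZONE_<ZONE>_<OTHER_ZONE>_POLICY and the call fails.
	# NOTE(review): the argument bindings and "assert isset zone" are
	# reconstructed from the visible "assert isset other_zone"; confirm.
	local zone="${1}"
	local other_zone="${2}"

	assert isset zone
	assert isset other_zone

	local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"

	# Drop everything. (The previous comment on this line was copy-pasted
	# from policy_zone_allow_all and wrongly claimed to accept connections.)
	iptables -A "${chain}" -j DROP
}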
82 # Nothing to do here, because that is the
83 # default policy of the INPUT/OUTPUT/FORWARD chain.
# policy_import_all_rules: intended to populate the zone's chains with the
# rules stored in <zone dir>/rules.
# NOTE(review): this rendering drops original lines 89-96, 98-99 and 101, so
# the body below is incomplete; where ${zone} and ${chain} are bound is not
# visible here -- confirm against the repository.
87 policy_import_all_rules
() {
88 # This will populate all chains with the rules
97 local zone_dir
=$
(firewall_zone_dir
${zone})
100 local rulesfile
="${zone_dir}/rules"
# NOTE(review): the actual import is commented out, so as shown this function
# reads ${rulesfile} into nothing and installs no per-zone rules. If that is
# deliberate, say so here; if not, the zone policy is silently missing them.
102 #firewall_parse_rules "${rulesfile}" \
103 # -A ${chain}_RULES_INC
108 assert isset zone_from
116 # Allow routes that have the same incoming and outgoing interface.
117 if [ "${zone_from}" = "${zone_to}" ]; then
118 iptables
-A ${chain} -j ACCEPT
122 # Grant all local zones accessing everything (GREEN).
123 if zone_is_local
${zone_from}; then
124 iptables
-A ${chain} -j ACCEPT