# INPUT
+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+ REJECT)
+ iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+ ;;
+ *)
+ iptables -A POLICYIN -p udp --dport 514 -j DROP
+ ;;
+esac
+
# Allow access from GREEN
-iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+if [ -n "${GREEN_DEV}" ]; then
+ iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+fi
# Allow access from BLUE
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
*)
# Access from GREEN is granted to everywhere
- if [ "${IFACE}" = "${GREEN_DEV}" ]; then
- # internet via green
- # don't check source IP/NET if IFACE is GREEN
- iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
- else
- iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ if [ -n "${GREEN_DEV}" ]; then
+ if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+ # internet via green
+ # don't check source IP/NET if IFACE is GREEN
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+ else
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ fi
fi
# Grant access for IPsec VPN connections