X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=config%2Ffirewall%2Ffirewall-policy;h=cbba3b021a4eb93bd3609ea58edaaea3cbe1353f;hb=4a6cfe51a16575c7100862e2cc6f959bc48c6628;hp=2176d6b9e5a2c2d8e3ebacd9213109d48dce6666;hpb=c26a9ed25c6a3e81d42d824b4b7785f78f500eea;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 2176d6b9e5..cbba3b021a 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,14 @@ HAVE_OPENVPN="true"
 # INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
+# Allow access from BLUE
+if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+ iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
+fi
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 true,MODE1) ;;
@@ -111,7 +119,13 @@ case "${POLICY}" in
 *)
 # Access from GREEN is granted to everywhere
- iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+ # internet via green
+ # don't check source IP/NET if IFACE is GREEN
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+ else
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ fi
 # Grant access for IPsec VPN connections
 iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
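Review bot: The new GREEN rule `iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT` in the first hunk runs unconditionally, while the BLUE rule a few lines below is guarded by `[ -n "${BLUE_DEV}" ]`; with an empty GREEN_DEV the command is issued as `-i ""`, which, depending on the iptables version, is either rejected ("Empty interface is likely to be undesired") or treated as no interface match at all, i.e. an ACCEPT of INPUT traffic from every interface. Guard it the same way as BLUE: `if [ -n "${GREEN_DEV}" ]; then` / `iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT` / `fi`. Both POLICYIN rules match on the ingress interface only, whereas the file's existing POLICYFWD rule for green (the removed line of the second hunk) also restricts the source to `-s "${GREEN_NETADDRESS}/${GREEN_NETMASK}"`; if spoofed source addresses on the green/blue interfaces are not already dropped earlier in chain order, which this hunk does not show, either add the same `-s` match here or record the decision with a comment such as `# Interface-only match on purpose: GREEN/BLUE are trusted segments; source filtering is not done in POLICYIN`. The `case "${HAVE_IPSEC},${POLICY}"` statement that starts at the end of this hunk continues outside it.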