Because packets that pass the outgoing firewall were accepted early,
it was possible to circumvent the MAC address filter on
blue.
The RETURN target forces the packets to go on. Other packets
that do not pass the outgoing firewall will be dropped immediately.
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
$outfwsettings{'STATE'} = "ALLOW";
$POLICY = "DROP";
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
$outfwsettings{'STATE'} = "ALLOW";
$POLICY = "DROP";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
$outfwsettings{'STATE'} = "DENY";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
$outfwsettings{'STATE'} = "DENY";
$DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
}
$DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
}
}
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
}
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
}
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
}
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
} else {
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
} else {
if ("$p2pline[2]" eq "on") {
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
if ("$p2pline[2]" eq "on") {
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
} else {
system("$CMD");
}
} else {
system("$CMD");
}
-}
\ No newline at end of file
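Review bot: The four `$CMD` assignments that switch `-j ACCEPT` to `-j RETURN` carry no comment, so the next maintainer will read them as a weakening of the early-accept rules rather than as the fix for the blue MAC-filter bypass; put above the first one `# RETURN, not ACCEPT: early matches must fall back to the calling chain so the MAC filter on blue still sees them`. RETURN only closes the bypass if the chain that jumps into OUTGOINGFW and OUTGOINGFWMAC evaluates the MAC rules after that jump, and the call site is not in the hunk, so the rule order there is worth checking alongside this change. The surrounding `system("$CMD")` lines predate the commit, but they still discard the exit status, so a rule that fails to insert on the non-debug path goes unnoticed. The enclosing `if ( $outfwsettings{'POLICY'} eq 'MODE1' )` block starts and ends outside what the hunk shows.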
etc/issue
srv/web/ipfire/cgi-bin/connections.cgi
usr/lib/gconv
etc/issue
srv/web/ipfire/cgi-bin/connections.cgi
usr/lib/gconv
+var/ipfire/outgoing/bin/outgoingfw.pl