From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 2 Sep 2013 19:51:22 +0000 (+0200)
Subject: firewall: Rewrite policy script.
X-Git-Tag: v2.15-beta1~273
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52c5ec837f1b8ebbb93d1477dcb345ea921b84a7;p=people%2Fms%2Fipfire-2.x.git

firewall: Rewrite policy script.

Restructure the code; add fallback options if no configuration
is set; reliably check if BLUE or ORANGE are used.
---

diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 0fcfaa471a..6f7e95c0f9 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -1,5 +1,4 @@
 #!/bin/sh
-
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
@@ -20,72 +19,106 @@
 #                                                                             #
 ###############################################################################
 
-
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
 
 if [ -f "/var/ipfire/red/iface" ]; then
-	IFACE=`cat /var/ipfire/red/iface`
+	IFACE="$(</var/ipfire/red/iface)"
 fi
 
-#FORWARDFW
-if [ "$POLICY" == "MODE1" ]; then
-		if [ "$FWPOLICY" == "REJECT" ]; then
-			if [ "$DROPFORWARD" == "on" ]; then
-				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
-			fi
-			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+# Figure out what devices are configured.
+HAVE_BLUE="false"
+HAVE_ORANGE="false"
+
+case "${CONFIG_TYPE}" in
+	2)
+		HAVE_BLUE="true"
+		;;
+	3)
+		HAVE_ORANGE="true"
+		;;
+	4)
+		HAVE_BLUE="true"
+		HAVE_ORANGE="true"
+		;;
+esac
+
+# INPUT
+case "${FWPOLICY2}" in
+	REJECT)
+		if [ "${DROPINPUT}" = "on" ]; then
+			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
 		fi
-		if [ "$FWPOLICY" == "DROP" ]; then
-			if [ "$DROPFORWARD" == "on" ]; then
-				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
-			fi
-			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+		/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+		;;
+	*) # DROP
+		if [ "${DROPINPUT}" = "on" ]; then
+			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 		fi
-else
-	if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
-		/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
-	fi
-	/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
-	/sbin/iptables -A POLICYFWD -j ACCEPT 
-	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
-fi
+		/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+		;;
+esac
 
-#OUTGOINGFW
-if [ "$POLICY1" == "MODE1" ]; then
-	if [ "$FWPOLICY1" == "REJECT" ]; then
-		if [ "$DROPOUTGOING" == "on" ]; then
-			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
-		fi
-		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
-	fi
-	if [ "$FWPOLICY1" == "DROP" ]; then
-		if [ "$DROPOUTGOING" == "on" ]; then
-			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+# FORWARD
+case "${POLICY}" in
+	MODE1)
+		case "${FWPOLICY}" in
+			REJECT)
+				if [ "${DROPFORWARD}" = "on" ]; then
+					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+				fi
+				/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+				;;
+			*) # DROP
+				if [ "${DROPFORWARD}" = "on" ]; then
+					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+				fi
+				/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+				;;
+		esac
+		;;
+
+	*)
+		if [ -n "${IFACE}" ]; then
+			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+				/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+			fi
+			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
+				/sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+			fi
 		fi
-			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
-	fi
-else
-	/sbin/iptables -A POLICYOUT -j ACCEPT 
-	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
-fi
-#INPUT
-if [ "$FWPOLICY2" == "REJECT" ]; then
-	if [ "$DROPINPUT" == "on" ]; then
-		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
-	fi
-	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
-fi
-if [ "$FWPOLICY2" == "DROP" ]; then
-	if [ "$DROPINPUT" == "on" ]; then
-		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
-	fi
-	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
-fi
+		/sbin/iptables -A POLICYFWD -j ACCEPT
+		/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+		;;
+esac
+
+# OUTGOING
+case "${POLICY1}" in
+	MODE1)
+		case "${FWPOLICY1}" in
+			REJECT)
+				if [ "${DROPOUTGOING}" = "on" ]; then
+					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+				fi
+				/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+				;;
+			*) # DROP
+				if [ "${DROPOUTGOING}" == "on" ]; then
+					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+				fi
+				/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+				;;
+		esac
+		;;
+	*)
+		/sbin/iptables -A POLICYOUT -j ACCEPT
+		/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+		;;
+esac
 
 exit 0