From: Michael Tremer
Date: Tue, 7 Aug 2012 14:37:29 +0000 (+0200)
Subject: outgoingfw: mode=1: Change policy ACCEPT -> RETURN.
X-Git-Tag: v2.11-core62^2~19^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78a14abf81e61ea4fc62d313dfd6779cda9421ae;p=people%2Fummeegge%2Fipfire-2.x.git

outgoingfw: mode=1: Change policy ACCEPT -> RETURN.

Because of the early acceptance of packets, that pass the outgoing firewall, it was possible to circumvent the MAC address filter on blue. The RETURN target forces the packets to go on. Other packets, that do not pass the outgoing firewall will be dropped immediately.
---

diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
index 1d7dd93aa0..c4813e9df1 100644
--- a/config/outgoingfw/outgoingfw.pl
+++ b/config/outgoingfw/outgoingfw.pl
@@ -91,10 +91,10 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 $outfwsettings{'STATE'} = "ALLOW";
 $POLICY = "DROP";
- $DO = "ACCEPT";
+ $DO = "RETURN";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 $outfwsettings{'STATE'} = "DENY";
- $POLICY = "ACCEPT";
+ $POLICY = "RETURN";
 $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
 }
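Review bot: The MODE1 branch now relies on the chain that jumps to OUTGOINGFW reaching the blue MAC filter only after that jump returns, and nothing in this diff shows that ordering, so it should be confirmed and recorded next to the assignment, e.g. `$DO = "RETURN"; # not ACCEPT: hand the packet back so the caller chain still runs the blue MAC filter`. The flip side is that every rule the caller chain has after the jump now also sees traffic that used to be accepted inside OUTGOINGFW, so a later DROP there would now apply to allowed traffic; whether such rules exist cannot be told from here. In the MODE2 branch `$POLICY` is switched to RETURN as well, but the only terminal command block this diff shows for the file (the hunk at line 290) is guarded by `eq 'MODE1'`; if `$POLICY` is consumed only there, the MODE2 assignment is dead and should either be removed or get a comment saying where it is used.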
@@ -112,13 +112,13 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
@@ -260,7 +260,7 @@ foreach $p2pentry (sort @p2ps)
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 } else {
- $DO = "ACCEPT";
+ $DO = "RETURN";
 if ("$p2pline[2]" eq "on") {
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
@@ -290,4 +290,4 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 } else {
 system("$CMD");
 }
-}
\ No newline at end of file
+}
diff --git a/config/rootfiles/core/62/filelists/files b/config/rootfiles/core/62/filelists/files
index 89987a1b6e..731daa03c9 100644
--- a/config/rootfiles/core/62/filelists/files
+++ b/config/rootfiles/core/62/filelists/files
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/connections.cgi
 usr/lib/gconv
+var/ipfire/outgoing/bin/outgoingfw.pl
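Review bot: The two `-p icmp -j RETURN` rules let every ICMP type and code leave OUTGOINGFW and OUTGOINGFWMAC before any user rule is consulted in MODE1, so the outgoing firewall cannot restrict ICMP at all in that mode; the commit keeps that blanket exception while changing its target, and it deserves a comment such as `# ICMP is never filtered by the outgoing firewall in MODE1; RETURN so the caller chain still sees it`. The four rule/command pairs in this hunk differ only in the chain and the match, so one loop removes the copy-paste while keeping the per-chain rule order identical (state rule before ICMP rule in each chain), and it gives a single place to hang that comment. The `system("$CMD")` calls are fed constant strings here, so the string form is harmless in this hunk, but it is the pattern the rest of the file reuses with configuration-derived values.
```perl
# MODE1: replies and ICMP leave the outgoing firewall early, but with
# RETURN rather than ACCEPT so the caller chain still applies the
# blue MAC filter to them.
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	foreach my $match ("-m state --state ESTABLISHED,RELATED", "-p icmp") {
		foreach my $chain ("OUTGOINGFW", "OUTGOINGFWMAC") {
			$CMD = "/sbin/iptables -A $chain $match -j RETURN";
			if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
		}
	}
}
```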
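Review bot: The `$DO = "RETURN";` in the else branch reassigns the file-global `$DO` that the policy block near line 91 chose, and it does so on every iteration of the enclosing `foreach $p2pentry` loop, which starts before this hunk; any rule built from `$DO` after the loop therefore inherits whatever the last p2p entry set rather than the configured policy, though whether anything after the loop still reads `$DO` cannot be seen here. A loop-local target would keep the p2p handling from leaking into the global: `my $p2ptarget = "RETURN";` in this branch, the matching DROP string in the if-branch (outside the hunk), and `$p2ptarget` wherever the p2p rule is assembled below. Separately, `if ("$p2pline[2]" eq "on")` stringifies for no reason; `if ($p2pline[2] eq "on")` is equivalent.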