From: Michael Tremer Date: Fri, 21 Apr 2023 12:23:00 +0000 (+0000) Subject: firewall: Drop legacy rules for PPPoE/PPTP X-Git-Tag: v2.27-core175~148 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aac0baea15bf3ef87ef878ffbe46efcafe24e06c;p=ipfire-2.x.git firewall: Drop legacy rules for PPPoE/PPTP These rules were created to permit any local traffic to the firewall when using a PPP connection that utilised Ethernet as transport. This is however nonsensical and a security issue for any other connection methods that call the RED interface "red0" and use PPP (e.g. QMI). Since PPPoE packets do not flow through iptables, these rules can be dropped safely. We do not know whether PPTP works at all these days. Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in Tested-by: Stefan Schantl Tested-by: Arne Fitzenreiter Signed-off-by: Michael Tremer --- diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index dfa08d58b6..50f2b3e029 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -424,19 +424,6 @@ iptables_red_up() { fi fi - # PPPoE / PPTP Device - if [ "$IFACE" != "" ]; then - # PPPoE / PPTP - if [ "$DEVICE" != "" ]; then - iptables -A REDINPUT -i $DEVICE -j ACCEPT - fi - if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then - if [ "$RED_DEV" != "" ]; then - iptables -A REDINPUT -i $RED_DEV -j ACCEPT - fi - fi - fi - # PPTP over DHCP if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
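Review bot: The inner `if [ "$DEVICE" != "" ]` in the removed block accepted every packet on `$DEVICE` whenever `$IFACE` was set, without consulting `$RED_TYPE` at all, so the blanket `iptables -A REDINPUT -i $DEVICE -j ACCEPT` applied to any RED setup (QMI included), which is exactly the exposure in #13088; dropping the whole block rather than tightening the condition is the right call given the commit message's note that PPPoE traffic never traverses iptables. Two things worth a follow-up: the surviving "PPTP over DHCP" rule tests `"$TYPE" == "PPTP"` while the removed code tested `"$RED_TYPE" == "PPTP"`, so please confirm `$TYPE` is actually populated in `iptables_red_up()` or that rule is dead; and since the script now adds no REDINPUT rule for the PPP case, a one-line comment at the removal site (e.g. `# PPPoE traffic is not seen by iptables; no REDINPUT rule needed`) would stop a future reader from re-adding one. Minor: `-i $DEVICE` in the remaining rule is unquoted, unlike the `[ ... ]` tests around it.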