From 4b12aa414c0ae63e135d3ec36737152fff44f6d9 Mon Sep 17 00:00:00 2001
From: Timo Eissler
Date: Thu, 7 Aug 2014 19:00:58 +0200
Subject: [PATCH] firewall: fix faulty masquerading packets

---
 lfs/initscripts                                    |  1 -
 src/initscripts/init.d/firewall                    | 31 ++++++++++++++++---
 .../init.d/networking/red.down/20-firewall         |  3 ++
 .../init.d/networking/red.up/20-firewall           |  3 ++
 4 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 src/initscripts/init.d/networking/red.down/20-firewall
 create mode 100644 src/initscripts/init.d/networking/red.up/20-firewall

diff --git a/lfs/initscripts b/lfs/initscripts
index 02f97431a2..ab870dc77d 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -187,7 +187,6 @@ $(TARGET) :
 		/etc/rc.d/init.d/networking/red.up/24-RS-qos
 	ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
 	ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
-	ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
 
 	for i in green blue orange; do \
 		ln -sf any /etc/rc.d/init.d/networking/$$i; \
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f77bc02032..0d80e7cd6d 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -277,10 +277,16 @@ iptables_init() {
 	/usr/sbin/firewall-policy
 
 	# Install firewall rules for the red interface.
-	iptables_red
+	iptables_red_up
+
+	# If red has not been brought up yet, we will
+	# add the blocking rules for MASQUERADE
+	if [ ! -e "/var/ipfire/red/active" ]; then
+		iptables_red_down
+	fi
 }
 
-iptables_red() {
+iptables_red_up() {
 	iptables -F REDINPUT
 	iptables -F REDFORWARD
 	iptables -t nat -F REDNAT
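Review bot: The boot-time fallback added to `iptables_init` (`if [ ! -e "/var/ipfire/red/active" ]; then iptables_red_down; fi`) makes the DROP rule depend on `$IFACE`, but nothing in this hunk assigns it; on a fresh boot no red.up hook has run yet, so if `IFACE` is empty on this path the `-o $IFACE` rule cannot be installed and REDFORWARD is left flushed and open — the opposite of what the `red/active` check intends. Worth confirming where `IFACE` is populated before `iptables_init` runs, and documenting it here, e.g. `# iptables_red_down needs IFACE; at boot it comes from <fill in source> — TODO confirm`. The `iptables_red_up` body continues past the end of the hunk.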
@@ -358,6 +364,18 @@ iptables_red() {
 	/usr/local/bin/firewallctrl
 }
 
+iptables_red_down() {
+	# Prohibit packets to reach the masquerading rule
+	# while the wan interface is down - this is required to
+	# circumvent udp related NAT issues
+	# http://forum.ipfire.org/index.php?topic=11127.0
+	iptables -F REDFORWARD
+	iptables -A REDFORWARD -o $IFACE -j DROP
+
+	# Reload all rules.
+	/usr/local/bin/firewallctrl
+}
+
 # See how we were called.
 case "$1" in
 	start)
@@ -388,9 +406,9 @@ case "$1" in
 		/etc/sysconfig/firewall.local start
 	fi
 	;;
-	reload)
+	reload|up)
 		boot_mesg "Reloading firewall"
-		iptables_red
+		iptables_red_up
 		evaluate_retval
 
 		# run local firewall configuration, if present
@@ -398,6 +416,11 @@ case "$1" in
 		/etc/sysconfig/firewall.local reload
 	fi
 	;;
+	down)
+		boot_mesg "Disabling firewall access to RED"
+		iptables_red_down
+		evaluate_retval
+		;;
 	restart)
 	# run local firewall configuration, if present
 	if [ -x /etc/sysconfig/firewall.local ]; then
diff --git a/src/initscripts/init.d/networking/red.down/20-firewall b/src/initscripts/init.d/networking/red.down/20-firewall
new file mode 100644
index 0000000000..d21c97ce91
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.down/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall down
diff --git a/src/initscripts/init.d/networking/red.up/20-firewall b/src/initscripts/init.d/networking/red.up/20-firewall
new file mode 100644
index 0000000000..ca52b4bd94
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.up/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall up
-- 
2.39.5
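Review bot: In `iptables_red_down` the interface is interpolated unquoted and unchecked (`iptables -A REDFORWARD -o $IFACE -j DROP`); with `IFACE` empty the command degenerates to `-o -j DROP`, iptables rejects it, and because `iptables -F REDFORWARD` has already run the chain is left empty and open for exactly the window this function is meant to close. Since `/usr/local/bin/firewallctrl` is the function's last command, `evaluate_retval` in the new `down)` case (hunk at -398) only reports firewallctrl's status and would hide that failure. Suggest guarding and propagating the error: `[ -n "${IFACE}" ] || return 1` before the rule, and `iptables -A REDFORWARD -o "${IFACE}" -j DROP || return 1`. If firewallctrl rebuilds REDFORWARD it would also undo the DROP just added — that cannot be told from the hunk and is worth confirming.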