From c60301c06a340cdd7a1bc619a3fa081d4771fc76 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 31 Jul 2013 12:52:40 +0200
Subject: [PATCH] tor: Add necessary firewall rules.

---
 src/initscripts/init.d/firewall |  4 ++++
 src/initscripts/init.d/tor      | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 844618a304..0237297e70 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -188,6 +188,10 @@ case "$1" in
 	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
+	# TOR
+	/sbin/iptables -N TOR_INPUT
+	/sbin/iptables -A INPUT -j TOR_INPUT
+
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 
diff --git a/src/initscripts/init.d/tor b/src/initscripts/init.d/tor
index 82dab68bd9..d376178241 100644
--- a/src/initscripts/init.d/tor
+++ b/src/initscripts/init.d/tor
@@ -9,8 +9,27 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+function setup_firewall() {
+	eval $(readhash /var/ipfire/tor/settings)
+
+	# Flush all rules.
+	flush_firewall
+
+	if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
+		iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+	fi
+}
+
+function flush_firewall() {
+	# Flush all rules.
+	iptables -F TOR_INPUT
+}
+
 case "${1}" in
 	start)
+		# Setup firewall.
+		setup_firewall
+
 		boot_mesg "Starting tor..."
 		loadproc /usr/bin/tor \
 			--runasdaemon 1 \
@@ -20,11 +39,17 @@ case "${1}" in
 		;;
 
 	stop)
+		# Flush firewall.
+		flush_firewall
+
 		boot_mesg "Stopping tor..."
 		killproc /usr/bin/tor
 		;;
 
 	reload)
+		# Setup firewall.
+		setup_firewall
+
 		boot_mesg "Reloading tor..."
 		reloadproc /usr/bin/tor
 		;;
-- 
2.39.5
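Review bot: The `# TOR` comment above the new `iptables -N TOR_INPUT` / `-A INPUT -j TOR_INPUT` lines does not say that this chain is deliberately left empty here and is populated by another script, which is the one thing a reader of the firewall initscript needs to know; something like `# TOR: empty chain, filled/flushed by /etc/init.d/tor (setup_firewall)` would make the split ownership explicit. Because the jump is appended with `-A`, its position in INPUT depends on whatever rules precede line 188, which the hunk does not show, so whether TOR_INPUT is reached before any generic accept/drop rule cannot be judged from here. Note also that `iptables -N` fails if the chain already exists; if the firewall script does not flush and delete user chains earlier (outside this hunk), a restart would print an error and the tor script's later `-F TOR_INPUT` would still work only because the old chain survived. The enclosing `case "$1"` arm starts and ends outside the hunk.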
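Review bot: In `setup_firewall`, `TOR_RELAY_PORT` is only checked for non-emptiness before being handed to `iptables --dport`, and the `[ … -a … ]` form is the deprecated test syntax; a stricter guard such as `if [ "${TOR_RELAY_ENABLED}" = "on" ] && [[ "${TOR_RELAY_PORT}" =~ ^[0-9]+$ ]]; then` rejects non-numeric values before iptables does and avoids the ambiguous `-a`. The ACCEPT rule carries no `-i` match, so the relay port is opened on every interface the INPUT chain sees, not just the external one; if the relay is only meant to be reachable from the outside, scoping the rule to that interface would be the safer default (the interface variables this script could use are not visible in the hunk). `eval $(readhash /var/ipfire/tor/settings)` evaluates the settings file as shell, so the file's write permissions are part of the trust boundary of this root-run script; that is the existing IPFire pattern, but a comment noting it would help. Also, since neither iptables call is checked, a failed flush or insert is only visible as stderr noise during boot.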
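Review bot: The comments `# Flush firewall.` and `# Setup firewall.` in the stop and reload arms (and the same one in the start arm of the previous hunk) merely repeat the function name that follows; a why-comment such as `# Close the relay port before tor goes down.` for stop and `# Re-read settings; the relay port may have changed.` for reload would carry information the call itself does not. Whether the script also has a `restart)` or `status)` arm that needs the same treatment cannot be seen, as the `case "${1}"` statement continues outside the hunk.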