ipsec: Add block rules to avoid conntrack entries

[ipfire-2.x.git] / src / initscripts / init.d / firewall

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 8ca02bc9d1932b4530556d5baf29ef0053eb090d..2d462d786d1bf31cb82756d164cac4f7d6bf6abd 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -115,6 +115,11 @@ iptables_init() {
        iptables -A INPUT -j GUARDIAN
        iptables -A FORWARD -j GUARDIAN
 
+       # Block non-established IPsec networks
+       iptables -N IPSECBLOCK
+       iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
+       iptables -A OUTPUT  -m policy --dir out --pol none -j IPSECBLOCK
+
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
        iptables -A INPUT   -i tun+ -j OVPNBLOCK
@@ -270,6 +275,9 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
+       # Populate IPsec block chain
+       /usr/lib/firewall/ipsec-block
+
        # Apply OpenVPN firewall rules
        /usr/local/bin/openvpnctrl --firewall-rules