Merge remote-tracking branch 'stevee/next-suricata' into next

[ipfire-2.x.git] / src / initscripts / system / firewall

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index cab791c1f7a599059483bfe3257179df49f01658..be6c9169f36ff42c125e860b8d9be87c88663a4b 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,6 +185,12 @@ iptables_init() {
        iptables -A INPUT -j GUARDIAN
        iptables -A FORWARD -j GUARDIAN
 
+       # IPS (suricata) chains
+       iptables -N IPS
+       iptables -A INPUT -j IPS
+       iptables -A FORWARD -j IPS
+       iptables -A OUTPUT -j IPS
+
        # Block non-established IPsec networks
        iptables -N IPSECBLOCK
        iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
@@ -280,7 +286,9 @@ iptables_init() {
        # Always allow accessing the web GUI from GREEN.
        iptables -N GUIINPUT
        iptables -A INPUT -j GUIINPUT
-       iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+       if [ -n "${GREEN_DEV}" ]; then
+               iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+       fi
 
        # WIRELESS chains
        iptables -N WIRELESSINPUT
@@ -292,9 +300,11 @@ iptables_init() {
        iptables -N OVPNINPUT
        iptables -A INPUT -j OVPNINPUT
 
-       # TOR
+       # Tor (inbound and outbound)
        iptables -N TOR_INPUT
        iptables -A INPUT -j TOR_INPUT
+       iptables -N TOR_OUTPUT
+       iptables -A OUTPUT -j TOR_OUTPUT
        
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW
@@ -329,8 +339,10 @@ iptables_init() {
        iptables -t nat -N NAT_DESTINATION_FIX
        iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
 
-       iptables -t nat -A NAT_DESTINATION_FIX \
-               -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+       if [ -n "${GREEN_ADDRESS}" ]; then
+               iptables -t nat -A NAT_DESTINATION_FIX \
+                       -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+       fi
 
        if [ -n "${BLUE_ADDRESS}" ]; then
                iptables -t nat -A NAT_DESTINATION_FIX \
@@ -356,8 +368,8 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
-       # Populate IPsec block chain
-       /usr/lib/firewall/ipsec-block
+       # Populate IPsec chains
+       /usr/lib/firewall/ipsec-policy
 
        # Apply OpenVPN firewall rules
        /usr/local/bin/openvpnctrl --firewall-rules
@@ -410,15 +422,6 @@ iptables_red_up() {
                iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
        fi
 
-       # Orange pinholes
-       if [ "$ORANGE_DEV" != "" ]; then
-               # This rule enables a host on ORANGE network to connect to the outside
-               # (only if we have a red connection)
-               if [ "$IFACE" != "" ]; then
-                       iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
-               fi
-       fi
-
        if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
                # DHCP
                if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
@@ -466,7 +469,7 @@ iptables_red_up() {
 
 iptables_red_down() {
        # Prohibit packets to reach the masquerading rule
-       # while the wan interface is down - this is required to
+       # while the WAN interface is down - this is required to
        # circumvent udp related NAT issues
        # http://forum.ipfire.org/index.php?topic=11127.0
        if [ -n "${IFACE}" ]; then