X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Fsystem%2Ffirewall;h=be6c9169f36ff42c125e860b8d9be87c88663a4b;hp=9a79cb1aa98e8ae814ca1f1217ce1b0097adea98;hb=01604708c386da93713cffadb3d5d40665f62ec9;hpb=39155be80547e808e859f8f4dcd93763876bff5f
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9a79cb1aa9..be6c9169f3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -189,6 +189,7 @@ iptables_init() {
 iptables -N IPS
 iptables -A INPUT -j IPS
 iptables -A FORWARD -j IPS
+ iptables -A OUTPUT -j IPS
 # Block non-established IPsec networks
 iptables -N IPSECBLOCK
@@ -299,9 +300,11 @@ iptables_init() {
 iptables -N OVPNINPUT
 iptables -A INPUT -j OVPNINPUT
- # TOR
+ # Tor (inbound and outbound)
 iptables -N TOR_INPUT
 iptables -A INPUT -j TOR_INPUT
+ iptables -N TOR_OUTPUT
+ iptables -A OUTPUT -j TOR_OUTPUT
 # Jump into the actual firewall ruleset.
 iptables -N INPUTFW
@@ -365,8 +368,8 @@ iptables_init() {
 iptables -t nat -N REDNAT
 iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain
- /usr/lib/firewall/ipsec-block
+ # Populate IPsec chains
+ /usr/lib/firewall/ipsec-policy
 # Apply OpenVPN firewall rules
 /usr/local/bin/openvpnctrl --firewall-rules
@@ -419,15 +422,6 @@ iptables_red_up() {
 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
 fi
- # Orange pinholes
- if [ "$ORANGE_DEV" != "" ]; then
- # This rule enables a host on ORANGE network to connect to the outside
- # (only if we have a red connection)
- if [ "$IFACE" != "" ]; then
- iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
- fi
- fi
 if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
 # DHCP
 if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
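Review bot: `iptables -A OUTPUT -j IPS` now routes the firewall host's own traffic (its DNS, NTP, update and proxy connections) through the IPS chain, and nothing in the hunk documents that or what the chain does with locally generated packets; the chain's rules are installed elsewhere and are not visible here. If those rules hand packets to NFQUEUE without a bypass option, a stopped or crashed IPS engine would stall the host's own outbound connectivity rather than only forwarded traffic — worth confirming against the script that fills IPS. A comment above the new line, `# Locally generated traffic (e.g. Tor, proxy) is inspected as well`, would make the intent explicit. iptables_init starts before this hunk.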
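Review bot: The new TOR_OUTPUT chain is created and hooked into OUTPUT, but nothing in this hunk or elsewhere in the diff populates it, whereas the OpenVPN chains have their `openvpnctrl --firewall-rules` call visible in a later hunk; the comment should name the script that installs the Tor rules so a reader can verify it runs after iptables_init. An empty chain just returns to OUTPUT, so a populator that never runs does nothing silently. Suggest `# Tor (inbound and outbound); rules are installed by <tor control script>` with the real path filled in. iptables_init starts before this hunk.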
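Review bot: `/usr/lib/firewall/ipsec-policy` is invoked with no error handling, so if the renamed helper is missing or exits non-zero, iptables_init carries on and the IPSECBLOCK chain created earlier (`# Block non-established IPsec networks`) presumably stays empty — a fail-open for a chain whose job is to block. This was equally true of ipsec-block, but the rename is the moment to make it loud: `/usr/lib/firewall/ipsec-policy || logger -t firewall "ipsec-policy failed; IPsec rules not installed"`. iptables_init starts before this hunk.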
@@ -475,7 +469,7 @@ iptables_red_up() {
 iptables_red_down() {
 # Prohibit packets to reach the masquerading rule
- # while the wan interface is down - this is required to
+ # while the WAN interface is down - this is required to
 # circumvent udp related NAT issues
 # http://forum.ipfire.org/index.php?topic=11127.0
 if [ -n "${IFACE}" ]; then