firewall: Allow blocking access to GREEN from GREEN.

author Michael Tremer <michael.tremer@ipfire.org>

Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy

index 96b9b2fe5aba650033a67c67c1b035599d3dd0e5..4ba1ace8cec12cee5aab07082e1c8d0cc107a053 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
  
  # INPUT
  
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
  # IPsec INPUT
  case "${HAVE_IPSEC},${POLICY}" in
         true,MODE1) ;;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall

index 853f195cf909a94bb546d7655f17067c2aa57058..7a18502bfa728743bc951fef3ccbce84389a57f4 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -179,7 +179,10 @@ iptables_init() {
         iptables -t nat -A POSTROUTING -j IPSECNAT
  
         # localhost and ethernet.
-       iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+       # Always allow accessing the web GUI from GREEN.
+       iptables -N GUIINPUT
+       iptables -A INPUT -j GUIINPUT
+       iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
  
         # WIRELESS chains
         iptables -N WIRELESSINPUT
author	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 20 May 2014 09:41:23 +0000 (11:41 +0200)
config/firewall/firewall-policy		patch \| blob \| blame \| history
src/initscripts/init.d/firewall		patch \| blob \| blame \| history