firewall: fix green only mode.

disable masquerade and green IP/NET check if internet is
connected via green.

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 2176d6b9e5a2c2d8e3ebacd9213109d48dce6666..16e98a5d4bb4b73f95e3bf1a38d9a6140eba9451 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -110,8 +110,15 @@ case "${POLICY}" in
                ;;
 
        *)
+
                # Access from GREEN is granted to everywhere
-               iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+               if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+                       # internet via green
+                       # don't check source IP/NET if IFACE is GREEN
+                       iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+               else
+                       iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+               fi
 
                # Grant access for IPsec VPN connections
                iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index a67af7056486ad4e93db4786100d0a83ea80d100..246be37b9cde98b554210201902e65ec84abc624 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -311,7 +311,10 @@ iptables_red() {
 
                # Outgoing masquerading (don't masqerade IPSEC (mark 50))
                iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
-               iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+               if [ "$IFACE" != "$GREEN_DEV" ]; then
+                       iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+               fi
 
        fi