From: Alexander Marx Date: Sun, 17 Feb 2013 12:58:35 +0000 (+0100) Subject: Forward Firewall: First part of adding OUTGOING to th efirewall X-Git-Tag: v2.15-beta1~286^2~11^2~188 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=5d7faa4518d894f90218c216bb2fb86e69f46b2a Forward Firewall: First part of adding OUTGOING to th efirewall --- diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy deleted file mode 100755 index aec71e29b5..0000000000 --- a/config/forwardfw/firewall-forward-policy +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) -eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) - -iptables -F POLICY - -if [ "$POLICY" == "MODE1" ]; then - - if [ "$FWPOLICY" == "REJECT" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" - fi - /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" - fi - if [ "$FWPOLICY" == "DROP" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT" - fi -fi - - diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index eb84c4af4b..9f806850ef 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -221,6 +221,8 @@ sub get_std_net_ip return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ return "$ipsecsettings{'RW_NET'}"; + }elsif($val eq 'IPFire'){ + return ; } } sub get_net_ip diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy new file mode 100755 index 0000000000..e96278a165 --- /dev/null +++ b/config/forwardfw/firewall-policy @@ -0,0 +1,39 @@ +#!/bin/sh + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICYFWD +iptables -F POLICYOUT + + +if [ "$POLICY" == "MODE1" ]; then + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + fi +fi +if [ "$POLICY1" == "MODE1" ]; then + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT + if [ "$FWPOLICY1" == "REJECT" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY1" == "DROP" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + fi +fi + diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index ddcd560c1f..ffdb6c2ced 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -42,6 +42,7 @@ our %sourcehash=(); our %targethash=(); my @timeframe=(); my %configinputfw=(); +my %configoutgoingfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); @@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW"; &General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); +&General::readhasharray($configoutgoing, \%configoutgoingfw); &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); @@ -95,7 +98,7 @@ if($param eq 'flush'){ if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ &p2pblock; - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; @@ -117,7 +120,7 @@ if($param eq 'flush'){ &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); } } } @@ -125,6 +128,7 @@ sub flush { system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); } sub preparerules { @@ -134,6 +138,9 @@ sub preparerules if (! -z "${General::swroot}/forward/input"){ &buildrules(\%configinputfw); } + if (! -z "${General::swroot}/forward/outgoing"){ + &buildrules(\%configoutgoingfw); + } } sub buildrules { @@ -160,7 +167,6 @@ sub buildrules } } }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; @@ -217,7 +223,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } @@ -237,7 +243,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index f772be3353..a8e4b79d30 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,7 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert -usr/sbin/firewall-forward-policy +usr/sbin/firewall-policy usr/sbin/convert-xtaccess usr/sbin/convert-outgoingfw #usr/share diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 386e02d3eb..460a08c4c8 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups"; if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'}) { my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; } @@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); - &General::readhasharray("$configinput", \%configoutgoingfw); + &General::readhasharray("$configoutgoing", \%configoutgoingfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} @@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + print"CHECK OUTGOING DOPPELTE REGEL
"; $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" @@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } + my $MODE1=$fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'}='MODE2'; + $fwdfwsettings{'POLICY1'}=$MODE1; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &reread_rules; + +} +if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing') +{ + &General::readhasharray("$configoutgoing", \%configoutgoingfw); + foreach my $key (sort keys %configoutgoingfw){ + &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,); + &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,); + &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,); + } + system("rm ${General::swroot}/forward/outgoing"); + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } + my $MODE=$fwdfwsettings{'POLICY'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'}=$MODE; + $fwdfwsettings{'POLICY1'}='MODE2'; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; @@ -578,6 +602,8 @@ sub base { if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; &p2pblock; @@ -585,8 +611,8 @@ sub base print < + -
FORWARD
$Lang::tr{'fwdfw pol text'}
"; + print"

"; + print < + + + + +
OUTGOING
$Lang::tr{'fwdfw pol text1'}
+ + +END + print "$Lang::tr{'outgoing firewall reset'}:
"; + print "
"; &Header::closebox(); } sub addrule @@ -1805,8 +1846,6 @@ sub viewtablerule { &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } @@ -1818,23 +1857,7 @@ sub viewtablenew my $title1=shift; my $go=''; &General::readhasharray("$config", $hash); - #check if there are DMZ entries - if ($title1 eq 'DMZ'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} - } - }elsif($title1 eq 'WLAN'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} - } - }elsif($title1 eq 'Forward'){ - foreach my $key (keys %$hash){ - if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} - } - }elsif( ! -z $config){ - $go='on'; - } - if($go ne ''){ + if( ! -z $config){ &Header::openbox('100%', 'left',$title); my $count=0; my ($gif,$log); @@ -1844,13 +1867,9 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
"; - print""; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ - #check if we have a FORWARDFW OR DMZ RULE - if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;} - if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;} - if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;} @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index db4794c0c7..f85c76214f 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO'; $settings{'DROPNEWNOTSYN'} = 'on'; $settings{'DROPINPUT'} = 'on'; $settings{'DROPFORWARD'} = 'on'; +$settings{'DROPOUTGOING'} = 'on'; $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; @@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; $checked{'DROPFORWARD'}{'off'} = ''; $checked{'DROPFORWARD'}{'on'} = ''; $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; +$checked{'DROPOUTGOING'}{'off'} = ''; +$checked{'DROPOUTGOING'}{'on'} = ''; +$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; @@ -102,6 +106,8 @@ print < off + +
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$Lang::tr{'drop forward'}on / off
$Lang::tr{'drop outgoing'}on / + off
$Lang::tr{'drop portscan'}on / off
$Lang::tr{'drop wirelessinput'}on / @@ -124,6 +130,10 @@ print <DROP
$Lang::tr{'drop action1'} +

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 141145eae0..fd26cd3224 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -746,10 +746,12 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"', +'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', +'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', 'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop forward' => 'Verworfene Firewall-Pakete loggen', +'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', +'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', @@ -926,6 +928,7 @@ 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', +'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', @@ -1018,7 +1021,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protokoll', -'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.', +'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.', 'fwhost reset' => 'Abbrechen', 'fwhost services' => 'Dienste', 'fwhost srv_name' => 'Dienstname', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1d0c3e7cf4..aea37679bf 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,7 +771,8 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', -'drop action' => 'Default behaviour of firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', @@ -952,6 +953,7 @@ 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', +'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', @@ -1045,7 +1047,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', -'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.', +'fwhost reread' => 'Firewallrules need to be updated.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', diff --git a/lfs/configroot b/lfs/configroot index 88fa9f2f83..aa5d764df6 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -105,7 +105,7 @@ $(TARGET) : cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl - cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy + cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index ed7509ff23..7ec3274170 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -153,6 +153,7 @@ case "$1" in /sbin/iptables -N OUTGOINGFW /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING @@ -295,10 +296,13 @@ case "$1" in #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" #POLICY CHAIN - /sbin/iptables -N POLICY - /sbin/iptables -A FORWARD -j POLICY + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT - /usr/sbin/firewall-forward-policy + + /usr/sbin/firewall-policy ;; startovpn) # run openvpn