From: Peter Müller Date: Wed, 6 Feb 2019 21:00:00 +0000 (+0000) Subject: apply default firewall policy for ORANGE, too X-Git-Tag: v2.21-core128~35 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=e01e07ec8b770eb849a42ad3f8c0f67e55faf905 apply default firewall policy for ORANGE, too If firewall default policy is set to DROP, this setting was not applied to outgoing ORANGE traffic as well, which was misleading. Fixes #11973 Signed-off-by: Peter Müller Cc: Michael Tremer Cc: Oliver Fuhrer Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 707209987e..b9dd3485e0 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -294,7 +294,7 @@ iptables_init() {
 iptables -N OVPNINPUT
 iptables -A INPUT -j OVPNINPUT
- # TOR
+ # Tor
 iptables -N TOR_INPUT
 iptables -A INPUT -j TOR_INPUT
@@ -414,15 +414,6 @@ iptables_red_up() {
 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
 fi
- # Orange pinholes
- if [ "$ORANGE_DEV" != "" ]; then
- # This rule enables a host on ORANGE network to connect to the outside
- # (only if we have a red connection)
- if [ "$IFACE" != "" ]; then
- iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
- fi
- fi
-
 if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
 # DHCP
 if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
@@ -470,7 +461,7 @@ iptables_red_up() {
 iptables_red_down() {
 # Prohibit packets to reach the masquerading rule
- # while the wan interface is down - this is required to
+ # while the WAN interface is down - this is required to
 # circumvent udp related NAT issues
 # http://forum.ipfire.org/index.php?topic=11127.0
 if [ -n "${IFACE}" ]; then