]> git.ipfire.org Git - people/ms/network.git/blob - functions.firewall-policy
projects / people / ms / network.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
hostapd: Enable WMM by default.
[people/ms/network.git] / functions.firewall-policy
1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 function policy_zone_add() {
23 local zone=${1}
24 assert isset zone
25
26 local ${FIREWALL_ZONE_SETTINGS}
27 firewall_zone_read ${zone}
28
29 # Apply masquerading.
30 if enabled MASQUERADE4; then
31 policy_zone_masquerade4 ${zone}
32 fi
33
34 # Allow/deny cross-zone communication.
35 local other_zone
36 for other_zone in $(zones_get_all); do
37 if list_match "${other_zone}" ${FRIEND_ZONES}; then
38 policy_zone_allow_all ${zone} ${other_zone}
39 else
40 policy_zone_deny_all ${zone} ${other_zone}
41 fi
42 done
43 }
44
45 function policy_zone_masquerade4() {
46 local zone=${1}
47 assert isset zone
48
49 local chain="ZONE_${zone^^}_SNAT"
50
51 iptables -4 -t nat -A "${chain}" -o ${zone} \
52 -j MASQUERADE --random
53 }
54
55 function policy_zone_allow_all() {
56 local zone=${1}
57 assert isset zone
58
59 local other_zone=${2}
60 assert isset other_zone
61
62 local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"
63
64 # Just accept all new connections.
65 iptables -A "${chain}" -m conntrack --ctstate NEW -j ACCEPT
66 }
67
68 function policy_zone_deny_all() {
69 local zone=${1}
70 assert isset zone
71
72 local other_zone=${2}
73 assert isset other_zone
74
75 local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"
76
77 # Just accept all new connections.
78 iptables -A "${chain}" -j DROP
79 }
80
81 function policy_drop_all() {
82 # Nothing to do here, because that is the
83 # default policy of the INPUT/OUTPUT/FORWARD chain.
84 :
85 }
86
87 function policy_import_all_rules() {
88 # This will populate all chains with the rules
89 # for the given zone.
90
91 local zone=${1}
92 assert isset zone
93
94 local chain=${2}
95 assert isset chain
96
97 local zone_dir=$(firewall_zone_dir ${zone})
98 assert isset zone_dir
99
100 local rulesfile="${zone_dir}/rules"
101
102 #firewall_parse_rules "${rulesfile}" \
103 # -A ${chain}_RULES_INC
104 }
105
106 function policy_load() {
107 local zone_from=${1}
108 assert isset zone_from
109
110 local zone_to=${2}
111 assert isset zone_to
112
113 local chain=${3}
114 assert isset chain
115
116 # Allow routes that have the same incoming and outgoing interface.
117 if [ "${zone_from}" = "${zone_to}" ]; then
118 iptables -A ${chain} -j ACCEPT
119 return ${EXIT_OK}
120 fi
121
122 # Grant all local zones accessing everything (GREEN).
123 if zone_is_local ${zone_from}; then
124 iptables -A ${chain} -j ACCEPT
125 return ${EXIT_OK}
126 fi
127 }
Networking code of IPFire 3.x.