syslog: Listen to network and block access from anywhere but localhost

[people/pmueller/ipfire-2.x.git] / config / firewall / firewall-policy

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index b820a7f3ee9dd9ca7fce76521a1c63b56eb2b804..078c3c515c31f1f385a2159f83fb5c6c52f5e89f 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,10 +52,41 @@ case "${CONFIG_TYPE}" in
                ;;
 esac
 
+HAVE_IPSEC="true"
 HAVE_OPENVPN="true"
 
 # INPUT
 
+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+       REJECT)
+               iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+               ;;
+       *)
+               iptables -A POLICYIN -p udp --dport 514 -j DROP
+               ;;
+esac
+
+# Allow access from GREEN
+if [ -n "${GREEN_DEV}" ]; then
+       iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+fi
+
+# Allow access from BLUE
+if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+       iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
+fi
+
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+       true,MODE1) ;;
+       true,*)
+               iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+               ;;
+esac
+
 # OpenVPN INPUT
 # Allow direct access to the internal IP addresses of the firewall
 # from remote subnets if forward policy is allowed.
@@ -101,15 +132,36 @@ case "${POLICY}" in
                ;;
 
        *)
+               # Access from GREEN is granted to everywhere
+               if [ -n "${GREEN_DEV}" ]; then
+                       if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+                               # internet via green
+                               # don't check source IP/NET if IFACE is GREEN
+                               iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+                       else
+                               iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+                       fi
+               fi
+
+               # Grant access for IPsec VPN connections
+               iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
+
+               # Grant access for OpenVPN connections
+               iptables -A POLICYFWD -i tun+ -j ACCEPT
+
                if [ -n "${IFACE}" ]; then
                        if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
-                               iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+                               iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
                        fi
+
                        if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
-                               iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+                               iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
                        fi
                fi
-               iptables -A POLICYFWD -j ACCEPT
+
+               if [ "${DROPFORWARD}" = "on" ]; then
+                       iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+               fi
                iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
                ;;
 esac