Merge remote-tracking branch 'origin/master' into next

[people/pmueller/ipfire-2.x.git] / config / firewall / firewall-policy

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 2176d6b9e5a2c2d8e3ebacd9213109d48dce6666..cbba3b021a4eb93bd3609ea58edaaea3cbe1353f 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,14 @@ HAVE_OPENVPN="true"
 
 # INPUT
 
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
+# Allow access from BLUE
+if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+       iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
+fi
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
        true,MODE1) ;;
@@ -111,7 +119,13 @@ case "${POLICY}" in
 
        *)
                # Access from GREEN is granted to everywhere
-               iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+               if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+                       # internet via green
+                       # don't check source IP/NET if IFACE is GREEN
+                       iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+               else
+                       iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+               fi
 
                # Grant access for IPsec VPN connections
                iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT